Network Field Day 11 - Skyport Systems Presentation


Transcript of Network Field Day 11 - Skyport Systems Presentation

Page 1: Network Field Day 11 - Skyport Systems Presentation

Company Confidential1

Skyport Systems, Net Field Day 11

January 2016

Page 2: Network Field Day 11 - Skyport Systems Presentation

The Fallacy of Security Technology

“If you think technology can fix security, you don’t understand technology and you don’t understand security.” ~ Briankrebs.com

Page 3: Network Field Day 11 - Skyport Systems Presentation

A Platform Approach: Not a Product Approach

Software-Defined Perimeters that operate at the application layer

Protect against low-level rootkits/malware, BIOS, SSD firmware, physical ports, IPMI

Forensics that cannot be modified by employees or third parties

Page 4: Network Field Day 11 - Skyport Systems Presentation

A High-Performance, Secure Enterprise Platform

Runs your application VMs

Trusted Hardware Platform

Hardened HW/SW stack

Security I/O Co-processor

Designed for hostile environments - Branch, remote location, Datacenter

Security is built-in and invisible - Protects platform, workloads, compliance

No special skills required - Plug and play, no integration or modifications

No performance compromise - Enforcement offloaded to co-processor

Page 5: Network Field Day 11 - Skyport Systems Presentation

• Secure Architecture that substantiates architectural integrity from the ground up

• Hardware-enforced security policy and forensic logging at application edge

• Abstracts security execution from application execution

SkySecure Enclave (diagram): security co-processor and x86 system; the x86 subsystem communicates only through the I/O controller.

Page 6: Network Field Day 11 - Skyport Systems Presentation

Software-Defined Perimeter: DMZ per VM

ShieldNET: Domain Name and Zone Based Access

ShieldID: Identity Management Proxy

ShieldFS: File Systems and Content Filtering

ShieldADMIN: Administrative Privileged Access

ShieldWEB: Web Applications and Crypto/Credential Proxy

Page 7: Network Field Day 11 - Skyport Systems Presentation

Private DMZ per VM

Traditional Zone-Based Network Security (one DMZ network zone shared by several DMZ VMs)

• Protections limited to network perimeter

• No protection between systems in DMZ

• Complex integration and management

SkySecure Per-VM DMZ (security I/O co-processor in front of each DMZ VM)

• Zero-trust architecture based on hardware

• Applications are always protected

• Defends workloads against compromise

Page 8: Network Field Day 11 - Skyport Systems Presentation

SkySecure Center

Secure Audit / Log

VM Mgmt

Traffic Intelligence

WebUI Service

Security Data Warehouse

Real-time Data Service

Security Reporting

Real-time Analytics

Device Mgmt

Policy Mgmt

Key Mgmt

Remote Attestation

Authentication / Secure Enclave

HSM Credential Mgmt
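The SkySecure Center list above names Remote Attestation, Key Mgmt and an HSM but does not show what a verifier actually does with an attestation. The following Python is an added example of the verifier's side of a measured-boot attestation in generic TPM terms; it is not Skyport's protocol or code. The event log, PCR indices, attestation key and nonces are constructed for the example, and the quote signature is modelled with an HMAC over a shared key where a real TPM would sign with an asymmetric attestation key.

```python
import hashlib
import hmac
from typing import Dict, List, Tuple

# Constructed sample data (not from the slides): a verifier-side attestation
# key standing in for a TPM attestation key, and two measured-boot event logs.
ATTESTATION_KEY = b"example-attestation-key-not-a-real-secret"
GOLDEN_EVENTS: List[Tuple[int, bytes]] = [
    (0, b"bios-image-1.2.3"),    # PCR0: platform firmware
    (2, b"option-rom-nic"),      # PCR2: option ROMs
    (4, b"bootloader-2.02"),     # PCR4: boot manager
    (4, b"kernel-4.4-signed"),   # PCR4: OS loader, second extend of the same PCR
]
# Same boot chain but with a modified firmware image.
TAMPERED_EVENTS = [(0, b"bios-image-backdoored")] + GOLDEN_EVENTS[1:]
PCR_INIT = bytes(32)  # SHA-256 PCRs start at all zeros


def extend(pcr: bytes, digest: bytes) -> bytes:
    """TPM PCR extend: new = H(old || digest of the measured object)."""
    return hashlib.sha256(pcr + digest).digest()


def replay_event_log(events: List[Tuple[int, bytes]]) -> Dict[int, bytes]:
    """Recompute every PCR from the log. The order of extends matters, so a
    reordered or truncated log yields different values."""
    pcrs: Dict[int, bytes] = {}
    for index, blob in events:
        pcrs[index] = extend(pcrs.get(index, PCR_INIT), hashlib.sha256(blob).digest())
    return pcrs


def make_quote(pcrs: Dict[int, bytes], nonce: bytes) -> Tuple[bytes, bytes]:
    """Attester side, stand-in for a TPM quote: bind the verifier's nonce and
    the PCR bank into one payload and authenticate it (HMAC here; a real TPM
    signs with an asymmetric attestation key)."""
    payload = nonce + b"".join(bytes([i]) + pcrs[i] for i in sorted(pcrs))
    return payload, hmac.new(ATTESTATION_KEY, payload, "sha256").digest()


def verify_quote(payload: bytes, sig: bytes, nonce: bytes,
                 golden: Dict[int, bytes]) -> Tuple[bool, str]:
    """Verifier side: authenticity, then freshness, then comparison against the
    golden PCR values. An unauthenticated payload is never parsed."""
    expected_sig = hmac.new(ATTESTATION_KEY, payload, "sha256").digest()
    if not hmac.compare_digest(expected_sig, sig):
        return False, "bad signature"
    if payload[: len(nonce)] != nonce:
        return False, "stale nonce"
    body = payload[len(nonce):]
    # Records are 1 byte of PCR index followed by a 32-byte PCR value.
    reported = {body[i]: body[i + 1 : i + 33] for i in range(0, len(body), 33)}
    for index, value in golden.items():
        if reported.get(index) != value:
            return False, f"PCR{index} mismatch"
    return True, "ok"


def demo() -> List[Tuple[bool, str]]:
    """Three verifications: a clean boot, a tampered BIOS, and a replayed quote."""
    golden = replay_event_log(GOLDEN_EVENTS)
    nonce1 = b"\x11" * 16
    ok = verify_quote(*make_quote(replay_event_log(GOLDEN_EVENTS), nonce1), nonce1, golden)
    tampered = verify_quote(*make_quote(replay_event_log(TAMPERED_EVENTS), nonce1), nonce1, golden)
    # A quote captured under nonce1 and presented for a later challenge (nonce2)
    # has a valid signature but fails the freshness check.
    nonce2 = b"\x22" * 16
    old_payload, old_sig = make_quote(replay_event_log(GOLDEN_EVENTS), nonce1)
    replayed = verify_quote(old_payload, old_sig, nonce2, golden)
    return [ok, tampered, replayed]


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

The golden values come from replaying a known-good log once and pinning the result; on the slide that role falls to the Center, which has to store them somewhere the attested host cannot rewrite, which is the point of listing the HSM and secure audit log beside Remote Attestation.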

Page 9: Network Field Day 11 - Skyport Systems Presentation

SkySecure Center: Traffic Intelligence

Page 10: Network Field Day 11 - Skyport Systems Presentation

Initial Deployment Use Cases

Exposed DMZ Applications

• Secure File Transfer

• Web / E-Commerce Applications

• Cloud/API gateways

• Web authentication servers

Critical IT Systems

• Active Directory

• DNS / DHCP

• Software distribution

• DevOps / SDN Controllers

Branch / Untrusted

• Branch consolidation

• Trusted application deployment in hostile locations

Out-of-Compliance Applications

• End-of-Support Applications and Operating Systems

• Windows XP / 2003 / 2008, RHEL4/5, etc

• Web servers with unpatched SSL vulnerabilities

Page 11: Network Field Day 11 - Skyport Systems Presentation

Win2012R2 - Unsecured

(truncated)

• No protection

• Accepting HTTPS connections

Page 12: Network Field Day 11 - Skyport Systems Presentation

Win2012R2 – Micro-segmented

(truncated)

• Firewall allowing HTTPS inbound

• Accepting HTTPS connections

Page 13: Network Field Day 11 - Skyport Systems Presentation

Win2012R2 - SkySecure

• “IP Forwarding” is the only non-info plugin returning a result.

• MS14-066 and MS15-034 critical MS vulnerabilities mitigated entirely

• ShieldWeb-In Enabled

• Accepting HTTPS connections
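The three scan slides above compare a bare Windows Server 2012 R2 VM, the same VM behind a port-level firewall, and the same VM behind ShieldWeb-In. The firewall still leaves MS14-066 (Schannel remote code execution) and MS15-034 (HTTP.sys remote code execution) reachable because it forwards the attacker's bytes unchanged to the vulnerable parsers; an application-layer proxy terminates TLS and HTTP itself and issues a freshly built request to the backend, so the backend's Schannel never sees the attacker's handshake and its HTTP.sys never sees the attacker's headers. The Python below is an added example of that request-rebuilding step at the HTTP layer; it is not Skyport's code, and the header allow-list, the 2^31-1 cap on byte ranges, the backend address and the sample requests are all assumptions made for the example. The well-known MS15-034 probe, a Range header ending in 18446744073709551615, is used as the hostile input.

```python
import re
from typing import List, Tuple

# Assumed policy for the example: only these request headers reach the backend,
# everything else (Transfer-Encoding, Connection, Expect, X-* ...) is dropped.
ALLOWED_HEADERS = {"host", "accept", "accept-encoding", "user-agent",
                   "range", "content-type", "content-length"}
ALLOWED_METHODS = {"GET", "HEAD", "POST"}
MAX_RANGE_BOUND = 2**31 - 1  # assumed cap; the MS15-034 probe uses 2**64 - 1
RANGE_RE = re.compile(r"^bytes=(\d*)-(\d*)$")  # single byte-range-spec only


class RejectRequest(Exception):
    """The proxy answers this request itself; it is never forwarded."""


def parse_request(raw: bytes) -> Tuple[str, str, str, List[Tuple[str, str]], bytes]:
    """Strict parse of one HTTP/1.1 request held fully in memory."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise RejectRequest("incomplete header block")
    lines = head.decode("latin-1").split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3:
        raise RejectRequest("malformed request line")
    method, target, version = parts
    headers: List[Tuple[str, str]] = []
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        # Reject obs-fold and whitespace around the field name (smuggling vectors).
        if not colon or not name or name != name.strip():
            raise RejectRequest("malformed header line")
        headers.append((name.lower(), value.strip()))
    return method, target, version, headers, body


def validate_range(value: str) -> str:
    """Accept only a well-formed, bounded single byte range; re-emit it."""
    match = RANGE_RE.match(value)
    if not match:
        raise RejectRequest("malformed Range header")
    first, last = match.groups()
    if first == "" and last == "":
        raise RejectRequest("empty Range header")
    for bound in (first, last):
        if bound and int(bound) > MAX_RANGE_BOUND:
            raise RejectRequest("Range bound exceeds cap")
    if first and last and int(first) > int(last):
        raise RejectRequest("Range start after end")
    return f"bytes={first}-{last}"


def rebuild_request(raw: bytes, backend_host: str) -> bytes:
    """Build a new request for the backend from validated fields only."""
    method, target, version, headers, body = parse_request(raw)
    if method not in ALLOWED_METHODS:
        raise RejectRequest(f"method {method} not allowed")
    if version != "HTTP/1.1":
        raise RejectRequest("only HTTP/1.1 is forwarded")
    if not target.startswith("/"):
        raise RejectRequest("absolute-form targets are not forwarded")
    kept = {}
    for name, value in headers:
        if name not in ALLOWED_HEADERS:
            continue
        if name in kept:
            raise RejectRequest(f"duplicate {name} header")
        if name == "range":
            value = validate_range(value)
        kept[name] = value
    # The proxy owns message framing: body length must be explicit and exact.
    if "content-length" in kept:
        if not kept["content-length"].isdigit() or int(kept["content-length"]) != len(body):
            raise RejectRequest("Content-Length does not match body")
    elif body:
        raise RejectRequest("body without Content-Length")
    kept["host"] = backend_host      # proxy-chosen, never the client's value
    kept["connection"] = "close"
    lines = [f"{method} {target} HTTP/1.1"] + [f"{n.title()}: {v}" for n, v in kept.items()]
    return "\r\n".join(lines).encode("latin-1") + b"\r\n\r\n" + body


def proxy_decision(raw: bytes, backend_host: str) -> Tuple[str, object]:
    """Return ("forward", rebuilt_bytes) or ("reject", reason)."""
    try:
        return "forward", rebuild_request(raw, backend_host)
    except RejectRequest as exc:
        return "reject", str(exc)


if __name__ == "__main__":
    # Constructed sample: the public MS15-034 probe request.
    probe = b"GET / HTTP/1.1\r\nHost: victim\r\nRange: bytes=0-18446744073709551615\r\n\r\n"
    print(proxy_decision(probe, "10.0.0.5"))
```

Two caveats a practitioner would attach to the slide. First, the scan result shows the probe no longer reaches HTTP.sys; it does not make the backend patched, so an attacker who gets any other path to the VM (a neighbouring compromised host, an admin session) still faces the unpatched kernel driver. Second, a proxy that rebuilds requests is itself a parser in the attack path, which is why the slide deck puts it on a separate co-processor rather than in the guest.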

Page 14: Network Field Day 11 - Skyport Systems Presentation

Contrast: Point Product Approach to Security

Hardened Hardware: TPM Management, Secure IPMI/ILO, Tamper Detection

Hardened Firmware: Signed BIOS, USB Disable/Monitor

Network: PCAP Tooling, IPFIX/sFlow Monitor, Passive Taps, Network Packet Broker, IDS/IPS

Hardened VM Environment (Compartment): Hypervisor Micro-segmentation, Web Application Firewall, Virtual Firewall, SW Signing, Key Management

Hardened Ctrl/Mgmt Plane: Operations Management, Jump Servers/SAWs, Secure Logging/Analysis/SIEM, Secure Backup

Page 15: Network Field Day 11 - Skyport Systems Presentation

Thank You