Security TechTalk | AWS Public Sector Summit 2016
Transcript of Security TechTalk | AWS Public Sector Summit 2016
© 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
June 21st, 2016
AWS Talk: Security
Nikola Bozinovic, CEO, Frame
Matt Keil, Director of Product Marketing, Palo Alto Networks
Michael Schmidt, Founder & CTO, Nutonian
Nikola Bozinovic, CEO, Frame
June 21, 2016
Cloud, Security & the End of the Desktop
Millions of cyber-attacks happen every day
How will you manage and secure your IT environment?
IT used to be simple(r)
Today: Virtual Desktops and Apps
PHYSICAL DESKTOP MODEL: Apps running on PCs
VIRTUAL DESKTOP MODEL (VDI): Apps running in the datacenter; stream pixels to clients (Datacenter → Clients)
Problems with VDI
• Complicated: requires months (or years) of training
• Expensive: $100,000 to start (buy servers and software)
• Doesn’t work that well: low performance, poor user experience
Because of this, less than 5% of the world’s desktops have been virtualized.
Cloud changes everything
PC → Datacenter (VDI) → Cloud
Question: Can we move to the cloud with legacy VDI?
“If we design this architecture and just continue to do business as usual, it will be an absolute waste of money. It’s like designing the autobahn with the horse and buggy.”
Lt. Gen. Vincent Stewart, DIA Director
What is Frame?
Frame is a secure cloud platform that lets organizations deliver amazing experiences to users on all connected devices.
(Diagram labels: Pixels, user input)
Revolution in end-user computing
Founded in 2012
Headquartered in San Mateo, CA
Platform of choice for top Windows ISVs and Enterprises
www.fra.me
Most demanding customers pick Frame
Why now
Convergence of technologies makes it possible to deliver apps remotely from the cloud at hyper-scale.
• Cloud IaaS
• Faster, more reliable networks
• The rise of “dumb terminals”: BYOD, HTML5 browsers
• Data gravity
• Frame Protocol (H.264 + QOS)
• Frame Platform (orchestration)
• Frame Product (U/X)
(Timeline labels: 2008, 2016, VDI)
How it works
1. Bring your apps (Windows or Linux)
2. Pick infrastructure* (Compute & Graphics)
3. Authorize users (Configure SSO)
4. Connect files (Cloud storage)
5. Deliver to users (Any location, any device)
(Diagram labels: AWS, Public, AD)
* Infrastructure is managed through Frame. Customers can choose the configuration that works best for them based on performance, cost, and location.
Full-stack solution
CPANEL: Self-service onboarding, system management, usage and in-app analytics.
APP STORE: Marketing, access rights, metering, billing…
TERMINALS: HTML5 terminal, native Win/OSX terminals, Touch U/X, HID support…
CONNECTORS: Persistent data, Storage; User identity (SSO), Authentication
PROTOCOL: Video (h.264-based) protocol, QOS, content-adaptive encoding, WAN optimization, collaboration
PLATFORM: Orchestration, brokering, security, geographical distribution, high-availability, scaling,…
Infrastructure: AWS (Public cloud), AWS GovCloud (Gov. cloud), AWS C2S (C2S cloud)
Integrations: Identity (SSO) via AD/ADFS or Custom; Storage via S3/EBS
(Diagram labels: Apps, Users, FRAME, Technology)
Beautiful, Intuitive Interface
The Launchpad: where users go to run apps
The Dashboard: where admins go to install and manage apps
Super admin: where you go to create and manage teams
How is Frame different from VDI?
• Optimized infrastructure management
• Modern, developer friendly
• Scalable, multi-tenant platform
• Custom workflows and blueprints
• Rich APIs for instant integration
• Optimized capacity usage: up to 90% savings
• Best of breed workflow solutions
• Web scale app delivery platform
“Frame is the future of both software distribution and personal computing in the post-mobile era I’m going to call ubiquitous computing.”
Bob Cringely
Learn more at [email protected]
Thank you
Matt Keil, Director of Product Marketing, Public Cloud, Palo Alto Networks
June 21, 2016
Cloud First! Now What?
VM-Series for AWS GovCloud (US): Securely enabling Cloud First Directives
The Threat Lifecycle Remains Unchanged
SPEAR PHISHING EMAIL or EXPLOIT KIT → INFECT USER → MOVE ACROSS THE NETWORK → FIND THE TARGET → ADVERSARY COMMANDS → STEAL DATA ($) / BUILD BOTNETS / HARVEST BITCOIN
Cloud First Security Considerations
1. Know and understand what apps are in use
2. Adopt a prevention architecture in the cloud
3. Strive for consistency, automate where possible
25 | © 2015, Palo Alto Networks. Confidential and Proprietary.
Reduce Your Threat Footprint
• Security groups + next-gen firewall = app visibility, regardless of port
• Whitelist apps to leverage the firewall “deny-all-else” premise
• Grant application access based on user identity and need
Segmentation = A Prevention Architecture
• Policies keep apps and data separate = improved security, compliance
• Prevent threats from moving laterally, block exfiltration efforts
(Diagram: AppDev, AppTest and App Production, each with its own App Data)
Policy Consistency and Automation
• Centrally manage policies = consistency from the network to the cloud
• Automation ensures security keeps pace with cloud first initiatives
Control apps | Segment | Prevent threats (Apps, Users, Content)
Takeaways
1. Knowledge of apps, content, user is key
2. Segmentation + prevention = improved security posture
3. Policy consistency = agnostic workload location
Thank you
Michael Schmidt, Founder & CTO, Nutonian
June 21, 2016
Discovering Threat Patterns in Chaotic Security Data
© 2016 Nutonian. Confidential and Proprietary.
Founded out of the Cornell Artificial Intelligence Lab in 2011, Nutonian empowers blue-chip companies to extract meaning from chaos. Its proprietary A.I.-powered modeling engine, Eureqa, analyzes vast amounts of structured data billions of times per second to build the most accurate and actionable models.
Industrializing Data Science: Data → Modeling → Explanation → Action
The “Eureqa” Moment
Schmidt M., Lipson H. (2009) "Distilling Free-Form Natural Laws from Experimental Data," Science, Vol. 324, no. 5923, pp. 81 - 85.
Algorithms distill laws of physics from chaotic systems (published in Science 2009)
(Diagram labels: Connect, Model, Explain, Unleash …)
Massively parallel analysis
Computation tests billions of independent models on the data
• Low bandwidth -- transferring solutions
• High latency -- no control flow dependencies
(Diagram: Compute Server 1, Compute Server 2, … Compute Server N, each with CPU cores running independent search kernels)
Machine Intelligence in Action
• Predict finish positions of the 2016 Kentucky Derby
• Expose relationships between running style, speed, and trainer record
• Predicted winner, and 4 out of top 5 horses
– Winning Exacta (30:1 odds)
– Winning Trifecta (87:1)
– Winning Superfecta (542:1)
1. Nyquist
2. Gun Runner
3. Exaggerator
4. Creator
5. Mohaymen
• Standardized live odds probability
• Speed over the past two races
• Post position
• Racing style
• Track conditions
http://performancegenetics.com/machine-learning-algorithm-crushed-kentucky-derby/
Architecture
Intrusion Detection, Vulnerability Assessment, Firewall Log Data, HTTP Proxy Log Data, More sources → SIEM (Splunk / ArcSight) → Eureqa AI App → Security Analyst
Use Case - Industrial Control Systems
• Differentiate between naturally occurring events and those caused by a malicious actor on a set of power transmission lines
*Dataset dev. by Mississippi State University and Oak Ridge National Laboratory
Data fields: Impedance, Relay Status Flag, Voltage Phase Angle, Current, Current Phase Angle
Conclusions
• Machine Intelligence extracts meaning from data
• Companies already employing Machine Intelligence today
• Many new applications ahead of us
Michael Schmidt, Founder & CTO, [email protected]
Twitter: @Nutonian Blog: http://blog.nutonian.com
www.nutonian.com
Thank you