Lessons From the Infrastructure and Operations Playbook

WHAT SECURITY PROS CAN LEARN FROM SHADOW IT:
LESSONS FROM THE INFRASTRUCTURE AND OPERATIONS PLAYBOOK
Bo Skeel, Chief Evangelist
[email protected]
TOP IT INITIATIVES 2014
SECURITY & CLOUD ARE AMONG THE TOP INITIATIVES
[Chart: top initiatives – virtualization, cloud and mobility]
CLOUD & MOBILITY: TWO MAJOR IT TRENDS
End User drivers
• Data access from any device
• Remote working
• Easy user experience
DevOps drivers
• Flexibility
• Instant provisioning
• Improved productivity
CLOUD IS ATTRACTIVE
• Designed for consumers or customers; continuous delivery
  • Apps built/updated very rapidly
  • Focused on functionality for users
  • Wide variety, cross-platform
  • Zero capital investment; scale to demand instantly
• DevOps have the same goals
  • Rapid try/fail, try/grow cycle
  • Scale with demand; no capital lag, approval process, etc.
There is a high risk of corporate data being outside of corporate controls.
CLOUD AND SHADOW IT
• Public cloud (IaaS/PaaS) is driving an ongoing explosion of services (SaaS)
• Both DevOps (datacenter users) and end-users are embracing shadow IT
• Traditional IT – including security – is being left behind
[Diagram: Traditional IT = CONTROL sits in the middle; end-users go around it to web mail, Dropbox, Evernote and cloud backup, while datacenter users go around it to IaaS, PaaS and storage]
IT AS A SERVICE
End Users
• Embrace BYOD
• Gain control of mobile devices
• Provide services for end-users (large file transfer, edit-from-anywhere, etc.)
[Diagram: the IT epiphany – Traditional IT = CONTROL becomes ITaaS, with goals, BYOD and policy in place; end-users receive services, Dropbox and web mail through IT, and datacenter users receive PaaS and storage]
WHAT NEEDS TO HAPPEN
• Treat public cloud as an extension of the datacenter
• Understand the needs of end-users
• Treat DevOps as a customer
• DON’T IGNORE INTERNAL CUSTOMER NEEDS
SECURITY BEST PRACTICES
• Asset tracking/lifecycle management
• Common view of endpoint security
• Elastic management
• Define BYOD policy
IMPROVING SECURITY
THREAT OVERVIEW
From 32,000 new unique malware every day to 390,000 in 6 years!
Source: AV-Test, Germany.
THREAT CONSEQUENCE
2015: 1GB disk space, 150MB RAM @ idle
2009: 200MB disk space, 40MB RAM @ idle
AV SIGNATURE UPDATE FREQUENCY
[Chart: signature update interval over time – every 24 hours, every 8 hours, every 8 hours, hourly]
Even with hourly updates there are still 16,250 possible new infections per hour, when AV-Test is registering 390,000 new threats per day.
MALWARE IS NOW SERIOUS BIG BUSINESS
Previously malware was used to prove capability, or to earn petty cash by stealing computer resources for manipulating banner advertising, SEO, renting botnets, etc.
That’s still going on, but...
Now we have threats like Identity Theft, Credit Card Fraud, Ransomware, Advanced Persistent Threats and Industrial Espionage – and EVERYONE is at risk, simply by connecting to the Internet!
“There are two kinds of big companies in the United States. There are those who've been hacked by the Chinese and those who don't know they've been hacked by the Chinese.”
60 Minutes, October 5th 2014
SYMANTEC: AV IS DEAD
CONCLUSION
A: Signature-based protection is dead!
- There are simply too many new unique daily threats (390,000 according to AV-Test)
B: Infections are becoming a lot more dangerous
- An infection is no longer just a question of business disruption; it poses serious financial threats.
C: Local resource consumption is not unlimited
- There is a limit to how much intelligent analysis you can run locally to detect threats in business environments
WE REALIZED THIS 4 YEARS AGO, SO:
THREAT MANAGEMENT SYSTEM
The biggest, most advanced and fastest cloud-based security installation in the world.
THREAT MANAGEMENT SYSTEM
Project development started in 2010, fully implemented in 2014
Cloud requirement: Maximum response time of 20ms
NIMBUS Infrastructure statistics
• 6 linked datacenters (5 running in AWS)
• 1,200+ virtual servers
• 7+ billion requests per day
• 900k+ active connections at any given time
• 80+ TB of traffic per month
• 100+ different web services: URL checking, cleanset similarities, outbreak detection, antifraud, antispam, antiphishing, antitheft, real-time virus reporting, statistics, honeypots, etc.
[Diagram: multiple security technologies provide superior capabilities, speed and scaling; Nimbus Security handles more than 7 billion requests daily; Business – GravityZone cloud-based multi-tenant manager; Consumers – online or shrink-wrapped]
GOAL: Higher protection level with a lower resource impact
- Lighter and more aggressive local engines
- Faster reaction time: SPAM waves now detected in 10 seconds
- New range of products
- Unify Bitdefender technologies
Consequence:
- Ranked #1 in detection since 2012, especially on zero-day attacks
- Ranked #1 in performance since 2013
NIMBUS
“NOT ONLY A RANGE OF LOOKUP TOOLS, BUT A REFLECTIVE INTELLIGENT SYSTEM, CAPABLE OF MAKING ANALYTIC SECURITY DECISIONS BASED ON ADVANCED TECHNOLOGY, SUCH AS APPLICATION REPUTATION, EVENT COLORATION, MACHINE LEARNING AND MEMORY INTROSPECTION.”
MERGING THE TECHNOLOGY INTO CUSTOMER BENEFITS
NEW DELIVERY CONCEPT
AV LEGACY MODEL
[Diagram: new signature → AV management → distribution → local AV installation]
Local AV Installation
- Local signature DB
- Local scanning engines with signature dependency
NIMBUS MODEL
[Diagram: NIMBUS learns from every endpoint’s queries (LEARN) and answers them]
Local Bitdefender Installation
- Local scanning engines without signature dependency
- Local intelligence through B-Have and AVC (300+ heuristics)
- NIMBUS queries and response
- Local signature DB for offline usage
NIMBUS MODEL “AS-A-SERVICE”
[Diagram: the Security Virtual Appliance now hosts the local scanning engines without signature dependency, the B-Have and AVC intelligence (300+ heuristics), the NIMBUS queries and response, and the signature DB for offline usage]
Local Bitdefender Installation
- Security broker
- User interface
Security Virtual Appliance
Major benefits
- Very high protection at almost zero local resource impact
- No AV maintenance needed on endpoint
- Protection is now provided “as-a-service” from the network
NIMBUS MODEL “AS-A-SERVICE”
Security Virtual Appliance (SVA)
• Import into any hypervisor (VMware, Citrix, Microsoft, others)
• Loaded with all Bitdefender protective technologies
• Extremely fast on a firmware-built Linux core
• Deploy multiple (unlimited):
  • Eliminates single point of failure
  • Enables load-balancing of protective services
  • Shares knowledge on local endpoints through multi-level caching and machine learning
• Will protect all major operating systems
• Will protect all computers on the network – physical or virtual
NIMBUS MODEL “AS-A-SERVICE”
Bitdefender Security Tools:
A. Install on all physical computers
B. Install on all virtual computers
Now everything is protected by the SVA instances... and NIMBUS
Result:
a) Extremely high protection
b) Unnoticeable local resource cost
c) AV maintenance reduced to SVA instances
d) High Availability and Load-Balancing included
BITDEFENDER SECURITY TOOLS
Minimum configuration for network service only
• Windows, Linux and Mac version
• Static installation – requires no updating
• 70~100 MB disk space inside each VM/Workstation/Server
• Three main components:
  • Gateway (broker), allowing the centralized engine to access the system
    - Maximum 15MB memory footprint
    - No CPU load
  • Local tools (uncompressing, file move, file deletion, encryption, neutralizer, etc.)
  • Optional UI, including pop-up notification, policy controlled
BITDEFENDER SECURITY TOOLS
Additional options for physical, external and offline support
• 2-way firewall with Intrusion Detection System
• Local Active Virus Control components
• Device Control (Hardware Control)
• Content/Web Control
• Application Control
• Data Loss Protection
All adjustable through security policies.
When deployed with all scanning technologies, the actual protection can be provided as either:
• Central Scan
• Hybrid Scan
• Local Scan
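The three scan modes (central, hybrid, local) differ in where a verdict comes from and in what happens when the appliance cannot answer. The following added example, which is not Bitdefender's code and does not reproduce the NIMBUS protocol, the SVA API or the B-Have/AVC engines, models that decision on the endpoint broker with constructed samples: a cloud-side lookup that either answers or is unreachable, a local engine made of a signature set plus a hypothetical content marker, and an endpoint-level verdict cache. Its point is the trade-off a defender has to plan for: a central-only endpoint has no fallback when the appliance is unreachable, and a hybrid endpoint that falls back to its local engine loses whatever only the central knowledge base knew.

```python
"""Toy model of the three scan modes named in the deck: central, hybrid and local.
Added example, not Bitdefender code: the sample bytes, "signature DB", heuristic marker
and verdict sources are constructed; nothing here is the NIMBUS protocol or the SVA API.
"""
import hashlib
from dataclasses import dataclass, field
from enum import Enum


class Mode(Enum):
    CENTRAL = "central"   # broker only: every verdict comes from the SVA/cloud
    HYBRID = "hybrid"     # ask the SVA first, fall back to the local engine
    LOCAL = "local"       # full local engine, no network dependency


class Verdict(Enum):
    CLEAN = "clean"
    MALICIOUS = "malicious"
    UNKNOWN = "unknown"


class CentralUnavailable(Exception):
    """The SVA/cloud could not answer (offline, or past a response deadline)."""


@dataclass
class CentralScanner:           # stand-in for the SVA + NIMBUS lookup
    known: dict                 # sha256 hex -> Verdict (constructed knowledge base)
    available: bool = True

    def lookup(self, digest: str) -> Verdict:
        if not self.available:
            raise CentralUnavailable(digest)
        return self.known.get(digest, Verdict.UNKNOWN)


@dataclass
class LocalScanner:             # stand-in for the offline signature DB plus heuristics
    signatures: set                                 # sha256 hex digests of known-bad files
    markers: tuple = (b"CONSTRUCTED-BAD-MARKER",)   # hypothetical heuristic, not B-Have/AVC

    def scan(self, content: bytes, digest: str) -> Verdict:
        if digest in self.signatures or any(m in content for m in self.markers):
            return Verdict.MALICIOUS
        return Verdict.CLEAN


@dataclass
class Broker:                   # endpoint-side gateway: picks the verdict source, caches it
    mode: Mode
    central: CentralScanner
    local: LocalScanner
    cache: dict = field(default_factory=dict)     # endpoint-level caching of verdicts
    sources: list = field(default_factory=list)   # where each verdict came from

    def scan(self, content: bytes) -> Verdict:
        digest = hashlib.sha256(content).hexdigest()
        if digest in self.cache:                  # cache hit: no engine work at all
            self.sources.append("cache")
            return self.cache[digest]
        if self.mode is Mode.LOCAL:
            verdict, source = self.local.scan(content, digest), "local"
        else:
            try:
                verdict, source = self.central.lookup(digest), "central"
                if verdict is Verdict.UNKNOWN and self.mode is Mode.HYBRID:
                    # Central has no opinion: a hybrid endpoint still runs its own engine.
                    verdict, source = self.local.scan(content, digest), "local-after-central"
            except CentralUnavailable:
                if self.mode is Mode.CENTRAL:
                    # No engine to fall back on: report the gap, never a silent CLEAN.
                    verdict, source = Verdict.UNKNOWN, "central-unavailable"
                else:
                    verdict, source = self.local.scan(content, digest), "local-fallback"
        self.sources.append(source)
        if verdict is not Verdict.UNKNOWN:        # never cache "don't know"
            self.cache[digest] = verdict
        return verdict


# Constructed samples: a benign file, one that only the cloud knows is bad, and one
# that the local heuristic catches on its own.
GOOD = b"quarterly report, nothing to see here"
CLOUD_KNOWN_BAD = b"sample that only the central knowledge base has seen"
HEURISTIC_BAD = b"dropper with CONSTRUCTED-BAD-MARKER embedded"


def build(mode: Mode, central_available: bool = True) -> Broker:
    known = {hashlib.sha256(GOOD).hexdigest(): Verdict.CLEAN,
             hashlib.sha256(CLOUD_KNOWN_BAD).hexdigest(): Verdict.MALICIOUS}
    return Broker(mode, CentralScanner(known, central_available), LocalScanner(set()))


def demo() -> dict:
    """Run the samples through each mode and report verdicts and their sources."""
    out = {}
    b = build(Mode.HYBRID)
    out["hybrid-online"] = [b.scan(f).value for f in (GOOD, CLOUD_KNOWN_BAD, HEURISTIC_BAD, GOOD)]
    out["hybrid-online-sources"] = list(b.sources)
    b = build(Mode.HYBRID, central_available=False)
    out["hybrid-offline"] = [b.scan(f).value for f in (GOOD, CLOUD_KNOWN_BAD, HEURISTIC_BAD)]
    b = build(Mode.CENTRAL, central_available=False)
    out["central-offline"] = [b.scan(GOOD).value]
    out["central-offline-sources"] = list(b.sources)
    b = build(Mode.LOCAL)
    out["local"] = [b.scan(f).value for f in (CLOUD_KNOWN_BAD, HEURISTIC_BAD)]
    return out
```

Calling `demo()` shows the pattern in the sources list: online hybrid endpoints answer from central, from the local engine only when central has no opinion, and from the cache on repeats; offline hybrid endpoints answer entirely from the local engine and miss the cloud-only sample; a central-only endpoint with no reachable appliance returns UNKNOWN. In a real deployment the count of "central-unavailable" verdicts is the number to alert on, since it measures exactly the blind spot that the "no engine on the endpoint" configuration creates.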
AV MANAGEMENT MADE EASY
GRAVITYZONE
VIRTUAL APPLIANCE BASED
Server Roles (GravityZone Virtual Appliance)
D – Database (MongoDB)
C – Communication Server
U – Update Server
M – Management Console
[Diagram 1: a single GravityZone Virtual Appliance on the LAN holding all four roles]
[Diagram 2: the D, M, U and C roles split across several GravityZone Virtual Appliances on the LAN]
[Diagram 3: D and M on a GravityZone Virtual Appliance in the LAN, U and C on a second appliance in the DMZ; remote devices and AWS-hosted machines reach it over the Internet (SSL)]
BITDEFENDER PROPOSAL AND SUMMATION
Near real-time protection against new threats using NIMBUS, B-Have and AVC
Option for “Security-as-a-Service”, using virtual appliances
• No AV maintenance needed on endpoints
• Remove single point of failure
• Provide load-balanced AV protection
• Minimal local resource consumption
• Support for all major operating systems – physical and virtual
Fast, scalable and flexible management with GravityZone, extending even to cloud providers such as Amazon, etc.
UNFOLLOW THE TRADITIONAL