Secure All your Cloud Workloads in a Modern Enterprise
Homogeneous Security for a Heterogeneous World
Kevin Stultz, Director of Product Management
Copyright © 2018 Symantec Corporation SYMANTEC PROPRIETARY- LIMITED USE ONLY
Problem: Cloud Breaks Traditional Approaches to Security and Infrastructure Management
Today’s Reality: “Hybrid Cloud” Data Centers
Evolution of Enterprise Data Center Platforms & Orchestration Tools
Platforms: Physical Data Center, Private Cloud, Public Cloud
Management models: Traditional / IT Ops Managed vs. Modern / DevOps Managed
Problem: Attacks Increasingly Targeting Cloud-based Resources and Infrastructure
COMPUTE ATTACK
Victim: Large Credit Reporting Agency
Target: Customer Database
Method of Attack:
• Unpatched Apache Struts vulnerability enabled compromise of corporate web servers
• Hackers drop bots and Bitcoin miners to steal sensitive data
Losses: Massive PII Data Breach
• Large fines and loss of credibility
• Loss of data integrity requiring complete restore and rebuild
STORAGE ATTACK
Victim: Unnamed Military Outfit
Target: Recruiting Applications
Method of Attack:
• Word Docs from military recruits accepted by front-end containers, then written to AWS S3 buckets
• Attacker used misconfigured desktop to access networks and S3 buckets
Losses: Sensitive PII Data Breach
• Military personnel records exposed
• Cleanup of S3 buckets infested with malware
What is Cloud-native Security?
Why Cloud is Different: The DevOps Cycle
Traditional / IT Ops (FIX):
1. Deploy software on server.
2. Update/remediate software when problems are detected.
Modern / DevOps (REPAVE):
1. Deploy immutable image.
2. Automatically repave image when problems are detected.
Traditional Security Tools Can’t Integrate with Modern DevOps Workflows
Why “Lift & Shift” Security Fails in Cloud Native
Traditional tools BREAK immutable workload requirements
Traditional tools BREAK auto-deployment workflows
DevOps: “I need immutable workloads with baked-in security for continuous release and auto-scaling.”
CISO / CIO: “I need secure, auto-deployed apps that enable agile business planning.”
Cloud-native Security that Supports Both Traditional and Modern Environments
The Solution: Symantec Cloud Workload Protection
Platforms: Physical Data Center, Private Cloud, Public Cloud
Management models: Traditional / IT Ops Managed vs. Modern / DevOps Managed
Symantec Cloud Workload Protection
Cloud-native Design Supports DevOps Workflows
How CWP Enables Security for Modern DevOps
CWP security controls are baked into images, satisfying immutability requirements
CWP single agent integrates into the deployment process, enabling auto-deployment workflows
What Protections Are Needed for Cloud Native Security?
Symantec Cloud Workload Protection
Compute Hardening:
• Real-time file integrity monitoring (RT-FIM) prevents unauthorized system changes
• OS hardening stops zero-day threats
• Unique application isolation blocks exploits targeting known and unknown vulnerabilities
• Protection and monitoring for Docker containers
Anti-malware:
For Compute:
• Multilayered cloud-native anti-malware scanning
• Prevents malware from infecting compute instances and servers
For Storage:
• Automatic and scheduled anti-malware scanning for AWS S3 buckets
• Prevents spread of malware between cloud-based applications and users
SINGLE AGENT, SINGLE CONSOLE
Unique: More Platforms, More Capabilities, More Clouds - Than Anyone Else!
Automatic and Scheduled Anti-malware Scanning for AWS S3 Buckets
Cloud Workload Protection for Storage
Elastic, Scalable Storage Protection
• Threat scanning infrastructure scales elastically for cost optimization
• Enables secure adoption of containers and serverless compute
• Ensures privacy of sensitive data during assessment
Customer Data Never Leaves Their Cloud
• Anti-malware scanning occurs entirely inside of the customer's cloud
Alerts to Prevent Public S3 Exposures
• Helps to protect against data breaches by discovering and alerting when S3 buckets are misconfigured or exposed to the public internet
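One way to produce the public-exposure alert this slide describes, as an added example that is not Symantec CWP code: it evaluates a bucket's ACL and bucket policy in the shape the AWS GetBucketAcl and GetBucketPolicy APIs return, flagging grants to the public grantee groups and unconditional Allow statements to a wildcard principal. The bucket inventory below is constructed for illustration.

```python
import json

# ACL grantee URIs that mean "everyone on the internet" / "any AWS account".
PUBLIC_GRANTEE_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}

def _principal_is_public(principal):
    """A policy Principal of "*" or {"AWS": "*"} grants access to anyone."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in ([aws] if isinstance(aws, str) else aws)
    return False

def public_exposures(bucket, acl, policy_json=None):
    """Findings for one bucket; an empty list means no public exposure was found."""
    findings = []
    for grant in acl.get("Grants", []):               # shape of GetBucketAcl output
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GRANTEE_URIS:
            who = grantee["URI"].rsplit("/", 1)[-1]
            findings.append(f"{bucket}: ACL grants {grant.get('Permission')} to {who}")
    for stmt in json.loads(policy_json or '{"Statement": []}').get("Statement", []):
        # A Condition (aws:SourceIp, aws:SourceVpce, ...) narrows the statement; not flagged here.
        if stmt.get("Effect") != "Allow" or stmt.get("Condition") or not _principal_is_public(stmt.get("Principal")):
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        findings.append(f"{bucket}: policy statement '{stmt.get('Sid', '?')}' allows {', '.join(actions)} to any principal")
    return findings

# Constructed sample inventory: private, public-read ACL, and wildcard-principal policy.
SAMPLE_BUCKETS = {
    "recruit-uploads": ({"Grants": [{"Grantee": {"Type": "CanonicalUser", "ID": "owner"},
                                     "Permission": "FULL_CONTROL"}]}, None),
    "recruit-public-acl": ({"Grants": [{"Grantee": {"Type": "Group",
                           "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
                           "Permission": "READ"}]}, None),
    "recruit-wildcard-policy": ({"Grants": []}, json.dumps({"Version": "2012-10-17", "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::recruit-wildcard-policy/*"}]})),
}

def audit(buckets=SAMPLE_BUCKETS):
    """bucket name -> findings, only for buckets with at least one exposure."""
    return {name: f for name, (acl, pol) in buckets.items() if (f := public_exposures(name, acl, pol))}
```

S3 Block Public Access settings at the account or bucket level override both ACLs and policies, so a production check reads those too before deciding whether to alert.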
CWP for Storage – Architecture
Architecture diagram. Inside the customer's AWS account: Controller, Protection Unit (Scanner), Discovery, KMS, DynamoDB, S3 Bucket, SQS, SNS, Load Balancer. Flows shown: file download, file metadata, notifications, bucket metadata. External: DLP Detection Service and DLP Enforce (DLP managed on premise). Console outputs: Assets / Buckets, Events, Alerts, Metering, Dashboards.
Single Pass multi-scan
Single Pass, Fully Assess:
• Permissions
• Anti-Malware
• Comprehensive Detection
Meet Regulatory Requirements:
• PCI
• GDPR
• HIPAA
• Data Residency
What’s Next:
• Data Classification and enforcement – In Beta
• Azure Blob – Customer Preview Next Month!
Enables DevOps Monitoring and/or Enforcement of Immutable Workloads
Cloud Workload Protection Hardening Controls
Also enables DevOps orchestration tools:
Real-time file integrity monitoring (RT-FIM)
• Noise free – if configuration changes, then redeploy
Full Application Control
• No shells – mitigates vulnerabilities
Application Isolation
• Completely Immutable – no unapproved activity
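The RT-FIM rule above (“if configuration changes, then redeploy”) and the repave-not-fix DevOps cycle from the earlier slide, as an added example that is not Symantec CWP code: baseline the image's files at deploy time, diff the live tree later, exclude an approved runtime-write set, and treat any other drift as a repave trigger rather than something to patch in place. The image root, the approved paths and the tampering scenario are constructed for illustration.

```python
import hashlib
import os
import tempfile
# Runtime paths the workload may write (constructed; a real allow-list comes from the deployment manifest).
APPROVED_WRITABLE = ("var/log/",)

def _sha256(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def baseline(root):
    """Snapshot {relative path: sha256} of every regular file under root, taken at deploy time."""
    snap = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            snap[os.path.relpath(full, root).replace(os.sep, "/")] = _sha256(full)
    return snap

def drift(root, snap):
    """Diff the live tree against the baseline; changes under APPROVED_WRITABLE are not drift."""
    now = baseline(root)
    watched = lambda p: not p.startswith(APPROVED_WRITABLE)
    return {
        "added": sorted(p for p in now.keys() - snap.keys() if watched(p)),
        "removed": sorted(p for p in snap.keys() - now.keys() if watched(p)),
        "modified": sorted(p for p in now.keys() & snap.keys() if now[p] != snap[p] and watched(p)),
    }

def action(d):
    return "REPAVE" if any(d.values()) else "OK"   # repave, don't fix: unapproved drift replaces the instance

def _write(root, rel, data):
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as f:
        f.write(data)

def demo():
    """Constructed scenario: deploy, an approved log write, then a config edit and a dropped file."""
    with tempfile.TemporaryDirectory() as root:
        _write(root, "etc/app.conf", b"port=8080\n")
        snap = baseline(root)                                    # taken from the golden image
        _write(root, "var/log/app.log", b"started\n")            # approved runtime write
        clean = drift(root, snap)
        _write(root, "etc/app.conf", b"port=8080\nadmin=1\n")    # unapproved config change
        _write(root, "tmp/miner", b"not-an-approved-binary")     # dropped file
        tampered = drift(root, snap)
    return action(clean), tampered, action(tampered)
```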
CWP Comprehensive Hardening Controls
REAL TIME FILE INTEGRITY MONITORING: Ensure only approved changes to critical infrastructure and application files
APPLICATION LEVEL FIREWALL: Reduce attack surface and stop advanced targeted threats
SYSTEM MONITORING: Detect and respond to abnormal behavior
OPERATING SYSTEM HARDENING: Protect against OS vulnerability exploits – no patching required
APPLICATION CONTROL: Ensure no new applications are introduced into production
APPLICATION ISOLATION: Protect against application vulnerabilities
IMMUTABLE WORKLOAD: 100% protection – no unauthorized activity allowed
Track record of stopping zero days: ZERO infections since introduced in 2005!
Enabling the Evolution to Immutable Workloads
IT OPS MANAGED: General Purpose Computing; Patch/Update; Bolt-on Security
CONTROLS: Anti-Malware, RT-FIM, App Control
DEVOPS MANAGED: Scalable Business Apps; Immutable/Replace; Built-in Security
CONTROLS: RT-FIM, OS Hardening, App Control, App Isolation
The Right Controls for BOTH DevOps and IT
Summary: Cloud Workload Protection
SINGLE AGENT, SINGLE CONSOLE
Thank you!