
Moving to Application-Centric Security Models

Scottie Ray—Staff Solutions Engineer


VMware Network & Security Virtualization
sray@vmware.com
@H20nly

©2018 VMware, Inc.


Software + (Hyper)Connectivity Are Fueling a Shift from Data Centers to Centers of Data
A New Approach is Needed to Support the Hyper Distribution of Apps and Data

SaaS, PaaS and IaaS spread across data center, cloud and edge / IoT: security and data everywhere.


Threat Landscape

Adversaries: Organized Crime, Nation States, Hacktivists
Targets: Agile Apps and Data
Data Center / Cloud Infrastructure (Compute, Storage, Network) and End User Infrastructure (Users, Devices, Access), both undergoing Modernization


Increase in Security Losses             26% (since 2014)     $600 Billion in 2017
Growth in Security Spend                10.2% (since 2017)   $91.4 Billion in 2018
Forecasted Growth in Overall IT Spend   4.5%                 $3.7 Trillion in 2018

Sources: Center for Strategic and International Studies, Economic Impact of Cybercrime, February 2018; IDC, Worldwide Semiannual Security Spending Guide, #US42570018, March 2018; Gartner Press Release, "Gartner Says Global IT Spending to Reach $3.7 Trillion in 2018", January 16, 2018.


The Response by Industry

The Importance of Context in Security


The Contextual Advantage

[Figure: floor plan of a home with Bedroom, Kitchen, Living Room, Playroom, Study, Master Bedroom, Courtyard, Outdoor Kitchen, Bathroom and Garage]


An Analogy of a System: Family

Understanding how your family uses your home, and using that context to shrink your attack surface.

[Figure: the same floor plan, now read in terms of which family member uses which room, and when]


Context Creates Advantage

Context about the family lets you do two things: Detect Threats and Shrink the Attack Surface.


We Keep All the Lights On, and All the Rooms Open

[Figure: the same floor plan with every room labelled only "Room": without context about how each room is used, every room gets the same treatment]


We See Security Through an Infrastructure Lens

Monitor the Perimeter for Threats
Monitor the Network for Threats
Monitor the Endpoint for Threats


If We Compartmentalize at All, It's Aligned to an Infrastructure Lens

[Figure: rooms grouped by type (Bedrooms, Bathrooms, Living Rooms, Kitchens) rather than by how the family uses them]


We Should Focus More on Core Protection Strategies
Gartner Market Guide for Cloud Workload Protection Platforms, Figure 1: Cloud Workload Protection Controls Hierarchy, © 2018 Gartner, Inc.

The hierarchy, read from the foundation upward (most to least critical):

Foundational
- Restricted Physical and Logical Perimeter Access
- Operations Hygiene: No arbitrary code, no email or web client; Admin Privilege Management; Change Management; Log Management

Core Server Protection Strategies
- Hardening, Configuration and Vulnerability Management
- Network Firewalling, Segmentation and Visibility
- System Integrity Monitoring / Management
- Application Control / Whitelisting
- Exploit Prevention / Memory Protection

Important, but often provided outside of CWPP
- IaaS Data at Rest Encryption

Optional Server Protection Strategies (less critical)
- Server Workload EDR, Behavioral Monitoring
- HIPS with Vulnerability Shielding
- Deception
- AV

Source: Gartner, Market Guide for Cloud Workload Protection Platforms, Neil MacDonald, March 26th 2018. Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner's research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose. This graphic was published by Gartner, Inc. as part of a larger research document and should be evaluated in the context of the entire document.
Changing the Data Center Security Model
From chasing bad to ensuring good

[Figure: "Chasing Bad" is drawn as an endless stream of binary labelled 75,000,000; "Ensuring Good" as a short stack of Processes on an OS labelled 200. The known-good set an application actually needs is orders of magnitude smaller than the set of threats it could face, which is why an intended-state (allowlist) model is more tractable than signature-based blocking.]


Protecting Applications in Virtualized and Cloud Environments

Learn: Capture & Analyze, producing the Manifest
Protect: Detect and Respond, using the Manifest
Secure infrastructure underneath: Compute, Data, Network; Users, Devices, Access


Capture & Analyze
Capture the purpose and intended state of applications and VMs

Learn phase: Capture & Analyze. Protect phase: Detect, Respond.

Inputs to the Intended State Engine: CI/CD Integration, Runtime Observation, App Templates/Definitions, Machine Learning
Output: the App Manifest, scoped to the application, built over the vCenter / ESX inventory


The Result: The App Manifest


Detect
Runtime application attestation and secure manifest store

[Figure: three VMs, each running its Processes on an OS. Each has an AppDefense Monitor that attests the running processes against that VM's Manifest; the Monitor and the Manifest sit in a Protected zone separate from the guest.]


Respond
Orchestrated incident response routines for the SOC

Secure infrastructure actions: Snapshot, Quarantine
Integrated ecosystem actions: Block/Alarm, Network Blocking
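The three phases above (Capture & Analyze, Detect, Respond), as an added example that is not VMware's AppDefense code: it learns a per-VM manifest of allowed binaries (by path and hash) and the outbound connections each may open from known-good observations, attests runtime events against that manifest with a default-deny rule, and maps every deviation to the response actions named on the Respond slide. The Event fields, VM names, hashes, addresses and the playbook mapping are assumptions made for this example; a real deployment keeps the manifest and the monitor outside the guest, as the Detect slide's protected zone shows, rather than in the same process as the workload.

```python
"""Added example (not VMware AppDefense code): learn an application's
intended state into a manifest, attest runtime events against it, and map
each deviation to a response action. Names, fields and sample events are
assumptions made for this example."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Event:
    """One observed process or connection in a VM (fields are assumed)."""
    vm: str
    process: str          # path of the executable
    sha256: str           # hash of the executable on disk
    dest: str = ""        # "host:port" of an outbound connection, "" if none
    proto: str = "tcp"


@dataclass
class Manifest:
    """Intended state of one VM: which binaries may run, and which
    outbound connections each of them may open."""
    vm: str
    processes: dict = field(default_factory=dict)    # path -> {sha256, ...}
    connections: dict = field(default_factory=dict)  # path -> {(dest, proto), ...}


def learn(events):
    """Learn phase: fold known-good observations (from CI/CD, templates or
    a monitored learning window) into one manifest per VM."""
    manifests = {}
    for e in events:
        m = manifests.setdefault(e.vm, Manifest(e.vm))
        m.processes.setdefault(e.process, set()).add(e.sha256)
        if e.dest:
            m.connections.setdefault(e.process, set()).add((e.dest, e.proto))
    return manifests


# Response playbook (assumed): which orchestrated actions each deviation
# type triggers. Action names follow the Respond slide.
PLAYBOOK = {
    "unknown_process": ["snapshot", "quarantine", "alarm"],
    "binary_modified": ["snapshot", "quarantine", "alarm"],
    "unexpected_connection": ["block", "alarm"],
    "unmanaged_vm": ["alarm"],
}


def attest(manifest, event):
    """Detect phase: return the deviation type, or None when the event is
    within the manifest. Default is deny: anything not learned is a deviation."""
    hashes = manifest.processes.get(event.process)
    if hashes is None:
        return "unknown_process"
    if event.sha256 not in hashes:
        return "binary_modified"
    if event.dest:
        allowed = manifest.connections.get(event.process, set())
        if (event.dest, event.proto) not in allowed:
            return "unexpected_connection"
    return None


def protect(manifests, runtime_events):
    """Protect phase: attest every runtime event and attach the playbook
    actions to each deviation. Returns a list of (event, deviation, actions)."""
    findings = []
    for e in runtime_events:
        m = manifests.get(e.vm)
        deviation = "unmanaged_vm" if m is None else attest(m, e)
        if deviation:
            findings.append((e, deviation, PLAYBOOK[deviation]))
    return findings


# Constructed sample data: a two-tier app observed during a clean window.
LEARNED = [
    Event("web-01", "/usr/sbin/nginx", "a1" * 32, "10.0.2.10:8080"),
    Event("app-01", "/usr/bin/java", "b2" * 32, "10.0.3.10:5432"),
    Event("app-01", "/usr/bin/java", "b2" * 32, "10.0.3.10:5432"),  # duplicates collapse
]

# Constructed runtime events: one expected, four deviations.
RUNTIME = [
    Event("web-01", "/usr/sbin/nginx", "a1" * 32, "10.0.2.10:8080"),   # expected
    Event("web-01", "/tmp/.x/miner", "c3" * 32, "203.0.113.5:4444"),   # dropped binary
    Event("app-01", "/usr/bin/java", "b2" * 32, "203.0.113.5:443"),    # exfil attempt
    Event("app-01", "/usr/bin/java", "d4" * 32, "10.0.3.10:5432"),     # binary replaced
    Event("db-99", "/usr/bin/psql", "e5" * 32),                        # VM with no manifest
]


def run_demo():
    """Learn from LEARNED, then protect RUNTIME; returns the findings."""
    return protect(learn(LEARNED), RUNTIME)


if __name__ == "__main__":
    for event, deviation, actions in run_demo():
        print(f"{event.vm:7} {deviation:22} {event.process:18} -> {', '.join(actions)}")
```

The expected nginx-to-app flow produces no finding; the dropped miner, the outbound connection to an unlearned address, the replaced Java binary and the VM with no manifest each produce one, and the playbook escalates the two cases that imply a foreign or altered binary (snapshot for forensics, then quarantine) while only blocking the connection-level deviation.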


Cyber Hygiene
Micro-Segmentation, Least Privilege, Encryption, Multi-Factor Authentication and Patching shrink the Attack Surface around Apps and Data; what Cyber Threats can still reach is the Residual Risk.


Security Controls

Teams: Arch/Eng, SOC, GRC
Domains: Compute, Data, Network, User, Device, SaaS

Control and Context for Apps and Data come from two layers over the Secure Infrastructure:
SDDC (Virtualization): Compute, Data, Network, delivered by AppDefense™ and NSX®
User Access Layer (Mobility): Users, Devices, Access, delivered by Workspace ONE™


Distributed Systems Require Distributed Control Points


At VMware: We Can Uniquely Leverage the Hypervisor

Application Isolation: the hypervisor sits outside the guest OS, so the control point cannot be tampered with from a compromised workload.
Automation: continuously compare what was provisioned with what is running.


Combining Organic Capabilities with Best of Breed across the Larger Ecosystem

[Figure: the NSX Network Virtualization Platform, with the Distributed Firewall (DFW) and a Partner Traffic Redirection Module on the VDS; traffic from a Guest VM is redirected through Partner Service 1 VM and Partner Service 2 VM before reaching the External Network]

Deploy: Provision and monitor uptime of different services, using one method.
Apply: Apply and visualize security policies for workloads, in one place.
Automate: Automate workflows across best-of-breed services, without custom integration.

Built-In Services: Firewall, Data Security (DLP), Server Activity Monitoring, VPN (IPsec, SSL)
Third-Party Services: Intrusion Prevention, Antivirus, DLP, Firewall, Security Policy Management, Vulnerability Management, Identity and Access Management, ...and more in progress


Move from "Network Centric" to "Mission Centric" Deployments

Traditional Data Center: a Perimeter firewall in front of a DMZ/Web VLAN, an Inside firewall, then an App VLAN, a Services/Management VLAN and a DB VLAN. Mission-A and Mission-B workloads share each VLAN (both web servers in the DMZ/Web VLAN, both Apps in the App VLAN, both DBs in the DB VLAN, both Services Mgmt hosts in the Services/Management VLAN), so segmentation follows the network tiers, not the applications.

NSX Data Center: behind the Perimeter firewall, workloads are grouped by mission. The Mission-A group holds its own DMZ/Web, App and DB; the Mission-B group holds its own DMZ/Web, App and DB; a Services/Management Group holds Mission-A Services Mgmt and Mission-B Services Mgmt. Policy is expressed per group, independent of VLAN placement.
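The two designs above, as an added example that is not NSX code: a network-centric policy keyed on VLAN pairs, where the inside firewall never sees traffic that stays within one VLAN, beside a mission-centric policy keyed on workload tags and evaluated at every workload with a default deny. The inventory, tag names, VLAN names, ports and flows are constructed for the example; the mission-centric rule set is deliberately written once for any mission, which is what lets the same policy serve Mission-A and Mission-B without per-VLAN rules.

```python
"""Added example (not NSX code): compare a network-centric policy, keyed on
VLANs, with a mission-centric policy, keyed on workload tags and enforced at
every workload. Tags, rules, inventory and flows are assumptions made for
this example."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Workload:
    name: str
    vlan: str            # placement in the traditional design
    tags: frozenset      # e.g. {"mission:A", "tier:web"}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    port: int


# Constructed inventory: two missions sharing the same VLANs.
INVENTORY = {w.name: w for w in [
    Workload("web-a", "dmz", frozenset({"mission:A", "tier:web"})),
    Workload("app-a", "app", frozenset({"mission:A", "tier:app"})),
    Workload("db-a", "db", frozenset({"mission:A", "tier:db"})),
    Workload("web-b", "dmz", frozenset({"mission:B", "tier:web"})),
    Workload("app-b", "app", frozenset({"mission:B", "tier:app"})),
    Workload("db-b", "db", frozenset({"mission:B", "tier:db"})),
    Workload("mgmt-a", "svc", frozenset({"mission:A", "group:mgmt"})),
]}

# Network-centric: the inside firewall only sees VLAN-to-VLAN traffic, so
# rules can only be written in terms of VLAN pairs.
VLAN_RULES = {("dmz", "app", 8080), ("app", "db", 5432),
              ("svc", "dmz", 22), ("svc", "app", 22), ("svc", "db", 22)}


def allowed_by_vlan(flow, inv=INVENTORY):
    """Traditional model: intra-VLAN traffic never reaches the firewall, so
    it is implicitly allowed; inter-VLAN traffic must match a VLAN-pair rule."""
    s, d = inv[flow.src], inv[flow.dst]
    if s.vlan == d.vlan:
        return True
    return (s.vlan, d.vlan, flow.port) in VLAN_RULES


@dataclass(frozen=True)
class TagRule:
    src_tags: frozenset         # matches when these are a subset of the source's tags
    dst_tags: frozenset         # same for the destination; empty set matches anything
    port: int
    same_mission: bool = True   # source and destination must carry the same mission tag


# Mission-centric: one rule set written against tier and group tags; it does
# not mention a VLAN or a mission by name, so it applies to every mission.
TAG_RULES = [
    TagRule(frozenset({"tier:web"}), frozenset({"tier:app"}), 8080),
    TagRule(frozenset({"tier:app"}), frozenset({"tier:db"}), 5432),
    TagRule(frozenset({"group:mgmt"}), frozenset(), 22),
]


def mission_of(w):
    return next((t for t in w.tags if t.startswith("mission:")), None)


def allowed_by_tags(flow, inv=INVENTORY, rules=TAG_RULES):
    """Distributed firewall model: every flow is checked at the workload,
    including flows inside one VLAN, and the default is deny."""
    s, d = inv[flow.src], inv[flow.dst]
    for r in rules:
        if r.port != flow.port or not r.src_tags <= s.tags or not r.dst_tags <= d.tags:
            continue
        if r.same_mission and mission_of(s) != mission_of(d):
            continue
        return True
    return False


# Constructed flows: two legitimate hops, three cross-mission attempts, one lateral move.
FLOWS = [
    Flow("web-a", "app-a", 8080),   # legitimate tier hop inside Mission-A
    Flow("web-a", "app-b", 8080),   # cross-mission: same VLAN pair, different mission
    Flow("app-a", "db-b", 5432),    # cross-mission read of Mission-B's database
    Flow("web-a", "web-b", 8080),   # lateral move inside the DMZ VLAN
    Flow("mgmt-a", "db-a", 22),     # management access inside Mission-A
    Flow("mgmt-a", "db-b", 22),     # management access crossing into Mission-B
]


def compare(flows=FLOWS):
    """Return {flow: (allowed_by_vlan, allowed_by_tags)} for each flow."""
    return {f: (allowed_by_vlan(f), allowed_by_tags(f)) for f in flows}


if __name__ == "__main__":
    for f, (v, t) in compare().items():
        print(f"{f.src:7}-> {f.dst:7}:{f.port:<5} vlan={'allow' if v else 'deny'}  tags={'allow' if t else 'deny'}")
```

The VLAN model allows all six flows: the three cross-mission flows match the same VLAN-pair rules as the legitimate ones, and the web-to-web lateral move never crosses the inside firewall at all. The tag model allows only the two flows whose source and destination share a mission tag and match a tier-to-tier rule.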
VMware Security Capabilities
Deeper Introspection & Strengthened Ecosystem

Sources of context:
In-Guest, via Endpoint Monitoring (EM): File / Binary, Proc / Exe, Socket
Network, via Application Rule Manager (ARM): L4 / 5-tuple, AppID-UserID
Inventory: vCenter, OpenStack, Cloud, Container

Action-Driven Context Triggers feed NSX Dynamic Rulesets and NSX Tags, Alerts, Logs. VMware AppDefense supplies the in-guest intended state; Partners add Anti-Malware / Advanced Threat Protection and NGFW / IPS.


Validate and Verify
Right user + right device + right app

[Figure: Apps and Data spread across Private Cloud, Public Cloud and SaaS, with an Insertion Point for policy between the user and each environment]


Integration into Operations


Review and Readiness
Collaboration Between Security Teams and Application Teams

Figure 2: DevSecOps: Secure Development as a Continuous Improvement Process, © 2017 Gartner, Inc.
[Figure: an infinity loop. Dev side: Plan, Create, Verify, Preprod, Release, with Continuous Integration, Continuous Delivery and Continuous Deployment. Ops side: Prevent, Detect, Respond, Predict, with Continuous Configuration, Continuous Monitoring, Monitoring and Analytics, Continuous Learning. Sec spans both sides; Continuous Improvement and Adapt close the loop.]

Source: Gartner, 10 Things to Get Right for Successful DevSecOps, Neil MacDonald, October 03 2017. Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner's research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose. This graphic was published by Gartner, Inc. as part of a larger research document and should be evaluated in the context of the entire document.
Security "Agility" in the View of VMware

- Integrate in the CI/CD pipeline to ingest application intended state and deviations from it
- Use the hypervisor as a distributed & isolated boundary
- Align network and segmentation controls with process behavior knowledge, in an automated fashion


Reducing the Clutter

[Figure: the Security Controls map (Arch/Eng, SOC, GRC across Compute, Data, Network, User, Device, SaaS) laid over the Momentum Partners Cyberscape 2017 vendor landscape. Control and Context for Apps and Data come from the SDDC (Compute, Network, Data) and the User Access Layer (Users, Devices, Access) on a Secure Infrastructure.]
Source: Momentum Partners Cyberscape 2017


Secure Infrastructure: Compute, Data, Network, Users, Devices, Access

Go beyond: Securing Cloud & Mobility
To using: Cloud & Mobility to Secure


Thanks
