SECURITY AT HOME AND SECURITY IN THE CLOUD

Petr Kadrmas | SE Eastern Europe

©2019 Check Point Software Technologies Ltd.


Post on 19-Sep-2019


Agenda

• Cloud Security vs Data Center Security
• Challenges for Security in Cloud
• Cloud Security with Check Point

Attacks Are On Rise Across Every Cloud

• Jan 19, 2017: Attackers start wiping data from CouchDB and Hadoop databases
• Feb 16 2017: The Era of Data-Jacking is Here. Are You Ready?
• Jul 12 2017: Misconfigured Amazon Storage Exposes 14 Million Verizon Customer Records
• Jul 12 2017: Cloud Security Failure: Millions of Wrestling Fans' Personal Data Exposed
• Jun 1 2017: Booz Allen Hamilton leaves 60,000 unsecured DOD files on AWS server
• Apr 3 2018: 37M Panera Bread customer records found to be exposed to all and sundry in the cloud
• Dec 19, 2017: 120 Million American Households Exposed In 'Massive' ConsumerView Database Leak
• Jul 17 2017: Dow Jones customer data exposed in cloud error

The security boundary has moved

From the old… To the new…

What problems are we trying to solve?

• Controlling at the perimeter is no longer enough

• Cloud services are inherently internet facing

• Where does my responsibility lie?

• What does the cloud provider manage for me?

Why Cloud?

Cloud is "easy"

• Agility / Time to Market
• Focus on the core business rather than IT
• Easier to innovate (IaaS and PaaS as service)

But also risky

• With agility come risks
• More developers touch systems previously handled by security professionals
• CI/CD: Speed and DevOps (and especially both combined) are risky for security

The CISO’s Nightmare

• Distributed and Departmental
• BU budgets and credit cards
• Lack of visibility
• Lack of governance
• On-prem methodologies don’t work in the cloud
• To stay relevant they have to support cloud adoption and have tools in place

What challenges lie ahead

• Attack Surface
• Visibility
• Security in CI/CD
• Continuous Compliance


The new cloud perimeters

• Data perimeters

– Allowing unauthorised users to read / modify or delete your private data

• Compute perimeters

– Allowing external entities to run code in your environment

• Messaging perimeters

– Allowing external entities to receive / send messages to private systems

• Identity perimeter

– Allowing external entities full control over your virtualized data centre

Cloud Security is a Shared Responsibility

“Through 2022, at least 95% of cloud security failures will be the customer’s fault.” GARTNER

[Diagram: responsibility layers shown across IaaS, PaaS and SaaS: Customer Content; Applications; IAM (Users, Roles, Permissions); Platform; Encryption, Network Traffic Protection, Operating System; Compute, Storage+DB, Network; Facilities]


Increased need for Visibility

Cloud Network Security Visualization

Clarity

Visibility into cloud network topology and analysis of native control configuration

Analyzing Cloud Traffic Is Hard

2 270870580655 eni-6d25f24c 172.31.100.49 178.137.87.242 80 57379 6 15 1843 1496697675 1496697715 ACCEPT OK

• VPC Flow Log version: 2
• AWS Account: 270870580655
• Elastic Network Interface: eni-6d25f24c
• Source IP: 172.31.100.49
• Destination IP: 178.137.87.242
• Source Port: 80
• Destination Port: 57379
• IP Protocol: 6
• Number of Packets: 15
• Bytes: 1843
• Timeframe (in seconds): 1496697675 1496697715
• SG or NACL action: ACCEPT
• Log Status: OK

Lambda Function is talking to a known malicious destination

Lambda function is sending outbound traffic over port 80 to a malicious IP address 178.137.87.242
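The record on this slide, parsed and checked against a threat list, as an added example that is not part of the original slides. It assumes the AWS default (version 2) field order that the slide labels; the `KNOWN_BAD` set, the helper names and all sample records other than the first are constructed for illustration.

```python
import ipaddress

# Default (version 2) VPC Flow Log field order, matching the slide's labels.
FIELDS = ("version", "account_id", "interface_id", "srcaddr", "dstaddr",
          "srcport", "dstport", "protocol", "packets", "bytes",
          "start", "end", "action", "log_status")
INT_FIELDS = ("srcport", "dstport", "protocol", "packets", "bytes", "start", "end")
PROTOCOLS = {1: "icmp", 6: "tcp", 17: "udp"}

# Constructed threat list: only the address the slide calls malicious.
KNOWN_BAD = {ipaddress.ip_address("178.137.87.242")}

# First line is the slide's record; the other three are constructed samples.
SAMPLE = [
    "2 270870580655 eni-6d25f24c 172.31.100.49 178.137.87.242 80 57379 6 15 1843 1496697675 1496697715 ACCEPT OK",
    "2 000000000000 eni-00000001 172.31.100.50 198.51.100.7 44321 443 6 9 1200 1496697675 1496697700 ACCEPT OK",
    "2 000000000000 eni-00000002 178.137.87.242 172.31.100.51 40000 22 6 3 180 1496697675 1496697690 REJECT OK",
    "2 000000000000 eni-00000003 - - - - - - - 1496697675 1496697715 - NODATA",
]


def parse_flow_record(line):
    """Parse one default-format record; return None if it carries no flow data."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}")
    rec = dict(zip(FIELDS, parts))
    if rec["version"] != "2":
        raise ValueError("only the version 2 default format is handled")
    if rec["log_status"] in ("NODATA", "SKIPDATA"):
        return None  # the flow fields are "-" in these records
    for key in INT_FIELDS:
        rec[key] = int(rec[key])
    rec["srcaddr"] = ipaddress.ip_address(rec["srcaddr"])
    rec["dstaddr"] = ipaddress.ip_address(rec["dstaddr"])
    return rec


def enrich(rec, known_bad=KNOWN_BAD):
    """Add the context the raw line lacks: peer, protocol name, duration, verdict."""
    # Each direction of a connection is logged as its own record, so a listed
    # address can show up as either source or destination.
    peers = [a for a in (rec["srcaddr"], rec["dstaddr"]) if a in known_bad]
    if not peers:
        return None
    # Heuristic: the private-range side is the workload behind the interface.
    local = rec["srcaddr"] if rec["srcaddr"].is_private else rec["dstaddr"]
    return {
        "interface": rec["interface_id"],
        "local_addr": str(local),
        "peer": str(peers[0]),
        "protocol": PROTOCOLS.get(rec["protocol"], str(rec["protocol"])),
        "bytes": rec["bytes"],
        "duration_s": rec["end"] - rec["start"],
        # ACCEPT means the security group / NACL let the traffic through.
        "allowed": rec["action"] == "ACCEPT",
    }


def triage(lines, known_bad=KNOWN_BAD):
    """Return enriched findings for every flow that touches a listed address."""
    findings = []
    for line in lines:
        rec = parse_flow_record(line)
        if rec is None:
            continue
        info = enrich(rec, known_bad)
        if info is not None:
            findings.append(info)
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```

Findings with `allowed` set to true are the ones to investigate first; a rejected flow to or from the same address shows the control worked but is still worth correlating.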

CloudGuard Log.ic: Context-Aware Security Intelligence

• Enriched FlowLogs
• Visual Traffic Map
• Detailed Properties
• Canned & Custom Queries


Security in CI/CD Pipeline


System Development Life Cycle

“…high-performing development teams spend 50 percent less time remediating security issues” when they address security throughout the SDLC, instead of “retrofitting security at the end.”

Puppet 2016 State of DevOps Report

1. Planning

2. Systems Analysis and Requirements

3. Systems Design

4. Development

5. Integration and Testing

6. Implementation

7. Operations and Maintenance

• SDLC methodologies:

Waterfall, Agile, Lean (Kanban), Iterative, Prototyping, DevOps, Spiral or V-model?


CI/CD

• Continuous integration is the practice of constantly merging development work with a Master/Trunk/Mainline branch so that you can test changes and test that those changes work with other changes.

• Continuous delivery is the continual delivery of code to an environment once the developer feels the code is ready to ship - this could be UAT, staging or production.

• Continuous deployment is the deployment or release of code to production as soon as it’s ready.


Traditional Security is Not Built for CI/CD

Problem

• Security checks happen at the end of SDLC. Any issue sends product back to development causing delays

• Manual, siloed approach to security hardening robs DevOps of its agility

• Organizations forced to trade off agility for security

Security and Compliance Testing in CI/CD Pipeline

[Diagram labels: Dome9, Log.ic, IaaS]


Dome9 Delivers Security at the Speed of DevOps

1. Validation Before Deployment: Test security and compliance posture prior to deployment

2. Automated Testing During Development: Use Dome9 API to incorporate testing of security best practices and compliance early into the build process

3. Secure Deployment: Maintain a closed-by-default security posture during deployment

4. Actionable Alerts: Streamline alerts with machine intelligence to make them more actionable

The Cloud Attack Surface

Assets

Network

Control Plane

Identity

Data

Servers and services

CloudGuard Family for Complete Cloud Security

[Product labels: Dome9, ACI, IaaS]

• Security Posture, Compliance and Active Remediation
• Workload & Network Security for Private Cloud
• Workload & Network Security for Public Cloud
• Cloud Application Threat Prevention

Protect The Network

• Examples of Network Attacks:
– Man-in-the-middle & Eavesdropping
– Denial of Service
– SQL injection & XSS
– Scanning and Brute Forcing
– Lateral Movement from the Edge

• Best Practices:
– Advanced Threat Prevention
– Real time Network Analysis and Threat Intelligence
– Segmentation: Macro and Micro
– Consistent policies across virtualized and cloud controls

IaaS Cloud Security Blueprint

• Simplified and systematic security architecture
• “template-ize” security across multiple cloud platforms
• Product alignment that focuses on cloud
• Security at the speed of DevOps, DevSecOps


Alternative Design


More Granular segmentation

PREVENT LATERAL THREATS BETWEEN APPLICATIONS

• Application Control
• Threat Emulation
• IPS
• Antivirus
• Firewall
• Identity Awareness
• DLP
• Networking and Clustering
• Anti-Bot

CLOUDGUARD ADAPTIVE SECURITY

Drag & Drop dynamic policy with cloud objects

Check Point Access Policy

Rule  From                        To                          Application  Action
3     Web_SecurityGroup (Object)  DB_VM (Object)              MSSQL        Allow
4     CRM_SecurityGroup (Object)  SAP_SecurityGroup (Object)  CRM          Allow
5     AWS_VPC (Object)            Azure_VNET (Object)         ADFS         Allow

TRUSTED ORCHESTRATION WITH R80 APIs

Check Point is the only security that is designed for cloud orchestration:

1. Policy with granular delegation privileges (per rule)

2. Policy that allows simultaneous changes

Protect Identities

• Examples of Identity Attacks
– Brute-force Password
– Phishing
– SMS Spoofing
– Endpoint Compromise

• Examples of Best Practices
– Strong password policy, Rotation & MFA
– Principle of “Least Privilege”
– “Just-in-time” Authorization
– Endpoint Hardening

Identity Protection with CloudGuard

1. Identity Protection for SaaS and IaaS: Block account takeovers with behavior analytics and CloudGuard ID-Guard

2. Privileged Identity protection with Dome9: Protect privileged accounts from causing catastrophic consequences

3. Phishing Protection for SaaS: Detect and block attempts at phishing, spear phishing and email spoofing

PREVENT ACCOUNT TAKEOVER WITH CLOUDGUARD SAAS IDENTITY PROTECTION

• Only users and devices with ID-Guard endpoint agent can log in
• Malicious login prevented even if the hacker has correct credentials
• No user involvement

[Diagram labels: Employee; Hacker; Stolen ID; Identify Device; Accesses App; Identity Server (ADFS, AzureAD, Okta)]

PRIVILEGED IDENTITY PROTECTION

CLOUDGUARD DOME9

Minimize the blast radius in the event of privileged account takeover

Enable just-in-time privilege elevation for protected actions

• Out-of-band authorization from a mobile device for critical permissions that can have catastrophic impact
• Audited tamper protection from suspicious activity for IAM

PHISHING PROTECTION

CLOUDGUARD SAAS

Stop sophisticated phishing attacks, spear phishing, email spoofing

Leverage AI engines for a higher catch-rate

• Catch malicious emails analyzing hundreds of content indicators
• Identify dangerous email sources with advanced URL filtering

Protecting the Cloud Control Plane

• Examples of Cloud Control Plane Attacks
– S3 bucket data extraction
– RDS data exposure
– Instance Takeover & Spawning for Cryptojacking
– DDoS Relay

• Examples of Best Practices
– Continuous Compliance
– Service Discovery
– Integration with Cloud Provider feeds
– Active Prevention through Auto Remediation

Control Plane Security with CloudGuard

1. Visibility of assets and security posture: Quickly identify misconfigurations

2. Continuous compliance: Continuously assess and enforce security best practices and compliance standards

3. Cloud Security Intelligence: Protect against threats and intrusions with actionable threat intelligence


Continuous Compliance and Remediation

Audit Coming Up!

Continuous Compliance – 24/7 Protection

• Over 2,000 security checks out of the box
• Continuous Assessments
• Natural language for custom policies

Cloud Compliance and Governance

Compliance Engine

• Continuously validate your cloud security posture against PCI-DSS, HIPAA, GDPR, NIST, CIS and more

• Easily customizable governance language to build your own policy

• Out of the box auto-remediation actions like suspend user or quarantine server

CloudBots Automatic Remediation

Completely Customizable and at your service!

• Quarantine an Instance
• Make a Storage Bucket Private
• Suspend a User or a Role
• Turn CloudTrail On
• Encrypt a Database
• Force Password Change
• Rotate Encryption Keys


Security for Cloud SaaS applications

CLOUDGUARD SAAS

MORE THAN JUST A CASB

CLOUDGUARD SAAS

Prevent targeted attacks on SaaS applications and cloud-based email

• Zero-day Threat Protection
• Identity Protection
• Phishing Protection
• Easy Visibility & Control

HOW IT WORKS

[Diagram labels: Security Gateway; SAAS PROVIDERS; API & AD; CloudGuard SaaS]

SECURITY STACK

• Prevent Account Takeovers
• Data Leak Prevention
• Reveal Shadow IT
• Documents encryption
• Zero-day Threats Protection

The Power of THREATCLOUD

• 86 Billion Transactions/Day
• Inspect 4 Million Files / Day
• Detect 5000 Zero-days / Day

THE EMAIL PROBLEM – PHISHING

• Unexpected Money
• Personal touch (Spear/BEC)
• The Urgent Request


PHISHING PROTECTION

CLOUDGUARD SAAS


Suspicious body text language

Subject language often used for phishing

Sent to a senior recipient

Low traffic website

Sender’s name has brand-related text

+300 more email indicators

PHISHING

Credentials Phishing

Financial Scam

Spear Phishing

Whaling

ZERO-DAY THREAT PROTECTION

CLOUDGUARD SAAS

Prevent malware and zero-day threats from attacking SaaS users

‘Most Effective Breach Prevention’

• Protect email attachments, and file downloads on Office365, G-Suite, Box, OneDrive, Salesforce
• Block threats before they reach users, deliver safe content in seconds

THREAT EMULATION SANDBOX POWERED BY 30 ENGINES

• Dropped File Emulation
• Shellcode Detector
• DGA Generator
• Icon Similarity
• Link Scanner
• Virtual Network Service
• Evasion Detection
• SMEP Detector
• DeepScan
• UAC Monitor
• FP Guard
• Network Activity Monitor
• Decoys
• Image Sanitation
• Macro Analysis
• Static Analyzer
• Human Interaction Simulator

AND DOZENS MORE TECHNOLOGIES…

CPU-LEVEL, PUSH-FORWARD, CONTEXT-AWARE

THINK OUTSIDE THE

FILE SHARING APPLICATIONS

[Chart, scale 0 to 5. Labels: Amount of users; Exposure & Connectivity; Content; Use cases; Data Security; Threat Protection; Compliance; Files. Annotations: Quite popular, not a killer; Invite-based; Agnostic, but limited to files]


STOP SHARING OF INFECTED FILES

ALL ATTACKS START WITH ACCOUNT TAKEOVER

IDENTITY PROTECTION

CLOUDGUARD SAAS


Eliminate primary SaaS threat with transparent, strong authentication

Prevent account takeovers on any SaaS application

• Block unauthorized user access and logins from compromised devices: mobile and PCs
• Identify imposturous access using a centralized, hassle-free Multi-Factor Authentication

THANK YOU!
