Secure SD-WAN service from IBM Security
TRANSCRIPT
Ben Hendrick, Partner & Global Competency Leader, Infrastructure & Endpoint Security (IES)
July 24, 2017
2 IBM Security
Flat networks
Security infra sprawl
Simplified, agile management
Secure end-to-end fabric
Zero Trust Security is the guiding principle made possible by next generation architectures and technologies now available to clients
• Security is an enabler for the SDx infrastructure changes
• Enhanced security can be enabled by these SDx changes in the infrastructure
CURRENT STATE: Perimeter-Centric, Boundaries, and Trusted
FUTURE STATE: Private and Public Cloud, Virtualized, Boundary-less, Software Defined, and Zero Trust
IBM Security will help you in partnership with your infrastructure teams to:
Design and prove
• Build a business case
• Create a macro design
Integrate and test
• Develop a micro design
• Execute an implementation plan
Manage and optimize
• Run a healthy security infrastructure
• Respond to changes
Security
Thought Leadership White Paper
Rein in “box sprawl” with an end-to-end Zero Trust approach to security
Deploy strong segmentation and encryption to ensure coherent data protection, enterprise-wide
Key links on the new Secure SD-WAN Solution
• http://www-03.ibm.com/security/services/managed-security-services/sd-wan/ (Main Public – IBM Portal for Secure SD-WAN)
• https://youtu.be/bUlAAHcM5j4 (John Wheeler – VP) Overview of Infrastructure and Endpoint Security video
• https://youtu.be/BrZWscc_Syk (Ben Hendrick – IES Partner) Overview of Zero Trust Security video
• https://securityintelligence.com/secure-sd-wan-the-first-step-toward-zero-trust-security/ (Ben Hendrick – Global IES Partner Blog)
• https://securityintelligence.com/events/zero-trust-security-for-the-infrastructure-and-endpoint/ (External Webinar)
An integrated and intelligent security immune system
Criminal detection
Fraud protection
Workload protection
Cloud access security broker
Access management
Entitlements and roles
Privileged identity management
Identity management
Data access control
Application security management
Application scanning
Data monitoring
Device management
Transaction protection
Content security
Malware protection
Antivirus
Endpoint patching and management
Virtual patching
Firewalls
Network forensics and threat management
Sandboxing
Network visibility and segmentation
Indicators of compromise
IP reputation
Threat sharing
Vulnerability management
Incident response
Threat hunting and investigation
User behavior analysis
Cognitive security
Threat and anomaly detection
Introducing Secure SD-WAN from IBM Security
Enhance the security, performance and agility of your Wide Area Network (WAN) and accelerate your journey to the cloud by partnering with IBM Security to introduce security-rich software-defined technology that can work with your current network infrastructure to:
• Improve network security
• Reduce network connectivity costs
• Optimize network and application performance
• Accelerate hybrid cloud adoption
Benefits of Secure SD-WAN
• Low impact to existing operations; no expensive “rip and replace” required
• Immediate security improvement
• Flexible delivery models and platforms
• Increased network visibility to security
• All circuit paths are encrypted at all times
• Applications run faster, as application routing always uses the fastest and lowest latency path available
• Cloud access is enabled and optimized; multi-cloud services are secured and protected
• Can be combined with IBM Security’s Managed Security Services (MSS) for a complete end-to-end security solution
IBM Security Hub – Reference Model Baseline
[Figure: reference model diagram. Recoverable labels follow.]
Layers: Security Hub Governance; Security Hub Operations; Security Hub Technology
Cyber-Security Command Center (CSCC): Executive Security Intelligence Briefings; Local Reg. Security Oversight; SOC Governance; Consolidated Security Analytics & Dashboards; Local/Reg. Intel. Briefings
SOC Service Delivery Management: Service Level Management; Operational Efficiency; Service Reporting; Escalation
Sec. Integration; Security Intelligence; Security Analytics; Projects and Admin. Support; Threat Monitoring; Threat Triage; Threat Response; CSIRT Management
SOC Platform Components: Big Data; BI Tools; SIEM; Portal; Use Case Library; Integration Tool; Response Procedure Tool; Ticketing & Workflow
Security Hub Input Sources: Active Directory/LDAP | Network Security | Unstructured Data | Reference Data
Other labels: Corporate; Business Units; Legal, Audit; IT Ops; OT Ops; Business Ops; Emergency Response
Legend: MSS; IES
No matter where you are in your SD-WAN journey, IBM Security can help
• Onsite workshop
• Network assessment
• Business case creation
• Architectural design
• Proof of concept
• Quality Assurance Testing
• Documentation creation and review
• Create and execute implementation plan
• Transition to steady state
• Full monitoring and management from IBM Managed Security Services
• Client-managed
• Ongoing vulnerability and penetration testing services from IBM X-Force Red
Phases: Plan & design | Implement | Manage & optimize
Secure SD-WAN: Edge Delivery Model
• Branch office firewall
• IPSec between branch offices
• Secure Transport Overlay over any type of WAN
• Scalable Cloud VPN for secure connectivity to any destination
• Extensible Network Segmentation to Enterprise datacenter and Cloud
• Integrated Application Firewall for Branch security
• Virtual Services Edge Platform for adding 3rd party Secure VNFs
Security features
Circuit Costs: MPLS vs Hybrid vs Commercial Broadband
Source: Telegeography.com – Broadband vs. MPLS pricing for San Francisco Q4 2014.
Median monthly price: 10-20 Mbps Broadband $110/month, 10 Mbps MPLS IP VPN + Local Access $2,100/month
[Figure: bar chart, Monthly Cost Per Site]
• MPLS Only: ~$2100/Month (~$2,520,000)
• Hybrid: ~$1100/Month (~$1,200,000)
• Dual Internet: ~$220/Month (~$264,000)
Secure SD-WAN: Security as a Service
[Figure: Secure SD-WAN Security as a Service architecture. Recoverable labels follow.]
Customer edge: Branch office; Wireless centric site; Legacy site; Remote user
Edge device: Legacy MPLS; IBM MWS; MSS SD-WAN
WAN transport: Internet; VPN; MPLS; MPLS/direct
Security hub: IBM peering point; Secure VPN; Edge device; Optional – QRadar (SIEM, flow, forensics)
Cloud resources: Internet; SoftLayer; Watson IoT; Azure; AWS
Available Security Features
• Next Gen firewall
• IPS
• Anti-spam
• URL Filtering
• Malware / AV detection
• Command & control traffic detection
• Geo IP blocking
• SSL VPN
• IPSec
• Dynamic routing (eBGP, iBGP, OSPF)
• QoS
• User FW with machine identification
• SSL forward proxy
Case Study – Before
• Client relied exclusively on expensive private MPLS circuits for communications between regional datacenters and branch offices
• Updates/changes had to be propagated separately via each datacenter/branch office cluster, thus introducing significant risk of inconsistent network security controls
[Figure: nine datacenters, DC #1 through DC #9, each labelled Internet, 100% MPLS and Branches]
• Getting a comprehensive view of the effectiveness of access control policies and network/application usage was nearly impossible
• Network bandwidth could not be optimized at an enterprise level
• Advanced security, Unified Threat Management (UTM) and analytics capabilities were not enabled throughout the enterprise
Case Study – After
• Security is centralized and standardized across five “hubs”, improving the client’s security posture and reducing end-user time needed to access cloud applications. The hubs are integrated back into the client’s Active Directory infrastructure to ensure proper user authentication.
• SIEM analytics is performed against all traffic and alerts are prioritized and acted upon according to corporate policy
[Figure: network diagram. Labels: Internet; Cloud services; IBM Secure SD-WAN; Client datacenters; MPLS; Internet IP-Sec; Branches; 70% of network traffic; 30% of network traffic]
• 70% of network traffic is now routed over the internet via secure IP-SEC tunnels, reducing the need for private MPLS circuits and significantly reducing circuit costs
• Network traffic is optimized by always routing across the best available connection
• Data center consolidation and transformation activities can now be performed by the client without having to alter security infrastructure
IBM Security – Integrated Consulting and Managed Security Services
Unparalleled Expertise
• Access to a global network of recognized security experts
• Deep industry service delivery experience across numerous types of operations
• Ability to lead and execute large, transformational projects
Integrated Approach
• Integrated portfolio of security services and technology
• Open ecosystem with 100+ technology partners and 30+ services partners
• 800+ technical vendor and 150+ professional security certifications
Best-in-class Managed Security Services
• IBM X-Force® Exchange and Threat Research teams providing zero-day threat alerts to clients
• 1400+ employees serving 130+ countries, with a 95% retention rate
• 35 billion+ security events analyzed daily across 4,500+ global clients
A global leader in network innovation
• #1 in enterprise security software and services*
• 7,500+ people
• 12,000+ customers
• 133 countries
• 3,500+ security patents
• 15 acquisitions since 2005
*According to Technology Business Research, Inc. (TBR) 2016