Slide 1 (©2019 Check Point Software Technologies Ltd.)
SECURITY AT HOME AND SECURITY IN THE CLOUD
Petr Kadrmas | SE Eastern Europe
Slide 2 ([Internal Use] for Check Point employees)
Agenda
• Cloud Security vs Data Center Security
• Challenges for Security in Cloud
• Cloud Security with Check Point
Slide 3
Attacks Are On the Rise Across Every Cloud
• Jan 19, 2017: Attackers start wiping data from CouchDB and Hadoop databases
• Feb 16, 2017: The Era of Data-Jacking is Here. Are You Ready?
• Jul 12, 2017: Misconfigured Amazon Storage Exposes 14 Million Verizon Customer Records
• Jul 12, 2017: Cloud Security Failure: Millions of Wrestling Fans' Personal Data Exposed
• Jun 1, 2017: Booz Allen Hamilton leaves 60,000 unsecured DOD files on AWS server
• Apr 3, 2018: 37M Panera Bread customer records found to be exposed to all and sundry in the cloud
• Dec 19, 2017: 120 Million American Households Exposed In 'Massive' ConsumerView Database Leak
• Jul 17, 2017: Dow Jones customer data exposed in cloud error
Slide 4 ([Restricted] for designated teams)
What problems are we trying to solve?
The security boundary has moved: from the old… to the new…
• Controlling at the perimeter is no longer enough
• Cloud services are inherently internet facing
• Where does my responsibility lie?
• What does the cloud provider manage for me?
Slide 5
Why Cloud?
Cloud is "easy":
• Agility / Time to Market
• Focus on the core business rather than IT
• Easier to innovate (IaaS and PaaS as a service)
But also risky:
• With agility come risks
• More developers touch systems previously handled by security professionals
• CI/CD: Speed and DevOps (and especially both combined) are risky for security
Slide 6
The CISO's Nightmare
• Distributed and Departmental
• BU budgets and credit cards
• Lack of visibility
• Lack of governance
• On-prem methodologies don't work in the cloud
• To stay relevant they have to support the cloud adoption and have tools in place
Slide 7
What challenges lie ahead
• Attack Surface
• Visibility
• Security in CI/CD
• Continuous Compliance
Slide 8
The new cloud perimeters
• Data perimeters
– Allowing unauthorised users to read / modify or delete your private data
• Compute perimeters
– Allowing external entities to run code in your environment
• Messaging perimeters
– Allowing external entities to receive / send messages to private systems
• Identity perimeter
– Allowing external entities full control over your virtualized data centre
Slide 9
Cloud Security is a Shared Responsibility
(Diagram: shared-responsibility stack across the IaaS, PaaS and SaaS models. Layers shown: Facilities; Compute, Storage+DB, Network; Encryption, Network Traffic Protection, Operating System; Platform; Applications; IAM (Users, Roles, Permissions); Customer Content.)
"Through 2022, at least 95% of cloud security failures will be the customer's fault." (Gartner)
Slide 10
Increased need for Visibility
Slide 11
Cloud Network Security Visualization
Clarity: Visibility into cloud network topology and analysis of native control configuration
Slide 12
Analyzing Cloud Traffic Is Hard
Sample VPC Flow Log record:
2 270870580655 eni-6d25f24c 172.31.100.49 178.137.87.242 80 57379 6 15 1843 1496697675 1496697715 ACCEPT OK
Field breakdown:
VPC Flow Log version: 2
AWS Account: 270870580655
Elastic Network Interface: eni-6d25f24c
Source IP: 172.31.100.49
Destination IP: 178.137.87.242
Source Port: 80
Destination Port: 57379
IP Protocol: 6 (TCP)
Number of Packets: 15
Bytes: 1843
Timeframe (in seconds): 1496697675 to 1496697715
SG or NACL action: ACCEPT
Log Status: OK
What the record actually means: a Lambda function is talking to a known malicious destination, sending outbound traffic over port 80 to the malicious IP address 178.137.87.242.
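The field breakdown above is the kind of enrichment a detection pipeline has to do by hand before a flow log line becomes actionable. The following parser and check is an added example written for this page, not Check Point or AWS code; it reuses the record and the IP the slide labels malicious, while the blocklist, the benign flow and the NODATA row are constructed for the demonstration.

```python
from typing import Optional

# Field order of a version-2 AWS VPC Flow Log record (the default format).
FIELDS = ("version", "account_id", "interface_id", "srcaddr", "dstaddr",
          "srcport", "dstport", "protocol", "packets", "bytes",
          "start", "end", "action", "log_status")
INT_FIELDS = {"version", "srcport", "dstport", "protocol",
              "packets", "bytes", "start", "end"}
# Constructed blocklist: the first entry is the address the slide labels
# malicious, the second is a placeholder from the documentation range.
KNOWN_MALICIOUS = {"178.137.87.242", "203.0.113.7"}

def parse_flow_log(line: str) -> dict:
    """Split one space-separated v2 record into a dict with typed numeric fields."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}")
    rec = dict(zip(FIELDS, parts))
    if rec["log_status"] != "OK":   # NODATA / SKIPDATA rows carry '-' placeholders
        return rec
    for key in INT_FIELDS:
        rec[key] = int(rec[key])
    rec["duration_s"] = rec["end"] - rec["start"]
    return rec

def classify(rec: dict) -> Optional[str]:
    """Return a finding for accepted flows that touch a known-malicious peer."""
    if rec["log_status"] != "OK" or rec["action"] != "ACCEPT":
        return None
    if rec["dstaddr"] in KNOWN_MALICIOUS:
        return (f"{rec['interface_id']} sent {rec['bytes']} bytes outbound to "
                f"malicious {rec['dstaddr']} (src port {rec['srcport']}, "
                f"dst port {rec['dstport']}) over {rec['duration_s']}s")
    if rec["srcaddr"] in KNOWN_MALICIOUS:
        return f"{rec['interface_id']} accepted inbound traffic from malicious {rec['srcaddr']}"
    return None

def scan(lines) -> list:
    """Run the check over raw log lines, skipping blank ones."""
    return [f for f in (classify(parse_flow_log(l)) for l in lines if l.strip()) if f]

# Constructed sample: the deck's record, a benign internal flow and a NODATA row.
SAMPLE_LOG = """\
2 270870580655 eni-6d25f24c 172.31.100.49 178.137.87.242 80 57379 6 15 1843 1496697675 1496697715 ACCEPT OK
2 270870580655 eni-6d25f24c 172.31.100.49 172.31.100.12 443 51022 6 20 4096 1496697675 1496697735 ACCEPT OK
2 270870580655 eni-6d25f24c - - - - - - - 1496697675 1496697735 - NODATA
"""
```

Mapping the interface id back to the Lambda function that owns it is a separate lookup against the account's ENI inventory, which is the "context" the next slide's product adds on top of the raw record.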
Slide 13
CloudGuard Log.ic: Context-Aware Security Intelligence
• Enriched Flow Logs
• Visual Traffic Map
• Detailed Properties
• Canned & Custom Queries
Slide 14
Security in CI/CD Pipeline
Slide 15
System Development Life Cycle
1. Planning
2. Systems Analysis and Requirements
3. Systems Design
4. Development
5. Integration and Testing
6. Implementation
7. Operations and Maintenance
• SDLC methodologies: Waterfall, Agile, Lean (Kanban), Iterative, Prototyping, DevOps, Spiral or V-model?
"…high-performing development teams spend 50 percent less time remediating security issues" when they address security throughout the SDLC, instead of "retrofitting security at the end." (Puppet 2016 State of DevOps Report)
Slide 16
CI/CD
• Continuous integration is the practice of constantly merging development work with a Master/Trunk/Mainline branch so that you can test changes and test that those changes work with other changes.
• Continuous delivery is the continual delivery of code to an environment once the developer feels the code is ready to ship - this could be UAT, staging or production.
• Continuous deployment is the deployment or release of code to production as soon as it’s ready.
Slide 17
Traditional Security is Not Built for CI/CD
Problem
• Security checks happen at the end of SDLC. Any issue sends product back to development causing delays
• Manual, siloed approach to security hardening robs DevOps of its agility
• Organizations forced to trade off agility for security
Slide 18
Security and Compliance Testing in CI/CD Pipeline
(Same problem statement as the previous slide; the diagram shows Dome9 and Log.ic positioned within the IaaS pipeline.)
Slide 19
Dome9 Delivers Security at the Speed of DevOps
1. Validation Before Deployment: Test security and compliance posture prior to deployment
2. Automated Testing During Development: Use the Dome9 API to incorporate testing of security best practices and compliance early into the build process
3. Secure Deployment: Maintain a closed-by-default security posture during deployment
4. Actionable Alerts: Streamline alerts with machine intelligence to make them more actionable
Slide 20
The Cloud Attack Surface
• Assets
• Network
• Control Plane
• Identity
• Data
• Servers and services
Slide 21
CloudGuard Family for Complete Cloud Security
(Diagram of the CloudGuard family with Dome9, ACI and IaaS icons.)
• Security Posture, Compliance and Active Remediation
• Workload & Network Security for Private Cloud
• Workload & Network Security for Public Cloud
• Cloud Application Threat Prevention
Slide 22
Protect The Network
• Examples of Network Attacks:
– Man-in-the-middle & Eavesdropping
– Denial of Service
– SQL injection & XSS
– Scanning and Brute Forcing
– Lateral Movement from the Edge
• Best Practices:
– Advanced Threat Prevention
– Real-time Network Analysis and Threat Intelligence
– Segmentation: Macro and Micro
– Consistent policies across virtualized and cloud controls
Slide 23
IaaS Cloud Security Blueprint
• Simplified and systematic security architecture
• "Template-ize" security across multiple cloud platforms
• Product alignment that focuses on cloud
• Security at the speed of DevOps, DevSecOps
Slide 24
Alternative Design
More granular segmentation
Slide 25
PREVENT LATERAL THREATS BETWEEN APPLICATIONS
Available protections: Application Control, Threat Emulation, IPS, Antivirus, Firewall, Identity Awareness, DLP, Networking and Clustering, Anti-Bot
Slide 26
CLOUDGUARD ADAPTIVE SECURITY
Check Point Access Policy
Rule | From | To | Application | Action
3 | Web_SecurityGroup (Object) | DB_VM (Object) | MSSQL | Allow
4 | CRM_SecurityGroup (Object) | SAP_SecurityGroup (Object) | CRM | Allow
5 | AWS_VPC (Object) | Azure_VNET (Object) | ADFS | Allow
Drag & Drop dynamic policy with cloud objects
Slide 27
TRUSTED ORCHESTRATION WITH R80 APIs
Check Point is the only security solution that is designed for cloud orchestration:
1. Policy with granular delegation privileges (per rule)
2. Policy that allows simultaneous changes
Slide 28
Protect Identities
• Examples of Identity Attacks:
– Brute-force Password
– Phishing
– SMS Spoofing
– Endpoint Compromise
• Examples of Best Practices:
– Strong password policy, Rotation & MFA
– Principle of "Least Privilege"
– "Just-in-time" Authorization
– Endpoint Hardening
Slide 29
Identity Protection with CloudGuard
1. Identity Protection for SaaS and IaaS: Block account takeovers with behavior analytics and CloudGuard ID-Guard
2. Privileged Identity protection with Dome9: Protect privileged accounts from causing catastrophic consequences
3. Phishing Protection for SaaS: Detect and block attempts at phishing, spear phishing and email spoofing
Slide 30
PREVENT ACCOUNT TAKEOVER WITH CLOUDGUARD SAAS IDENTITY PROTECTION
(Diagram: an Employee and a Hacker holding a Stolen ID both access the App through the Identity Server (ADFS, AzureAD, Okta); the "Identify Device" step lets only the employee's login through.)
• Only users and devices with the ID-Guard endpoint agent can log in
• Malicious login prevented even if the hacker has correct credentials
• No user involvement
Slide 31
PRIVILEGED IDENTITY PROTECTION
CLOUDGUARD DOME9
Minimize the blast radius in the event of privileged account takeover
Enable just-in-time privilege elevation for protected actions
• Out-of-band authorization from a mobile device for critical permissions that can have catastrophic impact
• Audited tamper protection from suspicious activity for IAM
Slide 32
PHISHING PROTECTION
CLOUDGUARD SAAS
Stop sophisticated phishing attacks, spear phishing, email spoofing
Leverage AI engines for a higher catch-rate
• Catch malicious emails by analyzing hundreds of content indicators
• Identify dangerous email sources with advanced URL filtering
Slide 33
Protecting the Cloud Control Plane
• Examples of Cloud Control Plane Attacks:
– S3 bucket data extraction
– RDS data exposure
– Instance Takeover & Spawning for Cryptojacking
– DDoS Relay
• Examples of Best Practices:
– Continuous Compliance
– Service Discovery
– Integration with Cloud Provider feeds
– Active Prevention through Auto Remediation
Slide 34
Control Plane Security with CloudGuard
1. Visibility of assets and security posture: Quickly identify misconfigurations
2. Continuous compliance: Continuously assess and enforce security best practices and compliance standards
3. Cloud Security Intelligence: Protect against threats and intrusions with actionable threat intelligence
Slide 35
Continuous Compliance and Remediation
Audit Coming Up!
Slide 36
Continuous Compliance – 24/7 Protection
• Over 2,000 security checks out of the box
• Continuous Assessments
• Natural language for custom policies
Slide 37
Cloud Compliance and Governance
Compliance Engine
• Continuously validate your cloud security posture against PCI-DSS, HIPAA, GDPR, NIST, CIS and more
• Easily customizable governance language to build your own policy
• Out of the box auto-remediation actions like suspend user or quarantine server
Slide 38
CloudBots Automatic Remediation
• Quarantine an Instance
• Make a Storage Bucket Private
• Suspend a User or a Role
• Turn CloudTrail On
• Encrypt a Database
• Force Password Change
• Rotate Encryption Keys
Completely Customizable and at your service!
Slide 39
Security for Cloud SaaS applications
CLOUDGUARD SAAS
Slide 40
MORE THAN JUST A CASB
CLOUDGUARD SAAS
• Zero-day Threat Protection
• Identity Protection
• Phishing Protection
• Easy Visibility & Control
Prevent targeted attacks on SaaS applications and cloud-based email
Slide 41
HOW IT WORKS
(Diagram: CloudGuard SaaS sits between the SaaS providers and the security stack / Security Gateway, connected via API & AD. Capabilities shown: Prevent Account Takeovers; Data Leak Prevention; Reveal Shadow IT; Documents encryption; Zero-day Threats Protection.)
Slide 42
The Power of THREATCLOUD
• 86 Billion Transactions / Day
• Inspect 4 Million Files / Day
• Detect 5,000 Zero-days / Day
Slide 43
THE EMAIL PROBLEM – PHISHING
• Unexpected Money
• Personal touch (Spear/BEC)
• The Urgent Request
Slide 44
PHISHING PROTECTION
CLOUDGUARD SAAS
Phishing types covered: Credentials Phishing, Financial Scam, Spear Phishing, Whaling
Example indicators:
• Suspicious body text language
• Subject language often used for phishing
• Sent to a senior recipient
• Low traffic website
• Sender's name has brand-related text
• +300 more email indicators
Slide 45
ZERO-DAY THREAT PROTECTION
CLOUDGUARD SAAS
Prevent malware and zero-day threats from attacking SaaS users
'Most Effective Breach Prevention'
• Protect email attachments and file downloads on Office365, G-Suite, Box, OneDrive, Salesforce
• Block threats before they reach users, deliver safe content in seconds
Slide 46
THREAT EMULATION SANDBOX POWERED BY 30 ENGINES
CPU-LEVEL, PUSH-FORWARD, CONTEXT-AWARE
Engines: Dropped File Emulation, Shellcode Detector, DGA Generator, Icon Similarity, Link Scanner, Virtual Network Service, Evasion Detection, SMEP Detector, DeepScan, UAC Monitor, FP Guard, Network Activity Monitor, Decoys, Image Sanitation, Macro Analysis, Static Analyzer, Human Interaction Simulator
AND DOZENS MORE TECHNOLOGIES…
Slide 47
THINK OUTSIDE THE FILE SHARING APPLICATIONS
(Chart: file sharing applications rated 0 to 5 on Data Security, Threat Protection and Compliance. Rows: Amount of users: Quite popular, not a killer; Exposure & Connectivity: Invite-based; Content: Files; Use cases: Agnostic, but limited to files.)
Slide 48
STOP SHARING OF INFECTED FILES
Slide 49
ALL ATTACKS START WITH ACCOUNT TAKEOVER
Slide 50
IDENTITY PROTECTION
CLOUDGUARD SAAS
Eliminate the primary SaaS threat with transparent, strong authentication
Prevent account takeovers on any SaaS application
• Block unauthorized user access and logins from compromised devices: mobile and PCs
• Identify impostor access using a centralized, hassle-free Multi-Factor Authentication
Slide 51
THANK YOU!