This year at RSA 2017, we caught up with VP Cloud Research Mark Nunnikhoven to get his insights on trends and challenges the modern security team is facing and the steps we can take towards a more secure and layered approach to hybrid cloud security. Whether you’re moving to cloud, your DevOps team is feeling the pressure of security responsibilities, or you can’t determine if the latest “silver bullet” solution is what you really need, Mark provides the answers to your burning security questions.
Here are some great takeaways from the interview to help you answer your hybrid cloud security questions.
More and more we see DevOps teams feeling overwhelmed by the challenges of increasing responsibilities with fewer resources. What can your security vendor do to help balance the load?
There is currently an overload in messaging from all vendors, but you can’t rely on one thing and have to look to your security best practices. Advanced techniques like machine learning can help, but if you can catch a problem with a simple check of what’s known good or known bad, why wouldn’t you go for the simpler solution?
“Machine learning” is the newest fad in security, but the definition isn’t always so clear. How do you define machine learning and what is it doing to improve security?
It’s a big buzzword right now in security, but it isn’t even a new tool to Trend. Machine learning, to the IEEE Computational Society and tech communities, is clearly defined. The simple result is setting up a computer program that will be able to look at something and make a decision whether it matches a known set of something or not. Over time the model learns and will be able to make judgements based on its learnings.
With that understanding of machine learning, it’s easy to understand why others might consider it to be the be-all end-all solution. Why might it not be enough?
Nothing is perfect. Even the best trained machine learning models are only in the high 90’s for accuracy. You can’t expect there to be a one-trick pony solution for security. When responsible for a customer’s data, you can’t responsibly protect it with one tool. People have made those controls, people make mistakes.
You’ve been hit with ransomware. What are the steps you should take in the first 24 hours?
It depends what level of user you are. Hopefully you’ve taken the steps to back up your data and apply basic security controls. While it’s hard to give generic advice, if you have been breached, the easiest thing you can do is disconnect your system from the network, but leave it on. Once you’ve disconnected, you prevent further damage, but if you turn it off, you can actually increase the damage. Then get in touch with an expert, IT help desk, consulting companies, or service providers. But leave it as is! This gives a better chance of recovering your data. This is a nightmare scenario. Ideally it is better to take the preventative measures up front.
Many teams are making the move to a hybrid cloud environment. What can security vendors be doing to help with that move and make the transition easier?
What people need to realize up front is that it’s not a spontaneous move; it’s a transition that applies to both security and operations. Look at where you want to be in the cloud and your ideal end state, and the tools needed to make that change, and start applying those changes today in your data center. The faster you can get your teams used to those new tools and skill sets as you migrate your assets out to the cloud, the smoother the transition will be.
As more and more organizations are starting to realize, hybrid cloud is already happening and will continue to evolve as we strive to find better, faster and more efficient ways to store and share data. Not unlike the great cities of our world, we often see old and new side by side – the ancient architectures of yesterday nestled next to the futuristic glass skyscrapers of tomorrow.
When it comes to securing your on-premise and virtual environments it may seem like you’ve got it all figured out, but what happens as we move along the server evolution and bring environments like the cloud and containers into the mix? In an effort to be agile and cost efficient many organizations are using these new environments but may not have the protection to match.
Bridging the hybrid cloud
We are very excited to announce the release of Deep Security 10 powered by XGen™ security. Deep Security 10 continues to embrace the challenge of hybrid cloud, delivering enhancements designed to give you even more visibility across all of your environments—physical, virtual, cloud, and now containers. You’re working to leverage these environments to support your business – and that business needs to be protected.
The first step is visibility. With the new smart folders feature, applications that span different infrastructures can be treated as one using a smart attribute-based grouping system. Now you can manage applications across vastly different infrastructure platforms as if they were one, be it physical, virtual or cloud.
Next, let’s talk about layered security. Deep Security 10 is powered by XGen™ Security, a blend of cross-generational threat defense techniques. Deep Security leverages server-centric threat defense techniques from tried and true technologies like intrusion prevention, anti-malware, and application control right up to the most leading threat defense techniques like sandbox analysis, machine learning and behavioral analysis to guard against the most sophisticated threats.
New in Deep Security 10, we introduce behavioral monitoring capabilities, which can identify changes in installed software and/or changes in system files. These enhanced protection capabilities for Windows environments, including new ransomware capabilities, protection against unauthorized encryption, and new real-time memory scanning, combine to deliver more advanced layered security protection across Windows environments and your entire hybrid cloud.
This new release adds many integration and management enhancements, including faster connection and time to protection for Azure workloads, along with support for the latest Azure account format, Azure Resource Manager v2 (ARM). It also expands beyond server workloads to protect Docker containers, leveraging proven techniques like anti-malware, IPS and application control to protect dynamic container deployments.
Security that fits your environment, and your team.
Deep Security 10 has at its core the support for flexible deployment, hybrid policy management, support for auto-scaling, and blue/green deployments. We understand how to secure the long-standing physical servers, right up to the ephemeral servers living for mere minutes or even seconds in the cloud. This includes consumption-based licensing options for truly dynamic workloads that you can find in the Azure Marketplace and by using our Deep Security as a Service product. No matter how you manage security, Deep Security is designed to support the traditional IT security model or the latest DevSecOps – or both!
Stay tuned for the general availability of Deep Security 10 this March, and be sure to check back here often for new updates and releases about your favorite hybrid cloud security tool for Azure!
Breaking down gateway and host-based security approaches in the cloud.
For most organizations, moving to the cloud has become a requirement, not an option. In the cloud, many of the same security controls are required, but how they are delivered needs to change in order to fit into the agile cloud environment and DevOps methodologies. In the data center, security controls are delivered at the perimeter, either using hardware security appliances for firewall or intrusion detection and prevention (IDS/IPS), or through software (agents) on the servers themselves, such as anti-malware or file integrity monitoring. In the cloud, security is a shared responsibility, which means that both the cloud provider and the cloud user share responsibilities for providing protection. Cloud providers like Azure provide immense physical data center security and processes, which is great for cloud users as it takes a lot of work off their plate. But it also means that cloud users can’t bring hardware firewall or IPS devices to the cloud, as they don’t have access to the physical servers. That leaves two options for controls like IPS:
- Gateway or virtual appliance
- Host-based with security software (agent) running on each workload
To get a better idea of the different approaches let’s dive into an example of IDS/IPS architecture in the cloud, as it is one of the security controls that most organizations have and it is often required for compliance.
Intrusion Detection and Prevention (IDS/IPS) Overview
Intrusion Detection Systems (IDS) were the first generation of network security controls. A reactive control, an IDS would alert you when a breach or attack occurred so you could investigate. Intrusion Prevention Systems (IPS) overtook IDS in popularity because of their ability to proactively block attacks, not just react to them. IDS/IPS systems for data centers were network-based and consisted of dedicated hardware appliances whose performance and throughput depended on the size of the network interface, CPU and memory.
Virtual Appliance (Gateway) Approach
Using the security virtual appliance deployment model there are two methods in which IDS/IPS can be used. Method 1 requires software to be deployed to each instance in order to send a copy of the network traffic to the appliance for inspection. Method 2 requires routing configuration changes to be made in order for the security virtual appliance to inspect the traffic. Figure 1 illustrates both deployment scenarios.
Figure 1: Security Virtual appliance
Host-based Security Approach
The other option is to deploy software (also known as an agent) onto each workload. This allows the security policies to be tailored to the specific software executing on that server. This removes the need to have generic or extraneous rules running and taking up resources. For instance, with Trend Micro Deep Security you can run a Recommendation Scan that quickly determines the specific rules needed to protect the instance, depending on the OS or patches applied. Additionally, the deployment of security software and policies can be automated for environments with auto-scaling requirements using configuration management tools such as Chef, Puppet or OpsWorks. This approach is illustrated in Figure 2. A host-based approach fits seamlessly with your existing deployment workflow.
Figure 2: Host-based IPS from Deep Security
One of the biggest architectural problems with network-based IDS/IPS is the use of encryption to protect network traffic. This security practice protects the contents of network traffic but it makes it difficult or impossible to analyze traffic and detect exploits. With host-based IDS/IPS, network encryption is less of an issue as the host decrypts traffic before it is analyzed. The following is a summary comparison of the different methods, which can be used to deploy IDS/IPS protection for cloud instances.
| | Virtual Appliance (Method 1 Inline) | Virtual Appliance (Method 2 Tap) | Host-based Security |
|---|---|---|---|
| Scaling | Parallel to the workload | In proportion to the workload | With the workload |
| Protection | Detect | Generic protection | Customized protection |
Although both security virtual appliances and host-based software can be used to deliver IDS/IPS in the cloud, there is a strong argument that a host-based approach is easier and more cost effective.
- Host-based security can be deployed with automation tools like Chef or Puppet.
- Host-based controls seamlessly auto-scale to thousands of instances without requiring additional virtual appliances or managers to be added.
- A host-based approach reduces resource requirements as there is no duplication of traffic and no specialized instance is required for a virtual appliance.
- Eliminates the requirement to configure SSL/TLS to decrypt and analyze network traffic.
- Host-based security enables controls and policies to be customized for each workload.
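As an added illustration of the customized-versus-generic protection argument above (example code written for this page, not Deep Security’s own code or algorithm), here is a hypothetical recommendation-scan selector in Python: a host agent that knows the OS, installed services and applied patches loads only the rules that apply, while a gateway appliance with no host context must carry the whole catalogue. All rule ids, service names and patch identifiers are constructed placeholders.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Rule:
    """One IPS rule from a constructed catalogue (stand-in for a vendor feed)."""
    rule_id: str
    os_family: str       # "windows", "linux", or "*" for any OS
    software: str        # service the rule protects, or "*" for OS-level rules
    fixed_by: str = ""   # patch id that makes the rule redundant once applied


@dataclass
class Host:
    """What a host agent can see that a network appliance cannot."""
    name: str
    os_family: str
    software: set = field(default_factory=set)   # installed/listening services
    patches: set = field(default_factory=set)    # applied patch identifiers


# Constructed sample catalogue; ids and patch names are placeholders.
CATALOG = [
    Rule("R-001", "windows", "smb", fixed_by="KB-PLACEHOLDER-1"),
    Rule("R-002", "windows", "rdp"),
    Rule("R-003", "linux", "sshd"),
    Rule("R-004", "*", "httpd"),
    Rule("R-005", "linux", "*"),
    Rule("R-006", "windows", "iis"),
]


def gateway_rules(catalog=CATALOG):
    """A virtual appliance sees packets, not hosts, so it must carry every rule."""
    return [r.rule_id for r in catalog]


def recommended_rules(host, catalog=CATALOG):
    """Keep only rules that match the host's OS and installed software, and
    drop rules whose vulnerability the host has already patched."""
    chosen = []
    for r in catalog:
        if r.os_family not in ("*", host.os_family):
            continue                       # rule is for a different OS
        if r.software != "*" and r.software not in host.software:
            continue                       # protected service is not present
        if r.fixed_by and r.fixed_by in host.patches:
            continue                       # already fixed by an applied patch
        chosen.append(r.rule_id)
    return chosen
```

A Linux web host with sshd and httpd ends up with three rules out of six, and a patched Windows host with only RDP exposed ends up with one, while the gateway model has to run all six for every workload behind it.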
Healthcare application vendors are innovating with new technology to provide new services that improve patient engagement and access to knowledge and healthcare, all while protecting sensitive data.
In this white paper you will learn the risks that healthcare organizations face when deploying in a cloud or hybrid cloud environment, discover how cyberattackers are accessing sensitive information, and how to prevent such security breaches.
Register to download this free white paper where MedITology Services outlines the technology options for storing and sharing sensitive healthcare data, and how to choose which security service is right for you.
Trend Micro Deep Security enables you to manage a broad set of security capabilities across multiple environments from a single integrated console.
See which hybrid architecture is right for you.
- Typical enterprise VDI use case yields 44% ROI and 16-month payback period.
- Typical enterprise cloud-centric use case yields 181% ROI and seven-month payback period.
- Typical enterprise server (non-VDI) virtualization use case yields 163% ROI and five-month payback period.
Trend Micro™ Deep Security™ is a comprehensive security platform that protects your critical data and applications, across physical, virtual, and cloud environments while addressing 9 of 12 PCI DSS control categories.
Watch our video to understand the importance of PCI DSS compliance for your business and how Deep Security for Azure can help accelerate your compliance requirements.
Download the PCI DSS white paper now to find your way out of the PCI DSS compliance maze.