A Tale of Software-Defined & Adaptive Security
Sebastien Tandel, sta@hpe.com
slideshare.net/standel
Sébastien Tandel
– Working within HPE Aruba CTO as a Principal Architect
– Technologist with sound business knowledge
– Software engineer with sound knowledge of hardware
– Product focused although experienced in all innovation waves (research & advanced development)
– Driving programs from Software-Defined Infrastructure & Intelligent Edge to Security Analytics
– Contributions in several aspects of SDN / NFV since 2010
– First Software-Defined Lync demo @ ONS’13
– First Software-Defined Security demo (IPS coupled to security analytics) @ ONS’14
– First HW accelerated SFC (MAC Chaining) including legacy physical SFCs demo @ Sigcomm’16
– Distributed Software-Defined Load Balancer, IoT Universal Profiler (identification & anomaly behavior detection)
Views and opinions expressed are my own and do not necessarily reflect the views or opinions of my employer.
2
Outline
– Software-Defined Security : from legacy Security Sensor to “as a Service” model
– Physical µVNF : cost-performance evidence
– Security as a Software-Defined and Adaptive Overlay
– Security as a first-class citizen of the Intelligent Edge
– Key Takeaways
Confidential 3
Motivations : Security SaaS & Threat Intelligence
– By 2017, 75% of large enterprises will receive custom threat intelligence information
   – one of the fastest-growing data-as-a-service (DaaS) offerings on the 3rd Platform
   – will require a software platform for full visibility and integration of data
   – need to share info [between security products] and automatically respond
– By 2018, 33% [of security solutions] will be delivered by SaaS or hosted
   – more innovation, agility, and effectiveness from IT security to remain competitive
   – transformation challenges IT organizations to deliver all services using in-house staff
   – demand for security professionals far exceeds supply
   – most security solutions will be hybrid [on-premises / cloud-based SaaS]
– By 2019, +30% of the largest vendors' investments will have shifted from cloud-first to cloud-only
– By 2020, a corporate "no-cloud" policy will be as rare as a "no-Internet" policy is today
   – hybrid will be the most common use of the cloud
Software-Defined Security : A Tale of a legacy IPS becoming an IPS as a Service
5
Intrusion Prevention System (IPS) 101
6
[Figure: an inline Intrusion Prevention System receives clean & malicious traffic, matches it against its attack signature set, and lets only clean traffic through.]
IPS Challenges: Coverage
– IPS commonly placed only on critical segments (major aggregation/core locations)
– No coverage of East-West traffic
– BYOD / IoT weakening the security perimeter
– No scale-out model, weak resilience model
7
7
Software-Defined Security: IPS as a Service (IPSaaS)
Creating a Security Control plane
8
[Figure: Device 1, Device 2 and Device 3 attach to two switches; an IPSaaS app on the SDN Controller dynamically sets up a service function chain (SFC) that redirects selected traffic from the switches to the IPS.]
• The IPS may be physical or virtual
• On- or off-premises
• Beware of bandwidth and latency!
Software-Defined Security : Security Sensor as a Service model
Flexible, Resilient and Dynamic
1. Flexible security sensor placement: traffic is dynamically redirected to the right security sensor
   – Easy to scale out by simply adding a security sensor anywhere in the infrastructure
   – Resilient security infrastructure with dynamic fast failover in case of failures
2. Enabling new dynamic policies. Specifically for IPS as a Service:
   1. Full Inline Inspection: permanent inspection of critical assets (~= legacy mode), although dynamically configured
   2. New Device Onboarding: inspect a device for a period of time once it connects
   3. Time-Slice Auditing: opportunistic inspection of non-critical assets, leveraging otherwise free IPS resources
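The three dynamic policies above, worked through as a small IPSaaS controller-app scheduler (an added example, not code from the deck or from HPE): critical assets are always redirected, newly connected devices are inspected for an onboarding window, and non-critical devices share the leftover IPS capacity round-robin per time slice. Sensor and device names, sites, rates and the 600 s onboarding window are constructed assumptions.

```python
"""IPSaaS controller-app scheduler (added example, not code from the deck).

Policies implemented, as on the slide:
  - Full Inline Inspection: critical assets are always redirected to an IPS
  - New Device Onboarding: a device is inspected for a window after it connects
  - Time-Slice Auditing: non-critical devices are inspected opportunistically
    with whatever IPS capacity is left, rotating round-robin per time slice
Sensor/device names, sites, capacities and the window are constructed assumptions.
"""
from dataclasses import dataclass

ONBOARDING_WINDOW_S = 600  # assumption: inspect a newly connected device for 10 minutes


@dataclass
class Sensor:
    name: str
    site: str             # switch/site the sensor is attached to
    capacity_gbps: float  # max inspection throughput
    load_gbps: float = 0.0


@dataclass
class Device:
    name: str
    site: str
    critical: bool
    connected_at: float  # epoch seconds
    rate_gbps: float     # expected traffic volume to redirect


def pick_sensor(sensors, device):
    """Least-loaded sensor with headroom, preferring the device's own site so the
    redirection does not cross a WAN (the slide's bandwidth/latency caveat)."""
    fit = [s for s in sensors if s.capacity_gbps - s.load_gbps >= device.rate_gbps]
    if not fit:
        return None
    fit.sort(key=lambda s: (s.site != device.site, s.load_gbps))
    return fit[0]


def schedule(devices, sensors, now, audit_cursor=0):
    """Compute redirection rules for one time slice.

    Returns (rules, next_cursor): rules maps device name to (sensor name, policy),
    next_cursor is where the round-robin auditor resumes in the next slice.
    """
    for s in sensors:
        s.load_gbps = 0.0
    rules = {}
    # Mandatory inspection first: critical assets, then devices still onboarding.
    mandatory = [d for d in devices
                 if d.critical or now - d.connected_at < ONBOARDING_WINDOW_S]
    for d in sorted(mandatory, key=lambda d: not d.critical):
        s = pick_sensor(sensors, d)
        if s is None:
            rules[d.name] = (None, "uninspected: no capacity")  # alarm condition
            continue
        s.load_gbps += d.rate_gbps
        rules[d.name] = (s.name, "full-inline" if d.critical else "onboarding")
    # Opportunistic auditing fills the remaining capacity, round-robin so every
    # non-critical device eventually gets its time slice.
    auditable = [d for d in devices if d.name not in rules]
    n = len(auditable)
    scheduled = 0
    for i in range(n):
        d = auditable[(audit_cursor + i) % n]
        s = pick_sensor(sensors, d)
        if s is None:
            break  # keep the order: the unserved device goes first next slice
        s.load_gbps += d.rate_gbps
        rules[d.name] = (s.name, "time-slice-audit")
        scheduled += 1
    next_cursor = (audit_cursor + scheduled) % n if n else 0
    return rules, next_cursor


# Constructed sample topology: two 2 Gb/s IPS sensors, one per site.
SENSORS = [Sensor("ips-a", "site-1", 2.0), Sensor("ips-b", "site-2", 2.0)]
DEVICES = [
    Device("erp-db", "site-1", True, 0, 1.0),          # critical asset
    Device("byod-phone", "site-1", False, 1000, 0.3),  # connected at t=1000
    Device("printer", "site-2", False, 0, 0.4),
    Device("iot-cam", "site-2", False, 0, 0.6),
    Device("hr-laptop", "site-1", False, 0, 0.5),
    Device("guest-tablet", "site-2", False, 0, 1.2),
]

if __name__ == "__main__":
    cursor = 0
    for slice_no in range(2):
        rules, cursor = schedule(DEVICES, SENSORS, now=1100, audit_cursor=cursor)
        print(f"slice {slice_no}: {rules}")
```

Running two slices at t=1100 shows hr-laptop audited in the first slice and guest-tablet in the second, while erp-db stays inline and byod-phone is onboarded until t=1600.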
Physical µVNF : cost-performance evidence
10
IPS Cost Spectrum
11
IPS              Max inspection throughput (Gb/s)   Listing price (US$)   US$ per Gb/s of inspection
TPT S7500        20                                 500000                25000
Snort (4 proc)   2                                  10000                 5000

Tipping Point (TPT) IPS
+ State-of-the-art product performance
- Price point too high for many market segments (small/medium)
Snort
+ Low-cost solution
- Performance
- Operational costs for the same performance (10 servers to match a TPT S7500)
Physical IPS appliance : 10,000 feet hardware architecture
12
[Figure: inside the appliance, 100% of the clean & malicious traffic first crosses a pre-filtering stage (fast, line rate). Only ~10% continues to 'hardware' Deep Packet Inspection on an NPU (slower) and then, as the slow path, to 'software' Deep Packet Inspection on a CPU, both driven by the attack signature set; clean traffic exits.]
90% of the traffic won't go to Deep Inspection.
What if I execute pre-filtering in another place of the infra?
A story of decomposition: pre-filtering as a micro-VNF
[Figure: clients send 20 Gb/s through a switch performing pre-filtering. ~18 Gb/s of regular traffic is forwarded directly to the destination; ~2 Gb/s of suspicious traffic is sent to the IPS, which returns less than 2 Gb/s of clean traffic to the destination.]
– The IPS only processes ~10% of the traffic (suspicious traffic)
– The pre-filtering function is distributed over all the infrastructure
– Regular traffic is directly forwarded to its destination (~90% of the traffic)
µVNF changes cost performance
14
IPS                          Max inspection throughput (Gb/s)   Listing price (US$)   US$ per Gb/s of inspection
TPT S7500                    20                                 500000                25000
Snort (4 proc)               2                                  10000                 5000
Pre-filtering µVNF + Snort   20                                 10000                 500

Distributed physical pre-filtering µVNF + IPS VNF (Snort)
+ State-of-the-art product performance
+ Virtually free: 50x cheaper than TPT
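The decomposition and the cost table above, modelled in code (an added example, not the deck's or any vendor's code): the switch-side pre-filter is a match-action table keyed on (protocol, destination port) that redirects only flows to signature-covered services, and the US$ per Gb/s figures fall out of the IPS capacity divided by the inspected fraction, capped by line rate. The service set and the flow records are constructed; the prices and throughputs are the table's own.

```python
"""Pre-filtering µVNF decomposition and its cost effect (added example, not
code from the deck).

The switch-side pre-filter is modelled as a match-action table keyed on
(protocol, destination port): only flows to services covered by the IPS
signature set are redirected to the IPS, everything else is forwarded
straight to its destination. The match set and flow records are
constructed; prices and throughputs are the ones in the cost table.
"""
from collections import namedtuple

Flow = namedtuple("Flow", "src dst proto dport gbps")

# Assumption: the signature set covers these services, so only matching flows
# are worth deep inspection. A port-based pre-filter is only as good as this
# set; an NPU pre-filter would match on richer keys, but the model is the same.
INSPECT_SERVICES = {("tcp", 80), ("tcp", 443), ("tcp", 445), ("tcp", 25), ("udp", 53)}


def prefilter(flows, inspect_services=INSPECT_SERVICES):
    """Split flows the way the switch µVNF does: (to_ips, forwarded_directly)."""
    to_ips = [f for f in flows if (f.proto, f.dport) in inspect_services]
    direct = [f for f in flows if (f.proto, f.dport) not in inspect_services]
    return to_ips, direct


def gbps(flows):
    return round(sum(f.gbps for f in flows), 3)


def ips_capacity_check(to_ips, ips_capacity_gbps):
    """(load, overload) for the IPS behind the pre-filter. Any overload means
    the IPS must drop or bypass traffic, so the controller has to watch it and
    either add a sensor or tighten the pre-filter."""
    load = gbps(to_ips)
    return load, max(0.0, round(load - ips_capacity_gbps, 3))


def cost_per_gbps(list_price_usd, ips_capacity_gbps, inspected_fraction, line_rate_gbps):
    """US$ per Gb/s of protected traffic. With pre-filtering the IPS only sees
    inspected_fraction of the traffic, so its effective coverage is its capacity
    divided by that fraction, capped by the switch line rate."""
    effective = min(line_rate_gbps, ips_capacity_gbps / inspected_fraction)
    return round(list_price_usd / effective), effective


def cost_table(line_rate_gbps=20):
    """Reproduce the deck's three rows (US$ per Gb/s of inspection)."""
    return {
        "TPT S7500": cost_per_gbps(500_000, 20, 1.0, line_rate_gbps)[0],
        "Snort (4 proc)": cost_per_gbps(10_000, 2, 1.0, line_rate_gbps)[0],
        "Pre-filtering µVNF + Snort": cost_per_gbps(10_000, 2, 0.1, line_rate_gbps)[0],
    }


# Constructed 20 Gb/s traffic mix: bulk east-west traffic plus a few flows to
# signature-covered services (about 10% of the volume).
SAMPLE_FLOWS = [
    Flow("10.0.1.10", "10.0.2.20", "tcp", 2049, 9.0),  # NFS bulk transfer
    Flow("10.0.1.11", "10.0.2.21", "tcp", 5201, 7.5),  # storage replication
    Flow("10.0.1.12", "10.0.2.22", "udp", 4789, 1.5),  # VXLAN overlay
    Flow("10.0.1.13", "10.0.9.9", "tcp", 443, 1.2),    # HTTPS
    Flow("10.0.1.14", "10.0.9.8", "tcp", 445, 0.5),    # SMB
    Flow("10.0.1.15", "10.0.9.7", "udp", 53, 0.3),     # DNS
]

if __name__ == "__main__":
    to_ips, direct = prefilter(SAMPLE_FLOWS)
    print(f"to IPS: {gbps(to_ips)} Gb/s, direct: {gbps(direct)} Gb/s")
    print("Snort load/overload:", ips_capacity_check(to_ips, 2.0))
    print(cost_table())
```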
Adaptive Security: Sensors as a Micro-Segmented Coordinated Overlay
15
Software-Defined Security: Closing the loop
16
[Figure: the IPSaaS topology again (Device 1–3, two switches, SFC to the IPS, Software-Defined Security app on the SDN Controller); the IPS now emits security events back towards the controller, with a question mark: what happens with them?]
Software-Defined Security: Closing the loop
Making Sense of Security Events & Automating Remediation Actions
17
[Figure: security events from the IPS are fed to Security Analytics; its verdicts drive the Software-Defined Security app on the SDN Controller, which takes automated remediation actions on the switches: block Device 2, or redirect its traffic to another security sensor.]
Software-Defined & Adaptive Security : Security Sensor as a Service model II
Micro-Segmentation & Transparent Coordination Overlay
– Fully automated remediation actions workflow:
   1. By Software-Defined Security: block device, isolate (guest-like / quarantine), rate limit, ...
   2. Through a 3rd party (like Aruba ClearPass): revoke certificate, 2-factor authentication, ...
– Multi-sensor transparent coordination:
   1. New complex policies: redirect traffic to the IPS if malware DNS severity is "major"
      – Fills a security gap: enables a coordinated effort of otherwise unaware security sensors
      – Cost optimization: redirects "value added" traffic to the expensive box (as IPSes are)
– High-level intent security policies implemented as micro-segmented rules
   – Fine-grained rules installed where the workload/device is
   – Dynamically moving with the workload/device
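The closed loop and coordination overlay above as a minimal policy engine (an added example, not the deck's or Aruba's code): sensor events are mapped to coordination rules (DNS malware event of severity "major" redirects the device to the IPS), remediation actions (IPS hit blocks, DDoS signal rate-limits), and the micro-segmented rules are keyed on the device and re-installed at the switch it moves to. Sensor names, event kinds, severities, device and switch identifiers are constructed.

```python
"""Closed-loop policy engine for a Software-Defined Security controller app
(added example, not code from the deck).

Sensors publish events; the engine turns them into coordination rules
(redirect a device's traffic to the IPS when the DNS sensor reports a
"major" malware event) and remediation actions (block, rate-limit, ...).
Rules are keyed on the device and installed at the switch the device is
currently attached to, so they move with the device. Sensor names, event
kinds, severities, device and switch identifiers are constructed.
"""
from dataclasses import dataclass, field

SEVERITY_RANK = {"info": 0, "minor": 1, "major": 2, "critical": 3}


@dataclass
class Event:
    sensor: str    # "dns", "ips", "ddos", "nbad"
    device: str
    kind: str      # e.g. "malware-domain", "signature-hit"
    severity: str


@dataclass
class Rule:
    device: str
    action: str    # "redirect-ips", "block", "quarantine", "rate-limit"
    switch: str    # where the micro-segmented rule is installed


@dataclass
class Controller:
    location: dict                               # device -> attached switch (from directory/NAC)
    rules: dict = field(default_factory=dict)    # device -> {action: Rule}
    log: list = field(default_factory=list)

    def _install(self, device, action):
        sw = self.location[device]
        rule = Rule(device, action, sw)
        self.rules.setdefault(device, {})[action] = rule
        self.log.append(f"install {action} for {device} at {sw}")
        return rule

    def handle(self, ev):
        """Policy table: which sensor event triggers which coordination/remediation."""
        rank = SEVERITY_RANK.get(ev.severity, 0)
        if ev.sensor == "dns" and ev.kind == "malware-domain" and rank >= SEVERITY_RANK["major"]:
            # Coordination: the cheap DNS sensor steers "value added" traffic to the IPS.
            return self._install(ev.device, "redirect-ips")
        if ev.sensor == "ips" and ev.kind == "signature-hit" and rank >= SEVERITY_RANK["major"]:
            # Remediation: confirmed hit -> block the device at its access switch.
            return self._install(ev.device, "block")
        if ev.sensor == "ddos" and rank >= SEVERITY_RANK["minor"]:
            return self._install(ev.device, "rate-limit")
        self.log.append(f"ignore {ev.sensor}/{ev.kind}/{ev.severity} for {ev.device}")
        return None

    def device_moved(self, device, new_switch):
        """Micro-segmented rules follow the device: withdraw at the old switch, install at the new."""
        old = self.location.get(device)
        self.location[device] = new_switch
        for rule in self.rules.get(device, {}).values():
            self.log.append(f"withdraw {rule.action} for {device} at {old}")
            rule.switch = new_switch
            self.log.append(f"install {rule.action} for {device} at {new_switch}")

    def installed_at(self, switch):
        """(device, action) pairs currently programmed on a given switch."""
        return sorted((r.device, r.action)
                      for per_device in self.rules.values()
                      for r in per_device.values() if r.switch == switch)


def demo():
    """Constructed event sequence mirroring the 'Closing the loop' slides."""
    c = Controller(location={"device-2": "switch-1", "device-3": "switch-2"})
    c.handle(Event("dns", "device-2", "malware-domain", "minor"))    # below threshold
    c.handle(Event("dns", "device-2", "malware-domain", "major"))    # -> redirect to IPS
    c.handle(Event("ips", "device-2", "signature-hit", "critical"))  # -> block device 2
    c.handle(Event("ddos", "device-3", "syn-flood", "minor"))        # -> rate-limit device 3
    c.device_moved("device-3", "switch-1")                           # rules follow the device
    return c


if __name__ == "__main__":
    for line in demo().log:
        print(line)
```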
Software-Defined & Adaptive Security : Security Sensor as a Service model II
Wrapping up
1. Flexible security sensor placement, allowing scale-out and dynamic fast failover
2. Enabling new dynamic policies (ex.: New Device Onboarding, Time-Sliced Auditing)
3. Automated remediation actions compliant with the company workflow
4. Multi-sensor transparent coordination
5. High-level intent security policies implemented as micro-segmented rules
Software-Defined Security: a Security Control Plane to Rule them All
[Figure: IPS, DNS, DDoS and NBAD sensors plus a Directory Server feed signals (ex: DNS requests) and security events to Security Platform Engines and Stream Event Processing; sensor coordination flows back down to the sensors. Policy enforcement is real-time at the sensors and near real-time from the Security Platform Engines.]
Security as a first-class citizen of the Intelligent Edge
21
Software-Defined Security in the Clouds
Limits of bandwidth, latency and privacy
[Figure: the same control-plane diagram (IPS, DNS, DDoS and NBAD sensors, Directory Server, Security Platform Engines, Stream Event Processing; signals such as DNS requests, security events, sensor coordination; real-time and near real-time policy enforcement), now placed against the limits of bandwidth, latency and privacy when it is pushed to the cloud.]
Software-Defined Security & Cloud Analytics Shield
[Figure: two tiers, Intelligent Edge and Cloud Analytics Shield. Signals and security events flow from the sensors to the edge, aggregated security events flow from the edge to the cloud, and sensor coordination flows back. Policy enforcement is real-time at the sensors, near real-time at the edge and batched from the cloud.]
Software-Defined Security & Cloud Analytics Shield
[Figure: the same two-tier diagram, annotated per tier.]
– Sensors: efficient single function, flow-level decision, no storage
– Intelligent Edge: unified sensor policy, user/device-level decision, limited storage
– Cloud Analytics Shield: complex security analytics & machine learning, long-term storage (forensics/audit)
Software-Defined Security & Intelligent Edge: the full story
[Figure: the edge/cloud architecture completed with a Software-Defined Security Platform Management layer: operations management, visibility dashboard, continuous delivery, live upgrades, fast fix updates / upgrades and fast security fixes. The edge tier is highly likely to be on-premises and available 99.999%; the cloud tier is highly likely to be SaaS and available 99.9%; the whole must be resilient.]
Key Takeaways
26
Key Takeaways
Software-Defined Security & "Security Sensors as a Service" to provide improved agility & protection
– With a fully automated security workflow:
   – provisioning the infrastructure to send the right data to the security sensors
   – remediation actions based on security analytics run against the events received from the security sensors
   – transparent collaboration of security sensors that are otherwise unaware of each other
– Micro-segmentation - even of legacy security sensors - to protect against east/west malware propagation
– Software-Defined & Adaptive Security will seamlessly integrate intelligent edge architectures:
   – Cloud-only is good for Capex/Opex but not good enough from the bandwidth, latency and privacy perspectives.
   – Data will be analyzed at the edge by security sensors and security analytics to enable real-time and near real-time insights as well as remediation actions,
   – while aggregates of security events will be sent to the cloud for complex security analytics and machine learning as well as forensics-like use cases.
– Strong need for physical µVNFs because virtualization of security sensors is not enough:
   – 5G tactile requiring ~1 ms latency & 6.5 Tb/s ToR ASICs are here
   – Economics & cost-performance evidence
27
Thank You
sta@hpe.com
www.slideshare.net/standel
28
Backup
29
From Idea to Market?
1. High Impact: a holistic approach to solve customer headaches
2. From idea to market? A top-down approach
   – Start with SaaS (cloud-first) for fast TTM and to quickly test the idea against the market
   – Integrate into the Intelligent Edge architecture
   – Physical µVNF for better scale and cost performance
– Along the stack, open APIs to avoid vendor lock-in & fragmentation
30
From Idea to Market
31
[Chart: "Product: Performance x Time-To-Market", software vs hardware on a 0–100 scale from Very Bad to Very Good for product performance and time to market. Annotations: better performance with hardware (improving scale & price); longer to reach market with hardware (slower innovation).]
From Idea to Market
32
[Chart: the same software vs hardware performance x time-to-market chart. Annotations: software is an excellent starting point to test the market. How do you evolve? What may remain software? Open interfaces?]


Editor's Notes

  • #5: Source: http://www.gartner.com/newsroom/id/3354117 ; IDC FutureScape: Worldwide IT Security Products and Security Services 2015 Predictions — Moving Toward Security Integration.
    Threat Intelligence: Big Data has come to security from the processing of threat intelligence. Threat intelligence data services provide a better understanding of the active tools, targets, and campaigns of cybercriminals and other online miscreants. Security threat intelligence allows security analysts to be proactive in predicting the probability of specific attacks instead of reacting after the fact. There are a number of flavors of threat intelligence, which range from subscribing to a newsfeed that may or may not be consumed by an analyst to purchasing one or many data feeds that are processed by a SIEM tool to a full intelligence security service that tailors threat information specifically for your environment and vertical.
    Security SaaS: IT security continues to be plagued with cost constraints, and more importantly, it is increasingly difficult for enterprises of all sizes to hire and retain security professionals. Most security teams have too much to do, thus they are not able to provide active defense; instead they must react to the most immediate alarm. These pressures are driving the adoption of security SaaS technologies, which can provide lower deployment and operational costs than on-premises security solutions. SaaS allows for the shifting of security spending from a capital expense to an operational one. Over time, cost will be less of a driver for growth in SaaS and cloud-based security solutions as other advantages (deployment flexibility, quick provisioning, scalability, automation, and security expertise) gain momentum. Enterprises overall have positive perceptions of security and cloud computing services, with many organizations believing that SaaS solution providers can provide better security than their own IT organizations.
    The risk/reward equation for cloud and security skews toward the proactive use of security SaaS among many organizations.
  • #9: SFC : Service Function Chain
  • #10: We started the story with a legacy IPS middlebox. Obviously, the same story can be told for any other security middlebox.
  • #14: This hardware-accelerated pre-filtering will not only reduce the East-West bottleneck (4), but it will also enable those low-cost software IPS solutions running on commodity hardware (5) to handle the volume of suspicious traffic, which is about 1/10 of the real traffic. And since it is a software-based IPS, we can actually easily scale this up (5) by adding more network cards, CPUs or more commodity hardware. In practice, we turn a 2 Gb/s IPS software appliance into a 20 Gb/s IPS.