Cybersecurity like Pokémon: evolving processes towards the cloud
Contains some comments on common mistakes, more or less easy to avoid
Mega Salamence
Technology evolution: Mainframe → Personal Computer → LAN → Cloud
Mauro Cicognini - Security Summit 2019
Off to the cloud with all of it
◼ I give up, the old network can never be fixed
◼ I start from scratch with the cloud
◼ This time everything will surely go fine
Mega Pidgeot

I don't know what I have
◼ We would like to do "discovery"
◆ Taking inventory of what exists is laborious and slow
◆ People are imprecise
◆ We would like IT automation to help us
◼ We wait until we have perfect information
◼ Which is better: a few false positives or a few false negatives?

Did I lock everything down?
◼ Are we convinced we can define a secure perimeter?
◼ Do we have a security policy against which to verify configurations?
◆ Even just a hardening baseline?
◼ Have we used network technologies to do security?
◼ Do we rely on Security by Obscurity?
Cloyster

Beyond the cloud
◼ IoT
◆ Cameras
◆ Thermostats
◆ Household appliances
◆ Turnstiles
◆ Alarm systems
◆ …
◼ Control networks and industrial networks
◼ Critical infrastructure
Rayquaza

How is it done?
◼ Do we have a process?
◼ Where is the real added value?
◼ Can we automate anything if the process does not exist yet?
Ponyta

Suggestions?
◼ Zero-perimeter solutions
◼ VSYS, not VRF
◼ Why not use IPv6?
Mega Charizard Y

Process evolution: Initial → Repeatable → Defined → Managed

Over to Skybox
Bulbasaur

Rule Lifecycle Management Processes
Davide Rivolta | Technical Director, Italy
davide.rivolta@skyboxsecurity.com
Firewall Change Management - The Problem

Typical flow: Firewall change ticket opened by customer → Picked up by Level-1 engineer → Assigned to Level-X engineer → Engineer researches implementation → Changes implemented → Ticket closed (or ticket re-assigned to a different engineer?)

Open questions along the way:
• Is this even done? Who takes ownership?
• Did they assign it to the right person?
• Are security policies and vulnerable assets assessed? How?
• Risk assessment?
• Do they have all the information? Do they know the environment?
• Was it done right? Who verifies?
• Do other changes need to happen on this device for other tickets?

Change Management Workflow

1. Request Capture – Translate business/technical details
2. Technical Details – Path identification
3. Risk Assessment – Identify policy violations & vulnerability exposures; Rule analysis; Accept/Reject
4. Implementation – Assign to team for provisioning
5. Verification – Reconcile against observed changes; Verify access

Underlying all stages: Skybox Analytics Engine
Network Access Compliance

Security in Multi-Cloud Environments
Environments shown: CISCO ACI (Private), NSX (Private), AWS
• Complete visibility
• End-to-end path analysis
• Policy compliance across networks in a single dashboard view
• Out-of-the-box regulatory compliance checks
• Threat-centric vulnerability management

Microsegmentation
Compliance Security Challenges

Many Access Paths
• A given organization can use tens of security groups, which creates hundreds of access combinations

Heterogeneous Environment
• All enterprises have a good mix of physical networks, virtual SDNs and cloud environments: a combination of traditional ACLs and the implementation of the correct security tags on the SDN

East-West Traffic
• Cyber attackers now deploy malware with lateral movement capabilities; verifying network access requires end-to-end analysis and not just "choke points"

Incorrect Asset Tagging
• Assets which are accidentally tagged with an incorrect security tag will create an unwanted access path in the network

Change Tracking & Management
Example 1: I need to add another Mail Server
• Physical: Modify the Mail_Servers object on the policy
• Virtual: Create another VM instance and assign it to the Mail Servers Security Group (Note: the change is not on the policy)
Security Group: Mail Servers

Change Tracking & Management
Example 2: I want to add access to HTTPS on port 443
• Physical: Modify the rules in all the relevant firewalls
• Virtual: Modify the rule in the security group

Web (security tag)
Source       | Dest.       | Service
Any          | Web Servers | 80/TCP, 443/TCP
Web Servers  | App Servers | App
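The compliance challenges slide and the two change examples above describe access as a function of security tags rather than of individual firewall rules. The following Python model is an added example, not Skybox or Security Summit material; asset names, tags and rules are constructed sample data. It expands tag-based security-group rules into concrete asset-to-asset paths and shows the three situations the slides name: a VM joining a group opens paths without any rule change (Example 1), a port added once on a tag applies to every member (Example 2), and a mis-tagged asset silently becomes reachable from outside.

```python
"""Tag-based access path analysis (added example, constructed data)."""
from dataclasses import dataclass
from itertools import product

ANY = "Any"  # wildcard, as in the slide's "Any -> Web Servers" rule


@dataclass(frozen=True)
class Rule:
    """One security-group rule: traffic from src_tag to dst_tag on a TCP port."""
    src_tag: str
    dst_tag: str
    port: int


@dataclass(frozen=True)
class Inventory:
    """Assets (name -> frozenset of security tags) plus the security-group policy."""
    assets: dict
    rules: frozenset

    def matching(self, tag):
        """Assets carrying `tag`; ANY matches every asset, the internet included."""
        return [a for a, tags in self.assets.items() if tag == ANY or tag in tags]

    def reachable(self):
        """Expand tag-based rules into concrete (src_asset, dst_asset, port) paths.

        A rule written once against a tag may open many asset-to-asset paths, and
        a new asset inherits every rule of the tags it is given without any rule
        being touched, so the end-to-end view has to be recomputed per asset.
        """
        paths = set()
        for r in self.rules:
            for s, d in product(self.matching(r.src_tag), self.matching(r.dst_tag)):
                if s != d:
                    paths.add((s, d, r.port))
        return paths

    def with_asset(self, name, tags):
        return Inventory({**self.assets, name: frozenset(tags)}, self.rules)

    def with_rule(self, rule):
        return Inventory(self.assets, self.rules | {rule})


def access_delta(before, after):
    """Paths opened and paths closed between two snapshots."""
    b, a = before.reachable(), after.reachable()
    return a - b, b - a


def exposed_from(inv, src):
    """(dst_asset, port) pairs that `src` can reach, e.g. what the internet sees."""
    return {(d, p) for s, d, p in inv.reachable() if s == src}


def sample_inventory():
    """Constructed sample environment; names and tags are illustrative only."""
    assets = {
        "internet": frozenset({"External"}),
        "web-01": frozenset({"Web"}),
        "app-01": frozenset({"App"}),
        "mail-01": frozenset({"Mail_Servers"}),
        "db-01": frozenset({"DB"}),
    }
    rules = frozenset({
        Rule(ANY, "Web", 80),        # Example 2 starts from HTTP only
        Rule("Web", "App", 8080),    # east-west: web tier to app tier
        Rule(ANY, "Mail_Servers", 25),
    })
    return Inventory(assets, rules)


if __name__ == "__main__":
    base = sample_inventory()
    # Example 1: a second mail server joins Mail_Servers. No rule changes, yet a
    # new path appears, so change tracking must watch group membership too.
    opened, _ = access_delta(base, base.with_asset("mail-02", {"Mail_Servers"}))
    print("Example 1 opened:", sorted(opened))
    # Example 2: HTTPS is added once on the Web tag instead of on every firewall.
    opened, _ = access_delta(base, base.with_rule(Rule(ANY, "Web", 443)))
    print("Example 2 opened:", sorted(opened))
    # Incorrect tagging: a backup DB host accidentally gets the Web tag and is
    # now reachable from the internet on port 80 and can reach the app tier.
    bad = base.with_asset("db-backup-01", {"DB", "Web"})
    print("Exposed to internet after mis-tag:", sorted(exposed_from(bad, "internet")))
```

The useful check for compliance is `access_delta` run between consecutive inventory snapshots: a non-empty "opened" set with an unchanged rule set is exactly the Example 1 case that a policy-only diff would miss.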
Change Tracking – Change Types
• Security Group Policy Change
– Add/Modify/Delete Rule
– Object Changes

Change Tracking – Change Types (cont.)
• Security Group Changes
– Creation of a security group
– Modification of a security group (added/removed assets)
– Deletion of a security group

Change Management (1)
Add Access – different traffic scenarios:
1. East-West traffic
2. North-South traffic
3. Between-cloud traffic

Path Identification & Verification covers:
• Relevant security groups
• Virtual firewalls / edge gateways
• Physical networks & firewalls

Change Management (2)
Security Group based requests:
• Add/Modify/Delete rule of a security group
• Create security group
• Delete security group
• Add asset to security group
• Remove asset from security group
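The change-type slides list what change tracking must catch: rule add/modify/delete and object changes on security-group policies, plus creation, modification (assets added or removed) and deletion of the groups themselves. The Python below is an added example, not Skybox code. It diffs two constructed snapshots of a security-group policy into exactly those change types and then reconciles them against a set of approved tickets, which is the "Reconcile against observed changes" step of the workflow slide. Group names, rule ids and the ticket tuples are constructed.

```python
"""Change tracking over security-group policy snapshots (added example, constructed data)."""


def diff_snapshots(before, after):
    """Turn two policy snapshots into a list of (change_type, group, detail) events.

    A snapshot maps group name -> {"members": set of asset names,
    "rules": {rule_id: (source, destination, service)}}. The change types are
    the ones the slides list: group created/deleted, asset added/removed,
    rule added/modified/deleted.
    """
    events = []
    for group in sorted(set(before) | set(after)):
        if group not in before:
            events.append(("group_created", group, sorted(after[group]["members"])))
            continue
        if group not in after:
            events.append(("group_deleted", group, sorted(before[group]["members"])))
            continue
        b, a = before[group], after[group]
        for asset in sorted(a["members"] - b["members"]):
            events.append(("asset_added", group, asset))
        for asset in sorted(b["members"] - a["members"]):
            events.append(("asset_removed", group, asset))
        for rid in sorted(set(b["rules"]) | set(a["rules"])):
            if rid not in b["rules"]:
                events.append(("rule_added", group, (rid, a["rules"][rid])))
            elif rid not in a["rules"]:
                events.append(("rule_deleted", group, (rid, b["rules"][rid])))
            elif b["rules"][rid] != a["rules"][rid]:
                events.append(("rule_modified", group,
                               (rid, b["rules"][rid], a["rules"][rid])))
    return events


def reconcile(events, approved_tickets):
    """Observed changes with no approved ticket covering (change_type, group).

    Anything returned here happened outside the change process and needs a
    ticket raised after the fact, or a rollback.
    """
    return [e for e in events if (e[0], e[1]) not in approved_tickets]


def sample_snapshots():
    """Constructed before/after snapshots mirroring the slides' two examples."""
    before = {
        "Web": {"members": {"web-01"},
                "rules": {"r1": ("Any", "Web", "80/TCP")}},
        "Mail_Servers": {"members": {"mail-01"},
                         "rules": {"r2": ("Any", "Mail_Servers", "25/TCP")}},
    }
    after = {
        # Example 2: HTTPS added by modifying the single rule on the Web group
        "Web": {"members": {"web-01"},
                "rules": {"r1": ("Any", "Web", "80/TCP, 443/TCP")}},
        # Example 1: a second mail server joins the group; the policy is untouched
        "Mail_Servers": {"members": {"mail-01", "mail-02"},
                         "rules": {"r2": ("Any", "Mail_Servers", "25/TCP")}},
        # A group nobody requested appeared between the two snapshots
        "Legacy_Tmp": {"members": {"db-01"}, "rules": {}},
    }
    return before, after


# Approved tickets (constructed): (change_type, group) pairs the process authorised.
APPROVED = {("rule_modified", "Web"), ("asset_added", "Mail_Servers")}


if __name__ == "__main__":
    before, after = sample_snapshots()
    events = diff_snapshots(before, after)
    for e in events:
        print("observed:", e)
    for e in reconcile(events, APPROVED):
        print("NO TICKET:", e)
```

Membership changes are reported as first-class events on purpose: in the virtual world of Example 1 the policy text never changes, so a tracker that only diffs rules would report nothing.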
Rule Life Cycle Management (flowchart)

Triggers: Recertification Date? / Rule or Object Usage?
Auto Ticket Generation → Ticket Creation

Recertification Workflow: Validate request, Path analysis, Policy Violations?, Risk analysis, Approval, Recertify or Reject, Provisioning with metadata, Reconciliation
Deprovision Workflow: Deprovision rule, IP, object or service, Reconciliation
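The rule life cycle slide ties ticket generation to two triggers, a recertification date and rule or object usage, and then branches into a recertification or a deprovision workflow. The Python below is an added example, not Skybox code, that performs that triage for a constructed set of firewall rules carrying provisioning metadata (owner, ticket, recertification date, last hit) and emits the auto-generated ticket entries. The 90-day unused threshold, the 30-day ticket due date, the run date and all rule data are assumptions.

```python
"""Rule life cycle triage (added example, constructed data)."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

UNUSED_DAYS = 90              # assumption: no hit for this long -> deprovision candidate
RUN_DATE = date(2019, 3, 14)  # constructed run date for the sample


@dataclass(frozen=True)
class FirewallRule:
    rule_id: str
    owner: Optional[str]        # business owner recorded at provisioning
    ticket: Optional[str]       # change ticket the rule was provisioned under
    recertify_by: date          # recertification date stored with the rule metadata
    last_hit: Optional[date]    # last time the rule matched traffic; None = never


def lifecycle_action(rule, today):
    """Decide which workflow a rule enters, following the slide's two triggers."""
    if not rule.owner or not rule.ticket:
        # Without provisioning metadata nobody can validate the request;
        # enrich first, otherwise recertification is guesswork.
        return "enrich_metadata"
    if today <= rule.recertify_by:
        return "ok"
    stale = rule.last_hit is None or (today - rule.last_hit).days > UNUSED_DAYS
    return "deprovision" if stale else "recertify"


def generate_tickets(rules, today):
    """Auto ticket generation: one ticket per rule that is not 'ok'."""
    tickets = []
    for r in sorted(rules, key=lambda r: r.rule_id):
        action = lifecycle_action(r, today)
        if action != "ok":
            tickets.append({"rule": r.rule_id, "workflow": action,
                            "owner": r.owner, "due": today + timedelta(days=30)})
    return tickets


def sample_rules():
    """Constructed rules; ids, owners, tickets and dates are illustrative only."""
    return [
        FirewallRule("fw1-r10", "payments-team", "CHG-0001",
                     date(2019, 12, 31), date(2019, 3, 1)),      # not yet due
        FirewallRule("fw1-r11", "payments-team", "CHG-0002",
                     date(2019, 1, 31), date(2019, 3, 10)),      # due, still in use
        FirewallRule("fw1-r12", "hr-apps", "CHG-0003",
                     date(2019, 1, 31), date(2018, 6, 1)),       # due, unused
        FirewallRule("fw1-r13", None, None,
                     date(2019, 1, 31), None),                   # no metadata at all
    ]


if __name__ == "__main__":
    for r in sample_rules():
        print(r.rule_id, "->", lifecycle_action(r, RUN_DATE))
    for t in generate_tickets(sample_rules(), RUN_DATE):
        print("ticket:", t)
```

Usage data decides the branch: a rule past its recertification date that is still matching traffic goes to the owner for recertify-or-reject, while one that has gone quiet is routed to deprovisioning so it does not get rubber-stamped back in.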
Questions?

Thank you and goodbye
We look forward to seeing you at our stand in the exhibition area!