The document discusses the opportunities and challenges of securing modern IT infrastructure and applications in the software-defined data center (SDDC). It outlines three key architectural issues: 1) the need for logical segmentation around application boundaries, 2) orchestrating security policies across multiple controls, and 3) providing the right context and isolation for security tools. The document argues that virtualization provides the "Goldilocks zone" to address these issues by placing security controls and services into the virtualization layer to enable micro-segmentation, advanced context sharing between tools, and policy orchestration across applications and infrastructure. It presents a case study of how one company addressed these challenges through a virtualization-based security approach.
9. Modern Attack: targeted, interactive & stealthy
Attack lifecycle (diagram reconstructed as a list):
1. Human Recon
2. Attack Vector R&D
3. Delivery Mechanism
4. Compromise Primary Entry Point
5. Install Command & Control I/F
6. Escalate Privileges on Primary Entry Point
7. Lateral Movement
8. Install C2 I/F, Wipe Tracks, Escalate Priv (repeated on each new host; Strain A active, Strain B dormant)
9. Wake Up & Modify Next Dormant Strain (Attack Identified, Response: Strain B active, Strains C and D dormant)
10. Break into Data Stores
11. Parcel & Obfuscate
12. Exfiltration
13. Cleanup
Stop Infiltration | Lack visibility & control to stop exfiltration
shift from…
• Perimeter-centric
• In-line prevention
• Managing compliance
to…
• Application & user-centric
• Analytics/Out-of-band mitigation
• Managing risk
10. 3 Architectural Issues
Virtualization is the Key: as a ubiquitous abstraction layer between the applications and the infrastructure, it provides the “Goldilocks Zone” for security.
1. Segmentation (Logical Segmentation Problem): lack ability to segment around application boundaries.
2. Policy (Compound Policy Problem): lack mechanisms to orchestrate policy across controls.
3. Context (Context/Isolation Tradeoff): lack the right telemetry/“handles” for security controls.
Common Thread: The Application
11. The Logical Segmentation Problem
CONFIDENTIAL 11
Diagram: Hyper-connected Computing Base; Lateral Movement; Complex/Comingled Policy.
The Solution: enforce segmentation around application boundaries versus the perimeter, physical zones or machines.
The Obstacle: we have no mechanism that maintains the relationship between the applications & the infrastructure.
12. The Compound Policy Problem
Diagram: controls C1, C2, C3 in the Right Place and Right Order, able to Share State; Choke Points / Scalability; Complex Distributed Policy; Sharing State (?).
The Solution: a mechanism to insert and order security controls and policy around logical boundaries, and a mechanism for them to publish and share state.
The Obstacle: no such mechanism exists. We can insert on physical boundaries, and share state via point integrations and correlation.
13. The Context/Isolation Tradeoff
Policy ↔ Analytics
Endpoint: Context. Network: Isolation.
Diagram labels: URLs such as HTTP://192.163.8.10:8080, HTTP://192.159.2.10:8080 and HTTP://192.162.5.8:8080 versus addresses such as 10.20.2.14 / 09:00:02:A3:D1:3D and 10.18.3.13 / 08:00:03:A4:C2:4C, marked “Poor Handles/Telemetry for Policy/Analytics”.
The Solution: a ubiquitous mechanism for communicating telemetry with security controls that has the isolation properties of a network control point and the context of an endpoint agent.
The Obstacle: no such mechanism exists. We are forced to make the tradeoff.
14. 3 Architectural Issues
Common Thread: The Application. Virtualization is the Goldilocks Zone for Security.
If we could…
• Segment along application boundaries and compliance scopes
• Provision and order controls along those boundaries
• Share context to and among controls
…then we can dramatically…
• Reduce our attack surface
• Simplify our policies
• Improve the effectiveness of all our controls
1. Segmentation (Logical Segmentation Problem): lack ability to segment around application boundaries.
2. Policy (Compound Policy Problem): lack mechanisms to orchestrate policy across controls.
3. Context (Context/Isolation Tradeoff): lack the right telemetry/“handles” for security controls.
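Slides 11, 13 and 14 argue for segmentation policy keyed on the application rather than on IP/MAC handles, physical zones or machines. The following is an added example, not code from the deck or from any vendor product, of such a check over a constructed inventory: the application names, tiers, rules and addresses are made up (the two addresses from slide 13 are reused as labels only), standing in for the application context a virtualization layer would supply.

```python
# Constructed inventory: the virtualization layer supplies the application and
# tier of each workload, so policy keys on that instead of on IP/MAC handles.
INVENTORY = {
    "10.20.2.14": ("payroll", "web"),
    "10.20.2.15": ("payroll", "app"),
    "10.18.3.13": ("payroll", "db"),
    "10.18.3.20": ("crm", "web"),
    "10.18.3.21": ("crm", "db"),
}

# Policy written around application boundaries: (app, src_tier, dst_tier, port).
# Only flows inside one application are listed; no rule ever crosses apps.
RULES = {
    ("payroll", "web", "app", 8080),
    ("payroll", "app", "db", 5432),
    ("crm", "web", "db", 5432),
}


def decide(src_ip, dst_ip, dst_port):
    """Return (verdict, reason) for one flow, using application context."""
    src = INVENTORY.get(src_ip)
    dst = INVENTORY.get(dst_ip)
    if src is None or dst is None:
        return ("deny", "unknown-workload")  # no context, so no access
    src_app, src_tier = src
    dst_app, dst_tier = dst
    if src_app != dst_app:
        # Any flow across an application boundary is the lateral-movement
        # case of slide 11, whatever subnet or zone the hosts sit in.
        return ("deny", "cross-app-lateral")
    if (src_app, src_tier, dst_tier, dst_port) in RULES:
        return ("allow", "intra-app")
    return ("deny", "intra-app-unexpected")


def readdress(old_ip, new_ip):
    """Move a workload to a new address: policy follows the workload, not the IP."""
    INVENTORY[new_ip] = INVENTORY.pop(old_ip)


def audit(flows):
    """Count verdict reasons over (src_ip, dst_ip, dst_port) flows for analytics."""
    summary = {}
    for src_ip, dst_ip, dst_port in flows:
        _, reason = decide(src_ip, dst_ip, dst_port)
        summary[reason] = summary.get(reason, 0) + 1
    return summary
```

The `cross-app-lateral` reason is the out-of-band analytics signal from slide 9: a flow that no application-level rule could ever permit, surfaced without any in-line perimeter device.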
21. The Call to Action
A Once in a Wave Opportunity
1st Wave: Mainframe | Terminal. Millions of Users, Thousands of Apps.
2nd Wave: PC | Client/Server | LAN/Internet. Hundreds of Millions of Users, Tens of Thousands of Apps.
3rd Wave: Cloud/SDDC | Mobile | Social | Big Data. Billions of Users, Millions of Apps, Trillions of Devices.
Security Teams | Security Vendors | Virtualization: The Goldilocks Zone for Security