Transforming Security: Containers, Virtualization and the Softwarization of Controls
Session ID: ASD-W03
#RSAC
Dennis R Moreau, Senior Engineering Architect, VMware Office of the CTSO (@DoctorMoreau)
The Security Problem
Security breach rates and losses continue to outpace security spend in “the year of the breach”.
[Chart: IT Spend, Security Spend and Security Breaches plotted over time]
Complexity: Complex Attack Behavior
[Figure: one attack chain crossing every layer of the stack, HW & FW, OS and Application, across IaaS and SaaS]
Attack surface and techniques called out on the figure: MMUs, SMM, UEFI, Controllers, Supply Chain …; Overflows, Insertion, Malformation …; dll injection, SVC Vulns, ROP …; Recon & Lateral Movement …
Complexity: Many Required Security Controls
Source: SANS 20 Critical Cyber Controls – Fall 2014
https://www.sans.org/media/critical-security-controls/fall-2014-poster.pdf
Complexity: Many Security Control Standards
NIST 800-53, ISO 27002, NSA Top 10, GCHQ 10 Steps, PCI DSS, HIPAA, NERC, CSA, FISMA, ITIL KPIs, …
Source: https://www.sans.org/media/critical-security-controls/critical-controls-poster-2016.pdf
Complexity: The Balkanization of Security
Security controls differ along several dimensions:
Rules, Language & Logic: SNORT, FW 5-tuples, OWASP, YARA, XACML …
Control Boundary: End Point, Network, VLAN, Domain, Process, OU …
Object Type: User, Application, Data Class, Service, DB …
Consoles and Agents: Logs, Alerts, Rules, Workflow …
Placement Constraints: DB, App, OS, NAT, LB, L4, L3 …
Complexity: No Finish Line
Change! Drivers of continual change: evolving standards, control technology, growth, scale, agility++, new business needs, new regulation, new threats, new governance.
Complexity: IT Architecture
Highly Connected
Complex Service Protocols
EP controls with weak isolation
NW controls with weak context
EP <-> NW mismatch
[Figure: many VMs hosting App1 – App4, all behind a single perimeter FW and IPS]
Complexity is the Problem!
Misconfiguration is very common (Gartner: 95%* of FW breaches attributable to misconfiguration).
* Gartner, Inc. “One Brand of Firewall Is a Best Practice for Most Enterprises”. November 28, 2012.
* Gartner, Inc. “… 75 Percent of Mobile Security Breaches Will Be the Result of Mobile Application Misconfiguration”. http://www.gartner.com/newsroom/id/2846017
We need architecturally simplified security provisioning, operation, response and analytics.
Virtualization and the Softwarization of Security Controls: Enabling Policy Simplification
Visibility: Micro-segmentation and SW
• Understand Traffic
• Here, > 80% is East-West
• Largely uninspected and unprotected
• Ops: Clearly not optimized
Source: Networking data from Arkin.net deployments
[Figure: before and after. Left, VMs hosting App1 – App4 behind a single perimeter FW and IPS; right, the same VMs with FW and IPS placed next to the workloads]
Enabled by:
Network Virtualization
Containment & Protection
Network Virtualization
[Figure: guests attached to a vSwitch on each host]
Compute Isolation, under virtual server control: Provisioning, Protection, Introspection …
Network Isolation, under virtual network control: IP Address Space, Routing, Firewall …
Network Virtualization: Overlays
[Figure: Tenant B and Tenant C each have their own L2 segments carrying VMs, overlaid on a shared transport network under an overlay controller]
Encapsulated frame on the transport network: outer L2 | outer IP | UDP | VXLAN | inner L2 | inner IP | Payload
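The encapsulation shown above, as an added example that is not part of the original slides: it builds and parses the outer L2/IPv4/UDP/VXLAN headers with the Python standard library and models a VTEP that delivers a frame only when its VNI matches the segment of the destination port, which is what keeps Tenant B's and Tenant C's L2 segments apart on one shared transport. VNIs, MACs, VTEP addresses and the payload are constructed.

```python
"""Added example (not from the slides): minimal VXLAN encapsulate/decapsulate plus a
toy VTEP that enforces tenant isolation by VNI. All addresses are constructed."""
import socket
import struct

VXLAN_UDP_PORT = 4789                    # IANA port for VXLAN (RFC 7348)
VXLAN_FLAG_I = 0x08                      # "I" flag: the VNI field is valid
TENANT_B_VNI, TENANT_C_VNI = 5001, 5002  # constructed per-tenant segment IDs


def ipv4_checksum(header: bytes) -> int:
    """Ones'-complement checksum; returns 0 for a header whose checksum field is correct."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def vxlan_header(vni: int) -> bytes:
    """8-byte VXLAN header: flags(1) reserved(3) VNI(3) reserved(1)."""
    if not 0 <= vni < (1 << 24):
        raise ValueError("VNI must fit in 24 bits")
    return struct.pack("!B3xI", VXLAN_FLAG_I, vni << 8)


def encapsulate(inner: bytes, vni: int, src_vtep: str, dst_vtep: str,
                src_mac: bytes, dst_mac: bytes) -> bytes:
    """Wrap an inner L2 frame as outer L2 | IPv4 | UDP | VXLAN | inner, as on the slide."""
    vx = vxlan_header(vni)
    udp_len = 8 + len(vx) + len(inner)
    udp = struct.pack("!HHHH", 49152, VXLAN_UDP_PORT, udp_len, 0)  # UDP checksum 0 is legal on IPv4
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + udp_len, 0, 0x4000, 64, 17, 0,
                     socket.inet_aton(src_vtep), socket.inet_aton(dst_vtep))
    ip = ip[:10] + struct.pack("!H", ipv4_checksum(ip)) + ip[12:]
    return dst_mac + src_mac + b"\x08\x00" + ip + udp + vx + inner


def decapsulate(packet: bytes):
    """Parse the outer headers; return (vni, inner_frame) or raise ValueError."""
    if len(packet) < 14 + 20 + 8 + 8 or packet[12:14] != b"\x08\x00":
        raise ValueError("not an IPv4 frame or too short")
    ihl = (packet[14] & 0x0F) * 4
    if packet[14] >> 4 != 4 or packet[14 + 9] != 17 or ihl < 20:
        raise ValueError("outer packet is not IPv4/UDP")
    if ipv4_checksum(packet[14:14 + ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    udp_off = 14 + ihl
    _, dst_port, udp_len, _ = struct.unpack("!HHHH", packet[udp_off:udp_off + 8])
    if dst_port != VXLAN_UDP_PORT or udp_off + udp_len > len(packet):
        raise ValueError("not VXLAN or truncated")
    flags, vni_field = struct.unpack("!B3xI", packet[udp_off + 8:udp_off + 16])
    if not flags & VXLAN_FLAG_I:
        raise ValueError("VXLAN I flag not set")
    return vni_field >> 8, packet[udp_off + 16:udp_off + udp_len]


class Vtep:
    """A hypervisor's tunnel endpoint: each local VM port belongs to exactly one VNI, so a
    frame is delivered only when its VNI matches the segment of the destination port."""

    def __init__(self):
        self.ports = {}      # inner destination MAC -> VNI of the segment that port is on
        self.dropped = []    # reasons for every frame that was not delivered

    def attach(self, vm_mac: bytes, vni: int) -> None:
        self.ports[vm_mac] = vni

    def receive(self, packet: bytes) -> bool:
        try:
            vni, inner = decapsulate(packet)
        except ValueError as exc:
            self.dropped.append(str(exc))
            return False
        if self.ports.get(inner[:6]) != vni:
            # Tenant isolation: the same inner MAC on another tenant's VNI is another segment.
            self.dropped.append("vni %d does not match port %s" % (vni, inner[:6].hex()))
            return False
        return True


# Constructed MACs: two tenant-B VMs and the two hypervisor VTEPs.
MAC_B1, MAC_B2 = bytes.fromhex("020000000b01"), bytes.fromhex("020000000b02")
VTEP_A, VTEP_B = bytes.fromhex("0200000000aa"), bytes.fromhex("0200000000bb")


def demo():
    """Deliver one tenant-B frame, then the same inner frame carried on tenant C's VNI."""
    vtep = Vtep()
    vtep.attach(MAC_B1, TENANT_B_VNI)
    inner = MAC_B1 + MAC_B2 + b"\x08\x00" + b"constructed payload"  # inner frame to B1
    ok = vtep.receive(encapsulate(inner, TENANT_B_VNI, "10.0.0.1", "10.0.0.2", VTEP_A, VTEP_B))
    crossed = vtep.receive(encapsulate(inner, TENANT_C_VNI, "10.0.0.1", "10.0.0.2", VTEP_A, VTEP_B))
    return ok, crossed, vtep.dropped


if __name__ == "__main__":
    print(demo())
```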
Micro-segments: A new policy primitive
[Figure: an App/Svc segment spanning guests on several vSwitches]
Aligned Isolation:
• Routing
• NAT
• dFW
Policy Boundary Invariant
Simplify: Smaller, more aligned policy
[Figure: left, one edge firewall (eFW) with a single large policy covering every VM hosting App1 – App4; right, distributed firewalls (dFW) with a small policy per App/Svc segment]
Policy here (edge) crosses many apps … App1 – App4
Policy here (per segment) can align on one App/Svc
✓ Much smaller policy sets
✓ Much more coherent policy
Simplify: Change with less side effect
[Figure: left, one perimeter FW whose single large policy covers every VM; right, a FW per application segment, each with its own small policy]
Policy change here (single perimeter policy) is coupled across apps
Policy change here (per segment) is far safer
✓ Much simpler mitigation
✓ Much safer rule deletion
Simplify: Policy that follows the workload
[Figure: left, eFW at the edge; right, dFW at every hypervisor]
Left: only traffic steering determines protection/visibility
Right: classification (SG) determines protection & visibility
✓ Protection scales with hypervisors
Simplify: Default deny posture
[Figure: left, eFW at the edge; right, dFW at every hypervisor]
Left: default deny policy here is blunt, coupled across apps, partial and weakly scale-able
Right: default deny policy here is precise, efficient, scale-able, …
✓ Recon and lateral movement in the DC is much more visible and difficult
Simplify: Intrinsic E/W visibility/control
[Figure: left, eFW at the edge; right, dFW at every hypervisor]
Left: E/W traffic hair-pinned for visibility at the DC edge
Right: all E/W traffic is visible and filtered according to policy
✓ Complete E/W visibility & control
✓ No hairpin management
Control Placement and Segments
[Figure: left, one FW and service chain (SC) at the perimeter; right, a FW and SC placed per application segment]
Enabled by:
Network Virtualization + Softwarization of Security Controls
Virtualization and the Softwarization of Security Controls: Improved Alignment
Align: NW/EP Control Aligned on Segments
[Figure: left, perimeter FW/IPS with endpoint (EP) agents scattered across the VMs; right, FW/IPS and EP controls per application segment]
NW Policy(IF, Subnet, DHCP Scope, …)
EP Policy(Asset, HostID, SID, Svr Role, TPM …)
Before: EP Identifiers / EP Boundaries ≢ NW Identifiers / NW Boundaries
After, aligned on the App Segment: EP Identifiers / EP Boundaries ≡ NW Identifiers / NW Boundaries
Shared identifiers: VMID and MSID; the EP and NW policies P1(MSID) … PN(MSID) all key on the same MSID
Align: Coordinated Controls
[Figure: a segment protected by a dFW/vFW (FW Rules) and a WAF (OWASP Rules)]
Detect here (WAF, OWASP Rules), block here (vFW, FW Rules). Then … expensive detection, so …
Align: Coordinated Controls
[Figure: the segment with dFW/vFW (FW Rules), WAF (OWASP Rules) and IPS (SNORT Rules)]
Rule N+1, Rule N+2 … added for an emergent vulnerability or an observed anomaly
Align: Controls Context
[Figure: the segment with dFW/vFW (FW Rules, Access Rules), WAF (OWASP Rules), IPS (SNORT Rules) and AA (Protocol Defn), combining into the Resultant Protection Policy]
Order Matters: so topological context is required for many security use cases.
Visibility & semantics here (at a later control) … depend on policy and filtering here (at the controls before it)
Containers and Operationally Plausible Default Deny Policy
Sources of Plausible Micro-segment Policy
1. Provenance, Manifests & Provisioning Information
2. Application Network Behavior
3. Infrastructure Services (or Micro-services) Connectivity & Dynamics
Containers: App/Svc Focused Context
Ex. Authoritative Context:
App Configuration & Resources
Resource Sharing Across Apps
Colocation of Containers
Service Components
Services within a Namespace
Network Dynamics (LB, HA, …)
Example Contextual Structure:
[Figure: a Namespace holding an RC, Volume, Service and LB; the RC manages Pods, each Pod runs Containers, each Container an App Env and App …]
Containers: EP Compliance
Compliance scan of Docker image
Usage: oscap-docker image IMAGE_NAME [OSCAP_ARGUMENTS]
Compliance scan of Docker container
Usage: oscap-docker container CONTAINER_NAME [OSCAP_ARGUMENTS]
Vulnerability scan of Docker image
Usage: oscap-docker image-cve IMAGE_NAME [--results oval-results-file.xml [--report report.html]]
Vulnerability scan of Docker container
Usage: oscap-docker container-cve CONTAINER_NAME [--results oval-results-file.xml [--report report.html]]
Ref: https://github.com/OpenSCAP/container-compliance
Alignment: Network Context
[Figure: hosted protection vs. premise protection; a load balancer (LB) in front of services (SVC): Web Service, Web Cont, Web Cart, SAP MT, SAP, DB]
Control placement determines:
• Meaning of Log and Alert signals
• Up/Down stream interference
• Affected assets
• Mitigation options
But “containers don’t contain”
[Figure: a Docker Engine on one operating system instance running App 1, App 2, App 2 with their Bins/Libs; the provider attests and the tenants audit; isolation is process and namespace isolation only]
Shared: IDs, filesystem, services, resources …
Process/Namespace Isolation … but could be much better:
Better Isolation
Isolated Controls (independent)
Mature Security Mgmt (Gartner)
Normalized Policy Locus Between WL and Hosting (hybrid/multi-cloud)
Mis-alignment
References:
https://opensource.com/business/14/7/docker-security-selinux
http://www.projectatomic.io/blog/2014/09/yet-another-reason-containers-don-t-contain-kernel-keyrings/
http://blog.docker.com/2014/06/docker-container-breakout-proof-of-concept-exploit/
Gartner: Security Properties of Containers Managed by Docker
Directional: Containers + Virtualization
[Figure: per-app controls (FW, IPS, WAF, NGFW) feed Logs, Alerts and Behavior into Analytics; a Registry supplies Labels, Provenance and Testing for the Images the Docker Daemon runs as Containers; Policy uses the same App IDs, the same Boundaries and shared Context, aligned across Apps, Server and Network]
Where else might this behavior be expressed? …
More actionable context, so response is more efficient & accurate, with reduced dwell time
Containers + Virtualization
VMworld 2015: NET6639 - Next Horizon for Cloud Networking and Security: https://www.youtube.com/watch?v=RBJ-KoAM-OQ&feature=youtu.be
[Figure: each tenant's Docker Engine and operating system instance runs inside its own VM (vServer) attached to its own vSwitch; the provider attests and the tenants audit at every layer]
Control Boundary & Controls Alignment:
Consistent boundary across the stack
Same identifier (msid, vmid)
Alignment … in any state
Independent verification
Authoritative context (OOB)
Application Blueprint Example - vRealize
Application structure and external connectivity are completely exposed to inform operationally plausible security policy
Enterprise Infrastructure & Containers
Infrastructural Context
Leveraging of PBS, PBN, Infrastructural Services
Legacy apps to cloud native apps, on the same infrastructure
Integration of governance, CJA, context (for logs, alerts, response, RCA, …)
…
[Figure: ESX hosts running Photon OS, with Kubernetes / MESOS scheduling Photon Cont 1 – 3; workflow: Photon Machine → Create Kubernetes Cluster → Create → Get pods]
App Behavior Analysis: Arkin Example
Insight into application network behavior drives a 1st order operationally plausible default deny posture.
Container
Intrinsically captures application structure, provenance, and classification (pre-launch)
Always current configuration (immutability)
No “intended” vs. “actual” gap
Operations & Security perspectives
Immutability accommodates “moving target” defense techniques
Exposes implicit network requirements in app context
Exposes implicit app deployment requirements
Level of required awareness of virtual network topology
Required SVCs
Refining Micro-Segmentation Using Analytics
Sources of Plausible Micro-segment Policy
1. Provenance, Manifests & Provisioning Information
2. Application Network Behavior
3. Infrastructure Services (or Micro-services) Connectivity & Dynamics
Micro-Segmentation: Model & Secure
• Model apps, app tiers, regulatory scopes, network, org boundaries, etc.
• Default Deny: Only allow what’s necessary, deny everything else.
Source: Arkin.net Screenshot
Micro-Segmentation in Action: Modeling Security Groups
Source: Arkin.net Screenshot
Segment by applications, app tiers, security zones, L2/L3 network boundaries, virtual-physical boundaries, organizational levels, etc.
Micro-Segmentation in Action: Modeling Security Policies
Source: Arkin.net Screenshot
Inter and intra segment (VM to VM) communication
Some services require internet access.
“Deny All” to these segments (… and confirm it)
Allowed access to shared services
Micro-Segmentation in Action: Validate Compliance
Source: Arkin.net Screenshot
Runtime effective policy between any two points in the datacenter
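The micro-segment model these "Micro-Segmentation in Action" slides and the earlier "Simplify" slides describe, as an added example that is not part of the original deck and not code from Arkin or VMware: security groups are derived from workload classification (app, tier) rather than IP address, each application segment carries its own small default-deny policy, and the runtime effective policy between any two VMs, the side effect of deleting a rule, and a "deny all ... and confirm it" check are computed over a constructed inventory.

```python
"""Added example (not from the slides): a toy distributed-firewall (dFW) policy model.
Security groups come from workload classification (app, tier), never from IP address;
every segment is default deny; effective policy between any two VMs is computed at
runtime. Inventory, names and rules are constructed."""
from dataclasses import dataclass
from itertools import product


@dataclass(frozen=True)
class VM:
    name: str
    app: str      # classification: which application or service the workload belongs to
    tier: str     # classification: web / app / db / svc
    ip: str       # placement detail; deliberately unused by every rule below


@dataclass(frozen=True)
class Rule:
    src: str      # security group: "any", "app:<app>" or "app:<app>:tier:<tier>"
    dst: str
    port: int     # 0 means any destination port
    action: str   # "allow" or "deny"


def groups(vm):
    """Membership comes from classification, so policy follows the workload to any host or IP."""
    return {"any", "app:%s" % vm.app, "app:%s:tier:%s" % (vm.app, vm.tier)}


def effective_policy(src, dst, port, policies):
    """Runtime effective policy between two points: only the destination application's own
    segment policy is consulted, first match wins, no match means the segment's default deny."""
    src_g, dst_g = groups(src), groups(dst)
    for rule in policies.get("app:%s" % dst.app, []):
        if rule.src in src_g and rule.dst in dst_g and rule.port in (0, port):
            return rule.action, rule
    return "deny", None


def verdict_matrix(vms, ports, policies):
    """Verdict for every ordered (src, dst, port) triple in the inventory."""
    return {(s, d, p): effective_policy(s, d, p, policies)[0]
            for s, d, p in product(vms, vms, ports) if s != d}


def change_side_effect(vms, ports, before, after):
    """Flows whose verdict differs between two policy sets: the blast radius of a change."""
    m0, m1 = verdict_matrix(vms, ports, before), verdict_matrix(vms, ports, after)
    return sorted((s.name, d.name, p) for (s, d, p), v in m0.items() if v != m1[(s, d, p)])


def external_allows(vms, ports, policies, segment_group):
    """'Deny all to these segments ... and confirm it': flows allowed into members of
    segment_group from workloads of a different application."""
    return sorted((s.name, d.name, p)
                  for (s, d, p), v in verdict_matrix(vms, ports, policies).items()
                  if v == "allow" and segment_group in groups(d) and s.app != d.app)


# Constructed inventory: a shop app, an HR app and a shared DNS service.
VMS = [
    VM("shop-web1", "shop", "web", "10.1.1.10"),
    VM("shop-app1", "shop", "app", "10.1.2.10"),
    VM("shop-db1", "shop", "db", "10.1.3.10"),
    VM("hr-web1", "hr", "web", "10.2.1.10"),
    VM("hr-db1", "hr", "db", "10.2.3.10"),
    VM("dns1", "dns", "svc", "10.9.9.53"),
]
PORTS = [443, 8080, 5432, 53]

# One small policy per application segment, each aligned on that app alone.
POLICIES = {
    "app:shop": [
        Rule("any", "app:shop:tier:web", 443, "allow"),
        Rule("app:shop:tier:web", "app:shop:tier:app", 8080, "allow"),
        Rule("app:shop:tier:app", "app:shop:tier:db", 5432, "allow"),
    ],
    "app:hr": [
        Rule("any", "app:hr:tier:web", 443, "allow"),
        Rule("app:hr:tier:web", "app:hr:tier:db", 5432, "allow"),
    ],
    "app:dns": [Rule("any", "app:dns", 53, "allow")],  # shared service reachable by all
}


def demo():
    web, app, db, hr_web, hr_db, dns = VMS
    r = {
        "web->app:8080": effective_policy(web, app, 8080, POLICIES)[0],             # allow
        "web->db:5432": effective_policy(web, db, 5432, POLICIES)[0],               # deny: tier skipped
        "hr-web->shop-app:8080": effective_policy(hr_web, app, 8080, POLICIES)[0],  # deny: cross-app
        "hr-web->dns:53": effective_policy(hr_web, dns, 53, POLICIES)[0],           # allow: shared svc
    }
    # Policy follows the workload: re-addressing after a move changes nothing.
    moved = VM(web.name, web.app, web.tier, "10.7.7.7")
    r["moved-web->app:8080"] = effective_policy(moved, app, 8080, POLICIES)[0]     # allow
    # Change with less side effect: deleting HR's web->db rule cannot touch shop flows.
    after = dict(POLICIES, **{"app:hr": POLICIES["app:hr"][:1]})
    r["side_effect"] = change_side_effect(VMS, PORTS, POLICIES, after)
    # Confirm the shop DB tier accepts nothing from outside the shop app.
    r["shop-db-external-allows"] = external_allows(VMS, PORTS, POLICIES, "app:shop:tier:db")
    return r


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```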
Summary
Complexity is at the heart of today’s security challenge
Virtualization and softwarization allow app-focused placement and policy alignment
Containerization provides the essential context for realizing an operationally plausible default deny policy
This results in transformationally simpler policy and more effective protection.
Apply: Assess
When you return to work:
Evaluate your current policy complexity
  Policy set size
  Policy testing workflow
Estimate its effect on security policy management
  Latency in security policy updates
Estimate the degree of your “default deny” posture
Identify related instances of policy misconfiguration
Apply: DevOps
As you move forward in DevOps:
For selected applications determine
  Operationally plausible default deny posture from observed logs
  Application policy requirements from container blueprints/manifests
  Application component dynamics: continuity, scaling, …
For important and cross-cutting application services
  Document discovery, election, failover, … protocol dynamics
Apply: Plausible Micro-segment Policy
Plausible Policy Information Sources
1. Provenance, Manifests & Provisioning Information
2. Application Network Behavior
3. Infrastructure Services (or Micro-services) Connectivity & Dynamics
Thank You! Questions?
Dennis R Moreau: dmoreau@vmware.com

Verizon Breach Investigation Report (VBIR).pdf
 
Top 10 Security Risks .pptx.pdf
Top 10 Security Risks .pptx.pdfTop 10 Security Risks .pptx.pdf
Top 10 Security Risks .pptx.pdf
 
Simplifying data privacy and protection.pdf
Simplifying data privacy and protection.pdfSimplifying data privacy and protection.pdf
Simplifying data privacy and protection.pdf
 
Generative AI and Security (1).pptx.pdf
Generative AI and Security (1).pptx.pdfGenerative AI and Security (1).pptx.pdf
Generative AI and Security (1).pptx.pdf
 
EVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdf
EVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdfEVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdf
EVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdf
 
DPDP Act 2023.pdf
DPDP Act 2023.pdfDPDP Act 2023.pdf
DPDP Act 2023.pdf
 
Cyber Truths_Are you Prepared version 1.1.pptx.pdf
Cyber Truths_Are you Prepared version 1.1.pptx.pdfCyber Truths_Are you Prepared version 1.1.pptx.pdf
Cyber Truths_Are you Prepared version 1.1.pptx.pdf
 
Cyber Crisis Management.pdf
Cyber Crisis Management.pdfCyber Crisis Management.pdf
Cyber Crisis Management.pdf
 
CISOPlatform journey.pptx.pdf
CISOPlatform journey.pptx.pdfCISOPlatform journey.pptx.pdf
CISOPlatform journey.pptx.pdf
 
Chennai Chapter.pptx.pdf
Chennai Chapter.pptx.pdfChennai Chapter.pptx.pdf
Chennai Chapter.pptx.pdf
 
Cloud attack vectors_Moshe.pdf
Cloud attack vectors_Moshe.pdfCloud attack vectors_Moshe.pdf
Cloud attack vectors_Moshe.pdf
 
Stories From The Web 3 Battlefield
Stories From The Web 3 BattlefieldStories From The Web 3 Battlefield
Stories From The Web 3 Battlefield
 
Lessons Learned From Ransomware Attacks
Lessons Learned From Ransomware AttacksLessons Learned From Ransomware Attacks
Lessons Learned From Ransomware Attacks
 
Emerging New Threats And Top CISO Priorities In 2022 (Chennai)
Emerging New Threats And Top CISO Priorities In 2022 (Chennai)Emerging New Threats And Top CISO Priorities In 2022 (Chennai)
Emerging New Threats And Top CISO Priorities In 2022 (Chennai)
 
Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)
Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)
Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)
 
Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)
Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)
Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)
 
Cloud Security: Limitations of Cloud Security Groups and Flow Logs
Cloud Security: Limitations of Cloud Security Groups and Flow LogsCloud Security: Limitations of Cloud Security Groups and Flow Logs
Cloud Security: Limitations of Cloud Security Groups and Flow Logs
 
Cyber Security Governance
Cyber Security GovernanceCyber Security Governance
Cyber Security Governance
 
Ethical Hacking
Ethical HackingEthical Hacking
Ethical Hacking
 

Recently uploaded

IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdfIaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdfDaniel Santiago Silva Capera
 
Computer 10: Lesson 10 - Online Crimes and Hazards
Computer 10: Lesson 10 - Online Crimes and HazardsComputer 10: Lesson 10 - Online Crimes and Hazards
Computer 10: Lesson 10 - Online Crimes and HazardsSeth Reyes
 
Secure your environment with UiPath and CyberArk technologies - Session 1
Secure your environment with UiPath and CyberArk technologies - Session 1Secure your environment with UiPath and CyberArk technologies - Session 1
Secure your environment with UiPath and CyberArk technologies - Session 1DianaGray10
 
Introduction to Matsuo Laboratory (ENG).pptx
Introduction to Matsuo Laboratory (ENG).pptxIntroduction to Matsuo Laboratory (ENG).pptx
Introduction to Matsuo Laboratory (ENG).pptxMatsuo Lab
 
9 Steps For Building Winning Founding Team
9 Steps For Building Winning Founding Team9 Steps For Building Winning Founding Team
9 Steps For Building Winning Founding TeamAdam Moalla
 
Babel Compiler - Transforming JavaScript for All Browsers.pptx
Babel Compiler - Transforming JavaScript for All Browsers.pptxBabel Compiler - Transforming JavaScript for All Browsers.pptx
Babel Compiler - Transforming JavaScript for All Browsers.pptxYounusS2
 
Salesforce Miami User Group Event - 1st Quarter 2024
Salesforce Miami User Group Event - 1st Quarter 2024Salesforce Miami User Group Event - 1st Quarter 2024
Salesforce Miami User Group Event - 1st Quarter 2024SkyPlanner
 
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...UbiTrack UK
 
Cloud Revolution: Exploring the New Wave of Serverless Spatial Data
Cloud Revolution: Exploring the New Wave of Serverless Spatial DataCloud Revolution: Exploring the New Wave of Serverless Spatial Data
Cloud Revolution: Exploring the New Wave of Serverless Spatial DataSafe Software
 
RAG Patterns and Vector Search in Generative AI
RAG Patterns and Vector Search in Generative AIRAG Patterns and Vector Search in Generative AI
RAG Patterns and Vector Search in Generative AIUdaiappa Ramachandran
 
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyesHow to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyesThousandEyes
 
KubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCost
KubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCostKubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCost
KubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCostMatt Ray
 
PicPay - GenAI Finance Assistant - ChatGPT for Customer Service
PicPay - GenAI Finance Assistant - ChatGPT for Customer ServicePicPay - GenAI Finance Assistant - ChatGPT for Customer Service
PicPay - GenAI Finance Assistant - ChatGPT for Customer ServiceRenan Moreira de Oliveira
 
Comparing Sidecar-less Service Mesh from Cilium and Istio
Comparing Sidecar-less Service Mesh from Cilium and IstioComparing Sidecar-less Service Mesh from Cilium and Istio
Comparing Sidecar-less Service Mesh from Cilium and IstioChristian Posta
 
Digital magic. A small project for controlling smart light bulbs.
Digital magic. A small project for controlling smart light bulbs.Digital magic. A small project for controlling smart light bulbs.
Digital magic. A small project for controlling smart light bulbs.francesco barbera
 
Introduction to Quantum Computing
Introduction to Quantum ComputingIntroduction to Quantum Computing
Introduction to Quantum ComputingGDSC PJATK
 
UiPath Studio Web workshop series - Day 8
UiPath Studio Web workshop series - Day 8UiPath Studio Web workshop series - Day 8
UiPath Studio Web workshop series - Day 8DianaGray10
 
Spring24-Release Overview - Wellingtion User Group-1.pdf
Spring24-Release Overview - Wellingtion User Group-1.pdfSpring24-Release Overview - Wellingtion User Group-1.pdf
Spring24-Release Overview - Wellingtion User Group-1.pdfAnna Loughnan Colquhoun
 
Empowering Africa's Next Generation: The AI Leadership Blueprint
Empowering Africa's Next Generation: The AI Leadership BlueprintEmpowering Africa's Next Generation: The AI Leadership Blueprint
Empowering Africa's Next Generation: The AI Leadership BlueprintMahmoud Rabie
 
Nanopower In Semiconductor Industry.pdf
Nanopower  In Semiconductor Industry.pdfNanopower  In Semiconductor Industry.pdf
Nanopower In Semiconductor Industry.pdfPedro Manuel
 

Recently uploaded (20)

IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdfIaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
 
Computer 10: Lesson 10 - Online Crimes and Hazards
Computer 10: Lesson 10 - Online Crimes and HazardsComputer 10: Lesson 10 - Online Crimes and Hazards
Computer 10: Lesson 10 - Online Crimes and Hazards
 
Secure your environment with UiPath and CyberArk technologies - Session 1
Secure your environment with UiPath and CyberArk technologies - Session 1Secure your environment with UiPath and CyberArk technologies - Session 1
Secure your environment with UiPath and CyberArk technologies - Session 1
 
Introduction to Matsuo Laboratory (ENG).pptx
Introduction to Matsuo Laboratory (ENG).pptxIntroduction to Matsuo Laboratory (ENG).pptx
Introduction to Matsuo Laboratory (ENG).pptx
 
9 Steps For Building Winning Founding Team
9 Steps For Building Winning Founding Team9 Steps For Building Winning Founding Team
9 Steps For Building Winning Founding Team
 
Babel Compiler - Transforming JavaScript for All Browsers.pptx
Babel Compiler - Transforming JavaScript for All Browsers.pptxBabel Compiler - Transforming JavaScript for All Browsers.pptx
Babel Compiler - Transforming JavaScript for All Browsers.pptx
 
Salesforce Miami User Group Event - 1st Quarter 2024
Salesforce Miami User Group Event - 1st Quarter 2024Salesforce Miami User Group Event - 1st Quarter 2024
Salesforce Miami User Group Event - 1st Quarter 2024
 
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...
 
Cloud Revolution: Exploring the New Wave of Serverless Spatial Data
Cloud Revolution: Exploring the New Wave of Serverless Spatial DataCloud Revolution: Exploring the New Wave of Serverless Spatial Data
Cloud Revolution: Exploring the New Wave of Serverless Spatial Data
 
RAG Patterns and Vector Search in Generative AI
RAG Patterns and Vector Search in Generative AIRAG Patterns and Vector Search in Generative AI
RAG Patterns and Vector Search in Generative AI
 
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyesHow to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
 
KubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCost
KubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCostKubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCost
KubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCost
 
PicPay - GenAI Finance Assistant - ChatGPT for Customer Service
PicPay - GenAI Finance Assistant - ChatGPT for Customer ServicePicPay - GenAI Finance Assistant - ChatGPT for Customer Service
PicPay - GenAI Finance Assistant - ChatGPT for Customer Service
 
Comparing Sidecar-less Service Mesh from Cilium and Istio
Comparing Sidecar-less Service Mesh from Cilium and IstioComparing Sidecar-less Service Mesh from Cilium and Istio
Comparing Sidecar-less Service Mesh from Cilium and Istio
 
Digital magic. A small project for controlling smart light bulbs.
Digital magic. A small project for controlling smart light bulbs.Digital magic. A small project for controlling smart light bulbs.
Digital magic. A small project for controlling smart light bulbs.
 
Introduction to Quantum Computing
Introduction to Quantum ComputingIntroduction to Quantum Computing
Introduction to Quantum Computing
 
UiPath Studio Web workshop series - Day 8
UiPath Studio Web workshop series - Day 8UiPath Studio Web workshop series - Day 8
UiPath Studio Web workshop series - Day 8
 
Spring24-Release Overview - Wellingtion User Group-1.pdf
Spring24-Release Overview - Wellingtion User Group-1.pdfSpring24-Release Overview - Wellingtion User Group-1.pdf
Spring24-Release Overview - Wellingtion User Group-1.pdf
 
Empowering Africa's Next Generation: The AI Leadership Blueprint
Empowering Africa's Next Generation: The AI Leadership BlueprintEmpowering Africa's Next Generation: The AI Leadership Blueprint
Empowering Africa's Next Generation: The AI Leadership Blueprint
 
Nanopower In Semiconductor Industry.pdf
Nanopower  In Semiconductor Industry.pdfNanopower  In Semiconductor Industry.pdf
Nanopower In Semiconductor Industry.pdf
 

Transforming Security: Containers, Virtualization and Softwarization

  • 1. SESSION ID: #RSAC. Dennis R Moreau. Transforming Security: Containers, Virtualization and the Softwarization of Controls (ASD-W03). Senior Engineering Architect, VMware Office of the CTSO. @DoctorMoreau
  • 2. The Security Problem. Security breach rates and losses continue to outpace security spend in “the year of the breach”. (Chart: IT Spend, Security Spend, Security Breaches.)
  • 3. Complexity: Complex Attack Behavior. (Diagram of attack behavior across the HW & FW, OS and Application layers: MMUs, SMM, UEFI, controllers, supply chain …; overflows, insertion, malformation …; DLL injection, service vulnerabilities, ROP …; recon and lateral movement across OS, application, HW & FW, IaaS and SaaS.)
  • 4. Complexity: Many Required Security Controls. Source: SANS 20 Critical Cyber Controls – Fall 2014, https://www.sans.org/media/critical-security-controls/fall-2014-poster.pdf
  • 5. Complexity: Many Security Control Standards. NIST 800-53, ISO 27002, NSA Top 10, GCHQ 10 Steps, PCI DSS, HIPAA, NERC, CSA, FISMA, ITIL KPIs, … Source: https://www.sans.org/media/critical-security-controls/critical-controls-poster-2016.pdf
  • 6. Complexity: The Balkanization of Security. Security controls differ in their rules, language and logic (SNORT, FW 5-tuples, OWASP, YARA, XACML …), their control boundary (end point, network, VLAN, domain, process, OU …), their object type (user, application, data class, service, DB …), their consoles (logs, alerts, rules, workflow …) and their agent placement constraints (DB, app, OS, NAT, LB, L4, L3 …).
  • 7. Complexity: No Finish Line. Change: evolving standards, control technology, growth, scale, agility++, new business need, new regulation, new threats, new governance.
  • 8. Complexity: IT Architecture. Highly connected; complex service protocols; EP controls with weak isolation; NW controls with weak context; EP <-> NW mismatch. (Diagram: many VMs across App1–App4 behind one shared FW and IPS.)
  • 9. Complexity is the Problem! Misconfiguration is very common (Gartner: 95%* of FW breaches attributable to misconfiguration). *Gartner, Inc. “One Brand of Firewall Is a Best Practice for Most Enterprises”. November 28, 2012. *Gartner, Inc. “… 75 Percent of Mobile Security Breaches Will Be the Result of Mobile Application Misconfiguration”, http://www.gartner.com/newsroom/id/2846017. We need architecturally simplified security provisioning, operation, response and analytics.
  • 10. Virtualization and the Softwarization of Security Controls: Enabling Policy Simplification
  • 11. Visibility: Micro-segmentation and SW. Understand traffic: here, > 80% is East-West; largely uninspected and unprotected; Ops: clearly not optimized. Source: networking data from Arkin.net deployments.
  • 13. Network Virtualization. Compute isolation (guest and vSwitch) and network isolation; virtual network control and virtual server control cover provisioning, protection, introspection …, and IP address space, routing, firewall …
  • 14. Network Virtualization: Overlays. Tenant L2 segments (Tenant B, Tenant C) carry VM traffic across the transport network under an overlays controller: each original frame (L2 | IP | payload) is encapsulated as L2 | IP | UDP | VXLAN | payload.
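As an added illustration of the overlay encapsulation on slide 14 (not code from the deck or from VMware), the following Python builds a tenant VM frame, wraps it the way a VTEP would (outer L2 | IP | UDP | VXLAN | inner frame) and decapsulates it again. The MAC and IP addresses, the VNIs 5001 and 5002 and the payload are constructed sample values. It also shows why the VNI, not the inner address, identifies the tenant segment: two tenants may reuse the same inner IP addresses.

```python
"""Encapsulate and decapsulate VXLAN overlay frames (constructed example, not the deck's code)."""
import struct
from dataclasses import dataclass
from socket import inet_aton, inet_ntoa

VXLAN_UDP_PORT = 4789       # IANA port for VXLAN (RFC 7348)
VXLAN_FLAG_I = 0x08         # "I" flag: the VNI field is valid
ETHERTYPE_IPV4 = 0x0800
IPPROTO_UDP = 17


@dataclass
class InnerFrame:
    vni: int
    src_mac: str
    dst_mac: str
    src_ip: str
    dst_ip: str
    payload: bytes


def _mac_bytes(mac: str) -> bytes:
    return bytes(int(octet, 16) for octet in mac.split(":"))


def _mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def _ipv4_header(src_ip: str, dst_ip: str, proto: int, payload_len: int) -> bytes:
    # Minimal 20-byte IPv4 header; checksum left at 0 because no IP stack parses this offline example.
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                       inet_aton(src_ip), inet_aton(dst_ip))


def inner_ipv4_frame(src_mac: str, dst_mac: str, src_ip: str, dst_ip: str, payload: bytes) -> bytes:
    """Tenant VM frame as it leaves the vNIC: Ethernet + IPv4 + payload (L4 header omitted for brevity)."""
    eth = _mac_bytes(dst_mac) + _mac_bytes(src_mac) + struct.pack("!H", ETHERTYPE_IPV4)
    return eth + _ipv4_header(src_ip, dst_ip, 6, len(payload)) + payload


def encapsulate(vni: int, vtep_src_ip: str, vtep_dst_ip: str, inner: bytes) -> bytes:
    """What the source vSwitch/VTEP puts on the transport network."""
    vxlan = bytes([VXLAN_FLAG_I, 0, 0, 0]) + vni.to_bytes(3, "big") + b"\x00"   # 8-byte VXLAN header
    udp_payload = vxlan + inner
    udp = struct.pack("!HHHH", 49152, VXLAN_UDP_PORT, 8 + len(udp_payload), 0)  # UDP checksum 0 = none
    outer_eth = (_mac_bytes("02:00:00:00:00:02") + _mac_bytes("02:00:00:00:00:01")
                 + struct.pack("!H", ETHERTYPE_IPV4))
    return (outer_eth + _ipv4_header(vtep_src_ip, vtep_dst_ip, IPPROTO_UDP, 8 + len(udp_payload))
            + udp + udp_payload)


def decapsulate(frame: bytes) -> InnerFrame:
    """What the destination VTEP does: peel the transport headers, read the VNI, return the tenant frame."""
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        raise ValueError("outer frame is not IPv4")
    ihl = (frame[14] & 0x0F) * 4
    if frame[14 + 9] != IPPROTO_UDP:
        raise ValueError("outer packet is not UDP")
    udp_off = 14 + ihl
    _, dst_port, udp_len, _ = struct.unpack("!HHHH", frame[udp_off:udp_off + 8])
    if dst_port != VXLAN_UDP_PORT:
        raise ValueError(f"UDP port {dst_port} is not VXLAN")
    if len(frame) < udp_off + udp_len:
        raise ValueError("truncated VXLAN datagram")
    vx_off = udp_off + 8
    if not frame[vx_off] & VXLAN_FLAG_I:
        raise ValueError("VXLAN I flag not set: VNI invalid")
    vni = int.from_bytes(frame[vx_off + 4:vx_off + 7], "big")
    inner = frame[vx_off + 8:udp_off + udp_len]
    inner_ihl = (inner[14] & 0x0F) * 4
    return InnerFrame(vni=vni,
                      src_mac=_mac_str(inner[6:12]), dst_mac=_mac_str(inner[0:6]),
                      src_ip=inet_ntoa(inner[26:30]), dst_ip=inet_ntoa(inner[30:34]),
                      payload=inner[14 + inner_ihl:])


def tenant_view(frames: list) -> dict:
    """Group decapsulated flows by VNI: the same inner address in two VNIs is two different tenants' hosts."""
    out = {}
    for f in frames:
        d = decapsulate(f)
        out.setdefault(d.vni, []).append(f"{d.src_ip}->{d.dst_ip}")
    return out


if __name__ == "__main__":
    inner = inner_ipv4_frame("02:00:00:00:00:0a", "02:00:00:00:00:0b", "10.0.0.5", "10.0.0.9", b"hello")
    wire = [encapsulate(5001, "192.0.2.1", "192.0.2.2", inner),
            encapsulate(5002, "192.0.2.1", "192.0.2.2", inner)]
    print(tenant_view(wire))   # {5001: ['10.0.0.5->10.0.0.9'], 5002: ['10.0.0.5->10.0.0.9']}
```

The point for policy is in the last call: a control that only sees the inner 10.0.0.5 cannot tell Tenant B from Tenant C, so the VNI (the segment identifier) has to be part of the policy key, which is what the aligned identifiers on later slides provide.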
  • 15. Micro-segments: A new policy primitive. An App/Svc segment spans guests and vSwitches with aligned isolation: routing, NAT, dFW. The policy boundary is invariant.
  • 16. Simplify: Smaller more aligned policy. (Diagram: left, one edge firewall (eFW) in front of all VMs of App1–App4 with one long policy list; right, a distributed firewall (dFW) per app/service, each with a short policy list.) Policy at the edge crosses many apps (App1 – App4); policy at the dFW can align on one App/Svc: much smaller policy sets, much more coherent policy.
  • 17. Simplify: Change with less side effect. A policy change at the shared firewall is coupled across apps; a policy change at a per-app firewall is far safer: much simpler mitigation, much safer rule deletion.
  • 18. Simplify: Policy that follows the workload. With the shared firewall, only traffic steering determines protection and visibility; with the dFW, classification (security group, SG) determines protection and visibility, and protection scales with hypervisors.
  • 19. Simplify: Default deny posture. Default deny policy at the shared edge firewall is blunt, coupled across apps, partial and weakly scalable; default deny policy at the dFW is precise, efficient, scalable, … Recon and lateral movement in the DC become much more visible and difficult.
  • 20. Simplify: Intrinsic E/W visibility/control. With edge controls, E/W traffic is hair-pinned for visibility at the DC edge; with the dFW, all E/W traffic is visible and filtered according to policy: complete E/W visibility and control, no hairpin management.
  • 21. Control Placement and Segments. (Diagram: a FW and SC per app segment instead of one shared FW and SC for App1–App4.) Enabled by: Network Virtualization + Softwarization of Security Controls.
  • 22. Virtualization and the Softwarization of Security Controls: Improved Alignment
  • 23. Align: NW/EP Control Aligned on Segments. NW policy is keyed on IF, subnet, DHCP scope, …; EP policy on asset, host ID, SID, server role, TPM, … With shared controls, EP identifiers and boundaries do not coincide with NW identifiers and boundaries (≢); within an app segment they do (≡): EP, micro-segment (MS) and NW share the mapping VMID ↔ MSID, and policies P1(MSID) … PN(MSID) are expressed on the segment.
  • 24. Align: Coordinated Controls. Within a segment: dFW, WAF (detect here, OWASP rules), vFW (block here, FW rules). Then … detection is expensive, so …
  • 25. Align: Coordinated Controls. Within a segment: dFW, WAF (OWASP rules), vFW (FW rules), IPS (SNORT rules). An emergent vulnerability or an observed anomaly yields Rule N+1, Rule N+2, …
  • 26. Align: Controls Context. Within a segment: dFW, WAF (OWASP rules), IPS (SNORT rules), AA (protocol definition), vFW (FW rules, access rules), composing into the resultant protection policy. Order matters, so topological context is required for many security use cases: visibility and semantics at one control depend on the policy and filtering applied at the controls before it.
  • 27. Containers and Operationally Plausible Default Deny Policy
  • 28. Sources of Plausible Micro-segment Policy: 1. Provenance, Manifests & Provisioning Information; 2. Application Network Behavior; 3. Infrastructure Services (or Micro-services) Connectivity & Dynamics.
  • 29. Containers: App/Svc Focused Context. Example authoritative context: app configuration and resources; resource sharing across apps; colocation of containers; service components; services within a namespace; network dynamics (LB, HA, …). Example contextual structure: namespace → replication controller (RC), volume, service → pods → containers (app, env), with an LB in front.
  • 30. Containers: EP Compliance. Compliance scan of Docker image. Usage: oscap-docker image IMAGE_NAME [OSCAP_ARGUMENTS]. Compliance scan of Docker container. Usage: oscap-docker container CONTAINER_NAME [OSCAP_ARGUMENTS]. Vulnerability scan of Docker image. Usage: oscap-docker image-cve IMAGE_NAME [--results oval-results-file.xml [--report report.html]]. Vulnerability scan of Docker container. Usage: oscap-docker container-cve CONTAINER_NAME [--results oval-results-file.xml [--report report.html]]. Ref: https://github.com/OpenSCAP/container-compliance
  • 31. Alignment: Network Context. (Diagram: hosted protection versus premise protection; an LB in front of services: Web Service, Web Cont, Web Cart, SAP MT, SAP DB, DB.) Control placement determines: meaning of log and alert signals; up/down stream interference; affected assets; mitigation options.
  • 32. But “containers don’t contain”. (Diagram: provider attestation and tenant audits over a Docker Engine on one operating system instance hosting App 1 and App 2 with their bins/libs.) Shared: IDs, filesystem, services, resources … Process and namespace isolation … but it could be much better: better isolation; isolated (independent) controls; mature security management (Gartner); a normalized policy locus between WL and hosting (hybrid/multi-cloud); mis-alignment. Refs: https://opensource.com/business/14/7/docker-security-selinux ; http://www.projectatomic.io/blog/2014/09/yet-another-reason-containers-don-t-contain-kernel-keyrings/ ; http://blog.docker.com/2014/06/docker-container-breakout-proof-of-concept-exploit/ ; Gartner: Security Properties of Containers Managed by Docker.
  • 33. Directional: Containers + Virtualization. Per-app FW, IPS, WAF, NGFW … produce logs and alerts that feed behavior analytics (where else might this behavior be expressed?). Registry (labels, provenance, testing), containers, Docker daemon, images and policy share the same app IDs, the same boundaries and shared context, aligned across apps, server and network. More actionable context, so response is more efficient and accurate, with reduced dwell time.
  • 34. Containers + Virtualization. VMworld 2015: NET6639 - Next Horizon for Cloud Networking and Security: https://www.youtube.com/watch?v=RBJ-KoAM-OQ&feature=youtu.be (Diagram: provider attestation and tenant audits; each tenant's Docker Engine and OS instance run in a VM with its own vServer and vSwitch.) Consistent boundary across the stack; same identifier (msid, vmid); alignment … in any state; independent verification; authoritative context (OOB); control boundary and controls alignment.
  • 35. Application Blueprint Example - vRealize. Application structure and external connectivity are completely exposed to inform operationally plausible security policy.
  • 36. Enterprise Infrastructure & Containers. Infrastructural context; leveraging of PBS, PBN and infrastructural services; legacy apps to cloud native apps on the same infrastructure; integration of governance, CJA and context (for logs, alerts, response RCA, …) … (Diagram: ESX hosts running Photon OS; Kubernetes and Mesos create a Kubernetes cluster of Photon containers on a Photon machine: create, get pods.)
  • 37. App Behavior Analysis: Arkin Example. Insight into application network behavior drives a 1st order operationally plausible default deny posture.
  • 38. Container. Intrinsically captures application structure, provenance and classification (pre-launch). Always current configuration (immutability): no “intended” vs. “actual” gap; operations and security perspectives; immutability accommodates “moving target” defense techniques. Exposes implicit network requirements in app context; exposes implicit app deployment requirements; level of required awareness of virtual network topology; required SVCs.
  • 40. Sources of Plausible Micro-segment Policy: 1. Provenance, Manifests & Provisioning Information; 2. Application Network Behavior; 3. Infrastructure Services (or Micro-services) Connectivity & Dynamics.
  • 41. Micro-Segmentation: Model & Secure. Model apps, app tiers, regulatory scopes, network, org boundaries, etc. Default deny: only allow what’s necessary, deny everything else. Source: Arkin.net screenshot.
  • 42. Micro-Segmentation in Action: Modeling Security Groups. Segment by applications, app tiers, security zones, L2/L3 network boundaries, virtual-physical boundaries, organizational levels, etc. Source: Arkin.net screenshot.
  • 43. Micro-Segmentation in Action: Modeling Security Policies. Inter and intra segment (VM to VM) communication; some services require internet access; “deny all” to these segments (… and confirm it); allowed access to shared services. Source: Arkin.net screenshot.
  • 44. Micro-Segmentation in Action: Validate Compliance. Runtime effective policy between any two points in the datacenter. Source: Arkin.net screenshot.
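The procedure on slides 28, 37 and 41–44 (classify workloads into segments, allow only the observed inter-segment services, deny everything else, then check the effective policy between any two points) as an added example, not a tool or code from the deck or from Arkin/VMware: the segment map, the flow records and all addresses below are constructed sample data. It also computes what slide 47 asks you to estimate, the size of the segment-aligned policy against the host-level rule set an edge firewall keyed on 5-tuples would need for the same traffic, and lists the cross-application couplings slides 16 and 17 warn about.

```python
"""Derive a default-deny micro-segment policy from observed flows (constructed example, not the deck's code)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

DC_NET = ip_network("10.10.0.0/16")   # constructed datacenter scope; anything outside is "internet"

# Constructed security-group classification: segment = app/tier. This is the "classification (SG)"
# of slide 18; the address is only used to look the segment up.
SEGMENT_OF = {
    "10.10.1.11": "app1/web", "10.10.1.12": "app1/web",
    "10.10.2.21": "app1/db",
    "10.10.3.31": "app2/web",
    "10.10.9.53": "shared/dns",
}

# Constructed East-West flow records standing in for observed logs: (src_ip, dst_ip, proto, dst_port, bytes).
OBSERVED_FLOWS = [
    ("10.10.1.11", "10.10.2.21", "tcp", 5432, 40960),
    ("10.10.1.12", "10.10.2.21", "tcp", 5432, 12288),
    ("10.10.1.11", "10.10.9.53", "udp", 53, 512),
    ("10.10.1.12", "10.10.9.53", "udp", 53, 448),
    ("10.10.3.31", "10.10.9.53", "udp", 53, 640),
    ("10.10.3.31", "10.10.2.21", "tcp", 5432, 1024),   # app2 web -> app1 db: a cross-app flow to review
    ("10.10.1.11", "203.0.113.7", "tcp", 443, 99999),  # internet egress (slide 43: some services need it)
]


@dataclass(frozen=True)
class Rule:
    src_seg: str
    dst_seg: str
    proto: str
    port: int


def classify(ip: str) -> str:
    """Security-group lookup: the segment, not the address, keys the policy."""
    if ip_address(ip) not in DC_NET:
        return "internet"
    return SEGMENT_OF.get(ip, "unclassified")


def derive_policy(flows) -> list:
    """Collapse observed host-level flows into segment-level allow rules; everything else is default deny."""
    seen = {Rule(classify(s), classify(d), proto, port) for s, d, proto, port, _ in flows}
    return sorted(seen, key=lambda r: (r.src_seg, r.dst_seg, r.proto, r.port))


def host_level_rule_count(flows) -> int:
    """Size of the rule set an edge firewall keyed on host 5-tuples would need for the same traffic."""
    return len({(s, d, proto, port) for s, d, proto, port, _ in flows})


def cross_app_rules(rules) -> list:
    """Rules that couple two applications (slides 16/17): these deserve an explicit owner and review."""
    def app(seg: str) -> str:
        return seg.split("/")[0]
    return [r for r in rules
            if app(r.src_seg) != app(r.dst_seg)
            and app(r.src_seg) not in ("shared", "internet")
            and app(r.dst_seg) not in ("shared", "internet")]


def effective_policy(rules, src_ip: str, dst_ip: str, proto: str, port: int) -> str:
    """Runtime effective policy between any two points (slide 44): allow on a matching rule, else deny."""
    probe = Rule(classify(src_ip), classify(dst_ip), proto, port)
    return "allow" if probe in set(rules) else "deny"


if __name__ == "__main__":
    policy = derive_policy(OBSERVED_FLOWS)
    print(f"{len(policy)} segment rules versus {host_level_rule_count(OBSERVED_FLOWS)} host-level rules")
    for r in policy:
        print(f"  allow {r.src_seg} -> {r.dst_seg} {r.proto}/{r.port}")
    print("cross-app:", cross_app_rules(policy))
    print("app1/db -> app1/web ssh:", effective_policy(policy, "10.10.2.21", "10.10.1.11", "tcp", 22))
```

Two consequences of the design are worth checking before the policy goes live, exactly as slide 43 asks (“… and confirm it”): the "internet" class allows the observed egress service for the whole source segment rather than for the one host that was seen using it, and a host that is missing from the classification falls into "unclassified", where no observed rule will ever match it, so it is denied by default until someone classifies it.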
  • 46. Summary. Complexity is at the heart of today’s security challenge. Virtualization and softwarization allow app-focused placement and policy alignment. Containerization provides the essential context for realizing an operationally plausible default deny policy. This results in transformationally simpler policy and more effective protection.
  • 47. Apply: Assess. When you return to work: evaluate your current policy complexity (policy set size, policy testing workflow); estimate its effect on security policy management (latency in security policy updates); estimate the degree of your “default deny” posture; identify related instances of policy misconfiguration.
  • 48. Apply: Dev Ops. As you move forward in DevOps: for selected applications, determine the operationally plausible default deny posture from observed logs, the application policy requirements from container blueprints/manifests, and the application component dynamics (continuity, scaling, …); for important cross-cutting services, document the discovery, election, failover, … protocol dynamics.
  • 49. Apply: Plausible Micro-segment Policy. Plausible policy information sources: 1. Provenance, Manifests & Provisioning Information; 2. Application Network Behavior; 3. Infrastructure Services (or Micro-services) Connectivity & Dynamics.
  • 50. Thank You! Questions? Dennis R Moreau: dmoreau@vmware.com