The session will focus on how a cloud-native security platform can continuously discover workloads, identify risk, and enforce security policies in any multi-cloud environment. It will also cover how automated policy generation through agentless security controls makes protecting data and applications the easiest thing to do in the cloud.
The speaker for the session will be Dr. Ratinder Paul Singh Ahuja, Founder and Chief Research and Development Officer, ShieldX, USA.
Dr. Ratinder leads ShieldX and its mission as its central pivot point. Drawing from a career as a successful serial entrepreneur and corporate leader, he brings his unique blend of business acumen, industry network and deep technical knowledge.
At his previous start-ups, Internet Junction, Webstacks and Reconnex, he served as Chief Technology Officer and Vice President of the Mobile and Network Security Business Units. His knowledge of innovation and emerging trends in networking, network security, and data-loss prevention is derived from years of industry experience. Dr. Ahuja holds a BS in Electronics & Electrical Engineering from Thapar University in India, and a Master's and Ph.D. in Computer Engineering from Iowa State University. Dr. Ahuja has been granted 61 patents for security-based technologies, and has presented in many public forums, including the Content Protection Summit, IC3, IEEE Computer Society, McAfee FOCUS, and the Cloud Expo.
3. About ShieldX
Founded in 2016 - Headquarters in San Jose, CA
• Venture Funding:
• Industry Recognition:
• Notable Customers:
4. Equifax Breach: Perception vs Reality
Perception: Cause was a vulnerability in Apache Struts
Reality:
1. Failure of the chokepoint approach
2. Lack of E/W visibility, security policies & control
“…key factors that led to the breach were in the areas of identification, detection, segmentation, and data governance….”
[Diagram labels: WebApp Server; Firewall, IDPS, DLP, WAF, WSG; Lateral Movement; 3 Databases; 48 Databases]
7. Source: Gartner 2019
Security zone cleanup
Security zones have proliferated in many organizations
Microsegmentation can bring order to the security zone chaos
Risk of Flat Networks & Vulnerable Systems in Data Centers
Lack of Application Tiering
Lack of Tier Isolation
Lack of Application Isolation
Lack of Microsegmentation within tiers
9. ShieldX : Protecting the multi-cloud data center
WHAT: ShieldX protects multi-cloud data centers from the risk of lateral movement, which leads to attacks such as ransomware, data loss and service disruption.
WHY: Most multi-cloud data centers are designed without proper network segmentation and application tier isolation, and have vulnerable systems. These flat networks and vulnerable systems create a compliance dilemma and allow cyber attacks to propagate.
HOW: ShieldX Elastic Security Platform automates network and threat prevention security policy generation and security control deployment.
WHO: ShieldX is acquired by CIO & CISO teams that are responsible for multi-cloud datacenter network security policies & controls, threat prevention and compliance.
10. Compliance in multi cloud environments
Key Challenges
• Risk of flat networks and vulnerable systems in data centers and cloud environments
• Digital transformation
ShieldX Capabilities
• AI-enabled, fine-grained automated policy discovery and enforcement
• ElasticDPI-enabled microsegmentation
• Agentless
11. What happens when the auditor calls?
Regulation | Requirement | Impact
PCI | Install and maintain firewall to protect cardholder data. | Use microsegmentation to support operational effectiveness of maintaining firewall configuration/auditing.
SWIFT | Generate real-time application dependency map, impose segmentation and provide validation. | Use microsegmentation mapping to generate dependency map, automate segmentation and automate validation.
HIPAA | Implement means of access control including username and PIN. | Prevent users from even accessing the network where sensitive data is stored.
GDPR | Prevent access to communications networks. | Use microsegmentation to prevent unauthorized users from accessing GDPR records.
12. The move to hybrid/multi-cloud increases sensitive data risk
The walled garden: Application zones with infrastructure protection
[Diagram labels: Internet; Firewall (shown four times); DMZ; Business Tier; Web Tier; Data Tier]
Moving to the cloud dissolves boundaries
Traditional infrastructure protection is not viable
[Diagram labels: CLOUD; Web Tier; Data Tier; DMZ; Business Tier]
Challenges
• Ephemeral workloads
• Lack of visibility
• Impossible to set policy
• Can’t orchestrate
• Flat networks and vulnerable systems
Market Options
• Virtual firewall
• Physical hair pinning
• Manual segmentation
• Agents
• Native controls
13. Source: Gartner 2019
Security zone cleanup
Security zones have proliferated in many organizations
Microsegmentation can bring order to the security zone chaos
14. Microsegmentation is the foundation
Source: Gartner 2019
Segmentation decisions must not be isolated from other security layers. Set up rules for balancing segmentation and complementary controls requirements.
15.
16. ShieldX Architecture
[Architecture diagram labels: ShieldX Management Plane; ShieldX Data Planes (inspect and secure traffic); Management Network; Adaptive Intention Engine; Infrastructure Controller; Visibility; Controls; Service Chain Microservices; Backplane Network; Segment interface (SI) microservices connect to networks; Networks to Monitor]
17. Automating Network Security & Threat Prevention
Mathematically Precise Policy Automation
Asset Visibility / Application Visibility
Control Automation
Works in Multi-cloud
Continuous asset discovery
Multi-tiered application view
Network Security Policy
Automated Control Deployment
Transform Security Policy
Layer 3-4
• Tier Generation
• Micro-segmentation
• Tier isolation
• Zoning
Threat Prevention Security Policy
Layer 7
• Lateral movement prevention
• Virtual patching
Compliance
• PCI
• SWIFT
• GDPR
• HIPAA
Risk Reduction
• Eliminate risk of flat networks and vulnerable systems
Traffic Evidence / Tags
19. Autogenerated multi-tiered application view
Auto generated Network & Threat prevention policy
Automated tier generation; automated network security policies generation, forward testing and automated control deployment
20. Agentless workload security
Any workload, any cloud, secured at the most granular level
Discover
• Workloads, data and infrastructure
• How do they communicate?
Automate
• Automate security policies and controls
• Update instantly and perpetually
Secure
• Instrument policies across clouds
• Alert on attempted breaches
Consolidation; Deploys quickly; Visibility; Elastically scalable
21. ShieldX security controls
Virtual Patching
Visibility
DPI-enabled Microsegmentation
Lateral Movement Prevention
• TLS traffic decryption and termination
• Microsegmentation and Application based ACLs
• Data Discovery in Motion
• Anomaly detection
• Attack Tracking via Indicator of Pivot
• Threat detection and prevention
• Network-based malware detection, blocking and detonation with ShieldX Cloud or FireEye
• URL classification and reputation based detection and blocking
• Attack packet logging
22. The ShieldX Advantage
[Chart axes: Cloud Readiness; Manual; Automation/Scalability]
Traditional Vendors: Checkpoint, Cisco, Fortinet, Palo Alto, Juniper
Infrastructure Vendors: AWS+VFW, ACI+VFW, NSX+VFW, Azure, AWS, NSX
New Entrants: vArmour, Illumio, CloudPassage
23. “[ShieldX] gives us a lower dollar-per-protected-megabyte than a traditional firewall...”
—Alaska Airlines
Life After Deploying ShieldX
Lower Cost to Deliver Security
Improved efficiency
Risk Reduction
• Reduce firewall footprint
• Consume fewer network resources
• Reduce maintenance costs
• Automated policy and control setup as well as ongoing management
• Accelerated network investigations while reducing spend on network analytics, e.g., NextHop
• Real time policy and configuration updates
• Threat detection with DPI
• Automated fine grain control
24. UNCOMPROMISED
UNLIMITED
UNPARALLELED
www.shieldx.com
26. ShieldX Security Use Cases
Datacenter: East/West risk visibility, threat prevention & micro-segmentation
Multi-Cloud: Multi-cloud risk visibility, threat prevention & micro-segmentation
SCADA: Isolation and exploit prevention of critical networks and assets.
ISP/Telco: Critical infrastructure protection. Malware and threat prevention for subscribers.
MSSP: Highly virtualized and orchestrated solution allows MSSPs to offer security services with economics & scale
27. Public Case Studies & Reviews
Alaska Airlines: https://www.itcentralstation.com/product_reviews/shieldx-review-53633-by-brian-talbert
My favorite quote:
“The Adaptive Intention Engine is fantastic. It allows us to develop security policies using the language of our internal customers. It's machine-learning applied to security workflows. That allows us to much more easily construct the policies that will protect those workflows.”
IDT: https://www.itcentralstation.com/product_reviews/shieldx-review-53190-by-cio0ee7
My favorite quote:
“ShieldX has been designed from the very beginning to work well in cloud environments. It understands autoscaling, automation, and auto-configuration. These are the things which are important in today's operating environment.”
LHM: https://www.itcentralstation.com/product_reviews/shieldx-review-60870-by-branden-emia
Highlights:
Before ShieldX, we didn't have much of a security posture. We were trying to get there. We tried Illumio and bought the product, but it just seemed very difficult at the time. So, we decided to transition to ShieldX.
28. Notable POCs & Use Cases
Enterprise | Industry | Use Case
NTT | Telecom | VMware ESXi risk visibility, threat prevention, micro segmentation
ATT | Telecom | Multi-cloud risk visibility, threat prevention, micro segmentation
Scotia Bank | Financials | Azure cloud threat prevention
State Farm | Insurance | VMware ESXi threat prevention and microsegmentation
Flextronics | Manufacturing | Multi-cloud threat prevention and micro segmentation
NASDAQ | Financials | Multi-cloud threat prevention and micro segmentation
US Bank | Financials | Azure cloud threat prevention
Fresenius Medical | Medical Services | VMware ESXi
Amerisource Bergen | Pharmaceutical service | Azure risk visibility and threat detection
Lumentum | Manufacturing | Multi-cloud risk visibility, threat prevention and micro segmentation
BSNL India | ISP/Telco | Prevent malware and threat propagation for subscribers. Critical infrastructure protection
DEN Networks | Cable ISP | Prevent malware and threat propagation for subscribers. Critical infrastructure protection
29. Risk of Flat Networks & Unpatched systems
• Optimal Segmentation & Virtual Patching
[Diagram labels: DPI; X; Virtual Patch; Segmentation; Lateral Movement]
Logical segmentation and virtual patching become the compensating controls for the risk introduced by flat networks and residual vulnerabilities of unpatched systems that typically lead to lateral movement.