What CISOs fear and why? Metrics of effective security.

Presentation transcript:

What CISOs fear and why? Metrics of effective security. Mike Ruiz, May 2017

Presenter Bio: Mike Ruiz, Systems Engineer, Zscaler. 20 Years in Tech; Department Leader and Innovator; Network Security and Transformation; Emerging Technologies.

What CISOs fear?

How Do You Get Clean Internet WATER to People and why does it matter?

What a proven ineffective filtration system looks like. Here’s a real-world example. Source: Global 50 company, Actual Internet Gateway diagram

The problem is that it's too expensive, complex and slow to deploy all of this security hardware everywhere…

[Slide diagram: “Unprotected / Filtered” and “Largely Unprotected / Filtered” @ Event, Airport, Cafe, Hotel, Home]

What happens when I come back to the office? [Slide diagram: Event, Airport, Cafe, Hotel, Home]

Application transformation is happening already. Users are leaving the corporate network. Connections are following the path of least resistance. [Slide diagram: Headquarters, Hub and Spoke Architecture]

Cloud and mobility play a very important part in business today as they make us more productive, more agile, and more competitive, but they also cause some fundamental changes in the business, primarily in how, when, and where we work. The number of apps leaving the confines of the data center for the cloud continues to grow, Office 365 probably being the most prominent right now, and traffic patterns are following. When apps were run in the data center, it was the center of gravity and all traffic flowed there. Now that apps are moving to the cloud, traffic patterns are moving to the cloud as well. With some customers, anywhere from 60-90% of all traffic is now destined for the Internet.

And users are no longer tethered to their desks; they’re connecting to apps wherever and whenever they want on the devices that are most convenient for them. And if, on average, each employee uses 2-3 devices to connect to your network and to the Internet directly, each of these users represents a gateway.

Despite all of this innovation and technological advancement, the underlying security and access infrastructure dates back to the ‘90s and has never really evolved. It’s centered around securing the network to protect your users and apps. How do you secure this new world of cloud computing? How do you secure a network you don’t control? Building a bigger box and putting it in the data center won’t work. If you don’t control the network (Internet), how can you secure it? The traditional network security stack is irrelevant.

What Questions should we be able to answer?

When the board asks, “Have we been compromised?” With Zscaler, you can identify, in real time, all threats, by threat type, and botnet-infected machines calling Command and Control (C&C) servers. [Chart columns: User, C&C, Botnet] This user became infected with the Zeus Trojan, which is used to install CryptoLocker. It tried calling Russia over 2K times.

Chart of top 25 user and botnet domain pairs, the count of events for each user and domain pair, and the threat associated with these requests. Zeus and njRAT infections are prevalent. There are legacy infections of torpig, citadel, esaprof, and buzus; these botnets have been taken down or are no longer very active, but infected hosts should be remediated. Additional detail for the top four of these threats is in the case studies.

When the auditor asks, “Which cloud apps are we using?” Gain visibility into all of the cloud applications being used by your employees and define granular access policies to control their usage and reduce your risk. Webmail: Do you allow access to Russian webmail? Media and file sharing: Can you prioritize business apps like Office 365 over media and file sharing traffic? Development: Do you know where your intellectual property is being stored?

When the business asks, “Can we scale Office 365?” [Slide graphic labels: NO, YES, Hot!] Office 365 tends to use a lot of bandwidth and overwhelm even the latest firewall appliances!

How clean is our Internet?

How do I enable transformation easily and safely?

Metrics of effective security: active inline security both on and off network; visibility into the new normal… HTTPS; visibility of good and malicious activity; application visibility, control, and forecasting.

An architectural approach for secure IT transformation. Allows internal apps to behave like cloud apps. Security and Access Control. Secure the network. Secure Policy-Based Access connecting the right user to the right app or service. [Slide diagram labels: External, Internal, SaaS, Public Cloud, Open Internet, Private DC, DC Apps, On-the-go, HQ / Branches, IoT]

To secure this new world you need to break free from the whole notion of securing the network. Assume every network is a Starbucks hotspot. To secure this new world, security and access controls need to leverage the power and scale of the cloud. Policies should securely connect the right user to the right app or service, not the network.

Over 9 years ago, Zscaler built a cloud security platform to do just that: you simply connect all users, devices, and locations to the Zscaler cloud and policies provide secure access to external services and apps on the open Internet and SaaS apps. It also provides secure access to internal apps that reside in the AWS platform, Azure, and even your data center. In fact, our cloud security platform allows internal apps to behave like Salesforce.com. By moving your security and access controls to the cloud, you have a foundation that allows for network and application transformation.

Zscaler Purpose-built Multi-Tenant Internet Access Platform

ACCESS CONTROL: Cloud Firewall, URL Filtering, Bandwidth Control, DNS Filtering
THREAT PREVENTION: Advanced Protection, Anti-Virus, Cloud Sandbox, DNS Security
DATA PROTECTION: File Type Controls, Data Loss Prevention, Cloud Apps (CASB)

Powered by Patented Technologies:
SSMA: All security engines fire with each content scan, only microsecond delay
ByteScan™: Each outbound/inbound byte scanned, native SSL scanning
PageRisk™: Risk of each object computed inline, dynamically
NanoLog™: 50:1 compression, real-time global log consolidation
PolicyNow: Policies follow the user for the same on-premise, off-premise protection

Purchase what you need and you can always expand with a click of a button.

The Zscaler cloud security platform was purpose-built as a multi-tenant architecture and is powered by patented technologies. We architected the platform for performance and scale, and paid particular attention to maintaining user privacy. We never store content and we only write log files to disk in a location of your choice. We built the proxy-based next-gen firewall that handles all ports and all protocols. We are not just a Web proxy. It’s only one aspect of the platform.

SSMA: in a single scan we fire all of our engines.

ByteScan: we scan all inbound and outbound traffic, including native SSL inspection. Every page consists of hundreds of objects pulling from different sources, including CDNs and ad networks. All pose a threat. So we scan it all, regardless of the domain reputation.

PageRisk: here we correlate information about the Web object and page and perform dynamic scoring of the content to determine its risk level.

NanoLog: this is how we process log files, a functionality that is unique to Zscaler. It is one of the main reasons we can provide near real-time access to logs for all users in all locations within 1-2 minutes. We apply WAN op techniques and can even anonymize log files, and only those that know the user ID can associate a log file to a user.

The platform consists of a series of tightly integrated services, and we categorize them into 3 buckets. The first is Access Control: a cloud firewall that is a full next-gen firewall with a best-of-breed DPI engine; bandwidth control to prioritize business apps like Office 365 over other Internet traffic; DNS filtering, which some of our customers use for guest Wi-Fi to enforce an AUP; and of course URL filtering, which is pretty much table stakes.

For threat prevention we offer AV, DNS security, and a cloud sandbox with unique capabilities like patient zero quarantine. Appliance sandboxes are extremely expensive and most customers can’t afford to use them for all traffic. So they often deploy them in tap mode and loosely chain them together with other appliances. Sandboxing is essential to protect against zero-day threats and the only effective way to consume it is via a cloud service. What really differentiates our security is our Advanced Threat Protection, which allows us to deliver better security. Advanced Threat Protection uses the underlying technologies we described earlier to inspect all content, identify patterns in callbacks to C&Cs and phishing sites, and look for cross-site scripts and code that’s been obfuscated to avoid detection.

The third pillar is data protection. It only takes a few clicks to attach any confidential file in Gmail and send it out. By default no document saying “Acme Confidential” should be sent out over Gmail. And since we were already inspecting traffic, adding another engine was relatively straightforward. A lot of our larger customers have on-premises DLP and we complement them by adding protection to branches and mobile users. We can also tie it in with the on-premises DLP solution by sending it information for policies enforced. Other Zscaler data protection services include inline CASB functionality where we can block file types, and limit a user to only view Facebook without being able to post content or upload files.

Common Zscaler Private Access use cases

SECURE PARTNER ACCESS: Should partners/contractors be on your corporate network via VPN? Only grant partners access to a server in the data center, not the network. (dev teams, contractors)
ACCESS INTERNAL APPS LIKE SALESFORCE: You moved private apps to a modern IaaS but your access is still legacy VPN. Securely access private apps without requiring VPN or having to deploy infrastructure.
M&A AND DIVESTITURES: Do you feel comfortable connecting the two networks to access each company’s apps? Provide named users access to named apps without merging networks.
VPN REPLACEMENT: Is your VPN slow? Is it a security risk? Users get access to specific apps. They are never brought onto the network and apps are never exposed to the Internet; no hardware needed.

We are seeing adoption across 4 primary use cases, VPN replacement being the obvious one, but also securing partner access. Recall the Target breach in which the vendor had network access. Only provide access to the app they need. Another use case demonstrates the need to eliminate any networking changes required to move apps to AWS. Here, one customer was using outsourced developers and didn’t want to bring them onto the network. And not quite as prominent, but companies going through an M&A or divestiture see Zscaler Private Access as a fast and secure way of providing access without merging the infrastructure.

How secure are you? Run a quick and safe security test to find out: securitypreview.zscaler.com