
Page 1: Managing Security in the Age of DevOps

Managing Security in the Age of DevOps

Taiwan InfoSec Conference 2016

Andy Leung

Security Architect, Centre of Excellence

[email protected]

Page 2

Agenda

DevOps Framework

Traditional Security Framework

Security Trends and Challenges

SDSN: Software-Defined Secure Network (software-defined network security architecture)

Juniper's SDSN Building Blocks (how the security tools combine and fit together)

Tightly coupled development and operations teams

Page 3

The DevOps Framework

Page 4

DevOps success case studies

Large enterprises such as Amazon, Facebook, Netflix and Sony Pictures all report efficiency gains and successes after building a DevOps culture.

Page 5

Breaking down the walls

Page 6

What is DevOps?

Source: http://techtalk.e-conomic.com/devops-from-developing-to-delivery/

• A software or systems development methodology

• Stresses communication, collaboration and integration between developers, implementers and operators

• Encourages rapid development and automation

• Minimizes the detrimental effects of change through automation and orchestration

• A change in mindset as much as in methods

Page 7

DevOps Cycle vs Security Cycle: Teaming Up to Revolutionize Service Delivery

• Changes (software) functionality frequently to move improvements into production quickly

• Iterative and repetitive; requires frequent changes but still allows high availability

• Minimizes the detrimental effects of change through automation and orchestration

Development cycle

Operations cycle

Page 8

Traditional Security Framework

Source: NIST Cyber Security Framework http://www.nist.gov/cyberframework/

Identify

Protect

Detect

Respond

(The NIST framework also defines a fifth function, Recover; the deck maps its slides onto the first four.)

Page 9

Security Challenges for Cloud Services: a multi-vendor cloud network makes threat detection harder

[Diagram: Network Director managing a leaf/spine fabric; bare-metal servers and hypervisor hosts running many VMs behind vRouters; DLE, CA and NDA components spread across the layers]

Challenges

• Delivering end-to-end network performance and application security

• Multiple physical and virtual layers to deploy across

• Co-ordination is needed between teams for better application security and user experience

IDENTIFY

Page 10

Today's Enterprise: Perimeter security model

Most network security strategies focus on security at the perimeter only, outside in. Is securing the perimeter really enough?

Trust model: trust what's inside the network

Visibility relies mostly on perimeter firewalls

Evolving threats require adaptability

Security is layered on top of the network as separate functions: inline anti-malware, inline intrusion prevention, unified threat management, application security, data loss prevention

PROTECT

Page 11

Everything on Your Network is a Potential Threat

Normal and Abnormal Behavior

Normal operation: call-home beacons, energy utilization

Is this normal? How do you mitigate the risk?

Aberrant behavior: bursting traffic, an abnormally high data download rate

DETECT
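The distinction this slide draws, a regular call-home beacon versus bursty traffic and an abnormally high download volume, is easy to turn into detection logic. The following is an added example, not code from the deck or from Juniper: a per-host median/MAD baseline flags download outliers, and the coefficient of variation of inter-arrival times tells a fixed-interval beacon apart from irregular bursts. The flow records, host addresses and thresholds are constructed for illustration.

```python
import statistics
from collections import defaultdict

# Constructed flow records: (source host, timestamp in seconds, bytes received).
# Illustrative data for this example, not telemetry from the deck.
FLOWS = [
    # 10.0.0.5: a call-home beacon every 300 s with a small payload (normal)
    ("10.0.0.5", 0, 1_200), ("10.0.0.5", 300, 1_150), ("10.0.0.5", 600, 1_210),
    ("10.0.0.5", 900, 1_190), ("10.0.0.5", 1200, 1_230),
    # 10.0.0.9: ordinary user traffic, then one abnormally large download
    ("10.0.0.9", 10, 40_000), ("10.0.0.9", 95, 52_000), ("10.0.0.9", 400, 38_000),
    ("10.0.0.9", 700, 45_000), ("10.0.0.9", 1100, 900_000_000),
]


def _by_host(flows):
    """Group records per host, sorted by time."""
    grouped = defaultdict(list)
    for host, ts, nbytes in flows:
        grouped[host].append((ts, nbytes))
    for recs in grouped.values():
        recs.sort()
    return grouped


def download_outliers(flows, k=5.0):
    """Flag flows whose size deviates from the host's own baseline.

    Median and MAD (median absolute deviation) are used instead of mean and
    standard deviation so that one huge download cannot inflate the baseline
    and hide itself. Hosts with fewer than three records have no baseline yet.
    """
    flagged = []
    for host, recs in _by_host(flows).items():
        sizes = [b for _, b in recs]
        if len(sizes) < 3:
            continue
        med = statistics.median(sizes)
        mad = statistics.median([abs(b - med) for b in sizes]) or 1.0
        flagged.extend((host, ts, b) for ts, b in recs if abs(b - med) > k * mad)
    return flagged


def beacon_regularity(flows):
    """Coefficient of variation of inter-arrival gaps per host.

    A value near 0 means fixed-interval traffic (a scheduled call-home beacon);
    a large value means irregular, bursty traffic.
    """
    scores = {}
    for host, recs in _by_host(flows).items():
        times = [t for t, _ in recs]
        gaps = [later - earlier for earlier, later in zip(times, times[1:])]
        if len(gaps) < 2:
            continue
        mean = statistics.mean(gaps)
        scores[host] = statistics.pstdev(gaps) / mean if mean else float("inf")
    return scores


def classify(flows, cv_threshold=0.1):
    """Per-host verdict combining the timing and volume checks."""
    outliers = download_outliers(flows)
    return {
        host: {
            "periodic_beacon": cv <= cv_threshold,
            "abnormal_downloads": [(ts, b) for h, ts, b in outliers if h == host],
        }
        for host, cv in beacon_regularity(flows).items()
    }


if __name__ == "__main__":
    for host, verdict in classify(FLOWS).items():
        print(host, verdict)
```

Note that a very regular beacon is exactly what both a legitimate agent and malware command-and-control produce, so the periodicity score is a triage signal to combine with destination reputation (the threat-intelligence feeds discussed later in the deck), not a verdict on its own.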

Page 12

Data Breach Trends

Source: Verizon 2015 Data Breach Investigations Report

RESPOND

Page 13

Challenges to the Security Sector

"Security platforms are a good first step but we need more, we need a holistic security ecosystem. My challenge to the security industry."

Hug Tatton-Brown, General Manager, Security Portfolio, BT

Why does the security sector need collaboration to stay ahead?

Page 14

SDSN: Software-Defined Secure Network (software-defined network security architecture)

Page 15

Stop talking about Network Security. Start talking about Secure Networks.

A Change in Mindset

Realize threats are everywhere. They are already inside. They walked in your front door.

Recognize perimeter security isn't enough.

Detection and enforcement should be enabled anywhere.

Acknowledge security is everyone's problem, horizontally and vertically.

Page 16

Definition

SDSN

1. Software-Defined Secure Networks

2. A new security solution that lets you operate the entire network as a single enforcement domain, where every element is a policy enforcement point.

Page 17

The Software Defined Secure Network

Create and centrally manage intent-based policy directly aligned to business objectives

Gather and distribute threat intelligence from multiple sources: know who the bad guys are faster

Leverage cloud economics for real-time analysis: find the bad guys faster

Enforce policy based on threat-feed information, in real time across the network: adapt the network in real time

Operate the network as a single enforcement domain; every element becomes a policy enforcement point

Detection

Policy

Enforcement

Page 18

Software Defined Secure Network: Policy, Detection and Enforcement

Leverage the entire network and ecosystem for threat intelligence and detection

Utilize any point of the network as a point of enforcement

Dynamically execute policy across all network elements, including third-party devices

[Diagram: "Your Enterprise Network" with Threat Intelligence, Detection and Enforcement points at several places in the network, feeding a cloud-based Threat Defense and a Dynamic and Adaptive Policy Engine (Policy); a bottoms-up and top-down approach]
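Slides 17 and 18 describe the loop: take threat-feed indicators, turn them into policy, and push that policy to every enforcement point, Juniper or third-party. The block below is an added example of that policy-engine step, not Juniper's SDSN code or the real Spotlight Secure or Sky ATP feed format. The feed layout (indicator, confidence, expires), the confidence threshold, the element names and the choice to render Junos firewall-filter `set` commands for a Juniper element and iptables rules for a Linux host are all assumptions of this example.

```python
import ipaddress
import json
from datetime import datetime, timezone

# Constructed threat feed for this example. The field names are assumed; a
# real feed would have its own schema. One entry is low confidence, one is
# expired and one is malformed, to show that the engine drops rather than
# blindly enforces them.
FEED_JSON = """
[
  {"indicator": "198.51.100.23", "confidence": 90, "expires": "2099-01-01T00:00:00Z"},
  {"indicator": "203.0.113.0/24", "confidence": 75, "expires": "2099-01-01T00:00:00Z"},
  {"indicator": "192.0.2.77",     "confidence": 40, "expires": "2099-01-01T00:00:00Z"},
  {"indicator": "198.51.100.99",  "confidence": 95, "expires": "2000-01-01T00:00:00Z"},
  {"indicator": "not-an-address", "confidence": 99, "expires": "2099-01-01T00:00:00Z"}
]
"""


def load_indicators(feed_json, min_confidence=70, now=None):
    """Parse the feed and keep only well-formed, unexpired, high-confidence
    network indicators.

    Malformed entries are skipped individually so one bad line in a feed
    cannot abort the whole policy push, and expired indicators are aged out
    so the block list shrinks as well as grows.
    """
    now = now or datetime.now(timezone.utc)
    keep = []
    for entry in json.loads(feed_json):
        try:
            net = ipaddress.ip_network(entry["indicator"], strict=False)
            expires = datetime.fromisoformat(entry["expires"].replace("Z", "+00:00"))
            confidence = int(entry["confidence"])
        except (KeyError, ValueError, TypeError):
            continue
        if confidence < min_confidence or expires <= now:
            continue
        keep.append(net)
    return sorted(set(keep), key=lambda n: (n.version, int(n.network_address)))


def render_junos(nets, filter_name="SDSN-BLOCK"):
    """Junos firewall-filter 'set' commands for a Juniper element.
    The filter and term names are this example's choices."""
    cmds = []
    for i, net in enumerate(nets, 1):
        term = f"{filter_name} term block-{i}"
        cmds.append(f"set firewall family inet filter {term} from source-address {net}")
        cmds.append(f"set firewall family inet filter {term} then discard")
    # Explicit final accept so the filter only drops what the feed names.
    cmds.append(f"set firewall family inet filter {filter_name} term allow-rest then accept")
    return cmds


def render_iptables(nets, chain="SDSN_BLOCK"):
    """iptables rules for a third-party Linux enforcement point (assumed)."""
    cmds = [f"iptables -N {chain}", f"iptables -F {chain}"]
    cmds += [f"iptables -A {chain} -s {net} -j DROP" for net in nets]
    cmds.append(f"iptables -A {chain} -j RETURN")
    return cmds


# Hypothetical enforcement points and the renderer each one speaks.
ENFORCEMENT_POINTS = {"srx-edge": render_junos, "linux-bastion": render_iptables}


def build_policy(feed_json, points=ENFORCEMENT_POINTS, now=None):
    """One indicator set, rendered once per enforcement point."""
    nets = load_indicators(feed_json, now=now)
    return {name: render(nets) for name, render in points.items()}


if __name__ == "__main__":
    for point, cmds in build_policy(FEED_JSON).items():
        print(f"# {point}")
        print("\n".join(cmds))
```

Keeping the indicator selection separate from the per-element rendering is what lets the same feed drive Juniper and third-party devices alike; the transport that delivers the rendered commands (NETCONF, a REST API, SSH) is a separate concern from the policy decision.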

Page 19

SOFTWARE DEFINED SECURE NETWORK

BUILDING BLOCKS

(how the security tools combine and fit together)

Page 20

Where to Start: Modernize Your Perimeter

Upgrade your perimeter to make it adaptable

Next Generation Firewall is Current Generation Firewall: simplify and remove niche security appliances

Utilize cloud economics for instant intelligence that leads to more effective detection

[Diagram: Your Enterprise Network protected by SRX Series physical firewalls and vSRX virtual firewalls, fed by Juniper Cloud Security: Sky Advanced Threat Prevention and Spotlight Secure threat intelligence]

Page 21

Converse With Your Network: Deploy a Policy Engine that Communicates with Your Network

Analytics capability based on network data

Customizable UI provides data correlation

Utilize all network elements as detection and enforcement points

Future: an intent-based policy engine that communicates across any network element

[Diagram: Juniper Cloud Security (Sky Advanced Threat Prevention, Spotlight Secure threat intelligence) feeding Security Director (management/UI: policy, app visibility, threat map, events) and a Security Policy Controller that drives both Juniper and third-party network elements in Your Enterprise Network]

Page 22

Automation Framework

[Diagram: a Policy Engine talks to Security, Devices and Partners through standardized interfaces (NETCONF, YANG, RESTful, Thrift); each element is split into a control plane and a data plane; the whole is labelled the Open Convergence Framework (OCF)]

Page 23

Automation and Orchestration

Page 24

Network Testing Automation

The jsnap test definition (ABCsnapshot.conf) runs one command and asserts on every iterated element:

    ospf-int-checks {
        command show ospf interface;
        iterate ospf-interface {
            is-gt neighbor-count, 0 {
                info "OSPF interfaces must have at least 1 neighbor";
                err "OSPF interface %s does not have any neighbors", interface-name;
            }
        }
    }

"BEFORE" SNAPSHOT

    bsmith@server$ jsnap --snap preupgrade -l bsmith -t ABC ABCsnapshot.conf
    bsmith password:
    Connecting to bsmith@ABC ... CONNECTED.
    EXEC: 'show ospf interface' ...
    SAVE: 'ABC__ospf-int-checks__preupgrade.xml' ...

"AFTER" SNAPSHOT

The post-change snapshot is taken the same way with --snap postupgrade once the upgrade is done.

"COMPARE" SNAPSHOTS

    bsmith@server$ jsnap --check preupgrade,postupgrade -t ABC ABCsnapshot.conf
    ---------------------------------------------------------------
    CHECKING SECTION: ospf-int-checks
    ---------------------------------------------------------------
    + TEST PASSED: OSPF interfaces must have at least 1 neighbor
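To show what the snapshot-and-compare step actually does, here is an added example in Python that is not part of the deck and not jsnap itself: it indexes each iterated element by a key, applies a threshold test like the slide's is-gt, and a pre/post no-change test in the style of jsnap's no-diff. The two snapshots are constructed strings whose element names follow the shape of Junos "show ospf interface" XML output; the interface names and values are made up, and the post snapshot deliberately contains a failure so the report path is exercised.

```python
import xml.etree.ElementTree as ET

# Constructed snapshots in the shape of "show ospf interface | display xml".
# Element names mirror Junos output; the values are invented for this example.
PRE_XML = """<ospf-interface-information>
  <ospf-interface><interface-name>ge-0/0/0.0</interface-name>
    <ospf-interface-state>DR</ospf-interface-state><ospf-area>0.0.0.0</ospf-area>
    <neighbor-count>1</neighbor-count></ospf-interface>
  <ospf-interface><interface-name>ge-0/0/1.0</interface-name>
    <ospf-interface-state>BDR</ospf-interface-state><ospf-area>0.0.0.0</ospf-area>
    <neighbor-count>2</neighbor-count></ospf-interface>
</ospf-interface-information>"""

POST_XML = """<ospf-interface-information>
  <ospf-interface><interface-name>ge-0/0/0.0</interface-name>
    <ospf-interface-state>DR</ospf-interface-state><ospf-area>0.0.0.0</ospf-area>
    <neighbor-count>1</neighbor-count></ospf-interface>
  <ospf-interface><interface-name>ge-0/0/1.0</interface-name>
    <ospf-interface-state>Down</ospf-interface-state><ospf-area>0.0.0.0</ospf-area>
    <neighbor-count>0</neighbor-count></ospf-interface>
</ospf-interface-information>"""


def snapshot(xml_text, node="ospf-interface", key="interface-name"):
    """Index every iterated node by its key field (jsnap's 'iterate ... id')."""
    root = ET.fromstring(xml_text)
    indexed = {}
    for el in root.iter(node):
        fields = {child.tag: (child.text or "").strip() for child in el}
        indexed[fields[key]] = fields
    return indexed


def is_gt(snap, field, value):
    """Threshold test over one snapshot, like jsnap 'is-gt field, value'.
    Returns one error string per element that fails; empty list means pass."""
    return [f"{k}: {field} {v[field]} is not > {value}"
            for k, v in snap.items() if int(v[field]) <= value]


def no_diff(pre, post, field):
    """Pre/post comparison: the field must not change, and every element seen
    before the change must still be present after it."""
    errs = []
    for k, v in pre.items():
        if k not in post:
            errs.append(f"{k}: missing after change")
        elif v[field] != post[k][field]:
            errs.append(f"{k}: {field} changed {v[field]} -> {post[k][field]}")
    return errs


def run_checks(pre_xml, post_xml):
    """Run the section's tests; each entry maps a test name to its errors."""
    pre, post = snapshot(pre_xml), snapshot(post_xml)
    return {
        "ospf-int-checks/post neighbor-count > 0": is_gt(post, "neighbor-count", 0),
        "ospf-int-checks/no-diff ospf-interface-state": no_diff(pre, post, "ospf-interface-state"),
    }


if __name__ == "__main__":
    for name, errs in run_checks(PRE_XML, POST_XML).items():
        print(("- TEST FAILED: " if errs else "+ TEST PASSED: ") + name)
        for e in errs:
            print("     ", e)
```

The same pattern applies directly to security state: snapshot "show security policies" or "show security zones" before and after a change, and a no-change test catches a policy or zone binding that an automated push silently dropped, which is the point of pairing snapshot testing with DevOps-speed change.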

Page 25

Juniper's Security Vision: From Network Security to Secure Networks

Only one in the industry with building blocks for tomorrow's Software Defined Secure Network

Simplified policy and management across all network elements

An adaptable security solution based on real-time threat intelligence

Cost-effective detection and enforcement that uses the entire network to protect you

The Juniper Software Defined Secure Network dynamically adapts to the changing threat landscape, so you don't have to!

Page 26

Thank You