Zero Trust “Lite” Architecture to Securely Future-Proof your Network

Author: Polly Houston

1 Zero Trust “Lite” Architecture to Securely Future-Proof your Network
  Jeremy Dorrough – RVASEC 2017
  Chris, Jake and Karen

2 Disclaimer
  Opinions expressed in this presentation are my own. I am speaking for myself, not Optiv, nor anyone else.

3 About Me
  10+ years in IT Security industry
  Worked in defense, utility & financial sectors
  Presented at Defcon, UNC, JMU, RISE, FBI Infragard
  CISSP, GIAC GPPA, CCSK, CISM, CEH, PCNSE
  Currently a Client Solutions Architect at OPTIV

4 Agenda
  3-Tier Architecture
  History of Zero Trust
  Definition of Zero Trust and key terms
  Current events related to Zero Trust
  Challenges I’ve experienced with Zero Trust
  My suggestions to successfully embrace Zero Trust

5 3-Tier Architecture


8 3-Tier Architecture
  PCI, HIPAA, PII, PHI, FISMA, Company Competitive Data

9 Challenges
  Limited visibility once traffic is Trusted
  Lack of enforcement options in Trusted zones
  Typically relied on layer-4 enforcement
  Application designs increasingly diverge from 3-tier topology
  Cloud offerings move critical data to offsite locations, making perimeter protections useless
  BYOD increases risk of introducing threats inside Trusted zones
  External connections are difficult to control once given access to any internal Trusted resource

10 What is Zero Trust?
  VP, Principal Analyst, Forrester Research

11 “No More Chewy Centers: Introducing The Zero Trust Model Of Information Security”, September 14, 2010
  Philip Cummings, stole credit reports: Equifax, Transunion, Experian

12 Breaches since 2010… (Databreaches.net)
  Playstation – 77 million (LulzSec)
  Home Depot – 56 million
  Target – 70 million
  Yahoo – million
  Ebay – 145 million
  LinkedIn – 117 million
  DropBox – 68 million
  Adobe – 36 million
  UPS – 4 million
  Living Social – 50 million
  JP Morgan – 76 million
  Tumblr – 65 million

13 Zero Trust Fundamentals
  Untrusted

14 Zero Trust Fundamentals
  All resources are accessed in a secure manner regardless of location.
  Access control is on a “need-to-know” basis and is strictly enforced.
  Verify and never trust.
  Inspect and log all traffic.
  The network is designed from the inside out.

15 Zero Trust Terminology
  Segmentation Gateway (SG) – High-speed security device providing Firewall, IPS, WAF, NAC, VPN and Encryption services
  Microcore and Perimeter (MCAP) – Physically segmented by SG interface; a zone that shares similar functionality and global policy attributes
  Data Acquisition Network (DAN) – Facilitates the extraction of network data (typically packets, syslog, or SNMP messages) to a central inspection point
  MGMT Server – Backplane that acts as a jump host in a separate MCAP for management of devices

16 Segmentation Gateway (SG)
  Next Generation Firewall
  Spec’d to handle very high throughput
  Virtual offering to support cloud and fabric environments
  Needs to integrate with user identity strategy
  Automated rule base support
  Compatible with DAN

17 Microcore and Microperimeters (MCAP)
  Every interface connected to SG creates a protected L2 switching zone
  Members of an MCAP should share similar functionality and global policy attributes
  Can be more specific than a traditional DMZ

18 Data Acquisition Network (DAN)
  Confined network dedicated to log analysis
  All traffic to and from each SG interface logged
  Security Information and Event Management (SIEM)
  Network Analysis and Visibility (NAV)
  Enables quicker TTR and event discovery

19 Network Design
  WLAN MCAP, WWW MCAP, Users MCAP, Application MCAP, 3rd Party MCAP, MGMT MCAP, DAN MCAP, Database MCAP

20 …Recommendation 2 – Reprioritize Federal Information Security Efforts Towards a Zero Trust Model…
  13 recommendations; 2nd only to “Ensure Agency CIOs are Empowered, Accountable, and Competent”
  “OMB should provide guidance to agencies to promote a zero trust IT security model. The OPM data breaches discovered in 2014 and 2015 illustrate the challenge of securing large, and therefore high-value, data repositories when defenses are geared toward perimeter defenses. In both cases the attackers compromised user credentials to gain initial network access, utilized tactics to elevate their privileges, and once inside the perimeter, were able to move throughout OPM’s network, and ultimately accessed the “crown jewel” data held by OPM. The agency was unable to visualize and log network traffic, which led to gaps in knowledge regarding how much data was actually exfiltrated by attackers. To combat the advanced persistent threats seeking to compromise or exploit federal government IT networks, agencies should move towards a “zero trust” model of information security and IT architecture.”

21 https://cloud.google.com/beyondcorp/

22 Limits I find within Zero Trust
  Costly in time and money to redesign large enterprise network
  Virtualization segmentation adds complexity
  Organizations may not be equipped to make use of additional logging data
  Network infrastructure may not support throughput/connectivity to route all traffic to Security Gateway
  Possibly limits productivity if user experience is degraded

23 My Suggestions when Rolling out Zero Trust
  Classify data based on business criticality
  Identify data flows
  Prepare log analytic tools for total network visibility
  All access mediums must support user identification
  Deploy SG with critical MCAPs first
  Any new systems should be deployed in an MCAP

24 Classify Data
  Forrester suggests using an “Unclassified, Toxic, Radioactive” scale
  Align data classification with business impact
  Difficult but imperative step, and often skipped
  Tools are available to help locate data based on pattern match
  Ongoing process, as new data will continue to be created
  Internal training should align to data classification strategies
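The pattern-match locating step above, shown as an added example rather than a tool from the talk: regex detectors find card numbers (confirmed with a Luhn check so random 16-digit strings are not flagged), SSN-shaped values and e-mail addresses, and each record is mapped to the highest-impact class on the Unclassified / Toxic / Radioactive scale. The patterns, the scale mapping and the sample records are constructed assumptions.

```python
"""Locate regulated data by pattern match and map it to Forrester's
Unclassified / Toxic / Radioactive scale. Added illustration; detectors,
scale mapping and sample records are constructed assumptions."""
import re

# Pattern detectors. Card numbers are confirmed with a Luhn check so that
# arbitrary 16-digit strings (order numbers etc.) are not flagged as PCI data.
PATTERNS = {
    "pan": re.compile(r"\b(?:\d[ -]?){13,18}\d\b"),
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
}
# Constructed mapping of located data types onto the three-tier scale.
SCALE = {"pan": "Radioactive", "ssn": "Radioactive", "email": "Toxic"}
RANK = {"Unclassified": 0, "Toxic": 1, "Radioactive": 2}

def luhn_ok(digits):
    """Standard Luhn checksum over a string of decimal digits."""
    total, parity = 0, len(digits) % 2
    for i, ch in enumerate(digits):
        d = int(ch)
        if i % 2 == parity:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def find_matches(text):
    """Return the set of data types located in one record."""
    found = set()
    for kind, rx in PATTERNS.items():
        for m in rx.finditer(text):
            if kind == "pan" and not luhn_ok(re.sub(r"\D", "", m.group())):
                continue             # digit run that is not a valid card number
            found.add(kind)
    return found

def classify(text):
    """Highest-impact class present, or Unclassified when nothing matches."""
    best = "Unclassified"
    for kind in find_matches(text):
        if RANK[SCALE[kind]] > RANK[best]:
            best = SCALE[kind]
    return best

# Constructed sample records, one data type each.
SAMPLE = [
    "cardholder 4111 1111 1111 1111 exp 12/25",   # Radioactive (valid Luhn)
    "ssn 123-45-6789 on file",                     # Radioactive
    "contact alice@example.com for renewal",       # Toxic
    "order 1234567890123456 shipped",              # Unclassified (fails Luhn)
    "quarterly newsletter draft",                  # Unclassified
]
```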

25 Identify data flows
  Map data lifecycle of critical data
  Identify all points of possible compromise
  This exercise creates blueprints for MCAP segmentation

26 Prepare DAN toolsets
  Forecast throughput and flow metrics
  Factor in future growth expectations
  Develop configuration strategy to obtain all relevant logging
  Upgrade or acquire tools as necessary

27 Implement Holistic User Identification
  Assign username to every packet that is generated by end user
  Choose tools that integrate
  Imperative for automated security policy
  Agent, Cert, Captive Portal, AD Logs, Exchange Logs, Syslog, etc.

28 Deploy SG in phased approach
  Place SG in nucleus of network
  Prioritize segmentation based on business criticality
  User MCAP will likely be most challenging
  Utilize sample user groups
  Minimize downtime by leveraging DAN output
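How the MCAP design (slide 19), the identity-bound policy (slide 27) and the DAN logging (slide 18) fit together, as an added model that is not code from the talk: every MCAP is one SG interface zone, the SG enforces a need-to-know allow-list keyed on source MCAP, destination MCAP, port and user group, denies everything else, and emits a log line for the DAN on every decision. The address plan, allow-list, user groups and sample flows are constructed assumptions.

```python
"""Model of Segmentation Gateway policy between MCAPs with user identity.
Added illustration, not the talk's code; addresses, rules and flows are
constructed assumptions. MCAP names follow the Network Design slide."""
from dataclasses import dataclass
import ipaddress
import json

# Constructed address plan: every MCAP is one SG interface zone.
MCAPS = {
    "Users": "10.10.0.0/16", "WLAN": "10.20.0.0/16", "WWW": "10.30.0.0/24",
    "Application": "10.40.0.0/24", "Database": "10.50.0.0/24",
    "3rdParty": "10.60.0.0/24", "MGMT": "10.70.0.0/24", "DAN": "10.80.0.0/24",
}
# Need-to-know allow-list: (src MCAP, dst MCAP, dst port, required group or None).
# Anything not listed is denied: the SG is default-deny between zones.
ALLOW = [
    ("Users", "Application", 443, "staff"),
    ("WLAN", "WWW", 443, None),
    ("WWW", "Application", 8443, None),
    ("Application", "Database", 5432, None),
    ("MGMT", "Database", 22, "admins"),   # admin access only via the MGMT jump host
    ("MGMT", "Application", 22, "admins"),
]
for zone in MCAPS:                         # every other MCAP ships syslog to the DAN
    if zone != "DAN":
        ALLOW.append((zone, "DAN", 514, None))

@dataclass
class Flow:
    src_ip: str
    dst_ip: str
    dport: int
    user: str = ""          # identity bound to the packet (agent, portal, AD logs)
    groups: tuple = ()      # empty when the user could not be identified

def mcap_of(ip):
    """Map an address to its MCAP, or None if it is outside every zone."""
    addr = ipaddress.ip_address(ip)
    return next((n for n, c in MCAPS.items() if addr in ipaddress.ip_network(c)), None)

def decide(flow):
    """Return (verdict, DAN log line); unidentified users never match a group rule."""
    src, dst = mcap_of(flow.src_ip), mcap_of(flow.dst_ip)
    verdict, rule = "deny", None
    for r in ALLOW:
        if (src, dst, flow.dport) == r[:3] and (r[3] is None or r[3] in flow.groups):
            verdict, rule = "allow", r
            break
    log = json.dumps({"src": src, "dst": dst, "dport": flow.dport,
                      "user": flow.user, "verdict": verdict, "rule": rule})
    return verdict, log
```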

29 Continually Reassess MCAP Business Alignment
  Policies and Procedures should reinforce Zero Trust strategy
  Recurring review of data delineation
  All new business functions should undergo review process BEFORE adoption
  Future compliance requirements become much easier once Zero Trust model is deployed

30 Final Thoughts
  Trust will be exploited, therefore “Untrust and Verify”
  No Silver Bullet
  Zero Trust is a theoretical end state
  End results should yield higher security posture with less operational overhead

31 ?
