Strategies for the Eroding Network Perimeter: Defend the Perimeter or Retreat to Higher Ground

Kenneth Haertling
VP & Chief Security Officer TELUS Corporation
Session ID: TECH-402 Session Classification: Intermediate

IP-based firewalls were sufficient limited holes punched in firewall employees worked autonomously within physical enterprise environment today. IP-based firewalls are no longer sufficient ƒ ƒ ƒ ƒ numerous holes in firewall shift in employee work styles with “mobile workers” ƒ ƒ network perimeter is eroding at a rapid pace ƒ ƒ employee network is no longer trusted employee space is little more than a DMZ offshore contractors remote employees mobile  devices ƒ presentation objectives ƒ ƒ ƒ possible solutions to address lessons learned key takeaways 2 .Introduction ƒ fundamental shift over last decade in perimeter traffic ƒ ten years ago.

insider trading info bid/procurement selection data customer privacy service assurance/product integrity intellectual  property ƒ cost of impact ƒ ƒ ƒ financial brand/reputation sustained competitive advantage financial  results data competitive strategy ƒ tension between prevention vs.Threat landscape ƒ areas of impact (due to porous network perimeter) ƒ ƒ ƒ ƒ ƒ ƒ intellectual property competitive strategy financial results. cost ƒ risk management focus ƒ ƒ ƒ prevent mitigate accept customer privacy 3 .

Outsourcing/Offshoring ƒ offshoring is a key portion of business at TELUS enterprise past 94% ƒ impact to network perimeter ƒ ƒ ƒ offshore requires access to data to function offshore requires tools to be productive present 51% offshore contractors offshore employees offsite contractors results in more holes punched in already porous perimeter ƒ challenging to secure data ƒ sensitive data shifting outside enterprise control ƒ customer phone numbers ƒ credit card numbers data exposed both local and offshore ƒ 4 .

Mobile Employees ƒ objective to have employees work from wherever whenever TELUS Employees office mobile home Past 95% 5% 0% Present 60% 30% 10% Future 30% 40% 30% ƒ key drivers ƒ ƒ ƒ corporate real estate cost high salaries for urban areas attracting new young talent ƒ impact to network perimeter ƒ ƒ ƒ employees require access to data to function employees require tools to be productive results in more holes punched in already porous perimeter 5 .

public WiFi.Mobile Devices ƒ industry mobile trends ƒ ƒ ƒ shift from purpose-built enterprise devices (Blackberry) to consumer built devices (Android. home WiFi. corporate WiFi and telco network for all purposes a laptop requiring full remote access 6 . Apple) difficult to prevent employees from bringing devices from home effective mobile device management is difficult ƒ TELUS implementation of BYOS (Smartphone) ƒ ƒ ƒ wireless carriers must be progressive in adoption of technology joint use work and personal device intermixing personal and private data arming employee base with devices to pull our data TELUS Role back office sales Subsidy $350 $850 Refresh 2 yrs 1 yrs Monthly $ $15 $15 ƒ Tablet evolution ƒ ƒ ƒ ƒ deeper level of file manipulation (building/editing docs) access to enterprise applications/SaaS hop between home DSL. corporate network.

 document sharing. virtualization outsourcing.Tsunami of Ingress/Egress traffic ƒ information overload: trends at TELUS Item ingress/egress points data passing through  perimeter security inspection  points Increase 20x 100x 5x Drivers web portals. mobile device data.  VPN tunnels. content filtering. mobile devices firewalls. IDS/IPS. DLP ƒ security inspection tool evolution ƒ ƒ ƒ honeymoon climbing the mountain reach exhaustion and give up ƒ impossible task of synthesizing tsunami of data ƒ how to tune security devices to clearly call out actionable security response ƒ proliferation of encryption blinding security inspection 7 . work from home.

Eroding Network Perimeter Past enterprise  Present offshore/outsourcing mobile employees network  segmentation perimeter hardening mobile devices cloud computing internet virtualization ingress/egress data  management offshore contractors remote  employees mobile  devices Exponential data growth 8 .

etc) challenging to protect data at rest on less than trusted networks ƒ new surgical approach ƒ proactive posture ƒ data awareness (understand threat.Understand Your Data ƒ understand problem space ƒ ƒ ƒ most security solutions are poor proxies for data security understand your data. people) ƒ data classification (understand vital data) surgical application of data security controls is key recognize key projects. users. data. and behaviour 10% of users leverage 80% of companies highly sensitive data PCI analogy ƒ failed when tried to include  entire enterprise network in  scope ƒ failed when tried to make  extensive use of encryption ƒ succeeded in surgical focus on  credit card data and use of   tokenization ƒ original approach ƒ ƒ ƒ secure all data everywhere (reactive) variety of technical solutions (encryption. initiatives with robust security consider specific solutions ƒ ƒ ƒ encryption tokenization obfuscation ƒ ƒ ƒ secure data tokenization tokenization 9 . data erasure/destruction.

data centres. international/subsidiaries flat enterprise network ‐ onshore employees ‐ offshore employees ‐ data centre onshore  data centre layered defence segment data centres onshore employee network offshore employee network segment international operations internet harden perimeter(s) internet 10 .Network Segmentation ƒ typical enterprise networks today are flat ƒ ƒ no segmentation between data centre and employee environments most enterprises are hard on the exterior. squishy in the middle Consider the following… 70% of enterprises have a flat  network and do not segment  employees from data centres 22% of hacks come from insiders IT adoption ƒ can no longer trust internal employee network ƒ ƒ ensure segmentation in right areas with DMZ approach employees.

harden traditional perimeter ƒ ƒ ƒ ƒ extremely difficult and expensive to do well default approach – assess from risk perspective appropriate for high value enterprise environment (ie. Nuclear power plant) may be fighting a losing battle ƒ harvest perimeter ƒ ƒ ƒ consider risk appetite cost constraints finite dollars protecting most critical infrastructure 11 . crunchy exterior soft.Perimeter Hardening (Where) ƒ traditional perimeter/approaches Percentage of companies leveraging: IP‐based firewalls intrusion prevention content filtering data loss prevention application‐based firewalls 99% 65% 30% 15% 10% hard. DoD. gooey centre  ƒ double down.

Perimeter Hardening (How) ƒ data centre perimeter ƒ optimal point for robust data security controls ƒ need to move up the stack ƒ ƒ right layer of inspection (layer 3 vs. layer 7) true data inspection ƒ technology ƒ ƒ ƒ ƒ ƒ ƒ ƒ IP-based firewalls application based firewalls IDS/IPS content filtering data loss prevention DDoS prevention SIEM application presentation session transport network data link physical offshore contractors remote  employees mobile  devices ƒ advantages of higher layer defences ƒ ƒ ƒ ƒ fine-grained policy management application visibility and application control. anomaly detection control over users and data content fused intelligence and policy 12 .

000 32. offshore key control for asset and data security TELUS virtualized desktops supported employees/ contractors total employees/ contractors 2009 500  1000 35.000 2011 8.000 40. virtualization was thought to be the solution virtualization is effective for only 85% of the job functions and required applications 13 .000 ƒ merits of virtualization ƒ protect the data ƒ data never at rest outside the data centre ƒ provide views into data protecting identity/credentials is vital ƒ ƒ ƒ assume being key-logged authenticate by clicking on-screen keyboard ƒ lessons learned ƒ ƒ in 2010.000 45.Virtualization of Desktops ƒ popularity of desktop virtualization ƒ ƒ ƒ 62% of companies use virtualization enabler for at home.000 2013 16.000 16.

Managing Ingress/Egress Traffic ƒ key themes ƒ ƒ ƒ reduce total volume of data only inspect high risk data ensure data not encrypted at inspection points Item data passing  through perimeter ingress/egress points security inspection  points Decrease 1/10 1/5 1/2 ƒ analogy of department store ƒ ƒ review every customer through front door (employee enterprise network) only inspect customers in electronics & jewellery counters (data centre) ƒ risk acceptance and prioritization ƒ ƒ DMZ view of employee enterprise network protect the crown jewels of the data centre ƒ surgical application of operations resources ƒ ƒ focus on data centre traffic feedback loop: detect ► respond ► tuning ► repeat 14 .

Lessons Learned ƒ surgically apply security controls ƒ ƒ understand your data. and behaviour 10% of users control 80% of critical data ƒ ƒ partner with business on offshoring enable employees to bring their own devices ƒ wireless ambassadors ƒ ƒ device management is a poor proxy for data security virtualization is not the magic bullet that solves everything ƒ virtualization works 85% of the time ƒ overload of security event data which is largely unactionable 15 . users.

Takeaways .Apply Short term: (30 days) ƒ ƒ traditional network perimeter becoming less effective ƒ ƒ don’t trust your enterprise network and view it as a DMZ don’t manage devices. manage the data security embrace new technology Medium term: (60-90 days) ƒ ƒ virtualization ƒ ƒ ƒ ensure data is never at rest outside the data centre focus hardening on data centre focus at appropriate layer of OSI model offshore contractors remote employees mobile devices surgical application of controls Long term: (90-180 days) ƒ ƒ layered defence ƒ ƒ segment your data centres deploy SIEM and robust security controls at data centre perimeter know and manage your data 16 .

utoronto.com Links 2011 Rotman-TELUS Security Study http://www.rotman.haertling@telus.ca/securitystudy/ 17 .Questions? Contact information Kenneth Haertling VP & Chief Security Officer TELUS Corporation kenneth.

18 .

Sign up to vote on this title
UsefulNot useful