
GuidePoint Security Overview

Joe Leonard| CTO & VP Security Strategy


GUIDEPOINT SECURITY SERVICES

Threat & Attack Simulation Services
Our team of white hat hackers mimics real-world attacks to identify exploitable attack vectors in your infrastructure, security control implementations and human behavior.
Services include:
• Active Directory Security Health Check
• Penetration Testing
• Red Teaming / Purple Teaming
• Social Engineering
• Vulnerability Scan & Verify
• Vulnerability Management as a Service
• Wireless Security Assessment

Digital Forensics & Incident Response Services
Our DFIR team helps you prepare for, respond to and efficiently resolve security incidents to minimize business impact.
Services include:
• Incident Response Retainer
• Incident Response Services
• Threat Hunting
• Ransomware Readiness Assessment
• Ransomware Investigation
• Tabletop Exercises
• Incident Response Program Review and Strategy
• Incident Response Plan Development
• IR Playbook & Runbook Creation
• Digital Forensics Services

Identity & Access Management
Our team of IAM security practitioners can help your organization develop an identity strategy and roadmap.
Services include:
• IAM Architecture Review
• Identity Governance & Administration (IGA)
• Access Management (AM)
• Privileged Access Management (PAM)

Technology Solutions
Our security architecture professionals provide assessment and implementation services. We focus on numerous areas of your network security, email security and the endpoint, and help you validate security technologies deployed on the endpoint.
Services include:
• Security Strategy Review
• Implementation Services
• Firewall Assessment
• IoT Assessment
• Security Analytics
• Security Engineering Services
• Zero Trust Workshop
• Zero Trust Enablement

Governance, Risk & Compliance Services
Our team of GRC professional consultants provide guidance to help you develop or enhance your information security program.
Services include:
• Security Program Assessment
• Business Resilience
• CISO as a Service
• Compliance Assessment and Advisory
• Data Discovery and Risk Assessments
• Third Party Risk Management
• Training & Education

Cloud Security Services
Our cloud security practitioners can help you gain control of all your AWS, Azure, Google, Oracle, SaaS or Multi-Cloud environment with a "Security First" strategy. Our services cover all aspects of cloud security and help you with your digital transformation.
Services include:
• Cloud Security Assessments
• Cloud Security Strategy & Architecture
• Cloud Penetration Testing
• Container Security

Application Security Services
We offer tactical application security assessment services and solutions, including in-depth technical review of your applications and a comprehensive review of your organization's application security program.
Services include:
• Application Security Assessment
• Mobile Application Penetration Testing
• Application Threat Modeling
• Application Security Review
• Secure Code Review
• Secure Configuration Review

Zero Trust
Mike Louis, Senior Security Architect

Why do we need a new Model?

"Perimeters are Dead!"

"The old hard-shell model of security isn't sustainable in light of the need for businesses to open up their networks to partners, consultants and clients" - Paul Simmonds, Jericho Forum, "De-Perimeterization"

➢ Mobile Workers Will Be 60% of the Total U.S. Workforce by 2024 (IDC)
➢ Perimeter security controls are limited with the increase of cloud and mobile applications
➢ Traditional "perimeter-based models", i.e. VPN remote access and perimeter FW, don't work
➢ Digital Cloud Transformations and The Mobility Revolution ---> Forced Digital Transformation
➢ Identity + Enforcement + Visibility need to be combined to form policy to support Enterprise Applications
Trusted Model

• Applications, Users and Data resided within a Trusted, closed network with easily governed security controls and processes.
• All Assets under Corporate Control
• Limited Internal Visibility
• Traditional, Perimeter Based Model

[Diagram labels: Printer, Internal E-Mail, Wireless, Applications, Storage, Backup, Wired Desktops, Remote Gateway(s), Web Filtering, DMZ, Corporate Devices, Web Server(s), Partner Gateways, VPN, BlackBerry's, ERP (SAP etc.), Active Directory, Internet and External Business]

Image Source: STR-W12 – P Simmonds – RSA 2019


Semi Trust Model

• Digital Transformation -> Disruption of Trust
• Some Outsourced Services
• Applications Everywhere
• Users working from Anywhere
• Third Party Vendor Access

[Diagram labels: Internal Guest Wireless, Managed Printers, Wireless Access, E-Mail, Office Apps, Storage/Backup, Back Office Servers, Wired Desktops, Storage Containers, Networking, Corporate Laptops, DevOps, B2C Cloud Services, Middleware, Corporate Smartphones, Legacy Security Stack, 3rd Parties, BYOD Devices]

Image Source: STR-W12 – P Simmonds – RSA 2019
Zero Trust Model

• Heavy Cloud and Mobile Use
• Mixed Ownership of Assets
• SAAS/IAAS/PAAS
• Containers/Micro-Services
• IOT/OT Security Devices
• 3rd Party Vendor Access

[Diagram labels: Wireless, Photocopier / Printer, Partner Access, E-Mail, Direct Connection, Office Apps, Storage/Backup, Back Office Servers, Wired Desktop, Storage Containers, Corporate Devices, B2C Cloud Services, DevOps, Common B2C Cloud Services, Plant / Manufacturing, 3rd Party laptops, BYOD, IOT]

Image Source: STR-W12 – P Simmonds – RSA 2019


Tenets of Zero Trust

• End to End Strategy, Not Just an Architecture
• There is No Perimeter, Every Network is Hostile
• Never Trust, Always Verify
• Prevent Lateral Movement, Contain Breaches
• Identity vs Network Centric
• Full Visibility and Monitoring
• Automate Security Policy


Zero Trust Architecture Pillars

Trust and Identity
• Verified Identity of Devices
• Verified Identity of Users
• Verified Location of Users/Devices
• Business Role and Function
• Time of Day
• Security Posture (AV, EDR, etc)
• Employee or Guest/Contractor
What you need:
• Complete List of Business Assets
• Protected Identity Store (AD, Okta, etc)
• Multi-Factor Authentication
• PKI or Device Level Certificates
• Privilege Access Management
• Posture Assessment (Optional)
• Confidential Computing

Policy Enforcement
• Enforces Network Access Policy
• Leverages Identity in Access Policy
• Governs Client-Server and Server-Server Access Policy
• Centrally Managed and Enforced
• Client or Network Based Deployment
What you need:
• Network Policy Enforcement Engine (FW/CASB/Proxy/Network)
• Centralized Policy Engine
• Automated Deployment
• Defined Business Roles/Authorizations

Visibility and Monitoring
• Application Profiling
• Client-Server/Server-Server Traffic Profile
• Required for designing access policies
• Required for validating access policies
• Detecting abnormal traffic flows or violations
• Homegrown Application
What you need:
• Network Traffic Analytics Engines (NDR)
• Application Traffic Profiling
• System Logs for Visualization
• Network Topology Maps
• Sensor Networks and Taps
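As an added example (not from the slides or any GuidePoint tool), the following shows how the Trust and Identity signals above feed a centralized policy decision: every signal is checked on every request, and the per-application policy, request fields and sample values are constructed for illustration.

```python
# Added example: a minimal Zero Trust policy decision point that evaluates the
# "Trust and Identity" signals against a central, per-application access policy.
# Field names, the AppPolicy shape and the sample finance policy are constructed.
from dataclasses import dataclass


@dataclass
class Request:
    user: str
    role: str                 # business role and function
    user_type: str            # "employee" or "guest" (contractor)
    mfa_verified: bool        # verified identity of the user (MFA)
    device_cert_valid: bool   # verified identity of the device (PKI/device cert)
    edr_healthy: bool         # security posture (AV/EDR reporting healthy)
    location: str             # verified location of the user/device
    hour: int                 # time of day, 0-23


@dataclass
class AppPolicy:
    allowed_roles: set
    allowed_locations: set
    hours: tuple = (0, 23)            # inclusive permitted window
    require_managed_device: bool = True
    allow_guests: bool = False


def decide(req: Request, policy: AppPolicy) -> tuple[bool, list[str]]:
    """Return (allowed, reasons). All checks must pass: never trust, always verify.
    Every failing signal is recorded so the denial can be logged for monitoring."""
    reasons = []
    if not req.mfa_verified:
        reasons.append("user identity not verified with MFA")
    if policy.require_managed_device and not req.device_cert_valid:
        reasons.append("device identity not verified (no valid device certificate)")
    if policy.require_managed_device and not req.edr_healthy:
        reasons.append("device posture failed (EDR unhealthy)")
    if req.user_type == "guest" and not policy.allow_guests:
        reasons.append("guests/contractors not permitted")
    if req.role not in policy.allowed_roles:
        reasons.append(f"role {req.role!r} not authorized")
    if req.location not in policy.allowed_locations:
        reasons.append(f"location {req.location!r} not permitted")
    lo, hi = policy.hours
    if not lo <= req.hour <= hi:
        reasons.append(f"outside permitted hours {lo:02d}-{hi:02d}")
    return (not reasons, reasons)


# Constructed sample policy for a micro-segmented finance application.
FINANCE_APP = AppPolicy(allowed_roles={"finance", "finance-admin"},
                        allowed_locations={"US", "office-vpn"}, hours=(6, 20))
```

The returned reasons list is what the Visibility and Monitoring pillar consumes: a denial with several failing signals from one identity is exactly the kind of violation a SIEM or UEBA use case should surface.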
Use Case Approach
NIST 800-207

● "Organizations should seek to incrementally implement zero trust principles, process changes, and technology solutions that protect their data assets and business functions by use case"
  ○ Identity Governance and Identity Access Management
  ○ Software Defined Perimeter and Zero Trust Network Access
  ○ Micro-segmentation
  ○ Application Sandboxing/Secure Enclave
  ○ Data Security "Least Privilege"
Reference Architecture and Maturity Model

• NIST 800-207
• Planning for a Zero Trust Architecture: Draft (RFC)
• Zero Trust Architecture 101
• Zero Trust Maturity Model
• DoD Zero Trust Reference Architecture
• Cloud Security Architecture
• Achieving Mission Assurance for Enterprises Today and Tomorrow
• Moving the U.S. Government Towards a Zero Trust Architecture

NIST Zero Trust Architecture

-> Establish Trust ---> Enforce Access Policy based on Least Privilege ---> Monitor and Maintain ---> Refine Process
Zero Trust Maturity Model (CISA)

• Determine your Zero Trust Maturity
• Most Customers already have some ZT capabilities
• Get your Identity controls in order (foundational)
Building Use Cases: Common Use Cases

Zero Trust Network Access
- Software Defined Perimeter
- Secure Web Gateway/SASE Controls
- Reverse Proxy

Micro-Segmentation/Nano-Segmentation
- Software Defined Segmentation
- Agent vs Agentless
- Network Access Control (IOT, OT, Endpoint)

Identity/Trust Management
- IDAM/IGA/PAM + Posture
- Adaptive MFA, Passwordless
- MDM, PKI Device Management
- Confidential Compute/Encryption as a Service
- Conditional Access
- User Validation

Monitoring and Visibility
- Network Detection and Response/Application Fingerprinting
- SIEM Use Cases + Compliance Tools
- UEBA/Insider Threat
Zero Trust Solution Development

Discover
• Identify key stakeholders
• Review Zero Trust Business Drivers
• Capture use cases and requirements
• Review existing Architecture

Assess
• Identify High Value Assets and Classification Policy
• ZTA Use Case Architecture Gap Analysis
• Determine Success Criteria
• Zero Trust Roadmap

Design
• Technology Selection Process
• Gap Remediation
• Detailed Design Document & Signoff
• Review and update Zero Trust Roadmap
• Update Zero Trust Business Outcomes

Build
• Develop Zero Trust Configuration Policies
• Test and Validate Policies in Pilot Groups
• Document Exception Process and Perform Final Policy Tuning
• Zero Trust Policy Rollout (Phased)
• Next Day Support

Maintain
• Knowledge Transfer and Operational Training
• Exception and Change Remediation Training
• Configuration and Device Management Procedure
• Quarterly Health checks & Best Practice Assessment
• Visibility and Violation Monitoring Tuning
Zero Trust Use Case: Zero Trust Methodology

Identify

Review Zero Trust Business Drivers
● Work from Anywhere, Secure Cloud Applications
● Limit Access to Role and Entitlements
● Proliferation of SaaS apps
● Premise-based Trust is inadequate for securing the workforce
● Hire from Anywhere, Secure access

Capture High-Level Zero Trust Use Cases
● Finance - Zero Trust Remote Access + App Micro-Segmentation
● Legal - Data Leakage Protection/Identity/Micro-Segmentation
● Development - Zero Trust Remote Access/Micro-Segmentation
● Human Resources - Identity Governance - User Onboard/Float/Offboard + User Validation

Review Security Architecture
● Evaluate security capabilities to include review of People, Processes and Technology
● Provide Gap Analysis on each component

Identify key stakeholders
● CISO
● Application Developers
● Business Asset Owners

Identify High Value Assets and Classification Policy
● PCI Zones, Finance Servers, Legal Assets

Security Architecture Required Per Use Case
● Remote Access VPN, SWG, etc

Assess

Zero Trust Gap Analysis
● Missing technical/administrative controls
● Controls augmentation/modification

Deep Dive Security tool review
● Review of security tooling configuration / implementation to assess feasibility within a Zero Trust Architecture

Create Test plan for POC
● Outcomes Required
● Test Plan and Identified Users/Departments

Zero Trust Roadmap
● Multiple Phases
● Key Milestones, Deliverables, and Dependencies

Validate

Proof of Concept buildout/test
● Align buildout to established POC test plan
● Establish testing timeline

Review POC results w/ Stakeholders
● Document and review initial findings of POC
● Make any necessary adjustments based on review/feedback in preparation for Pilot group

Review and update Zero Trust Roadmap
● Incorporate any changes / feedback encountered to align roadmap to POC results

Transfer to pilot / production
● Conduct pilot group / production testing with predefined resources

Capture Zero Trust Business Outcomes
● Ensure pilot testing results align with established business outcomes
● Re-evaluate Risk after successful pilot group testing

Pilot Scope Complete

Review Final Results
● Review Business Outcome Alignment

Project Engagement Closeout
● Lessons Learned
● Documentation Final Review and Follow-up

Review Next Steps
● Scopes and Proposals for Transform and Maintain Phases
● Additional Pilots/Testing

Transform

Security Gaps Remediation
● Remediate enterprise dependencies for production rollout

Production Deployment
● Department Rollouts for ZTNA Use Cases
● Policy Tuning and Final Adjustments

Update Security Processes
● Document Operational Procedures
● Staff training for upgrades and MACDs

Automation and Orchestration Planning
● Workflow Designs and Process Review
● Automation Policy Testing

Documentation and Metrics for Business Outcomes
● Executive Level Metric Identification and Validation
● Operational Reporting Design

Maintain

Zero Trust Transfer to Operations
● Security Operations Process Review
● Staff Knowledge Transfer for Support of Use Cases

Continuous Visibility and Reporting
● Reports for visibility and troubleshooting
● Executive level reporting and metrics
● SOC dashboards for monitoring violations

Scheduled Review and Update of Zero Trust Roadmap
● Future Use Cases
● Least Privilege Strategy review

Automated Security Processes
● Security Policy Automation and Remediation
● Security Product Integrations/API

Operational Manual
● Monitoring Use Cases for Least Privilege
● Data Sources
● Dashboards and Reporting
Lifecycle Solutions

Assess and Evaluate
• Zero Trust Readiness, Planning and Design
• Zero Trust Cloud Readiness Design
• Identity Access Management Assessment/Design
• Product Evaluations and Pilots

Technology Solution Services
• Zero Trust Deployment for Remote Access
• Zero Trust Deployment for DLP/CASB
• Zero Trust SIEM Use Cases for SOC
• Identity Access Management/Identity Governance

Platform As a Service
• Platform-As-A-Service for Zero-Trust

Managed Security Services
• Partners with Managed Security providers for MDR, EDR, VM, Network Security, DLP, WAF, DDoS and more
• Products/platforms as a service
Questions
