
Micro Segmentation and Security: The Way Forward

BSides Augusta · 2016 · 28:59 · 29 views · Published 2016-09 · Watch on YouTube ↗
Style: Talk
About this talk
Video from BSidesAugusta 2016.
Transcript [en]

Okay, good. All right, so I have the best talk time, because in about 30 minutes we're going to go get some Chick-fil-A. I say that to say this: anybody that wants to ask questions, just remember you're holding everybody else up in here from getting free Chick-fil-A, right? So that is my get-out-of-jail-free card, right, and I didn't have to pay anybody for that. So first off, by way of introduction: I'm Jack Coons. I am the speaker for the next 30 minutes. Until August 1st of this year I was an Army officer over at Fort Gordon in what we now call the 17 series, which is the cyber warfare officers,

but I have about 15 to 20 years of experience prior to that doing both what we would refer to as intelligence activities on net, and then slowly morphing to what we refer to as effects on net. And so I'll start off with a real quick joke here to see who gets it. And by the way,

what's the difference between a computer network...

...mess up and you scrub the apple, or you figure something and you quickly break the route, and it just became an effect. And all of a sudden that's when you stand up and you say, "Yeah, we can do that." We're not doing computer network attack, not computer network... So there's nobody left, and I now know some questions over there, so now I already know this side. So, same thing with computer network operations, network administration, basically.

Who here already...

So the bottom line is this. I heard the previous speaker talk about segmentation,

right? Now, if we're in this room, right next to us is another one, right? So we have a physical separation, right? What I'm going to talk to you about is something different and actually very important, because, like I said, I was hired on this first from the white ball building over port, and I now... you probably guessed my current tour. So it's a very interesting place to be right now in the world of cybersecurity, because most of my adult life, and from how I was brought up, with remote access, sanctuary, going on net to get into a box, to what we call a clue. Okay, it's like calling up Verizon and saying his support,

holding that lady on the phone. But at some point, for a conversation...

that guy that comes to your house, that was the other thing. So that is the way that I look at the world, and by the way, when I say the world, that literally is what I'm talking about: anywhere.

So now I'm on the outside. On the outside, that is not what we do, because legally you do not do things. So I am looking at the problem now with another unique perspective, which is one of: how do I prevent things that I know could happen, potentially could happen, and more importantly... All right, so for those of you with this brief, and you saw zero day and zero trust,

because microsegmentation in and of itself is kind of a boring subject, but it is exciting. So without further ado, I'm going to jump right into this here and see if the thing works. There it is. Now, I said I'm a geek. In the world,

everything has a cover or another name for it, right?

So you all know who that is. This is going to get old, this is a meme, right? But however,

with the tool sets that have been released, may or may not happen. Bottom line is you're putting hardware onto a network, right? The old days of putting infrastructure into place, hardware to prevent an adversary from gaining access: those days, that period, is slowly coming to an end, right? There's a new reality out there. In the old days, a nation state literally took millions of FTEs, full-time equivalents, right? People working day and night, very rigorous, very, very clean conditions, and under, let's just say, in the government you can use the phrase "cost is no object," right? Spending millions of dollars to develop exquisite tools that are tailored for quite a bit, that are tailored to do one special

thing, right? Some of those things are out there right now, and a bored teenager can now... I'm not going to be purple...

That's the new reality that we're operating in right now. It makes my talk very easy. Here, I'm going to London, speaking at a conference for security in Europe, because everyone can now... where I don't have to worry about photography, because everybody is accountable. So what that means, by a couple things: the Internet of Things,

right, and a recognition of that, an understanding that didn't exist before, right? Your ability, under cost restrictions, to protect your networks: it is very challenging to make that thing happen; some type of regulatory compliance mechanisms...


You know, IP range over here, he's literally talking about... he talked version six.


Everybody wants to make sure...

Yeah, I'm a huge geek, so this is another favorite one right here.

...defined networks. Looks good. So what I mean by software-defined networks, right, and then micro-segmentation, just like I said earlier, microsegmentation, right? This is the world that we're living in right now. This is what literally is happening out there, and you guys are living and believing it right now. All right, so let's go ahead and jump into it. This is why we're doing it, right? This is... no, I'm not going to bore you like this morning. You guys know what it is. What you want to do, though, and what we're trying to do, is from just basically saying, "Here is my DMZ, and therefore everything inside my DMZ I trust, and therefore it's allowed

to move around and do what it wants to do," right? We call that, as you guys know, east-west traffic; we call that lateral movement. That's about, depending on what method you use out there in the world, anywhere from 60 to 80 percent of traffic inside the data center is not even looked at, because it's assumed to be safe, it's assumed to be trusted, right? I will tell you, in my world, that's the place where pivot points occur. That's the point where you start having people moving around, and this is just going outside... your threat, this could be insider threat. And when I say threat, the threat to me is not some

particular individual trying to do bad things to your network. An insider threat to me is some knucklehead who doesn't know what they're doing, who's moving around or changing something, or just bored one day and is looking around at things that they're not supposed to: the guy in operations that's looking at financial data, the guy that's in finance that's looking at HR data, the person that wants to know, "I'm making $50,000 a year, and I have lunch with this guy, I don't like him, and I want to know how much he's making, by the way, we just got bonuses," right? That kind of stuff. So that's what we're talking about here. So what you want to

get to is something called zero trust, or an untrust model, which means literally every IP packet inside of your world has to earn the trust to communicate. So for example, I no longer talk to Corey because Corey and I have history; I have to prove to Corey that he and I can have a conversation back and forth. So in a way, you kind of get like an encryption... it kind of becomes a handshake between the privilege. All right, that's the old model. Little FYI there: does everybody know what the purpose of the moat is? Why do they have moats around castles? By the way, everybody uses this, you see this all the time, because there's one place

to get in and one place to get out, and there's very well-defined places where things are. So for example, this silo here would be your HR data; this site over here may be your financial data stream or data center; over there you may have some intellectual property sitting; in DoD you could have classified space; you could have something over here. And there's one way in, one way out. It's well defined; the perimeter is nice and easily understood. What's the purpose of the moat, though? Okay, very close. Okay, remember, remember in the beginning I said, before you go there... Wally's right there. This is why Wally doesn't get asked questions, because he's

that guy. Do you ever think...

Right, I'm going to do one better. Think of the OSI model. Everybody understand the OSI model, right? A reference that we all understand so that we can... what communicates, we have a relationship with each other, purposefully. The actual reason that moats were existing around these things is because people would tunnel from the outside in, underneath the wall, and the water in the moat would actually flood the tunnel. That was the purpose of the moat. Now think of the OSI model. You got applications up here, right? If I am really good at what I'm doing, I can keep deep-diving into that OSI model to get through your defenses, to the point where, if I'm... and it's not me, but there are

individuals out there that literally can, they can work at a machine code language level, and guess what? Nothing stops them. They will literally crunch through and grind, almost... right. The point to all this is to reinforce the fact that in this world that we're moving in, as people get more and more developed... Also, another little bit of trivia: you guys know how the stairs in these things work? Stairs always go in a certain direction, because typically you held a sword; you have your shield like this, you have a sword like this, right? So when the adversary is coming up to get you, what you do is you force him to have to have his sword... so every stair in an

ancient castle will go like this, because what you do is you keep his sword against the wall, but if I'm the guy protecting it, my sword is where it's on the outside, so I get to smack them. That's an important thing, though, for you guys: eighty percent of most IT budgets, perimeter defense. Why? Because it's easy. It's well understood on risk and audit and compliance things that we have to, you know, do. Like, for example, I'm not a cybersecurity person. I possess not one certificate that this industry recognizes, but guess what? I probably won't be able to get a job at certain companies, because they have a requirement for someone to have a

certification. So I have to explain: I went to JNAC for 30 days. How does JNAC, Joint Network Attack Course, how does that relate, my 30 days down in Florida, how does that relate to somebody who basically studied your book and kind of certified it, right? So this is a typical conversation, but yet that's how we live right now. The other question, the takeaway from the slideshow, is this: I would challenge anybody that worked with defense cybersecurity, tell me, explain to me, show me in a Visio diagram the physical and logical topology of your network. Tell me what your perimeter looks like. Tell me where the boundary is on that map, where it says, "Here's the end

of my understanding," and then there's this ancient dragon, it says "here be dragons," and there's like some weird ancient antique pictures up there. I would challenge you to show me that. Okay, you all know what shadow IT is? Everybody here know what shadow IT is, right? Legacy boxes, shadow IT, the dude that punched something in just because something didn't work. For example, this morning, Joyce, the guy from Tal, could not get his computer hooked up because... right? So this is the kind of conversation we all live in, right? But yet, guess what? He got hooked up. How did he get hooked up? Because somebody in the audience brought up a cable and plugged

it in. Now, I'm going to tell you right now, if I was somebody that... if I had come here preloaded with my thing, with some firmware or something sitting on that thing, I would have given it to the guy that wants CAO to plug into his box, so that he can plug it in. You guys see where I'm going with this, right? This is the way the adversary thinks. All right, so the point is: this is our world, folks, right? And then we've got the inside. What made Edward Snowden devastating? Right, what made him devastating is the ability for him to get inside and basically have full hard launch of everything and look around inside the

networks. Now, yes, he used credentials from other people, he did some other things, but the fact is he was able to move around inside your network. That's the ultimate insider threat, but it could have been another knucklehead, right? So the threat may not have been Edward Snowden; the threat really was the individual that let him use his identification card and his credentials to get in. That's the threat, right? So you want to use microsegmentation to be around... You guys have all seen this. Everyone's familiar with the kill chain, right? It's out there, you can do the research on it. This is the kill chain. There's actually a new version of this, the expanded cyber kill chain, which talks

about the inside of the rack. The key here is that most network administrators don't have the time, the money, the patience, or the visibility to look at that eighty percent of people's traffic, what's going on inside of what they consider to be their network, right? Micro-segmentation can help that. That's the area, that's my research, that's what I'm looking at, because it's a very rich vein and a lot of companies are looking at it right now. Before we go forward, here's how it works. And by the way, I'm going to park for a second right now, because I'm going to caveat it by saying a couple things: three ways of looking at the world today.

You have permanent sites, right? Companies like a financial institution: they don't want to put anything anywhere else. They want to lock it down so that they know all of my financial transactions occur right here, or all of my IP is right here, so I want to be able to look at that data center every day. Then there are some, I call them cloud babies: there are people that literally go into Amazon AWS and they go, "I'll create my company." I'm basically going to go shopping and I'm going to get some server time, I'm going to get some security, go through my shopping list, and then they check it out, and guess what? There's no physical

representation of this company. They're literally of the cloud, born of cloud. Then there's a hybrid, which is what most companies, including DoD, including the intelligence agencies, including pretty much everybody right now, is moving to: this hybrid model, right? So those are your three models. That third, hybrid model: you have a permanent facility where they may keep control of their IP, because it just makes them feel better at night, but yet they have mobile device users that are all over the place, and they want to be able to give them real-time, near-real-time access to things like applications. So for example, Office 365. Why on earth would I want to deluge my network

administrator and have them deal with all that crap? I want to have a focus on what I wanted to focus on, which is protecting my IP. So I'm going to host 365 with the zero... up in the cloud and let that application run back and forth; let Microsoft worry about that. That's the hybrid model, right? But those three things are what's going on right here, and that's what you're going to see here. So what we have... you guys can read that. By the way, the slides: I'm not going to talk to the slides. I hate slides. These are here for you if you want them afterwards, so you can go back and question what I'm talking about. But basically, this is what

we do, right? You bifurcate, and you segment all this stuff up here, and then you can easily divide it. This is really nothing new. What I want you to get your head wrapped around is this: we kind of do this already today, but what we're trying to do right now, and what companies are doing right now, is they are literally encrypting at the packet level the relationship between communities of interest, back and forth. And we're going to go through a couple of things here. So this is exactly the takeaway, this is what it is. There's a use case out there, you guys can do the research, there's a use case right now where a company, actually not

at home, a state, a U.S. state, went from well over a hundred thousand ACLs, right? Everybody's going to be, right, access control lists, right? The definite, you know, the significant signatures, but the actual ACL: they went and collapsed that from over 100,000 to about 100 by using micro-segmentation, right? That's why micro-segmentation is powerful. And by combining micro-segmentation with software-defined networks, think about it like this: with a software-defined network you can roll out in a matter of minutes something that you could never do with hardware, because what happens with hardware? What do you have to do with hardware? Second, you have to go and place it. So if you're

a company, or you have a global workforce, and you have to install a firewall, you now have the incurred logistical cost of, "I've got to go and place my Cisco pizza box that's sitting on a rack somewhere in a closet." You have to physically go there and you've got to replace the system, right? Software-defined network, you don't have to do that. You get away from a lot of that stuff, so you get a cost savings, which is a very interesting thing. Here's the other one. Okay, so the bottom line for this, though, is we're already doing things like Active Directory, we're already doing things like LDAP, we're already doing things in DoD like, you

know, the other thing... I just got five minutes here. All right, so what I'm going to do is I'm going to burn through here real quick. So here's three use cases of what we got going on, right? We have intellectual property. On the top is the challenge; on the bottom is what happens when you have microsegmentation. So we've already talked about intellectual property, right? You have access to the corporate data centers, right? But the problem is everybody's stuck... you don't want everybody to have that. With software-defined networks and micro-segmentation you can use advanced cryptography, we talked about 256 or military-grade encryption, right? That protects, creates those tunnels, and it only allows those communities of

interest to go to it. Now here's the kicker, here's the really interesting part: there are companies out there right now that are literally using shims between layer 2 and layer 3. So this is not something that Jack is talking to you about that's in the to-be future; this is happening right now. What they do is they put a shim, an agent, in between layer 2 and layer 3. That shim basically looks like, for example, me and Corey: Corey was saying, "Hey, Jack, who's there?" If Corey and I are not assigned in Active Directory to the same community of interest, I won't even respond for it; I'll just drop the packets. So why is that powerful? What does

that do, right? It denies the adversary the ability to map and understand the network. In a dungeon crawler, the screen stays black; you're not turning lights on and learning a little bit more, right? You effectively cloak and darken the end nodes, or the actual things that you don't want them to have authorization to, right? And so really the network administrator is the only one with a Harry Potter Marauder's Map, right? That's the only thing, and that is where you focus all of your resources. You protect the Marauder's Map. You don't waste your money out there protecting the amorphous perimeter that you challenge to even understand what it looks like. I'm trying to burn through here. End-of-life devices:

for example, everybody works in companies, they still use XP, right? It isn't supported anymore, but you know what you're not going to do? You're not going to turn it off and replace it. Why? Because it's probably still running and you may not even know where it is, right? You're not going to turn it off. So you've got an end-of-life device sitting out there that's not supported, not patched, right? So you can basically circle that thing, and you can segment that thing off of something else, right? So what are you doing, in a nutshell? And again, you gotta... simply, this makes sense. You're not gonna go through this security cloud kind of

already talked about. What are you doing, really? The goal with micro-segmentation, and you can talk more offline about this: you're doing two things. You want to reduce the attack surface that you present to the adversary, and when I say adversary, I talk about everybody in the company that I work for that is not in the community of interest or a security group that they're assigned to, as well as everybody outside of the company, right? You reduce the attack surface. But then also, in the business world, which, I'll be honest with you, I never had to worry about before, but it's apparently very important to the commercial sector: you reduce the auditor... the audit and the

regulatory surface, right? So you have credit card information and it flows across your entire network. Guess what has to be in compliance and gets audited constantly? The entire freaking network, right? What if you can segment that, micro-segment that data, encrypted, so that the financial data only flows around here, and all of the transport, all the infrastructure that supports it, is segmented off and encrypted away from it? Which is what companies are moving to right now. Guess what doesn't get to be part of the map? The 90 percent that makes it happen, and the only thing that gets in it, like that. So you can start to see the crosshairs here, and again I'm going to

burn through here because I want to get through. You guys look at that... that's it, because I want to free up some time here. How much time do I have for questions? All right, so we've got about five minutes for questions. So, anybody besides Tori and Wally that has a question?

Really? Giveaways, or can I keep it? I'm just kidding. All right.

Wow.

...out there that this company has used, but not just Stealth. There's about six or seven major companies that are in the space; obviously Microsoft is moving in there. Right now there's a bunch of other companies that are in there. I don't want this to be a sales pitch, because I didn't join Microsoft; I'm not here for this update. I'm here because I'm interested in microsegmentation and the attack surface, and reducing the attack surface, and also, by attack surface, I want to remove the adversary's ability to have pivot points established. And by the way, with Stealth, what it also does is, even if someone were to come in and get around micro-segmentation by

literally plugging a USB in, by doing the shim between two and three, what it prevents is anything peeking out, because it will not allow the peeking out to even occur. So the malware will not be able to go outside the network. It'll still be alive, but it won't be able to touch the command-and-control server and it won't be able to exfil any data. So that's huge. So, bringing it all 360, what that really does is, you go in now... it changes the paradigm, right? You're not going into this flippy "how do I protect everybody, everything, from everybody?" What you do is you go in with an understanding that we're probably going to get hit, we're

probably going to take it fast, all the time. So what we're going to do is we're going to physically and logically choose where we want to assume risk, and then align all the other hardware against what we, you know, want to do, rather than put all the sensors and everything out where we don't have any other...

Okay, depending on your network, depending on which company you're talking about, depending on what your infrastructure, your quality, looks like, you can go into your software model. So they'll roll it out, they'll install software on your system, and then you can deploy that.

Depends on hardware requirements.

...is, like I said, you have, with the software... the software basically creates a tunnel out to the individual device. Those devices...


Anybody else? All right, so again, apologize for the shortness, but this is what they call a lightning talk, so you're getting about six months of research in about 30 minutes. Appreciate your time. If any questions, get with me afterwards. Thank you.
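The talk describes an agent ("shim") between layer 2 and layer 3 that drops packets from any host not assigned to the same community of interest, so a scanner sees nothing; that also stops compromised hosts from reaching a command-and-control server; and that collapses a state's ACLs from over 100,000 to about 100. The following is an added example written for this page to make those three properties concrete; it is not code from the talk or from any vendor's product. Everything in it is constructed: the host names, the community-of-interest (COI) directory that stands in for Active Directory or LDAP group membership, the packet shape, the port numbers and the synthetic 10-COI-by-100-host directory used to show how rule counts scale.

```python
"""
Toy model of identity-based micro-segmentation (added example, not from the talk).

Policy enforced by each host's shim:
  * inbound:  accept only if source and destination share at least one COI;
              everything else is dropped silently (no TCP RST, no ICMP), so a
              sweep from a host outside the COI gets no answers at all.
  * outbound: on-net destinations follow the same COI rule; off-net addresses
              (anything not in the directory, e.g. a C2 server) are allowed
              only if the host has an explicit egress grant.
"""
from dataclasses import dataclass, field
from itertools import combinations

# Constructed directory: host -> set of COIs (stand-in for AD/LDAP groups).
DIRECTORY = {
    "hr-db":      {"hr"},
    "hr-app":     {"hr"},
    "fin-db":     {"finance", "pci"},
    "fin-app":    {"finance", "pci"},
    "pos-term":   {"pci"},
    "legacy-xp":  {"legacy"},          # end-of-life box, ring-fenced on its own
    "admin-jump": {"hr", "finance", "pci", "legacy", "mgmt"},
    "ops-wk":     {"mgmt"},
}


@dataclass
class Packet:
    src: str
    dst: str
    dport: int = 0


@dataclass
class Shim:
    """Per-host agent; one instance runs on each host in `directory`."""
    host: str
    directory: dict
    egress_allowed: bool = False        # may this host talk to off-net addresses?
    log: list = field(default_factory=list)

    def _share_coi(self, a: str, b: str) -> bool:
        # Hosts missing from the directory (a rogue laptop) have no COIs at all.
        return bool(self.directory.get(a, set()) & self.directory.get(b, set()))

    def inbound(self, pkt: Packet) -> bool:
        """True if the packet reaches the host's IP stack, False if silently dropped."""
        ok = pkt.dst == self.host and self._share_coi(pkt.src, self.host)
        self.log.append(("accept" if ok else "drop", pkt.src, pkt.dport))
        return ok

    def outbound(self, pkt: Packet) -> bool:
        """True if the host is permitted to emit the packet at all."""
        if pkt.dst in self.directory:   # on-net: same COI rule applies
            return self._share_coi(self.host, pkt.dst)
        return self.egress_allowed      # off-net (e.g. C2): only with explicit egress


def scan(attacker: str, directory: dict = DIRECTORY) -> set:
    """What a host sweep launched from `attacker` sees: every host whose shim answered."""
    seen = set()
    for target in directory:
        if target != attacker and Shim(target, directory).inbound(Packet(attacker, target, 445)):
            seen.add(target)
    return seen


def rule_counts(directory: dict) -> tuple:
    """(ordered host-pair allow rules a flat ACL would need, one-rule-per-COI count)."""
    pairs = sum(1 for a, b in combinations(directory, 2) if directory[a] & directory[b])
    cois = set().union(*directory.values())
    return 2 * pairs, len(cois)


def synthetic_directory(n_cois: int, hosts_per_coi: int) -> dict:
    """Constructed directory with disjoint COIs, to show how the two rule counts scale."""
    return {f"c{c}-h{h}": {f"coi{c}"} for c in range(n_cois) for h in range(hosts_per_coi)}


if __name__ == "__main__":
    print("compromised POS terminal sees:", sorted(scan("pos-term")))
    print("rogue laptop (not in directory) sees:", sorted(scan("rogue")))
    pos = Shim("pos-term", DIRECTORY)
    print("POS -> 203.0.113.5:443 (C2) permitted?", pos.outbound(Packet("pos-term", "203.0.113.5", 443)))
    print("sample directory rules (pairwise, per-COI):", rule_counts(DIRECTORY))
    print("10 COIs x 100 hosts rules (pairwise, per-COI):", rule_counts(synthetic_directory(10, 100)))
```

Run as a script, the sweep from the PCI terminal returns only the other PCI members (fin-db, fin-app, admin-jump) and the HR, legacy and ops hosts never answer; a host plugged in on a stray cable and unknown to the directory sees an empty network; and the off-net packet from the terminal is refused unless egress was granted. The rule-count comparison is where the "100,000 to about 100" figure comes from: pairwise allow rules grow with the square of the hosts in each community, while a COI-based policy needs one rule per community, with membership living in the directory rather than in the ACL.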