next generation security for cloud · next generation security for cloud ... insecure vpc fails...

Next Generation Security for Cloud클라우드에있는내소중한앱과데이터를지켜라

김병장전무 ([email protected])

Palo Alto Networks, 2018/10/25 @ PASCON

TECHNOLOGY ISPART OF OUR LIVES

2 | © 2018 Palo Alto Networks. All Rights Reserved.

TRUST


Source identity @2018 Dark Reading: 2017 Smashed World’s Records for Most Data Breaches, Exposed Information by Kelly Jackson Higgins.White House Council of Economic Advisers Report. February 2018

Breaches reported in 2017

5,207Breaches reported in 2017

5,207US breach cost in 2016

$109BUS breach cost in 2016

$109B


Cloud Automation Analytics

IoT SaaS Cloud/Virtualization Mobility

CONTINUOUS EVOLUTION


Enablers of digital transformation

Distributed users, apps, and data | Delivers flexibility and speed; increases risk

DATA AND APPLICATIONS ARE EVERYWHERE

6 | © 2018, Palo Alto Networks. Confidential and Proprietary.

SAASPRIVATE

PHYSICAL

IAAS PAAS

SECURING THE CLOUD IS HARD


Fragmented Security

Human Error

Manual Security

WHAT’S NEEDED


Frictionless Deployment & Management

Advanced Application & Data Breach Prevention

Consistent Protections Across Locations & Clouds

SHARED RESPONSIBILITY MODEL

9 | © 2018, Palo Alto Networks Confidential

https://aws.amazon.com/ko/compliance/shared-responsibility-model/

SHARED RESPONSIBILITIES MODEL

• Palo Alto Networks complements native Cloud security to protect Cloud deployments

• Apply consistent policies from the network to the cloud for security and compliance

APPLICATIONS ARE INCREASINGLY USING PAAS SERVICES


On-Premises

Cloud Application

WEB

Object Storage Caching Database

IaaSPaaS

WebServer

APP

AppServer

INSUFFICIENT IAAS/PAAS SECURITY APPROACHES


Cloud NativeSecurity

Single Cloud

Cloud Security Point ProductLimited scope

Legacy Network Security

Negates cloud value

WEB


IaaSPaaS

WebServer

APP

AppServer

CRITICAL CLOUD PROTECTIONS


INLINEProtect and

Segment Cloud Workloads

API

HOSTSecure OS & App Within Workloads

APIContinuous Security & ComplianceOn-Premises

Cloud Application

WEB


IaaSPaaS

WebServer

APP

AppServer

WEB


IaaSPaaS

WebServer

APP

AppServer

WEB


IaaSPaaS

WebServer

APP

AppServer

PROTECT AND SEGMENT CLOUD WORKLOADSVM-SERIES


On-Premises

Application visibility and workload segmentation

Auto-scale based on triggers

Prevent outbound and inbound attacks

Cloud Application

CONTINUOUS COMPLIANCE AND SECURITY WITH EVIDENT

API

Is MFA Enabled?

Is any sensitive data exposed?

What services are running?

Who has access to this resource?Evident

Discover and Monitor Resources

Secure Storage Services

Compliance Reporting

TOP HIGH RISKS DETECTED WITH EVIDENT

16

Insecure VPC Fails password policy

MFA not enabled Unprotected root

58% 48%

55% 29%

SHOCKING, NO GOOD, REALLY BAD RISKS DETECTED WITH EVIDENT

17

No Non-Root Accounts S3 Global Upload/Delete

Root API Keys Detected S3 Global ACL Access

9% 8%

6% 4%

GDPR Reporting with Evident

18 | © 2018, Palo Alto Networks. All Rights Reserved.

One-click Compliance Reporting


CUSTOM COMPLIANCE SOLUTION

Create your own custom control framework

Copy, modify, edit controls from frameworks like PCI, NIST

GUI-based wizard makes set-up & configuration easy

PUBLIC CLOUD SERVICES INFRASTRUCTURE PROTECTION


1-CLICK REPORTING

MULTI-CLOUD

CONTINUOUS & REAL-TIME

BUILT FOR DEVOPS, SECOPS, COMPLIANCE

AGENTLESS

CUSTOMIZE TO MATCH YOUR POLICY

APP WORKLOAD

Lightweight Agent

Real-time Exploit and Malware Protection

Protects Unpatched Workloads

WORKLOAD PROTECTION TRAPS


Multi-method Attack Prevention

Traps Advanced Endpoint

Protections

NEW

Cloud environment

SIX YEARS OF EXPLOIT PROTECTION INNOVATION


NEW

2012/13 2014 2015 2016 2017 2018

TRAPS ADVANCED ENDPOINT PROTECTION

EXPLOIT PREVENTION MODULESGS Cookie

SysExit

CPL ProtectionROP Mitigation

Enhanced JIT Protection

Enhanced DLL Security

Child Process Protection

Exploit Kit Fingerprinting

Kernel Privilege Escalation

Dylib-Hijacking Protection

Gatekeeper Enhancement

Kernel APC Protection

Child Process Protection

DLL File Protection

ShellLink Protection

Null Dereference Protection

Shellcode & Library Preallocation

Hot Patch Protection

Font Protection

Heap Spray Checks

UASLR

DEP

DLL Security

Packed DLLs

JIT Mitigation

Brute Force Protection

Local Privilege Escalation Protection

ROP Mitigation (Linux)

JAVA

DLL Hijacking

Heap Corruption Mitigation

Heap Spray Mitigation

Null Dereference Protection

T01 Compatibility

SEH Protection

PLATFORM AUTOMATION


URL Filtering

CLOUD-DELIVERED SECURITY SERVICES

WEB


IaaSPaaS

WebServer

APP

AppServer

API

3rd party feeds

Customerdata

Amazon GuardDuty

MineMeld

Threat Prevention

Malware Analysis

PALO ALTO NETWORKS LEADERSHIP IN CYBERSECURITY


63% of the Global 2Kare Palo Alto Networks customers

29% year over yearrevenue growth*

85of Fortune 100

rely on Palo Alto Networks

#1 in Enterprise

Security

54,000+customers

in 150+ countries

Revenue trend40% CAGRFY14 - FY18

FY14 FY15 FY16 FY17 FY18

• Q4FY2018. Fiscal year ends July 31.• Gartner, Market Share: Enterprise Network Equipment by Market Segment, Worldwide, 1Q18, 14 June 2018

THANK YOU

Email: [email protected] l Twitter: @PaloAltoNtwks

next generation security for cloud · next generation security for cloud ... insecure vpc fails...

Documents