Session: SAI3237SU, Tom Corn, Sr. VP Security Products
Network exploitation is easier today due to the distributed nature of applications and components. Hack one layer, and you can move across boundaries via application firewall holes. We need to shrink the attack surface area. Least privilege. Align controls to applications. Microsegmentation is network layer least privilege. Securing the network can align security with applications. New notion of least privilege compute. This new concept is ‘ensuring good’ vs. ‘chasing bad’.
AppDefense: Capture; Detect; Respond
Capture: Intended state & runtime state. Hypervisor can see what’s running and what’s provisioned. Intended state engine hooks into vCenter and provisioning systems (Puppet, Chef, vRealize) and automation frameworks (Jenkins, Ansible, etc.). Machine learning kicks in and uses ESXi. Break this information into manifests for each VM and placed into a protective zone. A monitoring process is also in the protected zone. If something changes, AppDefense is aware. A library of incident responses (suspend, snapshot, block, alarm, quarantine, etc.) is included. Security teams will get notified and can work with the application teams.
Security ecosystem: Palo Alto, IBM Security, Symantec, RSA, Carbon Black, Trend, SecureWorks, etc.
Shows a 3-tier application (web server, app, SQL database). Shows the manifest file for the service tiers. The ‘security’ guy comes on stage to review the application prior to app deployment. Next a hacker comes on stage to break into the app.
Kill chain (3 attacks): Exploitation, Extraction, Exfiltration
Hacker shows an SQL injection attack that opens a remote TCP connection to metasploit. The remote shell is a Windows CMD shell with admin rights. He then uses a PowerShell script to extract the data from SQL. He then uses a python script to exfil the data.
AppDefense has puppet integration, and crawls Puppet config. AppDefense now knows about all the app tiers, and configuration and pulls that in. It auto-discovers ports, protocols, and visually displays a map. AppDefense can also pull in reputation data from third parties. After 10 days of learning, 90 pre-verified behaviors are captured. Only one needs manual review. For the manual review you can click ‘send to owner’ and sends to an Android mobile phone app for approval. The app owner can then approve or reject from their phone.
Now that the verified scope is done, you can then put the app into protected mode. The hypervisor will now start monitoring behaviors. Gives you a choice of remediation options (block, alert, snapshot, power off, suspend, quarantine). Admin is presented with the short list of rules they can enable/disable or make automatic or manual.
Resumes hacking attempt
Shows that the Python injection attack on the login page no longer works. The outbound connection is blocked. If somehow the attacker gets in another method, he launched his powershell script to extract the data. He was using a legit connection, but the process that does the connection is bad and AppDefense stops that.
Now they show the AppDefense console and the alarms triggered from the hacking attempts. AppDefense looks at the CLI that launches the connection and verifies that it is valid. For example, connecting to the DB via 1433 is normally allowed but AppDefense can see a powershell was making the connection and not the app and block it. Basic IP/port block/allow is not enough.
The hacker now looks inside the VM for the process that is blocking his actions. He then launches a script that injects into the security process some custom code. The AppDefense response to the tampering is to take an action, which is to suspend the VM. The hacker was then booted out.