Security and Compliance challenges in the Virtualized data centre

Nov 17, 2013
Copyright 2010 Trend Micro Inc.

Security and Compliance challenges in the
Virtualized data centre

John Burroughs, CISSP

Solution Architect, EMEA, Trend Micro, Inc.

A Better Way with Trend Micro Deep Security


Virtualization On The Rise

10x growth in the next 3 years: 58 million virtual machines by 2012

Through 2012, 60 percent of virtualized servers will be less secure than the physical servers they replace**

**Gartner, Inc.

Securing Servers the Traditional Way

[Diagram: an ESX Server hosting several VMs (App / OS), each with its own AV agent; a network IDS / IPS sits between the network and the host]

- Anti-virus: local, agent-based protection in the VM
- IDS / IPS: network-based device or software solution

Virtualisation & Cloud Computing Create New Security Challenges

[Diagram labels: Hypervisor; Inter-VM attacks; PCI; Mobility; Cloud Computing]

Virtualisation Security Challenges

- Same threats as in physical environments
- New challenges:

Security Challenge                             | Compliance Challenge
-----------------------------------------------|-------------------------------------------------
Inter-VM traffic                               | Network segmentation; IDS/IPS
Concentration of VMs with mixed trust levels   | Network segmentation; IDS/IPS
Variable state: instant ON, reverted, paused,  | Network segmentation; IDS/IPS; patch management;
copied, restarted...                           | anti-virus; integrity monitoring
VM movement                                    | Network segmentation; IDS/IPS
VM sprawl                                      | Network segmentation; IDS/IPS


Security Inhibitors to Virtualization

[Diagram: resource contention when a typical AV console runs its 3:00am scan on every VM of a host at the same time]

DEEP SECURITY

Comprehensive, cost-effective and modular security that complements network defenses, for physical and virtualized servers

NSS Labs: Deep Security is the first product to pass NSS Labs' PCI Suitability testing for Host Intrusion Prevention Systems (HIPS).

Why do hosts need to be self-defending?

- 5th largest payments processor in the US
- Security breach occurred May 2008; disclosed January 20th, 2009
- Largest criminal breach of card data to date (130 million records), costing them over $68 million
- Albert Gonzalez sentenced to 20 years in prison, March 2010

Attack
- Entered the network (DMZ) via a web application (SQL injection) and installed malware
- Propagated a packet sniffer to machines in the transaction network via the corporate network
- Same techniques used to attack Hannaford, 7-Eleven, JC Penney

Trend Micro Deep Security

5 protection modules; protection is delivered via Agent and/or Virtual Appliance

Deep Packet Inspection
- IDS / IPS: detects and blocks known and zero-day attacks that target vulnerabilities
- Web Application Protection: shields web application vulnerabilities
- Application Control: provides increased visibility into, or control over, applications accessing the network

Firewall: reduces attack surface; prevents DoS and detects reconnaissance scans

Integrity Monitoring: detects malicious and unauthorized changes to directories, files, registry keys...

Log Inspection: optimizes identification of important security events across multiple log files

Anti-Virus: detects and blocks malware (viruses and worms, Trojans)
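The Integrity Monitoring module above is described as detecting unauthorized changes to directories, files and registry keys. The Python script below is an added example, not Deep Security code: it builds a baseline of content hashes, permission bits and sizes over a constructed sample tree, then reports which files were added, removed or modified after simulated tampering (a config edit, a binary made world-writable, a dropped file and a deleted file). The directory layout and file contents are constructed for the demo.

```python
import hashlib
import os
import stat
import tempfile
from pathlib import Path


def _fingerprint(path: Path) -> dict:
    """Per-file record kept in the baseline: content hash plus the metadata
    that must also stay unchanged (permission bits and size)."""
    st = path.lstat()
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return {
        "sha256": digest.hexdigest(),
        "mode": stat.S_IMODE(st.st_mode),
        "size": st.st_size,
    }


def build_baseline(root: str) -> dict:
    """Walk `root` and fingerprint every regular file (symlinks are skipped)."""
    root_path = Path(root)
    baseline = {}
    for dirpath, _dirnames, filenames in os.walk(root_path):
        for name in filenames:
            p = Path(dirpath) / name
            if p.is_symlink() or not p.is_file():
                continue
            baseline[p.relative_to(root_path).as_posix()] = _fingerprint(p)
    return baseline


def diff_baseline(old: dict, new: dict) -> dict:
    """Compare two baselines; for modified files, say which attribute changed."""
    report = {"added": [], "removed": [], "modified": {}}
    for rel in sorted(set(old) | set(new)):
        if rel not in old:
            report["added"].append(rel)
        elif rel not in new:
            report["removed"].append(rel)
        else:
            changed = [k for k in old[rel] if old[rel][k] != new[rel][k]]
            if changed:
                report["modified"][rel] = changed
    return report


def demo() -> dict:
    """Constructed sample tree: baseline it, tamper with it, report the diff."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "etc" / "sshd_config").write_text("PermitRootLogin no\n")
        (root / "etc" / "hosts").write_text("127.0.0.1 localhost\n")
        (root / "bin").mkdir()
        (root / "bin" / "ls").write_bytes(b"\x7fELF-sample-binary")
        os.chmod(root / "bin" / "ls", 0o755)

        before = build_baseline(tmp)

        # Simulated unauthorized changes: a config edit, a binary made
        # world-writable (content untouched), a dropped file and a deletion.
        (root / "etc" / "sshd_config").write_text("PermitRootLogin yes\n")
        os.chmod(root / "bin" / "ls", 0o777)
        (root / "bin" / "nc").write_bytes(b"\x7fELF-dropped-binary")
        (root / "etc" / "hosts").unlink()

        after = build_baseline(tmp)
        return diff_baseline(before, after)


if __name__ == "__main__":
    print(demo())
```

Recording the mode beside the hash matters: a permission-only change such as the world-writable bin/ls leaves the content hash untouched and would be invisible to a hash-only baseline. The baseline itself must be stored where the monitored host cannot write to it, otherwise the same access that alters a file can refresh its baseline entry.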

Trend Micro Deep Security: Agentless protection for VMware servers

Security Virtual Appliance
- Firewall
- IDS / IPS
- Anti-virus

- Virtual Appliance secures VMs from the outside, without changes to the VM
- VMware APIs enable
  o FW, IDS/IPS at hypervisor layer
  o Agentless AV scanning via hypervisor
- Virtual Appliance isolates security for better-than-physical protection

[Diagram label: VMware APIs]

Security Virtual Appliance

[Architecture diagram labels: Security Virtual Appliance; vSphere (ESX); Introspection APIs: EndPointSEC API, VMsafe-net API; Anti Malware (on access, on demand); IDS/IPS (virtual patch, app control); Firewall; Guest VMs (OS, Kernel, VMTools)]

The Opportunity with Agentless Anti-malware

[Diagram: previously, an AV agent in every VM on vSphere; today, one Virtual Appliance using vShield Endpoint]

- More manageable: no agents to configure, update, patch
- Faster performance: freedom from AV storms
- Stronger security: instant ON protection + tamper-proofing
- Higher consolidation: inefficient operations removed

ESX Memory Utilization

[Chart: memory utilization against number of guest VMs for Anti-Virus "B", Anti-Virus "Y" and Anti-Virus "R"]

ESX Network Utilization

[Chart: signature update for 10 agents, time in seconds, for Anti-Virus "B", Anti-Virus "Y" and Anti-Virus "R"]

Deep Security 7.5 Integrates vShield Endpoint & VMsafe

- Agent-less real time scan
  o Triggers notifications to the AV engine on file open/close
  o Provides access to file data for scanning
- Agent-less manual and scheduled scan
  o On demand scans are coordinated and staggered
  o Traverses the guest file-system and triggers notifications to the AV engine
- Integrates with vShield Endpoint (in vSphere 4.1)
- Zero day protection
  o Trend Micro SPN integration
- Agent-less remediation
  o Active Action, Delete, Pass, Quarantine, Clean
- API level caching
  o Caching of data and results to minimize data traffic and optimize performance

[Diagram labels: Virtual Appl.; vShield Endpoint; SPN]

Deep Security Product Components

Deep Security Manager
- Security Center
- Alerts
- Security profiles
- Security updates
- Reports
- IT infrastructure integration
  o vCenter
  o SIEM
  o Active Directory
  o Log correlation
  o Web services

Deep Security Agent / Deep Security Virtual Appliances: PHYSICAL, VIRTUAL, CLOUD

Addressing Payment Card Industry (PCI) Requirements

Key Deep Security features & capabilities

PCI requirement | Deep Security capability
----------------|----------------------------------
(1.)            | Network Segmentation
(1.x)           | Firewall
(5.x)           | Anti-virus*
(6.1)           | Virtual Patching**
(6.6)           | Web Application Protection
(10.6)          | Review Logs Daily
(11.4)          | Deploy IDS / IPS
(11.5)          | Deploy File Integrity Monitoring

* Available in Deep Security 7.5 for VMware vSphere environments
** Compensating control subject to QSA approval

The Compliance Mandate

"I can't get a project funded unless it's about compliance"
- Anonymous CISO

Most influential factor on security spending

$9.2B technology spend in 2010

Solution Scenarios

- SECURITY: Defense-in-Depth
- OPERATIONS: Virtual Patching
- COMPLIANCE: PCI Compliance
- VIRTUALIZATION: Virtualization Security

Introducing OfficeScan 10.5: Industry's first VDI-aware endpoint security

VDI-Intelligence
- Increases consolidation rates
- Prevents resource contention
- Pays for itself

Comprehensive Protection
- Smart Protection Network
- Local Cloud support
- Virtual patching plug-in

Best for Windows 7
- Logo certification
- 32 bit and 64 bit
- Extensible plug-in architecture

Enterprise-class management
- Scalability
- Role-based administration
- Active Directory integration

IT Environment Changes

Challenge: securing virtual desktops

- Malware risk potential: identical to physical desktops
  o Same operating systems
  o Same software
  o Same vulnerabilities
  o Same user activities
  => Same risk of exposing corporate and sensitive data
- New challenges, unique to VDI:
  o Identify endpoints' virtualization status
  o Manage resource contention: CPU, storage IOPS, network

OfficeScan 10.5 has VDI-Intelligence

- Detects whether endpoints are physical or virtual
  o With VMware View
  o With Citrix XenDesktop
- Serializes updates and scans per VDI host
  o Controls the number of concurrent scans and updates per VDI host
  o Maintains availability and performance of the VDI host
  o Faster than the concurrent approach
- Leverages base images to further shorten scan times
  o Pre-scans and white-lists VDI base images
  o Prevents duplicate scanning of unchanged files on a VDI host
  o Further reduces impact on the VDI host
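The per-host serialization and base-image whitelisting described on this slide, and the coordinated and staggered on-demand scans of the Deep Security 7.5 slide earlier, come down to two small pieces of logic: cap how many scans a shared host runs at once, and skip files already known clean from the base image. The Python below is an added example, not OfficeScan or Deep Security code. The host names, desktop names, base image contents and the cap of two concurrent scans per host are constructed for the demo, and "whitelisting" is modelled as a set of SHA-256 hashes taken from the pre-scanned base image.

```python
import hashlib
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass
class Endpoint:
    name: str
    host: Optional[str]       # VDI host the desktop runs on; None for a physical machine
    files: Dict[str, bytes]   # path -> content (constructed sample data)


def whitelist_base_image(base_files: Dict[str, bytes]) -> Set[str]:
    """Pre-scan the base image once and remember the hashes of files found clean."""
    return {hashlib.sha256(data).hexdigest() for data in base_files.values()}


def files_to_scan(endpoint: Endpoint, whitelist: Set[str]) -> List[str]:
    """Only files that differ from the clean base image need a full scan."""
    return [
        path for path, data in endpoint.files.items()
        if hashlib.sha256(data).hexdigest() not in whitelist
    ]


def schedule_scans(endpoints: List[Endpoint], max_concurrent_per_host: int) -> List[List[str]]:
    """Split endpoints into rounds so no VDI host runs more than N scans at once.

    Physical endpoints share no host whose resources need protecting, so each
    gets its own queue and all of them may start in the first round.
    """
    queues: Dict[str, List[str]] = defaultdict(list)
    for ep in endpoints:
        key = ep.host if ep.host is not None else f"physical:{ep.name}"
        queues[key].append(ep.name)

    rounds: List[List[str]] = []
    while any(queues.values()):
        this_round: List[str] = []
        for key in list(queues):
            this_round.extend(queues[key][:max_concurrent_per_host])
            queues[key] = queues[key][max_concurrent_per_host:]
        rounds.append(this_round)
    return rounds


# Constructed base image shared by every desktop clone in the demo.
BASE_IMAGE = {
    "C:/Windows/System32/kernel32.dll": b"kernel32-sample-v1",
    "C:/Windows/explorer.exe": b"explorer-sample-v1",
    "C:/Program Files/App/app.exe": b"app-sample-v1",
}


def make_clone(name: str, host: Optional[str], extra: Optional[Dict[str, bytes]] = None) -> Endpoint:
    files = dict(BASE_IMAGE)
    files.update(extra or {})
    return Endpoint(name, host, files)


def demo():
    whitelist = whitelist_base_image(BASE_IMAGE)
    endpoints = [
        make_clone("vdi-01", "esx-a"),
        make_clone("vdi-02", "esx-a", {"C:/Users/bob/Downloads/invoice.exe": b"unknown-binary"}),
        make_clone("vdi-03", "esx-a"),
        make_clone("vdi-04", "esx-b", {"C:/Windows/explorer.exe": b"explorer-TAMPERED"}),
        make_clone("vdi-05", "esx-b"),
        make_clone("laptop-07", None),   # physical desktop: not subject to the per-host cap
    ]
    rounds = schedule_scans(endpoints, max_concurrent_per_host=2)
    work = {ep.name: files_to_scan(ep, whitelist) for ep in endpoints}
    return rounds, work


if __name__ == "__main__":
    rounds, work = demo()
    for i, names in enumerate(rounds, 1):
        print(f"round {i}: {names}")
    for name, paths in work.items():
        print(f"{name}: {len(paths)} file(s) need a full scan {paths}")
```

The desktop whose explorer.exe no longer matches the base image (vdi-04) is the case the whitelist must not hide: the hash mismatch forces a full scan of that file. Keying the whitelist on content hash alone also skips an identical copy of a known-good file at another path; a production scanner would tie the whitelist to the base image's identity and version and invalidate it whenever the image is rebuilt.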

Thank You


Certifications

Common Criteria
- Evaluation Assurance Level 3 Augmented (EAL 3+)
- Achieved certification across more platforms (Windows, Solaris, Linux) than any other host-based intrusion prevention product
- Deep Security 7.5 registered for EAL 4+

NSS Labs
- Third Brigade Deep Security is the first product to pass NSS Labs' PCI Suitability testing for Host Intrusion Prevention Systems (HIPS).

© Third Brigade, Inc.

Recommendation Scans

- The server being protected is analyzed to determine:
  o OS, service pack and patch level
  o Installed applications and versions
- DPI rules are recommended to shield the unpatched vulnerabilities from attacks
- As patches, hotfixes and updates are applied over time, the Recommendation Scan will:
  o Recommend new rules for assignment
  o Recommend removal of rules no longer required after system patching
- Recommendations for DPI, Integrity Monitoring and Log Inspection rules are supported
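The Recommendation Scan logic above (inventory the OS, patch level and applications; recommend rules that shield unpatched vulnerabilities; retire rules once patching removes the need) is shown below as an added Python example, not Deep Security's own implementation. The rule catalog, rule ids (DPI-1001 and so on), product versions and patch ids are constructed placeholders, and the model in which each rule covers one product version range and is made unnecessary by one fixing patch is an assumption made for the demo.

```python
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


def parse_version(v: str) -> Tuple[int, ...]:
    """Dotted version string -> comparable tuple, e.g. "2.2.14" -> (2, 2, 14)."""
    return tuple(int(part) for part in v.split("."))


@dataclass(frozen=True)
class Rule:
    rule_id: str          # constructed placeholder id, not a real Deep Security rule
    kind: str             # "DPI", "IM" (integrity monitoring) or "LI" (log inspection)
    product: str          # OS or application the rule shields
    max_vulnerable: str   # installed versions <= this are affected (demo assumption)
    fixed_by: str         # placeholder patch/KB id that removes the need for the rule


@dataclass
class Inventory:
    """What the scan learned about the protected server."""
    installed: Dict[str, str]   # product -> installed version (the OS is listed too)
    patches: Set[str]           # patch / hotfix ids present on the system


def rule_needed(rule: Rule, inv: Inventory) -> bool:
    version = inv.installed.get(rule.product)
    if version is None:
        return False   # product not present: nothing to shield
    if parse_version(version) > parse_version(rule.max_vulnerable):
        return False   # running a version past the vulnerable range
    return rule.fixed_by not in inv.patches   # still unpatched: keep the shield


def recommend(inv: Inventory, catalog: List[Rule], assigned: Set[str]) -> Dict[str, List[str]]:
    """Compare the rules a server needs now against the rules it already has."""
    needed = {r.rule_id for r in catalog if rule_needed(r, inv)}
    return {
        "assign": sorted(needed - assigned),
        "unassign": sorted(assigned - needed),
    }


# Constructed catalog for the demo; ids, versions and patch names are placeholders.
CATALOG = [
    Rule("DPI-1001", "DPI", "Apache", "2.2.14", "APACHE-2.2.15"),
    Rule("DPI-1002", "DPI", "Windows", "6.0", "KB-PLACEHOLDER-A"),
    Rule("IM-2001", "IM", "Windows", "6.1", "KB-PLACEHOLDER-B"),
    Rule("LI-3001", "LI", "MySQL", "5.1", "MYSQL-5.1.50"),
]


def demo() -> Tuple[Dict[str, List[str]], Dict[str, List[str]]]:
    """Two scans of the same server: before and after a maintenance window."""
    first = Inventory({"Windows": "6.0", "Apache": "2.2.14"}, set())
    rec1 = recommend(first, CATALOG, assigned=set())
    assigned = set(rec1["assign"])

    # Apache upgraded and one Windows patch applied: the scan retires the
    # shields that the patching made unnecessary and keeps the one still needed.
    second = Inventory({"Windows": "6.0", "Apache": "2.2.15"}, {"KB-PLACEHOLDER-A"})
    rec2 = recommend(second, CATALOG, assigned=assigned)
    return rec1, rec2


if __name__ == "__main__":
    before, after = demo()
    print("first scan:", before)
    print("after patching:", after)
```

The second scan is the part that keeps a virtual-patching deployment honest: rules left assigned after the underlying fix is installed cost inspection time and can mask whether the patch actually landed, so the recommendation to unassign is as important as the recommendation to assign.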

Microsoft Active Protections Program

- Microsoft Active Protections Program (MAPP)
  o Program for security software vendors
  o Members receive security vulnerability information from the Microsoft Security Response Center (MSRC) in advance of Microsoft's monthly security update
  o Members use this information to deliver protection to their customers after the Microsoft Security Bulletins have been published
- Trend Micro's protection is delivered to customers within 2 hours of Microsoft Security Bulletins being published
  o This enables customers to shield their vulnerable systems from attack
  o Systems can then be patched during the next scheduled maintenance window