Security and Compliance Challenges in the Virtualized Data Centre: A Better Way with Trend Micro Deep Security
John Burroughs, CISSP, Solution Architect, EMEA, Trend Micro, Inc. (Copyright 2010 Trend Micro Inc.)

Post on 22-Dec-2015


Copyright 2010 Trend Micro Inc.



Virtualization On The Rise

10X growth in the next 3 years: 58 million virtual machines by 2012

"Through 2012, 60 percent of virtualized servers will be less secure than the physical servers they replace." (Gartner, Inc.)


Securing Servers the Traditional Way

[Diagram: an ESX server hosting three VMs, each an App on an OS with its own AV agent inside; a network IDS/IPS sits in front of the host.]

• Anti-virus: local, agent-based protection in the VM
• IDS / IPS: network-based device or software solution


Virtualisation & Cloud Computing Create New Security Challenges

[Diagram: hypervisor with the new challenge areas called out: inter-VM attacks, PCI, mobility, cloud computing.]


Virtualisation Security Challenges

• Same threats as in physical environments
• New challenges:

  Security challenge                                  Compliance challenge
  Inter-VM traffic                                    Network segmentation, IDS/IPS
  Concentration of VMs with mixed trust levels        Network segmentation, IDS/IPS
  Variable state (instant-on, reverted, paused,       Network segmentation, IDS/IPS, patch management,
  copied, restarted...)                               anti-virus, integrity monitoring
  VM movement                                         Network segmentation, IDS/IPS
  VM sprawl                                           Network segmentation, IDS/IPS


Security Inhibitors to Virtualization

• Resource contention: a typical AV console schedules the same scan time (e.g. 3:00am) on every guest, so every VM on a host scans at once.


DEEP SECURITY

Comprehensive, cost-effective and modular security that complements network defenses, for physical and virtualized servers

NSS Labs: Deep Security is the first product to pass NSS Labs' PCI Suitability testing for Host Intrusion Prevention Systems (HIPS).


Why do hosts need to be self-defending?

• 5th largest payments processor in the US
• Security breach occurred May 2008; disclosed January 20th 2009
• Largest criminal breach of card data to date (130 million records), costing them over $68 million
  – Albert Gonzalez sentenced to 20 years in prison, March 2010
• Attack
  – Entered the network (DMZ) via a web application (SQL injection) and installed malware
  – Propagated a packet sniffer to machines in the transaction network via the corporate network
  – Same techniques used to attack Hannaford, 7-Eleven, JC Penney


Trend Micro Deep Security

5 protection modules; protection is delivered via Agent and/or Virtual Appliance

• Deep Packet Inspection
  – IDS / IPS: Detects and blocks known and zero-day attacks that target vulnerabilities
  – Web Application Protection: Shields web application vulnerabilities
  – Application Control: Provides increased visibility into, or control over, applications accessing the network
• Firewall: Reduces attack surface. Prevents DoS & detects reconnaissance scans
• Integrity Monitoring: Detects malicious and unauthorized changes to directories, files, registry keys…
• Log Inspection: Optimizes identification of important security events across multiple log files
• Anti-Virus: Detects and blocks malware (viruses & worms, Trojans)
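The Integrity Monitoring module above is described only by what it detects. As an added example (not Trend Micro's code, and not how Deep Security implements it internally), here is the core of a file-integrity monitor: snapshot every regular file under a root (SHA-256, permission bits, size), then diff a later snapshot to report added, removed and modified paths. The directory tree, the file contents and the simulated tampering in `demo()` are all constructed inline so the script runs offline.

```python
# Added example (not Trend Micro's code): a minimal file-integrity monitor of the
# kind the Integrity Monitoring module describes. It snapshots every regular
# file under a root (SHA-256, permission bits, size), then diffs a later snapshot
# to report added, removed and modified paths. The directory tree, file contents
# and the "tampering" in demo() are constructed inline so it runs offline.
import hashlib
import os
import stat
import tempfile


def hash_file(path, chunk=65536):
    """SHA-256 of a file, read in chunks so large binaries are not loaded whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def snapshot(root):
    """Map each regular file (path relative to root) -> (sha256, mode bits, size).
    Symlinks and special files are skipped via lstat, so a planted symlink
    cannot redirect the scan outside the monitored tree."""
    entries = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if not stat.S_ISREG(st.st_mode):
                continue
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            entries[rel] = (hash_file(full), stat.S_IMODE(st.st_mode), st.st_size)
    return entries


def diff(baseline, current):
    """Compare two snapshots; a change in hash, mode or size counts as modified."""
    base_paths, cur_paths = set(baseline), set(current)
    return {
        "added": sorted(cur_paths - base_paths),
        "removed": sorted(base_paths - cur_paths),
        "modified": sorted(p for p in base_paths & cur_paths if baseline[p] != current[p]),
    }


def demo():
    """Build a tiny tree, baseline it, simulate an intrusion and return the diff."""
    with tempfile.TemporaryDirectory() as root:
        etc = os.path.join(root, "etc")
        os.makedirs(etc)
        with open(os.path.join(etc, "passwd"), "w") as f:
            f.write("root:x:0:0:root:/root:/bin/bash\n")
        with open(os.path.join(etc, "hosts"), "w") as f:
            f.write("127.0.0.1 localhost\n")
        baseline = snapshot(root)

        # Constructed tampering: a second UID-0 account is appended, hosts is
        # deleted and an unexpected binary is dropped at the top level.
        with open(os.path.join(etc, "passwd"), "a") as f:
            f.write("backdoor:x:0:0::/:/bin/sh\n")
        os.remove(os.path.join(etc, "hosts"))
        with open(os.path.join(root, "nc.exe"), "wb") as f:
            f.write(b"MZ\x90\x00")

        return diff(baseline, snapshot(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

The baseline itself is the thing an attacker will target next, so in practice it is stored off-host (or signed) rather than beside the files it describes; the comparison logic does not change.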


Trend Micro Deep Security: Agentless protection for VMware servers

Security Virtual Appliance
• Firewall
• IDS/IPS
• Anti-virus

• The Virtual Appliance secures VMs from the outside, without changes to the VM
• VMware APIs enable
  o FW, IDS/IPS at the hypervisor layer
  o Agentless AV scanning via the hypervisor
• The Virtual Appliance isolates security for better-than-physical protection


Security Virtual Appliance

[Diagram: vSphere (ESX) hosting the Security Virtual Appliance alongside the guest VMs (OS kernel plus VMTools in each guest). The appliance reaches the guests through two introspection APIs: the EndPointSEC API carries anti-malware (on-access and on-demand) scanning, and the VMsafe-net API carries the firewall and IDS/IPS (virtual patching, application control).]


The Opportunity with Agentless Anti-malware

[Diagram: previously, an AV agent inside every guest on vSphere; today, a single Virtual Appliance scanning the guests through vShield Endpoint.]

• More manageable: no agents to configure, update, patch
• Faster performance: freedom from AV storms
• Stronger security: instant-on protection + tamper-proofing
• Higher consolidation: inefficient operations removed


[Chart: ESX memory utilization versus number of guest VMs, for three anti-virus products labelled "B", "Y" and "R".]

[Chart: ESX network utilization, time in seconds for a signature update to 10 agents, for anti-virus products "B", "Y" and "R".]


Deep Security 7.5 Integrates vShield Endpoint & VMsafe

• Agent-less real-time scan
  – Triggers notifications to the AV engine on file open/close
  – Provides access to file data for scanning
• Agent-less manual and scheduled scan
  – On-demand scans are coordinated and staggered
  – Traverses the guest file system and triggers notifications to the AV engine
• Integrates with vShield Endpoint (in vSphere 4.1)
• Zero-day protection
  – Trend Micro SPN (Smart Protection Network) integration
• Agent-less remediation
  – Active Action, Delete, Pass, Quarantine, Clean
• API-level caching
  – Caching of data and results to minimize data traffic and optimize performance

[Diagram: Virtual Appliance connected to vShield Endpoint, with lookups to SPN.]


Deep Security Product Components

• Deep Security Manager: Security Center, alerts, security profiles, security updates, reports
• IT infrastructure integration: vCenter, SIEM, Active Directory, log correlation, web services
• Deep Security Agent and Deep Security Virtual Appliances, covering physical, virtual and cloud servers


Addressing Payment Card Industry (PCI) Requirements


Key Deep Security features & capabilities

(1.) – Network Segmentation

(1.x) – Firewall

(5.x) – Anti-virus*

(6.1) – Virtual Patching**

(6.6) – Web Application Protection

(10.6) – Review Logs Daily

(11.4) – Deploy IDS / IPS

(11.5) – Deploy File Integrity Monitoring

* Available in Deep Security 7.5 for VMware vSphere environments
** Compensating control subject to QSA approval


The Compliance Mandate

“I can’t get a project funded unless it’s about compliance”

- Anonymous CISO

Most influential factor on security spending: $9.2B technology spend in 2010


Solution Scenarios

• SECURITY: Defense-in-Depth
• OPERATIONS: Virtual Patching
• COMPLIANCE: PCI Compliance
• VIRTUALIZATION: Virtualization Security


Introducing OfficeScan 10.5: Industry's first VDI-aware endpoint security

VDI-Intelligence
• Increases consolidation rates
• Prevents resource contention
• Pays for itself

Comprehensive Protection
• Smart Protection Network
• Local Cloud support
• Virtual patching plug-in

Best for Windows 7
• Logo certification
• 32-bit and 64-bit
• Extensible plug-in architecture

Enterprise-class management
• Scalability
• Role-based administration
• Active Directory integration


IT Environment Changes. Challenge: Securing virtual desktops

• Malware risk potential: identical to physical desktops
  – Same operating systems
  – Same software
  – Same vulnerabilities
  – Same user activities
  => Same risk of exposing corporate and sensitive data
• New challenges, unique to VDI:
  – Identify endpoints' virtualization status
  – Manage resource contention
    • CPU
    • Storage IOPS
    • Network


OfficeScan 10.5 has VDI-Intelligence

• Detects whether endpoints are physical or virtual
  – With VMware View
  – With Citrix XenDesktop
• Serializes updates and scans per VDI host
  – Controls the number of concurrent scans and updates per VDI host
  – Maintains availability and performance of the VDI host
  – Faster than the concurrent approach
• Leverages base images to further shorten scan times
  – Pre-scans and whitelists VDI base images
  – Prevents duplicate scanning of unchanged files on a VDI host
  – Further reduces impact on the VDI host
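The two mechanisms on this slide, serialising scans per VDI host and skipping files that match a pre-scanned base image, are the same answer to the "3:00am scan" resource-contention problem and to the staggered on-demand scans mentioned for Deep Security 7.5. As an added example (not OfficeScan's implementation), the script below groups endpoints by the host they run on, lets at most `MAX_PER_HOST` desktops on one host scan in the same wave while physical endpoints are never throttled, and hashes guest files against a base-image whitelist so only new or changed files are scanned. The endpoint inventory, host names and file contents are constructed; in the product the physical/virtual determination comes from the VMware View or Citrix XenDesktop integration.

```python
# Added example (not OfficeScan's implementation): VDI-aware scan scheduling.
# It groups endpoints by the VDI host they run on, lets at most MAX_PER_HOST
# desktops on one host scan at a time (serialising the "everyone scans at
# 03:00" storm), and skips files whose hash matches a pre-scanned base image.
# Endpoint names, host names and file contents are constructed for illustration.
import hashlib
from collections import defaultdict

MAX_PER_HOST = 2

# Constructed inventory: endpoint -> VDI host, or None for a physical machine.
# In the product this comes from the VMware View / Citrix XenDesktop integration.
ENDPOINTS = {
    "vd-01": "esx-a", "vd-02": "esx-a", "vd-03": "esx-a",
    "vd-04": "esx-b",
    "laptop-7": None,
}


def schedule_waves(endpoints, max_per_host=MAX_PER_HOST):
    """Return successive waves of endpoints allowed to scan concurrently.
    Physical endpoints share no host, so each is its own group and is never throttled."""
    by_host = defaultdict(list)
    for name, host in sorted(endpoints.items()):
        by_host[host or name].append(name)
    waves, i = [], 0
    while True:
        wave = [n for names in by_host.values()
                for n in names[i * max_per_host:(i + 1) * max_per_host]]
        if not wave:
            return waves
        waves.append(sorted(wave))
        i += 1


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def base_image_whitelist(base_files):
    """Pre-scan the golden image once: path -> content hash of every clean file."""
    return {path: sha256(content) for path, content in base_files.items()}


def files_to_scan(whitelist, guest_files):
    """Only files absent from the base image, or changed since, need scanning."""
    return sorted(p for p, content in guest_files.items()
                  if whitelist.get(p) != sha256(content))


# Constructed base image and one guest's files.
BASE_IMAGE = {"C:/Windows/notepad.exe": b"base notepad", "C:/Windows/calc.exe": b"base calc"}
GUEST = {
    "C:/Windows/notepad.exe": b"base notepad",      # unchanged -> skipped
    "C:/Windows/calc.exe": b"trojanised calc",      # modified -> scanned
    "C:/Users/alice/update.exe": b"new file",       # not in image -> scanned
}


def demo():
    return {
        "waves": schedule_waves(ENDPOINTS),
        "to_scan": files_to_scan(base_image_whitelist(BASE_IMAGE), GUEST),
    }


if __name__ == "__main__":
    print(demo())
```

The whitelist is only as good as the image it was built from: it must be rebuilt (and the image rescanned) after every pattern update or image change, otherwise a file that was malicious but unknown at pre-scan time stays permanently skipped.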


Thank You


Certifications

• Common Criteria
  – Evaluation Assurance Level 3 Augmented (EAL 3+): achieved certification across more platforms (Windows, Solaris, Linux) than any other host-based intrusion prevention product
  – Deep Security 7.5 registered for EAL 4+
• NSS Labs
  – Third Brigade Deep Security is the first product to pass NSS Labs' PCI Suitability testing for Host Intrusion Prevention Systems (HIPS)

© Third Brigade, Inc.


Recommendation Scans

• The server being protected is analyzed to determine:
  – OS, service pack and patch level
  – Installed applications and versions
• DPI rules are recommended to shield the unpatched vulnerabilities from attack
• As patches, hotfixes, and updates are applied over time, the Recommendation Scan will:
  – Recommend new rules for assignment
  – Recommend removal of rules no longer required after system patching
• Recommendations for DPI, Integrity Monitoring, and Log Inspection rules are supported


Microsoft Active Protections Program

• Microsoft Active Protections Program (MAPP)
  – Program for security software vendors
  – Members receive security vulnerability information from the Microsoft Security Response Center (MSRC) in advance of Microsoft's monthly security update
  – Members use this information to deliver protection to their customers after the Microsoft Security Bulletins have been published
• Trend Micro's protection is delivered to customers within 2 hours of Microsoft Security Bulletins being published
  – This enables customers to shield their vulnerable systems from attack
  – Systems can then be patched during the next scheduled maintenance window
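The Recommendation Scan slide and the MAPP slide describe one lifecycle: a DPI rule shields a vulnerability until the patch lands in a maintenance window, after which the rule should be unassigned. As an added example (not Deep Security's own logic), the script below compares a host inventory (OS, applied patches, installed applications and versions) against a small rule catalogue and returns which rules to assign and which to unassign, before and after a patch cycle. Rule IDs, patch identifiers, product names and version numbers are all constructed for illustration.

```python
# Added example (not Deep Security's own logic): a recommendation scan that
# compares a host's inventory against a catalogue of DPI (virtual patching)
# rules and says which rules to assign now and which to unassign because the
# real patch has since been applied. Rule IDs, patch identifiers, product
# names and version numbers below are all constructed for illustration.
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional, Tuple

Version = Tuple[int, ...]


@dataclass(frozen=True)
class DpiRule:
    rule_id: str
    product: str                                 # OS name or application name as inventoried
    fixed_by_patch: Optional[str] = None         # OS rule: patch that removes the exposure
    fixed_in_version: Optional[Version] = None   # app rule: first non-vulnerable version


@dataclass
class HostInventory:
    os_name: str
    patches: FrozenSet[str]        # patches/hotfixes already applied
    apps: Dict[str, Version]       # installed application -> version


def rule_applies(rule: DpiRule, host: HostInventory) -> bool:
    """A rule is needed only while the vulnerability it shields is still present."""
    if rule.product == host.os_name and rule.fixed_by_patch is not None:
        return rule.fixed_by_patch not in host.patches
    if rule.product in host.apps and rule.fixed_in_version is not None:
        return host.apps[rule.product] < rule.fixed_in_version
    return False


def recommend(rules, host, assigned):
    """Return (rules to assign, rules to unassign) relative to the current assignment."""
    needed = {r.rule_id for r in rules if rule_applies(r, host)}
    return sorted(needed - set(assigned)), sorted(set(assigned) - needed)


# Constructed rule catalogue; identifiers are placeholders, not real rule or KB numbers.
RULES = [
    DpiRule("1000001", "windows_2008", fixed_by_patch="PATCH-A"),
    DpiRule("1000002", "windows_2008", fixed_by_patch="PATCH-B"),
    DpiRule("1000003", "apache_httpd", fixed_in_version=(2, 2, 15)),
    DpiRule("1000004", "mysql", fixed_in_version=(5, 1, 40)),
    DpiRule("1000005", "openssh", fixed_in_version=(5, 4)),   # product not installed here
]


def demo():
    host = HostInventory(
        os_name="windows_2008",
        patches=frozenset({"PATCH-A"}),
        apps={"apache_httpd": (2, 2, 14), "mysql": (5, 1, 45)},
    )
    assigned = {"1000001"}           # left over from an earlier scan; PATCH-A is now applied
    before = recommend(RULES, host, assigned)

    # Maintenance window: PATCH-B installed and Apache upgraded, then rescan.
    patched = HostInventory(
        os_name=host.os_name,
        patches=host.patches | {"PATCH-B"},
        apps={**host.apps, "apache_httpd": (2, 2, 15)},
    )
    after = recommend(RULES, patched, set(assigned) | set(before[0]))
    return {"before": before, "after": after}


if __name__ == "__main__":
    print(demo())
```

The first scan assigns the two rules for exposures still present and drops the one whose patch is already installed; after the maintenance window the rescan recommends removing all three, which is the "removal of rules no longer required after system patching" step. Keeping stale rules costs inspection time on every packet, so the unassign list matters as much as the assign list.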