copyright 2010 trend micro inc. security and compliance challenges in the virtualized data centre...
Post on 22-Dec-2015
214 views
TRANSCRIPT
Copyright 2010 Trend Micro Inc.
Security and Compliance challenges in the Virtualized data centre
John Burroughs , CISSP
Solution Architect , EMEA Trend Micro, Inc.
A Better Way with Trend Micro Deep Security
Copyright 2010 Trend Micro Inc.
Virtualization On The Rise
10 X Growth in next 3 years: 58 Million Virtual Machines by 201210 X Growth in next 3 years:
58 Million Virtual Machines by 2012
Through 2012, 60 percent of virtualized servers will be less secure than the physical servers they replace** **Gartner, Inc
Copyright 2010 Trend Micro Inc.
Securing Servers the Traditional Way
App
OS
NetworkIDS / IPS ESX Server
App
OS
App
OS
AppAV AppAV AppAV
• Anti-virus: Local, agent-based protection
in the VM
• IDS / IPS : Network-based device or
software solution
Copyright 2010 Trend Micro Inc.
Virtualisation & Cloud Computing Create New Security Challenges
4
Hypervisor
Inter-VM attacks PCI Mobility Cloud Computing
Copyright 2010 Trend Micro Inc.
Virtualisation Security Challenges• Same threats as in physical environments
• New challenges:
04/19/23
Security Challenges Compliance Challenge
Inter VM Traffic Network SegmentationIDS/IPS
Concentration of VM with Mixed Trust Levels
Network SegmentationIDS/IPS
Variable State- Instant ON, Reverted, Paused, Copied, Restarted...
Network SegmentationIDS/IPSPatch ManagementAnti VirusIntegrity Monitoring
VM Movement Network SegmentationIDS/IPS
VM Sprawl Network SegmentationIDS/IPS
Copyright 2010 Trend Micro Inc.
Resource contention
Typical AV Console
3:00am Scan
Security Inhibitors to Virtualization
Copyright 2010 Trend Micro Inc.
DEEP SECURITY
Comprehensive, cost-effective and modular security that complements network defenses, for physical and virtualized servers
NSS LabsDeep Security is the first product to pass NSS Labs’ PCI Suitability testing for Host Intrusion Prevention Systems (HIPS).
Copyright 2010 Trend Micro Inc.
Who do hosts need to be self defending?
• 5th Largest payments processor in the US
• Security Breach occurred May 2008; disclosed January 20th 2009
• Largest criminal breach of card data to date (130 Million records), costing them over $68 Million– Albert Gonzalez sentenced to 20 years in Prison March 2010
• Attack– Entered Network (DMZ) via Web Application (via the SQL
injection) and installed Malware– Propagated a packet sniffer to machines in the Transaction
Network via Corporate Network– Same techniques used to attack Hannaford, 7-eleven, JC
Penny
Copyright 2010 Trend Micro Inc.9
IDS / IPS
Web Application Protection
Application Control
Firewall
Deep Packet Inspection
IntegrityMonitoring
Log Inspection
Anti-Virus
Detects and blocks known and zero-day attacks that target vulnerabilities
Shields web application vulnerabilities Provides increased visibility into,
or control over, applications accessing the network
Reduces attack surface. Prevents DoS & detects reconnaissance scans
Detects malicious and unauthorized changes to directories, files, registry keys…
Optimizes identification of important security events across multiple log files
Detects and blocks malware (viruses & worms, Trojans)
Trend Micro Deep Security
Protection is delivered via Agent and/or Virtual Appliance
5 protection modules
Copyright 2010 Trend Micro Inc.
Trend Micro Deep SecurityAgentless protection for VMware servers
10
Security Virtual Appliance• Firewall
• IDS/ IPS
• Anti-virus
• Virtual Appliance secures VMs from the outside, without changes to the VM
• VMware APIs enable o FW, IDS/IPS at hypervisor layero Agentless AV scanning via hypervisor
• Virtual Appliance isolates security for better-than-physical protection
VMware APIs
Copyright 2010 Trend Micro Inc.
Security Virtual Appliance
vSphere (ESX)Introspection API’sIntrospection API’s
Anti Malware-On Access- On Demand
Anti Malware-On Access- On Demand
Guest VMs
OSKernelKernel
VMToolsVMTools
IDS/IPS-Virtual Patch- App Control
IDS/IPS-Virtual Patch- App Control
FirewallFirewall
EndPointSEC APIEndPointSEC APIVMsafe-net APIVMsafe-net API
Security Virtual Appliance
Copyright 2010 Trend Micro Inc.
The Opportunity with Agentless Anti-malware
Virtual Appliance
Agent
vShield Endpoint
AgentAgent
vSphere
Today using vShield EndpointPreviously
• More manageable: No agents to configure, update, patch
• Faster performance: Freedom from AV Storms
• Stronger security: Instant ON protection + tamper-proofing
• Higher consolidation: Inefficient operations removed
Copyright 2010 Trend Micro Inc.
ESX Memory Utilization
13
# of Guest VMs
Anti-Virus “B”
Anti-Virus “Y”
Anti-Virus “R”
13
Copyright 2010 Trend Micro Inc.
ESX Network Utilization Signature update for 10 agents
14
Anti-Virus “B”
Time (Seconds)
Anti-Virus “Y”
Anti-Virus “R”
14
Copyright 2010 Trend Micro Inc.
Deep Security 7.5 Integrates vShield Endpoint & VMsafe
• Agent-Less Real Time Scan– Triggers notifications to AV engine on file open/close– Provides access to file data for scanning
• Agent-Less Manual and Schedule Scan– On demand scans are coordinated and staggered– Traverses guest file-system and triggers notifications to the AV
engine
• Integrates with vShield Endpoint (in vSphere 4.1)
• Zero Day Protection– Trend Micro SPN Integration
• Agent-Less Remediation– Active Action, Delete, Pass, Quarantine, Clean
• API Level Caching– Caching of data and results to minimize data traffic and optimize performance
Virtual Appl.
vShield Endpoint
SPN
Copyright 2010 Trend Micro Inc.
Deep Security Product Components
Deep SecurityManager
Security Center
Alerts
SecurityProfiles
SecurityUpdates
Reports
IT InfrastructureIntegration• vCenter• SIEM• Active Directory• Log correlation• Web services
16
Deep Security Agent
Deep Security Virtual Appliances
PHYSICAL VIRTUAL CLOUD
Copyright 2010 Trend Micro Inc.
Addressing Payment Card Industry (PCI) Requirements
18
Key Deep Security features & capabilities
(1.) – Network Segmentation
(1.x) – Firewall
(5.x) – Anti-virus*
(6.1) – Virtual Patching**
(6.6) – Web Application Protection
(10.6) – Review Logs Daily
(11.4) – Deploy IDS / IPS
(11.5) – Deploy File Integrity Monitoring
* Available in Deep Security 7.5 for VMware vSphere environments** Compensating control subject to QSA approval
Copyright 2010 Trend Micro Inc.
The Compliance Mandate
“I can’t get a project funded unless it’s about compliance”
- Anonymous CISO
Most influential factor on security spending
$ 9.2B technology spend
in 2010
Copyright 2010 Trend Micro Inc.
Solution Scenarios
SECURITYDefense-in-Depth
OPERATIONSVirtual Patching
COMPLIANCEPCI Compliance
VIRTUALIZAZTIONVirtualization Security
Copyright 2010 Trend Micro Inc.
VDI-Intelligence
• Increases consolidation rates• Prevents resource contention• Pays for itself
Comprehensive Protection
• Smart Protection Network• Local Cloud support• Virtual patching plug-in
Introducing OfficeScan 10.5Industry‘s first VDI-aware endpoint security
5
Best for Windows 7• Logo certification• 32 bit and 64 bit• Extensible plug-in architecture
Enterprise-class management• Scalability
• Role-based administration• Active Directory Integration
Copyright 2010 Trend Micro Inc.
IT Environment ChangesChallenge: Securing virtual desktops
• Malware risk potential: Identical to physical desktops– Same operating systems
– Same software
– Same vulnerabilities
– Same user activities
=> Same risk of exposing corporate and sensitive data
• New challenges, unique to VDI:– Identify endpoints virtualization status
– Manage resource contention
• CPU
• Storage IOPs
• Network
Copyright 2010 Trend Micro Inc.
OfficeScan 10.5 has VDI-Intelligence
• Detects whether endpoints are physical or virtual– With VMware View– With Citrix XenDesktop
• Serializes updates and scans per VDI-host– Controls the number of concurrent scans and updates per VDI host– Maintains availability and performance of the VDI host– Faster than concurrent approach
• Leverages Base-Images to further shorten scan times– Pre-scans and white-lists VDI base-images– Prevents duplicate scanning of unchanged files on a VDI host– Further reduces impact on the VDI host
Copyright 2010 Trend Micro Inc.
Certifications
• Common Criteria
• Evaluation Assurance Level 3 Augmented (EAL 3+) – Achieved certification across more platforms (Windows,
Solaris, Linux) than any other host-based intrusion prevention product.
– Deep Security 7.5 Registered for EAL 4+
• NSS Labs– Third Brigade Deep Security is the first product to pass
NSS Labs’ PCI Suitability testing for Host Intrusion Prevention Systems (HIPS).
27© Third Brigade, Inc.
Copyright 2010 Trend Micro Inc.
Recommendation Scans
• The server being protected is analyzed to determine:– OS, service pack and patch level– Installed applications and version– DPI rules are recommended to shield the unpatched vulnerabilities from attacks– As patches, hotfixes, and updates are applied over time, the Recommendation Scan
will:• Recommend new rules for assignment• Recommend removal of rules no longer required after system patching
– Recommendations for DPI, Integrity Monitoring, and Log Inspection rules are supported
Copyright 2010 Trend Micro Inc.
Microsoft Active Protections Program
• Microsoft Active Protections Program (MAPP)– Program for security software vendors– Members receive security vulnerability information from the Microsoft
Security Response Center (MSRC) in advance of Microsoft’s monthly security update
– Members use this information to deliver protection to their customers after the Microsoft Security Bulletins have been published
• Trend Micro’s protection is delivered to customers within 2 hours of Microsoft Security Bulletins being published
– This enables customers to shield their vulnerable systems from attack – Systems can then be patched during the next scheduled maintenance window