Security and Compliance challenges in the Virtualized data centre A Better Way with Trend Micro Deep Security John Burroughs , CISSP Solution Architect , EMEA Trend Micro, Inc. Copyright 2010 Trend Micro Inc. Virtualization On The Rise 10 X Growth in next 3 years: 58 Million Virtual Machines by 2012 Through 2012, 60 percent of virtualized servers will be less secure than the physical servers they replace** **Gartner, Inc Copyright 2010 Trend Micro Inc. Securing Servers the Traditional Way Network IDS / IPS AV AppApp AV AppApp AV AppApp OS OS OS ESX Server • Anti-virus: Local, agent-based protection in the VM • IDS / IPS : Network-based device or software solution Copyright 2010 Trend Micro Inc. Virtualisation & Cloud Computing Create New Security Challenges Inter-VM attacks PCI Mobility Cloud Computing Hypervisor 3 Copyright 2010 Trend Micro Inc. Virtualisation Security Challenges • Same threats as in physical environments • New challenges: Security Challenges Compliance Challenge Inter VM Traffic Network Segmentation IDS/IPS Concentration of VM with Mixed Trust Levels Network Segmentation IDS/IPS Variable State - Instant ON, Reverted, Paused, Copied, Restarted... Network Segmentation IDS/IPS Patch Management Anti Virus Integrity Monitoring VM Movement Network Segmentation IDS/IPS VM Sprawl Network Segmentation IDS/IPS 1/11/2017 Copyright 2010 Trend Micro Inc. Security Inhibitors to Virtualization Resource contention 3:00am Scan Typical AV Console Copyright 2010 Trend Micro Inc. DEEP SECURITY Comprehensive, cost-effective and modular security that complements network defenses, for physical and virtualized servers NSS Labs Deep Security is the first product to pass NSS Labs’ PCI Suitability testing for Host Intrusion Prevention Systems (HIPS). Copyright 2010 Trend Micro Inc. Who do hosts need to be self defending? • 5th Largest payments processor in the US • Security Breach occurred May 2008; disclosed January 20th 2009 • Largest criminal breach of card data to date (130 Million records), costing them over $68 Million – Albert Gonzalez sentenced to 20 years in Prison March 2010 • Attack – Entered Network (DMZ) via Web Application (via the SQL injection) and installed Malware – Propagated a packet sniffer to machines in the Transaction Network via Corporate Network – Same techniques used to attack Hannaford, 7-eleven, JC Penny Copyright 2010 Trend Micro Inc. Trend Micro Deep Security 5 protection modules Deep Packet Inspection IDS / IPS Shields web application vulnerabilities Web Application Protection Application Control Reduces attack surface. Prevents DoS & detects reconnaissance scans Optimizes identification of important security events across multiple log files Detects and blocks known and zero-day attacks that target vulnerabilities Provides increased visibility into, or control over, applications accessing the network Firewall Integrity Monitoring Detects malicious and unauthorized changes to directories, files, registry keys… Log Inspection Anti-Virus Detects and blocks malware (viruses & worms, Trojans) Protection is delivered via Agent and/or Virtual Appliance 8 Copyright 2010 Trend Micro Inc. Trend Micro Deep Security Agentless protection for VMware servers Security Virtual Appliance • Firewall • IDS/ IPS • Anti-virus VMware APIs • Virtual Appliance secures VMs from the outside, without changes to the VM • VMware APIs enable o FW, IDS/IPS at hypervisor layer o Agentless AV scanning via hypervisor • Virtual Appliance isolates security for better-than-physical protection 9 Copyright 2010 Trend Micro Inc. Security Virtual Appliance Guest VMs Security Virtual Appliance OS IDS/IPS -Virtual Patch - App Control Kernel Anti Malware -On Access - On Demand Firewall VMsafe-net API EndPointSEC API VMTools Introspection API’s vSphere (ESX) Copyright 2010 Trend Micro Inc. The Opportunity with Agentless Anti-malware Previously Agent Agent Today using vShield Endpoint Agent Virtual Appliance vSphere vShield Endpoint • More manageable: No agents to configure, update, patch • Faster performance: Freedom from AV Storms • Stronger security: Instant ON protection + tamper-proofing • Higher consolidation: Inefficient operations removed Copyright 2010 Trend Micro Inc. ESX Memory Utilization Anti-Virus “B” Anti-Virus “Y” Anti-Virus “R” # of Guest VMs 12 12 Copyright 2010 Trend Micro Inc. ESX Network Utilization Signature update for 10 agents Anti-Virus “B” Anti-Virus “Y” Anti-Virus “R” Time (Seconds) 13 13 Copyright 2010 Trend Micro Inc. Deep Security 7.5 Integrates vShield Endpoint & VMsafe • Agent-Less Real Time Scan – Triggers notifications to AV engine on file open/close – Provides access to file data for scanning • Agent-Less Manual and Schedule Scan – On demand scans are coordinated and staggered – Traverses guest file-system and triggers notifications to the AV engine SPN • Integrates with vShield Endpoint (in vSphere 4.1) • Zero Day Protection – Trend Micro SPN Integration Virtual Appl. • Agent-Less Remediation – Active Action, Delete, Pass, Quarantine, Clean • API Level Caching – Caching of data and results to minimize data traffic and optimize performance vShield Endpoint Copyright 2010 Trend Micro Inc. Deep Security Product Components PHYSICAL VIRTUAL CLOUD Deep Security Agent Deep Security Virtual Appliances Security Profiles IT Infrastructure Integration • vCenter • SIEM • Active Directory • Log correlation • Web services Alerts Deep Security Manager Security Center Security Updates Reports 15 Copyright 2010 Trend Micro Inc. Copyright 2010 Trend Micro Inc. Addressing Payment Card Industry (PCI) Requirements Key Deep Security features & capabilities (1.) – Network Segmentation (1.x) – Firewall (5.x) – Anti-virus* (6.1) – Virtual Patching** (6.6) – Web Application Protection (10.6) – Review Logs Daily (11.4) – Deploy IDS / IPS (11.5) – Deploy File Integrity Monitoring * Available in Deep Security 7.5 for VMware vSphere environments ** Compensating control subject to QSA approval 1 Copyright 2010 Trend Micro Inc. The Compliance Mandate Most influential factor on security spending $ 9.2B technology spend in 2010 “I can’t get a project funded unless it’s about compliance” - Anonymous CISO Copyright 2010 Trend Micro Inc. Solution Scenarios SECURITY OPERATIONS Defense-in-Depth Virtual Patching VIRTUALIZAZTION COMPLIANCE Virtualization Security PCI Compliance Copyright 2010 Trend Micro Inc. Introducing OfficeScan 10.5 Industry‘s first VDI-aware endpoint security VDI-Intelligence 5 • Increases consolidation rates • Prevents resource contention • Pays for itself Comprehensive Protection • Smart Protection Network • Local Cloud support • Virtual patching plug-in Best for Windows 7 • Logo certification • 32 bit and 64 bit • Extensible plug-in architecture Enterprise-class • Scalability management • Role-based administration • Active Directory Integration Copyright 2010 Trend Micro Inc. IT Environment Changes Challenge: Securing virtual desktops • Malware risk potential: Identical to physical desktops – – – – Same operating systems Same software Same vulnerabilities Same user activities => Same risk of exposing corporate and sensitive data • New challenges, unique to VDI: – Identify endpoints virtualization status – Manage resource contention • CPU • Storage IOPs • Network Copyright 2010 Trend Micro Inc. OfficeScan 10.5 has VDI-Intelligence • Detects whether endpoints are physical or virtual – With VMware View – With Citrix XenDesktop • Serializes updates and scans per VDI-host – Controls the number of concurrent scans and updates per VDI host – Maintains availability and performance of the VDI host – Faster than concurrent approach • Leverages Base-Images to further shorten scan times – Pre-scans and white-lists VDI base-images – Prevents duplicate scanning of unchanged files on a VDI host – Further reduces impact on the VDI host Copyright 2010 Trend Micro Inc. Thank You Copyright 2010 Trend Micro Inc. Certifications • Common Criteria • Evaluation Assurance Level 3 Augmented (EAL 3+) – Achieved certification across more platforms (Windows, Solaris, Linux) than any other host-based intrusion prevention product. – Deep Security 7.5 Registered for EAL 4+ • NSS Labs – Third Brigade Deep Security is the first product to pass NSS Labs’ PCI Suitability testing for Host Intrusion Prevention Systems (HIPS). © Third Brigade, Inc. Copyright 2010 Trend Micro Inc. 26 Recommendation Scans • The server being protected is analyzed to determine: – – – – OS, service pack and patch level Installed applications and version DPI rules are recommended to shield the unpatched vulnerabilities from attacks As patches, hotfixes, and updates are applied over time, the Recommendation Scan will: • Recommend new rules for assignment • Recommend removal of rules no longer required after system patching – Recommendations for DPI, Integrity Monitoring, and Log Inspection rules are supported Copyright 2010 Trend Micro Inc. Microsoft Active Protections Program • Microsoft Active Protections Program (MAPP) – Program for security software vendors – Members receive security vulnerability information from the Microsoft Security Response Center (MSRC) in advance of Microsoft’s monthly security update – Members use this information to deliver protection to their customers after the Microsoft Security Bulletins have been published • Trend Micro’s protection is delivered to customers within 2 hours of Microsoft Security Bulletins being published – This enables customers to shield their vulnerable systems from attack – Systems can then be patched during the next scheduled maintenance window Copyright 2010 Trend Micro Inc.
© Copyright 2024