
Security and Compliance challenges in the Virtualized data centre
A Better Way with Trend Micro Deep Security
John Burroughs , CISSP
Solution Architect , EMEA Trend Micro, Inc.
Copyright 2010 Trend Micro Inc.
Virtualization On The Rise
10 X Growth in next 3 years: 58 Million Virtual Machines by 2012
Through 2012, 60 percent of virtualized servers will be less secure than the physical servers they replace**
**Gartner, Inc
Securing Servers the Traditional Way
[Diagram: three guest VMs on an ESX server, each running its own AV agent over App/OS, with network IDS / IPS in front of the host]
• Anti-virus: Local, agent-based protection in the VM
• IDS / IPS: Network-based device or software solution
Virtualisation & Cloud Computing Create New Security Challenges
[Diagram: hypervisor with guest VMs, labelled Inter-VM attacks, PCI, Mobility, Cloud Computing]
Virtualisation Security Challenges
• Same threats as in physical environments
• New challenges:

Security Challenge                        Compliance Challenge
Inter VM Traffic                          Network Segmentation, IDS/IPS
Concentration of VMs with Mixed           Network Segmentation, IDS/IPS
Trust Levels
Variable State                            Network Segmentation, IDS/IPS,
– Instant ON, Reverted, Paused,           Patch Management, Anti Virus,
  Copied, Restarted...                    Integrity Monitoring
VM Movement                               Network Segmentation, IDS/IPS
VM Sprawl                                 Network Segmentation, IDS/IPS
7/17/2015
Security Inhibitors to Virtualization
[Diagram: resource contention on the host when a typical AV console launches its 3:00am scan]
DEEP SECURITY
Comprehensive, cost-effective and modular security that complements network defenses, for physical and virtualized servers
NSS Labs: Deep Security is the first product to pass NSS Labs’ PCI Suitability testing for Host Intrusion Prevention Systems (HIPS).
Why do hosts need to be self-defending?
• 5th largest payments processor in the US
• Security breach occurred May 2008; disclosed January 20th 2009
• Largest criminal breach of card data to date (130 million records), costing them over $68 million
– Albert Gonzalez sentenced to 20 years in prison March 2010
• Attack
– Entered network (DMZ) via web application (SQL injection) and installed malware
– Propagated a packet sniffer to machines in the transaction network via the corporate network
– Same techniques used to attack Hannaford, 7-Eleven, JC Penney
Trend Micro Deep Security
5 protection modules
• Deep Packet Inspection
– IDS / IPS: Detects and blocks known and zero-day attacks that target vulnerabilities
– Web Application Protection: Shields web application vulnerabilities
– Application Control: Provides increased visibility into, or control over, applications accessing the network
• Firewall: Reduces attack surface. Prevents DoS & detects reconnaissance scans
• Integrity Monitoring: Detects malicious and unauthorized changes to directories, files, registry keys…
• Log Inspection: Optimizes identification of important security events across multiple log files
• Anti-Virus: Detects and blocks malware (viruses & worms, Trojans)
Protection is delivered via Agent and/or Virtual Appliance
Trend Micro Deep Security
Agentless protection for VMware servers
[Diagram: Security Virtual Appliance (Firewall, IDS/IPS, Anti-virus) attached to the guest VMs through the VMware APIs]
• Virtual Appliance secures VMs from the outside, without changes to the VM
• VMware APIs enable
o FW, IDS/IPS at hypervisor layer
o Agentless AV scanning via hypervisor
• Virtual Appliance isolates security for better-than-physical protection
Security Virtual Appliance
[Diagram: Security Virtual Appliance alongside the guest VMs (OS, Kernel) on vSphere (ESX). Appliance components: IDS/IPS (Virtual Patch, App Control), Anti Malware (On Access, On Demand), Firewall. Hypervisor interfaces: VMsafe-net API, EndPointSEC API, VMTools, Introspection APIs]
The Opportunity with Agentless Anti-malware
[Diagram: previously an agent in every VM; today, with vShield Endpoint, a single Virtual Appliance on vSphere]
• More manageable: No agents to configure, update, patch
• Faster performance: Freedom from AV Storms
• Stronger security: Instant ON protection + tamper-proofing
• Higher consolidation: Inefficient operations removed
ESX Memory Utilization
[Chart: ESX memory utilization against number of guest VMs for Anti-Virus “B”, “Y” and “R”]
ESX Network Utilization
[Chart: ESX network utilization over time (seconds) during a signature update for 10 agents, for Anti-Virus “B”, “Y” and “R”]
Deep Security 7.5 Integrates vShield Endpoint & VMsafe
[Diagram: Virtual Appliance connected to vShield Endpoint and to the Trend Micro Smart Protection Network (SPN)]
• Agent-Less Real Time Scan
– Triggers notifications to AV engine on file open/close
– Provides access to file data for scanning
• Agent-Less Manual and Scheduled Scan
– On demand scans are coordinated and staggered
– Traverses guest file-system and triggers notifications to the AV engine
• Integrates with vShield Endpoint (in vSphere 4.1)
• Zero Day Protection
– Trend Micro SPN Integration
• Agent-Less Remediation
– Active Action, Delete, Pass, Quarantine, Clean
• API Level Caching
– Caching of data and results to minimize data traffic and optimize performance
Deep Security Product Components
[Diagram: Deep Security Agents (physical, virtual, cloud) and Deep Security Virtual Appliances managed by the Deep Security Manager, which applies Security Profiles, raises Alerts, produces Reports and receives Security Updates from the Security Center]
• IT Infrastructure Integration
– vCenter
– SIEM
– Active Directory
– Log correlation
– Web services
Addressing Payment Card Industry (PCI) Requirements
Key Deep Security features & capabilities
• (1.) – Network Segmentation
• (1.x) – Firewall
• (5.x) – Anti-virus*
• (6.1) – Virtual Patching**
• (6.6) – Web Application Protection
• (10.6) – Review Logs Daily
• (11.4) – Deploy IDS / IPS
• (11.5) – Deploy File Integrity Monitoring
* Available in Deep Security 7.5 for VMware vSphere environments
** Compensating control subject to QSA approval
The Compliance Mandate
Most influential factor on security spending
$9.2B technology spend in 2010
“I can’t get a project funded unless it’s about compliance”
- Anonymous CISO
Solution Scenarios
SECURITY: Defense-in-Depth
OPERATIONS: Virtual Patching
VIRTUALIZATION: Virtualization Security
COMPLIANCE: PCI Compliance
Introducing OfficeScan 10.5
Industry’s first VDI-aware endpoint security
• VDI-Intelligence
– Increases consolidation rates
– Prevents resource contention
– Pays for itself
• Comprehensive Protection
– Smart Protection Network
– Local Cloud support
– Virtual patching plug-in
• Best for Windows 7
– Logo certification
– 32 bit and 64 bit
– Extensible plug-in architecture
• Enterprise-class
– Scalability management
– Role-based administration
– Active Directory Integration
IT Environment Changes
Challenge: Securing virtual desktops
• Malware risk potential: Identical to physical desktops
– Same operating systems
– Same software
– Same vulnerabilities
– Same user activities
=> Same risk of exposing corporate and sensitive data
• New challenges, unique to VDI:
– Identify endpoints’ virtualization status
– Manage resource contention
• CPU
• Storage IOPS
• Network
OfficeScan 10.5 has VDI-Intelligence
• Detects whether endpoints are physical or virtual
– With VMware View
– With Citrix XenDesktop
• Serializes updates and scans per VDI-host
– Controls the number of concurrent scans and updates per VDI host
– Maintains availability and performance of the VDI host
– Faster than concurrent approach
• Leverages Base-Images to further shorten scan times
– Pre-scans and white-lists VDI base-images
– Prevents duplicate scanning of unchanged files on a VDI host
– Further reduces impact on the VDI host
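The two VDI-Intelligence ideas above, serializing scans per VDI host and skipping files already known from a pre-scanned base image, reduce to a short scheduling and hashing exercise. The Python below is an added illustration, not OfficeScan code or a Trend Micro API: the hosts, VM names, file contents and the per-host concurrency limit are all constructed here, and hashing every file of the base image is the assumed way the white-list is built. The same content-hash lookup is what the "API Level Caching" bullet in the Deep Security 7.5 slide relies on: once a given file content has a verdict, the verdict is reused instead of the data being fetched and scanned again.

```python
import hashlib
from collections import defaultdict

# Constructed sample data (not from any real deployment): one VDI base image
# and two linked clones, each with a small set of files.
BASE_IMAGE = {
    "C:/Windows/System32/kernel32.dll": b"kernel32-contents",
    "C:/Windows/System32/ntdll.dll": b"ntdll-contents",
    "C:/Program Files/App/app.exe": b"app-v1",
}
CLONES = {
    "vdi-01": {
        "C:/Windows/System32/kernel32.dll": b"kernel32-contents",
        "C:/Windows/System32/ntdll.dll": b"ntdll-contents",
        "C:/Program Files/App/app.exe": b"app-v1",
        "C:/Users/alice/Downloads/invoice.exe": b"unknown-download",  # new file
    },
    "vdi-02": {
        "C:/Windows/System32/kernel32.dll": b"kernel32-contents",
        "C:/Windows/System32/ntdll.dll": b"ntdll-contents",
        "C:/Program Files/App/app.exe": b"app-v2-patched",  # changed file
    },
}
# Constructed placement of virtual desktops on VDI hosts.
VM_HOSTS = {"vdi-01": "esx-a", "vdi-02": "esx-a", "vdi-03": "esx-a", "vdi-04": "esx-b"}


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def prescan_base_image(image: dict) -> set:
    """Hash every file of the base image once; the hashes form the white-list.
    (In a real product the base image would also be scanned at this point.)"""
    return {sha256(content) for content in image.values()}


BASE_WHITELIST = prescan_base_image(BASE_IMAGE)


def files_needing_scan(vm_files: dict, whitelist: set) -> list:
    """Return only the paths whose content differs from the white-listed base image,
    i.e. files that are new or modified on this clone."""
    return sorted(path for path, content in vm_files.items()
                  if sha256(content) not in whitelist)


def scan_waves(vm_hosts: dict, max_per_host: int) -> list:
    """Serialize scans per VDI host: group VMs into successive waves so that no
    more than max_per_host VMs on the same host scan in the same wave."""
    per_host = defaultdict(list)
    for vm, host in sorted(vm_hosts.items()):
        per_host[host].append(vm)
    waves = []
    while any(per_host.values()):
        wave = []
        for queue in per_host.values():
            wave.extend(queue[:max_per_host])   # take this host's next batch
            del queue[:max_per_host]
        waves.append(wave)
    return waves


if __name__ == "__main__":
    for vm, files in CLONES.items():
        todo = files_needing_scan(files, BASE_WHITELIST)
        print(f"{vm}: scan {len(todo)} of {len(files)} files -> {todo}")
    for i, wave in enumerate(scan_waves(VM_HOSTS, max_per_host=2), start=1):
        print(f"wave {i}: {wave}")
```

With three clones on esx-a and a limit of two concurrent scans per host, the third clone is pushed into a second wave while esx-b's single clone runs in the first; and each clone only has its new or changed file scanned, which is the effect the slide describes as reducing impact on the VDI host.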
Thank You
Certifications
• Common Criteria
– Evaluation Assurance Level 3 Augmented (EAL 3+)
– Achieved certification across more platforms (Windows, Solaris, Linux) than any other host-based intrusion prevention product.
– Deep Security 7.5 Registered for EAL 4+
• NSS Labs
– Third Brigade Deep Security is the first product to pass NSS Labs’ PCI Suitability testing for Host Intrusion Prevention Systems (HIPS).
© Third Brigade, Inc.
Recommendation Scans
• The server being protected is analyzed to determine:
– OS, service pack and patch level
– Installed applications and version
– DPI rules are recommended to shield the unpatched vulnerabilities from attacks
– As patches, hotfixes, and updates are applied over time, the Recommendation Scan will:
• Recommend new rules for assignment
• Recommend removal of rules no longer required after system patching
– Recommendations for DPI, Integrity Monitoring, and Log Inspection rules are supported
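A Recommendation Scan comes down to a set difference between the rules the host needs today and the rules it has assigned. The Python below is an added illustration of that logic, not Deep Security's own rule engine: the rule IDs (DPI-EX-*), the KB-EXAMPLE patch names, the application names and the version numbers are constructed placeholders, and expressing each rule's "no longer needed" condition as either a fixing OS hotfix or a fixed application version is an assumption made for the example.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class DpiRule:
    """One shielding rule plus the condition under which a host still needs it.
    Rule IDs, patch names and versions in this example are constructed placeholders."""
    rule_id: str
    target: str                              # OS name or installed application name
    fixed_by_patch: Optional[str] = None     # OS hotfix that closes the vulnerability
    fixed_in_version: Optional[str] = None   # application version that closes it


# Constructed rule catalog (not Deep Security's real rule set)
CATALOG = [
    DpiRule("DPI-EX-001", "Windows Server 2008", fixed_by_patch="KB-EXAMPLE-001"),
    DpiRule("DPI-EX-002", "Windows Server 2008", fixed_by_patch="KB-EXAMPLE-002"),
    DpiRule("DPI-EX-003", "ExampleWebApp", fixed_in_version="2.0.0"),
    DpiRule("DPI-EX-004", "OtherApp", fixed_in_version="3.1"),
]


def version_tuple(version: str) -> tuple:
    """'1.8.2' -> (1, 8, 2) so that versions compare numerically, not as strings."""
    return tuple(int(part) for part in version.split("."))


def rule_applies(rule: DpiRule, host: dict) -> bool:
    """True when the host still exposes the vulnerability the rule shields."""
    if rule.target == host["os"]:
        # An OS rule stays needed until its fixing hotfix is installed; a rule
        # with no fixing patch recorded is kept assigned (None is never "installed").
        return rule.fixed_by_patch not in host["patches"]
    installed = host["apps"].get(rule.target)
    if installed is None:
        return False                       # application not present on this host
    if rule.fixed_in_version is None:
        return True                        # no fixed version known: keep shielding
    return version_tuple(installed) < version_tuple(rule.fixed_in_version)


def recommend(host: dict, catalog: list, assigned: set) -> tuple:
    """Return (rules to assign, rules to unassign) for this host's current state."""
    needed = {rule.rule_id for rule in catalog if rule_applies(rule, host)}
    return sorted(needed - assigned), sorted(assigned - needed)


# Constructed inventory of one host before and after a maintenance window
HOST_BEFORE = {
    "os": "Windows Server 2008",
    "patches": {"KB-EXAMPLE-001"},
    "apps": {"ExampleWebApp": "1.8.2"},
}
HOST_AFTER = {
    "os": "Windows Server 2008",
    "patches": {"KB-EXAMPLE-001", "KB-EXAMPLE-002"},
    "apps": {"ExampleWebApp": "2.0.1"},
}

if __name__ == "__main__":
    to_add, to_remove = recommend(HOST_BEFORE, CATALOG, set())
    print("first scan:  assign", to_add, "unassign", to_remove)
    assigned = set(to_add)
    to_add, to_remove = recommend(HOST_AFTER, CATALOG, assigned)
    print("after patch: assign", to_add, "unassign", to_remove)
```

On the first scan the host is missing one hotfix and runs an old application version, so two rules are recommended; after the maintenance window both conditions are satisfied and the same two rules are recommended for removal, which is the assign/unassign cycle the slide describes. The same structure extends to Integrity Monitoring or Log Inspection rules by giving each rule a kind and a matching applicability test.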
Microsoft Active Protections Program
• Microsoft Active Protections Program (MAPP)
– Program for security software vendors
– Members receive security vulnerability information from the Microsoft Security Response Center (MSRC) in advance of Microsoft’s monthly security update
– Members use this information to deliver protection to their customers after the Microsoft Security Bulletins have been published
• Trend Micro’s protection is delivered to customers within 2 hours of Microsoft Security Bulletins being published
– This enables customers to shield their vulnerable systems from attack
– Systems can then be patched during the next scheduled maintenance window