Securing Your Virtual World
Arnoud Hablous
Enterprise Sales Manager
Copyright 2009 Trend Micro Inc.
Agenda
• The Strategy of Trend Micro
• The Benefits of Virtualization
• The Challenge of Virtualization Security
• The Host Defends Itself
• Data is Secure and Controlled in the Public Cloud
• Securing the Computing Chain
Threat Environment Evolution to Crimeware

Figure: threat evolution plotted against rising complexity, from Vulnerabilities and Worm Outbreaks, through Mass Mailers and Spam, Spyware, Web Threats and Intelligent Botnets, to Crimeware. Characteristics called out on the slide:
• Information Stealing
• Botnet Enabled
• Multi-Vector
• Multi-Component
• Web
• Polymorphic
• Rapid Variants
• Single Instance
• Single Target
• Regional Attacks
• Silent, Hidden
• Hard to Clean
Trend Micro Smart Protection Network
Security Made Smarter

Figure: Web Reputation, File Reputation and Email Reputation services sit between the threats and the protected infrastructure (Cloud, Endpoint, Gateway, Off Network, Messaging, SaaS/Managed), with Threat Collection, Management and Partners (ISPs, Routers, etc.) feeding the network.
The Changing Datacenter
PHYSICAL → VIRTUAL → CLOUD

“By 2012, more than 40% of x86 architecture server loads in enterprises will be running in virtual machines” (October 7, 2009)
The Benefits of Virtualisation
• Reduce IT capital expense by 50%
• Reduce administration overhead
• Reduce IT operational expense
• Reduce carbon footprint
• Increase flexibility
• And more…
Software Vulnerabilities Are Being Targeted

“Gas refineries at Defcon 1 as SCADA exploit goes wild” (September 8, 2008): Gasoline refineries, manufacturing plants and other critical facilities that rely on computerized control systems just became more vulnerable to tampering or sabotage with the release of attack code that exploits a security flaw in a widely used piece of software.

“Critical Windows vulnerability under attack, Microsoft warns” (May 28, 2009): Microsoft has warned of a critical security bug in older versions of its Windows operating system that is already being exploited in the wild to remotely execute malware on vulnerable machines.

“Next-gen SQL injection opens server door: 1 in 10 sites naked” (April 2, 2009): A vulnerability estimated to affect more than 1 in 10 websites could go lethal with the finding that it can be used to reliably take complete control of the site's underlying server.

Same threats as:
“99.9% of records were compromised from servers and applications”
“79% of records breached involved SQL injection”
2009 Data Breach Investigations Report conducted by Verizon Business RISK Team
Evolution of Information Security Technology
“Evolution of Information Security Technology”, Dan Hitchcock, Microsoft, Oct 2005
Virtualisation Creates Security Challenges

Old Model: infrastructure security protects applications & servers. Each application (App1 … App4) runs on its own OS on its own hardware (HW).

New Model: VM1 … VM4, each an App (App1 … App4) on its own OS (OS1 … OS4), all sharing one hypervisor. Virtual servers and apps move, change… IPS needs reconfiguration… so does the firewall… where is file OS?…
VMs Need Specialised Protection

Same threats in virtualised servers as physical:
– Software Vulnerability Exploits
– Patch Management
– Web Application Threats
– Policy & Compliance
– System & Data Integrity

New challenges:
1. Dormant VMs
2. Resource contention
3. VM Sprawl
4. Inter-VM traffic
5. vMotion
The Compliance Imperative

More standards:
• PCI, SAS70, HIPAA, ISO 27001, FISMA / NIST 800-53, MITS…
More specific security requirements:
• Virtualization, Web applications, EHR, PII…
More penalties & fines:
• HITECH, Breach notifications, civil litigation

“DMZ consolidation using virtualization will be a ‘hot spot’ for auditors, given the greater risk of misconfiguration and lower visibility of DMZ policy violation. Through year-end 2011, auditors will challenge virtualized deployments in the DMZ more than non-virtualized DMZ solutions.”
-- Neil MacDonald, Gartner, June 2009
Nemertes Research 2009
• Compliance drives security spending
– 80% of security practitioners say it’s the primary justification*
• Using existing controls may pass an audit but lacks the monitoring, logging and access controls to prove compliance at all times for the virtual infrastructure
– The dynamics of virtualization make it particularly challenging to track information flow

* Nemertes Research Benchmark survey where 2,500+ IT executives share strategies, costs, vendor satisfaction
Virtualization Auditing Challenges …
• Audit procedures not prescriptive
– Many auditors lack expertise and knowledge with regard to virtualization
– PCI Virtualization SIG working on guidance, but …
• High consolidation of different server types
– At odds with traditional recommendation of single function servers
• Mobility of VMs
– VMs are not ‘tied’ to any one physical server or physical location
• Virtual environments continuously evolving
– VM state cannot be assumed (cloned, paused, offline)
– Configuration errors easily propagated
Dynamic Datacenter
PHYSICAL: servers under attack
VIRTUAL: servers virtual and in motion
CLOUD: servers in the open
Vision for the New Datacenter Security Model
“The virtual host must protect itself”
• Self-secured application: App FW, IPS, AV…
• VM & network security integration

Figure: VM1 (App1 on OS1) and VM3 (App3 on OS3) running on a shared hypervisor.
Server & application protection for PHYSICAL, VIRTUAL and CLOUD:
• Deep Packet Inspection
• Firewall
• Integrity Monitoring
• Log Inspection
• Anti-Malware (Q3/2010, within the DSVA)
Data is Secure and Controlled in the Public Cloud
Who Has Control?

Figure: a spectrum from Servers, through Private Cloud (Virtualization), to Public Cloud IaaS, PaaS and SaaS, showing how much of each layer is controlled by the End-User (Enterprise) versus the Service Provider.
Public Cloud

Figure: Internet, Shared Firewall, Shared Storage and Virtual Servers, with these risks called out:
• Multiple customers on one physical server – potential for attacks via the hypervisor
• Shared network inside the firewall
• Shared firewall – lowest common denominator – less fine-grained control
• Easily copied machine images – who else has your server?
• Shared storage – is customer segmentation secure against attack?
Attack options

Figure: “You” and “Attacker” shown sharing the same infrastructure.
• Trivially easy
– Share the same bank of servers
• Same network – attack the VLAN
• Same storage – attack the segmentation
• Realistically achievable
– Share the same physical hardware*
• Same hypervisor – is it vulnerable?

*Source: http://cseweb.ucsd.edu/~hovav/papers/rtss09.html
Enterprise Solution: Public Cloud Data Protection
Enterprise Manages Directly
Conclusion
• Public Cloud offers key benefits
• But also high risk
• To benefit fully from this new opportunity we need a new generation of security products designed for the cloud
Public Cloud – Private Security

Figure: Internet, Shared Firewall, Shared Storage and Virtual Servers again, with each public-cloud risk paired with the answer a self-protecting virtual server gives:
• Multiple customers on one physical server – potential for attacks via the hypervisor
  Doesn’t matter – the edge of my virtual server is firewalled
• Shared network inside the firewall
  Doesn’t matter – treat the LAN as public
• Shared firewall – lowest common denominator – less fine-grained control
  Doesn’t matter – treat the LAN as public
• Easily copied machine images – who else has your server?
  Doesn’t matter – they can start my server but only I can unlock my data
• Shared storage – is customer segmentation secure against attack?
  Doesn’t matter – my data is encrypted (no breadcrumbs)
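The last two answers rest on the data being encrypted under a key that only the enterprise holds. The Python sketch below is an added example, not Trend Micro or Deep Security code: the machine image and the shared storage behind it carry only salt, nonce, tag and ciphertext, so a copied image exposes nothing and any attempt to unlock it with a different key, or after tampering, is rejected. HMAC-SHA256 in counter mode stands in for AES-GCM only because Python's standard library has no AES; the passphrase, record and blob layout are constructed for the example.

```python
"""Customer-held-key protection for data inside a public-cloud image.
Added example (not Trend Micro code): the key is derived from a passphrase
kept by the enterprise; the image holds salt | nonce | tag | ciphertext only.
HMAC-SHA256 in counter mode stands in for AES-GCM (no AES in the stdlib);
a real deployment uses AES-GCM or volume encryption such as dm-crypt."""
import hashlib
import hmac
import os

def derive_keys(passphrase: bytes, salt: bytes) -> tuple:
    """Stretch the enterprise passphrase into separate encryption and MAC keys."""
    km = hashlib.pbkdf2_hmac("sha256", passphrase, salt, 100_000, dklen=64)
    return km[:32], km[32:]

def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter mode: block i = HMAC(key, nonce || i); concatenate and truncate."""
    out = bytearray()
    for ctr in range((length + 31) // 32):
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), "sha256").digest()
    return bytes(out[:length])

def seal(passphrase: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC. Layout: salt(16) | nonce(16) | tag(32) | ciphertext."""
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, mac_key = derive_keys(passphrase, salt)
    ct = bytes(p ^ k for p, k in zip(plaintext, keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, salt + nonce + ct, "sha256").digest()
    return salt + nonce + tag + ct

def unseal(passphrase: bytes, blob: bytes) -> bytes:
    """Check the tag in constant time before decrypting; any other key fails here."""
    salt, nonce, tag, ct = blob[:16], blob[16:32], blob[32:64], blob[64:]
    enc_key, mac_key = derive_keys(passphrase, salt)
    expect = hmac.new(mac_key, salt + nonce + ct, "sha256").digest()
    if not hmac.compare_digest(tag, expect):
        raise ValueError("authentication failed: wrong key or tampered image")
    return bytes(c ^ k for c, k in zip(ct, keystream(enc_key, nonce, len(ct))))

def can_unlock(passphrase: bytes, blob: bytes) -> bool:
    """What someone who started a copy of the server can do with a guessed key."""
    try:
        unseal(passphrase, blob)
        return True
    except ValueError:
        return False

def image_leaks(blob: bytes, secret: bytes) -> bool:
    """Does the copied image (or the shared storage behind it) expose the secret?"""
    return secret in blob
```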
Securing Your Virtual World
Thank You