IS B10 - Securing Your Virtual Data Centers: The Future of Endpoint and Server Security

Size: px

Start display at page:

Download "IS B10 - Securing Your Virtual Data Centers: The Future of Endpoint and Server Security"

Raymond Greer
5 years ago
Views:

1 WE, 09:00-10:00 IS B10 - Securing Your Virtual Data Centers: The Future of Endpoint and Server Security Paul Murgatroyd Principal Product Manager Chip Epps Principal Product Manager 1

2 Agenda 1 The Virtual Data Center 2 Monitoring ESXi and Hardening vcenter 3 Protecting the Guest 4 SEP, SCSP, and DCP Roadmaps 5 Resources 2

3 There are really two points to consider: LB HA Backup Management Server Virtual Machines Apps Apps Apps Apps Apps Apps Apps Apps Apps SMP Hypervisor Storage Enterprise Servers Enterprise Network Enterprise Storage 3

4 There are really two points to consider: LB HA Backup Protecting your Virtual Infrastructure: Management Server Hypervisor Control Software Apps Apps Apps Virtual Machines Apps Apps Apps Apps Apps Apps Supporting Applications SMP Hypervisor Storage Enterprise Servers Enterprise Network Enterprise Storage 4

5 There are really two points to consider: LB HA Backup Protecting your Virtual Infrastructure: Management Server Hypervisor Control Software Apps Apps Apps Virtual Machines Apps Apps Apps Apps Apps Apps Supporting Applications SMP Hypervisor Storage Enterprise Servers Enterprise Network Protecting your Virtual Machines: Applications Inter-VM Communications Enterprise Storage 5

6 Why Virtualize Promises of Cloud Computing Traditional IT Clouds Leaders Servers per Admin 50 5,000 Time to Provision Server Server Utilization 5 days 15 mins 20% 75% 6

7 But Vulnerabilities Still Exist 7

8 The CISO s Guide To Virtualization Security January % 75% Planning to adopt x86 virtualization Of x86 Servers will be virtual by

9 Servers Are Different from Desktops Servers Hacking Desktops/Laptops Malware vs. 81% of Breaches 99% of Records 69% of Breaches 95% of Records Server Protection is Different from Endpoint Protection 9

10 Servers are the Primary Target 97% of stolen data is from Servers. More often endpoints / user devices simply provide an initial foothold into the organization, from which the intruder stages the rest of their attack.

11 What is Virtual Infrastructure Protection? Monitoring ESXi & Hardening vsphere 11

12 Virtual Infrastructure Still Requires Attention 12

Securing vsphere 5 Infrastructure with SCSP vcenter Server SQL DB WMWare Management Framework VMWare vcenter Server 5.

) VMware ESXi LDAP 64-bit Windows manage VM support and Resource Management CSP Agent Tomcat Web Service vcli vcli for Config and Support Agentless Systems Mgmt Agentless Hardware

port access to trusted programs CSP Can Agent can protect be the deployed installed following within in tools each accessing a guest specific vcenter virtual guest from machine VM

vsphere specific to each virtual server s use-case Web Client Mechanics of Monitoring ESXi: vcenter Uses vcli IDS to Policy access Highlights: ESXi log/config files to send over to SCSP

13 Securing vsphere 5 Infrastructure with SCSP vcenter Server SQL DB WMWare Management Framework VMWare vcenter Server 5.0 (64 bit Windows) vcenter Server VMkernel Infrastructure Agents (NTP, Syslog, etc.) VMware ESXi LDAP 64-bit Windows manage VM support and Resource Management CSP Agent Tomcat Web Service vcli vcli for Config and Support Agentless Systems Mgmt Agentless Hardware Monitoring Protecting the Virtualization Management Universe Automate implementation of VMware Hardening Guidelines vcenter IPS Policy : Enhanced Windows Strict policy to protect application components including: vcenter Server, vcenter Orchestrator, vcenter Update Mgr. Infrastructure components e.g., SQL Express DB, Tomcat, JRE vcenter application program files and sensitive directories Virtual Infrastructure Guest Server Protection (certificates and logs) Restricts vcenter network port access to trusted programs CSP Can Agent can protect be the deployed installed following within in tools each accessing a guest specific vcenter virtual guest from machine VM desktops, (1 (virtual per laptops, ESXi client server) access to to lock VM s monitor down or even ESXi the Jump hosts: / application, vsphere Client, vsphere CLI, vsphere Power CLI, vsphere specific to each virtual server s use-case Web Client Mechanics of Monitoring ESXi: vcenter Uses vcli IDS to Policy access Highlights: ESXi log/config files to send over to SCSP vcenter agent Windows Detection Policy Accesses Pre-tuned guest Windows VM config Baseline files through Policy the detects vcli user/group interface and send changes, to SCSP login agent failures, etc. vcenter Enables Application a new ESXi Detection IDS policy Policy to monitor config/access Create Pre-tuned customized Windows reports Policy specific performs to ESXi real-time configuration FIM of vcenter binaries / configurations and monitors vcenter logs ESXi IDS Addresses Policy gap Highlights: in existing vcenter monitoring and log Monitors forwarding the full capabilities suite of critical VMware host configuration files (22 files) accessible through vcli for: ESXi host command line interface (CLI) login failures and successes Critical configuration changes to ESXi host Administrative web access 13

14 Automatically Harden and Monitor Per VMware s vsphere Hardening Guidelines Pre-defined global and granular policies Lockdown the Windows Server with industry s leading critical system protection Harden the vcenter application against unauthorized access, executables or configuration changes Directly monitor your ESXi host configurations for unauthorized changes Harden your individual ESX/ESXi Guest VMs 14

15 What is Agent-less? Introspection & vnetwork Analysis 15

16 Is Symantec going to Support vshield and When Yes, now in SEP Jaguar! 16

17 Roadmap Progress Phase 1 Re-architect Security for Changing Threat Environment Done Insight and SONAR Phase 2 Phase 3 Phase 4 Optimize Features for Virtualized Environment Maximize Integration with Platforms, and Introspection-Zoning Infrastructure Maximize Architecture for Cloud Service Delivery Done Shared Insight Cache & vcenter Hardening Done vshield & vsphere integration Currently in development 17

18 SEP RU2: vshield Use Case vsic Network Shared Insight Cache (vsic) SEP Client SEP Client SEP Client SVA VMware vshield Endpoint / VMTools GVM GVM GVM ESXi Host 18

Shared Insight Cache for Virtual Environments (vsic) vshield Endpoint enabled scan cache to optimize performance for scanning Moves the SEP 12.

19 Shared Insight Cache for Virtual Environments (vsic) vshield Endpoint enabled scan cache to optimize performance for scanning Moves the SEP 12.1 Shared Insight Cache into a Security Virtual Appliance Uses vshield Endpoint as the communication channel between SEP and the cache Same performance benefit as SEP 12.1 cache Significant resource reduction for persistent VDI Limited impact for non-persistent VDI and server applications 19

20 How Apply Traditional Security as Agentless? Firewall NIPS Reputation AV Behavioral HIPS ETC 20

21 % of samples SEP 12.1 vs. Trend Micro Deep Security 8.0 May % 90% 100% 64% 80% 70% 60% 50% 40% 30% 20% 10% Baseline Maximum 20% 16% Compromised Neutralized Defended 0% Symantec Endpoint Protection 12.1 Trend Deep Security 8 (Agentless) 21

22 SEP 12.1 Built for Virtual Environments Scan Elimination Scan De-duplication Scan Randomization Virtual Image Exception Virtual Client Tagging Resource Leveling Insight and Shared Insight Cache Offline Image Scanning Together up to 90% reduction in disk IO 22

23 New Approaches: Insight Enhanced Scanning On a typical system, 80% of active applications can be skipped! Traditional Scanning - Requires scan of every file - Scans on defined schedule Insight Scanning - Requires scan of un-trusted files only - Scans based on user activity 23

24 SEP 12 vs. Trend Micro Deep Security 8 -Virtual Machine Performance April % reduction in I/0 60% reduction in scan time 24

25 Roadmap 25

26 Disclaimer This information is about pre-release software. Any unreleased update to the product or other planned modification is subject to ongoing evaluation by Symantec and therefore subject to change. This information is provided without warranty of any kind, express or implied. Customers who purchase Symantec products should make their purchase decision based upon features that are currently available. 26

Maximum Maximum Security Guest Security SVA Baseline Security

27 Breadth of Security Risk A Perspective Tomorrow Today Service-Oriented, Hybrid Security Model VM Service Levels Maximum Maximum Security Guest Security SVA Baseline Security Gold Silver Bronze Maximum Host Hardened Security Virtual Infrastructure 27

28 Security Effectiveness Dynamic, Transparent, Beyond-Physical Security On a Hardened Infrastructure across Managed/Unmanaged VMs Today Medium Term Agented VMs (Managed) Long Term Agented (Managed) Agented VMs (Managed) Agent-less Protection (All VMs) Agented Value-Add Agent-less Protection (All VMs) Hardened Virtual Infra. Hardened Virtual Infra. Agentless Baseline Hardened Virtual Infra. Agent (SCSP + SEP) Agentless Hardened Infrastructure hardened by SYMC Baseline Security Rogue VM Protected Agentlessly by SYMC Full Security VM fully protected with SYMC Agents 28

29 Roadmap for Symantec Endpoint and Server Security Endpoint Protection McLaren FIPS Support Mac IPS Bug Fixes Endpoint Protection Ferrari Mac Firewall & Management Linux Management Network-based Definitions Performance/Content Improvements SEP Endpoint Protection Porsche New Management Server Enhanced Reporting Endpoint Security Product Integrations 2013 CYQ1 Q2 Q3 Q4 CYQ1 Q2 Q3 Q4 CYQ Apr Jul Oct 2014 Apr Jul Oct 2015 Server Protection Ferrari Agentless Protection (VMware) Provisioning via vcenter Application Whitelisting for Windows Server Protection Porsche New Management Server Enhanced Reporting Agented anti-malware Agentless Protection (non- VMware) DCP 29

30 Next Steps for SEP Shared Content- NetDefs Network Shared Insight Cache (nsic) Shared Network Definitions (ndef) SEP Client GVM SEP Client GVM SEP Client GVM Shared Content ESXi Host 30

31 What is Data Center Protection? CSP Sandboxing + Application Whitelisting Controls Agentless AV and IPS Virtual Security SVA s Data Center Protection (DCP)

Next Steps for Agentless Protection VM VM Tools VM VM Tools SYMC EPSEC SVA VM VM Tools VM VM Tools SYMC EPSEC SVA VM VM Tools VM VM Tools SYMC EPSEC SVA SYMC NetX SVA ESXi 5.1 ESXi 5.

32 Next Steps for Agentless Protection VM VM Tools VM VM Tools SYMC EPSEC SVA VM VM Tools VM VM Tools SYMC EPSEC SVA VM VM Tools VM VM Tools SYMC EPSEC SVA SYMC NetX SVA ESXi 5.1 ESXi 5.1 ESXi 5.1 vcenter Plug-in VMware Admin view (incl: vcops) Deployment Environment information AV SVA (EPSEC API) Agentless file scanning (AV/AM) Deployed at vsphere Host level Via EPSEC APIs and vshield Endpoint/ VMtools- now free with vsphere 5.1 Engine and content exist in one place, within the SVA Security policy can be specific to each VM N-IPS SVA (NetX API) Agentless Network IPS protection Deployed at network level (for DPI) Via NetX API and vcloud Networking and Security- must purchase vcns Security policy can be specific to isolated virtual network or per VM workload 32

33 Next Steps for Server Lockdown Protection Workflow Inspect System Rate Applications Manage Change Specify Whitelist Sandbox Applications Review Protection 1. Identify applications via system inspection 2. Determine application reputation Identifies known good applications via Trusted Publishers, application checksums, and/or reputation service 3. Specify how to manage change via Trusted Updaters Incorporates internal change processes into security policy 4. Select Whitelisted and Blacklisted Applications Provides a Default Deny security posture for generic servers Override via Trusted User/Group and Trusted Directories 5. Provide out-of-box security for common applications Admins can select sandboxing controls for the and workload (web servers, database servers, domain controllers, ) 6. View Security Summary and Overall Risk Profile Identifies gaps based on the controls selected and server profile 33

Data Center: Server (Virtual, Physical) End User: Desktop/Laptop Data

Porsche Symantec Endpoint Protection (SEP) SEP SEP SEP Critical Systems

Agented monitoring Agentless 1. VMware SEP CSP 1.

34 Data Center: Server (Virtual, Physical) End User: Desktop/Laptop Data Center The Offerings Today Management Consoles Ferrari Common Management Porsche Symantec Endpoint Protection (SEP) SEP SEP SEP Critical Systems Protection (CSP) SEP CSP 1. Agented system lockdown (with whitelisting) 2. Agented monitoring Agentless 1. VMware SEP CSP 1. Agented system lockdown (with whitelisting) 2. Agented monitoring Agentless 1. Multiple hypervisors 34

with outdated defs) Full SEP protection including SONAR and Web protection in virtual environments (multiple layers of defense) Hypervisor agnostic - performant solution for any virtual environment

35 Agentless Protection Capabilities Why Have Both NetDefs and Agentless? SEP + NetDefs DCP (with agentless) Solves SEP def update IO issue, primarily for non persistent VDI Maintain SEP footprint in virtual environments by removing the problem of update storms (images with outdated defs) Full SEP protection including SONAR and Web protection in virtual environments (multiple layers of defense) Hypervisor agnostic - performant solution for any virtual environment Foundation for protecting the Software Defined Data Center Easy virtual administrator buy-in, due to less operational friction (install, patch, ) Performance: Single instance of the protection engines and content Protection: Immediate up to date coverage for new, rogue, or dormant VMs Protection: Less risk of security tampering at guest 35

Virtual Security Top-to-Bottom Hypervisor SVA SVA 1 Hardened Infrastructure Hardening infrastructure (Hypervisor kernel-level file monitoring, management

Hypervisor vserver Farm Cloud VDI Security Host/VM Management Infrastructure 2 3 Baseline Security for All VMs (agent-less for unmanaged VMs) through SVA Enhanced

Zoning through workflow integration to drive actions based on security posture Full Security for Managed VMs (agented) through SCSP and SEP In-guest agent

36 Virtual Security Top-to-Bottom Hypervisor SVA SVA 1 Hardened Infrastructure Hardening infrastructure (Hypervisor kernel-level file monitoring, management hardening) Server Management capabilities for patch, change management, discovery, inventory etc. Hypervisor vserver Farm Cloud VDI Security Host/VM Management Infrastructure 2 3 Baseline Security for All VMs (agent-less for unmanaged VMs) through SVA Enhanced Agent-less via Security Virtual Appliance enabling IPS, Deep Packet Inspection, File Integrity Monitoring, AV, etc. Zoning through workflow integration to drive actions based on security posture Full Security for Managed VMs (agented) through SCSP and SEP In-guest agent thinning supporting introspection and differentiated security (Shared AV Definitions, reduced memory etc.) Agent (SCSP + SEP) Agentless Hardened Infrastructure Hardened by SYMC Baseline Security Rogue VM Protected Agentlessly by SYMC Maximum Security VM fully protected with SYMC Agents 36

37 Other Sessions to Attend Breakouts WE, 17:15-18:15; VMware: the Virtualization Journey: Managing and Proving Compliance with VMware and Symantec P1/Room 114 ST B05 TH, 09:00-10:00; Symantec Reference Architecture for Business Critical Virtualization P1/Room 112 IS B09 TH, 0:900-10:00; SONAR, Insight, Skeptic and GIN- The Symantec Secret Sauce P1/Room 114 IS B27 TH, 13:45 14:45, Symantec Protection Engine: gives almost any application or the ability to scan for threats P1/Room 115 IS B07 TH, 13:45-14:45, The Roadmap for Symantec infrastructure Protection Products P1/Room 114 LABS IS L03 WE, 10:30-11:30; Security Virtualized Environments P1/Room 119 IS L06 WE, 15:45-16:45; Protect Servers and Defend against APTs with Symantec SCSP P1/Room 119 IS L07 WE, 17:15-18:15; Lock down your Virtual environment with SCSP P1/Room 119 IS L02 TH, 11:45-12:45; Migrating to SEP 12.1 from an earlier version or another vendor s product P1/Room

38 Additional Resources Symantec Virtualization Security site on symantec.com Securing the Virtual Data Center white paper VMware and Symantec Joint Press Release - Solution overviews Coming Soon: VDI Best Practices White Paper Joint VMware Reference Architecture (via QSA Coalfire) 38

39 Thank you! Paul Murgatroyd Chip Epps Copyright 2012 Symantec Corporation. All rights reserved. Symantec and the Symantec Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners. This document is provided for informational purposes only and is not intended as advertising. All warranties relating to the information in this document, either express or implied, are disclaimed to the maximum extent allowed by law. The information in this document is subject to change without notice. 39

Securing Your Virtual Data Centers:

Securing Your Virtual Data Centers: The Future of Endpoint and Server Security Chip Epps, Symantec, PM Virtualization Security Papi Menon, VMware, PM vshield Endpoint 1 Agenda 1 The Virtual Data Center