THREAT PROTECTION FOR VIRTUAL SYSTEMS #ILTACON #ILTA156


JIM P. NIXON Application Support Manager Seyfarth Shaw LLP jnixon@seyfarth.com

IN THE PAST, TRADITIONAL SOLUTIONS DIDN'T THINK ABOUT VIRTUAL WORKLOADS

OVERVIEW OF TECHNOLOGIES

TODAY'S APPROACHES TO SECURING WINDOWS
- Traditional: signature-based scanning & blocking
- Application Control: uses a number of methods for controlling applications
- Privilege Management: applications run with standard privileges unless exceptions are made

APPLICATION CONTROL
- Application whitelisting: deny by default and execute only trusted executables
- Application blacklisting: the opposite of whitelisting
- Application sandboxing: the use of virtualization to control application access privileges & behavior by policy

APPLICATION WHITELISTING
- Arguably the best for security but terrible for the end user and the administrator
- Difficult to manage: adding and removing applications is time consuming and requires a full-time role
- Whitelist database creation: must use monitoring tools to record trusted application behavior
- Can be used with verified publisher lists with certificate checking
- Patching could be difficult if file hashes or signatures change
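To make the last two bullets concrete, here is a small deny-by-default policy evaluator. It is an added example written for this page, not code from the presentation or from any vendor product. It compares a hash-only allowlist with one that also trusts a verified publisher: after a patch the binary's hash changes and the hash rule no longer matches, while the publisher rule still allows it. The file contents, paths and the publisher name are constructed sample values, and signature verification is represented by a boolean the agent is assumed to have already computed.

```python
import hashlib
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple


@dataclass
class Executable:
    """Metadata an allowlisting agent would collect for a binary (constructed sample)."""
    path: str
    content: bytes
    publisher: Optional[str] = None   # subject of the code-signing certificate, None if unsigned
    signature_valid: bool = False     # assumed result of chain validation done by the agent

    @property
    def sha256(self) -> str:
        return hashlib.sha256(self.content).hexdigest()


@dataclass
class Policy:
    """Deny by default: a binary may run only if some rule matches it."""
    allowed_hashes: Set[str] = field(default_factory=set)
    trusted_publishers: Set[str] = field(default_factory=set)

    def learn(self, exe: Executable) -> None:
        """The 'whitelist database creation' step: record a known-good binary by hash."""
        self.allowed_hashes.add(exe.sha256)

    def decide(self, exe: Executable) -> Tuple[bool, str]:
        if exe.sha256 in self.allowed_hashes:
            return True, "hash rule"
        if exe.signature_valid and exe.publisher in self.trusted_publishers:
            return True, "publisher rule"
        return False, "deny by default"


def simulate_patch_cycle() -> Dict[str, Tuple[bool, str]]:
    """Show what happens to each policy style when a trusted application is patched."""
    vendor = "CN=Example Vendor, O=Example Vendor Inc."   # constructed publisher name
    policy = Policy(trusted_publishers={vendor})

    v1 = Executable(r"C:\Program Files\App\app.exe", b"app build 1.0",
                    publisher=vendor, signature_valid=True)
    policy.learn(v1)                                  # recorded while monitoring the baseline
    hash_only = Policy(allowed_hashes=set(policy.allowed_hashes))

    # Same path and publisher, new bytes: this is what a patch looks like to the policy.
    v2 = Executable(v1.path, b"app build 1.1", publisher=vendor, signature_valid=True)
    unsigned_tool = Executable(r"C:\Users\alice\Downloads\tool.exe", b"unknown binary")
    bad_signature = Executable(v1.path, b"modified bytes", publisher=vendor, signature_valid=False)

    return {
        "v1 hash-only": hash_only.decide(v1),
        "v2 hash-only": hash_only.decide(v2),          # patched binary is blocked
        "v2 with publisher": policy.decide(v2),        # publisher rule survives the patch
        "unsigned": policy.decide(unsigned_tool),
        "invalid signature": policy.decide(bad_signature),
    }


if __name__ == "__main__":
    for case, (allowed, reason) in simulate_patch_cycle().items():
        print(f"{case:20s} -> {'ALLOW' if allowed else 'BLOCK'} ({reason})")
```

The publisher rule only helps when the signature actually validates; a binary carrying the right publisher name but a broken signature is still denied, which is why the certificate check in the bullet above matters.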

APPLICATION BLACKLISTING
- The basis of anti-virus software and the most commonly used method
- Much easier on administrators and end users since it only targets software that is known to be malicious
- Considered inadequate on its own against the modern threats that exist today
- Provides the best system performance when used with image pre-scanning

APPLICATION SANDBOXING
- Applications are isolated and only access system resources exposed in the container they run in
- Isolates untrusted applications & code
- Includes virtualized OSs, virtual files & folders, memory, etc.
- Usually driven by policy from a centralized platform
- Can cause problems with integration points since applications may not be aware of one another

PRIVILEGE MANAGEMENT
- Applications generally run with standard user privileges regardless of the user's permissions on the machine
- Legacy applications can be configured to run with elevated privileges if the user account is restricted
- Centrally managed by policy
- Commonly used with blacklisting technologies as a layered approach

TRADITIONAL ANTI-VIRUS & MALWARE OPTIONS
- Agents are installed on each virtual guest and managed centrally
- The full processing load is carried within each guest, with no information shared centrally or with other guests
- Signature/string-based and heuristic scanning
- Reliance on downloaded signatures being up to date
- Scheduled definition updates and scans

TRADITIONAL SCANNING ARCHITECTURE

PERFORMANCE CONCERNS WITH VIRTUAL ENVIRONMENTS
- Traditional agents installed in guests could run scheduled tasks simultaneously, causing performance issues on virtualization hosts
- Non-persistent VDI guests may need to re-download older definition files after reboots
- Default or misconfigured policies could impact scalability

IN THE END, ALL OF THIS LEADS TO A POOR SYSTEM PERFORMANCE!

WHAT TECHNIQUES ARE VENDORS USING TO SOLVE THIS?
- Offloading: a light agent is installed in each guest which offloads scanning and other tasks
- Image pre-scanning: creates a hash database (safe list) to reduce scanning overhead
- Best-practice policies that improve performance but adhere to your company's security policies

HOW OFFLOADING WORKS
- One type of offloading communicates with a dedicated scanning server over the network
- One advantage of using the network is that the dedicated scanning VMs can be on different physical hosts
- The second type of offloading is direct communication with the hypervisor
- Directly communicating with the hypervisor could save additional resources compared with the network offload method
- Pre-scanning the image allows a light version of the agent to forward files to the scanning server over the network
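The following is an added example, not code from the presentation or from any of the products named later, that models the pre-scan plus network-offload flow just described: the golden image is scanned once to build a hash safe list, and a light agent in the guest consults that list and forwards only unknown files to the scanning server. The "files", the scan server's detection rule (a marker string) and the counts are all constructed for the demonstration; a real SVA would of course inspect content with signatures and heuristics.

```python
import hashlib
from typing import Callable, Dict, Set, Tuple

# Constructed golden image: path -> file content. Stands in for the template VM.
GOLDEN_IMAGE: Dict[str, bytes] = {
    "C:/Windows/System32/kernel32.dll": b"kernel32 build 1",
    "C:/Windows/System32/ntdll.dll": b"ntdll build 1",
    "C:/Program Files/App/app.exe": b"app 1.0",
}


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class ScanServer:
    """Stands in for the dedicated scanning VM (SVA). Counts how many files it inspects."""

    def __init__(self) -> None:
        self.scanned = 0

    def scan(self, content: bytes) -> str:
        self.scanned += 1
        # Toy detection rule for the demo only: a marker string means "malicious".
        return "malicious" if b"DEMO-MALWARE-MARKER" in content else "clean"


def prescan_image(image: Dict[str, bytes], scan: Callable[[bytes], str]) -> Set[str]:
    """Scan every file of the golden image once; hashes of clean files form the safe list."""
    return {sha256(content) for content in image.values() if scan(content) == "clean"}


class LightAgent:
    """Guest-side agent: answers from the safe list when it can, offloads the rest."""

    def __init__(self, safe_list: Set[str], server: ScanServer) -> None:
        self.safe_list = safe_list
        self.server = server

    def scan_guest(self, files: Dict[str, bytes]) -> Dict[str, str]:
        verdicts: Dict[str, str] = {}
        for path, content in files.items():
            if sha256(content) in self.safe_list:
                verdicts[path] = "clean (safe list)"      # no network round trip
            else:
                verdicts[path] = self.server.scan(content)  # offloaded to the SVA
        return verdicts


def demo() -> Tuple[Dict[str, str], int, int]:
    """Returns (verdicts, files scanned during pre-scan, files offloaded at runtime)."""
    prescan_server = ScanServer()
    safe_list = prescan_image(GOLDEN_IMAGE, prescan_server.scan)

    runtime_server = ScanServer()
    agent = LightAgent(safe_list, runtime_server)

    # A running guest cloned from the image, with two changes since the image was built.
    guest = dict(GOLDEN_IMAGE)
    guest["C:/Users/alice/Downloads/invoice.exe"] = b"DEMO-MALWARE-MARKER payload"  # new file
    guest["C:/Program Files/App/app.exe"] = b"app 1.1"                              # patched

    verdicts = agent.scan_guest(guest)
    return verdicts, prescan_server.scanned, runtime_server.scanned


if __name__ == "__main__":
    verdicts, pre, offloaded = demo()
    for path, verdict in verdicts.items():
        print(f"{path}: {verdict}")
    print(f"pre-scan inspected {pre} files; runtime offloaded {offloaded} of {len(verdicts)}")
```

Only the files that differ from the image reach the scanner, which is the saving the slide is describing; it also shows why a patched binary costs a fresh scan until the image (and its safe list) is rebuilt.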

OFFLOADING ARCHITECTURE

LIGHT AGENT VS. AGENTLESS
- Agentless solutions use hypervisor-aware integration points
- Agentless solutions tend to have fewer features (e.g. only file- and network-level protection)
- Light agents can be as full-featured as traditional solutions (e.g. firewall, memory scanning, process protection)

COMMON BEST PRACTICES WHEN CONFIGURING SCANNING POLICIES
- Disable security add-ins and use gateway products for Exchange and web browsing
- Exclude hypervisor-recommended file locations (VMware Tools, etc.)
- Disable scanning on reads if possible
- Disable heuristic scanning if possible
- Use the Windows native firewall instead of the security vendor's

TESTING RECOMMENDATIONS (ALWAYS TEST!)
- Use EICAR to test AV-excluded directories
- Make sure needed utilities are not restricted or broken by your solution
- Monitor processor and storage overhead with your favorite tool
- For VDI, do scalability testing with your favorite tool
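An added script for the first bullet, written for this page rather than taken from the presentation: it drops the standard EICAR test file into each directory your policy claims to exclude, waits for the real-time scanner to react, and reports whether the file survived. A surviving file means the exclusion really applies there; a removed or quarantined file means the scanner is still active in that path and the exclusion is not doing what you configured. The settle time and the file name are assumptions; adjust them for your product.

```python
import os
import sys
import tempfile
import time
from typing import Dict, Iterable

# The EICAR test string is the public, benign sample every AV vendor detects by design.
# It is kept in two halves so this script is less likely to be flagged on disk itself.
EICAR_PARTS = ("X5O!P%@AP[4\\PZX54(P^)7CC)7}$",
               "EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*")


def eicar_string() -> str:
    return "".join(EICAR_PARTS)


def drop_test_file(directory: str) -> str:
    """Write the test file exactly as the EICAR spec requires (string as the whole file)."""
    path = os.path.join(directory, "eicar_exclusion_check.com")  # assumed file name
    with open(path, "w", newline="") as fh:
        fh.write(eicar_string())
    return path


def file_survived(path: str, settle_seconds: float) -> bool:
    """True if the scanner left the file intact after the settle period."""
    time.sleep(settle_seconds)
    try:
        with open(path) as fh:
            return fh.read() == eicar_string()
    except OSError:
        return False   # deleted or quarantined by real-time scanning


def audit_exclusions(excluded_dirs: Iterable[str], settle_seconds: float = 5.0) -> Dict[str, bool]:
    """Map each directory to True (really excluded) or False (scanner still acts there)."""
    results: Dict[str, bool] = {}
    for directory in excluded_dirs:
        path = drop_test_file(directory)
        results[directory] = file_survived(path, settle_seconds)
        try:
            os.remove(path)   # clean up whatever the scanner left behind
        except OSError:
            pass
    return results


def self_check(settle_seconds: float = 0.0) -> bool:
    """Sanity check of the audit logic in a scratch directory where no scanner is expected."""
    with tempfile.TemporaryDirectory() as scratch:
        return audit_exclusions([scratch], settle_seconds)[scratch]


if __name__ == "__main__":
    # Usage: python eicar_audit.py "C:\Program Files\VMware\VMware Tools" D:\Profiles
    for directory, excluded in audit_exclusions(sys.argv[1:]).items():
        print(f"{directory}: {'excluded' if excluded else 'NOT excluded'}")
```

Run it from an account that can write to the directories in question, and pair it with the inverse check: dropping the same file in a directory that should be scanned and confirming it is removed, so you learn both that exclusions work and that protection is still on everywhere else.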

SOLUTIONS AVAILABLE TODAY

COMMON FEATURES OF VIRTUAL-AWARE SOLUTIONS
- Use offloading to a network scanning appliance (SVA)
- Support tight integrations with the most common hypervisors (e.g. agentless)
- Pre-scanning of golden images
- Some have default exclusions for broker and hypervisor components

BITDEFENDER GRAVITYZONE
- Multiplatform: can be used on any hypervisor platform
- Virtual-aware default settings
- Agentless: uses vShield for file system access
- New HVI (Hypervisor Introspection) feature for XenServer 7 users: agentless, real-time memory scanning and monitoring

MCAFEE MOVE MULTIPLATFORM & AGENTLESS
- Multiplatform: can be used on any hypervisor platform
- Agentless option uses VMware vShield, NSX or vCNS for high-speed hypervisor integration

KASPERSKY VIRTUALIZATION SECURITY
- Agentless: uses vShield or NSX for file system access
- Supports wildcard exclusions

TREND MICRO DEEP SECURITY
- Agentless: uses vShield or NSX
- Integrates with various cloud platforms, including Azure, Amazon EC2 and VMware vCloud

BROMIUM ADVANCED ENDPOINT SECURITY
- Different approach which uses micro-virtualization to isolate processes
- vSentry combines proactive isolation and contextual enforcement
- Seamless to end users
- One of the few solutions that can deal with 0-day threats

EXCELLENT RESOURCE FOR UNDERSTANDING ANTIVIRUS IMPACT ON VDI

THE PROJECT VRC TEAM EVALUATED THE FOLLOWING SOLUTIONS
- Microsoft Forefront (discontinued)
- McAfee MOVE & Enterprise editions
- Symantec Enterprise Edition

RESULTS
- Microsoft Forefront (discontinued) had the least overhead when pre-scans were performed
- McAfee MOVE 2.0 was second, even with offloading
- Symantec Enterprise Edition came in last

BUT!

NO REAL WINNER SINCE THEY WORK SO DIFFERENTLY ON DIFFERENT PLATFORMS

REFERENCES
- Bromium Advanced Endpoint Security
- Project VRC whitepapers and analysis
- Trend Micro Deep Security
- Kaspersky Virtualization Security
- McAfee MOVE
- Bitdefender GravityZone