NET3420BU Introducing VMware's Transformative Data Center Endpoint Security Solution
Vijay Ganti, Director, Product Management, VMware
Christopher Frenz, Director of Infrastructure, Interfaith Medical Center
VMworld 2017 Content: Not for publication #VMworld #NET3420BU
Disclaimer This presentation may contain product features that are currently under development. This overview of new technology represents no commitment from VMware to deliver these features in any generally available product. Features are subject to change, and must not be included in contracts, purchase orders, or sales agreements of any kind. Technical feasibility and market demand will affect final delivery. Pricing and packaging for any new technologies or features discussed or presented have not been determined. #NET3420BU CONFIDENTIAL 2
Where to Focus
Attack stages: Infiltration, Propagation, Extraction, Exfiltration
Defensive focus today: stop infiltration, stop exfiltration
We're Protecting the Wrong Thing
Mass Complexity
Stages in between: Propagation, Extraction
Activity spectrum: Known good, Unknown, Known bad
From our current model:
- Focused on malicious behavior
- Highly complex and noisy
- Exposed, i.e., untrusted monitoring, limited context
- Manual and lacking orchestration

To a new model:
- Focused on good (intended) behavior
- Simpler and smaller problem set
- Better signal-to-noise ratio
- Actionable, behavior-based alerts and responses

Applying Least Privilege at an Application Level
Unique Properties of the Virtualization Layer
It's in a unique position to understand the application: the application's intended state versus its runtime state
Unique Properties of the Virtualization Layer
It's in a unique position to deliver isolation: maintain a separate trust domain for security (Application, Isolation)
Unique Properties of the Virtualization Layer
It's in a unique position to deliver a high degree of automation (Application, Isolation, Automation)
Application, Isolation, Automation
We can leverage the unique properties of cloud and virtualization to secure critical applications
AppDefense: Least Privilege Control for the Data Center
Application Control / Runtime Anomaly Detection & Response
- Intentional State: comprehensive view/grouping of VMs in the datacenter, their intended state, and allowed behavior (communications, processes, OS kernel); the guest is the untrusted zone
- Runtime Anomaly Detection: monitor the real-time state of the OS and user applications from the trusted zone (ESXi); alert on and control process, network, and kernel events
- Process Analysis: a built-in process analysis engine gives overall process maliciousness as well as specific traits that are potentially suspicious
- Orchestrate Remediation: our infrastructure reach provides a more effective way to orchestrate remediation during a security incident
Gathering Intended State
Intentional State: Intended State compared with Runtime State
Gathering Intended State
- Infrastructure events (vRA, vCenter, NSX, Chef, Puppet, AWS, etc.): machine context, control and security policies, network topology
- Developer workflow (Maven, Ansible, Jenkins, etc.): application flows down to process level, code signing/authorization
- Runtime behavior (agents, NetFlow, policy changes, etc.): process and network behavior; ideal for brownfield apps
Leveraging Isolation
- Security in software (application behavior and OS runtime in the untrusted zone, i.e. the guest): great context, lacks isolation
- Security in hardware: great isolation, lacks context
- Goldilocks: a virtual enclave in the trusted zone (kernel) with attestation and a secure context store, sitting between the two
Providing Automated Remediation
AppDefense Architecture
- Security Manager: the security manager will always be a cloud deployment; a Security Management Proxy is used to configure policy and authenticate to management networks (config/policy sync)
- Cloud: NSX Manager, vCenter, VMC workloads, Security Management Proxy
- On-prem: NSX Manager, vCenter, vRA, on-prem workloads, Security Management Proxy
- Each guest runs inside a Goldilocks Secure Enclave; each host runs the Goldilocks Host Module
Interfaith Beta Experience
WannaCry Ransomware
Ransomware attack of pandemic proportions
Defense in Depth Against Ransomware
A defense-in-depth based guide consisting of 45 suggested controls in the following categories: Perimeter Defenses, Network Defenses, Endpoint Defenses, Server Side Defenses, SIEM and Log Management, Backup and Recovery, Awareness Training, Incident Response, IoT
https://www.owasp.org/images/4/4a/Anti-RansomwareGuidev1-5.pdf
Criteria for Evaluation
- 70-90% of malware seen by an organization is unique to that organization, according to the 2015 Verizon Data Breach Report
- Signature-based defenses that match known malware or malicious behaviors are no longer sufficient for detecting and stopping threats
- Looking for a signatureless approach to securing servers that complements other controls in our defense-in-depth strategy
- Tested to see how well AppDefense would block an attack that successfully bypassed other security controls
OWASP Mutillidae
A deliberately vulnerable web application for training security testing skills
XAMPP on Virtual Machine
XAMPP is installed on a Windows 2012 R2 virtual machine that is running AppDefense
Mutillidae
Mutillidae unzips into the htdocs folder of the Apache install and can be accessed via a Web browser
AppDefense Baseline
AppDefense monitors the VM for a period of 2 weeks to learn the typical behavior of the VM with regard to processes that establish inbound or outbound network connections
DNS Lookup with Mutillidae
The DNS lookup function passes the provided input to a system call that uses nslookup. Inputs are not properly sanitized, so let's append something to our domain name.
OS Command Injection: google.com& C:\Program Files\Internet Explorer\iexplorer.exe google.com
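The defect on this slide is an unvalidated hostname reaching a shell. As an added illustration (this is not Mutillidae's own PHP code, which is not reproduced here, and the function names are assumptions for the example), the following Python shows the flawed pattern beside a hardened handler: the hostname is checked against a strict allowlist pattern and nslookup is started from an argument vector rather than a shell command line, so a trailing `&` or any other metacharacter is rejected before a process is ever created.

```python
import re
import subprocess

# Strict hostname allowlist (RFC 1123 labels): letters, digits and hyphens
# only, so metacharacters such as '&', ';', '|' or spaces cannot pass.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_HOSTNAME_RE = re.compile(rf"{_LABEL}(?:\.{_LABEL})*\.?")


def is_valid_hostname(candidate: str) -> bool:
    """True only for a syntactically valid DNS hostname of at most 253 chars."""
    return len(candidate) <= 253 and _HOSTNAME_RE.fullmatch(candidate) is not None


def vulnerable_command(user_input: str) -> str:
    """The flawed pattern: raw input is spliced into a command line that is then
    handed to a shell (shell_exec in PHP, shell=True in Python), so any shell
    metacharacter in user_input becomes part of what the shell executes."""
    return f"nslookup {user_input}"


def build_nslookup_argv(user_input: str) -> list:
    """Hardened version: validate first, then build an argv list so no shell is involved."""
    host = user_input.strip()
    if not is_valid_hostname(host):
        raise ValueError(f"rejected lookup target: {host!r}")
    return ["nslookup", host]


def run_lookup(user_input: str, timeout: float = 5.0) -> str:
    """Execute the validated lookup without a shell and return its stdout."""
    argv = build_nslookup_argv(user_input)
    completed = subprocess.run(argv, capture_output=True, text=True,
                               timeout=timeout, check=False)
    return completed.stdout


if __name__ == "__main__":
    # Constructed inputs: a normal hostname and the slide's injection string.
    for candidate in ("google.com",
                      r"google.com& C:\Program Files\Internet Explorer\iexplorer.exe google.com"):
        try:
            print("accepted:", build_nslookup_argv(candidate))
        except ValueError as exc:
            print("blocked: ", exc)
```

Validation is the control that matters here: even with shell=False, passing arbitrary strings to a resolver binary is still passing untrusted input to a privileged helper, so the allowlist check runs before anything else.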
AppDefense Alarm
The OS command injection attempt to use IE to access an external resource caused AppDefense to block the connection attempt and trigger an alarm
The Good
- AppDefense prevented Internet Explorer from connecting to the Web site used in the OS command injection
- This is a similar scenario to OS command injection being used to download malware or an exploit
- The alerts feature was very responsive and could provide a SOC a near real-time warning of a potential intrusion attempt
- The learning mode of AppDefense made the setup comparatively easy, since rules and behaviors for the baseline were learned almost entirely during the learning period
Areas for Improvement
- AppDefense currently only blocks processes that seek to establish network connections, not any process that does not normally run
- AppDefense could potentially be circumvented when the server executes scripts via interpreters (such as python.exe) as part of its normal behavior, by placing a malicious script with the same name as the one normally called on the server
- Support for older OSes (e.g. Windows 2008 R2) would be desirable, even with a more limited feature set
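To make the learn-then-enforce model from the intended-state, baseline and alarm slides concrete, here is an added Python sketch; it is not AppDefense code, and the event format, the two-phase API and the sample events are all constructed for this example. A baseline of which process images open which inbound or outbound connections is learned from a recorded learning period and then frozen; each later connection event is compared with that intended state: a known process on a known port is allowed, a known process on a new port raises an alert, and a process that never opened a connection during learning is blocked, which is the outcome the Internet Explorer connection produced on the alarm slide. Because the model only receives connection events, a process that runs without opening a network connection is never evaluated at all, which is the first limitation listed above.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ConnEvent:
    """One network-connection event reported for a process (constructed format)."""
    process: str        # image path of the process that opened the connection
    direction: str      # "inbound" or "outbound"
    service_port: int   # local port for inbound, remote port for outbound


def normalize_image(path: str) -> str:
    """Canonical form for comparison: Windows paths are case-insensitive."""
    return path.replace("/", "\\").lower()


class IntendedState:
    """Allowlist of (direction, port) pairs per process image, learned during a
    learning period and then used to judge runtime events."""

    def __init__(self):
        self.allowed = defaultdict(set)
        self.learning = True

    def learn(self, events):
        """Record observed behaviour; only valid while the learning period is open."""
        if not self.learning:
            raise RuntimeError("baseline is frozen; the learning period is over")
        for ev in events:
            self.allowed[normalize_image(ev.process)].add((ev.direction, ev.service_port))

    def freeze(self):
        """End of the learning period: from now on deviations are enforced."""
        self.learning = False

    def evaluate(self, ev: ConnEvent) -> tuple:
        """Return (verdict, reason) for a runtime connection event."""
        image = normalize_image(ev.process)
        if image not in self.allowed:
            return ("block", f"{image} never opened a connection during the learning period")
        if (ev.direction, ev.service_port) not in self.allowed[image]:
            return ("alert", f"{image}: new {ev.direction} connection on port {ev.service_port}")
        return ("allow", "matches intended state")


def build_baseline() -> IntendedState:
    """Constructed learning-period events for an XAMPP web server VM."""
    learning_period = [
        ConnEvent(r"C:\xampp\apache\bin\httpd.exe", "inbound", 80),
        ConnEvent(r"C:\xampp\apache\bin\httpd.exe", "inbound", 443),
        ConnEvent(r"C:\xampp\mysql\bin\mysqld.exe", "inbound", 3306),
        ConnEvent(r"C:\Windows\System32\nslookup.exe", "outbound", 53),
    ]
    state = IntendedState()
    state.learn(learning_period)
    state.freeze()
    return state


def triage(state: IntendedState, events) -> list:
    """Run every runtime event through the baseline; returns the verdicts in order."""
    return [state.evaluate(ev)[0] for ev in events]


if __name__ == "__main__":
    baseline = build_baseline()
    runtime = [
        ConnEvent(r"C:\xampp\apache\bin\httpd.exe", "inbound", 80),                # normal traffic
        ConnEvent(r"C:\Windows\System32\nslookup.exe", "outbound", 53),            # the lookup itself
        ConnEvent(r"C:\Program Files\Internet Explorer\iexplorer.exe", "outbound", 80),  # injected process
        ConnEvent(r"C:\xampp\apache\bin\httpd.exe", "outbound", 4444),             # known process, new behaviour
    ]
    for ev in runtime:
        verdict, reason = baseline.evaluate(ev)
        print(f"{verdict:5} {reason}")
```

The same-name script bypass in the second bullet is also visible in this structure: the allowlist is keyed on the interpreter's image path, so a different script executed by the same interpreter with the same network behaviour is indistinguishable from the intended one unless script identity (path, hash or signature) is added to the key.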
Demo