Section: Datacenter Security: Protection Beyond OS Lifecycle
Not So Fun Facts from the Symantec ISTR 2017 Report

[Chart: Zero-Day Vulnerability, annual total, 2014 to 2016; values shown, in order: 4,958; 4,066; 3,986]
[Chart: Legitimate tools, annual total, in millions; tools shown: Mimikatz, PsExec, WCE; values shown, in order: 4.6m, 3.2m, 2.0m]

1. A new 0-day is discovered every week.
2. Legitimate administrative and pen-testing tools are used against the target.
Attack Surface: When Patches Matter

- Enterprise OS: MS16-087, a 20-year-old vulnerability sitting in plain sight.
- Enterprise software: Oracle's colossal patch, 276 vulnerabilities, 159 remotely exploitable without authentication, 28 with CVSS > 9.0.
- End-user browser: the much-maligned player, 52 vulnerabilities, 33 of them remotely exploitable.

Large attack surface for a foot in the door. Spread laterally within the network with watering holes. Compromise mission-critical systems!
Exploit Kit Trend 2015-2016

Rank  Exploit Kit   2015 (%)  2016 (%)
1     Custom Kits   38.9      37.9
2     Angler        13.3      22.2
3     Spartan        7.3      11.9
4     RIG            2.0       7.9
5     Magnitude      1.1       5.8
6     Neutrino       1.3       5.8
7     VIP           24.8       3.2
8     Nuclear        4.0       1.6
9     Fiesta         2.5       1.0
10    G01 Pack       2.2       0.8
Hands On!

[Diagram: layered stack, top to bottom: Application Services (Front End, Back End, DataStore); Guest OS; Hypervisor; HW]
What's the Story?

- Never touching the running machine: service uptime comes first.
- Service deployment goes through different stages: test environment, pre-production environment, production environment, then compliance check.
- Patch deployment time increases exposure, and increased exposure enlarges the attack surface.
- Legacy OS, legacy applications and custom applications remain in place.
Section: Data Center Security Technical Overview
SECURE DATACENTER INFRASTRUCTURE WITH DCS: SERVER ADVANCED

Platforms covered: virtualization platforms, cloud providers / platforms, containers, OpenStack Keystone.
Controls: file integrity, memory protection, network controls, device controls, application control.

- SIMPLICITY: consistently manage security across physical, virtual, public and private clouds.
- VISIBILITY: centralized security, monitoring and hardening across platforms and applications.
- AGILITY: align security and IT Ops with automated and orchestrated security down to the application layer.
WHAT MAKES A STRONG, AGILE SECURITY STRATEGY FOR THE SDDC?

- ANTIMALWARE & THREAT PROTECTION: designed for performance and resource optimization, not just an endpoint protection client.
- DYNAMIC WORKLOADS: support the migration and co-mingling of workloads with varied trust levels.
- PERIMETER & NETWORK SECURITY: visibility and control of internal VM-to-VM traffic.
- COMPLIANCE & HARDENING: automated asset discovery, configuration and validation.

Support and simplify security across traditional and next-gen IT with:
- Security embedded into the platform, protecting hosts and guests.
- Application-level security controls and policies for workloads anywhere.
- Security integrated with DevOps automation tools and processes: faster provisioning, fewer rogue IT instances, and timely protection.
DATA CENTER SECURITY STRATEGY IS A LIFECYCLE

ASSESS
- Conduct asset auto-discovery
- Assess server configuration
- Report against mandates and standards
- Aggregate risk scores
- Prioritize remediation

ORCHESTRATE
- Aggregate, automate and orchestrate security policy across products
- Enable application-level security
- Automate security provisioning and response across platforms

PROTECT
- Monitor and harden physical, virtual and cloud
- Protect current and next-gen data centers
- Secure virtual desktops
- Protect application and file stores
Introduction to Symantec Data Center Security for Virtual Environments

Symantec Data Center Security provides:
- Agentless antimalware and network intrusion protection
- Reputation-based services for files and URLs
- In-guest file quarantine
- Seamless integration with VMware NSX and vCenter
- Single-instance security service per host
- Automated and simplified security provisioning workflow
- Out-of-box integration with multiple security products
Symantec Data Center Security Architecture for Virtual Environments: Guest Virtual Machines and the Security Virtual Appliance (SVA)

- The SVA provides agentless anti-malware and intrusion detection/prevention.
- The SVA is deployed to each ESXi host as the Datacenter Protection Service.
- The SVA supports up to 200 guest VMs on a single ESXi host.
Symantec Data Center Security Architecture for Virtual Environments: Management Components

[Diagram: Operations Director; SDCSS/SA; SDCSS Server; LiveUpdate; Security Response; Insight Reputation; Orchestration Support; Unified Management Console (UMC)]
Overall Summary and Takeaways

Symantec Data Center Security Server provides:
- Advanced security controls for virtual environments
- Infrastructure performance enhancements
- Automation of security policy provisioning

Making security of virtual environments possible via:
- Agentless antimalware and network intrusion protection
- Integration with VMware NSX and vCenter and other security solutions
Section: USE CASES
AGENTLESS HOST AND GUEST THREAT PROTECTION FOR VIRTUAL ASSETS WITH DATA CENTER SECURITY

- Fully integrated with VMware (NSX/vCNS/vShield)
- Lower OPEX, manage complexity, reduce boot storms
- Auto-deployment of the hypervisor-based security virtual appliance (SVA)
- Always-on security for hosts and virtual guests
- Data Center Security service for VMware NSX/vCNS/vShield
- Security orchestration and integration with DCS: Server Advanced and third-party security tools
- Agile security provisioning and threat response for hosts and virtual guests
SYMANTEC DATA CENTER SECURITY DELIVERS AGILE, AGENTLESS THREAT PROTECTION

Use case: new business application deployment

Problem:
- IT asset provisioning takes minutes, but security provisioning takes days.
- Security is the bottleneck for scaling out the new services.

Response:
- IT service request: capture security and compliance attributes during IT service requests.
- Security requests for new IT assets are sent to the security admin.

Action:
- Operations Director automatically creates a task for the security admin.
- Rapid7 Nexpose (via Operations Director integration) runs vulnerability scans and risk assessment.
- Operations Director recommends antimalware, NIPS, firewall (via Palo Alto integration) and hardening.

Result:
- Security is deployed more quickly, mitigating rogue and unsecured IT assets.
- Increased business responsiveness.
- The server is protected throughout its lifecycle; viruses are detected, blocked and logged.

Symantec advantage: automated, always on, agentless.
CRITICAL CUSTOMER PORTAL AUTOMATICALLY PROTECTED AGAINST ZERO-DAY EXPLOIT

Use case: mission-critical web server must be secure and highly available

Problem:
- Multiple applications and subcomponents, each with their own vulnerabilities.
- Each component must be secure and compliant without downtime.

Response:
- Symantec Data Center Security: Server Advanced has out-of-the-box sandboxes to secure each tier of the infrastructure.

Action:
- Attacker attempts to install a malicious file through an IIS zero-day exploit.
- The attack is blocked because IIS is not allowed to install software or modify the OS.

Result:
- The customer portal maintains security and availability despite a zero-day vulnerability in a whitelisted application.

Symantec advantage: application whitelisting, out-of-the-box hardening.
PROTECT CUSTOMER FILES

Use case: mission-critical web server must secure its web page files

Problem:
- Unauthorized users could change, add or remove files.
- Malicious users could gain access to files.

Response:
- Symantec Data Center Security: Server Advanced has Host Integrity and Audit Trail capabilities.

Action:
- Attacker attempts to install a malicious file through unauthorized access.
- The attack is blocked because the DCSSA agent monitors the server file system and keeps unauthorized users out.

Result:
- The customer portal maintains its integrity and original contents.

Symantec advantage: Host Integrity, File Integrity and Audit Trail.
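To show what the file-integrity and audit-trail idea from this use case boils down to, here is an added example (not Symantec's code and not part of the original deck): it takes a SHA-256 baseline of a web root, then reports added, modified and removed files as audit events. The web root and its files are constructed in a temporary directory for the demo.

```python
# Added example: minimal file-integrity baseline and change audit for a web root.
# Not Symantec's code; the web root and sample files below are constructed for the demo.
import hashlib
import tempfile
from pathlib import Path


def _sha256(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map each regular file under root (POSIX-style relative path) to its SHA-256."""
    return {p.relative_to(root).as_posix(): _sha256(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def audit_changes(root: Path, baseline: dict) -> list:
    """Compare the current tree to the baseline and return (event, path) audit records."""
    current = build_baseline(root)
    events = []
    for rel in sorted(set(baseline) | set(current)):
        if rel not in current:
            events.append(("REMOVED", rel))
        elif rel not in baseline:
            events.append(("ADDED", rel))        # e.g. a file dropped by an attacker
        elif baseline[rel] != current[rel]:
            events.append(("MODIFIED", rel))     # e.g. a defaced page
    return events


def demo() -> list:
    """Constructed web root: take a baseline, tamper with it, then audit the result."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "index.html").write_text("<h1>Customer portal</h1>")
        (root / "css").mkdir()
        (root / "css" / "site.css").write_text("body{}")
        baseline = build_baseline(root)
        (root / "index.html").write_text("<h1>Defaced</h1>")   # unauthorized change
        (root / "upload.aspx").write_text("<% %>")              # unauthorized add
        (root / "css" / "site.css").unlink()                    # unauthorized removal
        return audit_changes(root, baseline)


if __name__ == "__main__":
    for event, rel in demo():
        print(f"{event:9s} {rel}")
```

A product agent does the same comparison continuously and in real time, and blocks the write rather than only reporting it; this example only produces the audit trail.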
PROTECT LEGACY MICROSOFT OS SERVER

Use case: protect a legacy Microsoft Windows Server 2003 system

Problem:
- Microsoft Windows Server 2003 is no longer supported by Microsoft.
- Lack of security patches.

Response:
- Symantec Data Center Security: Server Advanced still supports Microsoft Windows Server 2003.

Action:
- Once the DCSSA agent is installed, the Application Control, Exploit Mitigation control and Host Integrity modules can be enabled.

Result:
- The legacy server can be kept protected.

Symantec advantage: support for legacy OS.
DOMAIN CONTROLLER LOCKDOWN

Use case: protect a Domain Controller server

Problem:
- Microsoft Domain Controller breach.
- Lack of security.

Response:
- Symantec Data Center Security: create a restrictive whitelist policy.
- Integrate DCS:SA events with a third-party SIEM solution for alerting and analysis.

Action:
- Once the DCSSA agent is installed, the Application Control, Exploit Mitigation control and Host Integrity modules can be enabled.

Result:
- The AD servers can be kept protected.

Symantec advantage: support for Windows services such as AD and MSSQL.
Thanks

Presenter: Alessandro Ghezzi, Alessandro_ghezzi@symantec.com
Sunil Venanzini, Sunil_venanzini@symantec.com
Date: 7/6/2017