Securing Your Virtual Data Centers


Page 1: Securing Your Virtual Data Centersvox.veritas.com › legacyfs › online › veritasdata › SR B28.pdf · Securing Your Virtual Data Centers: The Future of Endpoint and Server Security

Securing Your Virtual Data Centers: The Future of Endpoint and Server Security

Chip Epps, Symantec, PM Virtualization Security

Papi Menon, VMware, PM vShield Endpoint

Securing your Virtual Data Centers

Page 2

Agenda

1. The Virtual Data Center
2. VMware Update
3. Our Vision and Strategy
4. SEP and SCSP
5. Resources

SYMANTEC VISION 2012

Page 3

Do Any Of These Statements Sound Familiar?

“I’m a security professional and I think I know I need to do something, but I don’t know WHY.”

“I’m a security professional and I need to do something differently? Really?”

“I’m a security professional and I think I know I need to do something, but I don’t know WHAT.”

“I’m a virtualization technology implementer and I’m making the security decisions since my security team isn’t.”

Page 4

Why Virtualize – Promises of Cloud Computing…

Servers per Admin: 50 (Traditional IT) vs. 5,000 (Cloud Leaders)

Time to Provision Server: 5 days (Traditional IT) vs. 15 mins (Cloud Leaders)

Server Utilization: 20% (Traditional IT) vs. 75% (Cloud Leaders)

Page 5

“The CISO’s Guide To Virtualization Security” January 2012

75% of x86 servers will be virtual by 2014

85% planning to adopt x86 virtualization

Page 6

Servers Are Different from Desktops…

Servers vs. Desktops/Laptops

Malware: 69% of Breaches, 95% of Records

Hacking: 81% of Breaches, 99% of Records

… Server Protection is Different from Endpoint Protection

Page 7

Servers are the Primary Target

% of stolen data is from Servers

“ …. More often endpoints / user devices simply provide an initial “foothold” into the organization, from which the intruder stages the rest of their attack.”

Page 8

Defining the Virtual Data Center

New Protection Required

[Diagram: Management Framework; Resource Pool; ESXi Hosts/Hypervisor; guest VMs (OS, App, Data); DataStore (VMDK)]

Page 9

And its Logical Characteristics

Highly Dynamic and Zoned

[Diagram: VDC containing vApps (Web, App, DB) and a Template]

Page 10

Defining the Virtual <–> Security Landscape

[Figure panels: x86 Server Virtualization Infrastructure; Endpoint Protection Platforms]

Page 11

Cloud Infrastructure Suite

The VMware Cloud Infrastructure Suite

• vCloud Director 1.5 (New): Policy, Reporting, Self-Service
• vShield Security 5.0 (New): Virtualized Security & Edge Functions
• vCenter Operations 1.0 (New): Monitoring & Management
• vSphere 5.0 (New): High Performance Resource Control, Pooling & Scheduling
• vCenter SRM 5.0 (New): Business Continuity

Page 12

Overview of vShield and vCenter Configuration Manager

vShield Edge

• Segment and isolate at org level
• Firewall (IP), VPN, Web load balancer, NAT, DHCP, static routing…

vShield App with Data Security

• Segment and isolate based on security, compliance
• Firewall (vNIC), security groups, sensitive data discovery

vShield Endpoint

• Partner enablement platform for endpoint security
• AV, File Integrity Monitoring, and more

vCenter Configuration Manager

• IT compliance management across the stack
• Controls validation, compliance reporting, change management, patching, and more

Page 13

Framework for Orchestrating and Managing VMware and Third Party Networking and Security Services

[Diagram: VMware Services (VMware Data Security, VMware …..) and Partner Services (Networking partners, Security partners), connected through Open Partners Interfaces to VMware vShield Manager (VSM)]

Page 14

We’ve come a long way, but even more exciting times ahead!

2011

• New 3rd party endpoint service insertion for solution choice
• New Data Security – discovery of sensitive data
• New Security Automation using APIs and scripts
• Scalable and agile networking and security products

2012

• New 3rd Party network service insertion for more solution choice
• Shipping products from endpoint security vendors
• Improved Usability and High Availability
• Improved automation with data security triggers, vCenter Orchestrator plugin

2013 and beyond

Page 15

Virtual… Vulnerabilities Still Exist

Page 16

Symantec Protection for the Virtual Data Center

Management

• SCSP: Critical System Protection

Guest VM

• SEP: Symantec Endpoint Protection
• SCSP: Critical System Protection

Data Store

• SCSP: Critical System Protection
• Protection Engine

Hypervisor

• SCSP: Critical System Protection

Page 17

A Perspective… Today

Service-Oriented, Hybrid Security Model

[Figure: axis "Breadth of Security"; labels: VM, Expanded Security, Maximum Guest Security, Maximum Host Security]

Page 18

A Perspective… Tomorrow

Service-Oriented, Hybrid Security Model

[Figure: axes "Breadth of Security" and "Risk"; labels: VM, SVA, Expanded Security, Baseline Security, Hardened Virtual Infrastructure; Service Levels: Bronze, Silver, Gold]

Page 19

Dynamic, Transparent, Beyond-Physical Security
On a Hardened Infrastructure across Managed/Unmanaged VMs

[Figure: axis "Security Effectiveness"; stages: Today, Medium Term, Long Term; layers: Hardened Virtual Infra. (Baseline), Agent-less Protection (All VMs) (Agentless Add), Agented VMs (Managed) (Agented Value-Add)]

Legend:

• Hardened: Infrastructure hardened by SYMC
• Baseline Security: Rogue VM Protected Agentlessly by SYMC
• Full Security: VM fully protected with SYMC Agents
• Agent (SCSP + SEP)
• Agentless

Page 20

What is Agent-less?

Introspection & vNetwork Analysis

Page 21

Is Symantec going to Support vShield… and When…

Yes, SEP Jaguar and Beyond!

Page 22

Question: How Best to Apply Traditional Security?

Firewall, Content Filtering, NIPS, Reputation, AV, HIPS, ETC…

Page 23

SEP 12.1 vs. Trend Micro Deep Security 8.0

May 2012

[Chart: "% of samples" (0% to 100%) classed as Defended, Neutralized or Compromised, for Symantec Endpoint Protection 12.1 and Trend Deep Security 8 (Agentless); side labels: Maximum, Baseline; data labels shown: 100%, 64%, 16%, 20%]

Page 24

Roadmap Progress

Phase 1: Re-architect Security for Changing Threat Environment
Done – Insight and SONAR

Phase 2: Optimize Features for Virtualized Environment
Done – Shared Insight Cache & vCenter Hardening

Phase 3: Maximize Integration with Platforms, and Introspection-Zoning Infrastructure
2012 In progress – vShield & vSphere integration

Phase 4: Maximize Architecture for Cloud – Service Delivery
Currently in development…

Page 25

New Approaches: Insight Enhanced Scanning

Traditional Scanning

- Requires scan of every file
- Scans on defined schedule

Insight Scanning

- Requires scan of un-trusted files only
- Scans based on user activity

On a typical system, 80% of active applications can be skipped!

Page 26

SEP 12.1 – Built for Virtual Environments

Features: Virtual Image Exception; Virtual Client Tagging; Insight and Shared Insight Cache; Resource Leveling; Offline Image Scanning

• Scan Elimination
• Scan De-duplication
• Scan Randomization

Together – up to 90% reduction in disk IO

Page 27

SEP 12 vs. Trend Micro Deep Security 8 - Virtual Machine Performance

April 2012

• 40% reduction in I/O
• 60% reduction in scan time

Page 28

RU2: Shared Insight Cache for Virtual Environments

– vShield Endpoint enabled scan cache to optimize performance for scanning

– Moves the SEP 12.1 Shared Insight Cache into a Security Virtual Appliance

– Uses vShield Endpoint as the communication channel between SEP and the cache

– Same performance benefit as SEP 12.1 cache

• Significant resource reduction for persistent VDI

• Limited impact for non-persistent VDI and server applications

Page 29

Ferrari: “Shared Content” for Virtual Environments

Goal: reduce IO and CPU from definition update process by 90+% at the host level

– vShield Endpoint enabled Shared Antivirus Definitions

– Removes the need to update definitions in each Guest VM

– One update process per ESXi Host on the vShield enabled SVA

– Updated definitions available to guests immediately on start up with no update overhead

– Significantly improves performance in all environments, servers, non-persistent VDI and persistent VDI

– Solves key management issues with non-persistent VDI deployments

Page 30

Shared Content (Definitions and Insight Cache)

[Diagram: Network side: SEP Clients, Network Based Defs Cache, LiveUpdate. ESXi Host side: SVA holding the Shared Insight Cache, GVM Clients, VMware vShield Endpoint / VMTools]

Page 31

Virtual Infrastructure Still Requires Attention

Page 32

SCSP MP3: Securing vSphere 5.0 Infrastructure

Protecting the Virtualization Management Universe

• Automate implementation of VMware Hardening Guidelines

• vCenter IPS Policy:
  – Enhanced Windows Strict policy to protect application components including:
    ▪ vCenter Server, vCenter Orchestrator, vCenter Update Mgr.
    ▪ Infrastructure components e.g., SQL Express DB, Tomcat, JRE
    ▪ vCenter application program files and sensitive directories (certificates and logs)
  – Restricts vCenter network port access to trusted programs
  – Can protect the following tools accessing vCenter from desktops, laptops, client access VMs or even Jump hosts:
    ▪ vSphere Client, vSphere CLI, vSphere Power CLI, vSphere Web Client

• vCenter IDS Policy Highlights:
  – vCenter Windows Detection Policy
    ▪ Pre-tuned Windows Baseline Policy detects user/group changes, login failures, etc.
  – vCenter Application Detection Policy
    ▪ Pre-tuned Windows Policy performs real-time FIM of vCenter binaries / configurations and monitors vCenter logs
    ▪ Addresses gap in existing vCenter monitoring and log forwarding capabilities

[Diagram: VMware vCenter Server 5.0 (64-bit Windows): vCenter Server, SQL DB, Tomcat Web Service, LDAP, 64-bit Windows OS, with CSP Agent. VMware ESXi: VM support and Resource Management, Infrastructure Agents (NTP, Syslog, etc.), VMkernel, VMware Management Framework, Agentless Hardware Monitoring, Agentless Systems Mgmt, vCLI for Config and Support. Managing OS with vCLI and CSP Agent]

Page 33

Virtual Security “Top-to-Bottom”

1. Hardened Infrastructure

• Hardening infrastructure (Hypervisor kernel-level file monitoring, management hardening)

• Server Management capabilities for patch, change management, discovery, inventory etc.

2. Baseline Security for All VMs (agent-less for unmanaged VMs) through SVA

• Enhanced Agent-less via Security Virtual Appliance enabling IPS, Deep Packet Inspection, File Integrity Monitoring, AV, etc.

• Zoning through workflow integration to drive actions based on security posture

3. Full Security for Managed VMs (agented) through SCSP and SEP

• In-guest agent thinning supporting introspection and differentiated security (Shared AV Definitions, reduced memory etc.)

[Diagram: vServer Farm with Hypervisors, each with an SVA; Management Infrastructure; Cloud; Security; VDI; Host/VM]

Legend:

• Hardened: Infrastructure hardened by SYMC
• Baseline Security: Rogue VM Protected Agentlessly by SYMC
• Full Security: VM fully protected with SYMC Agents
• Agent (SCSP + SEP)
• Agentless

Page 34

Other Sessions to Attend

SEP

• WE, 1:00-2:00, SR B20, Michael Marfise, Scott Sawoya, Symantec Endpoint Protection 12: Hundreds of Millions of New Pieces of Malware Mean You Have to Do Things Differently

• WE, 4:45-5:45, SR B27, Kevin Haley, Archana Rajan, SONAR, Insight, Skeptic and GIN - The Symantec Secret Sauce

LABS

• TH, 9:00-10:00, SR L06, Elisha Riedlinger, Migrating to Symantec Endpoint Protection 12.1

• TH, 10:15-11:15 & 1:00-2:00, SR L08, Paul Murgatroyd, Troubleshooting Symantec Endpoint Protection 12.1

• TH, 11:30-12:30, SR L07, Scott Sawoya, Configuring Protection Technologies with Symantec Endpoint Protection 12.1


SCSP:

• TH, 1:00-2:00, SR B22, Percy Wadia, Prashant Khandelwal, Stop Server Incursions and Unauthorized Access: How to Defend Against Common APT Attacks

LABS

• WE, 3:30-04:30, SR L21, Colin Gibbens, Protect Servers and Defend Against APTs with Symantec Critical System Protection

• TH, 9:00-10:00, SR L22, Colin Gibbens, Lock Down a Virtual Environment with Symantec Critical System Protection

Protection Engine

• TH, 1:00-2:00, SR B11, Ian McShane, Symantec Protection Engine: for Cloud Services and Storage

Page 35

Additional Resources

Symantec Virtualization Security site on symantec.com

• http://go.symantec.com/virtualization-security

– “Securing the Virtual Data Center” white paper

– VMware and Symantec Joint Press Release - http://bit.ly/yQ6dxH

– Solution overviews


• Coming Soon:

– VDI Best Practices White Paper

– Joint VMware Reference Architecture

Page 36

Thank you!

Copyright © 2012 Symantec Corporation. All rights reserved. Symantec and the Symantec Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners.

This document is provided for informational purposes only and is not intended as advertising. All warranties relating to the information in this document, either express or implied, are disclaimed to the maximum extent allowed by law. The information in this document is subject to change without notice.

Chip Epps

Papi Menon