Transcript of Securing Your Virtual Data Centers (vox.veritas.com › legacyfs › online › veritasdata › SR...)
Securing Your Virtual Data Centers: The Future of Endpoint and Server Security
Chip Epps, Symantec, PM Virtualization Security
Papi Menon, VMware, PM vShield Endpoint
Securing your Virtual Data Centers
Agenda
1. The Virtual Data Center
2. VMware Update
3. Our Vision and Strategy
4. SEP and SCSP
5. Resources
SYMANTEC VISION 2012
Do Any Of These Statements Sound Familiar?
• “I’m a security professional and I think I know I need to do something, but I don’t know WHY.”
• “I’m a security professional and I need to do something differently? Really?”
• “I’m a security professional and I think I know I need to do something, but I don’t know WHAT.”
• “I’m a virtualization technology implementer and I’m making the security decisions since my security team isn’t.”
Why Virtualize – Promises of Cloud Computing…
                          Traditional IT   Cloud Leaders
Servers per Admin         50               5,000
Time to Provision Server  5 days           15 mins
Server Utilization        20%              75%
75% of x86 servers will be virtual by 2014
85% planning to adopt x86 virtualization
Source: “The CISO’s Guide To Virtualization Security”, January 2012
Servers Are Different from Desktops…
[Chart: Servers vs. Desktops/Laptops. Malware – 69% of breaches, 95% of records; Hacking – 81% of breaches, 99% of records]
… Server Protection is Different from Endpoint Protection
Servers are the Primary Target
[Chart: __% of stolen data is from Servers]
“…. More often endpoints / user devices simply provide an initial “foothold” into the organization, from which the intruder stages the rest of their attack.”
Defining the Virtual Data Center – New Protection Required
[Diagram: Management Framework; Resource Pool; ESXi Hosts/Hypervisor; guest VMs (OS, App, Data); DataStore (VMDK)]
And its Logical Characteristics – Highly Dynamic and Zoned
[Diagram: VDC containing vApps (Web, App, DB) created from a Template]
Defining the Virtual <–> Security Landscape
• x86 Server Virtualization Infrastructure
• Endpoint Protection Platforms
• Symantec Data Center – Endpoint Security
The VMware Cloud Infrastructure Suite
• vCloud Director 1.5 – Policy, Reporting, Self-Service (New)
• vShield Security 5.0 – Virtualized Security & Edge Functions (New)
• vCenter Operations 1.0 – Monitoring & Management (New)
• vSphere 5.0 – High Performance Resource Control, Pooling & Scheduling (New)
• vCenter SRM 5.0 – Business Continuity (New)
Overview of vShield and vCenter Configuration Manager
vShield Edge
• Segment and isolate at org level
• Firewall (IP), VPN, Web load balancer, NAT, DHCP, static routing…
vShield App with Data Security
• Segment and isolate based on security, compliance
• Firewall (vNIC), security groups, sensitive data discovery
vShield Endpoint
• Partner enablement platform for endpoint security
• AV, File Integrity Monitoring, and more
vCenter Configuration Manager
• IT compliance management across the stack
• Controls validation, compliance reporting, change management, patching, and more
Framework for Orchestrating and Managing VMware and Third Party Networking and Security Services
[Diagram: VMware vShield Manager (VSM) with Open Partner Interfaces; VMware Services (e.g. Data Security) alongside Partner Services (networking partners, security partners)]
We’ve come a long way, but even more exciting times ahead!
2011
• New 3rd party endpoint service insertion for solution choice
• New Data Security – discovery of sensitive data
• New Security Automation using APIs and scripts
• Scalable and agile networking and security products
2012
• New 3rd party network service insertion for more solution choice
• Shipping products from endpoint security vendors
• Improved usability and high availability
• Improved automation with data security triggers, vCenter Orchestrator plugin
2013 and beyond
Virtual… Vulnerabilities Still Exist
Symantec Protection for the Virtual Data Center
• Management: SCSP (Critical System Protection)
• Guest VM: SEP (Symantec Endpoint Protection), SCSP (Critical System Protection)
• Data Store: SCSP (Critical System Protection), Protection Engine
• Hypervisor: SCSP (Critical System Protection)
A Perspective… Today: Service-Oriented, Hybrid Security Model
[Chart: Breadth of Security for VMs, showing Maximum Guest Security and Maximum Host Security, with Expanded Security between them]
A Perspective… Tomorrow: Service-Oriented, Hybrid Security Model
[Chart: Breadth of Security vs. Risk. An SVA provides Baseline Security (Bronze) on a Hardened Virtual Infrastructure; Expanded Security is delivered at Service Levels Bronze, Silver and Gold]
Dynamic, Transparent, Beyond-Physical Security on a Hardened Infrastructure across Managed/Unmanaged VMs
[Chart: Security Effectiveness over time. Today: Agented VMs (Managed). Medium Term: Agented VMs (Managed) plus Agent-less Protection (All VMs) on a Hardened Virtual Infrastructure. Long Term: Agented value-add (Managed) over an Agent-less Baseline (All VMs) on a Hardened Virtual Infrastructure]
Legend:
• Hardened – Infrastructure hardened by SYMC
• Baseline Security – Rogue VM protected agentlessly by SYMC
• Full Security – VM fully protected with SYMC Agents (SCSP + SEP)
• Agentless
What is Agent-less?
Introspection & vNetwork Analysis
Is Symantec going to support vShield… and when…
Yes, SEP Jaguar and Beyond!
Question: How Best to Apply Traditional Security?
Firewall, Content Filtering, NIPS, Reputation, AV, HIPS, etc.
SEP 12.1 vs. Trend Micro Deep Security 8.0 (May 2012)
[Chart: % of samples Compromised / Neutralized / Defended, Maximum vs. Baseline. Symantec Endpoint Protection 12.1: 100% defended. Trend Deep Security 8 (Agentless): 64% defended; the remaining 16% and 20% are split between neutralized and compromised]
Roadmap Progress
• Phase 1 – Re-architect Security for Changing Threat Environment: Done – Insight and SONAR
• Phase 2 – Optimize Features for Virtualized Environment: Done – Shared Insight Cache & vCenter Hardening
• Phase 3 – Maximize Integration with Platforms, and Introspection-Zoning Infrastructure: 2012, in progress – vShield & vSphere integration
• Phase 4 – Maximize Architecture for Cloud – Service Delivery: Currently in development…
New Approaches: Insight Enhanced Scanning
Traditional Scanning
- Requires scan of every file
- Scans on defined schedule
Insight Scanning
- Requires scan of un-trusted files only
- Scans based on user activity
On a typical system, 80% of active applications can be skipped!
SEP 12.1 – Built for Virtual Environments
• Resource Leveling
• Virtual Image Exception
• Virtual Client Tagging
• Insight and Shared Insight Cache
• Offline Image Scanning
• Scan Elimination, Scan De-duplication, Scan Randomization
Together – up to 90% reduction in disk IO
SEP 12 vs. Trend Micro Deep Security 8 – Virtual Machine Performance (April 2012)
• 40% reduction in I/O
• 60% reduction in scan time
RU2: Shared Insight Cache for Virtual Environments
– vShield Endpoint enabled scan cache to optimize performance for scanning
– Moves the SEP 12.1 Shared Insight Cache into a Security Virtual Appliance
– Uses vShield Endpoint as the communication channel between SEP and the cache
– Same performance benefit as SEP 12.1 cache
• Significant resource reduction for persistent VDI
• Limited impact for non-persistent VDI and server applications
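The scan de-duplication behind the SEP 12.1 features and the host-level Shared Insight Cache described above can be modelled as a verdict cache keyed by file hash that guests on one host share, with one practitioner caveat built in: a cached "clean" verdict is only valid for the definitions it was produced with. The Python below is an added illustration, not Symantec or VMware code; the scan engine, file contents and definition version strings are constructed.

```python
import hashlib
from dataclasses import dataclass, field

@dataclass
class SharedInsightCache:
    """Host-wide scan-verdict cache as an SVA would hold it (model, not Symantec code)."""
    defs_version: str
    verdicts: dict = field(default_factory=dict)  # (sha256 hex, defs_version) -> verdict
    scans_performed: int = 0

    def verdict_for(self, content: bytes, scan_engine) -> str:
        # Scan only when this content has not been seen under the current definitions.
        key = (hashlib.sha256(content).hexdigest(), self.defs_version)
        if key not in self.verdicts:
            self.scans_performed += 1
            self.verdicts[key] = scan_engine(content)
        return self.verdicts[key]

    def update_definitions(self, new_version: str) -> None:
        # New definitions may change a verdict, so entries from older defs must not be reused.
        self.defs_version = new_version
        self.verdicts = {k: v for k, v in self.verdicts.items() if k[1] == new_version}

def toy_engine(content: bytes) -> str:
    # Constructed stand-in for the AV engine: flags one marker string only.
    return "infected" if b"EICAR-LIKE-MARKER" in content else "clean"

def scan_host(guest_files: dict, cache: SharedInsightCache, engine=toy_engine) -> dict:
    # guest_files maps VM name -> list of file contents; returns VM name -> list of verdicts.
    return {vm: [cache.verdict_for(f, engine) for f in files] for vm, files in guest_files.items()}

# Constructed sample: three guests cloned from one image share most of their files.
BASE_IMAGE = [b"kernel32.dll contents", b"ntoskrnl.exe contents", b"explorer.exe contents"]
GUESTS = {
    "gvm-1": BASE_IMAGE + [b"user-report.docx contents"],
    "gvm-2": BASE_IMAGE + [b"user-photo.jpg contents"],
    "gvm-3": BASE_IMAGE + [b"dropper.exe EICAR-LIKE-MARKER"],
}

def run_demo():
    cache = SharedInsightCache(defs_version="defs-2012-05-01")
    verdicts = scan_host(GUESTS, cache)
    scans_first_pass = cache.scans_performed    # 6 scans cover 12 files: 3 shared + 3 unique
    cache.update_definitions("defs-2012-05-02")
    scan_host(GUESTS, cache)
    scans_after_update = cache.scans_performed  # 12: no stale verdict was reused
    return verdicts, scans_first_pass, scans_after_update
```

The first pass shows the de-duplication win (6 engine scans for 12 guest files); the second pass shows why the cache must be invalidated on every definition update rather than carrying verdicts across versions.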
Ferrari: “Shared Content” for Virtual Environments
– vShield Endpoint enabled Shared Antivirus Definitions
– Removes the need to update definitions in each Guest VM
– One update process per ESXi Host on the vShield enabled SVA
– Updated definitions available to guests immediately on start up with no update overhead
– Significantly improves performance in all environments: servers, non-persistent VDI and persistent VDI
– Solves key management issues with non-persistent VDI deployments
Goal: reduce IO and CPU from definition update process by 90+% at the host level
Shared Content (Definitions and Insight Cache)
[Diagram: Network – LiveUpdate, Network Based Defs Cache, SEP Clients. ESXi Host – SVA holding the Shared Insight Cache, GVM Clients, VMware vShield Endpoint / VMTools]
Virtual Infrastructure Still Requires Attention
SCSP MP3: Securing vSphere 5.0 Infrastructure – Protecting the Virtualization Management Universe
• Automate implementation of VMware Hardening Guidelines
• vCenter IPS Policy:
– Enhanced Windows Strict policy to protect application components including:
  · vCenter Server, vCenter Orchestrator, vCenter Update Mgr.
  · Infrastructure components, e.g., SQL Express DB, Tomcat, JRE
  · vCenter application program files and sensitive directories (certificates and logs)
– Restricts vCenter network port access to trusted programs
– Can protect the following tools accessing vCenter from desktops, laptops, client access VMs or even jump hosts:
  · vSphere Client, vSphere CLI, vSphere PowerCLI, vSphere Web Client
• vCenter IDS Policy Highlights:
– vCenter Windows Detection Policy
  · Pre-tuned Windows Baseline Policy detects user/group changes, login failures, etc.
– vCenter Application Detection Policy
  · Pre-tuned Windows Policy performs real-time FIM of vCenter binaries / configurations and monitors vCenter logs
  · Addresses gap in existing vCenter monitoring and log forwarding capabilities
[Diagram: VMware vCenter Server 5.0 (64-bit Windows OS) – vCenter Server, SQL DB, Tomcat Web Service, LDAP, CSP Agent. VMware ESXi – VMkernel, VM support and Resource Management, Infrastructure Agents (NTP, Syslog, etc.), VMware Management Framework, Agentless Hardware Monitoring, Agentless Systems Mgmt, vCLI for Config and Support, CSP Agent]
Virtual Security “Top-to-Bottom”
1. Hardened Infrastructure
• Hardening infrastructure (hypervisor kernel-level file monitoring, management hardening)
• Server management capabilities for patch, change management, discovery, inventory, etc.
2. Baseline Security for All VMs (agent-less for unmanaged VMs) through SVA
• Enhanced agent-less via Security Virtual Appliance enabling IPS, Deep Packet Inspection, File Integrity Monitoring, AV, etc.
• Zoning through workflow integration to drive actions based on security posture
3. Full Security for Managed VMs (agented) through SCSP and SEP
• In-guest agent thinning supporting introspection and differentiated security (Shared AV Definitions, reduced memory, etc.)
[Diagram: vServer Farm with a Hypervisor and SVA per host; Management Infrastructure; Cloud; Security; VDI; Host/VM. Legend: Hardened – Infrastructure hardened by SYMC; Baseline Security – Rogue VM protected agentlessly by SYMC; Full Security – VM fully protected with SYMC Agents (SCSP + SEP); Agentless]
Other Sessions to Attend
SEP:
• WE, 1:00-2:00, SR B20, Michael Marfise, Scott Sawoya, Symantec Endpoint Protection 12: Hundreds of Millions of New Pieces of Malware Mean You Have to Do Things Differently
• WE, 4:45-5:45, SR B27, Kevin Haley, Archana Rajan, SONAR, Insight, Skeptic and GIN - The Symantec Secret Sauce
LABS
• TH, 9:00-10:00, SR L06, Elisha Riedlinger, Migrating to Symantec Endpoint Protection 12.1
• TH, 10:15-11:15 & 1:00-2:00, SR L08, Paul Murgatroyd, Troubleshooting Symantec Endpoint Protection 12.1
• TH, 11:30-12:30, SR L07, Scott Sawoya, Configuring Protection Technologies with Symantec Endpoint Protection 12.1
SCSP:
• TH, 1:00-2:00, SR B22, Percy Wadia, Prashant Khandelwal, Stop Server Incursions and Unauthorized Access: How to Defend Against Common APT Attacks
LABS
• WE, 3:30-4:30, SR L21, Colin Gibbens, Protect Servers and Defend Against APTs with Symantec Critical System Protection
• TH, 9:00-10:00, SR L22, Colin Gibbens, Lock Down a Virtual Environment with Symantec Critical System Protection
Protection Engine:
• TH, 1:00-2:00, SR B11, Ian McShane, Symantec Protection Engine: for Cloud Services and Storage
Additional Resources
Symantec Virtualization Security site on symantec.com
• http://go.symantec.com/virtualization-security
– “Securing the Virtual Data Center” white paper
– VMware and Symantec Joint Press Release – http://bit.ly/yQ6dxH
– Solution overviews
• Coming Soon:
– VDI Best Practices White Paper
– Joint VMware Reference Architecture
Thank you!
Copyright © 2012 Symantec Corporation. All rights reserved. Symantec and the Symantec Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners.
This document is provided for informational purposes only and is not intended as advertising. All warranties relating to the information in this document, either express or implied, are disclaimed to the maximum extent allowed by law. The information in this document is subject to change without notice.
Chip Epps [email protected]
Papi Menon [email protected]