Copyright 2011 Trend Micro Inc.
Peter Cresswell - Trend Micro Canada CISSP ISSAP CISA CISM
Virtualization Security: Physical. Virtual. Cloud.
VMWorld 2011: Partners for Security
Improves Security
by providing the most
secure virtualization infrastructure,
with APIs, and certification programs
Improves Virtualization
by providing security solutions
architected to fully exploit
the VMware platform
• VMware #1 Security Partner
• Trend Micro: 2011 Technology Alliance Partner of the Year
Journey to the Cloud
Physical: Windows/Linux/Solaris
Virtual: Server Virtualization, Desktop Virtualization
Cloud: Private Cloud, Hybrid Cloud, Public Cloud
Threat Landscape
• Malware
• Advanced Persistent Threats
• Botnets
• Espionage
Millions of computers have been compromised by ZeuS. Trend Micro finds that over 70% of enterprise networks contain active malware.
Key Trends: Data-centric threat environment
Number of days until a vulnerability is first exploited after the patch is made available:
2003  MS-Blast      28 days
2004  Sasser        18 days
2005  Zotob         10 days
2006  WMF           zero-day
2010  IE zero-day   zero-day
Exploits are happening before patches are developed.
Attacks are more profitable, more sophisticated, more frequent and more targeted.
Threats are more targeted
RSA Europe: Two groups from the same country teamed up to launch a sophisticated attack against RSA Security's systems last March, EMC's security division said.
Unspecified information gained during the attack paved the way towards an unsuccessful attack against a defence contractor (self-identified as Lockheed Martin), senior RSA execs said during the opening of the RSA Conference in London on Tuesday.
"Two groups were involved in the attack," Thomas Heiser, RSA Security president, said during a keynote at the conference. "Both are known to authorities but they have never worked together before."
"The attack involved a lot of preparation," he added.
Trend Micro Confidential 12/22/2011 7
The Register
Key Trends: Compliance Imperative
More standards
• PCI, SAS70, HIPAA, ISO 27001, FISMA / NIST 800-53, MITS…
More specific security requirements
• Virtualization, Web applications, EHR, PII…
More penalties & fines
• HITECH, breach notifications, civil litigation
• PIPEDA: risk-based breach notification. Bill C-29 would make breach notification mandatory.
• Alberta PIPA: Bill 54, amended May 2010, mandates notification of breaches.
• Quebec: QPPIPS is similar to PIPEDA with additional civil liabilities.
• California SB 1386: notification of breaches of unencrypted data
• Industry regulations: HITECH, HIPAA, PCI, SOX, FISMA, Basel II…
Identifying Security Challenges in the Virtual/Cloud
• New platforms don't change the threat landscape
• Each platform adds unique security risks
The Fundamentals
Many third party courses and best practices covering:
• Hypervisor lockdown
• Virtual Network design and configuration
• VM security configuration
• VDI security architecture and configuration
• Storage security issues
SANS 579: Virtualization Security Architecture and Design
P2V: Security Challenge
Virtualization is driven by:
• increased density
• consolidated resources
• 'green' IT
Yet "virtually unaware" security controls directly impact the organization's ability to achieve the desired performance, density and ROI goals.
Virtualization Security Inhibitors
1. Resource Contention: Antivirus Storm
A typical AV console schedules a 3:00am scan on every VM; the automatic antivirus scans overburden the system.
2. Instant-on Gaps
Active VMs go dormant and are later reactivated with out-of-date security.
New VMs: cloned VMs must have a configured agent and updated pattern files.
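The two inhibitors above can be checked from an inventory before they bite. The following is an added example, not code from the Trend Micro deck or from Deep Security: given VM records (host, power state, agent presence, last pattern update, scheduled scan time), it flags instant-on gaps (dormant or cloned VMs whose protection is missing or stale under an assumed one-day freshness policy), finds hosts where too many scans start in the same slot, and produces a staggered schedule. The inventory, the thresholds and the field names are constructed for illustration; in practice the records would come from vCenter and the AV console.

```python
# Added example (not from the Trend Micro deck): inventory checks for two of the
# inhibitors above, the 3:00am "AV storm" and the "instant-on gap". The VM records
# and the freshness policy are constructed for illustration; a real run would pull
# them from vCenter and the AV management console.
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

MAX_PATTERN_AGE = timedelta(days=1)   # assumed policy: patterns older than this are stale


@dataclass
class VM:
    name: str
    host: str                         # hypervisor the VM lives on
    powered_on: bool
    agent_installed: bool
    pattern_date: Optional[datetime]  # last AV pattern update seen inside the guest
    scan_time: str = "03:00"          # scheduled daily scan start, HH:MM


def instant_on_gaps(vms: List[VM], now: datetime) -> List[Tuple[str, str]]:
    """VMs that are unprotected now, or would be the moment they are powered on."""
    gaps = []
    for vm in vms:
        if not vm.agent_installed:
            gaps.append((vm.name, "no agent"))
        elif vm.pattern_date is None:
            gaps.append((vm.name, "never updated"))
        elif now - vm.pattern_date > MAX_PATTERN_AGE:
            state = "running" if vm.powered_on else "dormant"
            gaps.append((vm.name, f"stale patterns ({state})"))
    return gaps


def scan_storms(vms: List[VM], max_concurrent: int = 2) -> Dict[Tuple[str, str], List[str]]:
    """Per (host, scan slot): the VMs whose scheduled scans overlap beyond the allowed count."""
    slots: Dict[Tuple[str, str], List[str]] = {}
    for vm in vms:
        if vm.powered_on and vm.agent_installed:
            slots.setdefault((vm.host, vm.scan_time), []).append(vm.name)
    return {slot: names for slot, names in slots.items() if len(names) > max_concurrent}


def stagger_scans(vms: List[VM], start: str = "03:00", step_minutes: int = 30,
                  max_concurrent: int = 2) -> Dict[str, str]:
    """Assign each host's VMs to successive slots so at most max_concurrent scan together."""
    base = datetime.strptime(start, "%H:%M")
    per_host: Dict[str, int] = {}
    schedule: Dict[str, str] = {}
    for vm in sorted(vms, key=lambda v: (v.host, v.name)):
        if not (vm.powered_on and vm.agent_installed):
            continue
        position = per_host.get(vm.host, 0)
        slot = base + timedelta(minutes=step_minutes * (position // max_concurrent))
        schedule[vm.name] = slot.strftime("%H:%M")
        per_host[vm.host] = position + 1
    return schedule


NOW = datetime(2011, 12, 22, 9, 0)          # constructed "current time"
INVENTORY = [                               # constructed sample inventory
    VM("web01", "esx1", True, True, NOW - timedelta(hours=3)),
    VM("web02", "esx1", True, True, NOW - timedelta(hours=3)),
    VM("db01", "esx1", True, True, NOW - timedelta(hours=5)),
    VM("app01", "esx1", True, True, NOW - timedelta(hours=1)),
    VM("old01", "esx2", False, True, NOW - timedelta(days=40)),  # dormant, stale patterns
    VM("clone7", "esx2", True, False, None),                     # cloned, agent never configured
]

if __name__ == "__main__":
    print("instant-on gaps:", instant_on_gaps(INVENTORY, NOW))
    print("AV storms:", scan_storms(INVENTORY))
    print("staggered schedule:", stagger_scans(INVENTORY))
```

The staggering only spreads the agents' scan windows; it does not remove the per-VM agents, which is why the deck's answer to these two inhibitors is to move scanning into a separate appliance instead.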
3. Inter-VM Attacks / Blind Spots
Attacks can spread across VMs.
4. Complexity of Management
VM sprawl inhibits compliance: patching agents, rolling out patterns, provisioning new VMs, reconfiguring agents.
Deep Security 8
A Server Security Platform for Physical, Virtual, Cloud
Available Aug 30, 2011
The Deep Security server security platform
Server, application and data security for physical, virtual and cloud environments:
• Deep Packet Inspection: IDS / IPS, Web Application Protection, Application Control
• Firewall
• Integrity Monitoring
• Antimalware
• Log Inspection
Server-Centric Security
Traditional perimeter layout (diagram dated 5/28/2009): a "De-Militarized Zone" (DMZ) in front of mission-critical servers and business servers / endpoints, with firewalls, IDS/IPS and a malware gateway at the network boundary.
Server-centric security applies those controls on the server itself: firewall & IDS/IPS, file integrity monitoring & log inspection, and anti-malware.
Deep Security 8 Agent
• New agent-based AV for physical Windows and Linux* systems, virtual servers, and virtual desktops in local mode
• Web reputation services, through integration with the Smart Protection Network, protect systems/users from access to malicious websites
Agent modules: Web Reputation Services, Anti-malware, Deep Packet Inspection, Integrity Monitoring, Firewall, Log Inspection (VDI local mode)
Trend Micro Deep Security: server & application protection
5 protection modules
• Deep Packet Inspection
  – IDS / IPS: detects and blocks known and zero-day attacks that target vulnerabilities
  – Web Application Protection: shields web application vulnerabilities
  – Application Control: provides increased visibility into, or control over, applications accessing the network
• Firewall: reduces attack surface; prevents DoS & detects reconnaissance scans
• Integrity Monitoring: detects malicious and unauthorized changes to directories, files, registry keys…
• Log Inspection: optimizes the identification of important security events buried in log entries
• Anti-Virus: detects and blocks malware (web threats, viruses & worms, Trojans)
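The Integrity Monitoring module is described in one line above; the following added example (not code from the Trend Micro deck or from Deep Security) shows the mechanism behind that line: take a baseline of a file tree (content hash, size, permission bits per file), take a second snapshot later, and report what was added, removed or modified, with a policy exclusion for files that are expected to change. The directory tree, the tampering and the `.log` exclusion are constructed inside a temporary directory so the example runs offline; registry keys, which the module also covers, are not modelled.

```python
# Added example (not from the Trend Micro deck): a minimal file integrity check of the
# kind the Integrity Monitoring module performs: take a baseline of a tree, then report
# files that were added, removed or modified, ignoring paths the policy excludes. The
# tree and the "tampering" below are constructed inside a temporary directory.
import hashlib
import os
import tempfile
from typing import Dict, List, Tuple

Entry = Tuple[str, int, int]   # (sha256 hex digest, size in bytes, permission bits)


def snapshot(root: str, ignore_suffixes: Tuple[str, ...] = (".log",)) -> Dict[str, Entry]:
    """Hash every regular file under root, keyed by its POSIX-style relative path."""
    baseline: Dict[str, Entry] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.endswith(ignore_suffixes):   # noisy, expected-to-change files
                continue
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            digest = hashlib.sha256()
            with open(full, "rb") as f:
                for chunk in iter(lambda: f.read(65536), b""):
                    digest.update(chunk)
            st = os.stat(full)
            baseline[rel] = (digest.hexdigest(), st.st_size, st.st_mode & 0o777)
    return baseline


def compare(baseline: Dict[str, Entry], current: Dict[str, Entry]) -> Dict[str, List[str]]:
    """Classify the differences between two snapshots."""
    before, after = set(baseline), set(current)
    return {
        "added": sorted(after - before),
        "removed": sorted(before - after),
        "modified": sorted(p for p in before & after if baseline[p] != current[p]),
    }


def _write(root: str, rel: str, data: bytes, mode: str = "wb") -> None:
    path = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, mode) as f:
        f.write(data)


def demo() -> Dict[str, List[str]]:
    """Constructed scenario: baseline a small tree, tamper with it, diff it."""
    with tempfile.TemporaryDirectory() as root:
        _write(root, "bin/httpd", b"ELF original binary")
        _write(root, "etc/passwd", b"root:x:0:0:root:/root:/bin/sh\n")
        _write(root, "etc/hosts.allow", b"sshd: 10.0.0.0/8\n")
        _write(root, "var/log/access.log", b"GET / 200\n")
        base = snapshot(root)

        _write(root, "bin/httpd", b"ELF trojaned binary")                   # binary replaced
        _write(root, "etc/passwd", b"eve:x:0:0::/:/bin/sh\n", mode="ab")    # extra uid 0 account
        os.remove(os.path.join(root, "etc", "hosts.allow"))                 # access control dropped
        _write(root, "etc/cron.d/nightly", b"* * * * * root /tmp/x\n")     # persistence added
        _write(root, "var/log/access.log", b"GET /admin 200\n", mode="ab")  # ignored by policy
        return compare(base, snapshot(root))


if __name__ == "__main__":
    print(demo())
```

An agent running this inside the guest is exactly what a rootkit with kernel access can blind, which is the motivation for the agentless variant the deck describes later: the baseline and the comparison run in a separate appliance that the guest cannot tamper with.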
Over 100 applications protected: Deep Security rules shield vulnerabilities in these common applications
Operating systems: Windows (2000, XP, 2003, Vista, 2008, 7), Sun Solaris (8, 9, 10), Red Hat EL (4, 5), SuSE Linux (10, 11)
Database servers: Oracle, MySQL, Microsoft SQL Server, Ingres
Web app servers: Microsoft IIS, Apache, Apache Tomcat, Microsoft SharePoint
Mail servers: Microsoft Exchange Server, Merak, IBM Lotus Domino, Mdaemon, Ipswitch IMail, MailEnable Professional
FTP servers: Ipswitch, War FTP Daemon, Allied Telesis
Backup servers: Computer Associates, Symantec, EMC
Storage mgt servers: Symantec, Veritas
DHCP servers: ISC DHCPD
Desktop applications: Microsoft (Office, Visual Studio, Visual Basic, Access, Visio, Publisher, Excel Viewer, Windows Media Player), Kodak Image Viewer, Adobe Acrobat Reader, Apple QuickTime, RealNetworks RealPlayer
Mail clients: Outlook Express, MS Outlook, Windows Vista Mail, IBM Lotus Notes, Ipswitch IMail Client
Web browsers: Internet Explorer, Mozilla Firefox
Anti-virus: Clam AV, CA, Symantec, Norton, Trend Micro, Microsoft
Other applications: Samba, IBM WebSphere, IBM Lotus Domino Web Access, X.Org, X Font Server prior, Rsync, OpenSSL, Novell Client
vShield: Securing the Private Cloud End to End, from the Edge to the Endpoint
• Edge: vShield Edge secures the edge of the virtual datacenter
• Security Zone: vShield App and Zones provide application protection from network-based threats
• Endpoint (= VM): vShield Endpoint enables offloaded anti-virus
Diagram: two virtual datacenters, each protected by VMware vShield and containing DMZ, PCI-compliant and HIPAA-compliant zones, managed through the VMware vShield Manager web view.
Deep Security 8 Agentless Security for VMware
A Trend Micro Deep Security security virtual machine on vSphere, integrated with vCenter, delivers:
1. Agentless, via the VMsafe APIs: IDS / IPS, Web Application Protection, Application Control, Firewall
2. Agentless, via vShield Endpoint: Anti-Virus
3. Agentless, via vShield Endpoint: Integrity Monitoring
4. Agent-based (security agent on individual VMs): Log Inspection
Agentless Anti-Virus
The idea: agent-less anti-virus for VMware, protecting virtualized desktops and datacenters.
The components:
• Trend Micro Deep Security Anti-malware: a virtual appliance that detects and blocks malware (web threats, viruses & worms, Trojans).
• VMware vShield Endpoint: enables offloading of antivirus processing to Trend Micro Deep Security Anti-malware, a dedicated, security-hardened VM.
Customer benefits: better manageability, higher consolidation, faster performance, stronger security.
Differentiator: the first and only agentless anti-virus solution architected for VMware.
Agentless Integrity Monitoring
The old way: an integrity-monitoring agent in every VM. With agent-less integrity monitoring: one security virtual appliance serves all the VMs on the host.
• Zero added footprint: integrity monitoring in the same virtual appliance that also provides agentless AV and Deep Packet Inspection
• Stronger security: expands the scope of protection to hypervisors
• Better manageability: order-of-magnitude savings
• Faster performance: the virtual appliance avoids performance degradation from FIM storms
Agent-less Security Architecture
VMware platform: vSphere on ESX 4.1, managed by vCenter and vShield Manager (VI Admin); a vShield Endpoint ESX module runs in the hypervisor.
Guest VMs: applications, OS, kernel and (virtual) BIOS, plus a vShield Endpoint thin driver in each guest.
Trend Micro Deep Security Virtual Appliance, managed by the Deep Security Manager (Security Admin):
• via the vShield Endpoint API: Anti-Malware (real-time scan; scheduled & manual scan) and FIM
• via the VMsafe-net API and the Trend Micro filter driver: Network Security, i.e. IDS/IPS (Web App Protection, Application Control) and Firewall
Legend of the diagram: Trend Micro product components, vShield Endpoint components, VMware platform.
Virtualization: Addressing Security Inhibitors
1. Resource Contention: agentless security services from a separate scanning VM
2. Instant-on Gaps: dedicated scanning VMs with layered protection
3. Inter-VM Attacks / Blind Spots: VM-aware security with virtualization platform integration
4. Complexity of Management: integration with virtualization management consoles such as VMware vCenter
Deep Security for Virtualization: security built for virtualization helps maximize consolidation rates, operational efficiencies and cost savings.
Deep Security: Agentless Security Benefits
• Higher VM density
  – Agentless AV enables 2-3 times more desktop VMs
  – Enables 40-60% more server VMs
• Better manageability
  – No security agents to configure, update & patch
  – Integrated AV, FIM & IDS/IPS simplifies security management
• Stronger security
  – Added security (FIM, IDS/IPS, etc.) through the virtual appliance
  – Instant-on protection
  – Tamper-proofing
• Faster performance
  – Freedom from AV and FIM storms
(Previously: agentless server security platform)
Deep Security for Virtual Patching: shield vulnerabilities in critical systems until, or without, patching.
Four Key Strategies:
• patching applications and always using the latest version of an application;
• keeping operating systems patched;
• keeping admin rights under strict control (and forbidding the use of administrative accounts for e-mail and browsing);
• whitelisting applications.
Recap: Virtual Patching with Deep Security
Raw traffic passes through four stages of deep packet inspection before it becomes filtered traffic:
1. Stateful Firewall: allow known good
2. Exploit Rules: stop known bad
3. Vulnerability Rules: shield known vulnerabilities
4. Smart Rules: shield unknown vulnerabilities and protect specific applications
Over 100 applications shielded, including: operating systems, database servers, web app servers, mail servers, FTP servers, backup servers, storage management servers, DHCP servers, desktop applications, mail clients, web browsers, anti-virus, other applications.
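The four stages above differ in what they match on, and the difference matters for virtual patching: an exploit rule matches the bytes of one known attack, whereas a vulnerability rule matches the condition that triggers the bug, so a variant with different shellcode or a different URL is still stopped. The following is an added example, not code from the Trend Micro deck or from Deep Security, that runs a toy version of the pipeline over constructed HTTP requests. The allowed ports, the exploit signature, the 256-byte header limit standing in for an overflow threshold, and the protocol-conformance rule are all made up for illustration and are not Deep Security rule content.

```python
# Added example (not from the Trend Micro deck): a toy version of the four-stage
# pipeline above, run over constructed HTTP requests. The allowed ports, the exploit
# signature, the header-length limit and the protocol rule are all made up for
# illustration and are not Deep Security rule content.
import re
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple


@dataclass
class Packet:
    src: str
    dst_port: int
    payload: bytes


ALLOWED_PORTS = {80, 443}                                  # stage 1: allow known good
KNOWN_EXPLOITS = [b"/cgi-bin/exploit.pl?cmd="]             # stage 2: stop known bad (constructed signature)
MAX_HEADER_LEN = 256                                       # stage 3: hypothetical overflow threshold
PROTOCOL_RULES = {80: re.compile(rb"^(GET|POST|HEAD) \S+ HTTP/1\.[01]\r\n")}  # stage 4: per-application sanity


def firewall(p: Packet) -> bool:
    """Port allow-list; a real stateful firewall would also track connection state."""
    return p.dst_port in ALLOWED_PORTS


def exploit_rules(p: Packet) -> bool:
    """Match the bytes of a specific, already-seen exploit."""
    return not any(sig in p.payload for sig in KNOWN_EXPLOITS)


def vulnerability_rules(p: Packet) -> bool:
    """Shield the vulnerable condition itself (an over-long header), so an exploit
    variant with different shellcode or a different URL still hits the rule."""
    for line in p.payload.split(b"\r\n"):
        if b":" in line and len(line) > MAX_HEADER_LEN:
            return False
    return True


def smart_rules(p: Packet) -> bool:
    """Protocol-conformance check for the application behind the port."""
    rule = PROTOCOL_RULES.get(p.dst_port)
    return rule is None or rule.match(p.payload) is not None


STAGES: List[Tuple[str, Callable[[Packet], bool]]] = [
    ("firewall", firewall),
    ("exploit", exploit_rules),
    ("vulnerability", vulnerability_rules),
    ("smart", smart_rules),
]


def inspect(p: Packet) -> Tuple[str, Optional[str]]:
    """Run the stages in order; return ("allow", None) or ("drop", blocking_stage)."""
    for name, check in STAGES:
        if not check(p):
            return ("drop", name)
    return ("allow", None)


SAMPLES = [  # constructed traffic
    Packet("10.0.0.5", 80, b"GET /index.html HTTP/1.1\r\nHost: intranet\r\n\r\n"),
    Packet("10.0.0.5", 23, b"login: admin\r\n"),
    Packet("10.0.0.5", 80, b"GET /cgi-bin/exploit.pl?cmd=id HTTP/1.1\r\nHost: x\r\n\r\n"),
    Packet("10.0.0.5", 80, b"GET / HTTP/1.1\r\nHost: " + b"A" * 300 + b"\r\n\r\n"),
    Packet("10.0.0.5", 80, b"\x00\x01\x02 not http at all"),
    Packet("10.0.0.5", 443, b"\x16\x03\x01\x00\x05hello"),
]

if __name__ == "__main__":
    for pkt in SAMPLES:
        print(pkt.dst_port, inspect(pkt))
```

The fourth sample is the point of the exercise: it carries none of the known exploit bytes, so the exploit stage lets it through, but the vulnerability stage drops it because the header it sends is the condition the hypothetical patch would fix. The last sample shows why stage 4 is per application: there is no rule for port 443 in this toy, so TLS bytes that would fail the HTTP check are not touched.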
Deep Security for Compliance: a security and compliance solution that addresses multiple PCI and other regulatory requirements cost-effectively.
Recap: Deep Security for PCI compliance
Addressing 7 PCI DSS requirements and 20+ sub-controls, including:
• (1.) Network Segmentation
• (1.x) Firewall
• (5.x) Anti-virus
• (6.1) Virtual Patching*
• (6.6) Web App. Protection
• (10.6) Daily Log Review
• (11.4) IDS / IPS
• (11.5) File Integrity Monitoring
* Compensating control
Modules: Deep Packet Inspection (IDS / IPS, Web Application Protection, Application Control), Firewall, Integrity Monitoring, Log Inspection, Anti-Malware; for physical servers, virtual servers, cloud computing, endpoints & devices.
Emerging Governance
• PCI Virtualization Special Interest Group (SIG) formed during the 2009 RSA Conference
  – SIG objective: provide clarification on the use of virtualization in accordance with the PCI DSS
  – After a 2+ year process, the SIG submitted recommendations to the PCI SSC working group for consideration
  – Trend has been a contributing member of the SIG from the very first call
  – Opinions on the SIG varied widely:
    • Leading edge: embrace virtualization and the direction towards cloud computing
    • Conservative: recommend dedicated hypervisor environments and restrict consolidation of system components; defer use of the cloud
Cloud is a computing style, not a location…
Stages: Server Virtualization → Private Cloud → Hybrid Cloud → Public Cloud
Drivers: consolidation, flexibility, speed, IaaS, agility, cost management, peak-load flexibility, integration of 3rd-party solutions, capital expense elimination, flexibly matching cost to demand
"Virtualization will inevitably lead to Cloud Computing models" (Gartner, 2011)
Adoption of Cloud Computing
Businesses are moving into the cloud:
• Gartner: 15% of workloads will be cloud based by 2014
• Information Week: 17% of businesses in public cloud; 28% using, 30% planning for private cloud
But for businesses to truly invest in the cloud, it…
• must be interchangeable with on-site data center deployments
• must retain similar levels of security and control
• must provide data privacy and support compliance requirements
Public IaaS Clouds: Security and Privacy are #1 Concerns
• Your data is mobile: has it moved?
• Who can see your information?
• Who is attaching to your volumes?
• Do you have visibility into who has accessed your data?
Risks illustrated: data can be moved and leave residual data behind; rogue server access; no visibility into data access. (The sample record in the diagram, "Name: John Doe, SSN: 425-79-0053, Visa #: 4456-8732…", stands for the sensitive data at stake.)
Who is responsible for security?
• With IaaS the customer is responsible for the security of what runs on the infrastructure (guest OS, applications and data)
• With SaaS or PaaS the service provider is responsible for the security of the service
  – Not all SaaS or PaaS services are secure
  – An insecure service can compromise the endpoints that connect to it
  – Endpoint security becomes critical
Who has control? From end-user (enterprise) control to service-provider control: servers, virtualization & private cloud → public cloud IaaS → public cloud PaaS → public cloud SaaS.
So who is responsible?
The majority of cloud computing providers surveyed do not believe their organization views the
security of their cloud services as a competitive advantage. Further, they do not consider cloud
computing security as one of their most important responsibilities and do not believe their
products or services substantially protect and secure the confidential or sensitive information of
their customers.
The majority of cloud providers believe it is their customer’s responsibility to secure the cloud
and not their responsibility. They also say their systems and applications are not always
evaluated for security threats prior to deployment to customers.
Buyer beware – on average providers of cloud computing technologies allocate 10 percent or
less of their operational resources to security and most do not have confidence that customers’
security requirements are being met.
Cloud providers in our study say the primary reasons why customers purchase cloud resources
are lower cost and faster deployment of applications. In contrast, improved security or
compliance with regulations is viewed as an unlikely reason for choosing cloud services.
The majority of cloud providers in our study admit they do not have dedicated security
personnel to oversee the security of cloud applications, infrastructure or platforms.
Source: study conducted by Ponemon Institute LLC, publication date April 2011.
Accountability
• Ultimately who is responsible will pale beside the governance which dictates who is accountable
• Accountability will rest with the data owner by most governance regimes
• Cloud computing due diligence means you must own and control your data – wherever it resides and moves
Working on Cloud GRC
Cloud Security Alliance GRC Stack
The Cloud Security Alliance GRC Stack provides a toolkit for
enterprises, cloud providers, security solution providers, IT auditors
and other key stakeholders to instrument and assess both private and
public clouds against industry established best practices, standards
and critical compliance requirements
https://cloudsecurityalliance.org/
Data Protection in the Cloud: What is the Solution?
Encryption with policy-based key management, for data such as patient medical records, credit card payment information, sensitive research results and social security numbers.
• AES encryption: 128, 192 & 256 bits
• Policy-based key management
• Auditing, reporting & mobility
Benefits:
• Compliance support
• Custody of keys: SaaS or virtual appliance
• No vendor lock-in
• Trusted server access
• Control for when and where data is accessed
• Unreadable to outsiders
• Obscured data on recycled devices
Cloud Security – Modular Protection
Security that travels with the VM: compliance, template integrity, VM isolation, real-time protection, data protection.
Self-Defending VM Security in the Cloud
• Agent on the VM allows travel between cloud solutions
• One management portal for all modules
• SaaS security deployment option
Total Cloud Protection: system, application and data security in the cloud
SecureCloud 2: encryption with policy-based key management (for patient medical records, credit card payment information, sensitive research results, social security numbers)
• Data is unreadable to unauthorized users
• Policy-based key management controls and automates key delivery
• Server validation authenticates servers requesting keys
Deep Security 8: modular, context-aware protection for servers and applications
• Self-defending VM security in the cloud
• Agent on the VM allows travel between cloud solutions
• One management portal for all modules
SecureCloud 2 Enterprise Deployment Options
• Key management deployment options: the Trend Micro SaaS solution, or a software application in your own data center (SecureCloud Console)
• Encryption support: virtual machines in private clouds (vSphere) and in public clouds
SecureCloud – New In 2.0
• FIPS 140-2 certification
  – Exchange of the Mobile Armor encryption agent
  – Gives Trend access to Fed / Gov accounts
• DSM (Deep Security Manager) integration
  – Greatly improves the ability to build robust authentication policies
  – Begins integration of two cutting-edge technologies
  – Additional integration: unified management console
• Total Cloud Protection bundle
  – New bundle connects both products
  – Gives protection across all infrastructures: physical, virtual, cloud (PVC)
  – Defines a place to manage and protect all future environments
SecureCloud Benefits
• Access cloud economics and agility by removing data privacy concerns.
• Segregate data of varied trust levels to avoid breach and insider threat
• Reduce complexity and costs with policy-based key management
• Boost security with identity- and integrity-based server authentication
• Move freely among clouds knowing that remnant data is unreadable
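The deck says twice that keys are released under policy and only to servers that pass identity- and integrity-based validation (the SecureCloud 2 description above and the benefits list just here). The following added example, which is not code from the Trend Micro deck or from SecureCloud, shows what such a key-release exchange looks like end to end: the key server issues a single-use challenge, the requesting server answers with its claims (image hash, location) and an HMAC over challenge and claims using a secret provisioned at enrollment, and the server releases the volume's data key only if the proof verifies and the claims satisfy the volume's policy, writing an audit record either way. Every identifier, secret, policy and clock value is constructed for illustration; encrypting the volume with the released key (AES in the product) and the transport protecting the exchange are outside the snippet.

```python
# Added example (not from the Trend Micro deck or SecureCloud): a policy-based key
# server that releases a volume's data key only after validating the requesting
# server's identity (HMAC challenge-response with an enrolled secret) and its
# integrity/location claims against policy, logging every decision for audit.
# Secrets, policies, clocks and keys are constructed for illustration; encrypting the
# volume with the released key (AES in the product) is outside this snippet.
import hashlib
import hmac
import json
import os
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple


def canonical(claims: dict) -> bytes:
    """Deterministic encoding so the proof binds every claim the server evaluates."""
    return json.dumps(claims, sort_keys=True).encode()


def prove(secret: bytes, nonce: bytes, claims: dict) -> bytes:
    """Requesting server: HMAC over the challenge and the claims with the enrolled secret."""
    return hmac.new(secret, nonce + canonical(claims), hashlib.sha256).digest()


class KeyServer:
    def __init__(self) -> None:
        self.enrolled: Dict[str, bytes] = {}    # server id -> secret provisioned at enrollment
        self.data_keys: Dict[str, bytes] = {}   # volume id -> 256-bit data key
        self.policies: Dict[str, dict] = {}     # volume id -> release policy
        self.audit: List[dict] = []             # every decision, granted or denied
        self._nonces: Dict[str, bytes] = {}     # outstanding single-use challenges

    def enroll(self, server_id: str, secret: bytes) -> None:
        self.enrolled[server_id] = secret

    def add_volume(self, volume_id: str, policy: dict) -> None:
        self.data_keys[volume_id] = os.urandom(32)
        self.policies[volume_id] = policy

    def challenge(self, server_id: str) -> bytes:
        nonce = os.urandom(16)
        self._nonces[server_id] = nonce
        return nonce

    def request_key(self, server_id: str, volume_id: str, claims: dict, proof: bytes,
                    now: Optional[datetime] = None) -> Tuple[Optional[bytes], str]:
        now = now or datetime.now(timezone.utc)
        nonce = self._nonces.pop(server_id, None)     # consumed even on failure: no replay
        secret = self.enrolled.get(server_id)
        policy = self.policies.get(volume_id)
        if secret is None or policy is None or nonce is None:
            reason = "unknown server or volume, or no outstanding challenge"
        elif not hmac.compare_digest(prove(secret, nonce, claims), proof):
            reason = "identity check failed"                       # wrong secret or claims altered
        elif claims.get("image_sha256") not in policy["allowed_images"]:
            reason = "integrity check failed: unapproved image"
        elif claims.get("location") not in policy["allowed_locations"]:
            reason = "location not permitted"
        elif not (policy["hours"][0] <= now.hour < policy["hours"][1]):
            reason = "outside permitted access window"
        else:
            reason = "ok"
        granted = reason == "ok"
        self.audit.append({"time": now.isoformat(), "server": server_id, "volume": volume_id,
                           "claims": claims, "granted": granted, "reason": reason})
        return (self.data_keys[volume_id] if granted else None), reason


def demo() -> List[Tuple[bool, str]]:
    """Constructed scenario: one enrolled server, one cardholder-data volume, five requests."""
    ks = KeyServer()
    secret = b"enrolled-secret-for-web-vm-01"                          # constructed
    golden = hashlib.sha256(b"approved golden image").hexdigest()       # constructed image hash
    rogue = hashlib.sha256(b"modified image").hexdigest()
    ks.enroll("web-vm-01", secret)
    ks.add_volume("vol-cardholder-db", {"allowed_images": {golden},
                                         "allowed_locations": {"private-dc", "public-iaas-zone-a"},
                                         "hours": (6, 22)})
    day = datetime(2011, 12, 22, 9, 0, tzinfo=timezone.utc)             # constructed clock
    night = datetime(2011, 12, 22, 23, 0, tzinfo=timezone.utc)
    good = {"image_sha256": golden, "location": "public-iaas-zone-a"}

    def attempt(claims, signed=None, when=day, fresh=True):
        nonce = ks.challenge("web-vm-01") if fresh else os.urandom(16)  # not fresh: replay/guess
        key, why = ks.request_key("web-vm-01", "vol-cardholder-db", claims,
                                  prove(secret, nonce, signed or claims), when)
        return (key is not None, why)

    return [
        attempt(good),                                                    # granted
        attempt(dict(good, image_sha256=rogue)),                          # booted from altered image
        attempt(dict(good, location="unknown-cloud"), signed=good),       # claims changed after signing
        attempt(good, fresh=False),                                       # no outstanding challenge
        attempt(good, when=night),                                        # outside the window
    ]


if __name__ == "__main__":
    for granted, reason in demo():
        print("granted" if granted else "denied ", reason)
```

The proof covers the claims, so a server cannot present one set of claims to the key server and run with another; the challenge is consumed on first use, so a captured proof cannot be replayed; and the audit list is what answers the earlier question "who has accessed your data?".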
Securing Your Journey to the Cloud: Use Data Center Security to Drive Your Business Forward
Physical: Reduce Complexity
• Integrate security: server, web, email, endpoint, network
• Improve security and availability
• Lower costs
Virtual: Increase Efficiency
• Apply VM-aware security
• Ensure higher VM densities
• Get better performance and better protection
Cloud: Deliver Agility
• Encrypt with policy-based key management
• Deploy self-defending VMs in the cloud
• Use security that travels with your data
Rethinking Security Controls in a Cloud-Service Environment
The end of 'physical' thinking
Focus on the Data Center
– Protection focused on (v)applications and data
Security controls are a property of the virtual application
– not the device where it is accessed
– not the plumbing on which it is executed
You are accountable for your data
– whatever cloud it lives in
– own your data protection controls
Deep Security Summary of highlights
• A fully integrated server security platform
• Only solution to offer specialized protection for physical, virtual and cloud
• First and only agentless anti-malware: nearly 1,000 customers have purchased
• Only solution to also offer agentless FW, IDS/IPS and FIM in the same appliance
• Only solution in its category to be FIPS and EAL4+ certified
• Top ratings for virtualization security
Charts: Trend Micro 22.9% vs. all others 77.1% (source: Worldwide Endpoint Security 2010-2014 Forecast and 2009 Vendor Shares, IDC); Trend Micro 13% vs. all others combined 87% (source: 2011 Technavio, Global Virtualization Security Management Solutions)
Trend Micro: VMware #1 Security Partner and 2011 Technology Alliance Partner of the Year
2008
• Feb: Join VMsafe program
• RSA: Trend Micro announces coordinated approach & virtual pricing and shows VMsafe demo
• VMworld: Trend Micro virtsec customer
2009
• May: Trend acquires Third Brigade
• RSA: Trend Micro announces virtual appliance
• July: CPVM GA
• Nov: Deep Security 7 with virtual appliance
• Q4: Joined EPSEC vShield program
2010
• RSA: Trend Micro demos agentless; sale of DS 7.5 before GA
• VMworld: Announce Deep Security 7.5
• Dec: Deep Security 7.5 with agentless anti-virus
• 2010: >100 customers, >$1M revenue
2011
• Q1: VMware buys Deep Security for internal VDI use
• VMworld: Announce Deep Security 8 & vShield OEM