IS B10 - Securing Your Virtual Data Centers: The Future of Endpoint and Server Security
Paul Murgatroyd Principal Product Manager
Chip Epps Principal Product Manager
WE, 09:00-10:00
SYMANTEC VISION 2012
Agenda
1. The Virtual Data Center
2. Monitoring ESXi and Hardening vCenter
3. Protecting the Guest
4. SEP, SCSP, and “DCP” Roadmaps
5. Resources
There are really two points to consider:
[Diagram: a virtual data center. A management server (with load balancing, backup and HA) controls a hypervisor (SMP, storage) that hosts many virtual machines, each an Apps/OS stack, running on enterprise servers, the enterprise network and enterprise storage.]
Protecting your Virtual Infrastructure:
• Hypervisor
• Control Software
• Supporting Applications
Protecting your Virtual Machines:
• OS
• Applications
• Inter-VM Communications
Why Virtualize – Promises of Cloud Computing…
                          Traditional IT   Cloud Leaders
Servers per Admin         50               5,000
Time to Provision Server  5 days           15 mins
Server Utilization        20%              75%
But… Vulnerabilities Still Exist
75% of x86 servers will be virtual by 2014
85% planning to adopt x86 virtualization
Source: “The CISO’s Guide To Virtualization Security”, January 2012
Servers Are Different from Desktops…
… Server Protection is Different from Endpoint Protection
[Diagram: Servers vs. Desktops/Laptops, with breach statistics:]
Malware: 69% of breaches, 95% of records
Hacking: 81% of breaches, 99% of records
Servers are the Primary Target
“…. More often endpoints / user devices simply provide an initial “foothold” into the organization, from which the intruder stages the rest of their attack.”
97% of stolen data is from servers
What is Virtual Infrastructure Protection?
Monitoring ESXi & Hardening vSphere
Virtual Infrastructure Still Requires Attention
Securing vSphere 5 Infrastructure with SCSP
[Diagram: a VMware ESXi host (VMkernel; VM support and resource management; infrastructure agents such as NTP and syslog; VMware Management Framework; agentless hardware monitoring; agentless systems management; vCLI for config and support) managed by VMware vCenter Server 5.0 on 64-bit Windows (vCenter Server, vCenter Server SQL DB, Tomcat web service, LDAP). A CSP agent runs in a guest VM alongside vCLI.]
Protecting the Virtualization Management Universe
• Automate implementation of VMware Hardening Guidelines
• vCenter IPS Policy:
– Enhanced Windows Strict policy to protect application components including vCenter Server, vCenter Orchestrator and vCenter Update Manager; infrastructure components, e.g., SQL Express DB, Tomcat, JRE; and vCenter application program files and sensitive directories (certificates and logs)
– Restricts vCenter network port access to trusted programs
– Can protect the following tools accessing vCenter from desktops, laptops, client access VMs or even jump hosts: vSphere Client, vSphere CLI, vSphere PowerCLI, vSphere Web Client
• vCenter IDS Policy Highlights:
– vCenter Windows Detection Policy: pre-tuned Windows baseline policy detects user/group changes, login failures, etc.
– vCenter Application Detection Policy: pre-tuned Windows policy performs real-time FIM of vCenter binaries and configurations and monitors vCenter logs; addresses the gap in existing vCenter monitoring and log forwarding capabilities
Virtual Guest Server Protection
• CSP can be installed in each guest virtual machine (virtual server) to lock down the OS / application, specific to each virtual server’s use case
Virtual Infrastructure Protection
• CSP Agent deployed within a specific guest VM (1 per ESXi server) to monitor ESXi
• Mechanics of Monitoring ESXi:
– Uses vCLI to access ESXi log/config files and sends them to the SCSP agent
– Accesses guest VM config files through the vCLI interface and sends them to the SCSP agent
– Enables a new ESXi IDS policy to monitor config/access
– Creates customized reports specific to ESXi configuration
• ESXi IDS Policy Highlights:
– Monitors the full suite of critical VMware host configuration files (22 files) accessible through vCLI for: ESXi host command line interface (CLI) login failures and successes; critical configuration changes to the ESXi host; administrative web access
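The ESXi and vCenter IDS policies described above reduce to two detections: file-integrity monitoring of a fixed set of host configuration files, and counting login failures and successes per source. The following is an added example written for this page, not SCSP or VMware code: it builds a SHA-256 baseline over a constructed set of files, reports modified, deleted and created files, and summarizes logins from constructed syslog-like lines. The file names, the log line shape and the failure threshold are assumptions, and the vCLI transfer step is not modelled.

```python
"""File-integrity monitoring plus login-failure counting, in the style of the ESXi and vCenter
IDS policies on this slide. Added example for this page, not SCSP code: the monitored files,
the log line shape and the failure threshold are constructed assumptions."""
import hashlib
import json
import os
import re
import tempfile
from collections import Counter


def sha256_of(path):
    """Stream a file through SHA-256 so large config or log files need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(paths):
    """Record a digest per monitored path; a missing file is recorded as None so that its
    later appearance is itself an event."""
    return {p: (sha256_of(p) if os.path.exists(p) else None) for p in paths}


def compare_to_baseline(baseline):
    """Return one event per path whose digest differs from the baseline."""
    events = []
    for path, old in baseline.items():
        new = sha256_of(path) if os.path.exists(path) else None
        if old == new:
            continue
        kind = "created" if old is None else "deleted" if new is None else "modified"
        events.append({"file": os.path.basename(path), "event": kind})
    return events


# Constructed, syslog-like login lines; not a claim about the exact ESXi auth log format.
SAMPLE_AUTH_LOG = """\
2012-05-01T09:00:01Z host1 sshd: Accepted password for root from 10.0.0.5
2012-05-01T09:00:07Z host1 sshd: Failed password for root from 10.0.0.9
2012-05-01T09:00:09Z host1 sshd: Failed password for root from 10.0.0.9
2012-05-01T09:00:12Z host1 sshd: Failed password for admin from 10.0.0.9
2012-05-01T09:01:00Z host1 sshd: Accepted password for root from 10.0.0.5
"""
LOGIN_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd: (?P<result>Accepted|Failed) password "
    r"for (?P<user>\S+) from (?P<src>\S+)$"
)


def login_summary(log_text, failure_threshold=3):
    """Count successes and failures per source address; flag sources reaching the threshold."""
    successes, failures = Counter(), Counter()
    for line in log_text.splitlines():
        m = LOGIN_RE.match(line)
        if not m:
            continue  # unrelated line; a real policy would route it to other rules
        bucket = successes if m["result"] == "Accepted" else failures
        bucket[m["src"]] += 1
    flagged = sorted(src for src, n in failures.items() if n >= failure_threshold)
    return {"successes": dict(successes), "failures": dict(failures), "flagged_sources": flagged}


def demo():
    """Baseline three constructed config files, tamper with one and delete another, then
    return both the FIM events and the login summary."""
    with tempfile.TemporaryDirectory() as d:
        paths = [os.path.join(d, name) for name in ("esx.conf", "hosts", "passwd")]
        for p in paths:
            with open(p, "w") as f:
                f.write("original contents of " + os.path.basename(p) + "\n")
        baseline = build_baseline(paths)
        with open(paths[0], "a") as f:   # unauthorized edit to esx.conf
            f.write("tampered line\n")
        os.remove(paths[2])              # passwd removed entirely
        fim_events = compare_to_baseline(baseline)
    return {"fim": fim_events, "logins": login_summary(SAMPLE_AUTH_LOG)}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

In a deployment the baseline would be taken from a known-good host state and stored away from the host, and the comparison run on the copies that vCLI pulls, so that a compromised host cannot rewrite its own baseline.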
Automatically Harden and Monitor Per VMware’s vSphere Hardening Guidelines
• Pre-defined global and granular policies
• Lock down the Windows Server with the industry’s leading critical system protection
• Harden the vCenter application against unauthorized access, executables or configuration changes
• Directly monitor your ESXi host configurations for unauthorized changes
• Harden your individual ESX/ESXi guest VMs
What is Agent-less?
Introspection & vNetwork Analysis
Is Symantec going to support vShield… and when…
Yes, now in SEP 12.1.2 Jaguar!
Roadmap Progress
Phase 1: Re-architect Security for Changing Threat Environment – Done – Insight and SONAR
Phase 2: Optimize Features for Virtualized Environment – Done – Shared Insight Cache & vCenter Hardening
Phase 3: Maximize Integration with Platforms, and Introspection-Zoning Infrastructure – Done – vShield & vSphere integration
Phase 4: Maximize Architecture for Cloud – Service Delivery – Currently in development…
SEP RU2: vShield Use Case – vSIC
[Diagram: an ESXi host on the network running a Security Virtual Appliance (SVA) holding the Shared Insight Cache (vSIC) and several guest VMs (GVMs) each with a SEP client, connected through VMware vShield Endpoint / VMTools.]
Shared Insight Cache for Virtual Environments (vSIC)
– vShield Endpoint enabled scan cache to optimize performance for scanning
– Moves the SEP 12.1 Shared Insight Cache into a Security Virtual Appliance
– Uses vShield Endpoint as the communication channel between SEP and the cache
– Same performance benefit as SEP 12.1 cache
• Significant resource reduction for persistent VDI
• Limited impact for non-persistent VDI and server applications
How to Apply Traditional Security as Agentless?
[Diagram: the protection layers to be delivered without an in-guest agent: Firewall, NIPS, Reputation, AV, HIPS, Behavioral, etc.]
SEP 12.1 vs. Trend Micro Deep Security 8.0
[Chart, May 2012: % of samples Compromised / Neutralized / Defended, on a 0%–100% axis with baseline and maximum markers, for Symantec Endpoint Protection 12.1 and Trend Deep Security 8 (Agentless). Data labels as extracted: 16%, 20%, 100%, 64%.]
SEP 12.1 – Built for Virtual Environments
• Resource Leveling
• Virtual Image Exception
• Virtual Client Tagging
• Insight and Shared Insight Cache
• Offline Image Scanning
• Scan Elimination, Scan De-duplication, Scan Randomization
Together – up to 90% reduction in disk IO
New Approaches: Insight Enhanced Scanning
Traditional Scanning – requires scan of every file – scans on defined schedule
Insight Scanning – requires scan of un-trusted files only – scans based on user activity
On a typical system, 80% of active applications can be skipped!
SEP 12 vs. Trend Micro Deep Security 8 – Virtual Machine Performance (April 2012)
• 40% reduction in I/O
• 60% reduction in scan time
Roadmap
Disclaimer
“This information is about pre-release software. Any unreleased update to the product or other planned modification is subject to ongoing evaluation by Symantec and therefore subject to change. This information is provided without warranty of any kind, express or implied. Customers who purchase Symantec products should make their purchase decision based upon features that are currently available.”
VM – A Perspective…
[Chart: breadth of security vs. risk. Baseline Security (SVA) rising to Maximum Security (Hardened Virtual Infrastructure, Maximum Host Security, Maximum Guest Security); Today vs. Tomorrow: Service-Oriented, Hybrid Security Model with Bronze, Silver and Gold service levels.]
Dynamic, Transparent, Beyond-Physical Security On a Hardened Infrastructure across Managed/Unmanaged VMs
[Chart: security effectiveness over time, in three stages:]
Today: Hardened Virtual Infra.; Agented VMs (Managed)
Medium Term: Hardened Virtual Infra.; Agentless Baseline; Agented VMs (Managed)
Long Term: Hardened Virtual Infra.; Agent-less Protection (All VMs); Agented Value-Add
Legend:
• Hardened Infrastructure – infrastructure hardened by SYMC
• Baseline Security – rogue VM protected agentlessly by SYMC
• Full Security – VM fully protected with SYMC agents (SCSP + SEP)
Roadmap for Symantec Endpoint and Server Security
[Timeline: SEP and “DCP” releases plotted by calendar quarter from 2013 through 2015 (Apr, Jul, Oct of each year).]
• Endpoint Protection “McLaren”: FIPS Support; Mac IPS; Bug Fixes
• Endpoint Protection “Ferrari”: Mac Firewall & Management; Linux Management; Network-based Definitions; Performance/Content Improvements
• Server Protection “Ferrari”: Agentless Protection (VMware); Provisioning via vCenter; Application Whitelisting for Windows
• Endpoint Protection “Porsche”: New Management Server; Enhanced Reporting; Endpoint Security Product Integrations
• Server Protection “Porsche”: New Management Server; Enhanced Reporting; Agented anti-malware; Agentless Protection (non-VMware)
Next Steps for SEP Shared Content – NetDefs
[Diagram: an ESXi host on the network with several GVMs each running a SEP client, sharing a Shared Insight Cache (nSIC) and Shared Network Definitions (nDef).]
What is “Data Center Protection”?
“Data Center Protection (DCP)”:
• Agentless AV and IPS
• Virtual Security SVAs
• CSP Sandboxing + Application Whitelisting Controls
Next Steps for Agentless Protection
[Diagram: ESXi 5.1 hosts, each with a SYMC EPSEC SVA and a SYMC NetX SVA alongside VMs running VM Tools, managed through a vCenter plug-in.]
AV SVA (EPSEC API)
• Agentless file scanning (AV/AM)
• Deployed at vSphere host level
• Via EPSEC APIs and vShield Endpoint/VMtools – now free with vSphere 5.1
• Engine and content exist in one place, within the SVA
• Security policy can be specific to each VM
N-IPS SVA (NetX API)
• Agentless network IPS protection
• Deployed at network level (for DPI)
• Via NetX API and vCloud Networking and Security – must purchase vCNS
• Security policy can be specific to an isolated virtual network or per VM workload
vCenter Plug-in
• VMware admin view (incl. vCOPs)
• Deployment
• Environment information
Next Steps for Server Lockdown Protection Workflow
[Diagram: six-step workflow – 1 Inspect System, 2 Rate Applications, 3 Manage Change, 4 Specify Whitelist, 5 Sandbox Applications, 6 Review Protection]
1. Identify applications via system inspection
2. Determine application reputation
– Identifies known good applications via Trusted Publishers, application checksums, and/or reputation service
3. Specify how to manage change via Trusted Updaters
– Incorporates internal change processes into security policy
4. Select Whitelisted and Blacklisted Applications
– Provides a Default Deny security posture for generic servers
– Override via Trusted User/Group and Trusted Directories
5. Provide out-of-box security for common applications
– Admins can select sandboxing controls for the OS and workload (web servers, database servers, domain controllers, …)
6. View Security Summary and Overall Risk Profile
– Identifies gaps based on the controls selected and server profile
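At runtime the six-step workflow above becomes a per-execution policy decision. The following is an added example written for this page, not CSP's own engine: a default-deny decision function that checks an execution event against a checksum blacklist and whitelist (step 4), trusted publishers (step 2), trusted updaters (step 3) and the trusted directory and trusted user/group overrides (step 4), plus a summary in the spirit of step 6. The Policy and ExecEvent fields, the rule precedence, and all sample hashes, paths and names are constructed assumptions; the publisher check is approximated by a signer name carried on the event rather than a real signature verification.

```python
"""Default-deny application control decision modelled on the six-step lockdown workflow.
Added example for this page, not CSP code: policy fields, precedence and sample data are
constructed assumptions."""
import hashlib
import os.path
from dataclasses import dataclass


@dataclass
class Policy:
    whitelist_hashes: set      # step 4: known-good checksums (step 2 feeds these)
    blacklist_hashes: set      # step 4: explicitly denied checksums
    trusted_publishers: set    # step 2: signer names treated as known-good (assumed field)
    trusted_directories: set   # step 4 override: executables under these paths are allowed
    trusted_users: set         # step 4 override: users/groups allowed to run anything
    trusted_updaters: set      # step 3: parent processes whose children are allowed


@dataclass
class ExecEvent:
    path: str
    sha256: str
    user: str
    parent: str
    publisher: str = ""        # signer name, "" when unsigned (constructed approximation)


def _under(path, directory):
    """True when path lies below directory, comparing normalized absolute paths."""
    p = os.path.normcase(os.path.abspath(path))
    d = os.path.normcase(os.path.abspath(directory))
    return p.startswith(d.rstrip(os.sep) + os.sep)


def decide(policy, ev):
    """Return (verdict, reason). The blacklist always wins; then any single allow rule
    suffices; anything unmatched falls through to default deny."""
    if ev.sha256 in policy.blacklist_hashes:
        return "deny", "blacklisted checksum"
    if ev.sha256 in policy.whitelist_hashes:
        return "allow", "whitelisted checksum"
    if ev.publisher and ev.publisher in policy.trusted_publishers:
        return "allow", "trusted publisher"
    if ev.parent in policy.trusted_updaters:
        return "allow", "launched by trusted updater"
    if any(_under(ev.path, d) for d in policy.trusted_directories):
        return "allow", "trusted directory"
    if ev.user in policy.trusted_users:
        return "allow", "trusted user/group"
    return "deny", "default deny"


def sha256_bytes(data):
    return hashlib.sha256(data).hexdigest()


# Constructed sample policy and execution events.
KNOWN_GOOD = sha256_bytes(b"approved web server binary")
KNOWN_BAD = sha256_bytes(b"known malicious dropper")

SAMPLE_POLICY = Policy(
    whitelist_hashes={KNOWN_GOOD},
    blacklist_hashes={KNOWN_BAD},
    trusted_publishers={"Example Corp Signing"},
    trusted_directories={"/opt/app/bin"},
    trusted_users={"svc-deploy"},
    trusted_updaters={"/usr/bin/patch-agent"},
)

SAMPLE_EVENTS = [
    ExecEvent("/opt/app/bin/httpd", KNOWN_GOOD, "www", "/sbin/init"),
    ExecEvent("/tmp/dropper", KNOWN_BAD, "www", "/opt/app/bin/httpd"),
    ExecEvent("/tmp/unknown", sha256_bytes(b"never seen"), "www", "/opt/app/bin/httpd"),
    ExecEvent("/tmp/update.bin", sha256_bytes(b"vendor update"), "root", "/usr/bin/patch-agent"),
    ExecEvent("/opt/app/bin/helper", sha256_bytes(b"unsigned helper"), "www", "/opt/app/bin/httpd"),
    ExecEvent("/home/svc-deploy/tool", sha256_bytes(b"deploy tool"), "svc-deploy", "/bin/bash"),
    ExecEvent("/tmp/signed.bin", sha256_bytes(b"signed thing"), "www", "/bin/bash",
              publisher="Example Corp Signing"),
    # Blacklist outranks every override, including a trusted publisher and trusted user.
    ExecEvent("/tmp/bad_signed", KNOWN_BAD, "svc-deploy", "/usr/bin/patch-agent",
              publisher="Example Corp Signing"),
]


def evaluate(policy=SAMPLE_POLICY, events=SAMPLE_EVENTS):
    """Step 6 style review: the verdict per event and a count of decisions by reason, which
    shows how much of the estate is running on overrides rather than on the whitelist."""
    results = [(ev.path, *decide(policy, ev)) for ev in events]
    summary = {}
    for _, _verdict, reason in results:
        summary[reason] = summary.get(reason, 0) + 1
    return results, summary


if __name__ == "__main__":
    for path, verdict, reason in evaluate()[0]:
        print(f"{verdict:5} {path:28} {reason}")
```

The ordering matters: placing the blacklist first means a known-bad binary is denied even when it sits in a trusted directory or is launched by a trusted updater, and the reason counts from evaluate() make the override-heavy cases visible for review.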
Data Center: The Offerings
            End User: Desktop/Laptop            Data Center: Server (Virtual, Physical)
Today       Symantec Endpoint Protection (SEP)  SEP
                                                Critical Systems Protection (CSP): 1. Agented system lockdown (with whitelisting); 2. Agented monitoring
Ferrari     SEP                                 SEP
                                                CSP: 1. Agented system lockdown (with whitelisting); 2. Agented monitoring
                                                Agentless: 1. VMware
Porsche     SEP                                 SEP
                                                CSP
                                                Agentless: 1. Multiple hypervisors
            Common Management / Management Consoles (across both columns)
Agentless Protection Capabilities – Why Have Both NetDefs and Agentless?
• Maintain SEP footprint in virtual environments by removing the problem of update storms (images with outdated defs)
• Full SEP protection including SONAR and Web protection in virtual environments (multiple layers of defense)
• Hypervisor agnostic – performant solution for any virtual environment
• Easy virtual administrator buy-in, due to less operational friction (install, patch, …)
• Performance: single instance of the protection engines and content
• Protection: immediate up-to-date coverage for new, rogue, or dormant VMs
• Protection: less risk of security tampering at the guest
SEP + NetDefs: solves the SEP def update IO issue, primarily for non-persistent VDI
“DCP” (with agentless): foundation for protecting the Software Defined Data Center
Virtual Security “Top-to-Bottom”
1. Hardened Infrastructure – infrastructure hardened by SYMC
• Hardening infrastructure (hypervisor kernel-level file monitoring, management hardening)
• Server management capabilities for patch, change management, discovery, inventory etc.
2. Baseline Security for All VMs (agent-less for unmanaged VMs) through SVA – rogue VM protected agentlessly by SYMC
• Enhanced agent-less via Security Virtual Appliance enabling IPS, Deep Packet Inspection, File Integrity Monitoring, AV, etc.
• Zoning through workflow integration to drive actions based on security posture
3. Full Security for Managed VMs (agented) through SCSP and SEP – VM fully protected with SYMC agents (SCSP + SEP)
• In-guest agent thinning supporting introspection and differentiated security (shared AV definitions, reduced memory etc.)
[Diagram: vServer farm, VDI and cloud hosts/VMs on hypervisors with SVAs, plus the management infrastructure.]
Other Sessions to Attend
Breakouts
• WE, 17:15-18:15; VMware: the Virtualization Journey: Managing and Proving Compliance with VMware and Symantec – P1/Room 114
• ST B05 TH, 09:00-10:00; Symantec Reference Architecture for Business Critical Virtualization – P1/Room 112
• IS B09 TH, 09:00-10:00; SONAR, Insight, Skeptic and GIN – The Symantec Secret Sauce – P1/Room 114
• IS B27 TH, 13:45-14:45; Symantec Protection Engine: gives almost any application or OS the ability to scan for threats – P1/Room 115
• IS B07 TH, 13:45-14:45; The Roadmap for Symantec Infrastructure Protection Products – P1/Room 114
Labs
• IS L03 WE, 10:30-11:30; Security Virtualized Environments – P1/Room 119
• IS L06 WE, 15:45-16:45; Protect Servers and Defend against APTs with Symantec SCSP – P1/Room 119
• IS L07 WE, 17:15-18:15; Lock down your Virtual environment with SCSP – P1/Room 119
• IS L02 TH, 11:45-12:45; Migrating to SEP 12.1 from an earlier version or another vendor’s product – P1/Room 119
Additional Resources
Symantec Virtualization Security site on symantec.com
• http://go.symantec.com/virtualization-security
– “Securing the Virtual Data Center” white paper
– VMware and Symantec Joint Press Release – http://bit.ly/yQ6dxH
– Solution overviews
• Coming Soon:
– VDI Best Practices White Paper
– Joint VMware Reference Architecture (via QSA Coalfire)
Thank you!
Copyright © 2012 Symantec Corporation. All rights reserved. Symantec and the Symantec Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners. This document is provided for informational purposes only and is not intended as advertising. All warranties relating to the information in this document, either express or implied, are disclaimed to the maximum extent allowed by law. The information in this document is subject to change without notice.
Paul Murgatroyd [email protected]
Chip Epps [email protected]