we, 09:00-10:00 is b10 - securing your virtual data ...vox.veritas.com › legacyfs › online ›...

1

IS B10 - Securing Your Virtual Data Centers: The Future of Endpoint and Server Security

Paul Murgatroyd Principal Product Manager

Chip Epps Principal Product Manager

WE, 09:00-10:00

SYMANTEC VISION 2012

Agenda

2

The Virtual Data Center 1

Monitoring ESXi and Hardening vCenter 2

Protecting the Guest 3

SEP, SCSP, and “DCP” Roadmaps 4

Resources 5


There are really two points to consider:

LB Backup HA

Management Server

Virtual Machines

Apps

OS

Apps

OS

Apps

OS

Apps

OS

Apps

OS

Apps

OS

Apps

OS

Apps

OS

Apps

OS

Hypervisor SMP Storage

Enterprise Servers

Enterprise Network

Enterprise Storage

3



LB Backup HA

Management Server

Virtual Machines

Apps

OS

Apps

OS

Apps

OS

Apps

OS

Apps

OS

Apps

OS

Apps

OS

Apps

OS

Apps

OS


Enterprise Servers

Enterprise Network

Enterprise Storage

Protecting your Virtual Infrastructure:

• Hypervisor

• Control Software

• Supporting Applications

4



LB Backup HA

Management Server

Virtual Machines

Apps

OS

Apps

OS

Apps

OS

Apps

OS

Apps

OS

Apps

OS

Apps

OS

Apps

OS

Apps

OS


Enterprise Servers

Enterprise Network

Enterprise Storage

Protecting your Virtual Infrastructure:

• Hypervisor

• Control Software

• Supporting Applications

Protecting your Virtual Machines:

• OS

• Applications

• Inter-VM Communications

5


Why Virtualize – Promises of Cloud Computing…

Clouds Leaders

Traditional IT

Servers per Admin 50 5,000

5 days 15 mins

20% 75%

Time to Provision Server

Server Utilization

6


But… Vulnerabilities Still Exist

7


75%

Of x86 Servers will be virtual by 2014

85%

Planning to adopt x86 virtualization

“The CISO’s Guide To Virtualization Security” January 2012

8


Servers Are Different from Desktops…

… Server Protection is Different from Endpoint Protection

vs.

9

69% of Breaches

95% of Records

Malware

81% of Breaches

99% of Records

Hacking Servers Desktops/Laptops


Servers are the Primary Target

“ …. More often endpoints / user

devices simply provide an initial

“foothold” into the organization, from

which the intruder stages the rest of

their attack.”

97% of stolen data is from

Servers

SYMANTEC VISION 2012 11

What is Virtual Infrastructure Protection?

Monitoring ESXi & Hardening vSphere


Virtual Infrastructure Still Requires Attention

12


Securing vSphere 5 Infrastructure with SCSP

13

VMware ESXi

VM support and Resource Management

Infrastructure Agents (NTP, Syslog, etc.)

VMkernel

WMWare Management Framework

Agentless Hardware

Monitoring

Agentless Systems Mgmt

vCLI for Config and

Support

OS

vCLI

CSP Agent

VMWare vCenter Server 5.0 (64 bit Windows)

vCenter Server SQL DB

64-bit Windows OS

Tomcat Web Service

vCenter Server

LDAP

manage

Protecting the Virtualization Management Universe

• Automate implementation of VMware Hardening Guidelines • vCenter IPS Policy :

– Enhanced Windows Strict policy to protect application components including: vCenter Server, vCenter Orchestrator, vCenter Update Mgr. Infrastructure components e.g., SQL Express DB, Tomcat,

JRE vCenter application program files and sensitive directories

(certificates and logs) – Restricts vCenter network port access to trusted programs – Can protect the following tools accessing vCenter from desktops,

laptops, client access VM’s or even Jump hosts: vSphere Client, vSphere CLI, vSphere Power CLI, vSphere

Web Client

• vCenter IDS Policy Highlights: – vCenter Windows Detection Policy

Pre-tuned Windows Baseline Policy detects user/group changes, login failures, etc.

– vCenter Application Detection Policy Pre-tuned Windows Policy performs real-time FIM of vCenter

binaries / configurations and monitors vCenter logs Addresses gap in existing vCenter monitoring and log

forwarding capabilities

Virtual Guest Server Protection

• CSP can be installed in each guest virtual machine (virtual server) to lock down the OS / application, specific to each virtual server’s use-case

Virtual Infrastructure Protection

• CSP Agent deployed within a specific guest VM (1 per ESXi server) to monitor ESXi

• Mechanics of Monitoring ESXi: – Uses vCLI to access ESXi log/config files to send over to SCSP

agent – Accesses guest VM config files through the vCLI interface and

send to SCSP agent – Enables a new ESXi IDS policy to monitor config/access – Create customized reports specific to ESXi configuration

• ESXi IDS Policy Highlights:

– Monitors the full suite of critical VMware host configuration files (22 files) accessible through vCLI for: ESXi host command line interface (CLI) login failures and

successes Critical configuration changes to ESXi host Administrative web access


Automatically Harden and Monitor Per VMware’s vSphere Hardening Guidelines

14

• Pre-defined global and granular policies

• Lockdown the Windows Server with industry’s leading critical system protection

• Harden the vCenter application against unauthorized access, executables or configuration changes

• Directly monitor your ESXi host configurations for unauthorized changes

• Harden your individual ESX/ESXi Guest VMs


What is Agent-less?

Introspection & vNetwork Analysis


Is Symantec going to

Support vShield… and When…

Yes, now in SEP 12.1.2 Jaguar!


Roadmap Progress

17

Re-architect Security for Changing Threat

Environment

Optimize Features for Virtualized

Environment

Maximize Integration with Platforms, and

Introspection-Zoning Infrastructure

Phase 1

Phase 2

Phase 3

Done – Insight and SONAR

Done – Shared Insight Cache & vCenter Hardening

Done– vShield & vSphere integration

Maximize Architecture for Cloud

– Service Delivery Phase 4 Currently in development…


SEP RU2: vShield Use Case – vSIC

ESXi Host

Network

SVA GVM

SEP Client

GVM

SEP Client

GVM

SEP Client

VMware vShield Endpoint / VMTools

Shared Insight Cache (vSIC)

18


Shared Insight Cache for Virtual Environments (vSIC)

– vShield Endpoint enabled scan cache to optimize performance for scanning

– Moves the SEP 12.1 Shared Insight Cache into a Security Virtual Appliance

– Uses vShield Endpoint as the communication channel between SEP and the cache

– Same performance benefit as SEP 12.1 cache

• Significant resource reduction for persistent VDI

• Limited impact for non-persistent VDI and server applications

19


How Apply Traditional Security as Agentless?

20

Firewall NIPS Reputation AV HIPS

ETC

Behavioral


SEP 12.1 vs. Trend Micro Deep Security 8.0

16%

20%

100% 64%

0%

10%

20%

30%

40%

50%

60%

70%

80%

90%

100%

Symantec Endpoint Protection 12.1 Trend Deep Security 8 (Agentless)

Compromised

Neutralized

Defended

21

% o

f sa

mp

les

May 2012

Bas

elin

e M

axim

um


SEP 12.1 – Built for Virtual Environments

22

Resource Leveling

Virtual Image Exception

Virtual Client

Tagging

Insight and Shared Insight

Cache

Together – up to 90% reduction in disk IO

Offline Image Scanning

•Scan Elimination

•Scan De-duplication

•Scan Randomization


New Approaches: Insight Enhanced Scanning

23

Insight Scanning - Requires scan of un-trusted files only - Scans based on user activity

Traditional Scanning - Requires scan of every file - Scans on defined schedule

On a typical system, 80% of active applications can be skipped!


SEP 12 vs. Trend Micro Deep Security 8 -Virtual Machine Performance

24 24

April 2012

•40% reduction in I/0 •60% reduction in scan time


Roadmap

25


Disclaimer

“This information is about pre-release software. Any unreleased update to the product or other planned modification is subject to ongoing evaluation by Symantec and therefore subject to change. This information is provided without warranty of any kind, express or implied. Customers who purchase Symantec products should make their purchase decision based upon features that are currently available.”

26 26


VM

A Perspective…

27

Maximum Security

Hardened Virtual Infrastructure

Maximum Guest

Security

Maximum Host Security

Bre

adth

of

Secu

rity

Ris

k

Baseline Security

SVA

Today Tomorrow Service-Oriented,

Hybrid Security Model

Bronze

Silver

Gold

Service Levels


Dynamic, Transparent, Beyond-Physical Security On a Hardened Infrastructure across Managed/Unmanaged VMs

28

Secu

rity

Eff

ecti

ven

ess

Agent-less Protection (All VMs)

Hardened Virtual Infra.

Agented (Managed)

Long Term

Hardened Infrastructure hardened by SYMC

Baseline Security

Rogue VM Protected Agentlessly by SYMC

Full Security

VM fully protected with SYMC Agents

Agent (SCSP + SEP)

Agentless

Agent-less Protection (All VMs)


Agented VMs

(Managed)

Agen

ted

Valu

e-Ad

d

Medium Term

Agen

tless B

aseline

Agented VMs

(Managed)


Today


CYQ1 Q2 Q4 Q3 CYQ1 Q2 Q4 Q3 CYQ1

Roadmap for Symantec Endpoint and Server Security

29

“DCP”

SEP

2013

2013 Apr Jul Oct 2014 Apr Jul Oct 2015

Endpoint Protection “McLaren” FIPS Support Mac IPS Bug Fixes

Endpoint Protection “Ferrari” Mac Firewall & Management Linux Management Network-based Definitions Performance/Content Improvements

Server Protection “Ferrari” Agentless Protection (VMware) Provisioning via vCenter Application Whitelisting for Windows

Endpoint Protection “Porsche” New Management Server Enhanced Reporting Endpoint Security Product Integrations

Server Protection “Porsche” New Management Server Enhanced Reporting Agented anti-malware Agentless Protection (non-VMware)


Shared Content

Shared Insight Cache (nSIC)

Next Steps for SEP Shared Content- NetDefs

30

ESXi Host

Network

GVM

SEP Client

GVM

SEP Client

GVM

SEP Client

Shared Network Definitions (nDef)


What is “Data Center Protection”?

“Data Center Protection

(DCP)”

Agentless AV and IPS

Virtual Security SVA’s

CSP Sandboxing + Application Whitelisting

Controls

SYMANTEC VISION 2012 32 32

Next Steps for Agentless Protection

ESXi 5.1

SYMC EPSEC

SVA

VM

VM Tools

VM

VM Tools

AV SVA (EPSEC API)

• Agentless file scanning (AV/AM) • Deployed at vSphere Host level • Via EPSEC APIs and vShield Endpoint/

VMtools- now free with vSphere 5.1 • Engine and content exist in one

place, within the SVA • Security policy can be specific to each

VM

N-IPS SVA (NetX API)

• Agentless Network IPS protection • Deployed at network level (for

DPI) • Via NetX API and vCloud

Networking and Security- must purchase vCNS

• Security policy can be specific to isolated virtual network or per VM workload

SYMC NetX SVA

ESXi 5.1

SYMC EPSEC

SVA

VM

VM Tools

VM

VM Tools

ESXi 5.1

SYMC EPSEC

SVA

VM

VM Tools

VM

VM Tools

vCenter Plug-in

• VMware Admin view (incl: vCOPs)

• Deployment • Environment

information


Next Steps for Server Lockdown Protection Workflow

33

Inspect System

Rate Applications

Manage Change

1. Identify applications via system inspection

2. Determine application reputation

– Identifies known good applications via Trusted Publishers, application checksums, and/or reputation service

3. Specify how to manage change via Trusted Updaters – Incorporates internal change processes into security policy

1

2

3

Specify Whitelist

4

Sandbox Applications

5

Review Protection

6

4. Select Whitelisted and Blacklisted Applications – Provides a Default Deny security posture for generic servers – Override via Trusted User/Group and Trusted Directories

5. Provide out-of-box security for common applications

– Admins can select sandboxing controls for the OS and workload (web servers, database servers, domain controllers, …)

6. View Security Summary and Overall Risk Profile – Identifies gaps based on the controls selected and server profile


Data Center The Offerings

34

End

Use

r:

Des

kto

p/L

apto

p

Dat

a C

en

ter:

Se

rver

(V

irtu

al, P

hys

ical

)

Symantec Endpoint

Protection (SEP)

SEP

CSP 1. Agented system lockdown

(with whitelisting)

2. Agented monitoring

Today Ferrari

SEP

Critical Systems

Protection(CSP)

SEP

Porsche

Common Management

Agentless 1. VMware

CSP 1. Agented system lockdown

(with whitelisting)

2. Agented monitoring

Agentless 1. Multiple hypervisors

SEP

SEP

Management Consoles


• Maintain SEP footprint in virtual environments by removing the problem of update storms (images with outdated defs)

• Full SEP protection including SONAR and Web protection in virtual environments (multiple layers of defense)

• Hypervisor agnostic - performant solution for any virtual environment

• Easy virtual administrator buy-in, due to less operational friction (install, patch, …)

• Performance: Single instance of the protection engines and content

• Protection: Immediate up to date coverage for new, rogue, or dormant VMs

• Protection: Less risk of security tampering at guest

Solves SEP def update IO issue, primarily for non–persistent VDI

Foundation for protecting the Software Defined Data Center

35

Agentless Protection Capabilities Why Have Both NetDefs and Agentless?

SEP +

NetDefs

“DCP” (with agentless)


Virtual Security “Top-to-Bottom”

36

Hardened Infrastructure Hardened by SYMC

Baseline Security

Rogue VM Protected Agentlessly by SYMC

Maximum Security

VM fully protected with SYMC Agents

Agent (SCSP + SEP)

Agentless

Hardened Infrastructure

• Hardening infrastructure (Hypervisor kernel-level file monitoring, management hardening)

• Server Management capabilities for patch, change management, discovery, inventory etc.

1

Baseline Security for All VMs (agent-less for unmanaged VMs) through SVA

• Enhanced Agent-less via Security Virtual Appliance enabling IPS, Deep Packet Inspection, File Integrity Monitoring , AV, etc.

• Zoning through workflow integration to drive actions based on security posture

2

Full Security for Managed VMs (agented) through SCSP and SEP

• In-guest agent thinning supporting introspection and differentiated security (Shared AV Definitions, reduced memory etc.)

3

vServer Farm

Hypervisor

Management Infrastructure

Hypervisor

Cloud

Security

VDI

Host/VM

SVA

SVA


Other Sessions to Attend

37

Breakouts

• WE, 17:15-18:15; VMware: the Virtualization Journey: Managing and Proving Compliance with VMware and Symantec – P1/Room 114

• ST B05 TH, 09:00-10:00; Symantec Reference Architecture for Business Critical Virtualization – P1/Room 112

• IS B09 TH, 0:900-10:00; SONAR, Insight, Skeptic and GIN- The Symantec Secret Sauce – P1/Room 114

• IS B27 TH, 13:45 – 14:45, Symantec Protection Engine: gives almost any application or OS the ability to scan for threats – P1/Room 115

• IS B07 TH, 13:45 - 14:45, The Roadmap for Symantec infrastructure Protection Products – P1/Room 114

LABS

• IS L03 WE, 10:30-11:30; Security Virtualized Environments – P1/Room 119

• IS L06 WE, 15:45-16:45; Protect Servers and Defend against APTs with Symantec SCSP – P1/Room 119

• IS L07 WE, 17:15-18:15; Lock down your Virtual environment with SCSP – P1/Room 119

• IS L02 TH, 11:45-12:45; Migrating to SEP 12.1 from an earlier version or another vendor’s product – P1/Room 119


Additional Resources

Symantec Virtualization Security site on symantec.com

• http://go.symantec.com/virtualization-security

– “Securing the Virtual Data Center” white paper

– VMware and Symantec Joint Press Release - http://bit.ly/yQ6dxH

– Solution overviews

• Coming Soon:

– VDI Best Practices White Paper

– Joint VMware Reference Architecture (via QSA Coalfire)

38

http://bit.ly/yQ6dxH

Thank you!

Copyright © 2012 Symantec Corporation. All rights reserved. Symantec and the Symantec Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners. This document is provided for informational purposes only and is not intended as advertising. All warranties relating to the information in this document, either express or implied, are disclaimed to the maximum extent allowed by law. The information in this document is subject to change without notice.

Paul Murgatroyd [email protected]

Chip Epps [email protected]

39

mailto:[email protected]

mailto:[email protected]

we, 09:00-10:00 is b10 - securing your virtual data ...vox.veritas.com › legacyfs › online ›...

Documents