trend micro dec 6 toronto vmug

Copyright 2011 Trend Micro Inc.

Peter Cresswell - Trend Micro Canada CISSP ISSAP CISA CISM

Virtualization Security: Physical. Virtual. Cloud.


VMWorld 2011: Partners for Security

Improves Security

by providing the most

secure virtualization infrastructure,

with APIs, and certification programs

Improves Virtualization

by providing security solutions

architected to fully exploit

the VMware platform

• VMware #1 Security Partner

• Trend Micro: 2011 Technology Alliance Partner of

the Year


VIRTUALIZATION/CLOUD: Securing the Journey


Virtual Cloud

Physical

4

Server Virtualization

Desktop Virtualization

Windows/Linux/Solaris

Private Cloud

Hybrid Cloud

Public Cloud

Journey to the Cloud


Millions of computers

have been compromised

by ZeuS

Trend Micro finds

over 70% of

enterprise networks

contain active malicious

malware

Threat Landscape • Malware

• Advanced Persistent Threats

• Botnets

• Espionage


6

# of days until

vulnerability is

first exploited,

after patch is

made available

2003

MS- Blast

28 days

2004

Sasser

18 days

2005

Zotob

10 days

2006 …

WMF

Zero-day Zero-day

Exploits are happening

before patches

are developed

2010

IE zero-day

More Profitable

More Sophisticated

More Frequent

More Targeted

Key Trends: Data-centric threat environment

http://www.networkworld.com/news/2010/031110-ie-zero-day-exploit-code-goes.html?page=1




Threats are more targeted

RSA Europe Two groups from the same country teamed up to launch a sophisticated attack against RSA Security's systems last March, EMC's security division said.

Unspecified information gained during the attack paved the way towards an unsuccessful attack against a defence contractor (self-identified as Lockheed Martin), senior RSA execs said during the opening of the RSA Conference in London on Tuesday.

"Two groups were involved in the attack," Thomas Heiser, RSA Security president, said during a keynote at the conference. "Both are known to authorities but they have never worked together before."

"The attack involved a lot of preparation," he added

Trend Micro Confidential 12/22/2011 7

The Register


Key Trends: Compliance Imperative

8

More standards: • PCI, SAS70, HIPAA, ISO 27001, FISMA / NIST 800-53, MITS…

More specific security requirements • Virtualization, Web applications, EHR, PII…

More penalties & fines • HITECH, Breach notifications, civil litigation

• PIPEDA- Risk based breach notification. Bill C29 to make breach notification mandatory.

• Alberta PIPA Bill 54 amended May 2010 to mandate notification of breaches.

• Quebec QPPIPS similar to PIPEDA with additional civil liabilities.

• California SB1386 – Data breach of unencrypted data notification

• Industry Regs - HITECH, HIPAA, PCI, SOX, HIPAA, FISMA, Basel II…


SECURING THE VIRTUALIZED DATACENTER

Classification 12/22/2011 9


Virtual Cloud

Physical

10


Desktop Virtualization

Windows/Linux/Solaris

Private Cloud

Hybrid Cloud

Public Cloud

Identifying Security Challenges in the Virtual/Cloud

• New platforms don‘t change the threat landscape

• Each platform adds unique security risks


The Fundamentals

Many third party courses and best practices covering:

• Hypervisor lockdown

• Virtual Network design and configuration

• VM security configuration

• VDI security architecture and configuration

• Storage security issues


SANS 579: Virtualization Security

Architecture and Design


P2V: Security Challenge

Virtualization driven by:

• increased density

• consolidated resources

• ‗green‘ IT

Yet ―virtually unaware‖ security controls directly impact the organization‘s ability to achieve the desired performance, density and ROI goals.



Resource Contention 1

Typical AV

Console 3:00am Scan

Automatic antivirus scans

overburden the system

Virtualization

Security Inhibitors

Antivirus Storm

13



Instant-on Gaps 2

Active

Dormant

Reactivated with

out-of-date security

New VMs

Cloned VMs must have a configured

agent and updated pattern files

Virtualization

Security Inhibitors

14



Attacks can spread across VMs

Virtualization

Security Inhibitors

Inter-VM Attacks / Blind Spots 3

Instant-on Gaps 2

15



Complexity of Management 4


Instant-on Gaps 2

Patch

agents

Rollout

patterns

Provisioning

new VMs

Reconfiguring

agents

VM sprawl inhibits compliance

Virtualization

Security Inhibitors

16


Deep Security 8

A Server Security Platform for Physical, Virtual, Cloud

Available Aug 30, 2011


Virtual Cloud

Physical

The Deep Security server security platform Server Application and Data Security for:

18

Deep Packet Inspection

IDS / IPS Web App.

Protection

Application

Control

Firewall Integrity

Monitoring Antimalware

Log

Inspection

Copyright 2011 Trend Micro Inc. 19

Server-Centric Security

19

―De-Militarized Zone‖ (DMZ)

Mission Critical Servers Business

Servers

/ Endpoints

Firewall Firewall IDS/IPS

IDS/IPS

Gateway (Malware)

5/28/2009

Firewall & IDS/IPS

File Integrity Monitoring & Log Inspection

Anti-Malware


DS 8.0 Overview

12/22/2011 20


Deep Security 8 Agent

21

• New Agent-based AV for physical Windows and Linux* systems,

virtual servers, and virtual desktops in local mode

• Web reputation services through integration with Smart Protection

Network protects systems/users from access to malicious websites

WEB REPUTATION

SERVICES

Anti-malware

Deep Packet

Inspection

Integrity

Monitoring

Firewall

Log

Inspection

VDI Local Mode


IDS / IPS

Web Application Protection

Application Control

Firewall


Log

Inspection

Anti-Virus

Detects and blocks known and

zero-day attacks that target

vulnerabilities Shields web application

vulnerabilities Provides increased visibility into,

or control over, applications

accessing the network

Reduces attack surface.

Prevents DoS & detects

reconnaissance scans

Detects malicious and

unauthorized changes to

directories, files, registry keys…

Optimizes the

identification of important

security events buried in

log entries

Detects and blocks malware

(web threats, viruses &

worms, Trojans)

Trend Micro Deep Security Server & application protection

5 protection modules

Integrity

Monitoring


Over 100 applications protected Deep Security rules shield vulnerabilities in these common applications

Operating Systems Windows (2000, XP, 2003, Vista, 2008, 7), Sun Solaris (8, 9, 10), Red Hat EL (4, 5), SuSE

Linux (10,11)

Database servers Oracle, MySQL, Microsoft SQL Server, Ingres

Web app servers Microsoft IIS, Apache, Apache Tomcat, Microsoft Sharepoint

Mail servers Microsoft Exchange Server, Merak, IBM Lotus Domino, Mdaemon, Ipswitch, IMail,,

MailEnable Professional,

FTP servers Ipswitch, War FTP Daemon, Allied Telesis

Backup servers Computer Associates, Symantec, EMC

Storage mgt servers Symantec, Veritas

DHCP servers ISC DHCPD

Desktop applications Microsoft (Office, Visual Studio, Visual Basic, Access, Visio, Publisher, Excel Viewer,

Windows Media Player), Kodak Image Viewer, Adobe Acrobat Reader, Apple Quicktime,

RealNetworks RealPlayer

Mail clients Outlook Express, MS Outlook, Windows Vista Mail, IBM Lotus Notes, Ipswitch IMail Client

Web browsers Internet Explorer, Mozilla Firefox

Anti-virus Clam AV, CA, Symantec, Norton, Trend Micro, Microsoft

Other applications Samba, IBM Websphere, IBM Lotus Domino Web Access, X.Org, X Font Server prior,

Rsync, OpenSSL, Novell Client

23


vShield

Securing the Private Cloud End to End: from the Edge to the Endpoint

Edge

vShield Edge

Secure the edge of

the virtual datacenter

Security Zone

vShield App and

Zones

Application protection from

network based threats

Endpoint = VM

vShield Endpoint

Enables offloaded anti-virus

Virtual Datacenter 1 Virtual Datacenter 2

DMZ PCI

compliant HIPAA

compliant

Web View VMware

vShield

VMware

vShield

VMware vShield Manager


vShield

Endpoint Antivirus

Agentless 2

Security

Virtual

Machine v

S

p

h

e

r

e

Agentless

VMsafe

APIs

IDS / IPS


Application Control

Firewall

1

Security agent

on individual VMs

Log Inspection

4 Agent-based

Integrates

with

vCenter

Trend Micro Deep Security

Integrity Monitoring vShield

Endpoint

3 Agentless

Deep Security 8 Agentless Security for VMware

Integrity Monitoring

3


Agentless Anti-Virus

26

Agent-less Anti-Virus for VMware

Protection for virtualized

desktops and datacenters

Trend Micro Deep Security

Anti-malware

A virtual appliance that detects

and blocks malware (web threats,

viruses & worms, Trojans).

VMware vShield Endpoint

Enables offloading of antivirus

processing to Trend Micro Deep

Security Anti-malware – a

dedicated, security-hardened VM.

The first and only agentless anti-virus solution architected for VMware

Better Manageability

Higher Consolidation

Faster Performance

Stronger Security

The idea

The components

Customer

Benefits

Differ-

entiator


VM VM VM

The Old Way

Security

Virtual

Appliance VM VM VM

With Agent-less Integrity Monitoring

VM

Better Manageability

Zero Added Footprint

Faster Performance

Stronger Security

• Zero added footprint: Integrity monitoring in the same virtual appliance

that also provides agentless AV and Deep Packet Inspection

• Stronger Security: Expands the scope of protection to hypervisors

• Order of Magnitude savings in manageability

• Virtual Appliance avoids performance degradation from FIM storms

Agentless Integrity Monitoring


Agent-less Security Architecture

OS

Kernel

BIOS

ESX 4.1

vSphere Platform

Guest VM

OS

Trend Micro

Deep Security Manager

vShield Endpoint ESX Module

vCenter

Thin Driver

vShield Manager

Trend Micro product

components

vShield Endpoint

Components

VMware

Platform

VI

Admin

Security

Admin APPs

APPs APPs

Trend Micro Deep Security Virtual Appliance

Anti-Malware

- Real-time Scan

- Scheduled &

Manual Scan

FIM

Network Security

IDS/IPS

- Web App Protection

- Application Control

Firewall

Trend Micro filter driver

VMsafe-net API

vShield Endpoint API

Legend



Complexity of Management 4


Instant-on Gaps 2

Virtualization

Addressing Security Inhibitors

Solution: Agentless Security

Services from a separate scanning

VM

Solution: Dedicated scanning VMs

with layered protection

Solution: VM-aware security with

virtualization platform integration

Solution: Integration with

virtualization management

consoles such as VMware vCenter

29


DEEP SECURITY

Security built for

virtualization helps

maximize

consolidation rates,

operational

efficiencies and

cost savings

Virtualization


Deep Security: Agentless Security Benefits

• Higher VM density − Agentless AV enables 2-3 times

more desktop VMs

− Enables 40-60% more server VMs

• Better manageability − No security agents to configure,

update & patch

− Integrated AV, FIM & IDS/IPS simplifies security mgmt

• Stronger security − Added security (FIM, IDS/IPS, etc.)

through virtual appliance

− Instant ON protection

− Tamper-proofing

• Faster performance – Freedom from AV and FIM storms

31

Previously

Agentless server security platform


DEEP SECURITY

Shield

vulnerabilities in

critical systems,

until, or without,

patching

Virtual Patching

Copyright 2011 Trend Micro Inc. Classification 12/22/2011 33

Four Key Strategies:

•patching applications and always using the latest version of

an application;

•keeping operating systems patched;

•keeping admin rights under strict control (and forbidding the

use of administrative accounts for e-mail and browsing);

•whitelisting applications.


Recap: Virtual Patching with Deep Security

Filtered Traffic

Allow known good

Raw Traffic

Stop known bad

Shield known

vulnerabilities

Shield unknown

vulnerabilities

and protect

specific applications

Stateful Firewall

Exploit Rules

Vulnerability Rules

Smart Rules

1

2

3

4

Deep

packet

insp

ecti

on

Over 100 applications

shielded including:

Operating Systems

Database servers

Web app servers

Mail servers

FTP servers

Backup servers

Storage mgt servers

DHCP servers

Desktop applications

Mail clients

Web browsers

Anti-virus

Other applications


DEEP SECURITY

A security and

compliance solution

that addresses

multiple PCI and

other regulatory

requirements cost-

effectively

Compliance


IDS / IPS


Application Control

Firewall


Integrity

Monitoring

Log

Inspection

Recap: Deep Security for PCI compliance

Addressing 7 PCI Regulations

and 20+ Sub-Controls Including:

(1.) Network Segmentation

(1.x) Firewall

(5.x) Anti-virus

(6.1) Virtual Patching*

(6.6) Web App. Protection

(10.6) Daily Log Review

(11.4) IDS / IPS

(11.5) File Integrity Monitoring

* Compensating Control

Anti-

Malware

Physical

Servers

Virtual

Servers

Cloud

Computing

Endpoints

& Devices


Emerging Governance

• PCI Virtualization Special Interest Group (SIG) formed during the 2009 RSA Conference – SIG Objective: Provide clarification on the use of

virtualization in accordance with the PCI DSS

– After a 2+ year process, the SIG submitted recommendations to the PCI SSC working group for consideration

– Trend has been a contributing member of the SIG from the very first call

– Opinions on the SIG varied widely • Leading edge: Embrace virtualization and the

direction towards cloud computing

• Conservative: Recommend dedicated hypervisor environments and restrict consolidation of system components – defer use of the cloud

Classification 12/22/2011 39


Security in a Cloudy World



Cloud is a computing style, not a location….

Trend Micro Confidential 12/22/2011 41 41


Hybrid Cloud

Public Cloud

Private Cloud

Consolidation

Flexibility

Speed

IaaS

Agility

Cost Management

Peak load flexibility

Integration of 3rd Party Solutions

Capital Expense Elimination

Flexibly match cost to demand

Virtualization will inevitably lead to Cloud Computing models Gartner, 2011


• Gartner

– 15% of workloads will be cloud based by 2014

• Information Week

− 17% of businesses in public cloud

− 28% using, 30% planning for private cloud

Businesses are moving into the cloud

But for businesses to truly invest in the cloud…

• Must be interchangeable with on-site data center deployments

• Must retain similar levels of security and control

• Must provide data privacy and support compliance requirements

Adoption of Cloud Computing

42


n

• Your data is mobile — has it moved?

• Who can see your information?

• Who is attaching to your volumes?

• Do you have visibility into who has

accessed your data?

Public IaaS Clouds

Security and Privacy are #1 Concerns

Name: John Doe

SSN: 425-79-0053

Visa #: 4456-8732…

Data can be moved and

leave residual data behind

Rogue server

access

No visibility to

data access

Name: John Doe

SSN: 425-79-0053

Visa #: 4456-8732…

43


Who is responsible for security?

• With IaaS the customer is responsible for security

• With SaaS or PaaS the service provider is responsible for security

– Not all SaaS or PaaS services are secure

– Can compromise your endpoints that connect to the service

– Endpoint security becomes critical

Public Cloud

PaaS

Public Cloud

IaaS

Servers Virtualization &

Private Cloud

End-User (Enterprise) Service Provider

Public Cloud

SaaS

Public Cloud

Who Has Control?

44


So who is responsible?


The majority of cloud computing providers surveyed do not believe their organization views the

security of their cloud services as a competitive advantage. Further, they do not consider cloud

computing security as one of their most important responsibilities and do not believe their

products or services substantially protect and secure the confidential or sensitive information of

their customers.

The majority of cloud providers believe it is their customer’s responsibility to secure the cloud

and not their responsibility. They also say their systems and applications are not always

evaluated for security threats prior to deployment to customers.

Buyer beware – on average providers of cloud computing technologies allocate10 percent or

less of their operational resources to security and most do not have confidence that customers’

security requirements are being met.

Cloud providers in our study say the primary reasons why customers purchase cloud resources

are lower cost and faster deployment of applications. In contrast, improved security or

compliance with regulations is viewed as an unlikely reason for choosing cloud services.

The majority of cloud providers in our study admit they do not have dedicated security

personnel to oversee the security of cloud applications, infrastructure or platforms.

conducted by Ponemon Institute LLC

Publication Date: April 2011


Accountability

• Ultimately who is responsible will pale beside the governance which dictates who is accountable

• Accountability will rest with the data owner by most governance regimes

• Cloud computing due diligence means you must own and control your data – wherever it resides and moves



Working on Cloud GRC


Cloud Security Alliance GRC Stack

The Cloud Security Alliance GRC Stack provides a toolkit for

enterprises, cloud providers, security solution providers, IT auditors

and other key stakeholders to instrument and assess both private and

public clouds against industry established best practices, standards

and critical compliance requirements

https://cloudsecurityalliance.org/


Patient Medical Records Credit Card Payment

Information Sensitive Research Results Social Security Numbers

• Compliance support

• Custody of keys—SaaS

or virtual appliance

• No vendor lock-in

• Trusted server access

• Control for when and

where data is accessed

• Unreadable to outsiders

• Obscured data on

recycled devices

AES Encryption

128, 192, & 256 bits

Policy-based

Key Management

Auditing, Reporting,

& Mobility

Encryption with Policy-based

Key Management

What is the Solution?

Data Protection in the Cloud


Cloud Security – Modular Protection

Compliance

49

Template

Integrity

VM

Isolation

Real-time

Protection

Data

Protection

Security that Travels with the VM

Self-Defending VM Security in the Cloud

• Agent on VM allows travel between cloud solutions

• One management portal for all modules

• SaaS security deployment option


Patient Medical Records Credit Card Payment

Information Sensitive Research Results Social Security Numbers

Encryption with Policy-based

Key Management

• Data is unreadable

to unauthorized users

• Policy-based key management

controls and automates key

delivery

• Server validation authenticates

servers requesting keys

SecureCloud 2

Total Cloud Protection System, application and data security in the cloud

Deep Security 8

Modular protection for

servers and applications

• Self-Defending VM Security

in the Cloud

• Agent on VM allows travel

between cloud solutions

• One management portal for

all modules

Context

Aware

50


SecureCloud 2 Enterprise Deployment Options

Trend Micro

SaaS Solution

Key Management

Deployment Options

Encryption Support

Or

Data Center

Software Application VM VM VM VM

VM VM VM VM

SecureCloud

Console

Private

Clouds

Public

Clouds

vSphere

Virtual

Machines

VM VM VM VM

51


SecureCloud – New In 2.0

• FIPS 140-2 Certification

– Exchange of Mobile Armor encryption agent

– Gives Trend access to Fed / Gov accounts

• DSM Integration

– Greatly improves ability to build robust authentication policies

– Begins integration of two cutting edge technologies

– Additional integration – unified management console

• Total Cloud Protection Bundle

– New bundle connects both products

– Gives protection across all infrastructures – PVC

– Defines a place to manage and protect all future environments

12/22/2011 52

52


SecureCloud Benefits

• Access cloud economics and agility by removing data privacy concerns.

• Segregate data of varied trust levels to avoid breach and insider threat

• Reduce complexity and costs with policy-based key management

• Boost security with identity- and integrity-based server authentication

• Move freely among clouds knowing that remnant data is unreadable

Trend Micro Confidential12/22/2011 53


Physical

Reduce Complexity

Virtual

Increase Efficiency

Cloud

Deliver Agility

• Integrate security—server, web, email,

endpoint, network

• Improve security and availability

• Lower costs

• Apply VM-aware security

• Ensure higher VM densities

• Get better performance and better protection

• Encrypt with policy-based key management

• Deploy self-defending VMs in the cloud

• Use security that travels with your data

Use Data Center Security to Drive Your Business Forward

Securing Your Journey to the Cloud

54


Final Thoughts



Rethinking Security Controls in a Cloud-Service Envronment

The end of ‗physical‘ thinking

Focus on the Data Center

– Protection focused on (v)applications and data

Security Controls are a property of the Virtual Application

– not the device where it is accessed

– not the plumbing on which it is executed

You are accountable for your data

– whatever cloud it lives in

– own your data protection controls



Deep Security Summary of highlights

A fully integrated server security platform

Only solution to offer specialized protection for physical virtual and cloud

First and only agentless anti-malware – nearly a 1000 customers have

purchased

Only solution to also offer agentless FW, IDS/IPS and FIM in the same

appliance

Only solution in its category to be FIPS and EAL4+ certified

Top ratings for

Virtualization

Security

All

Others

77.1%

Trend

Micro

22.9%

Source: Worldwide Endpoint

Security 2010-2014 Forecast

and 2009 Vendor Shares, IDC

Trend Micro

13%

All Others

Combined

87%

Source: 2011 Technavio –

Global Virtualization Security

Management Solutions


Trend Micro: VMware #1 Security Partner and 2011 Technology Alliance Partner of the Year

Improves Security

by providing the most

secure virtualization infrastructure,

with APIs, and certification programs

Improves Virtualization

by providing security solutions

architected to fully exploit

the VMware platform

2011 2010 2009 2008

Feb: Join

VMsafe

program

RSA: Trend Micro

announces Coordinated

approach & Virtual pricing

And shows Vmsafe demo

VMworld: Trend Micro

virtsec customer

May: Trend

acquires

Third Brigade

RSA: Trend Micro

announces virtual

appliance

July:

CPVM

GA

Nov: Deep Security 7

with virtual appliance

Q4: Joined EPSEC

vShield Program

Dec: Deep Security

7.5

w/ Agentless

AntiVirus

2010:

>100 customers

>$1M revenue

Q1: VMware buys

Deep Security for

Internal VDI Use

RSA: Trend Micro

Demos Agentless

Sale of DS 7.5

Before GA

VMworld: Announce

Deep Security 7.5

Vmworld: Announce

Deep Security 8

& vShield OEM


Thank You! www.cloudjourney.com

Peter Cresswell