Three Ways to Secure Virtual Applications

Transcription

1 WHITE PAPER Detect, Scan, Prioritize, and Remediate Vulnerabilities

2 Table of Contents Subtitle 1 Headline 3 Headline 3 Sub-Headline 3 ConcIusion 3 About BeyondTrust BeyondTrust Software, Inc.

3 Virtual Application Overview Applications are virtualized by encapsulating application files and registry settings into a single package that can be deployed, managed, and updated independently from the underlying operating system (OS). The virtualized applications do not make any changes to the underlying OS and continue to behave the same across different configurations for compatibility, consistent end-user experiences, and ease of management. Virtualization has become extremely popular with 80% of enterprises having a virtualization program or project (Gartner Virtualization Reality Report). VMware s ThinApp is one of the most popular products used to virtualize an app. This whitepaper focuses on the integration and value of using VMware ThinApp technology with eeye s vulnerability management solution, Retina. Why Virtualize Applications? There are hundreds of reasons to virtualize an application and here are a few common scenarios: Simplify Windows 7 migration - Easily migrate legacy applications such as Internet Explorer 6 to 32- and 64-bit Windows 7 systems. Virtual apps enable you to eliminate costly recoding, regression testing, and support costs. Eliminate application conflicts - Isolate desktop applications from each other and from the underlying OS to avoid conflicts. For example, you can run Internet Explorer 6 seamlessly on Windows 7 alongside newer Internet Explorer browsers. Consolidate application streaming servers - Enable multiple applications and sandboxed user-specific configuration data to reside safely on the same server. Augment security policies - Deploy virtualized packages on locked-down PCs and allow end users to run applications without compromising security. Increase mobility for end users - Deploy, maintain, and update virtualized applications on USB flash drives for ultimate portability. Vulnerability Trends Security professionals must account for virtual applications as part of their standard vulnerability management process as increased popularity and exposure hasn t gone unnoticed by hackers. Vulnerabilities have been on the rise and that trend is expected to continue. In 2010, there were 8562 publicly disclosed vulnerabilities which is a 27% increase over the previous year and in % of publicly disclosed vulnerabilities do not have a vendor supplied patch. In addition, vulnerability severity has increased with the majority of vulnerabilities categorized as medium or higher (IBM X-Force 2011 Mid-year Trend and Risk Report) BeyondTrust Software, Inc.

4 Figure 1: Vulnerability Disclosures by Year Figure 2: Vulnerability Disclosures by Severity Figure 3: Vendor Patch Timeline for first half of BeyondTrust Software, Inc.

5 Anatomy of an Attack Hackers try to exploit the most users with the least amount of effort. For example, due to the prevalent use of PDF documents throughout the workplace, it is common for attackers to exploit PDF viewers, such as Adobe Reader. Assuming a user has an older, vulnerable version of Adobe Reader installed, an attacker simply sends an containing a malicious PDF file and the user is exploited upon viewing. Hackers typically use current events or spoofing to trick users into viewing attachments. One of the more popular methods is spoofing the Human Resources department with a timely subject line such as New Holiday Calendar or Benefit Changes. Since it appears safe to open a document from Human Resources, users open these attachments and are easily exploited. Exploitation of virtual applications is no different. The attacker sends the same malicious code and the user is exploited upon viewing. Virtualized applications are not installed like traditional applications as they are essentially a self-contained executable that can be installed in various locations. The end result is traditional vulnerability scanners are not able to detect virtualized vulnerabilities and in this case the Adobe Reader vulnerability would not be detected. However, Retina s scan engine can discover the vulnerable application as well as help remediate the vulnerability, such as providing an upgrade link to a newer version of Adobe Reader - which could then be repackaged and deployed as an updated and secure virtual application package. Retina is the only solution that automates vulnerability management for virtual applications. Doesn t my vulnerability scanner identify vulnerabilities in virtualized applications? Traditional vulnerability scanners are not able to detect virtual app vulnerabilities due to the way virtual apps are installed. Retina is the only solution that is able to detect where ThinApp packages have been deployed on your network. This information is used to properly scan virtual apps and ensure ThinApp applications are part of your standard vulnerability management process. ThinApp Architecture VMware defines application virtualization as the ability to deploy software without modifying the host computer or making any changes to the local operating system, file system, or registry. Using this virtualization technology, organizations can deploy custom and commercial software across the enterprise without installation conflicts, system changes, or any impact on stability. Virtualized applications such as VMware ThinApp can be run without any modifications or additions to a PC, including administrative permissions. Traditional applications that are installed and run locally utilize a variety of components such as the following: files, registry settings, Windows services, etc. Virtualizing an application encapsulates all of the components from a traditional installed application into a single EXE that functions sort of like a bubble floating on top of the operating system. From the workstation s perspective, the myriad of files and registry settings making up the virtual application are not visible all it sees is one executable. But the end result is a virtual application functioning properly on the host as if it were installed locally BeyondTrust Software, Inc.

6 Virtualizing applications does provide an additional layer of security by running the application inside a bubble, but it can be a false sense of security, as vulnerabilities still exist within the application itself. Also, it is common to virtualize older or legacy applications that a company needs to continue using legacy apps are notorious for being vulnerable. For example, if a legacy web service is installed within a virtualized environment, attackers can exploit unpatched vulnerabilities within that service. Another security benefit of virtualized applications is customizable rules of isolation, meaning a user dictates how the virtual app interacts with the host operating system. In most instances the application can see files and registry settings on host machines as if it was natively installed, but it isn t allowed to physically change files or settings. For example, any sort of run-time modification that an application may try to attempt to a file or a registry value is actually stored in a sandbox. This sandbox is nothing more than a folder that holds run-time modifications. If a run-time vulnerability is executed the change occurs in the sandbox and doesn t affect the physical host. The architecture of virtual applications makes it difficult for traditional vulnerability management solutions to understand because everything is contained in a single EXE. Retina enables security professionals to extend into the virtual world and tell you exactly what s going on from a vulnerability management perspective by looking inside the EXE. Retina s integration with ThinApp is designed to make virtual apps part of your standard vulnerability processes scan all applications (including virtualized) and manage vulnerabilities from a centralized console. Three Ways to Secure Virtualized Applications When ThinApp virtualizes an application, it s important to understand how virtualization affects the security footprint of any potential vulnerability. Here are the three main areas to focus from a vulnerability management perspective: Discover all virtual applications when the apps are not executing as well as understand where they exist on your network (servers, desktops, file shares, etc.) and where virtual apps have previously been run. Scan, prioritize, and remediate virtual application vulnerabilities Don t forget custom applications Discover Virtual Applications The biggest challenge is finding ThinApp packages since there is no registry on the physical host if you install a ThinApp package again there is just a single EXE. Retina detects ThinApp packages in a few different ways. The first method is if ThinApp is deployed using MSI (Microsoft Installer Technology), which is one of the options in the ThinApp Package Creation Wizard. If you deploy the virtual app as a standard regular piece of software it will be registered and display in Add or Remove Programs. Retina detects the application is a ThinApp version of the product, and acts accordingly. Instead of having audits look at the registry, Retina will go out and find the ThinApp package, enumerate that package, and then perform standard vulnerability checks BeyondTrust Software, Inc.

7 Not everybody uses MSI to deploy ThinApp packages and there are various ways to deploy virtual apps such as simply copying a ThinApp package to a desktop or having it on a file share. Retina has forensic functionality to check for virtual applications by essentially looking backwards to find where the actual ThinApp package exists. Lastly, if there happens to be an application that isn t using MSI, ThinApp also has the option of including scripts. Retina s script can be bundled directly within ThinApp when creating the package. This script publishes the location of ThinApp bundles. The first time you run the virtual app the keys are published for Retina s scan engine to detect. In this example, Retina found a ThinApp version of Google Chrome. At the bottom of the screenshot there are a few additional details such as where the ThinApp package actually exists, that it s a dat file, and v Even if there s not a vulnerability detected in the ThinApp package, Retina s scanner still enumerates the virtual app just as it would any normal software that is locally installed. This information is available in Retina s standard reports and virtual apps are labeled appropriately. Scan, Prioritize, and Remediate Vulnerabilities Now that Retina has detected ThinApp packages the focus changes to auditing for vulnerabilities. Also, Retina does not need to launch a ThinApp application in order to scan. Retina utilizes VMware s ThinApp API, which is extremely flexible and allows Retina to scan the file system and registry of virtual apps. Retina uses the API to examine the ThinApp s file systems and registry and treat it like a normal physical file system and registry. Retina performs standard vulnerability checks looking at file versions, registry values, and numerous other methods to detect if there s a vulnerable piece of software installed. The scanning process is completed behind the scenes and is transparent to the end user as they simply select the ThinApp audit and click run. There s nothing that needs to be installed on the target machines - it s all agentless. In addition, eeye has an optional agent, Retina Protection Agent, that can be deployed on devices that are not part of your corporate network and it reports results back to the centralized management console BeyondTrust Software, Inc.

8 This screenshot displays a vulnerability for Google Chrome Multiple Vulnerabilities ThinApp. Retina lists various risk details and how to remediate. In this case, the fix is to upgrade to a newer version of Google Chrome. A quick side note regarding risk or vulnerability severity - Retina has the ability to adjust severity of a vulnerability. If it s determined the risk is lower due to Google Chrome being deployed via ThinApp the user can adjust severity to Medium or Low. Don t Forget Custom Applications Retina has an extremely comprehensive database that includes vulnerability audits for over 1700 platforms, but it s common to virtualize custom or homegrown applications. For example, a custom application may have been developed 5 or 10 years ago, but needs to be virtualized in order to run on a newer operating system. Retina has the ability to create custom audits that look at any ThinApp package, determine the version, and list what workstations have the package deployed. In this example, we used Google Chrome again, but it can be any application that you have. Conclusion As applications are virtualized in order to minimize costs and eliminate conflicts it creates a hybrid environment on the desktop. It s important to always be conscious of the fact that risks are present inside virtual applications. Retina is the first and only solution to provide vulnerability management for applications virtualized with VMware s ThinApp Technology to: Reduce risk by ensuring ThinApp applications are properly discovered and are part of standard vulnerability management processes. Increase visibility and automate vulnerability assessment for ThinApp packages. Decrease time, effort, and cost associated with the discovery and remediation of vulnerabilities within ThinApp applications. Retina s integration with ThinApp continues eeye s theme of no-gap security management by enabling security professionals to manage risk by making ThinApp packages part of their standard vulnerability management processes BeyondTrust Software, Inc.

9 About BeyondTrust With more than 25 years of global success, BeyondTrust is the pioneer of Privileged Identity Management (PIM) and vulnerability management solutions for dynamic IT environments. More than half of the companies listed on the Dow Jones Industrial Average rely on BeyondTrust to secure their enterprises. Customers include eight of the world s 10 largest banks, seven of the world s 10 largest aerospace and defense firms, and six of the 10 largest U.S. pharmaceutical companies, as well as renowned universities. The company is privately held, and headquartered in Carlsbad, California. For more information, visit beyondtrust.com. CONTACT INFO NORTH AMERICAN SALES sales@beyondtrust.com EMEA HEADQUARTERS Suite 345 Warren Street London W1T 6AF United Kingdom Tel: + 44 (0) Fax: + 44 (0) emeainfo@beyondtrust.com CONNECT WITH US Facebook.com/beyondtrust Linkedin.com/company/beyondtrust BeyondTrust Software, Inc.