Bezpečne a virtuálne. A Server Security Platform for Physical, Virtual, Cloud. Ondrej KOVÁČ. Available Aug 30, Sales Engineer, CEEUR

Transcription

1 Bezpečne a virtuálne A Server Security Platform for Physical, Virtual, Cloud Ondrej KOVÁČ Sales Engineer, CEEUR Available Aug 30, 2011

2 Trend Micro Leader in Datacenter Security - #1 in server security, #1 in virtualization security - First and only agentless security suite built for virtualization - First company to offer security for the cloud VMware Technology Alliance Partner of the Year 2

3 Access data, anytime, anywhere, from any device Journey to the Cloud Trend Micro Secures Your Journey VIRTUALIZATION Desktop / server consolidation using virtual machines PUBLIC CLOUD (SaaS, IaaS, PaaS): Delivers agility by anticipating and meeting business needs PRIVATE CLOUD: Increases automation to facilitate provisioning PHYSICAL: On premise desktop / server HYBRID CLOUD: Combination of private and public cloud F l e x i b i l i t y and o p e r a t i o n a l e f f i c i e n c y 3 Trend Micro enables you to use the cloud to further your business AND maintain control of your data, wherever it lives

4 Key Trends: Datacenter Consolidation Physical Virtual Cloud Windows/Linux/Solaris Server Virtualization Public Cloud Private Cloud Desktop Virtualization Hybrid Cloud New platforms don t change the threat landscape Each platform adds unique security risks 4

5 Key Trends: Data-centric threat environment More Profitable More Sophisticated # of days until vulnerability is first exploited, after patch is made available 28 days Exploits are happening before patches are developed More Frequent 18 days More Targeted 10 days Zero-day Zero-day 2003 MS- Blast 2004 Sasser 2005 Zotob 2006 WMF 2010 IE zero-day 5

6 Endpoint and Server Security Diverging Main Campus Mobile Workers IaaS Private Public SaaS ENDPOINT Infection via Social Engineering Heavy User Touch Environment Primarily Windows Consumerization is key trend Internet Data Center SERVER Infection via Threat Injection Locked Down Mission-Critical Env. Heterogeneous: Unix, Linux, Windows Virtualization/Cloud is key trend Branch Offices Fixed Telecommuters

7 Key Trends: The Patching Conundrum Takes days to months until patches are available and can be tested & deployed Enterprise Vulnerabilities Developers not available to fix vulnerabilities Patches are no longer being developed Can t be patched because of cost, regulations, SLA reasons Enterprises spend a third of their time on patching But ¾ of enterprises say their patching is not effective Source: InformationWeek, Analytics Report: 2010 Strategy Security Survey 7

8 Key Trends: Compliance Imperative More standards: PCI, SAS70, HIPAA, ISO 27001, FISMA / NIST , MITS More specific security requirements Virtualization, Web applications, EHR, PII More penalties & fines HITECH, Breach notifications, civil litigation DMZ consolidation using virtualization will be a "hot spot for auditors, given the greater risk of mis-configuration and lower visibility of DMZ policy violation. Through year-end 2011, auditors will challenge virtualized deployments in the DMZ more than non-virtualized DMZ solutions. -- Neil MacDonald, Gartner 8

9 Trend Micro Deep Security A server security platform for: Physical Virtual Cloud Antimalware Firewall Deep Packet Inspection IDS / IPS Web App. Protection Application Control Integrity Monitoring Log Inspection

10 Trend Micro Deep Security System, application and data security across: 5 protection modules Shields web application vulnerabilities Deep Packet Inspection IDS / IPS Web Application Protection Application Control Detects and blocks known and zero-day attacks that target vulnerabilities Provides increased visibility into, or control over, applications accessing the network Reduces attack surface. Prevents DoS & detects reconnaissance scans Firewall Anti-Virus Detects and blocks malware (web threats, viruses & worms, Trojans) Optimizes the identification of important security events buried in log entries Log Inspection Integrity Monitoring Detects malicious and unauthorized changes to directories, files, registry keys 11 Protection is delivered via Agent and/or Virtual Appliance

11 Deep Security 8 Agent-based Anti-malware Deep Packet Inspection Firewall Anti-malware WEB REPUTATION SERVICES Integrity Monitoring Log Inspection VDI Local Mode Hyper-V & Xen-based Virtual Servers New Agent-based form factor extends protection to physical operating systems Windows and Linux Agent-based AV also protects Hyper-V & Xen-based virtual servers, and virtual desktops in local mode Web reputation services through integration with Smart Protection Network protects systems/users from access to malicious websites 12

12 Deep Security 8 Agentless Security for VMware Integrates with vcenter Trend Micro Deep Security Agentless IDS / IPS Web Application Protection 1 VMsafe APIs Integrates with Intel TPM/TXT Application Control Firewall Agentless Antivirus Log Inspection Agentless Integrity Monitoring Agent-based vshield Endpoint vshield Endpoint Security agent on individual VMs Security Virtual Machine v S p h e r e

13 Deep Security 8 Integrity Monitoring Agentless Integrity Monitoring The Old Way With Agent-less Integrity Monitoring VM VM VM Security Virtual Appliance VM VM VM VM Zero Added Footprint Faster Performance Better Manageability Stronger Security Zero added footprint: Integrity monitoring in the same virtual appliance that also provides agentless AV and Deep Packet Inspection Stronger Security: Expands the scope of protection to hypervisors Order of Magnitude savings in manageability Virtual Appliance avoids performance degradation from FIM storms 14

14 Deep Security Coordinated Protection 1 Agentless Security Virtual Appliance Integrity Monitoring Anti-malware Leverages vshield Endpoint 2 IDS/IPS WAF Firewall Leverages vsphere (Vmsafe) APIs 3 Add-on Agents Log Inspection Encryption AV IDS/IPS WAF FIM Anti-malware Integrity Monitor IDS / IPS WAF Firewall VM VM vshield Endpoint APIs Add-on agents can play a strong supporting role: add protection layers not currently supported at hypervisor level provide additional defense in depth can extend protection to environments where the appliance cannot go - eg. Public Cloud and offline desktops

15 Deep Security Architecture Single Pane Scalable Redundant Deep Security Manager 1 Reports 5 Threat Intelligence Manager 2 Deep Security Agent 3 4 SecureCloud Deep Security Agent Modules: DPI & FW Anti-malware Integrity Monitoring Log Inspection Deep Security Virtual Appliance Modules: DPI & FW Anti-malware Integrity Monitoring Cloud Integration Modules: Data Protection

16 Deep Security for PCI compliance Deep Packet Inspection Addressing 7 PCI Regulations and 20+ Sub-Controls Including: IDS / IPS Web Application Protection Application Control (1.) (1.x) (5.x) Network Segmentation Firewall Anti-virus Firewall Log Inspection Integrity Monitoring Anti- Malware (6.1) Virtual Patching* (6.6) Web App. Protection (10.6) Daily Log Review (11.4) IDS / IPS Physical Servers Virtual Servers Cloud Computing Endpoints & Devices (11.5) File Integrity Monitoring * Compensating Control

17 Data Modalities That Are Addressed IN USE: CD/DVD USB Printers Copy/Paste IN MOTION: Webmail IM FTP AT REST: Sharepoint Endpoints CIFS/ Local/ NFS File Shares

18 Total Cloud Protection with Deep Security 8 and SecureCloud 2 System, application and data security in the cloud Deep Security 8 Context Aware Credit Card Payment Sensitive Social Patient SecureCloud Security Medical Research Numbers Records Results 2 Information Modular protection for servers and applications Self-Defending VM Security in the Cloud Agent on VM allows travel between cloud solutions One management portal for all modules Encryption with Policy-based Key Management Data is unreadable to unauthorized users Policy-based key management controls and automates key delivery Server validation authenticates servers requesting keys

19 Public Cloud Data Protection A security model that fits the needs of flexible operations with higher ROI/Security Public Cloud Data Protection Data Security Operation vs. System Operation (Infrastructure) Key Management vs. Data Management Applications vs. Storage

20 Policy configuration Group multiple Images & Devices to one policy Granular policies allow 1:1 mapping with devices Rules are configured based on evaluator operators.

21 Deep Security 8 Key Solution Differentiators Physical Virtual Cloud Comprehensive protection for systems, applications and data Greater operational efficiency Superior platform support Firewall IDS / IPS Web application protection Integrity monitoring Log inspection Integrated security platform Single pane of glass Agentless architecture Task automation with recommendation scans, security profiles, trusted sources, etc. Full functionality across more PVC platforms Quick support for current versions Tighter integration with eco-system Hypervisor and cloud platforms Enterprise directories, SIEM and other apps

22 Deep Security 8 Summary of highlights A fully integrated server security platform Only solution to offer specialized protection for physical virtual and cloud First and only agentless anti-malware nearly a 1000 customers have purchased Only solution to also offer agentless FW, IDS/IPS and FIM in the same appliance Only solution in its category to be FIPS and EAL4+ certified Trend Micro 22.9% Trend Micro 13% All Others 77.1% All Others Combined 87% Top ratings for Virtualization Security Source: Worldwide Endpoint Security Forecast and 2009 Vendor Shares, IDC Source: 2011 Technavio Global Virtualization Security Management Solutions

23 Trend Micro: VMware #1 Security Partner and 2011 Technology Alliance Partner of the Year Improves Security by providing the most secure virtualization infrastructure, with APIs, and certification programs Improves Virtualization by providing security solutions architected to fully exploit the VMware platform Feb: Join VMsafe program VMworld: Trend Micro virtsec customer May: Trend acquires Third Brigade Nov: Deep Security 7 with virtual appliance RSA: Trend Micro Demos Agentless Sale of DS 7.5 Before GA Dec: Deep Security 7.5 w/ Agentless AntiVirus Vmworld: Announce Deep Security 8 w/ Agentless FIM RSA: Other vendors announce Agentless RSA: Trend Micro announces Coordinated approach & Virtual pricing And shows Vmsafe demo July: CPVM GA RSA: Trend Micro announces virtual appliance VMworld: Announce Deep Security 7.5 Q4: Joined EPSEC vshield Program 2010: >100 customers >$1M revenue Q1: VMware buys Deep Security for Internal VDI Use

24 Thank you! ontact: Ondrej KOVÁČ mail: obile:

25 PCI DSS 2.0 Virtualization Guidelines PCI DSS 2.0 Virtualization Guideline 1. Hypervisor environment is in scope - Hypervisor and supporting components must be hardened - Security patches applied ASAP - Logging/monitoring of hypervisor events 2. One function per server - Physical servers had the same requirement, no change in behavior 3. Separation of duty - Consider multi-factor authentication - Access controls for both local and remote should be accessed - Review and monitor RBAC controls - Enforce least privilege where possible 4. Mixing VM s of different trust levels - In order for in-scope and out-of-scope VMs to co-exist on the same hypervisor the VMs must be isolated from each other Required Controls Deep Security DPI and FIM - Virtual Patching Prevents VMs from being compromised to attack hypervisor - FIM checks the integrity of vsphere utilizing Intel TPM/TXT Deep Security Firewall - Firewall ensures only requires ports and protocols are accessible Deep Security Manager - Support for RBAC enables separation of duty of security policies Deep Security Firewall and IDS/IPS - A combination of VLAN and per VM firewall and IDS/IPS provides the isolation and visibility into inter-vm traffic required Classification 11/10/

26 PCI DSS 2.0 Virtualization Guidelines PCI DSS 2.0 Virtualization Guideline Required Controls 5. Dormant VMs and VM snapshots - Access should be restricted - Ensure that only authorized VMs are added and removed - Recognize that VMs are dynamic and state cannot be assumed 6. Immaturity of monitoring solutions - Traditional tools do not monitor inter- VM traffic - Virtualization tools are still immature compared to their physical counterparts 7. Information leakage - Increased risk of information leakage between logical network segments & between logical components Deep Security Agentless DPI & AV - Automated VM discovery via real-time integration w/ vcenter - Dormant VMs are protected by the Virtual Appliance when first powered on eliminating stale protection policies Deep Security IDS/IPS, FIM & LI - Deep Security IDS/IPS provides visibility into inter-vm traffic - Integrity Monitoring provides visibility into unauthorized changes to guest-vms and the hypervisor - Log Inspection provides visibility into security events occurring to guest-vms Deep Security (all modules) - IDS/IPS, FIM and Log Inspection provides visibility as shown in #6 above - Firewall reduces the VMs attack surface Classification 11/10/

27 PCI DSS 2.0 Virtualization Guidelines PCI DSS 2.0 Virtualization Guideline Required Controls 8. Defense in depth - Traditional security appliances cannot protect virtual - Traditional agent-based security products can impact performance 9. VM Hardening - Harden VMs (OS & Apps) by disabling unnecessary services, ports, interfaces, and devices - Send logs off-board in near real-time - Establish limits on VM resource usage 10. Cloud Computing - Cloud service provider must provide sufficient assurance that the scope of PCI compliance is sufficient - Customer is required to provide additional necessary controls Deep Security (all modules) - Automated VM discovery via real-time integration w/ vcenter & new VMs are autoprotected w/ a default security profile - Protection for physical, server VMs, VDI, hybrid cloud, and public cloud Deep Security and VMware - IDS/IPS & firewall hardens VMs - Integrity Monitoring provides visibility into unauthorized changes to guest-vms - Log Inspection provides visibility into security events occurring to guest-vms & forwards in real-time Deep Security and SecureCloud - Deep Security protects VMs in enterprise, hybrid cloud and public cloud environments - SecureCloud provides encryption services independent of cloud provider ensuring only authorized personnel can access the data Classification 11/10/