1518 Best Practices in Virtualization & Cloud Security with Symantec

Transcription

1 1518 Best Practices in Virtualization & Cloud Security with Symantec Tues May 6, 11:00 Kevin Stultz Symantec Product Management Chip Epps Symantec Product Marketing 1

2 Agenda 1 2 Trends in Virtualization and Cloud Best Practices for Virtual Data Centers Assessing the Infrastructure Protecting the Control Plane Protecting the Workloads 3 Best Practices for Cloud Lifecycle Vendor Risk Management 3

3 IT Pressures a Constant Over the Decades Are you getting the maximum efficiency out of your infrastructure? How quickly can IT respond to LOB requests? Legislative Compliance Risk Reduction SLAs & Business Continuity Security Corp Assets & IP 4

4 60% OF ORGANIZATIONS HAVE >25 INCIDENTS EACH MONTH 1 77% HAVE ROGUE CLOUD DEPLOYMENTS 2 6X INCREASE IN MOBILE MALWARE LAST YEAR AVERAGE # OF DAYS TO DISCOVER A BREACH4 1. Ponenom Institute, 2013 State of the Endpoint 2. Symantec, Internet Security Threat Report Juniper Networks, Malware targeting mobile phones grew by 614% between 2012 and Mandiant, M-Trends 2013: Attack the Security Gap 5

5 Little v - Virtualization Consolidation Driver: Reduce Hardware and Power Costs Hypervisor Security Concerns: New Threat Surfaces Virtual/Cloud Admin Management Plane Hypervisor Network Security Zones remain unchanged 6

6 Big V - Virtualization Full Abstraction from Hardware App A App B App A App A App B Driver: Agility, Speed, and Utilization SDDC Security Concerns: Motioning Security stays with workload Demonstrate Compliance Server A Server B Server C Server D Network Security Zones Static Network Zones can impede value Can no longer just rely on physical controls With the click of a button rack(s) of servers can be removed from the data center Location of server is no longer fixed which adds new compliance challenges Attackers are already attacking the virtualization infrastructure 7

7 W-32 Crisis: Threats Target Virtual Infrastructures Researchers demonstrate guest-hopping threats W-32 Crisis significant in the wild Targeting master images 8

8 Cloud - Your Data and/or Infrastructure is Elsewhere SaaS is here to stay Salesforce Workday Concur IaaS is in use whether IT embraces it or not. To improve business agility amount of information flowing to your vendors is increasing. 9

9 While Security Requirements are Increasing PCI 3.0 Focus on maintaining controls across their business. Inventory - all hardware (virtual or physical hosts and network devices), as well as software components (custom or commercial, off-the-shelf applications, whether internal or external) within the cardholder data environment. AV is not enough must lock down Unix systems New Requirement 12.9 Additional requirement for service providers on data security merchants must explicitly agree to and document the segregation of duties with their vendors and service providers. 10

10 Virtual Data Center Practices 11

11 Software-Defined Data Center Data Center Security Automation and Management our view The SDDC The data center of the future is software-defined. It is dynamic and application-centric. Our mission is to support our customers as they evolve to the SDDC. Applications and Policies Software Defined Services Network Virtualization Compute and Storage Virtualization On-Prem/Private/Public Cloud Resources Drivers Cost Speed Flexibility Inhibitors Security Tax Complexity Compliance 12

12 Transitioning Our Security Controls and Architectures VM VM VM VM Maximum Guest Security Maximum Guest Security Advanced Security Advanced Security SVA Baseline Security Host Security Host Security Hardened Virtual Infrastructure Traditional Security Security controls specific to underlying infrastructure Security deployed at perimeter to reduce cost/effort of deployment at each workload Scales up to meet additional workload demand SDDC Security Delivered as a service by the virtualization infrastructure Security deployed on virtualization host (closer to workload) through an SVA, i.e. Agentless Scales out to meet additional workload demand (more SVAs) 13

13 Assessing the Infrastructure 14

14 Assessing the Infrastructure Discovery and Inventory Reconciliation Vulnerability/Patch assessment Configuration Standards Industry best practice Customized standards for your environment Exception process 15

15 CCS Discovery and Inventory Reconciliation New Network Discovery New Asset Discovery Reconcile with CMDB Adds Meta Data Automatically Tag/Group assets 16

16 CCS Vulnerability Manager: Advanced Vulnerability Assessment & Scanning Proactively prevents threats Covers web applications, databases servers and network devices 60k+ checks across 15k+ vulnerabilities Integrated scanners identify hidden risks Unique risk-scoring algorithm Web Service Database OS Your Data Unique Chaining Mechanism 17

17 Ongoing Assessment of IT Infrastructure & Security Configuration: Control Compliance Suite Automate assessment of security configurations Evaluate (agent and/or agent-less) Identify configuration drift 1. Define Standards 2. Managed/Unmanaged Assets Manage exceptions efficiently Support for agent-based and agentless data gathering Leverage best-in-class pre-packaged content 3. Analyze and Fix 18

18 Protecting the Control Plane 19

19 New attack surface - Protecting the Control Plane Hardening VMware vsphere Server Domain Controller Server Web Server VM Database Server VM V Center Outside VCenter DCS monitors and prevents changes across the network Infrastructure DCS monitors and prevents access changes on ESX Server VMWare ESX Server Inside VCenter VSM monitors and prevents access changes Internet VSM monitors and controls VMotion functions 20

20 Protecting the Workloads 21

21 Protecting Workloads Securing the Guest VMs On Premise In the Cloud Key Capabilities VM1 APP NON- WINDOWS OS VM2 APP WINDOWS OS ESX/ESXi SVA OS/ APP Guest Hypervisor Management Server vcenter Physical, virtual, or hybrid APP OS Agentless Threat Protections Event Monitoring File Integrity Monitoring Intrusion Detection Host Firewall File and Configuration Lock Down Admin Access Control Malware and Exploit Prevention Device Control Application Control & Whitelisting Application Sandboxing Physical Virtual Cloud 22

22 Transitioning Our Thinking - Introducing Data Center Security Server & Server Advanced v6 Making Server Security Simpler Critical System Protection Protected Application White Listing Agentless Malware Protection via VMware NSX Data Center Security: Server Advanced Data Center Security: Server 23

23 New Symantec Data Center Security Offering Leveraging VMware NSX Data Center Security: Server Frictionless AV Protection Hypervisor-based security virtual appliance Low OPEX Fully integrated with VMware NSX Always On Anywhere Protection Utilizing Symantec Best in Class AV and Insight Reputation What s Next: Guest Network Threat Protection Security Response Insight Reputation Virtual Data Center Data Center Security: Server Advanced Integrated with CSP Scale up to Full Lock Down Wizard Driven Simplified Hardening Protected Application Whitelisting and Control What s Next: Application Centric Protection Data Center Security Service for VMWare NSX 24

24 integration VMware NSX & Service Composer Services VMware ESXi with Endpoint Services VMware NSX Service Composer unifies and integrates service insertion & consumption across NSX native and 3rd party services 25

25 orchestration Symantec and VMware Symantec Manager 3 VMware NSX Networking & Security SYMC SVA 1. Import OVA and register AV Security Service 2. Publish new Symantec AV Security Policy Profile 3. Deploy AV Security Service to Cluster 4. Create new Security Policy (w/ AV) 5. Apply Security Policy to Security Group 6. Tag Networking & Security upon AV detection VM Endpoint Service VM Security Group 26

26 automation Workflow Orchestration Symantec Agentless DCS Registration Events/Actions User of GVM X tries to execute Malware VMware Infrastructure Security Group- Normal 0 i = Security Policy- AV Detect Only 3 rd Party Security System *Symantec Agentless AV (SVA) security service on Host detects Malware on GVM X via AV Detect Only policy, and denies access *Symantec Manager sets Security Tag for AV Detect *Symantec AV SVA responds to policy change associated with Quarantine group, and applies AV Clean policy to GVM X, deletes Malware on execute, and clears AV Detect Security Tag *VMware reassigns GVM X to group Quarantine *VMware restores GVM X to group Normal GVM X assigned to Normal group with AV Detect Only policy 27

27 DCS Server Advanced - Technologies Intrusion Detection AUDITING AND ALERTING SYSTEM CONTROLS NETWORK PROTECTION EXPLOIT PREVENTION Intrusion Prevention Monitor file integrity in realtime for compliance. Alert /notify for early response. Lock down configuration settings. Enforce security policies. Restrict device access. Enforce back doors. Limit connectivity by app. Restrict traffic flow. Prevent zero-day attacks. Application Whitelisting & De-escalate privileges. (i.e. Sandbox) Restrict behaviors. Buffer overflow protection. 28

28 Advanced Security Strategy Inspect System & Rate Applications Select Protection Strategy Manage Change Specify Application Controls Review Protection 1. Identify applications via system inspection and determine application reputation Provides visibility into applications running on servers Identifies known good applications via Trusted Publishers, application checksums, and/or reputation service 2. Specify a Protection Strategy 3. Specify how to manage change via Trusted Updaters Incorporates internal change processes into security policy 4. Select Whitelisted and Blacklisted Applications Provides a Default Deny security posture for generic servers Override via Trusted User/Group and Trusted Directories Admins can select sandboxing controls for the OS and workload (web servers, database servers, domain controllers) 5. View Security Summary and Impact of Selected Controls Identifies gaps based on the controls selected and server profile 29

29 What s Next? What additional security controls do you Need? Data Center Security: Server Advanced Data Center Security: Server Encryption? Data Loss Prevention? Additional Controls for Specific Applications? VDI Databases 30

30 Cloud Practices Vendor Risk Management 31

31 32

32 Assessment & Reporting of Third Party Vendor s IT Security Posture Cost-effectively scale vendor risk management program Leverage Shared Assessments content Auto-calculate risk scores based on multiple evidence sources Tier vendors based on data risk and business criticality Centralized Web-based repository Authorize or remediate vendor Continuous vendor risk monitoring Assign vendor tier Vendor Risk Manager Route and review submitted evidence Collect vendor evidence Initiate vendor assessment schedule 33

33 Other Sessions/Labs where you can see DCS Monday May 5 Session Case Studies: Safeguarding Critical Business Data and Maintaining Compliance in the Modern Data Center Lab Optimize Security and Compliance Assessments with CCS Tues May 6 Session Best Practices in Virtualization & Cloud Security with Symantec Session Roadmap: The Evolution of Data Center Security, Risk and Compliance Lab Dissecting a Cyber Attack Using a Simulation Lab Enhancing Data Center Security with VMware NSX Lab 1283: How to Use CCS to Proactively Manage Risk Wed May 7 Lab Enhance Asset Discovery and SCAP 1.2 Compliance for Continuous Monitoring with CCS Standards Manager Thur May 8 Lab Implementing Data Center Security: Server and Server Advanced Lab Dissecting a Cyber Attack Using a Simulation Session Customer Deep Dive: Securing the Modern Data Center 34

34 Thank you! Copyright 2014 Symantec Corporation. All rights reserved. Symantec and the Symantec Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners. This document is provided for informational purposes only and is not intended as advertising. All warranties relating to the information in this document, either express or implied, are disclaimed to the maximum extent allowed by law. The information in this document is subject to change without notice. 35

35 Thank you! YOUR FEEDBACK IS VALUABLE TO US! Please take a few minutes to fill out the short session survey available on the mobile app the survey will be available shortly after the session ends. Watch for and complete the more extensive post-event survey that will arrive via a few days after the conference. To download the app, go to or search for Vision 2014 in the itunes or Android stores. 36