White Paper The Dynamic Nature of Virtualization Security

Transcription

1 White Paper The Dynamic Nature of Virtualization Security The need for real-time vulnerability management and risk assessment

2 Introduction Virtualization is radically shifting how enterprises deploy, deliver, and manage applications and data. It offers tremendous benefits for business efficiency and agility: resource consolidation for controlling costs, greater scalability and higher utilization of existing assets and applications, and flexibility for adapting assets to meet current business demands. Forrester asserts: Virtualization is the norm; deploying a physical server is the exception. It found that server virtualization is nearly ubiquitous, that 85 percent of organizations have adopted or are planning to adopt x86 server virtualization, and that 79 percent of firms have or are planning to institute a virtualization first policy. By 2014, Forrester predicts that 75 percent of all servers will be virtualized. ( The CISO s Guide to Virtualization Security, by Rick Holland, et al., Forrester Research, Inc., January 12, 2012.) Similarly, Information Week reports that adoption of server virtualization has grown to 97 percent in survey-respondent data centers. It also reports similar adoption rates in storage virtualization (86 percent), application virtualization (88 percent), and desktop virtualization (76 percent). ( Next-Generation VM Security, by Kurt Marko, Information Week reports, June 2012). As more enterprises virtualize their infrastructures, they also face new threat vectors. In the rush to virtualize applications and other assets and realize the fiscal and management benefits of virtualization, IT managers must continue to protect IT infrastructures from hacking incidents, inadvertent insider damage, and malware attacks. Servers, applications, networks, and end-user devices are becoming dynamic and unpredictable. Virtualized assets are susceptible to the same threats and vulnerabilities as traditional assets but traditional security devices offer limited visibility into virtualized environments, where assets and their security postures are constantly changing. Incidents in virtualized servers can escalate rapidly and cause considerable damage. Determining the risk level associated with a given vulnerability remains vital to prioritizing mitigation tasks. The cornerstones of a proactive security strategy are vulnerability management and risk assessment. However, traditional scan-and-patch vulnerability scanning approaches are inadequate for dynamic, virtualized environments. Traditional scanners cannot track changes in real time, so they cannot accurately measure constantly changing risks. Anyone charged with securing IT assets needs to understand the dynamic security risks inherent to virtualized environments, and more importantly, what to do to mitigate those risks. With security infrastructures lagging behind virtualization adoption, a vulnerability management solution that provides immediate risk assessment plays a critical role in helping security managers protect virtualized assets and data. Forrester recommends: You must extend your vulnerability management program into your virtual environment. Server hardening, including patch management and configuration management, is a core element of vulnerability management. A number of good resources are available to assist you with hardening your virtual servers. You must also ensure that you are conducting regular vulnerability assessments, including scanning and penetration testing, of the environment. You should include virtualization-specific penetration tests to validate the hardening and security controls of the environment. (Forrester, Ibid., p. 9) Scheduled scans remain useful in virtualized environments, but the dynamic character of virtualization presents new kinds of risk. The constantly fluctuating environment requires continuous and comprehensive security monitoring to detect changes as they happen.

3 The vulnerability management solution should include these capabilities: Deployable as a virtual machine (VM) Discover and scan VMs as they spin up and down for vulnerabilities and misconfigurations. Detect snapshot rollbacks and scan after restores Track asset migrations and proactively monitor their security postures To better understand the need for these capabilities, consider the challenges and solutions below. Challenge: On or Off? Virtual machines spin up and down all day long. Some VMs may activate many times a day, while others may spin up once a month. An IT administrator can provision, operate, and delete a VM before a traditional vulnerability scanner can check it for vulnerabilities. Periodic scans assign inactive VMs a risk score of 0. There s inherent risk if that potentially-vulnerable VM spins up again before the next periodic scan kicks off. Solution: Automated Discovery and Scanning Security managers need to know when VMs become active, so they have the option to scan them immediately and assess their risk levels. Without requiring operator intervention, the vulnerability management solution should be able to interact with the hypervisor to detect VMs as they come online and maintain an accurate database of discovered resources. More importantly, a security manager should have the option to configure the vulnerability management solution to automatically scan critical resources when they spin up and issue a scan report upon completion. Challenge: Snapshot Rollbacks Storage snapshots are a valuable data protection capability. However, a rollback or restore may expose a VM, and the system it resides upon, to a previously fixed vulnerability. For example, rollbacks may revert a VM to an older software version that needs critical patching. A periodic scan may not discover this exposure for days or weeks. Another scenario is a rollback reinstates a configuration error or other vulnerability that is exploitable by malware, and a malware attack may have caused the crash. Solution: Rollback Detection and Automated Scanning If the vulnerability management solution is in communication with the hypervisor, it should be able to detect rollbacks and restores and send an alert to the management console. The security manager should have the option to configure the vulnerability management solution to automatically scan assets after a rollback or restore and issue a scan report upon completion. For example, such scans can immediately verify that software versions remain compliant with policies after a rollback, or expose the exploitable errors or vulnerabilities and allow security managers to mitigate them.

4 Challenge: Virtual Machine Migration Live migrations of VMs to other hosts, using features such as VMware vmotion, helps server managers adjust server utilization and maintain performance levels without service interruption. Migrations may be a proactive management task, but more often they occur as a result of a catastrophic failure. Some failures, such as loss of an asset pool, can trigger migrations to another asset pool or even to another site. The security manager needs visibility to track migrations as they happen, verifying that security posture of migrated assets does not change. Solution: Automated Scanning Vulnerability assessments can help security managers determine the cause and type of such a failure. They need visibility not only within an asset pool or site, but among multiple pools or sites in the case of co-located or distributed data centers. The hypervisor detects the migration, and the vulnerability management solution should recognize it and send an alert to the security manager. Again, the security manager should have the option to configure the vulnerability management software to automatically scan migrated assets and issue a scan report upon completion. What About Hypervisor Security? A 2009 IBM report suggested that the hypervisor platform contained dozens of vulnerabilities. This report sparked industry discussions that securing a virtualized environment presents a new set of risks, but emphasized securing the hypervisor itself. Hypervisor vulnerabilities are static. Conventional scanners can identify these vulnerabilities, and administrators can remediate them using conventional scan-and-patch processes. The IBM study failed to address the dynamic nature of the entire virtualized infrastructure. There is general agreement that the hypervisor is an ideal location to deploy security solutions such as anti-malware systems. That said, in a 2011 report, Forrester addressed the security of the hypervisor and concluded that it introduces some marginal risk to the server environment but that concerns are largely overblown. (Forrester, Ibid., p. 6.) Solution: Rapid7 Security Risk Intelligence Rapid7 Security Risk Intelligence is a data-driven approach to risk assessment and vulnerability management that weighs the value of data sets when measuring risk. Rapid7 offers a powerful combination of innovative vulnerability management and penetration testing solutions along with deep security expertise to identify and prioritize the dynamic security risks of virtualized environments. Rapid7 Nexpose is the industry s first vulnerability management solution with capabilities, such as Continuous Discovery, designed specifically for virtualized environments. Working closely with VMware, Rapid7 continues to add virtualization-specific capabilities into Nexpose, its vulnerability management and risk-assessment solution. Nexpose is the only third party vulnerability management solution included in the VMware security reference architecture. Additionally, Rapid7 Metasploit can be used in conjunction with Nexpose to validate risk in IT environments based on actual exploitability of vulnerabilities, both in physical and in virtual environments.

5 How Rapid7 Can Help Rapid7 is a leader in security risk intelligence that can help you gain valuable insight into your security posture, through both products and services. Headquartered in Boston, MA, Rapid7 was founded in In response to the increasing security threat environment, the company developed its award-winning vulnerability management solution Nexpose. In 2009, Rapid7 acquired Metasploit, the leading penetration testing platform with the world s largest quality assured exploit database. The combination of both products has resulted in the company s integrated security risk intelligence portfolio, designed to provide organizations with unique insight into their threat and risk posture. Rapid7 also has a professional services unit that conducts product deployments and trainings as well as security assessments. If you have questions on how you could improve your organization s security posture, would like to evaluate Rapid7 s vulnerability management or penetration testing products, or would like to talk to Rapid7 s professional services team, please contact Rapid7 at info@rapid7.com, call , or visit