Best Practices in Virtualization & Cloud Security with Symantec DCS
Nathaphon K., Technical Consultant, Symantec Data Center Security
Would You Ever Leave Your Doors Unlocked?
Why are servers at risk?
- They contain valuable information
- They are always available
- They carry security vulnerabilities
- They suffer unauthorized configuration changes
- They are the target of insider abuse and targeted attacks
Sixty-seven percent of breaches (hacking) occur on servers, and ninety-four percent of stolen data is taken from servers.
Virtual & Physical Share Security Concerns
- Configuration hardening: hypervisor settings; server instance settings
- Access rights management: implement least-privilege access; prevent access escalation
But Virtual Introduces New Challenges
- Separation of instances on a shared host: threats jumping across instances; compliance and legal issues as workloads move across zones
- Limited logging and reporting: logging for failed actions; activity logging is not attributable
Effective Security Addresses Both Physical and Virtual
All four concerns have to be covered together: configuration hardening (hypervisor and server instance settings), access rights management (least-privilege access, no access escalation), separation of instances on a shared host (no cross-instance threats, no compliance gaps as workloads move across zones), and logging and reporting (failed actions logged, activity attributable).
NSX Extensibility: Partner Integration
The NSX API and NSX Controller expose the network gateway services and the network security platform; partner extensions plug in as security services and application delivery services.
Moving Forward: Software Defined Security
A competitor was the clear first mover in agentless 1.0 (vShield). Symantec leads with innovations and integrations with VMware for agentless 2.0 and the go-forward NSX platform for VMware's SDDC.
NAM FY15 SKO Pre-work Session
How do Symantec and VMware work together?
Components: Symantec Manager, VMware NSX Networking & Security, Symantec SVA (security virtual appliance), Endpoint Service, VMs grouped in a Security Group.
1. Import the OVA and register the AV security service
2. Publish a new Symantec AV security policy profile
3. Deploy the AV security service to the cluster
4. Create a new security policy (with AV)
5. Apply the security policy to a security group
6. Tag Networking & Security upon AV detection
Data Center Security: Server 6.0 (Agentless) Integrated Protection
- Natively integrated into the VMware NSX (vShield 2) platform
- Always-on, agentless, file-based antivirus protection
- Symantec reputation engine to prevent false positives (insight database of both good and bad files)
- Automatic, provisioning-free scale-out as the data center grows
- The underlying VMware technology provides Networking and Security extensibility
- Our security controls and policies integrate into the VMware fabric and the security partner ecosystem to support automated security enforcement and dynamic workflows
Symantec Global Intelligence Network (GIN): identifies more threats, takes action faster, and prevents impact
Centers: Calgary, Alberta; Dublin, Ireland; San Francisco, CA; Mountain View, CA; Culver City, CA; Austin, TX; Pune, India; Chengdu, China; Chennai, India; Taipei, Taiwan; Tokyo, Japan; new center in Singapore (available now, fast response)
- Worldwide coverage, global scope and scale, rapid detection, 24x7 event logging
- Attack activity: 240,000+ sensors in 200+ countries and territories
- Malware intelligence: 150M clients, servers and gateways monitored, global coverage
- Vulnerabilities: 35,000+ vulnerabilities across 11,000 vendors and 80,000 technologies
- Spam/phishing: 5M decoy accounts, 8B+ email messages/day, 1B+ web requests/day
- Outputs: preemptive security alerts, information protection, threat-triggered actions
SEP 12 Press Briefing
VMware vSphere Threats and What We Protect
Components: vCenter Server, vCenter database, vSphere Client, datastores, ESX/ESXi hosts, clusters, datacenter
Threats: rogue clients, client hijacking, disgruntled admins, misconfigurations, SSL certificate issues, malware, unauthorized access
Is signature-based protection enough to stop a zero-day attack?
Layers of defense: DCS user control, DCS firewall/application control, antimalware, network firewall/IPS
Why a pure SVA (agentless) solution is not enough
We need to stop internal and external attacks on servers:
- Monitor and lock down files and configurations
- Monitor and lock down application behaviors
- Prevent unauthorized executables
- Monitor access rights changes
- Monitor and prevent access changes
- Prevent inappropriate access
Attack paths shown against file, email, application, web, domain controller and database servers (source: NIST Guide to General Server Security):
- Malware installed to capture data and change configurations
- Application exploit attack to gain access
- Entry as an email attachment or file link
- Unauthorized server access
- Unauthorized changes to privileges and information
- Backdoor entry that enables unauthorized access
Agentless protection still needs VMware Tools installed in the guest OS, and VMware Tools cannot prevent attacks like these.
Critical System Protection Deep Dive
Where does a hacker break into your system, and how does Data Center Security: Server Advanced protect it?
- Registry: ensure registry integrity
- Config files: ensure file integrity
- Portable storage devices: prevent data leakage
- Applications: prevent targeted/advanced malware
- Memory: ensure memory protection
- Operating system: prevent rootkits
Symantec Server Protection Uncompromised at Black Hat Three Years in a Row: Proven Security at Capture the Flag Challenges
- Challenge: flags hidden across unpatched Windows and Linux systems; the main flag protected with the CSP core out-of-the-box prevention policy; 50+ skilled hackers/pen-testers from DoD, NSA, DISA, Anonymous, etc.
- Attack techniques: BackTrack 5 and custom tools used during penetration attempts; a zero-day attack was used and stopped on the protected system; a recompiled version of Flamer was stopped by the CSP out-of-the-box policy
- Outcome: no one was able to capture the flag, now three years in a row; the hackers said that had they known sandboxing was in use, it might not have been worth the time they put in
Data Center Security: Server Advanced 6.0: Scale Up Protection with the DCS Agent
Additional security on top of the included Data Center Security: Server
- Simplified server hardening: protection-strategy-based policy wizard (Whitelisting, Hardened, Basic); expert knowledge of server applications not required
- Application discovery and reputation: select application(s) and protection (sandbox)
- Out-of-the-box default sandboxes, plus application-centric sandboxes for common complex apps (domain controller, database, mail and web servers)
- Includes IPS and IDS functionality
Our agent has minimal overhead
- Typical CPU usage: 1-6%, depending on the policies used and the amount of I/O on the system
- Memory: Windows typically 25-40 MB; Unix typically 40-80 MB
- Disk space: a minimum of 100 MB; additional space may be used if agent log files are not purged periodically
Where is the system security industry going? Least Privilege Application Control (LPAC), also known as sandboxing
- Based on fundamental security principles and highly effective
- Proactive protection against malware, known and unknown
- The containment model limits the potential for exploitation
- Applicable to all environments and applications
- Dramatically improves security posture and reduces IT costs
Notable industry examples: Windows UAC, Google Chrome, Adobe Reader X, Android OS, SELinux
But OS-level sandboxes leave a security hole: the admin account.
Embedded Security: A View from Symantec
How does Server Advanced security work? Signature-less technology
Intrusion Detection
- Auditing & Alerting: monitor file integrity in real time for compliance; alert/notify for early response
- System Controls: lock down configuration settings; enforce security policy; restrict device access
Intrusion Prevention
- Network Protection: close back doors; limit connectivity by application; restrict traffic flow
- Exploit Prevention: prevent zero-day attacks; application whitelisting; de-escalate privileges, i.e. sandbox; restrict behaviors; buffer overflow protection
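The "monitor file integrity in real time" and "alert/notify" items above describe a file integrity monitor: take a baseline of protected paths, re-hash them later, and raise an attributable event for every change. The following is an added illustration written for this page, not Symantec or DCS code. Every path and file body in it is constructed for the demo, and the actor name passed to the alert is an assumption standing in for the identity the agent would record from the intercepted write.

```python
"""File integrity monitoring over a set of protected paths.

Added example modelled on the Intrusion Detection column of the slide above;
not Symantec code. All paths and contents below are constructed for the demo.
"""
import hashlib
import os
import tempfile


def file_sha256(path):
    """Hash a file in chunks so large binaries do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root, watched):
    """Return {relative_path: sha256} for every watched path that exists under root."""
    state = {}
    for rel in watched:
        full = os.path.join(root, rel)
        if os.path.isfile(full):
            state[rel] = file_sha256(full)
    return state


def compare(baseline, current):
    """Diff two snapshots into (path, change) events, sorted by path for stable output."""
    events = []
    for rel in sorted(set(baseline) | set(current)):
        old, new = baseline.get(rel), current.get(rel)
        if old is None:
            events.append((rel, "created"))
        elif new is None:
            events.append((rel, "deleted"))
        elif old != new:
            events.append((rel, "modified"))
    return events


def alert_lines(events, actor):
    """Render events the way an alert rule would, carrying the acting identity
    so the resulting log is attributable (the gap called out on the virtual
    challenges slide). `actor` is an assumed input here."""
    return [f"FIM {change.upper()} path={path} actor={actor}" for path, change in events]


# Constructed watch list: SSH daemon config, account database, a cron drop-in
# directory entry, and an application config file.
WATCHED = ["etc/ssh/sshd_config", "etc/passwd", "etc/cron.d/nightly", "opt/app/config.xml"]


def demo():
    """Build a throwaway tree, baseline it, simulate an intruder's changes, return the events."""
    root = tempfile.mkdtemp(prefix="fim-")

    def write(rel, text):
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as f:
            f.write(text)

    write("etc/ssh/sshd_config", "PermitRootLogin no\nPasswordAuthentication no\n")
    write("etc/passwd", "root:x:0:0:root:/root:/bin/bash\n")
    write("opt/app/config.xml", "<config><debug>false</debug></config>\n")
    baseline = snapshot(root, WATCHED)

    # Simulated attacker activity: weaken sshd, plant a cron job, delete the app config.
    write("etc/ssh/sshd_config", "PermitRootLogin yes\nPasswordAuthentication yes\n")
    write("etc/cron.d/nightly", "* * * * * root /tmp/.x/run.sh\n")
    os.remove(os.path.join(root, "opt/app/config.xml"))

    return compare(baseline, snapshot(root, WATCHED))


if __name__ == "__main__":
    for line in alert_lines(demo(), actor="svc_backup"):
        print(line)
```

A production agent intercepts the write itself rather than polling, which is what makes the event real-time and lets it record the process and user that made the change; the polling snapshot above is the offline-runnable stand-in for that hook.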
How does Data Center Security technically work? It is all about behavior.
Programs fall into two groups: services or daemons (DNS server, kernel RPC, etc.) and host interactive applications (Chrome, Outlook, CMD, etc.). Most programs require only a limited set of resources and access rights to perform their normal functions, but most programs hold privileges and resource rights far beyond what is required, and attacks readily exploit this gap.
DCS applies granular resource constraints: files, registry, network, file system and configuration information, devices, memory, usage of ports and devices, and process access control. Default containment jails exist for services and for interactive applications; a containment jail creates a sandbox for one or more programs (processes) using a policy that defines least-privilege controls, that is, the acceptable resource access behaviors.
Policy Strategy Selection with the policy wizard (increasing protection from Basic to Whitelisting)
- Whitelisting (maximize security): the user adds the application and its sandbox to the whitelist; default-deny security posture, applications not on the whitelist are not allowed to run
- Hardened (additional security): Symantec-defined sandboxes included in the policy for known applications; blocks software installation, protects DCS resources, protects OS resources, protects raw local disk, and protects application data by default
- Basic (minimize operational risk): Symantec-defined sandboxes included in the policy for known applications; blocks software installation and protects DCS resources by default
Reputation (from the Global Intelligence Network)
Data for the SDCS:SA reputation display is drawn from Symantec Insight's file-based reputation database and is provided for existing applications as: Trusted, Good, Unproven, Poor, Bad. If data is not available, Pending is displayed. Reputation is not available for custom applications defined by the user. Process reputation is displayed in the events under the Monitors tab.
Easy customization using Hash, Publisher and Signature Flags
New attributes that can be used to identify a process when creating or editing an application, or when creating or editing a sandbox rule:
- Hash: hash of the executable file on disk for a specific process; MD5 and SHA-256 are supported
- Publisher: name of the publisher (signer CN) in the digital certificate associated with the executable file
- Signature flags: digital-signature-related data, including OS Components, Microsoft Signed, Symantec Signed, Signed and Trusted, Interactive Process, Service Process
Extending Coverage to Broader Platforms: we can protect your virtual infrastructure along with your existing physical systems from one console
CSP also covers controller servers, kiosks/ATMs, SCADA systems, medical devices, thin clients, and point-of-sale/payment processors, with flexible licensing.
Advanced IT Analytics Reporting
- Multi-dimensional reporting
- Flexible ad-hoc/custom reporting
- Federated reporting across multiple siloed DCS deployments
Use case 1: domain controller prevention
The domain controller prevention features protect Active Directory (AD) data:
- File data: AD database files, log files, settings
- Registry data: Windows Server Active Directory service parameter settings for NTDS and NT File Replication Service (NTFRS)
Use case 2: database workload prevention
The database workload prevention features protect SQL Server data:
- File data: database and transaction log files, operations log files, backups, templates and other settings
- Registry data: service parameter settings for SQL Server and Oracle RDBMS
The policy enforces least-privilege access to the database data; no user configuration is required. Sandboxes requiring read or write access are granted access, and all others are denied any access.
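The containment model described on the "how does it technically work" slide, the three policy strategies of the policy wizard, process identification by hash or publisher, and the database use case just above all come down to one decision routine: identify the process, find its sandbox, and apply the sandbox's grants with default deny on protected resources. The block below is an added example written for this page and is not Symantec or DCS code; its file paths, sandbox names, process images and the "Example Backup Co" publisher are all constructed, and it uses SQL Server on Linux paths in place of the Windows files and registry keys the slide lists.

```python
"""Least-privilege containment ("sandbox") policy evaluation.

Added example modelled on the DCS description; not Symantec code. Every path,
hash, sandbox and publisher below is constructed for the demo.
"""
import hashlib
from fnmatch import fnmatch

# Resources protected in every strategy: database data, logs and config
# ("DCS/application resources") plus the software-installation directories.
BASE_PROTECTED = ["/var/opt/mssql/data/*", "/var/opt/mssql/log/*",
                  "/var/opt/mssql/mssql.conf", "/usr/bin/*", "/usr/sbin/*"]
# Hardened and Whitelisting additionally protect OS resources and raw disk.
OS_PROTECTED = ["/etc/*", "/boot/*", "/dev/sd*"]

# Per-sandbox grants: (path pattern, operations allowed). First match wins.
SANDBOXES = {
    "sql_server":   [("/var/opt/mssql/data/*", {"read", "write"}),
                     ("/var/opt/mssql/log/*", {"read", "write"}),
                     ("/var/opt/mssql/mssql.conf", {"read"})],
    "backup_agent": [("/var/opt/mssql/data/*", {"read"})],  # read the data, never write it
    "default":      [],  # unknown apps under Basic/Hardened: no grants on protected resources
}

# Constructed stand-ins for executables on disk; a real agent hashes the image file.
IMAGES = {
    "sqlservr":          b"\x7fELF constructed sqlservr image v1",
    "sqlservr_tampered": b"\x7fELF constructed sqlservr image v1 + patched",
    "backupd":           b"\x7fELF constructed backupd image",
    "cryptominer":       b"\x7fELF constructed unknown binary",
}


def sha256(data):
    return hashlib.sha256(data).hexdigest()


# Application definitions: one pinned by SHA-256 of its image, one by signer CN.
APPLICATIONS = [
    {"name": "sqlservr", "sha256": sha256(IMAGES["sqlservr"]), "sandbox": "sql_server"},
    {"name": "backupd", "publisher": "Example Backup Co", "sandbox": "backup_agent"},
]


def identify(image, publisher=None):
    """Match a process to an application by hash first, then by publisher; None if unknown."""
    digest = sha256(image)
    for app in APPLICATIONS:
        if app.get("sha256") == digest:
            return app
    if publisher:
        for app in APPLICATIONS:
            if app.get("publisher") == publisher:
                return app
    return None


def protected_set(strategy):
    extra = OS_PROTECTED if strategy in ("hardened", "whitelisting") else []
    return BASE_PROTECTED + extra


def evaluate(strategy, image, op, path, publisher=None):
    """Decide one access. strategy: 'whitelisting' | 'hardened' | 'basic'.
    op: 'read' | 'write' | 'exec'. Returns (verdict, reason)."""
    app = identify(image, publisher)
    if app is None:
        if strategy == "whitelisting":
            return "deny", "not on whitelist: execution blocked"
        sandbox, who = SANDBOXES["default"], "unknown process"
    else:
        sandbox, who = SANDBOXES[app["sandbox"]], app["name"]
    for pattern, ops in sandbox:
        if fnmatch(path, pattern):
            if op in ops:
                return "allow", f"{who}: granted by sandbox rule {pattern}"
            return "deny", f"{who}: rule {pattern} does not grant {op}"
    if any(fnmatch(path, p) for p in protected_set(strategy)):
        return "deny", f"{who}: protected resource with no grant (default deny)"
    return "allow", f"{who}: unprotected resource"


if __name__ == "__main__":
    checks = [("basic", "sqlservr", "write", "/var/opt/mssql/data/master.mdf", None),
              ("basic", "cryptominer", "write", "/var/opt/mssql/data/master.mdf", None),
              ("basic", "sqlservr_tampered", "write", "/var/opt/mssql/data/master.mdf", None),
              ("basic", "backupd", "write", "/var/opt/mssql/data/master.mdf", "Example Backup Co"),
              ("hardened", "cryptominer", "write", "/etc/crontab", None),
              ("whitelisting", "cryptominer", "read", "/tmp/scratch", None)]
    for strategy, name, op, path, pub in checks:
        print(strategy, name, op, path, "->", evaluate(strategy, IMAGES[name], op, path, pub))
```

Two behaviours are worth noticing. A tampered copy of sqlservr no longer matches its hash, so it loses the SQL Server sandbox and is treated as an unknown process, which is exactly why hash-pinned identification is stronger than matching by file name. And the Basic strategy lets an unknown binary write to /etc while Hardened blocks it, which is the operational-risk trade-off the policy wizard is asking the administrator to choose.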
Use case 3: PCI standard compliance / admin abuse prevention
- Secure: network protection (server host firewall); system and application exploit prevention and system controls
- Monitor: system and application event and text log monitoring; system and application file, configuration and registry monitoring
- Respond: block changes from unauthorized users/apps; run actions in response to events
Host-based real-time prevention and detection with broad OS and application coverage.
SCSP Product Overview
Use case 4: VMware ESX / Hyper-V protection
- VMware: agentless (SVA, essential security) plus agent (VM advanced security)
- Hyper-V: agent protection
Result: a hardened virtual infrastructure.
Use case 5: POS / kiosk / ATM system protection
These systems contain valuable cardholder data, allow unauthorized applications to be installed, carry security vulnerabilities, are targets of insider abuse and attacks, and leak data through removable media. Eighty-five percent of breaches in 2011 involved POS terminals and servers, and ninety-seven percent of stolen data is taken from servers.
Use case 6: patch mitigations
Use case 7: zero-day / targeted attack protection
Enforce least-privilege access to the critical data: sandboxes requiring read or write access are granted access, and all others are denied any access.
License
The title on the management console will always be Symantec Data Center Security: Server regardless of the offering.

Product           | HIDS/HIPS (Client) | HIDS/HIPS (Server) | HIDS/HIPS (vSphere) | Agentless AV
SCSP v5.2.x       | X                  | X                  | X                   |
SDCS:S v6.0       |                    |                    | X                   | X
SDCS:SA v6.0      | X                  | X                  | X                   | X
SCSP Client v6.0  | X                  |                    |                     |
Robust Security for the Data Centre
- CCS Assessment Manager: assess people and processes
- CCS Dashboard & Reports: single pane of glass on security posture
- CCS Vulnerability Manager: scan physical and virtual environments for vulnerabilities without an agent
- CCS Standards Manager: evaluate systems against international or customized benchmarks; evaluate ESX against the CIS hardening benchmark
- CCS Virtual Security Manager: control and monitor VMware administrative, access and configuration workflow; harden vCenter based on VMware hardening guidelines
- Critical System Protection: harden and protect guest VMs (VM1, VM2, VM3) with the same protection policies as physical servers; monitor and protect hypervisor (ESX/ESXi, vCenter) configuration; harden and protect systems from harm
Actors: the security admin and the VMware admins, across virtual and physical.
Summary
- Policy-based approach plus admin control
- Broad cross-platform coverage with a single console
- Minimal system performance overhead
- Comprehensive out-of-the-box policies and templates
- Elevates from reactive to comprehensive proactive protection
Symantec Solutions: policy, compliance, identity, remediation, reporting, classification, threats, encryption, ownership, discovery