Sponsored by McAfee

Securing Data Center Servers: Review of McAfee Data Center Security Suite Products

August 2012

A SANS Whitepaper
Written by: Jim D. Hietala

Bull's-eye on Servers - Page 2
Products Reviewed - Page 4
Herding Elephants: Integration and Central Reporting - Page 7
Product Review - Page 11
Introduction

In today's threat landscape, protecting servers and information assets in the data center is critical. In addition, with the rapid adoption of virtualization technologies, enterprises must apply traditional security controls, as well as brand new ones, to very different virtualized server environments.

Security for server environments has evolved over the past few years. Security technologies have typically emerged as new point solutions that address specific vulnerabilities. In the present, dynamic threat world, it is no longer acceptable to leave gaps and disconnects between security policies and the configurations of multiple point solutions. Similarly, centralizing event information from these different server security technologies makes sense.

This paper explores threats to data center servers, along with the key security controls required to effectively protect them, and reviews how the McAfee portfolio of server products aligns with these controls. The products contain many important components of server security to protect database, file and storage servers, where most intellectual property and regulated data types are stored. During our evaluation, the various security components we reviewed performed as advertised (see Table 1).

Table 1: Overall Report Card: McAfee Server Security

Category | Products | Score
Managing Server Vulnerabilities | Virtual Patching for Databases, Vulnerability Manager for Databases | B
Antimalware | VirusScan Enterprise, MOVE AV | B
Other Server Security Controls | Application Control, Database Activity Monitoring, Global Threat Intelligence | B
Central Management | ePolicy Orchestrator, SIEM | A
Integration with ePO | Virtual Patching for Databases, Vulnerability Manager for Databases, Application Control, Database Activity Monitoring, Global Threat Intelligence, SIEM | B

SANS Analyst Program 1 - Securing Data Center Servers: Review of McAfee Data Center Security Suite Products
Bull's-eye on Servers

Attackers target data center servers because of the highly valuable data they contain: intellectual property (IP), customer lists and private regulated data, including account numbers and credit card details, are all generally stored and processed on servers. Of the 855 data breaches analyzed in the 2012 Verizon Data Breach Investigations Report [1], four of the five most common categories of threat events were directed at servers. Many other findings from the Verizon report touch on server security, as described in Table 2.

Table 2: Attacks on Data Center Servers, Compiled from the Verizon Data Breach Report (www.verizonbusiness.com/resources/reports/rp_data-breach-investigations-report-2012_en_xg.pdf)

Verizon Key Finding | Server Security Requirements
Of breaches, 95% resulted in malware being installed by the remote attacker. | This finding heightens the importance of malware prevention security controls of various types, including antivirus, application control and whitelisting.
The four most commonly found functions in malware are: keystroke logging (66%); sending data to external locations (43%); backdoors (29%); disabling or interfering with security controls (26%). | Configuration management and application control/whitelisting to prevent keystroke-capturing malware from being installed; monitoring outbound traffic flows for data leakage, which should include the ability to decrypt packets; detection of anomalous behavior; configuration management, change control and monitoring of security events.
In 85% of cases, the time between initial attack and initial compromise was minutes or less. | Implement rapid, effective patch management to prevent intrusions, and act on threat intelligence as it relates to the organization's environment.
In 60% of cases, data was exfiltrated in hours or less. In the remaining cases, data exfiltration took days or more. | Behavior-based detective controls should detect unusual movements of data, alert to issues, and provide the means to deeply inspect content and to-and-from data when exfiltration is assumed.
From initial compromise to discovery of a breach, the time span was hours in 2% of cases, days in 13%, weeks in 29% and months or years in 56%. | Audit logs and SIEMs with rapid incident response are necessary to defend against the threat and to react quickly to attempted intrusions.

[1] Verizon 2012 Data Breach Investigations Report, www.verizonbusiness.com/resources/reports/rp_data-breach-investigations-report-2012_en_xg.pdf
In other words, security managers must deploy various technologies to securely provision servers, manage vulnerabilities over time, protect access to information, rapidly identify threats as they appear and improve network security operations, as shown in Figure 1.

Figure 1: Server Protections (server security control categories)
- System Configuration: system configuration management, patch management, change control
- Malware & Vulnerabilities: antimalware, vulnerability management
- Other Security Controls: threat intelligence, application protection, database activity monitoring, file integrity & change control, host intrusion prevention
- Security Management: security policy management, SIEM

McAfee's Data Center Security Suites cover all of these server control areas, which are discussed in the following sections.
Products Reviewed

The entire server security lineup from McAfee consists of a wide range of individual products addressing these server security components. The system provides detailed information in each category it services, which feeds into the products' global threat intelligence and Security Information and Event Management (SIEM) system for correlation and analysis. The tools correlate enough information to analyze attacks against vulnerability and system information for auditing, incident response and, ultimately, overall system improvement.

McAfee's server security tools include the following, among others. The items on this list, except for the last three, are the subjects of this functional review:

- Application Control: In many data center server environments, application whitelisting is an effective supplement to signature-based antimalware. McAfee Application Control provides whitelisting for servers. Whitelisting is one of the technologies specified in SANS Critical Control 2, Inventory of Authorized and Unauthorized Software.
- VirusScan Enterprise: Signature-based antimalware software remains a basic security best practice, and compliance mandates such as the Payment Card Industry Data Security Standard (PCI DSS) specifically require antivirus protections. Antimalware control is one of the SANS 20 Critical Security Controls. VirusScan Enterprise is McAfee's antimalware solution for physical data center servers.
- MOVE AV: For virtual servers, a different approach to antimalware protection is required to avoid adverse effects on performance. MOVE AV is McAfee's virtual server antimalware solution.
- Database Activity Monitoring (DAM): To protect database servers, database activity monitoring technologies can spot intrusion attempts in real time and can block attacks that attempt to violate security policy in real time. SANS Critical Control 16, Account Monitoring and Control, involves monitoring accounts and access attempts, including those for key systems such as databases. Database Activity Monitoring is McAfee's DAM product offering.
- Virtual Patching for Databases: Patching critical databases is important to security, but operational considerations can get in the way of timely application of vendor patches. McAfee's solution to this is Virtual Patching for Databases (formerly vPatch), which allows virtual patches to be applied without taking production databases offline. Patching is an important component of SANS Critical Control 4, Continuous Vulnerability Assessment and Remediation.
- Database Vulnerability Monitoring: Finding and fixing vulnerabilities in databases is important to data center server security; it is also a part of SANS Critical Control 4. McAfee's Database Vulnerability Monitoring provides this capability.
- ePolicy Orchestrator (ePO): McAfee's ePO provides a centralized view into many management functions across all of the products reviewed for this paper. Visibility into which McAfee products are installed, at what version level, and which operating system (OS) version is in place, including patch and service pack identification, is available through ePO.
- SIEM: SIEM systems are important tools for addressing SANS Critical Control 14, Maintenance, Monitoring and Analysis of Audit Logs. SIEM systems collect security events from across the IT environment. Audit logging and SIEM capabilities are foundational to SANS Critical Control 18, Incident Response Capability. The McAfee SIEM product combines feeds from Global Threat Intelligence (GTI), network discovery and other inputs to provide security situational awareness.
- GTI: Threat intelligence combines visibility into new vulnerabilities and specific threats with actual system inventory information used to identify high-risk systems requiring immediate mitigation. McAfee's GTI product uses threat research inputs collected from its customer base to help experts make more informed security decisions.
- Change Control: Managing changes to server system configurations is fundamental to security and is a requirement of PCI DSS; it is also part of SANS Critical Control 3, Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers (which encompasses secure configurations and change management). McAfee Change Control provides this capability for data center servers.
- E-mail Security: E-mail servers require signature-based agents to detect and deal with viruses, worms and malicious files and programs. McAfee's Email Security provides this function for e-mail servers.
- Security for Microsoft SharePoint: Collaboration platforms such as SharePoint require malware protection that can examine the files stored in their data repositories. McAfee Security for Microsoft SharePoint provides antimalware capabilities for SharePoint.

McAfee bundles these products into several distinct suites aimed at different server security environments:

- McAfee Data Center Security Suite for Database, including Database Activity Monitor and Database Vulnerability Manager
- McAfee Data Center Security Suite for Server, including Application Control Server, VirusScan Enterprise, VirusScan Enterprise-Linux Server, MOVE AVDI and ePolicy Orchestrator
- McAfee Data Center Security Suite for Server Hypervisor Edition, including Application Control Server, VirusScan Enterprise, VirusScan Enterprise-Linux Server, MOVE AVDI and ePolicy Orchestrator
- McAfee Data Center Security Suite for Virtual Desktop Infrastructure, including Application Control Desktop, VirusScan Enterprise, VirusScan Enterprise-Linux Desktop, MOVE AVDI and ePolicy Orchestrator
In this functional review, we pay particular attention to McAfee's security for applications, databases, file and storage servers. The setup environment for the products was a mix of physical and virtual servers, which included multiple instances of Windows 2008 Server and a mix of workstations running Windows 7 and XP. An instance of ePolicy Orchestrator provided configuration control over, and visibility into, the systems in the test environment and the security products installed on each. McAfee Vulnerability Manager for Databases (v4.5) ran on a Microsoft SQL Server 2008 R2 installation (v10.50.1600.1). Various workstations had McAfee ePO agent software, VirusScan Enterprise, Change Control and Application Control installed. The McAfee ePO agent software delivers many of the capabilities described in the individual products to client workstations and servers.
Herding Elephants: Integration and Central Reporting

One of the most important takeaways from this review is the value of having all of these security technologies managed by a single system, such as ePO. This hits home when reporting incident activity across multiple systems to provide accurate visibility into events and risk. By leveraging the data generated by the various products, ePO provides real-time risk status for each system.

To obtain relevant and actionable information about risks, the security analyst needs to know each system's OS, installed applications and versions, patches installed (or not yet installed), the status of any countermeasures for each specific threat on each system, and the severity of the threat or specific risk. Pulling this information together from disparate point systems would be frustrating at best. On the other hand, ePO does the hard work for the security analyst by consolidating this information from the different products in the suite. McAfee ePO includes functionality and a set of built-in reports (from McAfee Risk Advisor) that assign risk scores to assets in the network, as shown in Figure 2.

Figure 2: ePO Risk Dashboard
By pulling all this information together, ePO gives security analysts a leg up by reducing the barrage of alerts and organizing the data as actionable and coherent event information. After configuring the various components in our review environment, ePO distilled the findings down into a list of the top ten assets, ranked by risk, showing where we needed to focus attention to fix things and reduce risk in the environment.

For example, during our testing, ePO identified a specific threat (from MS09-001, SMB Buffer Overflow) and showed that 76 systems in the test environment were at risk, requiring a patch to remediate this vulnerability. McAfee ePO also provided detail on the patch history for this vulnerability from the vendor, as well as a link to the original security bulletin announcing the vulnerability. In addition, McAfee ePO provided information on available countermeasures for the vulnerability from McAfee products, with notes about coverage. The built-in dashboards and reports were easy to access and let us quickly identify such key concerns as which systems are unpatched and which are the top specific threats by risk score in the network, as shown in Figure 3.

Figure 3: ePO Report Showing Which Systems Are at Risk
McAfee ePO organizes the dashboards into a number of logical groupings, including risks, threats, compliance, patch status and security bulletins. From any of the dashboards, a single click drills down on any asset to determine, for example, why a particular system had the highest risk score. Drilling down on assets produced a couple of useful charts showing how the asset is at risk and what action to take to reduce or eliminate the risks, as shown in Figure 4.

Figure 4: ePO Drill-Down Report for a Specific Threat on a Specific System
Another standout feature is how the McAfee agents listen for new systems on the local subnet and report back to ePO on any rogue (previously unknown) systems detected. This provides security operations staff with an early heads-up on new systems being introduced into the data center. McAfee ePO provides several reports describing data collected on rogue systems in the environment.

Another system, McAfee Application Control, includes the option of creating whitelists. Combined with system discovery and baselining, whitelists can intelligently protect the network from unknown malicious applications simply by not allowing anything beyond the approved baseline applications to run. In this review, McAfee Application Control proved to be highly configurable, allowing us to easily create rules limiting application execution to only authorized applications. On a database server, it was simple to establish a whitelist policy authorizing MS SQL and related installer and update applications to run. This, in effect, creates a deny-by-default posture for all other applications on the database server.

Overall, the McAfee server security solutions provide a comprehensive approach to securing data center servers, including change and patch management, antivirus, application control, vulnerability management, threat intelligence and database activity monitoring. With these technologies, security managers can secure a wide range of data center computing servers, including web servers, application servers, database servers, mail servers and SharePoint servers. In the next section, we go over features and functions to show how McAfee server protection comes together to create the level of visibility and context around servers and their applications that organizations critically need for audit and protection.
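The deny-by-default whitelist policy described above, as an added illustration that is not McAfee code: a simplified model of the three rule types the review mentions (specific pinned binaries, trusted product directories, and trusted installers/updaters that may introduce new executables). The SQL Server paths, file contents and program names are constructed assumptions, and hashes stand in for whatever identification a real product uses.

```python
"""Simplified deny-by-default application whitelist for a database server.
Added example, not McAfee Application Control's implementation. All paths,
file contents and program names below are constructed for illustration."""
import hashlib
import ntpath
from dataclasses import dataclass, field

SQL_DIR = r"C:\Program Files\Microsoft SQL Server"          # constructed install root
SQLSERVR = SQL_DIR + r"\MSSQL10_50.MSSQLSERVER\MSSQL\Binn\sqlservr.exe"
SQLSERVR_BYTES = b"constructed contents of sqlservr.exe"


def sha256(data):
    return hashlib.sha256(data).hexdigest()


def norm(path):
    # Windows-style, case-insensitive path comparison regardless of the host OS
    return ntpath.normcase(ntpath.normpath(path))


@dataclass
class WhitelistPolicy:
    pinned: dict                 # normalised path -> expected SHA-256 (specific binaries)
    trusted_dirs: list           # directories whose executables are trusted wholesale
    updaters: set                # program names allowed to introduce new executables
    learned: dict = field(default_factory=dict)   # path -> hash of files written by updaters

    def in_trusted_dir(self, path):
        p = norm(path)
        return any(p.startswith(norm(d).rstrip(ntpath.sep) + ntpath.sep) for d in self.trusted_dirs)

    def decide(self, path, content):
        """Return (allowed, reason) for an attempt to execute `path` whose bytes are `content`."""
        p, digest = norm(path), sha256(content)
        if p in self.pinned:
            ok = self.pinned[p] == digest
            return ok, "pinned binary, hash matches" if ok else "pinned binary, hash mismatch"
        if p in self.learned:
            ok = self.learned[p] == digest
            return ok, "introduced by trusted updater" if ok else "changed since updater wrote it"
        if self.in_trusted_dir(p):
            return True, "inside trusted directory"
        return False, "not whitelisted (deny by default)"

    def record_write(self, writer, path, content):
        """Model a file write. Only writes by a trusted updater extend the whitelist."""
        if writer in self.updaters:
            self.learned[norm(path)] = sha256(content)
            return True
        return False


def build_policy():
    return WhitelistPolicy(
        pinned={norm(SQLSERVR): sha256(SQLSERVR_BYTES)},
        trusted_dirs=[SQL_DIR],
        updaters={"msiexec.exe"},
    )


def demo():
    """Walk through the typical cases on a database server; returns {case: allowed}."""
    policy = build_policy()
    out = {}
    out["sqlservr"] = policy.decide(SQLSERVR, SQLSERVR_BYTES)[0]
    # same path, different contents: a modified or unapproved build of the pinned binary
    out["sqlservr_modified"] = policy.decide(SQLSERVR.upper(), b"modified contents")[0]
    out["sqlagent_in_tree"] = policy.decide(SQL_DIR + r"\MSSQL10_50.MSSQLSERVER\MSSQL\Binn\SQLAGENT.EXE", b"agent")[0]
    out["unknown_in_public"] = policy.decide(r"C:\Users\Public\unknown-tool.exe", b"whatever")[0]
    # a trusted installer drops a new helper: it becomes allowed at the written content only
    policy.record_write("msiexec.exe", r"C:\Windows\Temp\sqlhotfix-helper.exe", b"helper v1")
    out["updater_installed"] = policy.decide(r"C:\Windows\Temp\sqlhotfix-helper.exe", b"helper v1")[0]
    out["updater_installed_then_modified"] = policy.decide(r"C:\Windows\Temp\sqlhotfix-helper.exe", b"helper v2")[0]
    # a write by a non-updater process does not extend the whitelist
    policy.record_write("notepad.exe", r"C:\Users\Public\dropped.exe", b"dropped")
    out["non_updater_write"] = policy.decide(r"C:\Users\Public\dropped.exe", b"dropped")[0]
    return out


if __name__ == "__main__":
    for case, allowed in demo().items():
        print(f"{case:32s} {'ALLOW' if allowed else 'DENY'}")
```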
Product Review

From a security management standpoint, McAfee ePO brings together a full complement of server security products under a common policy management platform. As well as the products listed in Table 2, ePO's coverage includes McAfee Security for Email Servers, McAfee Change Control and McAfee Security for Microsoft SharePoint, which were not included in this review.

Table 3: McAfee Product Review Details

Control/Feature: Antimalware, scanning for known malware; controls to manage physical and virtual server environments
Priority: High
Reviewer Observation/Comments: Reviewing this capability encompassed several McAfee products. Test scans were performed across a mixed server population of ten servers with McAfee VirusScan Enterprise, which is used to protect physical servers. VirusScan Enterprise is highly configurable in terms of scan settings and actions (including cleaning or quarantining). Testing used MOVE AV for securing virtual servers. Traditional antimalware products used in virtual environments can cause load and performance issues at system startup. McAfee MOVE AV offloads virus scanning to a virtual appliance for better overall performance across the virtual server farm. Configuring MOVE AV involved identifying the primary and secondary MOVE AV servers, specifying when scan actions should occur (for example, when writing to or reading from disk), the actions to take when a threat occurs, and the quarantine policy.

Control/Feature: Application whitelisting identifies approved applications and disallows applications that are not on the approved list; convenience of centralized rule formation and deployment
Priority: High
Reviewer Observation/Comments: McAfee Application Control provides whitelisting control to allow authorized applications and prevent unauthorized applications from installing or running. Application Control allows collections of applications to be developed and saved in rule groups and then easily deployed across similar systems in the network. In this review, the degree to which the product could be configured to lock down server application execution was excellent. Highly granular controls for whitelisting applications are provided, including identification of the specific binaries, installers and updaters related to each product, as well as trusted directories for the product.

Control/Feature: Automated patch management for databases (critical for attack prevention, remediation and audit, and saves bottlenecks in testing/system downtime)
Priority: High
Reviewer Observation/Comments: Patching takes time to test and certify, which leaves gaps for attackers to exploit. McAfee's Virtual Patching for Databases addresses this problem by allowing virtual patches to be easily and dynamically applied against database vulnerabilities. It reports to ePO on database security status, but because it is not yet fully integrated with ePO, it was not part of our evaluation.

Control/Feature: Database activity monitoring (detects internal/external SQL and other attacks, and enforces separation of duties)
Priority: Medium
Reviewer Observation/Comments: McAfee Database Activity Monitoring tracks all database access to detect attacks and log access events. For example, in our review, DAM provided reports to detect (and log) system administrators accessing data in databases directly (i.e., bypassing applications), which could be an indicator of a threat event.

Control/Feature: Manages vulnerabilities in databases, files and storage systems (protects against threats and sets system baselines)
Priority: Medium
Reviewer Observation/Comments: McAfee Vulnerability Manager for Databases discovers databases on the network, performs scans of popular databases, determines patch levels and identifies vulnerabilities. The scan output prioritizes the identified vulnerabilities by severity. Vulnerability Manager for Databases presently reports to ePO on database security posture; however, it has a separate console for management and cannot be configured from ePO. We did not include this in our evaluation.

Control/Feature: Threat intelligence for visibility into new threats as they emerge (provides situational awareness and correlation to locate and report on risk in IT systems, as well as ranking based upon the threat, system patch status and existence of mitigating controls)
Priority: High
Reviewer Observation/Comments: Extending McAfee Threat Intelligence through a corporate network requires use of the GTI Proxy and a plug-in to the McAfee agent software. With these pieces in place, servers can leverage file and network reputation risk information developed by McAfee's global threat research services to make better security decisions in real time. This capability can shorten the time to react to new threats by leveraging security research and actual threat observations happening on a global basis and by mapping these threats quickly onto observations being captured in the enterprise network. Recent malware events, including Flame, where the malware was hidden for a long period of time, underscore why threat intelligence is essential. GTI provides much of the detail around specific threats described in ePO, including when the threat was first created in McAfee Labs, and vendor recommendations on patches/fixes. We did not include this in our evaluation.

Control/Feature: Central management and reporting (provides full view of policy configurations)
Priority: Medium
Reviewer Observation/Comments: Testing the central management capability of McAfee ePolicy Orchestrator involved using ePO to configure the various security software products used in this review, evaluate the data produced by them and produce dashboards and reports. McAfee ePO brings these disparate products and technologies together in a unified console in a logical way. Using ePO for configuration and reporting was very straightforward in our mixed review environment. Key menu views provided by ePO included a system tree, policy configuration, queries and reports, and dashboards. An extensive library of dashboards and prebuilt reports comes with ePO. It was simple to create custom queries and to export data and perform log and report analysis in other applications. A sample query created and run in testing had ePO report on the number of AV engines in the test environment that were at the latest version (8.8). For those systems, ePO also showed us how many were using the latest virus definition (or DAT) file, and how many were using an older DAT file. This query showed that out of 221 total systems, 27 were using the latest DAT file and 194 were using an older version.

Control/Feature: Security information and event management (integrates event information from various logs and systems; key capabilities include speedy collection and processing from distributed collectors, and correlation and ranking)
Priority: High
Reviewer Observation/Comments: Security information and event management is done by McAfee's Enterprise Security Manager (ESM) software. The critical requirements for SIEM platforms revolve around distributed architectures and throughput. Extremely fast collection and processing of event information is critical due to the staggering number of events produced by security sensors and log systems. The system architecture must use distributed event collection to support the required event volumes. ESM's system architecture uses distributed collectors to boost overall throughput and correlates security events with the threat intelligence product and with risk scores, which highlights for security managers the highest-concern events occurring across the network. ESM, which is being integrated with the NitroSecurity SIEM acquired by McAfee in November 2011, was not included in this review.
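The DAM use case in Table 3 (privileged users reading data directly instead of through the application) as an added example of the detection logic a database activity monitor applies; this is not McAfee DAM's code. The audit-event fields, logins, host names, table names and the "approved application path" policy are constructed assumptions.

```python
"""Detection rule for direct database access that bypasses the application tier.
Added example, not McAfee Database Activity Monitoring's implementation.
All events, logins, hosts and table names are constructed for illustration."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class DbEvent:
    login: str
    server_role: str     # e.g. "sysadmin" or "public"
    app_name: str        # client program name reported by the session (assumed field)
    client_host: str
    statement: str


# Constructed policy: the only sanctioned path to customer data is the application's
# service account, connecting from the application tier under its own program name.
APPROVED_APP = {"login": "svc_orders_app", "app_name": "OrdersWeb", "hosts": {"app01", "app02"}}
SENSITIVE_TABLES = {"dbo.customers", "dbo.payment_cards"}

DML = re.compile(r"^\s*(select|insert|update|delete|merge)\b", re.IGNORECASE)
TABLE_REF = re.compile(r"\b(?:from|into|update|join)\s+([\w\.\[\]]+)", re.IGNORECASE)


def touched_sensitive_tables(statement):
    """Sensitive tables referenced by a statement (bracket-quoted names are normalised)."""
    refs = {t.replace("[", "").replace("]", "").lower() for t in TABLE_REF.findall(statement)}
    return refs & SENSITIVE_TABLES


def classify(event):
    """Return the alert reasons for one event; an empty list means the event is clean."""
    reasons = []
    tables = touched_sensitive_tables(event.statement)
    if not DML.match(event.statement) or not tables:
        return reasons  # DDL, maintenance or non-sensitive access: out of scope for this rule
    via_app = (event.login == APPROVED_APP["login"]
               and event.app_name == APPROVED_APP["app_name"]
               and event.client_host in APPROVED_APP["hosts"])
    if via_app:
        return reasons
    names = ", ".join(sorted(tables))
    if event.server_role == "sysadmin":
        reasons.append(f"sysadmin login {event.login} accessed {names} directly via {event.app_name}")
    else:
        reasons.append(f"non-application login {event.login} accessed {names} from {event.client_host}")
    if event.login == APPROVED_APP["login"]:
        # right account, wrong tool or host: the service credential is being reused interactively
        reasons.append("application service account used outside the application tier")
    return reasons


SAMPLE_EVENTS = [  # constructed audit trail
    DbEvent("svc_orders_app", "public", "OrdersWeb", "app01",
            "SELECT name, email FROM dbo.customers WHERE id = 42"),
    DbEvent("CORP\\dba_jane", "sysadmin", "Microsoft SQL Server Management Studio - Query", "wks17",
            "SELECT TOP 1000 * FROM dbo.payment_cards"),
    DbEvent("CORP\\dba_jane", "sysadmin", "Microsoft SQL Server Management Studio - Query", "wks17",
            "ALTER INDEX ALL ON dbo.orders REBUILD"),
    DbEvent("svc_orders_app", "public", "sqlcmd", "wks23", "SELECT * FROM dbo.customers"),
    DbEvent("report_reader", "public", "ReportingSvc", "rpt01", "SELECT count(*) FROM dbo.orders"),
]


def run_detection(events=SAMPLE_EVENTS):
    """Return {event index: reasons} for the events that raised at least one alert."""
    return {i: r for i, e in enumerate(events) if (r := classify(e))}


if __name__ == "__main__":
    for idx, reasons in run_detection().items():
        print(f"event {idx}: " + "; ".join(reasons))
```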
Conclusion

The threat to data center servers is real. Data center environments have different security and operational concerns from client devices, including performance and availability requirements that are core to the business. It takes a variety of technical controls and approaches to manage risk in target-rich server environments, including application whitelisting and virtual patching that help mitigate performance and downtime concerns.

These security technologies cannot exist in isolation. So, perhaps the most critical aspect of data center server security is managing the many server security components under a common security umbrella. McAfee's ePO gets an A on its scorecard for bringing the various security components together in a common management framework. With ePO, it was easy to spot the highest risks in the data center test environment and to determine the patch status for any given system, which security components were installed, and where the risks for the system came from. The system tree view made it simple to navigate the test environment. The evaluation clearly showed integration to be a strong point, and this will only get better as some of the more recent additions to the product family (McAfee Vulnerability Manager for Databases, Virtual Patching for Databases and SIEM) are fully integrated into ePO.
About the Author

Jim D. Hietala, GIAC GSEC and CISSP, heads security standards activities for a major IT industry standards group. He has led the development of a number of IT security standards. Jim is an active participant in the SANS Analyst/expert program. A frequent speaker at industry conferences, he has published numerous articles on information security, risk and compliance topics in publications including the ISSA Journal, Risk Factor, Bank Accounting & Finance, SC Magazine and Cutter IT Journal. A security industry veteran, he has held leadership roles at a number of security technology startups. He holds a B.S. in marketing from Southern Illinois University.

SANS would like to thank its sponsor: McAfee