Chris Van den AbbeeleKelly McBrair

SAI3313BUS

#VMworld #SAI3313BUS

Automated Security for the Real-Time Enterprise with VMware NSX and Trend Micro Deep Security

Copyright2017TrendMicroInc.2

Welcometo:AUTOMATEDSECURITYFORTHEREAL-TIMEENTERPRISEWITHVMWARENSXANDTRENDMICRODEEPSECURITY[SAI3313BUS]Presenter:ChrisVandenAbbeele,GlobalSolutionsArchitect,TrendMicroPresenter:KellyMcBrair,ITInfrastructureArchitect,PlexusCorp

JoinusWednesdayat11amfor:SKIPTHESECURITYSLOWLANEWITHVMWAREONAWS[SAI3316BUS]Presenter:BryanWebster,PrincipalArchitect,TrendMicroPresenter:Dharmesh Chovatia,LeadArchitect,GlobalCTOOffice,CapgeminiUS

VisittheVMwareSolutionExchangefora30DayTrialofTrendMicro™DeepSecurityhttps://www.trendmicro.com/product_trials/download/index/us/123

Visittrendmicro.com/vmware

Followus@trendmicro

AutomatedSecurityfortheReal-timeEnterprisewithVMwareNSXandTrendMicroDeepSecurity

KellyMcBrair,ITInfrastructureArchitect,PlexusCorp.ChrisVanDenAbbeele,GlobalSolutionArchitect,TrendMicro

Copyright2017TrendMicroInc.4

CustomerPerspective

PlexusMarketSectorsExclusivelyfocusedinmarketsectorsthatrequiremid-to-lowvolumehighercomplexityvaluestreamsolutions

Communications Healthcare/LifeSciences

Industrial/Commercial

Defense/Security/Aerospace

Copyright2017TrendMicroInc.6

TrendMicro

§ 28yearsfocusedonsecuritysoftware§ HeadquarteredinJapan,TokyoExchangeNikkeiIndex (4704)§ Annualsalesover$1BUS§ Customersinclude45oftop50globalcorporations§ 5500+employees inover50countries

500kcommercialcustomers&155M endpointsprotected

SmallBusiness

MidsizeBusiness

Enterprise

Consumer

Consumers

Copyright2017TrendMicroInc.7

Agenda

• Introductions

• Automatedsecurity:From“boltedon”to“partofthefabric”

• TheBusinessCaseforAutomatedVirtualPatching

• Solvenewproblems

• IntegrationwithvRealizeOperations

• Deploymentlessonslearned

Copyright2017TrendMicroInc.8

Integratedsecurity:From“boltedon”to“partofthefabric”

Copyright2017TrendMicroInc.9

Visibility

Riskassessment Protect MoneyMaintainContextVisibility

Copyright2017TrendMicroInc.10

What’stheproblemwith“boltedon”security?• Withtheintroductionofvirtualization,wemadeaquantumleapinOperations.

ThesameishappeningwithNWvirtualization.Butinmanycases,Security,remainedstuckintheDarkAges.Securityisstillsomethingthatisappliedafterwards.

• Weneedto“shiftleft”securityandintegrateitintheautomation• Intoday’sreal-timeenterprise,theOperationsteamhastodomorewithless,

everyday.Theycreatemorenewworkloadsthaneverbefore.• Manuallyaddingthesecuritycontrols,takesalotoftimeanditisoften

postponed(and/orfinally...“forgotten”)• ManySecurityDashboardsonlyshowworkloadswhichhadbeenbrought

underthecontroloftheSecuritySolution(andhaveasecurityagentinstalledonthem).

• ShadowITcanremaincompletelyundertheRADAR

Copyright2017TrendMicroInc.11

Copyright2017TrendMicroInc.12

Contextofnewsystems

12

Riskassessment Protect MoneyMaintainVisibility Context

Copyright2017TrendMicroInc.13

Event-basedtaskstoprofilenewsystems

Copyright2017TrendMicroInc.14

EstimatetheRisk

Protect MoneyMaintainContextVisibility Riskassessment

Copyright2017TrendMicroInc.15

SomeHighRiskVulnerabilities

Copyright2017TrendMicroInc.16

16

Copyright2017TrendMicroInc.17

Copyright2017TrendMicroInc.18

Riskassessment

Protectingnewsystems

18

MoneyMaintainContextVisibility Protect

Copyright2017TrendMicroInc.19

TheSameExploits...nowProtectedbyDeepSecurity

Copyright2017TrendMicroInc.20

Copyright2017TrendMicroInc.21

8layersofsecurity:- Anti-Malware- WebReputation- Firewall- IntrusionPrevention- IntegrityMonitoring- LogInspection- ApplicationControl- ProtectionforSAP

systems(NW-VSI)

Full,multi-layeredsecurity

Copyright2017TrendMicroInc.22

ProtectRiskassessment

Maintainconsistency

22

MoneyContextVisibility Maintain

Copyright2017TrendMicroInc.23

IntegrityMonitoringMonitorsensitivefilesandsensitiveregistrykeysforchanges

ApplicationControl:“Freezes”theserverandblocksnewexecutablesandscriptsfromrunning

Protectagainstdrift:

Copyright2017TrendMicroInc.24

Protectagainstthelatestvulnerabilities:Scheduled“Vulnerability”Scans

Copyright2017TrendMicroInc.25

Reducedeploymentcomplexity

RichAPIsettointegratewithvirtuallyanyorchestrationandautomationtools

PowerShell

Copyright2017TrendMicroInc.26

TheBusinessCaseForAutomatedVirtualPatching

Copyright2017TrendMicroInc.27

Typicalpatchcyclewithoutvirtualpatching

TypicalpatchcyclewithoutVirtualPatching

MonthlySecurityPatching Half-yearlyFullPatching

12xpatching/year

Copyright2017TrendMicroInc.28

High-impactzerodaysrequireimmediateattention

28

– Arewevulnerable?(risk?)– Who canprovideapatch?– Whencanwehavethepatch?– Whencanwetestit?– Whocantestit(team?)– Wherecanwetestit?(testenvironment)

– WhencanwehaveamaintenancewindowtoPatchandRebootourservers?

Copyright2017TrendMicroInc.29

Typicalpatchcyclewithvirtualpatching

Typicalpatchcyclewith VirtualPatching

Half-yearlyFullPatching

2xpatching/year

AutomatedOngoingSecurityPatching

Copyright2017TrendMicroInc.30

Win-Win:increasessecurity+reducescost

Copyright2017TrendMicroInc.31

5daysafterShellShock:766attacksblocked(Customerexample)

766attacksblockedbyDeepSecurityAutomatedVirtualPatchingonSept30th,atacustomermanaging100+instancesIfEmergency(physical)Patchingtakes5days...

Copyright2017TrendMicroInc.32

SolveNewProblems

WhyVMwarewithNSXandTrendMicroDeepSecurity?

TableStakes• Performance• Security• Cost

NextPlay• IntegrationandChoice• FlexibilityandInnovation

NISTCybersecurity Framework

Identify Protect Detect Respond Recover

• AssetManagement• Business

Environment• Governance• RiskAssessment• RiskManagement

Strategy

• AccessControl• Awarenessand

Training• DataSecurity• Information

ProtectionProcessesandProcedures

• Maintenance• Protective

Technology

• AnomaliesandEvents

• SecurityContinuousMonitoring

• DetectionProcesses

• ResponsePlanning• Communications• Analysis• Mitigation• Improvements

• RecoveryPlanning• Improvements• Communications

SecurityDashboard

Firewall

Antivirus

IPS

VulnerabilityScanning

IDS SIEM

Monitoring

DataRecovery

DisasterRecovery

DisconnectionManagement

SecurityIncidentResponse

• LeverageSyslog,SNMP,Emailand/orvRealize SuiteforBetterIntegrationwithExistingMonitoring/AlertingTools

• IsolateVMTaggedbyDeepSecuritywithNativeNSXFirewalling• Behavior-basedfirewalling,blockinternetphonehome,preventRGE

• TakeActiononVMTaggedbyDeepSecuritywithVMwareOrchestrator• Snapshotsandclones,preparerestores,performadditionalscanning

ExamplevideoofautomatedVMsnapshotandWireshark tap(withcode):http://www.storagegumbo.com/2014/09/automation-multi-action-security.html

• SeetheTrendThreatEncyclopediaforexamplesofHigh,MediumandLowthreats:http://trendmicro.com/vinfo

• FindsamplecodeatTrend’sDSGithub repo:https://github.com/deep-security

AutomatedResponsetoImproveProtection

Copyright2017TrendMicroInc.36

IntegrationwithvRealizeOperations

Copyright2017TrendMicroInc.37

Usercall- VMslowtorespond…

or…Administratorreceivesasecurityalert

LogTicket

LogTicket

AdminlogsintovRealizeOperations

AdminlogsintoDeepSecurityManager

• AttempttovMotion

• ReboottheVM• RecycletheVM

• Changerulestoblockspecificports

• Quarantineandscan

RootCauseAnalysis

RootCauseAnalysis

CloseTicket

CloseTicket

VirtualInfrastructureAdministrator

SecurityAdministrator

Isolatedworlds...

Copyright2017TrendMicroInc.38

SinglepaneofglassForTrendMicroeventsandVMwareevents

Copyright2017TrendMicroInc.39

CorrelatevRopsEventswithSecurityEvents

Copyright2017TrendMicroInc.40

DeploymentLessonsLearned

ReadTrend’sBestPracticesGuide(Notesizing,testing,recommendations):https://help.deepsecurity.trendmicro.com/best-practice-guide.html

ConsiderAdditionalDistributionPointsand/orManagersoverWANTroubleshootDeepSecurityVirtualAppliancesasCattlePlanYourRules:Firewall,Affinity,Restart,etc.

Agentsarestillneeded(today)for:• Server2016and*nixVMs• Someadvancedfeatures• (recommendation)Windows-basedVMwareComponentsandSupporting

SystemsthatmaystartupbeforeTrendDeepSecurityManager(i.e.itsDB)

TipsandThingsYouShouldKnow

GuestIntrospectionDriversandTroubleshooting:https://kb.vmware.com/kb/2094261

VMwareToolsVersionsandUpgradeshttps://packages.vmware.com/tools/index.html (Bewareofv10.0.0-10.0.7)https://kb.vmware.com/kb/1014508 (CorrelateversionsfiletoESXi Build)

AutomatetheUpgradewith:/v“/qn ADDLOCAL=ALLREMOVE=Hgfs,NetworkIntrospection”Note:NetworkIntrospection removaloptionalAddREBOOT=ReallySuppress topreventanyreboots

GettoKnowVMwareTools

Copyright2017TrendMicroInc.43

Summary

HopefullythispresentationhasprovidedafewinsightsandpracticalexamplesonhowtobringyourHybridCloudSecurityintothe21st century.

Byautomatingandintegratingsecurityintheoperationsstack,youcangreatlyimproveyoursecuritypostureandreduceoperationalcosts

DothesamesetupanddemoyourselfintheVMworld HandsonLabsLABHOL-1841

Summary

Copyright2017TrendMicroInc.45

JoinusWednesdayat11amfor:SKIPTHESECURITYSLOWLANEWITHVMWAREONAWS[SAI3316BUS]Presenter:BryanWebster,PrincipalArchitect,TrendMicroPresenter:Dharmesh Chovatia,LeadArchitect,GlobalCTOOffice,CapgeminiUS

VisittheVMwareSolutionExchangefora30DayTrialofTrendMicro™DeepSecurityhttps://www.trendmicro.com/product_trials/download/index/us/123

Visittrendmicro.com/vmware

Followus@trendmicro