Confidential | Copyright 2012 Trend Micro Inc.
Matt Hubbard, Regional Product Marketing
Securing Today's Computing Ecosystem: Physical, Virtual and Cloud, With a Smart Protection Strategy
Unprotected Data Needing Protection
The amount of data needing protection will grow by a factor of 90 by 2020. (IDC)
Data Everywhere – Is It Protected?
• Only 20% of virtual systems use virtualization-specific security tools. (Computer Security Institute, 2010/2011 Computer Crime and Security Survey)
• 72% of server workloads will be virtualized by 2014.
The Changing Threat Landscape
[Chart: damage caused by threat category over time, from 2001 to now. Phases shown: worm outbreaks and vulnerabilities (2001), spam and mass mailers, spyware, intelligent botnets, web threats, crimeware (from 2003 onward), and targeted attacks (now). Year markers: 2001, 2003, 2004, 2005, 2007.]
• Now it's personal!
• Financially motivated
• Targeting valuable information
Copyright 2013 Trend Micro Inc.
[Chart: Endpoint Malware Definition Size (MB), Oct 2011 and June 2012. Trend Micro: 33 MB and 34 MB. Competitor A: 200 MB and 289 MB. Competitor B: 122 MB and 156 MB.]
Source: Trend Micro, tested on 6th October 2011 and 8th June 2012 using the latest endpoint products with the latest pattern at the time of testing.
Global Threat Intelligence
[Diagram: the cloud-based threat intelligence network collects, identifies and protects, feeding IT admin and security functions.]
Daily stats:
• 200M threats blocked
• 50M malicious URLs
• 700K cloud email entries
• 1.4B whitelist queries
• 80M malicious files
Components:
• Email Reputation
• Web Reputation
• File Reputation
• Whitelisting
• Vulnerabilities & Exploits
• Mobile App Reputation
• Network Traffic Rules
• Threat Actor Research
Unprecedented Adoption Rates
• 2.4B Internet users (1)
• 1 trillion+ URLs indexed by Google (2)
• 665M web sites (3)
• 1B Facebook users (4)
• 427M smart phones sold last year (5)
• 54% of Facebook access is via mobile (6)
Sources – 1: Internet World Stats, Dec 2012; 2: Google, 2008; 3: NetCraft Site Data, July 2012; 4: Facebook, Oct 2012; 5: Gartner 2012; 6: SocialBakers, May 2012.
[Chart: Apple quarterly unit sales (millions): 66.1M iPads, 21.2M iPhones, 1.3M iPods.]
Source: KPCB, Apple Quarterly Results
Stretching Network Perimeters: So Network Security Must Be Elastic to Stretch with the Network
[Diagram: the old perimeter enclosed the main campus; the new perimeter extends over the Internet to mobile users, remote offices, IaaS and SaaS. My Campus Network, My Branch Network, My Mobile Network and My Cloud Network (VMs) are joined by VPN links, with security scanning and a central security policy applied from the cloud.]
The Elastic Network
[Diagram: data and systems spread across My Campus Network, My Branch Network, My Mobile Network and My Cloud Network, expanding and contracting with demand, e.g. 100 employees for 6 months, onsite services, or Christmas season ad campaigns.]
Because the perimeter is elastic, systems and data are more vulnerable to attack. Protecting this
“Spectrum of Computing” means Securing the Elastic Network and data in motion and at rest.
The "Spectrum of Computing": Security for Elastic Networks & User Environments
• Endpoints (laptops, desktops, smart phones, handhelds, tablets, social media…): endpoint-oriented products such as OfficeScan, DLP, Encryption, Worry-Free…
• Physical & virtual servers & desktops…: server/gateway-oriented products such as Deep Security, ServerProtect, PortalProtect, IMS/IWS…
• Cloud (private & public cloud, SaaS, PaaS, ITaaS…): cloud & virtual-oriented products such as Deep Security, SecureCloud…
Effective security must span from "endpoint to cloud": devices, systems, data, applications.
Integrated Security Across Platforms: Traditional Outside-in Model of Perimeter Defense
Outside-In Security: layer protection from the outside in, keeping threats as far away from the data as possible!
Integrated Security Across Platforms: Virtual and Cloud Oriented Inside-out Security
Inside-Out Security (endpoints and datacenters), starting from data protection:
• Self-Secured Workload
• Local Threat Intelligence
• When: Timeline Aware
• Who: Identity Aware
• Where: Location Aware
• What: Content Aware
• User-defined Access Policies
• Encryption
All network-connected data must be able to defend itself from attacks.
Virtualization Security Challenge: Resource Contention (Desktop or Server)
Antivirus storm: automatic security scans (for example, a 3:00am scan scheduled from a typical AV console) run on every VM at once and overburden an entire system, whether a multi-tenant server or a VDI host.
Virtualization Security Challenge: Instant-on Gaps
Dormant VMs that are reactivated, and VMs that are cloned, can come back with out-of-date security; VM sprawl inhibits compliance.
Virtualization Security Challenge: Complexity of Management
• Patch agents
• Rollout patterns
• Provisioning new VMs
• Reconfiguring agents
Virtualization Security Challenge: Inter-VM Attacks / Blind Spots
Attacks can spread across VMs on the same host without crossing a network control point.
Agentless Security for VMware: Beyond Antivirus
• The old way: a security agent on each VM.
• With agentless security: one security virtual appliance per host provides Antivirus, Integrity Monitoring, Intrusion Prevention, Virtual Patching, Firewall and Web Application Protection for all VMs on the host.
Virtualization Security: What is the Solution? A Dedicated Security Virtual Appliance
Maximizes performance and ROI.
Virtualization Security: Fit for the VMware Ecosystem (Cost Reduction & Consolidation)
[Diagram: Trend Micro Deep Security in a vSphere virtual environment, integrating with vCenter. The security virtual appliance uses vShield Endpoint and other VMware APIs; a security agent remains available on individual VMs.]
• Agentless: Antivirus, Integrity Monitoring
• Agentless: IDS / IPS, Web Application Protection, Application Control, Firewall
• Agent-based: Log Inspection
In the Cloud: Who Has Control?
Who is responsible for security?
• With IaaS the customer is responsible for VM-level security.
• With SaaS or PaaS the service provider is responsible for security.
[Diagram: responsibility shifts from the end-user (enterprise) to the service provider across servers, virtualization & private cloud, public cloud IaaS, public cloud PaaS and public cloud SaaS.]
Amazon Web Services™ Customer Agreement:
"4.2 Other Security and Backup. You are responsible for properly configuring and using the Service Offerings and taking your own steps to maintain appropriate security, protection and backup of Your Content, which may include the use of encryption technology to protect Your Content from unauthorized access and routine archiving Your Content."
http://aws.amazon.com/agreement/#4 (30 March 2011)
The cloud customer has responsibility for their data security and needs to plan for this.
What is there to worry about?
[Illustration: a record such as "Name: John Doe, SSN: 425-79-0053, Visa #: 4456-8732…" stored on a cloud volume, and a copy of the same record elsewhere.]
• Use of encryption is rare: who can see your information?
• Virtual volumes and servers are mobile: your data is mobile; has it moved?
• Rogue servers might access data: who is attaching to your volumes?
• Rich audit and alerting modules are lacking: what happened when you weren't looking?
• Encryption keys remain with the vendor: are you locked into a single security solution? Who has access to your keys?
• Virtual volumes contain residual data: are your storage devices recycled securely?
Cloud Security: Modular Protection
Modules: Compliance, Template Integrity, VM Isolation, Real-time Protection, Data Protection.
What is the Solution? Security that Travels with the VM
Self-Defending VM Security in the Cloud
• Agent on the VM can travel between cloud solutions
• One management portal for all modules
• SaaS security deployment option
SecureCloud: Securing Data in the Cloud
• Encrypts data in public or private cloud environments
  – Military grade, FIPS 140-2 compliant encryption to 256 bits
• Manages encryption keys
  – Typically a very tedious, detailed and expensive process
  – Application upkeep offloaded to a trusted partner
• Authenticates servers requesting access to data
  – A policy-based system gives a wide range of factors on which key deployment decisions are made
  – Delivers keys securely over encrypted SSL channels
• Audits, alerts, and reports on key delivery activities
  – Multiple reports and alerting mechanisms available
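The "authenticates servers requesting access to data" and "audits, alerts, and reports on key delivery" bullets describe a policy-gated key release: a VM asks for its volume key, the key service checks who is asking, what image it is running, where the request comes from and when, and logs the outcome. The following is an added, constructed example of that control flow, not SecureCloud code; the policy factors, server names, image hashes, region names and delivery window are all invented for illustration.

```python
"""Constructed example: policy-based release of a volume encryption key.

The key service answers a request only when every policy factor (who, what,
where, when) passes, and writes an audit entry for every decision so that a
denied request from a rogue or tampered server shows up as an alert.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
import hashlib
import hmac
import secrets


@dataclass
class KeyRequest:
    server_id: str          # identity of the VM asking for its volume key
    volume_id: str          # encrypted volume the VM wants to mount
    region: str             # where the request originates (constructed claim)
    image_hash: str         # measured hash of the VM image, reported by the agent
    requested_at: datetime  # timezone-aware timestamp of the request


@dataclass
class Policy:
    allowed_servers: set        # "who": servers permitted to receive keys
    expected_image_hash: str    # "what": golden image the server must be running
    allowed_regions: set        # "where": regions keys may be delivered to
    window_start_hour: int      # "when": UTC hour, inclusive
    window_end_hour: int        # "when": UTC hour, exclusive


@dataclass
class KeyService:
    policy: Policy
    keys: dict                          # volume_id -> key bytes (a real service would use an HSM/KMS)
    audit: list = field(default_factory=list)

    def evaluate(self, req: KeyRequest):
        """Return (key or None, list of failed checks) and record an audit entry."""
        failed = []
        if req.server_id not in self.policy.allowed_servers:
            failed.append("who: server not authorised for this volume")
        # constant-time compare so the integrity check does not leak by timing
        if not hmac.compare_digest(req.image_hash, self.policy.expected_image_hash):
            failed.append("what: image integrity mismatch")
        if req.region not in self.policy.allowed_regions:
            failed.append("where: request from unexpected region")
        hour = req.requested_at.astimezone(timezone.utc).hour
        if not (self.policy.window_start_hour <= hour < self.policy.window_end_hour):
            failed.append("when: outside permitted delivery window")
        key = None
        if not failed:
            key = self.keys.get(req.volume_id)
            if key is None:
                failed.append("no key on file for volume")
        self.audit.append({
            "at": req.requested_at.isoformat(),
            "server": req.server_id,
            "volume": req.volume_id,
            "decision": "granted" if key is not None else "denied",
            "reasons": list(failed),
        })
        return key, failed

    def alerts(self):
        """Every denied delivery is an alert candidate for the reporting module."""
        return [entry for entry in self.audit if entry["decision"] == "denied"]


def build_demo_service():
    """Constructed policy and key store for the demonstration below."""
    policy = Policy(
        allowed_servers={"web-01", "web-02"},
        expected_image_hash=hashlib.sha256(b"golden-image-v7").hexdigest(),
        allowed_regions={"eu-west-1"},
        window_start_hour=6,
        window_end_hour=22,
    )
    return KeyService(policy=policy, keys={"vol-data-1": secrets.token_bytes(32)})


def run_demo():
    """Three constructed requests: a legitimate server, a rogue server, a tampered image."""
    svc = build_demo_service()
    good_hash = svc.policy.expected_image_hash
    ts = datetime(2013, 5, 1, 9, 30, tzinfo=timezone.utc)
    ok_key, ok_fail = svc.evaluate(KeyRequest("web-01", "vol-data-1", "eu-west-1", good_hash, ts))
    _, rogue_fail = svc.evaluate(KeyRequest("rogue-99", "vol-data-1", "us-east-1", good_hash, ts))
    tampered = hashlib.sha256(b"tampered-image").hexdigest()
    _, tamper_fail = svc.evaluate(KeyRequest("web-02", "vol-data-1", "eu-west-1", tampered, ts))
    return {
        "granted": ok_key is not None and not ok_fail,
        "rogue_reasons": rogue_fail,
        "tamper_reasons": tamper_fail,
        "alerts": svc.alerts(),
    }


if __name__ == "__main__":
    for line in run_demo()["alerts"]:
        print(line)
```

The point of the audit list is the "what happened when you weren't looking?" concern from the earlier slide: a rogue server attaching to a volume never gets the key, and the attempt is recorded with the reasons, so the denial can drive an alert rather than disappearing silently.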
[Diagram: encryption throughout your cloud journey, data protection for virtual & cloud environments, covering VMs in the data center, the private cloud (VMware vSphere) and the public cloud (VMware vCloud).]
Cloud Security: Fitting Encryption into a VMware Ecosystem (Cost Reduction & Consolidation)
[Diagram: an enterprise key service console and an encryption solution alongside VMware virtualization security.]
Private Cloud (security virtual appliance protecting the VMs):
• Agentless security
• Layered server security
• Encryption for vSphere
• Encryption for vCloud
• Compliance support (FIM, Encryption, etc.)
Server security console:
• Shared policy profile
• Vulnerability shielding
Encryption console:
• Shared policy profile
• Key ownership
Public Cloud (agent on each VM):
• Agent-based security
• Layered server security
• Encryption for leading cloud providers
• Compliance support (FIM, Encryption, etc.)
Virtualization and Cloud Security: One Security Model
Cloud and Data Center Security across physical, virtual, private cloud and public cloud, shared by data center ops and security:
• Anti-Malware
• Integrity Monitoring
• Encryption
• Log Inspection
• Firewall
• Intrusion Prevention
Trend Micro: 27% (Source: IDC, 2012 Worldwide Corporate Endpoint Server Security Revenue Share by Vendor, 2011)
Top ratings for Virtualization Security
VMware Technology Alliance 'Partner of the Year'
Thank You!