
Page 1

Secure Your VMs with vSphere and AppDefense

Wee Kiong Tan, Staff Solution Engineer, VMware

Ivan Yulian Suryawinata, Associate Systems Engineer, VMware

Confidential │ ©2019 VMware, Inc.

Page 2

Disclaimer

This presentation may contain product features or functionality that are currently under development.

This overview of new technology represents no commitment from VMware to deliver these features in any generally available product.

Features are subject to change, and must not be included in contracts, purchase orders, or sales agreements of any kind.

Technical feasibility and market demand will affect final delivery.

Pricing and packaging for any new features/functionality/technology discussed or presented, have not been determined.

This information is confidential.


The information in this presentation is for informational purposes only and may not be incorporated into any contract. There is no commitment or obligation to deliver any items presented herein.

Page 3

Agenda

Introductions & Goals: It's all about risk

AppDefense: Flipping the script on endpoint security

Protect with VM-level Security Features: Making it easy to be secure


Page 5

Confidentiality, Integrity, Availability

Page 6

• AppDefense

• NIAP/Common Criteria

• MDS/L1TF/Spectre/Meltdown Mitigations

• Audit-Quality Logging

• HCX & VMware Cloud on AWS

• vSphere & vSAN Health

• TPM 2.0 & Host Attestation

• VBS & Windows *Guard

• vTPM

• TLS 1.2 by default

• FIPS 140-2 by default

• Secure Boot (Host and Guest)

• VM Sandboxing

• Storage/Network I/O Control

• + hundreds more

• VM Encryption

• VMware Certificate Authority

• vSAN Stretched Clusters

• vSAN Encryption

• vSphere Replication

• HA & vCenter HA

• DRS & Predictive DRS

• Fault Tolerance

• Enhanced vMotion Compatibility

• Snapshots & Clones

• Encrypted vMotion

• NSX

• Host Profiles

• Update Manager

Page 7

[Figure: the vSphere security features mapped onto Confidentiality, Integrity and Availability: HCX, Audit-Quality Logging, AppDefense, vSphere Health, TPM & vTPM, Virtualization-Based Security, TLS, Secure Boot, VM Encryption, Certificate Management, vSAN Stretched Clusters, High Availability, DRS, Fault Tolerance, Snapshots, Encrypted vMotion, Update Manager, EVC, NIAP Certification, L1TF/Spectre/MDS Mitigations, FIPS 140-2, NSX, Host Attestation, VM Sandboxing, vSAN Encryption, vCenter HA, Host Profiles, SIOC, NIOC, Log Insight, vMotion.]

Page 8

AppDefense

Page 9

The Vision

[Figure 2. Cloud Workload Protection Controls Hierarchy, © 2019 Gartner, Inc. (Gartner Market Guide for CWPP). Layers, top to bottom: Anti-Malware Scanning; HIPS with Vulnerability Shielding; Server Workload EDR Behavioral Monitoring; Threat Detection/Response; Exploit Prevention / Memory Protection; Application Control / Whitelisting; System Integrity Assurance; Network Firewalling, Visibility and Microsegmentation; Hardening, Configuration and Vulnerability Management; Operations Hygiene (Restricted Physical and Logical Operator Access; No Arbitrary Code, No Email, Web Client; Admin Privilege Management; Change Management; Log Management). Side annotations: Optional, but Should Be Performed On File Repositories; Less Critical; Core Workload Protection Strategies; Important, But May Be Performed Outside of the Workload; Foundational.]

Page 10

Why VMware?

[Figure: Application Automation, comparing "What was Provisioned" with "What is Running"; Agent Fatigue / Isolation; ESX with the AppDefense Agent (as part of VMware Tools).]

Page 11

Primary AppDefense Use Cases

Visibility (Understand Your Workloads): App Discovery, Private Cloud Monitoring, Intrinsic Lifecycle Management

Validation (Analyze Risk for Your Workloads): Vulnerability Prioritization, Application Verification

Protection (Respond and Remediate Incidents): Automated Response, System Integrity

Page 12

Visibility: Private Cloud Monitoring

[Figure: Private Cloud workloads monitored by AppDefense, shown alongside Security information and event management (SIEM). Example entries:]

App: CRM, Service: DB, Hash: Good, Behavior: Anomalous

App: ERP, Service: Web, Hash: Risky, Behavior: Normal

App: E-Commerce, Service: DB, Hash: Good, Behavior: Normal

Page 13

Validation: App Verification

[Screenshot: AppDefense "VMs and Containers" view for the Acme organization. The "Finance App" scope groups a set of VMs and containers; the "Finance App: App Server" service shows a per-process table with columns Process name, Hash, Outbound (destination address or name, e.g. domain-controller, Microsoft Update) and Inbound (listening port), with workloads classified as AppServer, SQLServer or IISServer by the AI Classification & Graph Based Learning Engines.]

Techniques used:

• Social Assurance

• 3rd party reputation feeds

• Machine Learning

• Global Services

• DNS queries

Page 14

Validation: Vulnerability Prioritization

[Screenshot: Risk Details panel for the Acme organization, listing the CVEs found on the workloads and plotting them on a Criticality scale from 0 (Low) to 10 (High).]

Page 15

Protection: System Integrity

[Figure: Security – System Integrity. Components shown: ESXi, the Guest Virtual Machine with its Windows Kernel and Core Data Structures, 3rd party drivers, and the AppDAgent.]

Protects against top-level MITRE ATT&CK categories (defense evasion and persistence)

Page 16

Protection: Automated Response

[Figure: Incident Response – Automated Response. When a deviation occurs, it passes through De-duplication, Upgrade Detection, Trust/Reputation, Social Assurance and ML Analysis, is scored on a Criticality scale from 0 (Low) to 10 (High), and the response is either Alert or Kill. The example table lists running processes (agetty.exe, anacron.exe, arch.exe, ssh.exe) with ssh.exe raised as an alert by Trust/Reputation and the action taken: Kill.]

Page 17

Intrinsic Security

[Figure: Intrinsic Security as Context plus Control across Apps, Data, Compute, Access, Users, Devices and Network.]

Page 18

vSphere Security Features

Page 19

Make It Easy to Do the Right Thing

Page 20

Make the Right Thing the Default


Page 22

vSphere Security Configuration Guide

[Chart: Hardening Settings Over Time, by vSphere version: 5.5: 37; 6: 24; 6.5: 10; 6.7: 5; Future: 1]

Page 23

Secure Boot

Page 24

Secure Boot for VMs

• Does not require hardware TPM or Secure Boot!

• Requires VM Hardware v13+ and EFI Firmware (GPT)

• Helps prevent rootkits and other malware from taking hold

• Microsoft requirement for Virtualization-Based Security (VBS)

• Great for new 2019 templates!

Page 25

Virtualization-Based Security

Page 26

Virtualization-Based Security (VBS)

• AKA Device Guard, Credential Guard, and HVCI

• Nested virtualization provides a secure memory space inside the guest OS to hold credentials & keys

• Effectively ends a whole class of in-guest attacks against credentials

Page 27

Virtualization-Based Security (VBS)

• Does not require vTPM (but will use it if it's there)

• Requires VM Hardware v14+, EFI Firmware (GPT), Secure Boot, and 2016+/1709+

Page 28

VBS Readiness Tool

Page 29

VBS: gpedit.msc

Page 30

VM Encryption

Page 31

VM Encryption

• Encryption at rest without complexity

• Encrypts VM home files & VMDKs

• 100% guest OS agnostic

• Frees you from SEDs and specialized storage, use what you have right now

• Requires a KMIP KMS infrastructure, check HCL

Page 32

VM Encryption

• Full support in PowerCLI. One line of code shows all encrypted VMs

• Enables vTPM

• Enables additional permissions in vCenter to help prevent exfiltration

• Granular, you can still use vSAN Encryption & Deduplication
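As an added example (not from the slides and not VMware's own "one line"), assuming VMware PowerCLI is installed and Connect-VIServer has already been run, the following PowerCLI script reports each VM against the prerequisites the Secure Boot, VBS and VM Encryption slides list: hardware version, EFI firmware, Secure Boot and VBS state, and whether the VM is encrypted.

```powershell
# Added example: report each VM against the prerequisites named on the slides.
# Assumes VMware PowerCLI is installed and Connect-VIServer has already been run.
# vSphere API properties read via ExtensionData: Config.Version, Config.Firmware,
# Config.BootOptions.EfiSecureBootEnabled, Config.Flags.VbsEnabled, Config.KeyId.

function Get-VmSecurityPosture {
    param([string]$Name = '*')

    foreach ($vm in Get-VM -Name $Name) {
        $cfg = $vm.ExtensionData.Config
        # Config.Version looks like "vmx-14"; keep the numeric part for comparisons.
        $hwVersion  = [int]($cfg.Version -replace '^vmx-', '')
        $isEfi      = ($cfg.Firmware -eq 'efi')
        $secureBoot = [bool]$cfg.BootOptions.EfiSecureBootEnabled
        $vbs        = [bool]$cfg.Flags.VbsEnabled
        $encrypted  = ($null -ne $cfg.KeyId)   # a key ID is present only on encrypted VMs

        [pscustomobject]@{
            VM              = $vm.Name
            HardwareVersion = $hwVersion
            Firmware        = $cfg.Firmware
            SecureBoot      = $secureBoot
            VBS             = $vbs
            Encrypted       = $encrypted
            # Slide 24: Secure Boot for VMs needs VM Hardware v13+ and EFI firmware
            SecureBootReady = ($hwVersion -ge 13 -and $isEfi)
            # Slide 27: VBS needs VM Hardware v14+, EFI firmware and Secure Boot
            VbsReady        = ($hwVersion -ge 14 -and $isEfi -and $secureBoot)
        }
    }
}

# VMs that already meet the Secure Boot prerequisites but do not have it switched on
Get-VmSecurityPosture | Where-Object { $_.SecureBootReady -and -not $_.SecureBoot } |
    Format-Table VM, HardwareVersion, Firmware, SecureBoot, VBS, Encrypted

# The "show all encrypted VMs" view from slide 32, built on the same data
Get-VmSecurityPosture | Where-Object Encrypted | Select-Object VM, HardwareVersion
```

The guest OS requirement on slide 27 (2016+/1709+) is not checked here, since it depends on the installed Windows build rather than on the VM configuration.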


Page 35

Lifecycle & Patching

Page 36

Thank You!

Confidential │ ©2019 VMware, Inc.
