trend micro vforum agentless scanning presentation
© 2009 VMware Inc. All rights reserved
Confidential
Agentless Anti-Virus and IDS/IPS: A New Paradigm for Security in Virtual Environments
Harish Agastya, Director of Datacenter Security, Trend Micro
Agenda
Security Roadblocks in the Virtualization Journey
Threat Evolution and the Porous Perimeter
New Security Paradigms on the vSphere platform
Trend Micro: Security Built for VMware
Securing Servers the Traditional Way
[Diagram: an ESX Server hosting three VMs (App / OS), each running its own AV agent inside the guest; a network IDS / IPS sits in front of the host]
• Anti-virus: local, agent-based protection in the VM
• IDS / IPS: network-based device or software solution
Virtualization Journey, Stage 1: Server Consolidation
Virtualization Journey, Stage 2: Expansion & Desktop
• Increased server consolidation
• Desktop virtualization
Virtualization Journey, Stage 3: From Private to Public Cloud
Virtualization Journey Stages
[Chart: virtualization adoption rate for servers and desktops, plotted across Stage 1 (Server Consolidation), Stage 2 (Expansion & Desktop) and Stage 3 (Private > Public Cloud); axis marks at 15%, 30%, 70% and 85%]
THE SECURITY INHIBITORS TO VIRTUALIZATION
Security Challenges Along the Virtualization Journey
[Chart: security challenges 1 to 11 plotted against virtualization adoption rate, across the phases IT Production, Business Production and ITaaS]
• Inter-VM attacks / blind spots (1)
• Instant-on gaps (2)
• Resource contention (3)
• Complexity of management (4)
• Host controls under-deployed
• Data destruction
• Diminished perimeter
• Multi-tenancy
• Data access & governance
• Mixed trust level VMs
• Compliance / lack of audit trail
Security Inhibitors to Virtualization, 1: Inter-VM attacks / blind spots
Traffic between VMs on the same host stays on the virtual switch and never crosses the physical network, so a network-based IDS / IPS does not see it.
Security Inhibitors to Virtualization, 2: Instant-on gaps
[Diagram: VM lifecycle with Active, Dormant and New VMs; dormant VMs are reactivated, and new VMs provisioned, with out-of-date security]
Security Inhibitors to Virtualization, 3: Resource contention
[Screenshot: a typical AV console with every VM scheduled for a 3:00am scan]
Security Inhibitors to Virtualization, 4: Complexity of management
• Patch agents
• Rollout patterns
• Provisioning new VMs
• Reconfiguring agents
Threat Evolution and the Porous Perimeter
Today’s threat environment
• More profitable: $100 billion estimated profits from global cybercrime (Chicago Tribune, 2008)
• More sophisticated: “Breaches go undiscovered and uncontained for weeks or months in 75% of cases.” (Verizon Breach Report, 2009)
• More frequent: “Harvard and Harvard Medical School are attacked every 7 seconds, 24 hours a day, 7 days a week.” (John Halamka, CIO)
• More targeted: “27% of respondents had reported targeted attacks.” (2008 CSI Computer Crime & Security Survey)
Perimeter defenses are not enough
[Diagram (© 2005, Third Brigade Inc.): ways attacks bypass the perimeter: 1 encrypted attacks, 2 mobile computers, 3 wireless networks, 4 unsuspecting users, 5 insider attacks]
Exploits are happening before patches are developed
Number of days until a vulnerability is first exploited after the patch is made available:
• 2003, MS-Blast: 28 days
• 2004, Sasser: 18 days
• 2005, Zotob: 10 days
• 2006 (WMF) and after: zero-day
• 2010, IE zero-day
“Microsoft today admitted it knew of the Internet Explorer flaw used in the attacks against Google and Adobe since September last year.” -- ZDNet, January 21, 2010
Where are you vulnerable?
• It takes days to months until patches are available and can be tested and deployed: “Microsoft Tuesday”, Oracle, Adobe
• Developers are not available to fix vulnerabilities: no longer with the company, working on other projects
• Patches are no longer being developed: Red Hat 3 (Oct 2010), Windows 2000 (Jul 2010), Solaris 8 (Mar 2009), Oracle 10.1 (Jan 2009)
• Can’t be patched because of cost, regulations or SLA reasons: POS, kiosks, medical devices
New Security Paradigms on the vSphere platform
New Paradigm #1: Hypervisor-powered Security Architectures
[Diagram: an ESX Server hosting three VMs (App / OS) with no AV agent in the guest; vShield Endpoint connects them to an anti-virus virtual appliance on the same host]
• vShield Endpoint enables agentless AV scanning
• Secures VMs from the outside, with no changes to the VM beyond the thin vShield guest driver shown in the architecture slide (the AV engine, signatures and updates move to the appliance)
The Opportunity with Agentless Anti-malware
[Diagram: previously, an AV agent in every VM on vSphere; today, a single virtual appliance reached through vShield Endpoint]
• More manageable: no agents to configure, update or patch
• Faster performance: freedom from AV storms
• Stronger security: instant-on protection plus tamper-proofing (malware in the guest cannot disable an engine that does not run there)
• Higher consolidation: inefficient operations removed
Agentless anti-malware: Architecture
[Diagram with the following components:]
• vSphere platform, ESX 4.1: the hypervisor hosts the vShield Endpoint ESX Module, which carries file events and file data between the guests and the appliance
• Guest VM: APPs, OS, kernel and BIOS, plus the thin vShield Guest Driver that hooks file activity and serves file data
• Security Virtual Appliance: the vShield Endpoint Library (EPsec interface) feeds the Anti-malware Scanning Module (On Access Scans, On Demand Scans), with Remediation, Caching & Filtering and a Status Monitor; it is connected to the Anti-malware Product Console (the diagram marks this link REST)
• Roles: the VI Admin manages the platform, the Security Admin manages the anti-malware console
Agentless Anti-malware: Process flow
[Sequence diagram, time running downward, between the Guest VM (APPs, OS, vShield Guest Driver) and the Security Virtual Appliance (EPsec Lib, Caching & Filtering, Anti-malware Scanning module with On Access and On Demand Scans, Remediation):]
1. An application touches a file; the vShield Guest Driver raises a file event to the appliance through the EPsec Lib.
2. Caching & Filtering checks the event: excluded by filter? result cached? If either, the result is returned to the guest driver without moving any file data.
3. Otherwise the appliance issues a file data request; the guest driver answers with the file data (data cached? lets the driver answer from data it already holds).
4. The Anti-malware Scanning module scans the data and returns the scan result, which is cached and passed back to the guest driver; Remediation acts on a positive result.
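The flow above, as an added Python model. This is not Trend Micro or VMware code: the EPsec / vShield Endpoint interface is not shown on this page, so the guest driver, the hypervisor hop and the appliance are plain Python classes. Assumptions, also marked in the comments: a SHA-256 hash-match scanner stands in for the scanning engine, the result cache is keyed on the file identity (VM, path, size, mtime) carried in the file event so that a cache hit needs no file data, the exclusion filter is a constructed extension list, and the guest file system is constructed sample data.

```python
"""Model of the agentless on-access scan flow: guest driver -> appliance.

Added example, not Trend Micro or VMware code. The EPsec / vShield Endpoint
interface is not on the page, so every component here is a plain class and
every policy value is a constructed assumption.
"""
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Assumption: a SHA-256 hash-match scanner stands in for the scanning engine.
MALICIOUS_SHA256 = {
    hashlib.sha256(b"MZ\x90\x00 constructed-dropper-payload").hexdigest(),
}
# Assumption: exclusion filter configured by the security admin.
EXCLUDED_SUFFIXES = (".log", ".tmp")

FileId = Tuple[str, str, int, int]  # (vm, path, size, mtime)


@dataclass
class GuestFile:
    data: bytes
    mtime: int


class GuestDriver:
    """Thin in-guest component: raises file events, serves file data on
    request and carries out the remediation the appliance asks for."""

    def __init__(self, vm: str, files: Dict[str, GuestFile]) -> None:
        self.vm = vm
        self.files = files
        self.quarantine: Dict[str, bytes] = {}
        self.bytes_served = 0  # file data pushed to the appliance

    def file_id(self, path: str) -> FileId:
        f = self.files[path]
        return (self.vm, path, len(f.data), f.mtime)

    def read(self, path: str) -> bytes:
        data = self.files[path].data
        self.bytes_served += len(data)
        return data

    def quarantine_file(self, path: str) -> None:
        self.quarantine[path] = self.files.pop(path).data


class SecurityVirtualAppliance:
    """Caching & Filtering in front of the scanning module and remediation."""

    def __init__(self) -> None:
        self.result_cache: Dict[FileId, str] = {}
        self.scans = 0

    def scan(self, data: bytes) -> str:
        self.scans += 1
        digest = hashlib.sha256(data).hexdigest()
        return "malicious" if digest in MALICIOUS_SHA256 else "clean"

    def on_file_event(self, driver: GuestDriver, path: str) -> str:
        # Step 2: excluded by filter? Answer without touching file data.
        if path.lower().endswith(EXCLUDED_SUFFIXES):
            return "excluded"
        # Step 2: result cached? The key carries size and mtime, so a file
        # modified inside the guest misses the cache and is rescanned.
        fid = driver.file_id(path)
        verdict = self.result_cache.get(fid)
        if verdict is None:
            # Steps 3 and 4: file data request, scan, cache the scan result.
            verdict = self.scan(driver.read(path))
            self.result_cache[fid] = verdict
        # Remediation: the appliance tells the driver what to do with the file.
        if verdict == "malicious" and path in driver.files:
            driver.quarantine_file(path)
        return verdict


def demo() -> dict:
    """Constructed guest file system; shows where the filter and the cache
    short-circuit the flow and where a changed file forces a rescan."""
    driver = GuestDriver("vm1", {
        "C:/app/app.exe": GuestFile(b"MZ constructed benign binary", mtime=100),
        "C:/temp/dropper.exe": GuestFile(b"MZ\x90\x00 constructed-dropper-payload", mtime=101),
        "C:/logs/app.log": GuestFile(b"2010-01-21 service started", mtime=102),
    })
    sva = SecurityVirtualAppliance()
    verdicts: List[str] = [
        sva.on_file_event(driver, "C:/app/app.exe"),       # scanned
        sva.on_file_event(driver, "C:/app/app.exe"),       # cache hit, no data moved
        sva.on_file_event(driver, "C:/logs/app.log"),      # filtered, no data moved
        sva.on_file_event(driver, "C:/temp/dropper.exe"),  # scanned, then quarantined
    ]
    # The application is updated inside the guest: new size and mtime.
    driver.files["C:/app/app.exe"] = GuestFile(b"MZ constructed benign binary v2", mtime=200)
    verdicts.append(sva.on_file_event(driver, "C:/app/app.exe"))  # cache miss, rescanned
    return {
        "verdicts": verdicts,
        "scans": sva.scans,
        "bytes_served": driver.bytes_served,
        "quarantined": sorted(driver.quarantine),
    }


if __name__ == "__main__":
    print(demo())
```

Five file events cost three scans and three file transfers; the second open of app.exe and the .log file never move data across the introspection channel. The rescan after the in-guest update is the reason the cache key includes size and mtime: a cache keyed on path alone would let a replaced binary inherit the old verdict.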
Agentless approach uses less ESX memory
[Chart: ESX memory consumption against number of guest VMs for agent-based Anti-Virus “B”, “Y” and “R”, compared with the agentless approach]
Agentless approach uses less bandwidth
[Chart: time in seconds for a signature update to 10 agents, for agent-based Anti-Virus “B”, “Y” and “R” versus agentless Anti-Virus “T”]
New Paradigm #2: Opportunity to Beef up Server Security
VMsafe enables you to supplement perimeter defense with agentless IDS / IPS, firewall and application protection.
[Diagram: an ESX Server hosting three VMs (App / OS); the VMsafe APIs connect them to a virtual appliance providing Firewall, IDS / IPS, Web app protection and Anti-Virus]
VMsafe™ APIs
• CPU / Memory inspection: inspection of specific memory pages; knowledge of the CPU state; policy enforcement through resource allocation
• Networking: view all IO traffic on the host; intercept, view, modify and replicate IO traffic; provide inline or passive protection
• Storage: mount and read virtual disks (VMDK); inspect IO reads / writes to the storage devices; transparent to the device and inline with the ESX storage stack
Intrusion Defense with VMsafe
[Diagram: packet pipeline]
• An incoming or outgoing packet enters through a tap (passive) or inline hook.
• Fastpath Driver: a micro firewall (blacklist & bypass) gives an immediate Drop or Pass for traffic that needs no further inspection.
• Slowpath Driver: the remaining packets go through the Stateful Firewall (Drop or Pass) and then DPI.
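The fast-path / slow-path pipeline on the slide, as an added Python model. This is not Trend Micro or VMware code: the VMsafe network API is only summarized on this page, so the tap / inline hook is an ordinary method call and packets arrive pre-parsed into a small record. The blacklist, the bypass port, the allowed ports and the two HTTP DPI rules are constructed assumptions, as is the packet trace.

```python
"""Model of the VMsafe intrusion-defense pipeline on the slide above.
Added example, not Trend Micro or VMware code; all policy values are
constructed assumptions and the VMsafe hook is a plain method call."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    proto: str           # "tcp" or "udp"
    syn: bool = False    # TCP SYN without ACK, i.e. a new connection attempt
    payload: bytes = b""


FlowKey = Tuple[str, str, int, str]


class MicroFirewall:
    """Fast path: per-packet checks that need no connection state."""

    def __init__(self, blacklist: Set[str], bypass_ports: Set[Tuple[str, int]]) -> None:
        self.blacklist, self.bypass_ports = blacklist, bypass_ports

    def decide(self, pkt: Packet) -> Optional[str]:
        if pkt.src in self.blacklist:
            return "drop"
        if (pkt.proto, pkt.dport) in self.bypass_ports:
            return "pass"      # trusted flow skips the stateful firewall and DPI
        return None            # hand to the slow path


class StatefulFirewall:
    """Slow path stage 1: accepts packets that open an allowed flow or belong
    to one already open; everything else is dropped."""

    def __init__(self, allowed_ports: Set[Tuple[str, int]]) -> None:
        self.allowed_ports = allowed_ports
        self.flows: Set[FlowKey] = set()

    def decide(self, pkt: Packet) -> str:
        key: FlowKey = (pkt.src, pkt.dst, pkt.dport, pkt.proto)
        if key in self.flows:
            return "pass"
        opens_flow = pkt.proto == "udp" or pkt.syn
        if opens_flow and (pkt.proto, pkt.dport) in self.allowed_ports:
            self.flows.add(key)
            return "pass"
        return "drop"          # mid-stream packet with no flow, or port not allowed


class DeepPacketInspector:
    """Slow path stage 2: constructed payload rules, not vendor rules."""
    RULES = [
        ("http-dir-traversal", 80, re.compile(rb"\.\./")),
        ("http-long-uri", 80, re.compile(rb"^(GET|POST) /[^ ]{256,}")),
    ]

    def decide(self, pkt: Packet) -> Tuple[str, Optional[str]]:
        for name, port, rx in self.RULES:
            if pkt.dport == port and rx.search(pkt.payload):
                return "drop", name
        return "pass", None


class IntrusionDefense:
    def __init__(self, inline: bool = True) -> None:
        self.inline = inline   # inline enforces drops; tap mode only reports them
        self.micro = MicroFirewall(blacklist={"203.0.113.9"},      # assumed blocklisted host
                                   bypass_ports={("tcp", 10000)})  # assumed backup traffic
        self.stateful = StatefulFirewall(allowed_ports={("tcp", 80), ("tcp", 22)})
        self.dpi = DeepPacketInspector()
        self.reached: Dict[str, int] = {"fastpath": 0, "stateful": 0, "dpi": 0}

    def handle(self, pkt: Packet) -> Tuple[str, str]:
        """Returns (verdict, stage that decided); a drop becomes an alert in tap mode."""
        self.reached["fastpath"] += 1
        fast = self.micro.decide(pkt)
        if fast is not None:
            return self._enforce(fast), "fastpath"
        self.reached["stateful"] += 1
        if self.stateful.decide(pkt) == "drop":
            return self._enforce("drop"), "stateful"
        self.reached["dpi"] += 1
        verdict, rule = self.dpi.decide(pkt)
        return self._enforce(verdict), (f"dpi:{rule}" if rule else "dpi")

    def _enforce(self, verdict: str) -> str:
        return "alert" if verdict == "drop" and not self.inline else verdict


def demo(inline: bool = True) -> dict:
    """Constructed packet trace against one protected VM at 10.0.0.20."""
    ids = IntrusionDefense(inline=inline)
    trace = [
        Packet("203.0.113.9", "10.0.0.20", 80, "tcp", syn=True),      # blacklisted source
        Packet("10.0.0.5", "10.0.0.20", 10000, "tcp", syn=True),      # bypassed backup port
        Packet("198.51.100.7", "10.0.0.20", 80, "tcp", syn=True),     # opens an allowed flow
        Packet("198.51.100.7", "10.0.0.20", 80, "tcp", payload=b"GET /index.html HTTP/1.1"),
        Packet("198.51.100.7", "10.0.0.20", 80, "tcp", payload=b"GET /../../etc/passwd HTTP/1.1"),
        Packet("198.51.100.8", "10.0.0.20", 22, "tcp", payload=b"SSH-2.0"),  # no flow open
        Packet("198.51.100.8", "10.0.0.20", 3389, "tcp", syn=True),   # port not allowed
    ]
    return {"results": [ids.handle(p) for p in trace], "reached": ids.reached}


if __name__ == "__main__":
    for verdict, stage in demo()["results"]:
        print(f"{verdict:5} <- {stage}")
```

Of the seven packets only three reach DPI, which is the point of the split: the cheap fast-path decisions are taken per packet with no state, the stateful firewall refuses mid-stream packets for flows it never saw opened, and only traffic that survives both is paid for with payload inspection. Running the same trace with inline=False shows tap mode: the verdicts are unchanged but every drop is reported as an alert rather than enforced.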
New Paradigm #3: Virtualization-aware agents
[Diagram: VMs (App / OS) on vSphere, with vCenter linked to the security management]
• vCenter integration makes security virtualization-aware
• V-aware agents complement the virtual appliance
• Use cases: offline desktops, compliance, defense in depth
New Paradigm #4: Security that is Cloud-Ready
[Diagram: VMs (App / OS) on vSphere, with protection travelling with the VM]
• Security for datacenter VMs moves to the cloud with the application and data
• Advanced security modules (IDS / IPS, integrity monitoring) protect the server in a multi-tenant environment
Trend Micro: Security Built for VMware
Security Built for VMware
• Founded: United States, 1988
• Headquarters: Tokyo, Japan
• Offices: 23 countries
• Employees: 4,350
• Market: Internet content security
• Leadership: US $1 billion annual revenue; 1,000+ threat research experts; 10 labs, 24x7 ops; real-time alerts for new threats
Trend Micro security & compliance solutions help VMware customers:
• Accelerate and complete their virtualization journey
• More fully leverage their VMware investments
• Maximize their virtualization ROI
Trend Micro Deep Security: Server & application protection
• The latest anti-malware module adds to the existing set of advanced protection modules: Firewall, Web app protection, Log Inspection, Integrity Monitoring, Intrusion Detection / Prevention, Anti-Malware
Trend Micro Deep Security: Server & application protection
5 protection modules; protection is delivered via Agent and/or Virtual Appliance
• Deep Packet Inspection
  - IDS / IPS: detects and blocks known and zero-day attacks that target vulnerabilities
  - Web Application Protection: shields web application vulnerabilities
  - Application Control: provides increased visibility into, or control over, applications accessing the network
• Firewall: reduces the attack surface; prevents DoS and detects reconnaissance scans
• Integrity Monitoring: detects malicious and unauthorized changes to directories, files, registry keys…
• Log Inspection: optimizes the identification of important security events buried in log entries
• Anti-Virus: detects and blocks malware (web threats, viruses & worms, Trojans)
Trend Micro Deep Security: Security Built for VMware
[Diagram with four numbered elements:]
1. Inline virtual appliance: AV, IDS / IPS, FW; greater efficiency; manageability
2. Agent-based security: comprehensive protection within the datacenter; mobility, to extend protection to the public cloud
3. Hypervisor / vCenter integration: enables virtualization-aware security; eliminates instant-on gaps
4. Coordinated approach: optimized protection; operational efficiency
Deep Security 7.5 Integrates vShield Endpoint & VMsafe
[Diagram: Virtual Appliance linked to vShield Endpoint and to SPN]
Agent-less real-time scan
• Triggers notifications to the AV engine on file open / close
• Provides access to file data for scanning
Agent-less manual and scheduled scan
• On-demand scans are coordinated and staggered
• Traverses the guest file system and triggers notifications to the AV engine
• Integrates with vShield Endpoint (in vSphere 4.1)
• Zero-day protection
• Trend Micro SPN (Smart Protection Network) integration
Agent-less remediation
• Active Action, Delete, Pass, Quarantine, Clean
API-level caching
• Caching of data and results to minimize data traffic and optimize performance
Thank You
www.trendmicro.com/deepsecurity
www.vmware.com/trendmicro