trend micro vforum agentless scanning presentation

TRANSCRIPT

Page 1: Trend Micro VForum Agentless Scanning Presentation

© 2009 VMware Inc. All rights reserved

Confidential

Agentless Anti-Virus and IDS/IPS: A New Paradigm for Security in Virtual Environments

Harish Agastya, Director of Datacenter Security, Trend Micro

Page 2: Trend Micro VForum Agentless Scanning Presentation


Agenda

Security Roadblocks in the Virtualization Journey

Threat Evolution and the Porous Perimeter

New Security Paradigms on the vSphere platform

Trend Micro: Security Built for VMware

Page 3: Trend Micro VForum Agentless Scanning Presentation

Securing Servers the Traditional Way

[Diagram: three VMs (App / OS) on an ESX Server, each running its own AV agent; a network IDS / IPS sits outside the host]

• Anti-virus: local, agent-based protection in the VM
• IDS / IPS: network-based device or software solution

Page 4: Trend Micro VForum Agentless Scanning Presentation

Virtualization Journey, Stage 1: Server Consolidation

Page 5: Trend Micro VForum Agentless Scanning Presentation

Virtualization Journey, Stage 2: Expansion & Desktop

Increased Server Consolidation

Desktop Virtualization

Page 6: Trend Micro VForum Agentless Scanning Presentation

Virtualization Journey, Stage 3: From Private to Public Cloud

Page 7: Trend Micro VForum Agentless Scanning Presentation

Virtualization Journey Stages

[Chart: virtualization adoption rate for servers and desktops across Stage 1 (Server Consolidation), Stage 2 (Expansion & Desktop) and Stage 3 (Private > Public Cloud); axis ticks at 15%, 30%, 70% and 85%]

THE SECURITY INHIBITORS TO VIRTUALIZATION

Page 8: Trend Micro VForum Agentless Scanning Presentation

Security Challenges Along the Virtualization Journey

[Chart: eleven security challenges plotted against virtualization adoption rate over the phases IT Production, Business Production and ITaaS]

Challenges 1 to 4, in the order the following slides expand on them:

1. Inter-VM attacks
2. Instant-on gaps
3. Resource contention
4. Complexity of management

Further challenges shown on the chart: host controls under-deployed; mixed trust level VMs; data destruction; diminished perimeter; multi-tenancy; data access & governance; compliance / lack of audit trail.

Page 9: Trend Micro VForum Agentless Scanning Presentation

Security Inhibitors to Virtualization

1. Inter-VM attacks / blind spots

Page 10: Trend Micro VForum Agentless Scanning Presentation

Security Inhibitors to Virtualization

2. Instant-on gaps

[Diagram: VM states Active, Dormant and New VMs; dormant VMs are reactivated with out-of-date security]

Page 11: Trend Micro VForum Agentless Scanning Presentation

Security Inhibitors to Virtualization

3. Resource contention

[Screenshot: typical AV console with a 3:00am scan scheduled for every VM]

Page 12: Trend Micro VForum Agentless Scanning Presentation

Security Inhibitors to Virtualization

4. Complexity of management

• Patch agents
• Rollout patterns
• Provisioning new VMs
• Reconfiguring agents

Page 13: Trend Micro VForum Agentless Scanning Presentation


Agenda

Security Roadblocks in the Virtualization Journey

Threat Evolution and the Porous Perimeter

New Security Paradigms on the vSphere platform

Trend Micro: Security Built for VMware

Page 14: Trend Micro VForum Agentless Scanning Presentation

Today’s threat environment

• More profitable: $100 billion, estimated profits from global cybercrime -- Chicago Tribune, 2008
• More sophisticated: “Breaches go undiscovered and uncontained for weeks or months in 75% of cases.” -- Verizon Breach Report, 2009
• More frequent: “Harvard and Harvard Medical School are attacked every 7 seconds, 24 hours a day, 7 days a week.” -- John Halamka, CIO
• More targeted: “27% of respondents had reported targeted attacks.” -- 2008 CSI Computer Crime & Security Survey

Page 15: Trend Micro VForum Agentless Scanning Presentation

Perimeter defenses are not enough

[Diagram (© 2005, Third Brigade Inc.): five ways attacks bypass the perimeter: 1 Encrypted attacks, 2 Mobile computers, 3 Wireless networks, 4 Unsuspecting users, 5 Insider attacks]

Page 16: Trend Micro VForum Agentless Scanning Presentation

Number of days until a vulnerability is first exploited after the patch is made available:

2003, MS-Blast: 28 days
2004, Sasser: 18 days
2005, Zotob: 10 days
2006 …, WMF: zero-day

Exploits are happening before patches are developed

2010, IE zero-day: “Microsoft today admitted it knew of the Internet Explorer flaw used in the attacks against Google and Adobe since September last year.” -- ZDNet, January 21, 2010

Page 17: Trend Micro VForum Agentless Scanning Presentation

Where are you vulnerable?

Takes days to months until patches are available and can be tested & deployed:
• “Microsoft Tuesday”
• Oracle
• Adobe

Developers not available to fix vulnerabilities:
• No longer with company
• Working on other projects

Patches are no longer being developed:
• Red Hat 3 -- Oct 2010
• Windows 2000 -- Jul 2010
• Solaris 8 -- Mar 2009
• Oracle 10.1 -- Jan 2009

Can’t be patched because of cost, regulations, SLA reasons:
• POS
• Kiosks
• Medical Devices

Page 18: Trend Micro VForum Agentless Scanning Presentation


Agenda

Security Roadblocks in the Virtualization Journey

Threat Evolution and the Porous Perimeter

New Security Paradigms on the vSphere platform

Trend Micro: Security Built for VMware

Page 19: Trend Micro VForum Agentless Scanning Presentation

New Paradigm #1: Hypervisor-powered Security Architectures

[Diagram: three VMs (App / OS) on an ESX Server; vShield Endpoint connects them to a single anti-virus virtual appliance on the host]

• vShield Endpoint enables agentless AV scanning
• Secures VMs from the outside, no changes to VM

Page 20: Trend Micro VForum Agentless Scanning Presentation

The Opportunity with Agentless Anti-malware

[Diagram: Previously, an AV agent in every VM; today, using vShield Endpoint on vSphere, one virtual appliance scans all VMs]

• More manageable: No agents to configure, update, patch

• Faster performance: Freedom from AV Storms

• Stronger security: Instant ON protection + tamper-proofing

• Higher consolidation: Inefficient operations removed

Page 21: Trend Micro VForum Agentless Scanning Presentation

Agentless anti-malware: Architecture

[Diagram, reconstructed as a component list]

Security Virtual Appliance (configured by the Security Admin through the Anti-malware Product Console; the console link is labelled REST in the diagram):
• Anti-malware Scanning Module: On Access Scans, On Demand Scans, Remediation, Caching & Filtering, Status Monitor
• vShield Endpoint Library (EPsec interface) to the hypervisor

vSphere Platform, ESX 4.1 (managed by the VI Admin):
• vShield Endpoint ESX Module, bridging the appliance and the guests

Guest VMs (APPs, OS, Kernel, BIOS):
• vShield Guest Driver, which raises file events and serves file data; no anti-malware engine runs in the guest

Page 22: Trend Micro VForum Agentless Scanning Presentation

Agentless Anti-malware: Process flow

[Sequence diagram, reconstructed: Guest VM (APPs, OS, vShield Guest Driver) -> Security Virtual Appliance (EPsec Lib -> Anti-malware Scanning module with On Access Scans, On Demand Scans, Remediation, Caching & Filtering); time runs downward]

1. An application in the guest touches a file; the vShield Guest Driver raises a file event to the appliance through the EPsec library.
2. The scanning module asks “excluded by filter?”; an excluded file gets its result returned immediately.
3. Otherwise it asks “result cached?”; a cached verdict is returned without touching the file.
4. Only on a miss does the appliance send a file data request (the steps marked * in the diagram); the guest driver answers with the file data, and its “data cached?” check avoids re-sending data it already holds.
5. The module scans the data, caches the scan result and returns the result to the guest.
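The flow above, as an added worked example (not Trend Micro or VMware code): a small Python model of a guest driver and a scanning appliance that applies the exclusion filter, then the result cache, and only fetches file bytes on a miss. The cache key (VM, path, size, mtime), the excluded suffixes, the in-memory guest file system and the SAMPLE-MALWARE-MARKER byte string are assumptions made for the example; the real vShield Endpoint / EPsec interface is not modelled.

```python
"""Simulated agentless anti-malware scan flow.

Added illustration, not Trend Micro or VMware code. It models the slide-22
sequence: the guest driver raises a file event; the security virtual appliance
(SVA) asks "excluded by filter?", then "result cached?", and only when both
miss requests the file data, scans it, caches the verdict and remediates.
Cache key, exclusion list, file system and "malware" marker are constructed.
"""
from dataclasses import dataclass

# Constructed detection marker; a real engine matches signature databases.
MALWARE_MARKER = b"SAMPLE-MALWARE-MARKER"

@dataclass(frozen=True)
class FileEvent:
    vm: str       # metadata the guest driver can send without file contents
    path: str
    size: int
    mtime: int
    op: str       # "open", "close" or "scheduled"

class GuestDriver:
    """Stand-in for the in-guest vShield driver: raises file events and serves
    file data on request. files maps path -> (bytes, mtime); constructed."""

    def __init__(self, vm, files):
        self.vm, self.files = vm, files
        self.data_requests = 0  # how often the SVA actually pulled file bytes

    def event(self, path, op="open"):
        data, mtime = self.files[path]
        return FileEvent(self.vm, path, len(data), mtime, op)

    def read(self, path):
        self.data_requests += 1
        return self.files[path][0]

class ScanBroker:
    """SVA side: exclusion filter -> result cache -> scan -> remediation."""

    def __init__(self, excluded_suffixes=(".log", ".tmp")):
        self.excluded_suffixes = tuple(excluded_suffixes)
        self.result_cache = {}  # cache key -> verdict
        self.quarantined = []   # (vm, path) pairs that were remediated

    @staticmethod
    def _key(ev):
        # Assumption: keyed on guest-visible metadata, so a size or mtime
        # change invalidates the entry without the SVA reading the file.
        return (ev.vm, ev.path, ev.size, ev.mtime)

    @staticmethod
    def scan_bytes(data):
        return "malicious" if MALWARE_MARKER in data else "clean"

    def on_access(self, ev, driver):
        """Handle one file event; returns (stage, verdict, action)."""
        if ev.path.lower().endswith(self.excluded_suffixes):
            return ("excluded", "not-scanned", "pass")
        key = self._key(ev)
        if key in self.result_cache:
            verdict = self.result_cache[key]
            return ("cached", verdict, "quarantine" if verdict == "malicious" else "pass")
        data = driver.read(ev.path)  # the only step that moves file bytes
        verdict = self.scan_bytes(data)
        self.result_cache[key] = verdict
        if verdict == "malicious":   # remediation
            self.quarantined.append((ev.vm, ev.path))
            return ("scanned", verdict, "quarantine")
        return ("scanned", verdict, "pass")

    def on_demand(self, driver):
        """Scheduled scan: walk the guest file system, reusing cached verdicts."""
        return {p: self.on_access(driver.event(p, "scheduled"), driver)
                for p in sorted(driver.files)}

def demo():
    files = {  # constructed guest file system: path -> (bytes, mtime)
        "C:/Windows/notepad.exe": (b"MZ clean program bytes", 100),
        "C:/Users/alice/dropper.exe": (b"MZ" + MALWARE_MARKER, 200),
        "C:/Temp/debug.log": (MALWARE_MARKER, 300),  # excluded, never read
    }
    guest, sva = GuestDriver("vm-01", files), ScanBroker()
    first = sva.on_access(guest.event("C:/Users/alice/dropper.exe", "open"), guest)
    second = sva.on_access(guest.event("C:/Users/alice/dropper.exe", "close"), guest)
    excluded = sva.on_access(guest.event("C:/Temp/debug.log"), guest)
    sweep = sva.on_demand(guest)
    # The file changes on disk, so its key changes and it is scanned again.
    guest.files["C:/Users/alice/dropper.exe"] = (b"MZ clean after cleanup", 201)
    rescanned = sva.on_access(guest.event("C:/Users/alice/dropper.exe"), guest)
    return {"first": first, "second": second, "excluded": excluded, "sweep": sweep,
            "rescanned": rescanned, "data_requests": guest.data_requests,
            "quarantined": sva.quarantined}

if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

Running demo() shows the two claims the slides make about caching: the close event for an already-scanned file produces no second data transfer, and the scheduled sweep only pulls bytes for the one file it has not seen. It also shows the caveat a practitioner should keep in mind: the excluded debug.log carries the marker and is never read, so an exclusion list is a deliberate blind spot and should stay as short as possible.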

Page 23: Trend Micro VForum Agentless Scanning Presentation

Agentless approach uses less ESX memory

[Chart: ESX memory consumption vs. number of guest VMs for agent-based Anti-Virus “B”, “Y” and “R”]

Page 24: Trend Micro VForum Agentless Scanning Presentation

Agentless approach uses less bandwidth: signature update for 10 agents

[Chart: update time in seconds for agent-based Anti-Virus “B”, “Y” and “R” versus agentless Anti-Virus “T”]

Page 25: Trend Micro VForum Agentless Scanning Presentation

New Paradigm #2: Opportunity to Beef up Server Security

VMsafe enables you to supplement perimeter defense: agentless IDS/IPS, firewall and application protection

[Diagram: three VMs (App / OS) on an ESX Server; VMsafe APIs connect them to a virtual appliance providing Firewall, IDS / IPS, Web app protection and Anti-Virus]

Page 26: Trend Micro VForum Agentless Scanning Presentation

CPU/Memory Inspection
• Inspection of specific memory pages
• Knowledge of the CPU state
• Policy enforcement through resource allocation

Networking
• View all IO traffic on the host
• Intercept, view, modify and replicate IO traffic
• Provide inline or passive protection

Storage
• Mount and read virtual disks (VMDK)
• Inspect IO read/writes to the storage devices
• Transparent to device & inline with ESX Storage stack

Page 27: Trend Micro VForum Agentless Scanning Presentation

Intrusion Defense with VMsafe

[Flow diagram, reconstructed: an incoming or outgoing packet, tapped or inline, enters the Fastpath Driver, where a Micro Firewall (Blacklist & Bypass) either drops it or passes it on; a Stateful Firewall then drops or passes it; packets that pass go to the Slowpath Driver for DPI]
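As an added worked example of the pipeline in the diagram above (not Trend Micro or VMware code), the Python below chains a stateless micro firewall, a stateful firewall and a DPI stage and reports which stage decided each packet. The blacklist, the bypass rule for TCP/3260, the allowed inbound port and the DPI patterns are constructed for the example; the VMsafe network API itself is not modelled.

```python
"""Simulated fastpath/slowpath intrusion-defense pipeline.

Added illustration, not Trend Micro or VMware code. It models the slide-27
flow: a packet (tapped or inline, either direction) enters the fastpath
driver, where a micro firewall drops blacklisted sources and passes bypass
traffic uninspected; the rest goes to a stateful firewall, and only packets
it admits reach the slowpath driver for deep packet inspection (DPI).
Addresses, ports, rules and payloads are constructed for this example.
"""
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    direction: str   # "in" (toward the VM) or "out" (from the VM)
    src: str
    sport: int
    dst: str
    dport: int
    proto: str       # "tcp" or "udp"
    flags: str = ""  # TCP flag letters, e.g. "S", "SA", "A"
    payload: bytes = b""

class IntrusionDefense:
    def __init__(self, blacklist, bypass, allowed_inbound, dpi_rules):
        self.blacklist = set(blacklist)              # source IPs dropped in fastpath
        self.bypass = set(bypass)                    # (proto, dport) passed uninspected
        self.allowed_inbound = set(allowed_inbound)  # (proto, dport) new inbound flows allowed
        self.dpi_rules = list(dpi_rules)             # (rule name, byte pattern)
        self.flows = set()                           # tracked flows, inbound orientation

    @staticmethod
    def _flow(pkt):
        # Normalise to inbound orientation so a reply matches the same entry.
        if pkt.direction == "in":
            return (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        return (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)

    def micro_firewall(self, pkt):
        """Fastpath: stateless header checks only, no payload."""
        if pkt.src in self.blacklist:
            return "drop"
        if (pkt.proto, pkt.dport) in self.bypass:
            return "pass"
        return None  # undecided, continue down the pipeline

    def stateful_firewall(self, pkt):
        flow = self._flow(pkt)
        if flow in self.flows:
            return "pass"  # belongs to a tracked flow
        if pkt.direction == "out":
            self.flows.add(flow)  # VM-initiated: let the replies back in
            return "pass"
        new_tcp = pkt.proto == "tcp" and "S" in pkt.flags and "A" not in pkt.flags
        if (pkt.proto, pkt.dport) in self.allowed_inbound and (new_tcp or pkt.proto == "udp"):
            self.flows.add(flow)
            return "pass"
        return "drop"  # unsolicited and no policy allows it

    def dpi(self, pkt):
        """Slowpath: payload inspection for packets the firewall admitted."""
        for name, pattern in self.dpi_rules:
            if pattern in pkt.payload:
                return ("drop", name)
        return ("pass", None)

    def process(self, pkt):
        """Run one packet through all stages; returns (stage, verdict, reason)."""
        verdict = self.micro_firewall(pkt)
        if verdict == "drop":
            return ("fastpath", "drop", "blacklist")
        if verdict == "pass":
            return ("fastpath", "pass", "bypass")
        if self.stateful_firewall(pkt) == "drop":
            return ("stateful", "drop", "no-flow-or-policy")
        verdict, rule = self.dpi(pkt)
        return ("slowpath", verdict, rule)

def demo():
    ids = IntrusionDefense(
        blacklist={"203.0.113.9"},
        bypass={("tcp", 3260)},  # constructed: storage (iSCSI) traffic skips inspection
        allowed_inbound={("tcp", 80)},
        dpi_rules=[("http-path-traversal", b"../"), ("sql-injection", b"' OR 1=1")],
    )
    vm = "10.0.0.5"
    pkts = {  # constructed traffic, processed in this order
        "blacklisted": Packet("in", "203.0.113.9", 40000, vm, 80, "tcp", "S"),
        "storage": Packet("in", "10.0.0.20", 50000, vm, 3260, "tcp", "A", b"\x00" * 16),
        "ssh_probe": Packet("in", "198.51.100.7", 40001, vm, 22, "tcp", "S"),
        "unsolicited_ack": Packet("in", "198.51.100.7", 40002, vm, 80, "tcp", "A"),
        "http_syn": Packet("in", "198.51.100.8", 40003, vm, 80, "tcp", "S"),
        "http_get": Packet("in", "198.51.100.8", 40003, vm, 80, "tcp", "A",
                           b"GET /index.html HTTP/1.1\r\n"),
        "http_attack": Packet("in", "198.51.100.8", 40003, vm, 80, "tcp", "A",
                              b"GET /../../etc/passwd HTTP/1.1\r\n"),
        "dns_out": Packet("out", vm, 53001, "10.0.0.2", 53, "udp", "", b"query"),
        "dns_reply": Packet("in", "10.0.0.2", 53, vm, 53001, "udp", "", b"answer"),
    }
    return {name: ids.process(p) for name, p in pkts.items()}

if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:16} {result}")
```

The stage ordering is the point: the fastpath never reads payloads, so bypass entries skip DPI entirely and should be limited to traffic you cannot afford to inspect (the constructed storage rule here), and a blacklist keyed on source address does nothing against a spoofed or newly acquired source. Unsolicited inbound packets that match no tracked flow and no allow rule (the lone ACK and the SSH probe) are dropped before DPI ever sees them, while the DNS reply is admitted only because the VM's own outbound query created the flow entry.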

Page 28: Trend Micro VForum Agentless Scanning Presentation

New Paradigm #3: Virtualization-aware agents

[Diagram: VMs (App / OS) on vSphere running agents, managed through vCenter]

• vCenter integration makes security virtualization-aware
• V-aware agents complement virtual appliance
• Use cases: offline desktops, compliance, defense in depth

Page 29: Trend Micro VForum Agentless Scanning Presentation

New Paradigm #4: Security that is Cloud-Ready

[Diagram: VMs (App / OS) moving from vSphere into the cloud together with their security]

• Security for datacenter VMs moves to the cloud with application and data
• Advanced security modules (IDS/IPS, Integrity monitoring) protect servers in multi-tenant environments

Page 30: Trend Micro VForum Agentless Scanning Presentation


Agenda

Security Roadblocks in the Virtualization Journey

Threat Evolution and the Porous Perimeter

New Security Paradigms on the vSphere platform

Trend Micro: Security Built for VMware

Page 31: Trend Micro VForum Agentless Scanning Presentation

Security Built for VMware

Founded: United States, 1988
Headquarters: Tokyo, Japan
Offices: 23 countries
Employees: 4,350
Market: Internet Content Security
Leadership: US $1 Billion annual revenue; 1,000+ Threat Research Experts; 10 labs, 24x7 ops; real-time alerts for new threats

Trend Micro security & compliance solutions help VMware customers:
• Accelerate and complete their virtualization journey
• More fully leverage their VMware investments
• Maximize their virtualization ROI

Page 32: Trend Micro VForum Agentless Scanning Presentation

Trend Micro Deep Security: Server & application protection

• Latest anti-malware module adds to existing set of advanced protection modules

Modules: Firewall, Web app protection, Log Inspection, Integrity Monitoring, Anti-Malware, Intrusion Detection / Prevention

Page 33: Trend Micro VForum Agentless Scanning Presentation

Trend Micro Deep Security: Server & application protection

5 protection modules; protection is delivered via Agent and/or Virtual Appliance

Deep Packet Inspection
• IDS / IPS: Detects and blocks known and zero-day attacks that target vulnerabilities
• Web Application Protection: Shields web application vulnerabilities
• Application Control: Provides increased visibility into, or control over, applications accessing the network

Firewall: Reduces attack surface. Prevents DoS & detects reconnaissance scans

Integrity Monitoring: Detects malicious and unauthorized changes to directories, files, registry keys…

Log Inspection: Optimizes the identification of important security events buried in log entries

Anti-Virus: Detects and blocks malware (web threats, viruses & worms, Trojans)

Page 34: Trend Micro VForum Agentless Scanning Presentation

Trend Micro Deep Security: Security Built for VMware

1. Inline virtual appliance:
• AV, IDS/IPS, FW
• Greater efficiency
• Manageability

2. Agent-based security:
• Comprehensive protection within datacenter
• Mobility, to extend protection to public cloud

3. Hypervisor / vCenter integration:
• Enables virtualization-aware security
• Eliminates instant-on gaps

4. Coordinated approach:
• Optimized protection
• Operational efficiency

Page 35: Trend Micro VForum Agentless Scanning Presentation

Deep Security 7.5 Integrates vShield Endpoint & VMsafe

Agent-Less Real Time Scan
• Triggers notifications to AV engine on file open/close
• Provides access to file data for scanning

Agent-Less Manual and Scheduled Scan
• On demand scans are coordinated and staggered
• Traverses guest file-system and triggers notifications to the AV engine
• Integrates with vShield Endpoint (in vSphere 4.1)
• Zero Day Protection
• Trend Micro SPN Integration

Agent-Less Remediation
• Active Action, Delete, Pass, Quarantine, Clean

API Level Caching
• Caching of data and results to minimize data traffic and optimize performance

[Diagram: Virtual Appliance, vShield Endpoint and SPN]

Page 36: Trend Micro VForum Agentless Scanning Presentation

Thank You

www.trendmicro.com/deepsecurity
www.vmware.com/trendmicro