2. 2 Confidential
Agenda
Security Roadblocks in the Virtualization Journey
Threat Evolution and the Porous Perimeter
New Security Paradigms on the vSphere platform
Trend Micro: Security Built for VMware
3.
Securing Servers the Traditional Way
[Diagram: an ESX Server hosting three VMs; each VM runs App + OS with its own AV agent inside, and a network IDS / IPS sits in front of the host.]
• Anti-virus: local, agent-based protection in the VM
• IDS / IPS: network-based device or software solution
14.
Today's threat environment
• More profitable: $100 billion estimated profits from global cybercrime
  -- Chicago Tribune, 2008
• More sophisticated: "Breaches go undiscovered and uncontained for weeks or months in 75% of cases."
  -- Verizon Breach Report, 2009
• More frequent: "Harvard and Harvard Medical School are attacked every 7 seconds, 24 hours a day, 7 days a week."
  -- John Halamka, CIO
• More targeted: "27% of respondents had reported targeted attacks."
  -- 2008 CSI Computer Crime & Security Survey
16.
Number of days until a vulnerability is first exploited after a patch is made available:
• 2003: MS-Blast, 28 days
• 2004: Sasser, 18 days
• 2005: Zotob, 10 days
• 2006 …: WMF, zero-day
• 2010: IE zero-day
Exploits are happening before patches are developed.
"Microsoft today admitted it knew of the Internet Explorer flaw used in the attacks against Google and Adobe since September last year."
-- ZDNet, January 21, 2010
17.
Where are you vulnerable?
Takes days to months until patches are available and can be tested & deployed:
• "Microsoft Tuesday"
• Oracle
• Adobe
Developers not available to fix vulnerabilities:
• No longer with company
• Working on other projects
Patches are no longer being developed:
• Red Hat 3 -- Oct 2010
• Windows 2000 -- Jul 2010
• Solaris 8 -- Mar 2009
• Oracle 10.1 -- Jan 2009
Can't be patched because of cost, regulations, SLA reasons:
• POS
• Kiosks
• Medical Devices
19.
New Paradigm #1: Hypervisor-powered Security Architectures
[Diagram: an ESX Server hosting three VMs (App + OS) with no AV agent inside them; a vShield Endpoint anti-virus virtual appliance on the same host scans them.]
• vShield Endpoint enables agentless AV scanning
• Secures VMs from the outside, no changes to VM
20.
The Opportunity with Agentless Anti-malware
[Diagram: "Previously" shows an agent inside every VM on vSphere; "Today using vShield Endpoint" shows a single virtual appliance per host with no in-guest agents.]
• More manageable: no agents to configure, update, patch
• Faster performance: freedom from AV storms
• Stronger security: instant-on protection + tamper-proofing
• Higher consolidation: inefficient operations removed
21. 21 Confidential
Security Virtual ApplianceSecurity Virtual Appliance
VM
APP
OS
Kernel
Kernel
BIOS
ESX 4.1
vSphere Platform
VM
APP
OS
Kernel
Kernel
BIOS
Guest VM
OS
Anti-malware
Product
Console
Anti-malware
Product
Console
vShield Endpoint
Library
Agentless anti-malware: Architecture
Anti-malware Scanning ModuleAnti-malware Scanning Module
vShield Endpoint ESX
Module
vShield Endpoint ESX
Module
On Access ScansOn Access Scans
On Demand ScansOn Demand Scans
Vshield Guest
Driver
Vshield Guest
Driver
EPsec
Interface
VI Admin
Security
Admin
RemediationRemediation
Caching & FilteringCaching & Filtering
APPsAPPs
APPsAPPs
APPsAPPs
REST
Status
Monitor
Status
Monitor
22.
Agentless Anti-malware: Process flow
[Sequence diagram: Guest VM (APPs, OS, vShield Guest Driver) on the left, Security Virtual Appliance (EPsec Lib, Anti-malware Scanning module with On Access Scans, On Demand Scans, Remediation, Caching & Filtering) on the right; time runs downward.]
• file event: the vShield Guest Driver reports a file event to the appliance, which first checks "excluded by filter?" and "result cached?"
• file data request / file data: when the file is neither excluded nor cached, the appliance requests the file data from the guest, in one or more request/data exchanges
• scan result: the scanning module returns its result, which is cached and passed back to the guest as the result of the file event
• later file events for the same file check "data cached?" and are answered with the cached result, without another file data transfer
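An added simulation of that message flow (not code from the slides, from VMware or from Trend Micro): a security virtual appliance applying the exclusion filter, the shared result cache and the file data request for two guests on one host. File contents, paths, the exclusion list and the signature are constructed; keying the cache on a content hash rather than on the path is an assumption about how a safe cache should behave, not a statement about vShield Endpoint.

```python
import hashlib

# Constructed guest file images (not real malware): the appliance cannot read
# them directly and must pull the bytes through the guest driver on request.
GUEST_FILES = {
    "vm1": {"C:\\bin\\tool.exe": b"MZ...benign-tool",
            "C:\\tmp\\trace.log": b"plain log text",
            "C:\\dl\\dropper.exe": b"MZ...MALWARE-MARKER"},
    "vm2": {"C:\\bin\\tool.exe": b"MZ...benign-tool",        # identical to vm1's copy
            "C:\\dl\\dropper.exe": b"MZ...MALWARE-MARKER!"},  # modified: one byte appended
}
EXCLUDED_EXT = (".log", ".txt")         # constructed filter: never scanned
SIGNATURES = (b"MALWARE-MARKER",)       # constructed signature set


class SecurityVirtualAppliance:
    """Simulated SVA: filter -> result cache -> file data request -> scan -> cache."""

    def __init__(self):
        self.result_cache = {}      # content hash -> verdict, shared by all guests
        self.bytes_transferred = 0  # file data pulled over the vShield channel

    def on_file_event(self, vm, path):
        # Caching & Filtering: excluded files never trigger a data transfer.
        if path.lower().endswith(EXCLUDED_EXT):
            return "excluded"
        # Assumption: the guest driver supplies a content hash with the event,
        # so the cache is keyed on content, not on path; a modified or renamed
        # file cannot inherit a stale "clean" verdict.
        digest = hashlib.sha256(GUEST_FILES[vm][path]).hexdigest()
        if digest in self.result_cache:          # result cached? answer at once
            return self.result_cache[digest]
        data = GUEST_FILES[vm][path]             # file data request / file data
        self.bytes_transferred += len(data)
        verdict = "infected" if any(s in data for s in SIGNATURES) else "clean"
        self.result_cache[digest] = verdict      # cached for every VM on the host
        return verdict


def run_demo():
    """Replays five file events from two guests; returns verdicts, bytes, cache size."""
    sva = SecurityVirtualAppliance()
    events = [("vm1", "C:\\bin\\tool.exe"), ("vm1", "C:\\tmp\\trace.log"),
              ("vm1", "C:\\dl\\dropper.exe"), ("vm2", "C:\\bin\\tool.exe"),
              ("vm2", "C:\\dl\\dropper.exe")]
    verdicts = [sva.on_file_event(vm, p) for vm, p in events]
    return verdicts, sva.bytes_transferred, len(sva.result_cache)
```

Only three of the five events cost a data transfer: the log file is filtered out and vm2's unchanged tool.exe is answered from the cache populated by vm1, while the modified dropper hashes differently and is scanned again.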
24.
Agentless approach uses less bandwidth
[Chart: time in seconds for a signature update for 10 agents, comparing Anti-Virus "B", "Y", "R" and "T" against the agentless approach.]
25.
New Paradigm #2: Opportunity to Beef up Server Security
VMsafe enables you to supplement perimeter defense with agentless IDS/IPS, firewall and application protection.
[Diagram: an ESX Server hosting three VMs (App + OS); a virtual appliance attached through the VMsafe APIs provides Firewall, IDS / IPS, Web app and Anti-Virus protection.]
26.
VMsafe™ APIs
CPU/Memory Inspection
• Inspection of specific memory pages
• Knowledge of the CPU state
• Policy enforcement through resource allocation
Networking
• View all IO traffic on the host
• Intercept, view, modify and replicate IO traffic
• Provide inline or passive protection
Storage
• Mount and read virtual disks (VMDK)
• Inspect IO read/writes to the storage devices
• Transparent to device & inline with ESX Storage stack
27.
Intrusion Defense with VMsafe
[Flow diagram: an incoming or outgoing packet first enters the Fastpath Driver, where a Micro Firewall (Blacklist & Bypass) operating in tap or inline mode either drops it or passes it on. Packets that pass reach the Slowpath Driver, where a Stateful Firewall drops or passes them; passed packets are then examined by DPI.]
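As an added illustration (not from the slides or from any VMware or Trend Micro code), a simulation of the inline packet path just described: a fastpath micro firewall with blacklist and bypass, then a slowpath stateful firewall, then DPI. The packet shape, addresses, ports, state tracking and signatures are constructed and deliberately simple.

```python
from collections import namedtuple

# Constructed packet shape: src IP, dst IP, dst port, connection-opening flag, payload.
Packet = namedtuple("Packet", "src dst dport syn payload", defaults=[b""])

# Constructed policy values; illustrative only, not taken from any product.
BLACKLIST = {"198.51.100.7"}                    # fastpath: drop without further work
BYPASS_PORTS = {3260}                           # fastpath: e.g. trusted iSCSI, skip inspection
INBOUND_ALLOWED = {80, 443}                     # slowpath firewall: new inbound flows permitted
DPI_SIGNATURES = (b"/etc/passwd", b"' OR 1=1")  # slowpath DPI: crude payload signatures


class VMsafePipeline:
    def __init__(self):
        self.established = set()  # (src, dst, dport) flows the firewall already admitted

    def fastpath(self, pkt):
        # Micro firewall (blacklist & bypass): cheap checks applied to every packet.
        if pkt.src in BLACKLIST:
            return "drop"
        if pkt.dport in BYPASS_PORTS:
            return "pass"         # never reaches the slowpath, so never inspected
        return "slowpath"

    def process(self, pkt):
        # Returns (deciding stage, verdict) so the caller can see which path was taken.
        verdict = self.fastpath(pkt)
        if verdict != "slowpath":
            return ("fastpath", verdict)
        # Slowpath stage 1, stateful firewall: known flows pass; new flows only to allowed ports.
        key = (pkt.src, pkt.dst, pkt.dport)
        if key not in self.established:
            if not (pkt.syn and pkt.dport in INBOUND_ALLOWED):
                return ("slowpath-firewall", "drop")
            self.established.add(key)
        # Slowpath stage 2, DPI: only packets the firewall admitted are inspected this deeply.
        hit = any(sig in pkt.payload for sig in DPI_SIGNATURES)
        return ("slowpath-dpi", "drop" if hit else "pass")


def run_demo():
    pipe = VMsafePipeline()
    packets = [Packet("198.51.100.7", "10.0.0.5", 443, True),   # blacklisted source
               Packet("10.0.0.9", "10.0.0.20", 3260, True),     # bypassed storage flow
               Packet("203.0.113.4", "10.0.0.5", 22, True),     # new inbound SSH: refused
               Packet("203.0.113.4", "10.0.0.5", 80, True, b"GET / HTTP/1.1"),
               Packet("203.0.113.4", "10.0.0.5", 80, False, b"GET /?id=1' OR 1=1"),
               Packet("203.0.113.4", "10.0.0.5", 80, False, b"GET /index.html")]
    return [pipe.process(p) for p in packets]
```

A bypassed flow (port 3260 here) skips both the stateful firewall and DPI, so entries on a bypass list deserve the same review as firewall exceptions.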
28.
New Paradigm #3: Virtualization-aware agents
[Diagram: VMs (App + OS) on vSphere, with vCenter connected to the security agents.]
• vCenter integration makes security virtualization-aware
• V-aware agents complement virtual appliance
• Use cases: offline desktops, compliance, defense in depth
29.
New Paradigm #4: Security that is Cloud-Ready
[Diagram: VMs (App + OS) on vSphere, with one VM moving out to the cloud.]
• Security for datacenter VMs moves to the cloud with application and data
• Advanced security modules (IDS/IPS, integrity monitoring) protect servers in multi-tenant environments
31.
Founded: United States, 1988
Headquarters: Tokyo, Japan
Offices: 23 countries
Employees: 4,350
Market Leadership: Internet Content Security
US $1 Billion annual revenue; 1,000+ Threat Research Experts; 10 labs, 24x7 ops; real-time alerts for new threats
Security Built for VMware
Trend Micro security & compliance solutions for VMware customers:
• Accelerate and complete their virtualization journey
• More fully leverage their VMware investments
• Maximize their virtualization ROI
32.
Trend Micro Deep Security
Server & application protection
• Latest anti-malware module adds to existing set of advanced protection modules
[Diagram: protection modules: Firewall, Web app protection, Log Inspection, Integrity Monitoring, Anti-Malware, Intrusion Detection / Prevention.]
33.
Trend Micro Deep Security
Server & application protection
Protection is delivered via Agent and/or Virtual Appliance.
5 protection modules:
• Deep Packet Inspection
  • IDS / IPS: detects and blocks known and zero-day attacks that target vulnerabilities
  • Web Application Protection: shields web application vulnerabilities
  • Application Control: provides increased visibility into, or control over, applications accessing the network
• Firewall: reduces attack surface; prevents DoS & detects reconnaissance scans
• Integrity Monitoring: detects malicious and unauthorized changes to directories, files, registry keys…
• Log Inspection: optimizes the identification of important security events buried in log entries
• Anti-Virus: detects and blocks malware (web threats, viruses & worms, Trojans)
34.
Trend Micro Deep Security
Security Built for VMware
1. Inline virtual appliance:
• AV, IDS/IPS, FW
• Greater efficiency
• Manageability
2. Agent-based security:
• Comprehensive protection within datacenter
• Mobility – to extend protection to public cloud
3. Hypervisor / vCenter integration:
• Enables virtualization-aware security
• Eliminates instant-on gaps
4. Coordinated approach:
• Optimized protection
• Operational efficiency
35.
Deep Security 7.5 Integrates vShield Endpoint & VMsafe
[Diagram: the Virtual Appliance connected to vShield Endpoint and to SPN.]
Agent-Less Real Time Scan
• Triggers notifications to AV engine on file open/close
• Provides access to file data for scanning
Agent-Less Manual and Schedule Scan
• On demand scans are coordinated and staggered
• Traverses guest file-system and triggers notifications to the AV engine
• Integrates with vShield Endpoint (in vSphere 4.1)
• Zero Day Protection
• Trend Micro SPN Integration
Agent-Less Remediation
• Active Action, Delete, Pass, Quarantine, Clean
API Level Caching
• Caching of data and results to minimize data traffic and optimize performance
New security solutions can be developed and integrated into VMware virtual infrastructure.
Protect the VM by inspection of virtual components (CPU, memory, network and storage).
Provides an unprecedented level of security for the application and the data inside the VM.
Complete integration with, and awareness of, VMotion, Storage VMotion, HA, etc.
CPU/Memory Inspection
• Inspection of specific memory pages used by the VM or its applications
• Knowledge of the CPU state
• Policy enforcement through resource allocation of CPU and memory pages
Networking
• View all IO traffic on the host
• Ability to intercept, view, modify and replicate IO traffic from any one VM or all VMs on a single host
• Capability to provide inline or passive protection
Storage
• Mount and read virtual disks (VMDK)
• Inspect IO read/writes to the storage devices
• Transparent to device & inline with ESX Storage stack