Presentation by Álvaro Sierra, Major Account Manager at Trend Micro, during the Jornada Tecnológica 2011 of Nextel S.A.
http://www.nextel.es/eventos_/jornada-tecnologica/
4. Security: the #1 Cloud Challenge
Security and privacy were the foremost concerns by far, with a weighted score higher than the next three (performance, immaturity and regulatory compliance) combined.
Gartner (April 2010)
Copyright 2009 Trend Micro Inc. 4
5. The Dynamic Datacenter
88% of North American enterprises: [no] virtualization security strategy.
Forrester Research / Info Week
2012, 60% of virtualized servers.. less secure than… physical servers….
Gartner, “Addressing the Most Common Security Risks in Data Center Virtualization Projects”, 25 January 2010
Physical → Virtual → Cloud
“Technologies and practices for securing physical servers won’t provide sufficient protections for VMs.”
Neil MacDonald, Gartner, June 2009
“Number one concern (87.5%) about cloud services is security.”
Frank Gens, IDC, Senior VP & Chief Analyst
6. At what point are you vulnerable?
Days or even months pass until patches are available and have been tested/deployed
• “Microsoft Tuesday”
• Oracle
• Adobe
Developers are not available to fix the vulnerabilities
• They have left the company
• They are working on other projects
Systems cannot be patched because of high cost, regulations or SLAs
• POS: point-of-sale terminals
• site cabins
• medical devices…
Patches are no longer released
• Red Hat 3 -- Oct 2010
• Windows 2000 -- Jul 2010
• Solaris 8 -- Mar 2009
• Oracle 10.1 -- Jan 2009
7. VMs Need Specialized Protection
Same threats in virtualized servers as physical
+ New challenges:
1. Dormant VMs
2. Resource contention
3. VM Sprawl
4. Inter-VM traffic
5. vMotion
9. Server Virtualization Security
Overcoming resource contention
[Figure: “A new, better way” – Security Virtual Appliance with scans scheduled at 3:00am, 4:00am, 5:00am, 6:00am]
Classification 6/27/2011
10. vSphere 4 - VMsafe™ APIs
CPU/Memory Inspection
• Inspection of specific memory pages
• Knowledge of the CPU state
• Policy enforcement through resource allocation
Networking
• View all IO traffic on the host
• Intercept, view, modify and replicate IO traffic
• Provide inline or passive protection
Storage
• Mount and read virtual disks (VMDK)
• Inspect IO read/writes to the storage devices
• Transparent to device & inline with ESX Storage stack
11. Agentless Anti-Virus Overview
These are the key “building blocks” for VMware customers
Agent-less Anti-Virus for VMware
The idea: Protection for virtualized desktops and datacenters
The components:
– Trend Micro Deep Security Anti-malware: A virtual appliance that detects and blocks malware (web threats, viruses & worms, Trojans).
– VMware vShield Endpoint: Enables offloading of antivirus processing to Trend Micro Deep Security Anti-malware – a dedicated, security-hardened VM.
Customer benefits: Higher Consolidation, Faster Performance, Better Manageability, Stronger Security
Differentiator: The first and only agentless anti-virus solution architected for VMware
13. Protection beyond Anti-Malware
Beyond providing Agentless AV, Trend Micro Deep Security provides additional protection for VMware customers
DEEP SECURITY
1. Agentless Anti-Malware (vShield Endpoint): Detects and blocks malware (web threats, viruses & worms, Trojans). (PCI*)
2. Agentless, via VMsafe APIs:
– IDS / IPS: Detects and blocks known and zero-day attacks that target vulnerabilities (PCI*)
– Web Application Protection: Shields web application vulnerabilities (PCI*)
– Application Control: Provides increased visibility into, or control over, applications accessing the network
– Firewall: Reduces attack surface. Prevents DoS & detects reconnaissance scans (PCI*)
3. Agent-based Integrity Monitoring: Detects malicious and unauthorized changes to directories, files, registry keys. (PCI*)
4. Agent-based Log Inspection: Optimizes the identification of important security events buried in log entries. (PCI*)
(PCI*): Helps address one or more PCI Data Security Standards and other compliance requirements
14. Deep Packet Inspection
IDS/IPS
– Vulnerability rules: shield known vulnerabilities from unknown attacks
– Exploit rules: stop known attacks
– Smart rules: zero-day protection from unknown exploits against an unknown vulnerability
– Microsoft Tuesday protection is delivered in synch with public vulnerability announcements.
– On the host/server (HIPS)
Web Application Protection
– Enables compliance with PCI DSS 6.6
– Shield vulnerabilities in custom web applications, until code fixes can be completed
– Shield legacy applications that cannot be fixed
– Prevent SQL injection, cross-site scripting (XSS)
Application Control
– Detect suspicious inbound/outbound traffic such as allowed protocols over non-standard ports
– Restrict which applications are allowed network access
– Detect and block malicious software from network access
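The three rule classes on this slide differ in what they key on, and the difference decides what a rule still catches when the attacker changes the payload. The following added example (not code from the slides or from Deep Security; the application paths, rule ids and request samples are constructed for illustration) runs a toy inspection engine over HTTP request lines: a vulnerability rule constrains the parameter of a hypothetical injectable handler to digits, so any payload against it is blocked; an exploit rule is a signature for one well-known attack string; and smart rules are generic heuristics for an attack class on any target.

```python
"""Toy deep-packet-inspection engine for HTTP request lines.

Constructed example: the app paths, rule ids and payloads below are
invented for illustration and are not Deep Security rules.
"""
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple
from urllib.parse import parse_qs, unquote, urlsplit

Params = Dict[str, List[str]]
Check = Callable[[str, Params], bool]


@dataclass(frozen=True)
class Rule:
    name: str   # constructed rule id and description
    kind: str   # "vulnerability" | "exploit" | "smart"
    hit: Check  # (decoded path, decoded query params) -> True when the rule fires


def param_not_numeric(param: str) -> Check:
    """Vulnerability-rule helper: the named parameter may carry digits only."""
    return lambda path, q: any(not v.isdigit() for v in q.get(param, []))


def any_param_matches(regex: str) -> Check:
    """Signature/heuristic helper applied to every decoded query value."""
    pat = re.compile(regex, re.IGNORECASE)
    return lambda path, q: any(pat.search(v) for vs in q.values() for v in vs)


RULES: List[Rule] = [
    # Vulnerability rule: the (hypothetical) /app/item handler is known to be
    # injectable through "id"; constraining the parameter to digits shields it
    # from every payload, including ones no signature has seen yet.
    Rule("vuln-0001 /app/item id must be numeric", "vulnerability",
         lambda path, q: path == "/app/item" and param_not_numeric("id")(path, q)),
    # Exploit rule: signature for one specific, well-known attack string.
    Rule("expl-0001 classic ' OR 1=1 tautology", "exploit",
         any_param_matches(r"'\s*OR\s+1\s*=\s*1")),
    # Smart rules: generic heuristics for an attack class, target-independent.
    Rule("smart-0001 SQL keyword following a quote", "smart",
         any_param_matches(r"['\"].*\b(or|and|union|select)\b")),
    Rule("smart-0002 script tag in input", "smart",
         any_param_matches(r"<\s*script\b")),
]


def parse_request_line(line: str) -> Tuple[str, Params]:
    """Split 'METHOD target HTTP/x.y' and percent-decode path and query."""
    _method, target, _version = line.split()
    parts = urlsplit(target)
    return unquote(parts.path), parse_qs(parts.query, keep_blank_values=True)


def inspect(line: str) -> List[str]:
    """Return the names of all rules that fire on one request line."""
    path, q = parse_request_line(line)
    return [r.name for r in RULES if r.hit(path, q)]


def rule_ids(line: str) -> List[str]:
    """Just the constructed rule ids, in catalogue order."""
    return [name.split()[0] for name in inspect(line)]


if __name__ == "__main__":
    # Constructed sample traffic: one benign request, the textbook payload,
    # a variant the exploit signature does not know, and an XSS probe.
    SAMPLES = [
        "GET /app/item?id=42 HTTP/1.1",
        "GET /app/item?id=42%27%20OR%201%3D1-- HTTP/1.1",
        "GET /app/item?id=42%27%20UNION%20SELECT%20name%20FROM%20users-- HTTP/1.1",
        "GET /search?q=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1",
    ]
    for s in SAMPLES:
        print(f"{s!r:<80} -> {rule_ids(s)}")
```

The third sample is the point of the slide's "shield known vulnerabilities from unknown attacks": the exploit signature misses the UNION variant, while the vulnerability rule (and the smart heuristic) still fire because they describe the weak input surface and the attack class rather than one payload.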
15. Around 100 protected applications
Operating systems: Windows (2000, XP, 2003, Vista, 2008, 7), Sun Solaris (8, 9, 10), Red Hat EL (4, 5), SuSE Linux (10, 11)
Database servers: Oracle, MySQL, Microsoft SQL Server, Ingres
Web app servers: Microsoft IIS, Apache, Apache Tomcat, Microsoft Sharepoint
Mail servers: Microsoft Exchange Server, Merak, IBM Lotus Domino, Mdaemon, Ipswitch, IMail, MailEnable Professional
FTP servers: Ipswitch, War FTP Daemon, Allied Telesis
Backup servers: Computer Associates, Symantec, EMC
Storage mgt servers: Symantec, Veritas
DHCP servers: ISC DHCPD
Desktop applications: Microsoft (Office, Visual Studio, Visual Basic, Access, Visio, Publisher, Excel Viewer, Windows Media Player), Kodak Image Viewer, Adobe Acrobat Reader, Apple Quicktime, RealNetworks RealPlayer
Mail clients: Outlook Express, MS Outlook, Windows Vista Mail, IBM Lotus Notes, Ipswitch IMail Client
Web browsers: Internet Explorer, Mozilla Firefox
Anti-virus: Clam AV, CA, Symantec, Norton, Trend Micro, Microsoft
Other applications: Samba, IBM Websphere, IBM Lotus Domino Web Access, X.Org, X Font Server prior, Rsync, OpenSSL, Novell Client
16. Microsoft Active Protections Program (MAPP)
• Microsoft Active Protections Program (MAPP)
– Program for security software vendors
– Members receive security vulnerability information from the Microsoft Security Response Center (MSRC) in advance of Microsoft’s monthly security update
– Members use this information to deliver protection to their customers after the Microsoft Security Bulletins have been published
• Trend Micro’s protection is delivered to customers within 2 hours of Microsoft Security Bulletins being published
– This enables customers to shield their vulnerable systems from attack
– Systems can then be patched during the next scheduled maintenance window
17. Recommendation Scans
• The server being protected is analyzed to determine:
– OS, service pack and patch level
– Installed applications and version
– DPI rules are recommended to shield the unpatched vulnerabilities from attacks
– As patches, hotfixes, and updates are applied over time, the Recommendation Scan will:
• Recommend new rules for assignment
• Recommend removal of rules no longer required after system patching
– Recommendations for DPI, Integrity Monitoring, and Log Inspection rules are supported
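The procedure on this slide reduces to a set difference between the rules a host needs (given its OS service-pack level and installed application versions) and the rules currently assigned to it. The following added example (not Deep Security code; rule ids, applications, versions and the "fixed in" thresholds are constructed for illustration) implements that logic and shows both halves: the first scan recommends shields for everything unpatched, and a rescan after patching recommends removing the shields that have become redundant.

```python
"""Recommendation-scan logic, as a constructed example.

Given an inventory of installed software with versions and a catalogue of
DPI rules, each tied to the version that first carries the fix, compute
which rules to assign now and which assigned rules have become redundant
because the system was patched. Rule ids, applications and versions are
invented for illustration and are not Deep Security rules.
"""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

Version = Tuple[int, ...]


def parse_version(text: str) -> Version:
    """'6.0.20' -> (6, 0, 20); 'SP2' -> (2,): only the digits of each
    dot-separated part count, so service-pack levels compare like versions."""
    return tuple(int("".join(ch for ch in part if ch.isdigit()) or 0)
                 for part in text.split("."))


@dataclass(frozen=True)
class DpiRule:
    rule_id: str        # constructed id
    app: str            # inventory key the rule shields
    fixed_in: Version   # first version that no longer needs the shield


# Constructed catalogue: each rule is needed while installed < fixed_in.
CATALOGUE: List[DpiRule] = [
    DpiRule("DPI-1001", "Apache Tomcat", (6, 0, 30)),
    DpiRule("DPI-1002", "MySQL", (5, 1, 50)),
    DpiRule("DPI-1003", "Samba", (3, 5, 0)),
    DpiRule("DPI-1004", "Windows 2003", (2,)),   # service-pack level
]


def needed_rules(inventory: Dict[str, str]) -> Set[str]:
    """Rules that shield something actually installed and still unpatched."""
    needed: Set[str] = set()
    for rule in CATALOGUE:
        installed = inventory.get(rule.app)
        if installed is not None and parse_version(installed) < rule.fixed_in:
            needed.add(rule.rule_id)
    return needed


def recommend(inventory: Dict[str, str],
              assigned: Set[str]) -> Tuple[Set[str], Set[str]]:
    """Return (rules to assign, rules to remove) for this host."""
    needed = needed_rules(inventory)
    return needed - assigned, assigned - needed


if __name__ == "__main__":
    # Constructed host inventory before any rule is assigned.
    host = {"Windows 2003": "SP1", "Apache Tomcat": "6.0.20",
            "MySQL": "5.1.40", "Samba": "3.4.7"}
    to_add, to_drop = recommend(host, set())
    print("first scan: assign", sorted(to_add), "remove", sorted(to_drop))

    # Maintenance window: Tomcat upgraded and SP2 applied, then rescan.
    assigned = set(to_add)
    patched = dict(host, **{"Apache Tomcat": "6.0.32", "Windows 2003": "SP2"})
    to_add, to_drop = recommend(patched, assigned)
    print("after patching: assign", sorted(to_add), "remove", sorted(to_drop))
```

A rule is only recommended when its application is present on the host, which is the reason the slide inventories installed applications first: assigning the whole catalogue would add inspection cost for software that is not there.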
19. In IT, do you know the differences???
[Figure: six VMs each running its own Agent (“Ahora” – now) versus vSphere (“Futuro” – future)]
20. Deep Security Virtual Appliance
Architecture of the coordinated approach
[Figure: four VMs, each with a vNIC, connected through the VMsafe API to the ESX 4 vSwitch on the hypervisor]
21. Deep Security enables higher VM densities
• Symantec/McAfee consume 3x–12x more resources in scheduled scans and could not handle more than 25 desktop VMs/host
• Deep Security supports 2–3 times the number of desktop VMs/host of traditional AV
• Deep Security supports 40–60% more server VMs/host than traditional AV
[Chart: Scheduled scan resource usage over baseline – 50 VMs per host; CPU and IOPS for Symantec, Trend and McAfee; bar labels visible in the extraction (vendor assignment not recoverable): 2143%, 307%, 2053%, 273%, 692%, 81%]
22. Agentless approach uses less ESX memory
[Chart: ESX memory consumed against # of Guest VMs for Anti-Virus “B”, “Y” and “R”]
23. Agentless approach uses less bandwidth
[Chart: Time (seconds) for a signature update for 10 agents – Anti-Virus “B”, “Y” and “R” versus agentless Anti-Virus “T”]
24. Coordinated Approach …
Coordinated Security Approach
• Agent disappears (removed / reverted to previous snapshot)
• Virtual Appliance auto-protects VM
[Figure: Deep Security Virtual Appliance* and VMware vCenter on VMware vSphere 4]
* VMware vSphere 4 VMsafe API based solution
25. Deep Security 7.5: Key Features
• Agentless real-time scanning
– Notifications to the antivirus engine
– Access to data files for scanning
• Agentless manual and/or scheduled scanning
– On-demand scans are coordinated and organized
– Notifications
• Integrates with vShield Endpoint (vSphere 4.1)
• Zero-day protection
– Integration with Smart Protection Network
• Agentless clean-up
– Active Action, Delete, Pass, Quarantine, Clean
• API-level caching
– Data caching to optimize performance
[Figure: Virtual Appliance, vShield Endpoint and SPN (Smart Protection Network)]
26. What is the difference?
27. Addressing Payment Card Industry (PCI)
Requirements
Key Deep Security features & capabilities
(1.) – Network Segmentation
(1.x) – Firewall
(6.1) – Virtual Patching*
(6.5) – Web Application Firewall
(10.6) – Review Logs Daily
(11.4) – Deploy IDS / IPS
(11.5) – Deploy File Integrity Monitoring
81% NOT PCI compliant prior to breach – Verizon 2009 Data Breach Investigation Report
* Compensating control subject to QSA approval
28. Trend Micro: Server Security Leadership
IDC Market Analysis: Worldwide Corporate Server Security Market Share
Trend Micro: 22.9%
All Others: 77.1%
“These products are generally more robust than desktop endpoint security and are available for a much wider set of operating systems (Windows, Unix, and Linux). This category also includes products that are designed to protect hypervisors and virtual servers.”
Source: Worldwide Endpoint Security 2010-2014 Forecast and 2009 Vendor Shares, IDC
29. Improves Security / Improves Virtualization
Improves Security by providing security solutions architected to fully leverage the VMware platform
Improves Virtualization by providing the most secure virtualization infrastructure, with APIs, and certification programs
The most comprehensive suite of next-generation, virtualization security solutions:
Virtual appliance- and guest-based
Tightly integrated with, and leverages, VMware APIs and technologies.
Architected to fully leverage the VMware platform for delivering better-than-physical security.