The outside-in approach is still important, but, alone, is not sufficient in today’s evolving data center. Disgruntled employees are already within the perimeter. Advanced Persistent Threats are unique attacks that will not be stopped by many traditional perimeter defenses. And the changing nature of IT is causing deperimeterization with new technologies like virtualization, cloud computing, and consumerization. New security approaches must be added to the traditional outside-in protection.
Next we’ll cover instant-on gaps. [click] Unlike a physical machine, when a virtual machine is offline, it is still available to any application that can access the virtual machine storage over the network, and is therefore susceptible to malware infection. However, dormant or offline VMs do not have the ability to run an antimalware scan agent. [click] Also, when dormant VMs are reactivated, they may have out-of-date security. [click] One of the benefits of virtualization is the ease with which VMs can be cloned. However, if a VM with out-of-date security is cloned, the new VM will have out-of-date security as well. New VMs must have a configured security agent and updated pattern files to be effectively protected. [click] Again, the solution is a dedicated security virtual appliance that can ensure that guest VMs on the same host have up-to-date security if accessed or reactivated, and can make sure that newly provisioned VMs also have current security. This security virtual appliance should include layered protection that integrates multiple technologies such as antivirus, integrity monitoring, intrusion detection and prevention, virtual patching, and more.
Trend Micro was VMware’s 2011 Technology Alliance Partner of the Year. This timeline helps highlight some of our achievements in our partnership with VMware, starting back in 2008. [Highlight a couple of key points from the timeline—do not cover it all.]
VMware controls more than half of the virtualization market. Virtualization security must fit into the VMware ecosystem to effectively support enterprise virtualization efforts. Here we demonstrate the different VM-security aspects and how they can fit into a VMware infrastructure. [click] The pairing of agentless antivirus and agentless integrity monitoring with vShield Endpoint enables a massive reduction in memory footprint for security on virtual hosts by eliminating security agents from the guest virtual machines and centralizing those functions on a dedicated security virtual machine. [click] Protection such as intrusion detection and prevention, web application protection, application control, and firewall can be integrated with VMware using VMsafe APIs, integrating security with VMware vSphere environments. Again, this can be an agentless option. [click] And finally, log inspection, which optimizes the identification of important security events buried in log entries, can be applied through agent-based protection on each VM. [click] These elements can be integrated and centrally managed with VMware vCenter Server. Together, these provide comprehensive, integrated virtual server and desktop security.
Everybody knows about the explosive growth of malware. This graph shows the growth in the size of the pattern file alone over the last 4 years. This is the industry average, not an individual vendor. Size grows faster for vendors who rely strictly on pattern files rather than taking advantage of new protection mechanisms. As a result, keeping a pattern file on every client is impractical and unsustainable.
I mentioned that the agentless approach began with agentless antivirus. Trend Micro’s agentless antivirus solution was available starting in 2010, so there’s been an opportunity to test its success. In an independent study by Tolly Enterprises, Trend Micro agentless antivirus was tested against leading traditional antivirus solutions that do not use a dedicated security virtual appliance and agentless antivirus, and the results were striking. Trend Micro’s agentless antivirus achieved 3 times higher VDI VM consolidation ratios, and similar results extended to server virtualization as well. The VDI results translate into saving almost $540,000 every 3 years for each 1000 virtual desktops.
The final virtualization challenge we’ll discuss is the complexity of management. Virtual machines are dynamic. They can quickly be reverted to previous instances, paused, and restarted, all relatively easily. They can also be readily cloned and seamlessly moved between physical servers. Vulnerabilities or configuration errors may be unknowingly propagated. Also, it is difficult to maintain an auditable record of the security state of a virtual machine at any given point in time. [click] This dynamic nature and potential for VM sprawl make it difficult to achieve and maintain consistent security. Hypervisor introspection is needed for visibility and control. Security that leverages the hypervisor APIs can ensure that each guest VM on the host remains secure and that this security coordinates with the virtualization platform.
We continue to invest in threat research and innovate our core technologies, products and services to ensure we stay one step ahead of the bad guys, to stop threats faster, and give you the actionable threat intelligence you need to make more informed choices about how best to protect your data. As the source of global threat intelligence for Trend Micro’s cloud-era security, the Trend Micro™ Smart Protection Network™ has expanded to look in more places and correlate more threat intelligence, to identify threats, deliver proactive protection, and secure data faster than any other security vendor. This expansion includes global intelligence about mobile apps, vulnerabilities/exploits, APTs and goodware. And our global threat intelligence is integrated into all our solutions, across consumer to enterprise customers, including mobile, endpoint, server, network, messaging, gateway, and SaaS solutions.
Challenge: Resource Contention | Typical Security Console | 09:00am Virus Definition Updates | Configuration Storm | Automatic security scans overburden the system | 3:00am Integrity Scan | Destroys the business case for VDI
Challenge: Instant-on Gaps | Active | Dormant | Reactivated with out-dated security | Cloned | Reactivated and cloned VMs can have out-of-date security
Deep Security Virtual Appliance (or Agent) | System, application and data security for servers | Protection is delivered via Agent and/or Virtual Appliance | 6 protection modules: Intrusion Prevention (detects and blocks known and zero-day attacks that target vulnerabilities); Web Reputation (tracks credibility of websites and safeguards users from malicious URLs); Firewall (reduces attack surface; prevents DoS & detects reconnaissance scans); Integrity Monitoring (detects malicious and unauthorized changes to directories, files, registry keys…); Log Inspection (optimizes the identification of important security events buried in log entries); Anti-Virus (detects and blocks malware: web threats, viruses & worms, Trojans) | Physical Servers | Virtual Servers | Cloud | Desktop/Laptop
Any Hypervisor: Agent Based | VMware Hypervisor: Agent-Less
2012 Technology Alliance Partner of the Year | Improves Security by providing the most secure virtualization infrastructure, with APIs, and certification programs | Improves Virtualization by providing security solutions architected to fully exploit the VMware platform | 2008 | 2009 | 2011 | Feb: Join VMsafe program | RSA: Trend Micro VMsafe demo, announces Coordinated approach & Virtual pricing | RSA: Trend Micro announces virtual appliance | 2010: >100 customers, >$1M revenue | VMworld: Announce Deep Security 8 w/ Agentless FIM | 1000 Agentless customers | VMworld: Trend virtsec customer, case study, webinar, video | May: Trend acquires Third Brigade | July: CPVM GA | Nov: Deep Security 7 with virtual appliance | RSA: Trend Micro Demos Agentless | 2010 | Q4: Joined EPSEC vShield Program | VMworld: Announce Deep Security 7.5 | Sale of DS 7.5 Before GA | Dec: Deep Security 7.5 w/ Agentless Antivirus | RSA: Other vendors “announce” Agentless
Virtualization Security with Deep Security | Agentless Security Platform for Private Cloud Environments | Deep Security Virtual Appliance: • Intrusion prevention • Firewall • Anti-malware • Web reputation • Integrity monitoring | The Old Way: VM VM VM | With Deep Security: Security Virtual Appliance, VM VM VM VM, More VMs | Easier Manageability | Higher Density | Fewer Resources | Stronger Security
Shared Memory: Light and Lean | Keeping a signature file in every virtual desktop is inefficient and unsustainable | Classification 5/9/2013
VIRTUALIZATION SECURITY | Increased ROI with Deep Security | Example: Agentless Antivirus | 3X higher VDI VM consolidation ratios | [Bar chart: VM servers per host; Traditional AV 25, Agentless AV 75] | 3-year Savings on 1000 VDI VMs = $539,600 | Sources: Tolly Enterprises Test Report, Trend Micro Deep Security vs. McAfee and Symantec, February 2011; Saving estimate based on VMware ROI calculations
CBRE UK – VDI Success • 2000 Seats of VDI • 15,000 global rollout • Mobile Device Enabled • Operational Benefits • Single Image • Easier Support • Reduced Capex • Improved User Productivity • EMEA rollout planned
VIRTUALIZATION SECURITY | Secure the lifecycle of the VM | Moving VM’s | Restarted VM | Self Service new VMs | Reconfiguring VM - Clones | Relevant Deep Security Controls: FIM, DPI, Firewall, AV | Recommendation Scan | vCenter
Profile Management | Deep Security Manager | Agentless Protection with Virtual Appliance | Agent based Protection
Manual Updates As Required | Pattern file distribution | Vulnerability Identified | Rule defined and Incorporated in Pattern File
THREAT DATA | CUSTOMERS | THREAT INTELLIGENCE | Global Threat Intelligence with the Smart Protection Network | Identifies | Global: We look in more places | Broad: We look at more threat vectors | Correlated: We identify all components of an attack | Proactive: We block threats at their source | 1.15B Threat Samples Daily | 90K malicious threats daily | 200M Threats blocked daily
Virtual Patching | VM VM VM VM | 50-60 VMs per server | vShield | VA | Microsoft Patch Tuesday | Business Critical Apps | Other Vendors | Regular Process | Time Consuming | Expansive | Unsupported OS | Intermittent notification | Change Freeze | Zero Down time | No Regular notification | Collaborative process