Trend Micro VForum Agentless Scanning Presentation
Slide 1
© 2009 VMware Inc. All rights reserved. Confidential
Agentless Anti-Virus and IDS/IPS: A New Paradigm for Security in Virtual Environments
Harish Agastya, Director of Datacenter Security, Trend Micro

Slide 2: Agenda
• Security Roadblocks in the Virtualization Journey
• Threat Evolution and the Porous Perimeter
• New Security Paradigms on the vSphere platform
• Trend Micro: Security Built for VMware

Slide 3: Securing Servers the Traditional Way
[Diagram: ESX Server hosting three VMs (App / OS), each with its own AV agent; a network IDS / IPS sits in front of the host]
• Anti-virus: local, agent-based protection in the VM
• IDS / IPS: network-based device or software solution

Slide 4: Virtualization Journey, Stage 1: Server Consolidation
Classification 01/30/15

Slide 5: Virtualization Journey, Stage 2: Expansion & Desktop
• Increased Server Consolidation
• Desktop Virtualization

Slide 6: Virtualization Journey, Stage 3: From Private to Public Cloud

Slide 7: Virtualization Journey Stages
[Chart: Virtualization Adoption Rate for Servers and Desktops (axis ticks 15%, 30%, 70%, 85%) across Stage 1 Server Consolidation, Stage 2 Expansion & Desktop and Stage 3 Private > Public Cloud]
THE SECURITY INHIBITORS TO VIRTUALIZATION

Slide 8: Security Challenges Along the Virtualization Journey
[Chart: eleven challenges plotted against Virtualization Adoption Rate through the IT Production, Business Production and ITaaS phases]
• Inter-VM attacks
• Instant-on gaps
• Resource Contention
• Complexity of Management
• Data destruction
• Diminished perimeter
• Multi-tenancy
• Data access & governance
• Mixed trust level VMs
• Compliance / Lack of audit trail
• Host controls under-deployed

Slide 9: Security Inhibitors to Virtualization (1): Inter-VM attacks / blind spots

Slide 10: Security Inhibitors to Virtualization (2): Instant-on gaps
[Diagram: VM states Active, Dormant, Reactivated with out-of-date security, and New VMs]

Slide 11: Security Inhibitors to Virtualization (3): Resource contention
[Diagram: a typical AV console launching a 3:00am scan]

Slide 12: Security Inhibitors to Virtualization (4): Complexity of Management
• Patch agents
• Rollout patterns
• Provisioning new VMs
• Reconfiguring agents

Slide 13: Agenda (repeat of slide 2; next section: Threat Evolution and the Porous Perimeter)

Slide 14: Today's threat environment
• More Profitable: $100 billion estimated profits from global cybercrime -- Chicago Tribune, 2008
• More Sophisticated: "Breaches go undiscovered and uncontained for weeks or months in 75% of cases." -- Verizon Breach Report, 2009
• More Frequent: "Harvard and Harvard Medical School are attacked every 7 seconds, 24 hours a day, 7 days a week." -- John Halamka, CIO
• More Targeted: "27% of respondents had reported targeted attacks." -- 2008 CSI Computer Crime & Security Survey

Slide 15: Perimeter defenses are not enough
© 2005, Third Brigade Inc.
[Diagram: threats the perimeter does not stop: Encrypted Attacks, Mobile Computers (2), Wireless Networks (3), Unsuspecting Users (4), Insider Attacks (5)]

Slide 16: Exploits are happening before patches are developed
Number of days until a vulnerability is first exploited after the patch is made available:
• 2003: MS-Blast, 28 days
• 2004: Sasser, 18 days
• 2005: Zotob, 10 days
• 2006: WMF, zero-day
• …
• 2010: IE zero-day
"Microsoft today admitted it knew of the Internet Explorer flaw used in the attacks against Google and Adobe since September last year." -- ZDNet, January 21, 2010

Slide 17: Where are you vulnerable?
Takes days to months until patches are available and can be tested & deployed:
• "Microsoft Tuesday"
• Oracle
• Adobe
Developers not available to fix vulnerabilities:
• No longer with company
• Working on other projects
Patches are no longer being developed:
• Red Hat 3 -- Oct 2010
• Windows 2000 -- Jul 2010
• Solaris 8 -- Mar 2009
• Oracle 10.1 -- Jan 2009
Can't be patched because of cost, regulations, SLA reasons:
• POS
• Kiosks
• Medical Devices

Slide 18: Agenda (repeat of slide 2; next section: New Security Paradigms on the vSphere platform)

Slide 19: New Paradigm #1: Hypervisor-powered Security Architectures
[Diagram: ESX Server hosting three VMs (App / OS) and an Anti-virus Virtual Appliance connected through vShield Endpoint]
• vShield Endpoint enables agentless AV scanning
• Secures VMs from the outside, no changes to VM

Slide 20: The Opportunity with Agentless Anti-malware
[Diagram: Previously, an agent inside every VM; today, using vShield Endpoint, one Virtual Appliance on vSphere]
• More manageable: no agents to configure, update, patch
• Faster performance: freedom from AV storms
• Stronger security: Instant ON protection + tamper-proofing
• Higher consolidation: inefficient operations removed

Slide 21: Agentless anti-malware: Architecture
[Diagram of the components on the ESX 4.1 vSphere Platform]
• Guest VM: APPs, OS, Kernel, Vshield Guest Driver, BIOS
• Security Virtual Appliance: Anti-malware Scanning Module (On Access Scans, On Demand Scans, Remediation, Caching & Filtering, Status Monitor), vShield Endpoint Library with the EPsec Interface
• Hypervisor: vShield Endpoint ESX Module
• Anti-malware Product Console, reached over REST
• Roles shown: VI Admin, Security Admin

Slide 22: Agentless Anti-malware: Process flow
[Sequence diagram between the Guest VM (APPs, OS, Vshield Guest Driver) and the Security Virtual Appliance (EPsec Lib, Anti-malware Scanning module with On Access Scans, On Demand Scans, Remediation, Caching & Filtering); labels along the time axis:]
• file event (raised by the guest driver)
• result cached?
• excluded by filter?
• file data request / file data (repeated as needed)
• scan result
• result (returned to the guest)
• on a later file event: data cached? -> result
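The process flow on slide 22, rendered as an added Python model; this is example code written for this page, not code from the presentation, Trend Micro or VMware. It assumes constructed file events carrying path, size and modification time (so the "result cached?" check can run before any file data is transferred), a glob-based exclusion list, a byte marker standing in for a real scan engine, and "quarantine" as the constructed remediation policy for a malicious verdict. The point it shows is which events cost a file-data round trip and which are answered from the cache or the filter.

```python
"""Added example: toy model of the agentless on-access scan flow (slide 22)."""
from __future__ import annotations

from dataclasses import dataclass, field
from fnmatch import fnmatch

# Constructed stand-in for guest file systems reachable through the endpoint channel.
GUEST_FILES: dict[tuple[str, str], bytes] = {
    ("vm-01", "C:/Windows/System32/kernel32.dll"): b"MZ benign system binary (constructed)",
    ("vm-01", "C:/pagefile.sys"): b"\x00" * 64,
    ("vm-01", "C:/Users/alice/report.docx"): b"PK benign document (constructed)",
    ("vm-01", "C:/Users/alice/dropper.exe"): b"MZ ... TEST-MALWARE-MARKER ...",
}
# Constructed "signature": a byte marker in place of a real engine verdict.
MALICIOUS_MARKER = b"TEST-MALWARE-MARKER"


@dataclass(frozen=True)
class FileEvent:
    """'file event' from the guest driver on file open/close (fields constructed)."""
    vm: str
    path: str
    size: int
    mtime: int


@dataclass
class Stats:
    events: int = 0
    cache_hits: int = 0
    filtered: int = 0
    data_requests: int = 0
    scans: int = 0
    remediations: list[tuple[str, str, str]] = field(default_factory=list)


class SecurityVirtualAppliance:
    def __init__(self, exclusions: list[str]):
        self.exclusions = exclusions          # glob patterns: a constructed filter policy
        self.cache: dict[tuple, str] = {}      # (vm, path, size, mtime) -> verdict
        self.stats = Stats()

    def request_file_data(self, ev: FileEvent) -> bytes:
        """'file data request' / 'file data': the only step that moves file content."""
        self.stats.data_requests += 1
        return GUEST_FILES[(ev.vm, ev.path)]

    def scan(self, data: bytes) -> str:
        self.stats.scans += 1
        return "malicious" if MALICIOUS_MARKER in data else "clean"

    def remediate(self, ev: FileEvent, verdict: str) -> str:
        """Agent-less remediation; 'quarantine' is the constructed policy here."""
        action = "quarantine" if verdict == "malicious" else "pass"
        if action != "pass":
            self.stats.remediations.append((ev.vm, ev.path, action))
        return action

    def on_file_event(self, ev: FileEvent) -> str:
        self.stats.events += 1
        key = (ev.vm, ev.path, ev.size, ev.mtime)
        # result cached? -> unchanged file, answer without touching file data
        if key in self.cache:
            self.stats.cache_hits += 1
            return self.remediate(ev, self.cache[key])
        # excluded by filter? -> policy says this path is never scanned
        if any(fnmatch(ev.path, pat) for pat in self.exclusions):
            self.stats.filtered += 1
            return "pass"
        verdict = self.scan(self.request_file_data(ev))
        self.cache[key] = verdict
        return self.remediate(ev, verdict)


def simulate() -> tuple[list[str], Stats]:
    """Replay a constructed burst of guest file events; return actions and counters."""
    sva = SecurityVirtualAppliance(exclusions=["*/pagefile.sys", "*.log"])
    events = [
        FileEvent("vm-01", "C:/Windows/System32/kernel32.dll", 1200, 100),
        FileEvent("vm-01", "C:/Windows/System32/kernel32.dll", 1200, 100),  # repeat: cache hit
        FileEvent("vm-01", "C:/pagefile.sys", 64, 100),                     # excluded by filter
        FileEvent("vm-01", "C:/Users/alice/report.docx", 900, 100),
        FileEvent("vm-01", "C:/Users/alice/report.docx", 950, 101),         # modified: rescan
        FileEvent("vm-01", "C:/Users/alice/dropper.exe", 4000, 102),        # malicious
    ]
    actions = [sva.on_file_event(ev) for ev in events]
    return actions, sva.stats


if __name__ == "__main__":
    print(simulate())
```

Of the six events, only four cause a file-data transfer and a scan; the repeated open of an unchanged file is served from the cache and the page file never leaves the guest. Keying the cache on size and modification time rather than on content is what lets the cache check precede the data request, which is the ordering the slide shows.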
Slide 23: Agentless approach uses less ESX memory
[Chart: ESX memory against number of Guest VMs for Anti-Virus "B", Anti-Virus "Y" and Anti-Virus "R"]

Slide 24: Agentless approach uses less bandwidth
[Chart: Time (seconds) for a signature update for 10 agents: Anti-Virus "B", Anti-Virus "Y", Anti-Virus "R" versus Agentless Anti-Virus "T"]

Slide 25: New Paradigm #2: Opportunity to Beef up Server Security
• VMsafe enables you to supplement perimeter defense
• Agentless IDS/IPS, Firewall and application protection
[Diagram: ESX Server hosting three VMs (App / OS) and a Virtual Appliance (Firewall, IDS / IPS, Web app, Anti-Virus) attached through the VMsafe APIs]

Slide 26: VMsafe™ APIs
CPU/Memory Inspection
• Inspection of specific memory pages
• Knowledge of the CPU state
• Policy enforcement through resource allocation
Networking
• View all IO traffic on the host
• Intercept, view, modify and replicate IO traffic
• Provide inline or passive protection
Storage
• Mount and read virtual disks (VMDK)
• Inspect IO read/writes to the storage devices
• Transparent to device & inline with ESX Storage stack

Slide 27: Intrusion Defense with VMsafe
[Diagram, labels in pipeline order:]
• Incoming / Outgoing Packet -> Fastpath Driver (Tap/Inline) -> Micro Firewall (Blacklist & Bypass) -> Pass or Drop
• Slowpath Driver -> Stateful Firewall -> Drop or Pass -> DPI
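The two-tier pipeline on slide 27, as an added Python model; this is example code for this page, not code from the presentation, Trend Micro or VMware. It assumes a micro firewall that decides only on source-address blacklist and bypass tables, a stateful stage that tracks TCP 5-tuples and admits new inbound flows only on a SYN to a permitted port, and a DPI stage that matches constructed byte signatures; addresses, ports, rules and packets are all constructed. The counters show how much traffic never reaches the slow path.

```python
"""Added example: toy model of the fastpath / slowpath intrusion-defense pipeline (slide 27)."""
from __future__ import annotations

from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    """One TCP packet as seen by the tap/inline hook (fields constructed)."""
    src: str
    dst: str
    sport: int
    dport: int
    syn: bool = False
    payload: bytes = b""


@dataclass
class Counters:
    fastpath_drop: int = 0
    fastpath_pass: int = 0
    stateful_drop: int = 0
    dpi_drop: int = 0
    slowpath_pass: int = 0


class IntrusionDefense:
    def __init__(self, blacklist, bypass, inbound_ports, signatures):
        self.blacklist = [ip_network(n) for n in blacklist]   # sources always dropped
        self.bypass = [ip_network(n) for n in bypass]         # sources never inspected
        self.inbound_ports = set(inbound_ports)               # services new inbound flows may reach
        self.signatures = signatures                          # (name, byte pattern) pairs, constructed
        self.flows: set[tuple] = set()                        # established 5-tuples
        self.counters = Counters()
        self.alerts: list[tuple[str, str, str, int]] = []

    def micro_firewall(self, pkt: Packet) -> str | None:
        """Fast path: blacklist -> drop, bypass -> pass, anything else is undecided."""
        src = ip_address(pkt.src)
        if any(src in net for net in self.blacklist):
            return "drop"
        if any(src in net for net in self.bypass):
            return "pass"
        return None

    def stateful_firewall(self, pkt: Packet, direction: str) -> str:
        """Slow path stage 1: established flows pass; a new flow needs a SYN and,
        when inbound, a permitted destination port."""
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if key in self.flows or reverse in self.flows:
            return "pass"
        if pkt.syn and (direction == "out" or pkt.dport in self.inbound_ports):
            self.flows.add(key)
            return "pass"
        return "drop"

    def dpi(self, pkt: Packet) -> str:
        """Slow path stage 2: a payload signature match records an alert and drops."""
        for name, pattern in self.signatures:
            if pattern in pkt.payload:
                self.alerts.append((name, pkt.src, pkt.dst, pkt.dport))
                return "drop"
        return "pass"

    def process(self, pkt: Packet, direction: str) -> str:
        c = self.counters
        verdict = self.micro_firewall(pkt)
        if verdict == "drop":
            c.fastpath_drop += 1
            return "drop"
        if verdict == "pass":
            c.fastpath_pass += 1
            return "pass"
        if self.stateful_firewall(pkt, direction) == "drop":
            c.stateful_drop += 1
            return "drop"
        if self.dpi(pkt) == "drop":
            c.dpi_drop += 1
            return "drop"
        c.slowpath_pass += 1
        return "pass"


def simulate() -> tuple[list[str], Counters, list]:
    """Run a constructed packet sequence for guest VM 192.0.2.10 through the pipeline."""
    ids = IntrusionDefense(blacklist=["203.0.113.0/24"], bypass=["10.0.0.0/24"],
                           inbound_ports=[80, 443],
                           signatures=[("path-traversal-attempt", b"../../")])
    guest = "192.0.2.10"
    traffic = [
        (Packet("203.0.113.9", guest, 40001, 80, syn=True), "in"),      # blacklisted: fast drop
        (Packet("10.0.0.5", guest, 40002, 22, syn=True), "in"),         # bypass list: fast pass
        (Packet("198.51.100.7", guest, 40003, 80, syn=True), "in"),     # new web flow: allowed
        (Packet("198.51.100.7", guest, 40003, 80, payload=b"GET /../../ HTTP/1.1"), "in"),  # DPI
        (Packet("198.51.100.7", guest, 40004, 3389, syn=True), "in"),   # port not permitted
        (Packet(guest, "198.51.100.50", 50000, 443, syn=True), "out"),  # outbound client flow
        (Packet("198.51.100.50", guest, 443, 50000, payload=b"HTTP/1.1 200 OK"), "in"),  # reply
    ]
    verdicts = [ids.process(pkt, d) for pkt, d in traffic]
    return verdicts, ids.counters, ids.alerts


if __name__ == "__main__":
    print(simulate())
```

Two of the seven packets are settled on the fast path without any connection state or payload inspection; the rest go through the stateful stage, and only packets on established flows ever reach DPI. In the slide's terms, the blacklist and bypass tables are what keep the slowpath driver from seeing every packet on the host.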
Slide 28: New Paradigm # 3: Virtualization-aware agents
[Diagram: vSphere hosting VMs (App / OS) managed through vCenter]
• vCenter integration makes security virtualization-aware
• V-aware agents complement virtual appliance
• Use cases: offline desktops, compliance, defense in depth

Slide 29: New Paradigm # 4: Security that is Cloud-Ready
[Diagram: vSphere hosting VMs (App / OS)]
• Security for datacenter VMs moves to the cloud with application and data
• Advanced security modules (IDS/IPS, Integrity monitoring) protect server in multi-tenant environment

Slide 30: Agenda (repeat of slide 2; next section: Trend Micro: Security Built for VMware)

Slide 31: Security Built for VMware
Founded: United States, 1988
Headquarters: Tokyo, Japan
Offices: 23 countries
Employees: 4,350
Market: Internet Content Security; US $1 Billion annual revenue
Leadership: 1,000+ Threat Research Experts; 10 labs, 24x7 ops; Real-time alerts for new threats
Trend Micro security & compliance solutions help VMware customers:
• Accelerate and complete their virtualization journey
• More fully leverage their VMware investments
• Maximize their virtualization ROI

Slide 32: Trend Micro Deep Security: Server & application protection
• Latest anti-malware module adds to existing set of advanced protection modules
[Diagram of modules: Firewall, Web app protection, Log Inspection, Integrity Monitoring, Anti-Malware, Intrusion Detection / Prevention]

Slide 33: Trend Micro Deep Security: Server & application protection
5 protection modules; protection is delivered via Agent and/or Virtual Appliance
Deep Packet Inspection:
• IDS / IPS: Detects and blocks known and zero-day attacks that target vulnerabilities
• Web Application Protection: Shields web application vulnerabilities
• Application Control: Provides increased visibility into, or control over, applications accessing the network
Firewall: Reduces attack surface. Prevents DoS & detects reconnaissance scans
Integrity Monitoring: Detects malicious and unauthorized changes to directories, files, registry keys…
Log Inspection: Optimizes the identification of important security events buried in log entries
Anti-Virus: Detects and blocks malware (web threats, viruses & worms, Trojans)

Slide 34: Trend Micro Deep Security: Security Built for VMware
1. Inline virtual appliance:
• AV, IDS/IPS, FW
• Greater efficiency
• Manageability
2. Agent-based security:
• Comprehensive protection within datacenter
• Mobility, to extend protection to public cloud
3. Hypervisor / vCenter integration:
• Enables virtualization-aware security
• Eliminates instant-on gaps
4. Coordinated approach:
• Optimized protection
• Operational efficiency

Slide 35: Deep Security 7.5 Integrates vShield Endpoint & VMsafe
Agent-Less Real Time Scan
• Triggers notifications to AV engine on file open/close
• Provides access to file data for scanning
Agent-Less Manual and Schedule Scan
• On demand scans are coordinated and staggered
• Traverses guest file-system and triggers notifications to the AV engine
• Integrates with vShield Endpoint (in vSphere 4.1)
• Zero Day Protection
• Trend Micro SPN Integration
Agent-Less Remediation
• Active Action, Delete, Pass, Quarantine, Clean
API Level Caching
• Caching of data and results to minimize data traffic and optimize performance
[Diagram: Virtual Appliance, vShield Endpoint, SPN]

Slide 36: Thank You
www.trendmicro.com/deepsecurity
www.vmware.com/trendmicro
