The cornerstones of a proactive security strategy are vulnerability management and risk assessment. However, traditional “scan-and-patch” vulnerability scanning approaches are inadequate for dynamic, virtualized environments. Traditional scanners cannot track changes in real time, so they cannot accurately measure constantly changing risks. Anyone charged with securing IT assets needs to understand the dynamic security risks inherent to virtualized environments, and more importantly, what to do to mitigate those risks. This whitepaper explores the challenges of securing a virtualized environment and gives actionable solutions to address them.

1. White Paper
The Dynamic Nature of Virtualization Security
The need for real-time vulnerability management and risk assessment

2. Rapid7 Corporate Headquarters 800 Boylston Street, Prudential Tower, 29th Floor, Boston, MA 02199-8095 617.247.1717 www.rapid7.com
Introduction
Virtualization is radically shifting how enterprises deploy, deliver, and manage applications and data. It offers
tremendous benefits for business efficiency and agility: resource consolidation for controlling costs, greater scalability
and higher utilization of existing assets and applications, and flexibility for adapting assets to meet current business
demands.
Forrester asserts: “Virtualization is the norm; deploying a physical server is the exception.” It found that “server
virtualization is nearly ubiquitous,” that “85 percent of organizations have adopted or are planning to adopt x86 server
virtualization,” and that “79 percent of firms have or are planning to institute a ‘virtualization first’ policy.” By 2014,
Forrester predicts that 75 percent of all servers will be virtualized. (“The CISO’s Guide to Virtualization Security,” by
Rick Holland, et al., Forrester Research, Inc., January 12, 2012.)
Similarly, Information Week reports that adoption of server virtualization has grown to 97 percent in survey-respondent
data centers. It also reports similar adoption rates in storage virtualization (86 percent), application virtualization (88
percent), and desktop virtualization (76 percent). (“Next-Generation VM Security,” by Kurt Marko, Information Week
reports, June 2012).
As more enterprises virtualize their infrastructures, they also face new threat vectors. In the rush to virtualize
applications and other assets and realize the fiscal and management benefits of virtualization, IT managers must
continue to protect IT infrastructures from hacking incidents, inadvertent insider damage, and malware attacks.
Servers, applications, networks, and end-user devices are becoming dynamic and unpredictable.
Virtualized assets are susceptible to the same threats and vulnerabilities as traditional assets but traditional security
devices offer limited visibility into virtualized environments, where assets and their security postures are constantly
changing. Incidents in virtualized servers can escalate rapidly and cause considerable damage. Determining the risk
level associated with a given vulnerability remains vital to prioritizing mitigation tasks.
The cornerstones of a proactive security strategy are vulnerability management and risk assessment. However,
traditional “scan-and-patch” vulnerability scanning approaches are inadequate for dynamic, virtualized environments.
Traditional scanners cannot track changes in real time, so they cannot accurately measure constantly changing risks.
Anyone charged with securing IT assets needs to understand the dynamic security risks inherent to virtualized
environments, and more importantly, what to do to mitigate those risks. With security infrastructures lagging behind
virtualization adoption, a vulnerability management solution that provides immediate risk assessment plays a critical
role in helping security managers protect virtualized assets and data.
Forrester recommends:
You must extend your vulnerability management program into your virtual environment. Server hardening,
including patch management and configuration management, is a core element of vulnerability management. A
number of good resources are available to assist you with hardening your virtual servers. You must also ensure
that you are conducting regular vulnerability assessments, including scanning and penetration testing, of the
environment. …You should include virtualization-specific penetration tests to validate the hardening and security
controls of the environment. (Forrester, Ibid., p. 9)
Scheduled scans remain useful in virtualized environments, but the dynamic character of virtualization presents new
kinds of risk. The constantly fluctuating environment requires continuous and comprehensive security monitoring to
detect changes as they happen.

3. Rapid7 Corporate Headquarters 800 Boylston Street, Prudential Tower, 29th Floor, Boston, MA 02199-8095 617.247.1717 www.rapid7.com
The vulnerability management solution should include these capabilities:
• Deployable as a virtual machine (VM)
• Discover and scan VMs as they spin up and down for vulnerabilities and misconfigurations.
• Detect snapshot rollbacks and scan after restores
• Track asset migrations and proactively monitor their security postures
To better understand the need for these capabilities, consider the challenges and solutions below.
Challenge: On or Off?
Virtual machines spin up and down all day long. Some VMs may activate many times a day, while others may spin up
once a month. An IT administrator can provision, operate, and delete a VM before a traditional vulnerability scanner
can check it for vulnerabilities. Periodic scans assign inactive VMs a risk score of 0. There’s inherent risk if that
potentially-vulnerable VM spins up again before the next periodic scan kicks off.
Solution: Automated Discovery and Scanning
Security managers need to know when VMs become active, so they have the option to scan them immediately and
assess their risk levels. Without requiring operator intervention, the vulnerability management solution should be able
to interact with the hypervisor to detect VMs as they come online and maintain an accurate database of discovered
resources. More importantly, a security manager should have the option to configure the vulnerability management
solution to automatically scan critical resources when they spin up and issue a scan report upon completion.
Challenge: Snapshot Rollbacks
Storage snapshots are a valuable data protection capability. However, a rollback or restore may expose a VM, and the
system it resides upon, to a previously fixed vulnerability. For example, rollbacks may revert a VM to an older software
version that needs critical patching. A periodic scan may not discover this exposure for days or weeks. Another scenario
is a rollback reinstates a configuration error or other vulnerability that is exploitable by malware, and a malware
attack may have caused the crash.
Solution: Rollback Detection and Automated Scanning
If the vulnerability management solution is in communication with the hypervisor, it should be able to detect rollbacks
and restores and send an alert to the management console. The security manager should have the option to configure
the vulnerability management solution to automatically scan assets after a rollback or restore and issue a scan report
upon completion. For example, such scans can immediately verify that software versions remain compliant with
policies after a rollback, or expose the exploitable errors or vulnerabilities and allow security managers to mitigate
them.

4. Rapid7 Corporate Headquarters 800 Boylston Street, Prudential Tower, 29th Floor, Boston, MA 02199-8095 617.247.1717 www.rapid7.com
Challenge: Virtual Machine Migration
Live migrations of VMs to other hosts, using features such as VMware vMotion, helps server managers adjust server
utilization and maintain performance levels without service interruption. Migrations may be a proactive management
task, but more often they occur as a result of a catastrophic failure. Some failures, such as loss of an asset pool,
can trigger migrations to another asset pool or even to another site. The security manager needs visibility to track
migrations as they happen, verifying that security posture of migrated assets does not change.
Solution: Automated Scanning
Vulnerability assessments can help security managers determine the cause and type of such a failure. They need
visibility not only within an asset pool or site, but among multiple pools or sites in the case of co-located or distributed
data centers. The hypervisor detects the migration, and the vulnerability management solution should recognize it and
send an alert to the security manager. Again, the security manager should have the option to configure the vulnerability
management software to automatically scan migrated assets and issue a scan report upon completion.
What About Hypervisor Security?
A 2009 IBM report suggested that the hypervisor platform contained dozens of vulnerabilities. This report sparked
industry discussions that securing a virtualized environment presents a new set of risks, but emphasized securing the
hypervisor itself. Hypervisor vulnerabilities are static. Conventional scanners can identify these vulnerabilities, and
administrators can remediate them using conventional scan-and-patch processes.
The IBM study failed to address the dynamic nature of the entire virtualized infrastructure. There is general agreement
that the hypervisor is an ideal location to deploy security solutions such as anti-malware systems. That said, in a 2011
report, Forrester “addressed the security of the hypervisor and concluded that it introduces some marginal risk to the
server environment but that concerns are largely overblown.” (Forrester, Ibid., p. 6.)
Solution: Rapid7 Security Risk Intelligence
Rapid7 Security Risk Intelligence is a data-driven approach to risk assessment and vulnerability management that
weighs the value of data sets when measuring risk. Rapid7 offers a powerful combination of innovative vulnerability
management and penetration testing solutions along with deep security expertise to identify and prioritize the dynamic
security risks of virtualized environments.
Rapid7 Nexpose is the industry’s first vulnerability management solution with capabilities, such as Continuous
Discovery, designed specifically for virtualized environments. Working closely with VMware, Rapid7 continues to add
virtualization-specific capabilities into Nexpose, its vulnerability management and risk-assessment solution. Nexpose is
the only third party vulnerability management solution included in the VMware security reference architecture.
Additionally, Rapid7 Metasploit can be used in conjunction with Nexpose to validate risk in IT environments based on
actual exploitability of vulnerabilities, both in physical and in virtual environments.

5. Rapid7 Corporate Headquarters 800 Boylston Street, Prudential Tower, 29th Floor, Boston, MA 02199-8095 617.247.1717 www.rapid7.com
How Rapid7 Can Help
Rapid7 is a leader in security risk intelligence that can help you gain valuable insight into your security posture,
through both products and services.
Headquartered in Boston, MA, Rapid7 was founded in 2000. In response to the increasing security threat
environment, the company developed its award-winning vulnerability management solution Nexpose. In 2009,
Rapid7 acquired Metasploit, the leading penetration testing platform with the world’s largest quality assured exploit
database. The combination of both products has resulted in the company’s integrated security risk intelligence
portfolio, designed to provide organizations with unique insight into their threat and risk posture. Rapid7 also has a
professional services unit that conducts product deployments and trainings as well as security assessments.
If you have questions on how you could improve your organization’s security posture, would like to evaluate Rapid7’s
vulnerability management or penetration testing products, or would like to talk to Rapid7’s professional services
team, please contact Rapid7 at info@rapid7.com, call +1.617.247.1717, or visit www.rapid7.com.