Protecting systems and applications on virtual data centres and in
the cloud: challenges, emerging solutions and lessons learnt

Dr Fadi El-Moussa – Senior Researcher – Malware Detection and Prevention Specialist
Dr Theo Dimitrakos – Chief Security Researcher – Head of Security Architectures Research

Slide 1
Cyber Security: More Important than Ever

COMPROMISES THAT CAN BE STOPPED THROUGH PROPER CONFIGURATION AND PATCH MANAGEMENT: 90%

© British Telecommunications plc

Slide 2
Cyber Security: More Important than Ever

SONY PLAYSTATION – 100M CUSTOMERS EXPOSED
                 – 20K CREDIT CARDS EXPOSED

Slide 3
A different perspective on solving security problems

Issues with traditional protection methods

  Context intermingling
  • Of protection engines that run in the same context as the malware they are
    protecting against

  Limited visibility
  • Of OS and application by network-hosted protection solutions
  • Of other contexts by protection engines running in a safe context

Hypervisor + Security API

  Better context management
  • Protection by running outside the OS
  • Isolated from most malware
  • Dependent on the smaller, trustable codebase of the hypervisor

  Superior visibility
  • New interactions: CPU, memory
  • Real-time interception
    • view / modify / aggregate
    • network / storage / memory
  • Context aggregation includes
    • code in memory
    • network traffic
    • process calls

Slide 4
Intelligent Protection overview

[Diagram: "Round-trip of protection intelligence" linking Virtual Firewall, Intrusion Prevention, Intelligent Protection (Beta), Virtual Patching and Anti-malware]

Core strengths & innovative features
• Intercept interactions between the Guest OS and application processes and the physical server
• Intercept traffic between the Guest OS and the network
• Detect and stop malware and rootkits at the hypervisor level before they infect the system
• Detection system outside the context of the attack: stealthy and more reliable detection

Slide 5
Forthcoming extensions

Anti-Malware:
• Experimentation with integration of multiple AV virtual appliances and hypervisors
• Exploit benefits of context of operation to improve effectiveness of detection
  • Performance against different obfuscation techniques: combinations of
    poly/paramorphism, encryption, memory injection, etc.
  • Performance against different forms of advanced evasion techniques

2 BT patents including extensions of virtual patching to BIOS for devices

Slide 6
Forthcoming extensions

Beyond the cloud:
• Extend applicability to hybrid environments under the same security management
  offered via a Security Operations Management Portal as a SaaS:
  • Virtual Data Centre
  • Cloud
  • Corporate Servers
  • Mobile devices (laptops, smart-phones, etc.)

2 BT patents including extensions of virtual patching to BIOS for devices

Slide 7
Forthcoming extensions

Mega-Honeypot
• Information about possible / actual attacks collected even if attacks are blocked
• Filter, analyse, correlate information
  • about frequency / origin / form of attacks
  • about stability of security patches to OS/Application builds

Slide 8
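As an added illustration (not BT's code or product), the virtual patching of slides 5 and 9 combined with the mega-honeypot idea above: one rule per weakness is applied to traffic between the guest and the network, and every block is recorded by origin and form so it can be correlated later even though the attempt never reached the unpatched guest. Rule identifiers, patterns and the traffic sample are constructed placeholders.

```python
# Added example, not BT's code: a minimal "virtual patch" filter on the
# guest-to-network path plus honeypot-style collection of blocked attempts.
# Rule ids, patterns and traffic are constructed for illustration only.
import re
from collections import Counter
from dataclasses import dataclass, field


@dataclass
class VirtualPatch:
    vuln_id: str         # placeholder id, not a real advisory number
    pattern: re.Pattern  # what an attempt against this weakness looks like on the wire


# Two constructed rules standing in for vendor-supplied virtual patches.
PATCHES = (
    VirtualPatch("VULN-PLACEHOLDER-001", re.compile(r"\.\./|%2e%2e%2f", re.I)),
    VirtualPatch("VULN-PLACEHOLDER-002", re.compile(r"[;|`]")),
)


@dataclass
class AttackCollector:
    """What the mega-honeypot keeps: every blocked attempt, by origin and by form."""
    by_origin: Counter = field(default_factory=Counter)
    by_form: Counter = field(default_factory=Counter)

    def record(self, src_ip: str, vuln_id: str) -> None:
        self.by_origin[src_ip] += 1
        self.by_form[vuln_id] += 1


def filter_request(patches, collector, src_ip, request_line):
    """Return (allowed, vuln_id). A block is recorded, never silently dropped."""
    for patch in patches:
        if patch.pattern.search(request_line):
            collector.record(src_ip, patch.vuln_id)
            return False, patch.vuln_id
    return True, None


# Constructed sample traffic: (source address, HTTP request line).
SAMPLE_TRAFFIC = (
    ("10.0.0.5", "GET /index.html HTTP/1.1"),
    ("198.51.100.7", "GET /static/../../app.conf HTTP/1.1"),
    ("198.51.100.7", "GET /search?q=a|b HTTP/1.1"),
    ("203.0.113.9", "GET /img/%2E%2E%2Fconfig HTTP/1.1"),
)


def run_sample(traffic=SAMPLE_TRAFFIC):
    """Filter the sample; return (requests allowed, collector) for correlation."""
    collector = AttackCollector()
    allowed = sum(filter_request(PATCHES, collector, ip, req)[0] for ip, req in traffic)
    return allowed, collector
```

The collector's counters are the raw material for the frequency/origin/form correlation the slide describes; a real deployment would also time-stamp each record.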
General Considerations and take-away points

Strong points:
• Hypervisor-embedded security controls provide an improvement to the security of
  servers and applications that run on protected virtual machines. 'Defence in
  depth' provided at the hypervisor level:
  • IDS
  • Firewall
  • Anti-Malware
  • Data Leakage Prevention
• Potential to enhance intrusion prevention within multi-tenancy Cloud architecture.
• Flexible (agent-based / agent-less deployment): patches can be applied at either
  the server or the hypervisor
• Extremely efficient security patch application / removal (almost zero downtime)

Slide 9
General Considerations and take-away points

Remaining weaknesses:
• Does not cover all possible security patches (e.g. patches relating to internal
  OS modules or some aspects of application code)
• Vulnerability/patch mapping and frequency of updates depend upon the accuracy of
  the vendor's patch-to-vulnerability mapping.
• New security technologies will become the target for the 'next emerging threats'
  – attackers will be targeting hypervisor/security functionality.
• May be dependent upon hypervisor configuration and security management (Cloud
  Service Provider administration teams).

Slide 10

Fadi El Moussa Secure Cloud 2012 V2


Editor's Notes

  • #6 This diagram illustrates the use of VMware VMsafe APIs – in essence methods for enforcing security functionality at the hypervisor – note the security virtual machine – it has policy, firewall, AV and IP engines – VMsafe enforces this functionality. Change diagram to provide vShield agents – which communicate with the hypervisor to create a closed user group – enforcing security policies for the group or Zone
  • #10 Apply patch at VM or Hypervisor – right place but need to decide which part of the system to apply the patch (add a caution note to this point).
  • #11 Apply patch at VM or Hypervisor – right place but need to decide which part of the system to apply the patch (add a caution note to this point).