Best Practices in Virtualization & Cloud Security with Symantec DCS
Nathaphon K., Technical Consultant
Would You Ever Leave Your Doors Unlocked?
SERVERS AT RISK? Why are they…
• Contain valuable information
• Always available
• Security vulnerabilities
• Unauthorized configuration changes
• Insider abuse and targeted attacks
SIXTY-SEVEN PERCENT of breaches (hacked) occur on servers
NINETY-FOUR PERCENT
Virtual & Physical Share Security Concerns
• Configuration Hardening
– Hypervisor settings
– Server instance settings
• Access Rights Management
– Implement least privileged access
– Prevent access escalation
…But Virtual Introduces New Challenges
• Separation of Instances on a Shared Host
– Threats jumping across instances
– Compliance and legal issues as workloads move across zones
• Limited Logging and Reporting
– Logging for failed actions
– Activity logging is not attributable
Effective Security Addresses Both Physical and Virtual
NSX Extensibility: Partner Integration
Components: NSX Controller, NSX API, Partner Extensions, Network Security Platform, Network Gateway Services, Application Delivery Services, Security Services
Moving Forward: Software Defined Security
• Our competitor was a clear first mover in “Agentless 1.0” (vShield)
• Symantec leads with innovations and integrations to VMware for “Agentless 2.0” and the go-forward NSX platforms for VMware’s SDDC
How do Symantec and VMware work together?
Components: Symantec Manager, VMware NSX Networking & Security, VMs running the Endpoint Service, Symantec SVA (SYMC SVA), Security Group
1. Import OVA and register AV Security Service
2. Publish new Symantec AV Security Policy Profile
3. Deploy AV Security Service to Cluster
4. Create new Security Policy (w/ AV)
5. Apply Security Policy to Security Group
6. Tag Networking & Security upon AV detection
Data Center Security: Server 6.0 (Agent-less)
Integrated Protection
• Natively integrated into the VMware NSX (VShield2) platform
– Always-on agent-less file-based antivirus protection
– Symantec Reputation engine to prevent false positives (both good & bad file insight database)
– Automatic provision-less scale out as the data center grows
• Underlying VMware technology provides Networking and Security extensibility
– Our security controls and policies integrate into the VMware fabric and security partner ecosystem to support automated security enforcement and dynamic workflows
Symantec Global Intelligence Network (GIN)
Identifies more threats, takes action faster & prevents impact
Information Protection: Preemptive Security Alerts, Threat Triggered Actions
Global Scope and Scale: Worldwide Coverage, 24x7 Event Logging, Rapid Detection
• Attack Activity: 240,000+ sensors; 200+ countries and territories
• Malware Intelligence: 150M clients, servers and gateways monitored; global coverage
• Vulnerabilities: 35,000+ vulnerabilities; 11,000 vendors; 80,000 technologies
• Spam/Phishing: 5M decoy accounts; 8B+ email messages/day; 1B+ web requests/day
Locations: Austin, TX; Mountain View, CA; Culver City, CA; San Francisco, CA; Taipei, Taiwan; Tokyo, Japan; Dublin, Ireland; Calgary, Alberta; Chengdu, China; Chennai, India; Pune, India
New center at Singapore: available now, fast response
SEP 12 Press Briefing
VMware vSphere threats and what we protect
Components: ESX/ESXi Host, vCenter Server, Datastores (“Datacenter”, “Cluster”), vSphere Client, vCenter Database
Threats: rogue clients, client hijacking, disgruntled admin, mis-configurations, SSL certificate, malware
Is signature-based protection enough to stop a zero-day attack?
Layers: DCS Firewall/AppControl, DCS User Control, Antimalware, Network Firewall/IPS
Unauthorized server access
Why a pure SVA solution is not enough
We need to stop internal & external attacks on servers
Critical System Protection Deep Dive
SOURCE: NIST Guide to General Server Security
Attack path from the Internet through the Web Server and Email Server into the Application Server, Database Server, File Server and Domain Controller Server, with the control that addresses each step:
• Entry as an email attachment or file link
• Malware installed to capture data and change configurations → Monitor and lock down files and configurations
• Application exploit attack to gain access → Monitor and lock down application behaviors
• Backdoor entry enables unauthorized access → Prevent unauthorized executables
• Unauthorized changes to privileges & information → Prevent inappropriate access; monitor and prevent access changes; monitor access rights changes
Agent-less protection still needs VMware Tools installed in the guest OS, and sometimes VMware Tools
Where do hackers break into your system, and how does Data Center Security: Server Advanced protect it?
Data Center Security: Server Advanced protects:
• Registry – Ensure registry integrity
• Config files – Ensure file integrity
• Portable storage devices – Prevent data leakage
• Applications – Prevent targeted/advanced malware
• Operating system – Prevent rootkits
• Memory – Ensure memory protection
Symantec Server Protection
Un-compromised at Black Hat three years in a row
• Challenge:
– Flags hidden across un-patched Windows and Linux systems
– Main flag protected with the CSP CORE out-of-the-box prevention policy
– 50+ skillful hackers/pen-testers from DoD, NSA, DISA, Anonymous, etc.
• Attack techniques used:
– Backtrack 5 and custom tools used during penetration attempts
– Zero-day attack used and stopped on the protected system
– Recompiled version of Flamer stopped by the CSP out-of-the-box policy
• Outcome:
– No one was able to capture the flag… now three years in a row…
– Hackers said that had they known sandboxing was in use, it might not have been worth the time they put in
Data Center Security: Server Advanced 6.0
Scale up protection with the DCS agent
• Additional security in addition to the included Data Center Security: Server
• Simplified server hardening
– Protection-strategy-based policy wizard
• Protected Whitelisting, Hardened, Basic
– Expert knowledge in server applications not required
• With application discovery and reputation
– Select application(s) and protection (sandbox)
• Out-of-the-box default sandboxes
• Out-of-the-box application-centric sandboxes for common complex apps (domain controller, database, mail and web servers)
• Includes IPS and IDS functionality
Our agent has minimal overhead
• Typical CPU usage
– 1-6% depending upon the policies used and the amount of IO on the system
• Memory
– Windows: typically 25-40MB
– Unix: typically 40-80MB
• Disk space
– Requires a minimum of 100MB disk space
– Additional disk space may be used if agent log files are not purged periodically
Where is the system security industry going?
Least Privilege Application Control (LPAC)
Also known as Sandboxing
Based on fundamental security principles and highly effective
• Proactive protection against malware (known & unknown)
• The containment model limits the potential for exploitation
• Applicable to all environments and applications
• Dramatically improves security posture and reduces IT costs
Notable industry examples: Windows UAC, Google Chrome, Adobe Reader X, Android OS, SELinux
Embedded Security: A View from Symantec
How does Server Advanced Security work? Signature-less technology
AUDITING & ALERTING (Intrusion Detection)
- Monitor file integrity in real time for compliance.
- Alert/notify for early response.
SYSTEM CONTROLS (Intrusion Prevention)
- Lock down configuration settings.
- Enforce security policy.
- Restrict device access.
- Close back doors.
NETWORK PROTECTION (Intrusion Prevention)
- Limit connectivity by app.
- Restrict traffic flow.
EXPLOIT PREVENTION (Intrusion Prevention)
- Prevent zero-day attacks.
- Application whitelisting and de-escalate privileges, i.e. sandbox.
- Restrict behaviors.
- Buffer overflow protection.
How does Data Center Security technically work?
It is all about behavior: DCS creates a “sandbox” or “containment jail” for one or more programs (processes) using a policy that defines least privilege controls or “acceptable” resource access behaviors.
Granular resource constraints on the host: Files, Registry, Network, Devices, Memory, file system and configuration info, process access control, usage of ports and devices
Sandboxed programs (examples): Outlook, CMD, Chrome, DNS Server, Kernel, RPC, Services or Daemons, Interactive Applications (defaults for Service and Interactive), etc.
Most programs require a limited set of resources and access rights to perform normal functions.
But most programs have privileges and resource rights far beyond what is required – attacks readily exploit this gap.
Policy Strategy Selection with the policy wizard
• Whitelisting (maximize security)
– The user adds the application and its sandbox to the whitelist
– Default deny security posture: applications not listed in the whitelist are not allowed to run.
• Hardened (additional security)
– Symantec-defined sandboxes included in policy for known applications
– Blocks software installation, protects DCP resources, protects OS resources, protects raw local disk, application data protection by default
• Basic (minimize operational risk)
– Symantec-defined sandboxes included in policy for known applications
– Blocks software installation and protects DCP resources by default
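The containment model described above and the three wizard strategies, written out as an added Python example (not Symantec's code or policy format): a whitelisted program gets only the resources its sandbox grants, an unlisted program is refused execution under Whitelisting, and under Hardened or Basic it runs but is kept off the protected resources. All sandbox names, paths and rules are constructed; AGENT_DIR_PLACEHOLDER stands in for the agent's own directory.

```python
import fnmatch
from dataclasses import dataclass, field

@dataclass
class Sandbox:
    """Resource rules for one program (hypothetical model of the page's sandbox)."""
    name: str
    allow: dict = field(default_factory=dict)  # resource class -> glob patterns granted
    deny: dict = field(default_factory=dict)   # resource class -> glob patterns refused
    default_allow: bool = False                # False = least privilege: deny unless granted

# Constructed defaults for programs without a sandbox of their own. Under Hardened and
# Basic the program still runs; only the protected resources are refused.
STRATEGY_DEFAULTS = {
    "basic": Sandbox("basic-default", default_allow=True, deny={
        "file": ["C:\\Program Files\\*", "C:\\AGENT_DIR_PLACEHOLDER\\*"]}),
    "hardened": Sandbox("hardened-default", default_allow=True, deny={
        "file": ["C:\\Program Files\\*", "C:\\Windows\\*", "\\\\.\\PhysicalDrive*",
                 "C:\\AGENT_DIR_PLACEHOLDER\\*"],
        "registry": ["HKLM\\SOFTWARE\\*", "HKLM\\SYSTEM\\*"]}),
}

def _hit(target, patterns):
    return any(fnmatch.fnmatchcase(target, p) for p in patterns)

def evaluate(strategy, program, sandboxes, resource, target):
    """Return (allowed, reason) for `program` touching `target` of class `resource`
    (file, registry, network, device) under "whitelisting", "hardened" or "basic"."""
    sandbox = sandboxes.get(program)
    if sandbox is None:
        if strategy == "whitelisting":   # default-deny posture: unlisted programs do not run
            return False, "not on whitelist: execution blocked"
        sandbox = STRATEGY_DEFAULTS[strategy]
    if _hit(target, sandbox.deny.get(resource, [])):
        return False, f"{sandbox.name}: explicit deny"
    if _hit(target, sandbox.allow.get(resource, [])):
        return True, f"{sandbox.name}: granted"
    if sandbox.default_allow:
        return True, f"{sandbox.name}: not a protected resource"
    return False, f"{sandbox.name}: no rule grants {resource} access"  # the containment

# Constructed whitelist entry: a web server worker that needs only its content tree,
# a temp directory and port 443, and nothing else on the host.
SANDBOXES = {"w3wp.exe": Sandbox("web-server", allow={
    "file": ["C:\\inetpub\\*", "C:\\Windows\\Temp\\*"], "network": ["tcp:443"]})}

if __name__ == "__main__":
    print(evaluate("whitelisting", "w3wp.exe", SANDBOXES, "file", "C:\\inetpub\\wwwroot\\a.html"))
    print(evaluate("whitelisting", "w3wp.exe", SANDBOXES, "file", "C:\\Windows\\System32\\cmd.exe"))
    print(evaluate("whitelisting", "dropper.exe", SANDBOXES, "file", "C:\\Temp\\x"))
    print(evaluate("hardened", "setup.exe", SANDBOXES, "registry", "HKLM\\SOFTWARE\\Vendor"))
```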
Increased protection
Reputation (from Global Intelligence Network)
Data for the SDCS:SA reputation display is:
• Drawn from Symantec Insight’s file-based reputation database
• Provided for existing applications as: Trusted, Good, Unproven, Poor, Bad
• If data is not available, Pending is displayed.
• Reputation is not available for custom applications defined by the user.
Process Reputation is displayed in the
Easy customization by using Hash, Publisher, and Signature Flags
New attributes that can be used to identify a process when:
• Creating or editing an application
• Creating or editing a sandbox rule
Attributes include:
• Hash
– Hash of the executable file on disk for a specific process
– MD5 and SHA256 hash algorithms are supported.
• Publisher
– Name of the publisher (Signer CN) represented in the digital certificate associated with the executable file
• Signature Flags
– Digital-signature-related data
– Includes: OS Components, Microsoft Signed, Symantec Signed, Signed and Trusted, Interactive Process, Service Process
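The three identification attributes, as an added Python example (not Symantec's code): a process record carrying its on-disk hash, Signer CN and signature flags is matched against rules that combine them, which shows why a hash rule pins exactly one build while a publisher rule survives a vendor update. The executable bytes, publisher name and flags are constructed.

```python
import hashlib
from dataclasses import dataclass
from typing import Optional, FrozenSet

@dataclass(frozen=True)
class ProcessInfo:
    """What a host agent knows about a process (hypothetical model, not the product's)."""
    path: str
    image: bytes                 # executable file bytes as read from disk
    publisher: Optional[str]     # Signer CN from the code-signing certificate; None if unsigned
    flags: FrozenSet[str]        # signature flags such as "Signed and Trusted", "Service Process"

    def hashes(self):
        return {"md5": hashlib.md5(self.image).hexdigest(),
                "sha256": hashlib.sha256(self.image).hexdigest()}

def matches_rule(proc, rule):
    """Every attribute present in `rule` must match (AND); a rule with one attribute is
    as broad as that attribute. Hashes compare case-insensitively, flags as a subset."""
    computed = proc.hashes()
    for algo in ("md5", "sha256"):
        if algo in rule and rule[algo].lower() != computed[algo]:
            return False
    if "publisher" in rule and proc.publisher != rule["publisher"]:
        return False
    if "flags" in rule and not frozenset(rule["flags"]) <= proc.flags:
        return False
    return True

# Constructed sample images: the same program before and after a vendor update.
IMAGE_V1 = b"MZ\x90\x00constructed sample executable, build 1"
IMAGE_V2 = b"MZ\x90\x00constructed sample executable, build 2"
SIGNED = frozenset({"Signed and Trusted", "Interactive Process"})

def demo():
    v1 = ProcessInfo("C:\\Program Files\\App\\app.exe", IMAGE_V1, "Example Publisher Inc", SIGNED)
    v2 = ProcessInfo("C:\\Program Files\\App\\app.exe", IMAGE_V2, "Example Publisher Inc", SIGNED)
    renamed = ProcessInfo("C:\\Temp\\x.exe", IMAGE_V1, "Example Publisher Inc", SIGNED)
    unsigned = ProcessInfo("C:\\Temp\\x.exe", IMAGE_V2, None, frozenset())
    hash_rule = {"sha256": v1.hashes()["sha256"].upper()}  # pins exactly one build
    publisher_rule = {"publisher": "Example Publisher Inc", "flags": ["Signed and Trusted"]}
    return {
        "hash_matches_renamed_copy": matches_rule(renamed, hash_rule),         # identity by content, not path
        "hash_matches_updated_build": matches_rule(v2, hash_rule),             # a patch breaks a hash rule
        "publisher_matches_updated_build": matches_rule(v2, publisher_rule),   # same signer survives
        "publisher_matches_unsigned_copy": matches_rule(unsigned, publisher_rule),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```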
Extending Coverage to Broader Platforms
>> We can protect your virtual infrastructure along with your existing physical systems in one console
CSP also covers: controller servers, thin clients, point of sale / payment processors, kiosks / ATMs, SCADA systems, medical devices
Flexible licensing
Advanced IT Analytics Reporting
• Provides multi-dimensional reporting
• Flexible ad-hoc/custom reporting
Use case 1: DC prevention (Windows Server)
The domain controller prevention features enable you to:
• Protect Active Directory (AD) data
– File data
• AD database files
• Log files
• Settings
– Registry data
• Service parameter settings for NTDS and NT File Replication Service (NTFRS)
Use case 2: Database Workload Prevention Feature
The database workload prevention features enable you to:
• Protect SQL Server data, including:
– File data
• Database and transaction log files
• Operations log files
• Backups
• Templates and other settings
– Registry data
• Service parameter settings for: SQL Server, Oracle RDBMS
• Policy enforces least privilege access to the database data
– User configuration is not required.
– Sandboxes requiring read or write access are granted access, and all others are denied any access.
SCSP Product Overview
Use case 3: PCI standard compliance / admin abuse prevention
Secure
• Network Protection – Server Host Firewall
• System and Application – Exploit Prevention & System Controls
– Host based
– Real-time prevention and detection
– Broad OS and application coverage
Audit / Monitor
• System and Application – Event and Text Log Monitoring
• System and Application – File, Configuration and Registry Monitoring
Respond
• Block changes from unauthorized users/apps
• Run actions in response
Use case 4: VMware ESX/Hyper-V protection
• VMware agent-less + agent protection
• Hyper-V agent protection
Hardened Virtual Infrastructure: VM – Advanced Security; Security SVA – Essential Security
Use case 5: POS/Kiosk/ATM system protection
• Contain valuable cardholder data
• Unauthorized applications can be installed
• Security vulnerabilities exist
• Target of insider abuse and attacks
• Data leakage through removable media
EIGHTY-FIVE PERCENT of breaches in 2011 involved POS terminals and servers
NINETY-SEVEN PERCENT
Use case 6: Patch mitigations
Use case 7: Zero-day / targeted attack protection
• Enforce least privilege access to the critical data
– Sandboxes requiring read or write access are granted access, and all others are denied any access.
License
• The title on the management console will always be “Symantec Security: Server” regardless of the offering
Offering | HIDS/HIPS (Client) | HIDS/HIPS (Server) | HIDS/HIPS (vSphere) | Agentless AV
SCSP v5.2.X | X | X | X | –
SDCS:S v6.0 | – | – | X | X
SDCS:SA v6.0 | X | X | X | X
SCSP Client v6.0 | X | – | – | –
Robust Security for the Data Centre
Components: Critical System Protection, CCS Vulnerability Manager, CCS Virtual Security Manager, CCS Standards Manager, CCS Assessment Manager, CCS Dashboard & Reports, covering physical and virtual systems (VM1, VM2, VM3 on ESX/ESXi, vCenter Server) and their Admin / VMware Admins
• Control & monitor VMware administrative, access & configuration workflow
• Harden vCenter based on VMware hardening guidelines
• Monitor & protect hypervisor configuration
• Harden & protect guest VMs with the same protection policies as physical servers
• Single pane of glass on security posture
• Evaluate ESX against the CIS hardening benchmark
• Evaluate systems against international or customized benchmarks
• Scan physical & virtual environment for vulnerabilities without an agent
• Assess people and processes
• Harden & protect systems from harm
Summary
• Policy based approach + admin control
• Broad cross platform coverage with a single console
• Minimal system performance overhead
• Comprehensive out-of-the-box policies and templates
• Elevates from reactive to comprehensive proactive
Symantec Solutions: Classification, Ownership, Threats, Encryption, Discovery, Compliance, Remediation, Reporting, Policy