Having the right tool for the job is as important in IT as anywhere else. It’s especially important when IT infrastructure—and business—security is at stake. But while organizations typically have security measures in place for their physical IT assets, they’re often left short-handed when they use virtualization to consolidate these assets. To make sure systems and data remain safe, they need new tools that are optimized for the virtual environment.
That’s because tools designed for physical infrastructures don’t provide protection for the additional layers of abstraction that virtualization creates—including the hypervisor, management stack and virtual network. And because tools designed for physical infrastructures also typically lack the automation found in virtual protection solutions, they can contribute to increased management complexity and cost.
The same is true for hybrid environments, where organizations deploy a mixture of physical and virtual technologies. A tool designed and deployed for physical equipment can leave virtual machines difficult to manage at best, unprotected at worst. The need for comprehensive protection becomes business critical as more and more organizations seek to achieve cost savings, streamline operations and simplify IT management by deploying virtual machines—and use virtualization as the basis for rapidly expanding cloud computing environments.
And security becomes increasingly important as agencies overseeing industry best practices and legal regulations, such as Sarbanes-Oxley (SOX), Health Insurance Portability and Accountability Act (HIPAA) and Payment Card Industry Data Security Standard (PCI DSS), recognize virtual environments as an accepted technology and lay down specific compliance guidelines for their operation and management.
Providing security for virtualized environments—and documenting security for regulatory compliance and audits—can be difficult, however. You need to ensure that security controls remain in place, even in the most dynamic environments. You need to deliver automated, preemptive intrusion protection, provide visibility into traffic between virtual machines, constantly apply evolving and updated protection measures, and reduce the burden on security administration.
Getting a better grip on virtualization security
This buyer’s guide outlines the features and capabilities of an effective virtualization security solution for VMware-based virtualization, addressing the following key areas:
1. Virtual machine automatic discovery
2. Virtual network access control
3. Virtual machine rootkit detection
4. Intrusion prevention and virtual patching
5. Hypervisor integration and inter-virtual machine traffic analysis
6. Security policy management
7. Infrastructure auditing and security event monitoring
8. Integration with other components of the security ecosystem
Each section of the guide provides a checklist of features to help you evaluate whether or not a solution effectively addresses each of these areas. You will also find tips to help you select solutions with the support—and a vendor with the financial stability—to address the full range of your virtualization security
1. Virtual machine automatic discovery
The ease of deploying virtual machines can be a mixed blessing. Business units or project teams can get dedicated systems faster than ever—but if many of these systems are deployed, IT can suffer from virtual machine sprawl. The problem can strike any virtualized environment, but it can be particularly acute in large environments. Not only may virtual machines be deployed in large numbers, but they may also remain in place after the need for them ends. Obsolete virtual machines can waste valuable machine resources and threaten security if they are improperly maintained or patched. Security tools designed for virtual environments, by contrast, can automatically discover virtual machines and maintain a comprehensive inventory. IT can use this inventory to eliminate redundant or obsolete assets—and reduce risk—or to provide security policies for virtual machines that remain in the environment. Effective discovery can increase security awareness and visibility across the virtual environment as well as enhance and streamline management.
Virtual machine automatic discovery
Look for a solution that: IBM | Other
● Automatically provides security administrators with a comprehensive inventory of virtual IT assets
● Provides up-to-date visibility and control from a single management console
● Helps mitigate risk by revealing unauthorized virtual machines
● Helps reduce hard-to-manage virtual machine sprawl, revealing obsolete and potentially insecure machines
● Enables network-level workload isolation
2. Virtual network access control
You need to be able to assess your virtual machines to know which are secure and which are not—and then determine which security policies you need to apply or what other actions are necessary to ensure protection for your environment. In dynamic virtualized environments, where the numbers and characteristics of virtual machines change rapidly, the ability to leverage system visibility to reduce risk and to control vulnerabilities can be particularly important. Until you have confirmed a virtual machine’s security posture, you should be able to limit access or even totally quarantine systems while you apply policies or otherwise remediate security issues.
Virtual network access control
Look for a solution that: IBM | Other
● Supports security with capabilities for controlling network access
● Assesses the security posture of discovered virtual machines
● Immediately applies a security policy to a new virtual machine if it detects one that applies
● Allows quarantine of virtual machines that do not meet security standards until issues are remediated or new policies are applied
3. Virtual machine rootkit detection
Attackers today are more sophisticated than ever, using techniques such as rootkits that can take complete control of a compromised system. Embedded into the operating system, a rootkit can be especially dangerous due to its ability to disguise its presence in the guest OS and disable host-based security solutions running on that same operating system. In a virtualized environment, a rootkit is unlikely to be detected by a security solution running on the same guest operating system. But virtualization does provide opportunities for rootkit detection that are not possible in physical systems—deploying security measures that are integrated with the hypervisor to run outside the guest system. From this external location, the security solution can interrogate the memory tables of all guest systems and detect whether rootkits are running. If a rootkit is present, an effective security solution should be able to take appropriate action such as quarantining the virtual machine from the rest of the network or taking the machine offline until remediation can be completed.
Virtual machine rootkit detection
Look for a solution that: IBM | Other
● Integrates into the hypervisor to run outside the guest operating system
● Examines memory tables of the guest operating system to detect rootkits
● Transparently identifies rootkit activity within virtual machines
● Identifies rootkits using agentless technology
● Quarantines compromised virtual machines until remediation is made
4. Intrusion prevention and virtual patching
The speed with which virtual machines can be configured and deployed results in highly dynamic environments. To keep up with change—and to prevent attacks that can target even the shortest lapse in prevention—IT must have automated and quick-acting response tools ready to protect virtual machines as they come online or migrate from one physical host to another. Support from an industry-leading security research organization can play a significant role in intrusion prevention. A team of security experts focused on researching and evaluating vulnerabilities and security issues can develop assessment and countermeasure technologies, disseminate reports that provide actionable information on Internet-based threats and provide security content updates that protect against the most recent forms of attack. A comprehensive approach can raise prevention to a higher level of effectiveness with detection and prevention of entire classes of threats, as opposed to a specific exploit or vulnerability.
Intrusion prevention and virtual patching
Look for a solution that: IBM | Other
● Delivers preemptive intrusion prevention, proactively protecting all virtual machines running on each VMware ESX physical host
● Provides agentless intrusion prevention and firewall protection for defense-in-depth security
● Automatically protects each virtual machine as it comes online, quarantining insecure machines
● Continuously protects virtual machines, even as they migrate from host to host
● Provides zero-day protection to reduce the need for emergency software patching
● Protects virtual web servers from attacks including SQL injection, cross-site scripting, PHP file includes and cross-site request forgery
● Provides client-side application protection for attacks against applications, including those from Microsoft Office and Adobe, against multimedia files and against web browsers
● Creates protocols that are the basis for intrusion prevention
● Enables deep packet inspection of traffic across both physical and virtual networks to identify issues at the protocol level
● Provides protection against entire classes of attacks
● Enables virtual patching to block attacks when conventional patching is not available
● Provides security that is both automatic and transparent
● Increases the efficiency of application teams by eliminating the need to build security into their virtual machines
● Is backed by an industry-leading security research organization
● Maintains a comprehensive vulnerability database
● Analyzes all publicly disclosed software vulnerabilities
● Regularly updates security content
5. Hypervisor integration and inter-virtual machine traffic analysis
Visibility into systems is a key element of managing any infrastructure—physical or virtualized. But in a virtualized environment, where network traffic between virtual machines within the same physical server does not exit the host machine, traffic can go undetected. A security system that integrates with the hypervisor, however, can eliminate these blind spots and protect against threats that otherwise may not be visible.
A solution designed for virtualized environments can monitor traffic between virtual machines to stop threats before they impact the environment.
An effective protection system can add analysis of packets traveling between virtual machines, decoding protocols to identify anomalies that may be potential attempts to exploit system vulnerabilities. Working hand-in-hand with its intrusion protection capabilities, the system should be able to provide preemptive protection against a wide variety of Internet-based threats including exploits hidden in applications used every day.
Hypervisor integration and inter-virtual machine traffic analysis
Look for a solution that: IBM | Other
● Provides visibility across physical and virtual networks by integrating with the hypervisor
● Places security at the optimal place in the topology to provide the most effective and efficient security for virtualized endpoints
● Protects against attacks such as hypervisor escape, hyperjacking and virtual machine man-in-the-middle that first require compromising the system through a guest virtual machine or the management infrastructure
● Uses an analysis module to decode protocols and identify anomalies that could be exploits
● Inspects both physical and virtual network traffic
● Detects and reports on virtual machine lifecycle events for enhanced, centralized monitoring
● Optimizes the security footprint by providing a single security virtual machine that protects all guest virtual machines on that physical host, providing agentless security
● Provides firewall and intrusion prevention without the need for a host-based agent
● Centralizes management of third-party anti-malware and firewall protection
● Minimizes impact on network performance, disks and memory because the agent is itself a virtual machine, allowing the user to precisely allocate machine resources
● Protects all platforms supported by VMware because security enforcement occurs at the hypervisor level, not in the guest OS
6. Security policy management
A central point of management can simplify, streamline and support effective control of security policy, analysis, alerting and reporting, as well as system configurations for virtualized environments. It can consolidate and analyze security events through real-time monitoring and reporting, and it can implement corrective actions quickly by pushing policies and updating security intelligence across the infrastructure. When virtualized machines proliferate in very large numbers, highly scalable security capabilities can be particularly important, extending the reach and ability of administrators to perform numerous functions across multiple virtual machines from a single console. Such an approach can save time and enable more complex analyses and reporting. It can define classes of virtual machines and provide fine-grained control of security policies applied to different machines. It can segment the virtual network with firewall policies that control communications between machines. It can automatically send security policies to devices and sensors, and make automatic updates to those policies as they change in response to changing regulations, standards and organizational processes.
Security policy management
Look for a solution that: IBM | Other
● Provides continuous security policy enforcement as virtual machines migrate across physical hosts
● Allows fine-grained identification of security policies applied in the environment
● Allows defining classes of virtual machines for applying different policies as they are needed
● Allows centralized policy definition with centralized control of policy application across the environment
● Simplifies management with a centralized dashboard view that provides at-a-glance status on current threat events, their severity, their sources and overall system health
● Automatically pushes security policies and updates out to intrusion prevention mechanisms
● Boosts developer productivity by shifting some responsibility for application security to the IT security team
● Reduces risk of a breach by consistently applying security policy across all applications
● Controls which application types (e.g. peer-to-peer clients, IM clients, Skype, etc.) are allowed to access the network and which are not
● Bases its content updates on industry-leading research and development
● Provides relevant security information to enable action—from blocking intruders to pushing updated policies
● Provides the ability to analyze security information based on filters
● Provides a variety of default report templates with easy template customization
● Identifies, manages and reports on policy exceptions and deviations with security and compliance analytics
● Implements corrective actions quickly by pushing policies and updating security intelligence
● Extends the reach and ability of a single administrator to perform numerous functions across multiple devices from a single console
7. Infrastructure auditing and security event monitoring
Ongoing visibility and security actions are key to keeping the virtualized infrastructure safe—so administrators need tools that enable them to monitor lifecycle events including creation, starting, stopping, suspension and deletion of virtual machines; analyze operational activities, including system access; and take appropriate actions. By generating real-time information about events occurring in the system and then aggregating those events for centralized log data analysis and event management, administrators can create an audit trail to support corrective actions or to document security measures in support of regulatory compliance.
In the highly abstracted environments created by virtualization, visibility is essential to supporting infrastructure auditing and security event monitoring. Gaps in visibility and manual administration errors—such as those that typically occur when solutions designed for managing physical systems are applied to virtualized environments—can leave the infrastructure exposed to attacks, or they can result in incomplete compliance reports and failed audits. By comparison, deep insight into and intelligence about the virtualized environment can be a key component to managing risk and promoting necessary levels of security.
Infrastructure auditing and security event monitoring
Look for a solution that: IBM | Other
● Is optimized for a virtualized environment to provide necessary levels of system visibility
● Generates real-time alerts about events occurring in the environment
● Aggregates events to provide an audit trail for forensic analysis and lease administration
● Helps detect suspicious or malicious activity by generating a security event whenever a virtual machine is powered on/off or added/removed from the environment
● Supports regulatory compliance using audit and analysis data
● Provides deep insight and intelligence about the environment
● Extracts data from monitoring systems and analyzes log data
● Correlates security events with network flow behavioral data
● Provides the reporting necessary to demonstrate that sensitive information is being protected
● Simplifies log management, and provides the ability to expand event processing capacity in the future
● Performs real-time collection, storage, indexing, correlation and analysis of log data
● Provides global views of all event activity, with federated global searching and correlation and centralized management, analysis and reporting
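As an added example (not code from IBM or from this buyer's guide), the following Python replays a constructed virtual machine lifecycle event log against an approved inventory: every power on/off, add/remove or migration becomes a security event for the audit trail described in section 7, and machines missing from the inventory or left powered off past a threshold are reported as the unauthorized and obsolete machines described in section 1. The event line layout, event names, host and VM names and the 14-day threshold are all assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Set, Tuple

# Constructed lifecycle event log. The "timestamp host vm event" layout and the
# event names are assumptions for this example, not a real product's log format.
SAMPLE_EVENTS = """\
2013-03-01T08:00:00 esx01 web-01 VmCreatedEvent
2013-03-01T08:01:00 esx01 web-01 VmPoweredOnEvent
2013-03-02T09:30:00 esx02 db-01 VmPoweredOnEvent
2013-03-05T17:45:00 esx02 db-01 VmPoweredOffEvent
2013-03-10T23:10:00 esx03 lab-test-7 VmCreatedEvent
2013-03-10T23:11:00 esx03 lab-test-7 VmPoweredOnEvent
2013-03-12T10:00:00 esx02 web-01 VmMigratedEvent
2013-03-20T11:00:00 esx02 old-build VmRemovedEvent
"""

# Approved inventory maintained by IT (constructed for the example).
APPROVED_VMS: Set[str] = {"web-01", "db-01", "old-build"}
OBSOLETE_AFTER = timedelta(days=14)  # assumed sprawl threshold


@dataclass
class VmState:
    host: str
    powered_on: bool = False
    powered_off_at: Optional[datetime] = None


@dataclass
class Finding:
    when: datetime
    vm: str
    kind: str  # "lifecycle", "unauthorized" or "obsolete"
    detail: str


def parse_event(line: str) -> Tuple[datetime, str, str, str]:
    ts, host, vm, event = line.split()
    return datetime.fromisoformat(ts), host, vm, event


def reconcile(event_text: str, approved: Set[str], now: datetime,
              obsolete_after: timedelta = OBSOLETE_AFTER
              ) -> Tuple[Dict[str, VmState], List[Finding]]:
    """Replay lifecycle events, keep a live inventory and emit findings."""
    inventory: Dict[str, VmState] = {}
    findings: List[Finding] = []
    flagged: Set[str] = set()
    for line in event_text.splitlines():
        if not line.strip():
            continue
        when, host, vm, event = parse_event(line)
        # Section 7: every lifecycle event becomes a security event for the audit trail.
        findings.append(Finding(when, vm, "lifecycle", f"{event} on {host}"))
        if event == "VmRemovedEvent":
            inventory.pop(vm, None)
            continue
        state = inventory.setdefault(vm, VmState(host=host))
        state.host = host  # a migration moves the VM to a new host
        if event == "VmPoweredOnEvent":
            state.powered_on, state.powered_off_at = True, None
        elif event == "VmPoweredOffEvent":
            state.powered_on, state.powered_off_at = False, when
        # Section 1: a VM that shows up but is not in the approved inventory.
        if vm not in approved and vm not in flagged:
            flagged.add(vm)
            findings.append(Finding(when, vm, "unauthorized",
                                    f"not in approved inventory; seen on {host}"))
    # Section 1: sprawl candidates, VMs left powered off beyond the threshold.
    for vm, state in inventory.items():
        if (not state.powered_on and state.powered_off_at is not None
                and now - state.powered_off_at > obsolete_after):
            findings.append(Finding(now, vm, "obsolete",
                                    f"powered off since {state.powered_off_at.isoformat()}"))
    return inventory, findings


def summarize(findings: List[Finding]) -> Dict[str, List[str]]:
    """Group finding kinds to VM names, e.g. for a dashboard or a SIEM forward."""
    out: Dict[str, List[str]] = {}
    for f in findings:
        out.setdefault(f.kind, []).append(f.vm)
    return out


def audit_sample(now_iso: str = "2013-03-25T00:00:00", obsolete_days: int = 14):
    """Run the reconciliation over the constructed sample as of a given time."""
    return reconcile(SAMPLE_EVENTS, APPROVED_VMS, datetime.fromisoformat(now_iso),
                     timedelta(days=obsolete_days))


if __name__ == "__main__":
    for f in audit_sample()[1]:
        print(f"{f.when.isoformat()} {f.kind:12} {f.vm:12} {f.detail}")
```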
8. Integration with other components of the security ecosystem
The sheer size of many virtualized environments means that no one tool can address all possible issues. The effectiveness of a security management solution can be enhanced, however, by integration with related security systems. Integration can add, for example, critical foundational components that improve system capabilities, such as anti-malware protection. Or it can provide supplemental functionality that improves the way the solution works, such as adding agent-based policy delivery on top of an existing agentless approach. An overall security intelligence approach could provide rich context and actionable information for detection, forensics and remediation of stealthy threats.
Seamlessly adding agent-based patch management to existing virtual patching capabilities similarly extends functionality. Adding capabilities designed explicitly for security and compliance makes governance and reporting more effective, consistent and reliable. Automation helps streamline IT operations and reduce labor costs. A single, unified interface supports the visibility necessary to control and understand events and to discover and remediate problems.
Integration with other components of the security ecosystem
Look for a solution that: IBM | Other
● Integrates with solutions that provide anti-malware protection to supplement its own intrusion prevention, firewall capabilities and rootkit detection
● Integrates with agent-based solutions to provide enhanced security with greater system visibility
● Integrates with patch management solutions to supplement its own virtual patch capabilities
● Integrates with security and compliance offerings to add governance at the guest operating system level
● Offers tight integration that enables analytics and reporting for advanced, intelligent threat detection and remediation
● Optimizes security footprint, maximizing virtual machine density, while helping to reduce security risk
● Manages thousands of servers, physical and virtual, regardless of location, connection type or status
● Automatically manages patches for multiple operating systems and applications
● Achieves continuous compliance with automated audit cycles measured in minutes rather than weeks
● Shows trending and analysis of security configuration changes through advanced security and compliance analytics reporting
● Includes comprehensive capabilities for delivering patches, with real-time reporting and automatic confirmation applied for a complete closed-loop solution
● Specifies policies for internal and external connections, ensuring that virtual machines have the right level of protection for any given connection profile
● Enables real-time response to zero-day attacks through ad hoc, closed-loop remediation
● Contains a comprehensive library of technical controls based on best practices to support security compliance
● Enables integration with technologies such as help-desk systems, asset management systems, configuration management databases (CMDBs) and security information and event management (SIEM) systems
Selecting the right virtualization security provider
The provider you choose should be able to support the full breadth of your virtualization security requirements. Ideally, you will also want a provider that can support you throughout the process of implementing the solution. Before you select a provider, be sure to ask these questions:
Does your provider support your organizational goals through its technology?
Look for providers whose solutions align with your organization’s objectives. Do their solutions promote efficiencies, reduce business service deployment time, reduce costs and enhance compliance?
Does your provider offer part of the total solution or the complete solution?
With a provider that is focused too narrowly on a solution that addresses only a particular virtualization or security requirement, you can run into an “islands of management” problem. Solution costs, and the time it takes to manage multiple providers, can rise dramatically when multiple providers are involved. Look for a provider with a complete portfolio of security offerings.
What type of global presence does your provider have?
If your organization has international offices, you should look for a provider with a global presence and proven international experience. Make sure the provider can support your offices abroad with its own local resources.
Is the solution supported by a mature support organization with the expertise and bandwidth you can rely on when you need them?
Your provider should offer highly responsive and highly effective customer support. Find a provider with a proven support organization to help you maximize the value of your security investment.
How sure are you of your provider’s stability and staying power in today’s economy?
A big issue in a challenging economy is provider stability and viability. You should consider a provider with a long history in the industry, a solid, forward-looking strategy and the resources to withstand adverse economic times.
Can your provider deliver products that are strategically designed and technically superior?
When comparing various security solutions, look for technical superiority—well-designed functionality, an intelligent architectural design and broad support for industry standards.
Reduce security risks and costs with real-time threat protection
Purpose-built to protect virtualized environments, IBM Security Virtual Server Protection for VMware
performance—the solution provides built-in capabilities for ensuring system security and integrates with other IBM solutions for expanded protection capabilities. Among these IBM solutions and capabilities are:
● IBM Security SiteProtector™ System: Centralized command control for identifying and applying security policies and for consolidating and analyzing security events using real-time monitoring and reporting. Built into IBM Security Virtual Server Protection for VMware, this highly scalable approach enables complex analyses and reporting for enhancing business intelligence.
● IBM X-FORCE®: An industry-leading research and development team that researches and monitors the latest Internet threat trends to develop security content for organizations that rely on IBM security solutions. X-FORCE research helps protect virtual machines from the latest methods of attack through extensive monitoring, recording and auditing capabilities.
● Protocol Analysis Module: A deep-packet inspection engine produced by IBM X-FORCE and built into IBM Security Virtual Server Protection for VMware, designed to enable preemptive protection against a wide variety of Internet threats, including exploits hidden in applications.
● IBM Endpoint Manager for Security and Compliance: An agent-based approach to providing unified, real-time visibility and enforcement to protect complex and highly distributed environments.
● IBM Endpoint Manager for Core Protection: Centralized, automated, real-time protection designed to prevent attacks by malware before it can exploit system vulnerabilities.
● IBM Endpoint Manager for Patch Management: Automatic capabilities for distributing and installing patches for multiple operating systems and applications across physical systems and virtual machines, regardless of location.
● QRadar Network Anomaly Detection: Applies sophisticated analytics to help identify network anomalies and abnormal behavior, including activity associated with advanced threats and zero-day exploits.
Designed to provide protection not only to virtualized, but also to hybrid environments that combine both virtual and physical infrastructures, IBM Security Virtual Server Protection for VMware is a centralized approach to managing virtual machines alongside existing IT security technology for greater efficiency and scalability. With built-in capabilities such as the proprietary IBM Virtual Patch® technology, this comprehensive, end-to-end approach to virtualization security can help organizations meet regulatory compliance standards by limiting access to data, tracking user access to virtual machines and providing accurate reporting.
The IBM solution’s advanced threat protection strategy protects at the network layer by strengthening and integrating network security, analytics and threat intelligence capabilities. Tight integration between IBM network security products, X-FORCE intelligence feeds and QRadar Security Intelligence Platform enables purpose-built analytics and reporting for advanced threat detection and remediation.
risk management, endpoint management, network security and more. IBM operates the world’s broadest security research and development organization and delivery organization. This comprises nine security operations centers, nine IBM Research centers, 11 software security development labs and an Institute for Advanced Security with chapters in the United States, Europe and Asia Pacific. IBM monitors 13 billion security events per day in more than 130 countries and holds more than 3,000 security patents.
IBM Global Financing can help you acquire the software capabilities that your business needs in the most cost-effective and strategic way possible. We’ll partner with credit-qualified clients to customize a financing solution to suit your business and development goals, enable effective cash management, and improve your total cost of ownership. For more information, visit: ibm.com/financing
IBM, the IBM logo, ibm.com, System x, Virtual Patch, and X-FORCE are trademarks of International Business Machines Corp., registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the web at “Copyright and trademark information” at ibm.com/legal/copytrade.shtml
This document is current as of the initial date of publication and may be changed by IBM at any time. Not all offerings are available in every country in which IBM operates.
THE INFORMATION IN THIS DOCUMENT IS PROVIDED “AS IS” WITHOUT ANY WARRANTY, EXPRESS OR IMPLIED, INCLUDING WITHOUT ANY WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND ANY WARRANTY OR CONDITION OF NON-INFRINGEMENT. IBM products are warranted according to the terms and conditions of the agreements under which they are provided. The client is responsible for ensuring compliance with laws and regulations applicable to it. IBM does not provide legal advice or represent or warrant that its services or products will ensure that the client is in compliance with any law or regulation.
Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed or misappropriated or can result in damage to or misuse of your systems, including to attack others. No IT system or product should be considered completely secure and no single product or security measure can be completely effective in preventing improper access. IBM systems and products are designed to be part of a comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective. IBM does not warrant that systems and products are immune from the malicious or illegal conduct of any party.