Data Center Security &
Control Compliance Suite
Olaf Mischkovsky & Armin Schneider
SYMANTEC VISION SYMPOSIUM 2014 2
Agenda
• Symantec Data Center Security & Compliance Offering: Products Today & Why we grouped them together
• Data Center & Server Protection with: Data Center Security: Server & Server Advanced
• Compliance Monitoring & Unified Assessment with: Control Compliance Suite
• Symantec Data Center Security Portfolio: Moving Forward
• Summary & additional Information
Symantec Data Center Security & Compliance Offering
Data Center Security & Compliance Business Unit: Products Today
• Server Hardening & Monitoring: Data Center Security: Server & Server Advanced
• Threat Protection & Intelligence: Symantec Protection Engine
• Compliance & Security Assessment: Control Compliance Suite
Why Data Center Security & Compliance together?
• Common Target: The Data Center (Physical & Virtual Servers, Applications & Data Stores)
• Common Buyer: Security Office, Data Center Operations, Server Management
• Common Platforms: Windows, Linux, UNIX, Database & Middleware Applications
• Common Processes: Decision Processes, Change Control and Implementation Processes, …
But what else … ? New Security Challenges
Environments: Public Cloud, Private Cloud, On-Premise Physical
Point solutions in play: IDS/IPS, DLP, Encryption, Antimalware, VM Hardening, SIEM, Configuration management
1. Asset inventory
2. Many point solutions
3. Rapid rate of change
4. New and expanding attack surfaces
5. No infrastructure control
Servers are the Target: “Endpoints simply provide an initial foothold”
Variety of compromised assets across 47,000+ security incidents
Verizon 2013 Data Breach Investigations Report: “When you consider the methods used by attackers to gain a foothold in organizations – Brute Force, stolen creds, phishing, tampering – It’s really not all that surprising that none receive the high difficulty rating…”
97% of stolen data is from servers
Compromising Servers
Most breaches are caused by:
• Unpatched systems: operating systems, applications
• Careless mistakes: system configuration
• Zero day vulnerabilities
• Targeted malware
• Malicious employees
• Stolen credentials
• Untrusted applications
Segmented Physical/Virtual Security Solutions with DCS
SDDC capabilities:
1. Asset inventory; Centralized Risk Management
2. Integrated protection for workloads, SDNs, and data intensive applications
3. Automated security context and templates; Security orchestration
4. Integrated security intelligence for internal/external threats/vulnerabilities
5. Public Cloud Protection
Components:
• DCS Server Security: Advanced Threat Protection; Server & Hypervisor Hardening
• DCS Data Store Security: Data and Messaging Protection
• DCS Unified Assessment: Secure configuration management; Vulnerability assessment
• Operations Director: Integrated security intelligence and orchestration
• Public Cloud: Public Cloud Protection
Data Center & Server Protection with: Data Center Security: Server & Server Advanced
What do Hackers Target on Systems? SDCS: Server Advanced
Targets: Registry, Config Files, Portable Storage Devices, Applications, Operating System, Memory
Controls:
• Enforce Registry Integrity
• Enforce File Integrity
• Enforce Memory Protection
• Enforce network controls
• Enforce device controls
• Enforce application activity
Why SDCS: Server Advanced on Servers?
Symantec Data Center Security: Server Advanced
Features: Policy based protection, System lock down, Application Whitelisting, Privilege de-escalation, Exploit/malware prevention, Remediation automation, Compliance enforcement, Real-time file integrity monitoring, User Monitoring, Broad OS and platform coverage, Agentless AV Protection*
*Agentless AV protection will be covered in a separate SSE+ Technical Sales presentation
Value: Detection + Prevention + Agentless Antimalware Protection*
• Complete protection across physical and virtual servers
• High performance and reduced downtime
• Lower cost management and administration
Behavior Blocking vs. Traditional Protection
Traditional Approach: Blacklist Malware
• Malware signatures: 30 million and growing @ xxx / month (DLoader.AMHZW \ Exploit_Gen.HOW \ Hacktool.KDY \ INF/AutoRun.HK \ JS/BomOrkut.A \ JS/Exploit.GX \ JS/FakeCodec.B \ JS/Iframe.BZ \ JS/Redirector.AH \ KillAV.MPK \ LNK/CplLnk.K ….)
• Signature based
• Stops only what is known
• Reactive
• Ineffective on: Zero Day
• Protects itself from misbehaved applications or users
• Requires extra layers of security
Behavior Blocking: Sandboxing/Whitelisting
• Application and OS behavior control, as defined by prevention policy
• Policy based
• Stops the unknown
• Proactive
• Effective for: Zero day
• Protects the OS from misbehaved applications or users
• Protects applications from each other
Sandboxing is Highly Effective at Stopping Zero-Day Attacks
• Based on fundamental security principles: Least Privilege Access Control
• Highly effective against malware (known & unknown)
• Containment model limits the potential for exploitation
• Applicable to all environments and applications
• Dramatically improves security posture
Architecture: the SDCS:SA Agent (Behavior Control Agent, a kernel mode intercept driver for Windows, Solaris and Linux) sits between User Applications and Core OS Services (Web, DB, Mail, etc.) and the resources they request: Files, Named Pipes, Registry (Win only), Network Controls, Memory (Buffer Overflow), OS Calls, Devices. The agent communicates with the SDCS:SA Management Server over HTTPS.
Zero Trust Model with Sandboxing to Protect Servers
Creates a “sandbox” for one or more programs (processes) using a policy that defines Least Privilege Access Controls or “acceptable” resource access behaviors.
• Most programs require a limited set of resources and access rights to perform normal functions
• But most programs have privileges and resource rights far beyond what is required – attacks readily exploit this gap
Granular Resource Constraints (Host): Process Access Control over Files, Registry, Network, Devices, Memory, file system and configuration info, usage of ports and devices, etc.
Default “Sandbox”: defaults for Services or Daemons (e.g. DNS Server, Kernel, RPC) and for Interactive Applications (e.g. Outlook, CMD, Chrome)
Lockdown Critical System with Whitelisting Policy
• Intuitive prevention policy wizard to reduce time and complexity during policy creation
• Application discovery during policy creation
• Symantec Insight application reputation
• Fine grained application control rules using file hashes
• General application rules using signed and trusted root
Use Case: Domain Controller (AD Server) Lockdown
• Domain Controllers are often targets of attacks
• Theft of database file gives attackers access to user accounts
• Restrict access to database files (ntds.dit, edb.log, and temp.edb) & registry keys
• Restrict network access to Domain Controller
• Prevent FTP traffic to and from system, except by authorized users or applications
*SDCS:SA provides AD Server protection w/ out-of-box Policy
System Control: Control Privileged Users & Resources
1. SDCS:SA policies restrict access to critical resources by all users and processes
2. Unauthorized access, regardless of privileges, is blocked
3. Policy can allow certain users or applications to make changes
4. Trusted user or application allowed to make selective changes
Use Case: Administrator Privilege De-Escalation
• Administrator and root accounts hold the key to the entire system
• Administrator privilege de-escalation can be achieved by locking specific resources against a specific set of users/groups
• The users/groups are only allowed to read/write those resources via a specific application
• In case of a breach the locked resources are still protected
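The sandbox, domain-controller lockdown and privilege de-escalation slides above describe one policy model: critical resources are locked for every user and process, Administrator or root gets no implicit bypass, and trusted programs or accounts are exempted selectively, while a sandboxed program may only touch what its allow-list names. The Python below is an added example written for this transcript, not SDCS:SA code or its policy language. The "file:/reg:/net:" resource naming, the Request/ProtectedResource/Sandbox/Policy classes, and the backup agent, transfer tool and admin group names (backup-agent.exe, approved-transfer.exe, CORP\dc-admins) are assumptions chosen for illustration; the NTDS file names come from the use case above.

```python
"""Default-deny, least-privilege access policy evaluator.

Added example for this transcript, not SDCS:SA code or its policy language.
The "file:/reg:/net:" resource naming and the class layout are constructed;
backup-agent.exe, approved-transfer.exe and CORP\\dc-admins are hypothetical.
"""
from dataclasses import dataclass
from fnmatch import fnmatchcase


@dataclass(frozen=True)
class Request:
    """One attempted access, as a kernel intercept driver would report it."""
    process: str   # image name of the requesting process
    user: str      # account the process runs as
    resource: str  # "file:<path>", "reg:<key>" or "net:<proto>/<port>"
    action: str    # "read", "write", "connect" or "listen"


@dataclass(frozen=True)
class ProtectedResource:
    """A critical resource locked for all users and processes, with exemptions."""
    pattern: str
    actions: frozenset
    trusted_processes: frozenset = frozenset()
    trusted_users: frozenset = frozenset()

    def covers(self, req):
        return req.action in self.actions and fnmatchcase(req.resource, self.pattern)

    def exempts(self, req):
        return req.process in self.trusted_processes or req.user in self.trusted_users


@dataclass(frozen=True)
class Sandbox:
    """Allow-list for one program: any access not listed is blocked."""
    process: str
    allowed: tuple  # of (resource pattern, frozenset of actions)

    def permits(self, req):
        return any(req.action in acts and fnmatchcase(req.resource, pat)
                   for pat, acts in self.allowed)


class Policy:
    def __init__(self, protected, sandboxes):
        self.protected = list(protected)
        self.sandboxes = {box.process: box for box in sandboxes}

    def evaluate(self, req):
        """Return ("allow" | "block", reason) for one request."""
        # 1. Critical resources are locked for everyone.  Administrator or root
        #    gets no bypass unless the rule names the account or program as trusted.
        for rule in self.protected:
            if rule.covers(req):
                if rule.exempts(req):
                    return "allow", f"trusted exemption for {rule.pattern}"
                return "block", f"protected resource {rule.pattern}"
        # 2. A sandboxed program may only touch what its allow-list names.
        box = self.sandboxes.get(req.process)
        if box is not None:
            if box.permits(req):
                return "allow", f"inside sandbox of {req.process}"
            return "block", f"outside sandbox of {req.process}"
        # 3. Unsandboxed program, unprotected resource: the default permits it.
        return "allow", "resource not protected"


R = frozenset
NTDS = "file:C:\\Windows\\NTDS\\"
AD_DB_TRUSTED = R({"lsass.exe", "backup-agent.exe"})  # backup agent name is hypothetical

# Constructed domain-controller lockdown policy following the use case above.
DC_POLICY = Policy(
    protected=[
        # AD database and transaction logs: readable/writable only by the directory
        # service itself and the designated backup agent, whoever the user is.
        ProtectedResource(NTDS + "ntds.dit", R({"read", "write"}), trusted_processes=AD_DB_TRUSTED),
        ProtectedResource(NTDS + "edb.log", R({"read", "write"}), trusted_processes=AD_DB_TRUSTED),
        ProtectedResource(NTDS + "temp.edb", R({"read", "write"}), trusted_processes=AD_DB_TRUSTED),
        # Directory service registry keys: writable only by one named admin group.
        ProtectedResource("reg:HKLM\\SYSTEM\\CurrentControlSet\\Services\\NTDS\\*",
                          R({"write"}), trusted_users=R({"CORP\\dc-admins"})),
        # FTP to or from the DC is blocked except for one approved transfer tool.
        ProtectedResource("net:tcp/21", R({"connect", "listen"}),
                          trusted_processes=R({"approved-transfer.exe"})),
    ],
    sandboxes=[
        # The DNS service needs its zone directory and port 53, nothing else.
        Sandbox("dns.exe", (
            ("file:C:\\Windows\\System32\\dns\\*", R({"read", "write"})),
            ("net:udp/53", R({"listen"})),
            ("net:tcp/53", R({"listen"})),
        )),
    ],
)
```

`DC_POLICY.evaluate(Request("cmd.exe", "CORP\\Administrator", NTDS + "ntds.dit", "read"))` returns `("block", ...)` even though the account is an administrator, which is the privilege de-escalation point of the slides; the same request from `lsass.exe` is allowed, and `dns.exe` writing outside its zone directory is blocked by its sandbox rather than by a protected-resource rule.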
Use Case: Harden Virtual Environments
• VSC03 – Restrict access to SSL certificates
• VSH02 – Keep VMware center system properly patched
• VSC05 – Restrict network access to VMware vCenter server system
• VSH04 – Avoid user login to VMware vCenter server system
• VSC06 – Block access to ports not being used by VMware vCenter
Detection: Auditing and Alerting
SDCS:SA Detection: Monitors for Configuration Changes (Change Detection)
• File and Registry Change Detection
• Security Configuration Changes
• Group Management Changes
• Active Directory Changes
• Shares Configuration Changes
• Domain Trust Changes
• User/Group Account Modification
• Fine Grained System Activity
• Malware/Spyware Detection
• USB Device Activity
• Monitors ESXi host configuration and VMX files
Real-Time Change Detection = Situational Awareness
PCI Section 11: File Integrity Monitoring Requirements (FIM)
• SDCS: Server Advanced offers continuous (real-time) File Integrity Monitoring (RTFIM)
• No scanning, no OS auditing required
• Captures server/file/user name, timestamp, change type, change content, program that made change
• Uses SHA-256 hashes
Feature comparison, Competitor FIM vs. SDCS:SA RTFIM: real-time change detection and alerts; requires auditing enabled on Windows
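As an added example, not SDCS:SA's RTFIM implementation, the Python below shows the hashing side of file integrity monitoring: a SHA-256 baseline of a directory tree, a second pass, and a change list carrying file name, change type, old and new hash, size and timestamp. It is a user-space scan, which is what the slide says the agent avoids, and it cannot attribute the user or program that made a change; that needs the kernel-level interception described earlier. The directory layout and file contents are constructed, and the deliberately same-length edit to app.conf shows why a hash, not a size or timestamp check, is the detection signal.

```python
"""Baseline-and-compare file integrity monitor using SHA-256.

Added example for this transcript, not SDCS:SA code.  A user-space scan like
this records what changed and when; who changed it and with which program is
only available to a kernel-level interceptor.  Demo files are constructed.
"""
import hashlib
import os
import tempfile
from dataclasses import dataclass
from datetime import datetime, timezone


def sha256_file(path, chunk_size=65536):
    """Stream the file through SHA-256 so large files are never fully in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def snapshot(root):
    """Map each regular file under root (relative, '/'-separated) to (sha256, size)."""
    state = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            state[rel] = (sha256_file(full), os.path.getsize(full))
    return state


@dataclass(frozen=True)
class Change:
    path: str
    change_type: str   # "created", "modified" or "deleted"
    old_hash: str      # "" for created files
    new_hash: str      # "" for deleted files
    detail: str
    timestamp: str


def diff_snapshots(before, after, now=None):
    """Compare two snapshots; a hash mismatch is a modification even at equal size."""
    ts = (now or datetime.now(timezone.utc)).isoformat()
    changes = []
    for path in sorted(set(before) | set(after)):
        old, new = before.get(path), after.get(path)
        if old is None:
            changes.append(Change(path, "created", "", new[0], f"{new[1]} bytes", ts))
        elif new is None:
            changes.append(Change(path, "deleted", old[0], "", f"was {old[1]} bytes", ts))
        elif old[0] != new[0]:
            changes.append(Change(path, "modified", old[0], new[0],
                                  f"size {old[1]} -> {new[1]} bytes", ts))
    return changes


def _write(root, rel, data):
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as fh:
        fh.write(data)


def demo_changes():
    """Constructed scenario: one file modified in place, one created, one deleted."""
    with tempfile.TemporaryDirectory() as root:
        _write(root, "etc/app.conf", b"debug=false\n")
        _write(root, "etc/unchanged.conf", b"keep=1\n")
        _write(root, "logs/old.log", b"bye\n")
        baseline = snapshot(root)
        _write(root, "etc/app.conf", b"debug=true!\n")   # same 12-byte length as before
        _write(root, "bin/dropped.exe", b"MZ\x90\x00")
        os.remove(os.path.join(root, "logs", "old.log"))
        return diff_snapshots(baseline, snapshot(root))


if __name__ == "__main__":
    for c in demo_changes():
        print(c.timestamp, c.change_type, c.path, c.detail,
              c.old_hash[:12] or "-", c.new_hash[:12] or "-")
```

Running the block prints three changes and nothing for etc/unchanged.conf; the app.conf entry reports `size 12 -> 12 bytes` with two different hashes, which is the case a size-only or mtime-only monitor misses. Pairing each Change with the host name and shipping it to a central manager is the reporting step the slide describes.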
SDCS:SA Detection: Monitors Significant System Security Events
• Logon/Logoff Monitoring: success, failures, after hours, weekends, privileged user, unusual access methods, password cracking attempts
• System/Services Monitoring: service/daemon/driver failures, process tracking (privileged access, unusual usage)
• C2 Object Level Log Monitoring
• Web Log Monitoring
• System/Application Log Monitoring
• Application Log Monitoring: database logs, application server logs (such as ESXi), security tool logs (such as AV), Unix shell & sudo logs, vSphere logs
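As an added example, not code from the product, the Python below applies several of the logon-monitoring conditions listed above (after-hours and weekend logons, privileged-user logons, an unusual access method, and a burst of failures that indicates a password-cracking attempt followed by a success) to constructed log lines. The line format, the thresholds (5 failures within 60 seconds), the business-hours range, the privileged-account list and the set of expected access methods are assumptions to be tuned per host.

```python
"""Logon-event monitor over constructed log lines.

Added example for this transcript, not SDCS:SA code.  The log format,
thresholds, business hours, privileged accounts and expected access methods
are assumptions chosen for illustration.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<event>LOGON|LOGOFF) user=(?P<user>\S+) src=(?P<src>\S+) "
    r"method=(?P<method>\S+) result=(?P<result>SUCCESS|FAILURE)$"
)

# Constructed sample: a Saturday 02:15 RDP logon, an Administrator console logon,
# five rapid failures against bob followed by a success, and an unexpected method.
SAMPLE_LOG = """\
2014-05-10T02:15:07 LOGON user=CORP\\alice src=10.0.0.5 method=rdp result=SUCCESS
2014-05-12T09:01:00 LOGON user=CORP\\Administrator src=10.0.0.9 method=console result=SUCCESS
2014-05-12T09:02:01 LOGON user=CORP\\bob src=10.0.0.77 method=network result=FAILURE
2014-05-12T09:02:03 LOGON user=CORP\\bob src=10.0.0.77 method=network result=FAILURE
2014-05-12T09:02:06 LOGON user=CORP\\bob src=10.0.0.77 method=network result=FAILURE
2014-05-12T09:02:09 LOGON user=CORP\\bob src=10.0.0.77 method=network result=FAILURE
2014-05-12T09:02:12 LOGON user=CORP\\bob src=10.0.0.77 method=network result=FAILURE
2014-05-12T09:03:00 LOGON user=CORP\\bob src=10.0.0.77 method=network result=SUCCESS
2014-05-12T14:00:00 LOGON user=CORP\\carol src=10.0.0.21 method=smb result=SUCCESS
2014-05-12T14:05:00 LOGOFF user=CORP\\carol src=10.0.0.21 method=smb result=SUCCESS
"""

PRIVILEGED = {"CORP\\Administrator", "root"}     # assumption: accounts to always flag
EXPECTED_METHODS = {"console", "rdp", "network"}  # assumption: methods normal for this host
BUSINESS_HOURS = range(7, 19)                     # assumption: 07:00 to 18:59 local time
FAIL_THRESHOLD = 5                                # failures per user ...
FAIL_WINDOW_SECONDS = 60                          # ... within this many seconds


def parse_line(line):
    """Return a dict of fields plus a parsed datetime, or None for unparseable lines."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.fromisoformat(rec["ts"])
    return rec


def analyze(lines, privileged=PRIVILEGED, expected_methods=EXPECTED_METHODS,
            fail_threshold=FAIL_THRESHOLD, window=FAIL_WINDOW_SECONDS):
    """Return (rule, user, timestamp) alerts in the order they are raised."""
    alerts = []
    failures = defaultdict(deque)   # user -> timestamps of recent failed logons
    open_bursts = set()             # users with an unresolved password-cracking alert
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["event"] != "LOGON":
            continue
        user, t = rec["user"], rec["time"]
        if rec["result"] == "FAILURE":
            q = failures[user]
            q.append(t)
            while (t - q[0]).total_seconds() > window:   # slide the window forward
                q.popleft()
            if len(q) >= fail_threshold:
                alerts.append(("password_cracking", user, rec["ts"]))
                q.clear()
                open_bursts.add(user)
            continue
        # Successful logon: context checks from the slide.
        if user in open_bursts:
            alerts.append(("success_after_failures", user, rec["ts"]))
            open_bursts.discard(user)
        if t.weekday() >= 5:
            alerts.append(("weekend_logon", user, rec["ts"]))
        if t.hour not in BUSINESS_HOURS:
            alerts.append(("after_hours_logon", user, rec["ts"]))
        if user in privileged:
            alerts.append(("privileged_logon", user, rec["ts"]))
        if rec["method"] not in expected_methods:
            alerts.append(("unusual_method", user, rec["ts"]))
    return alerts


if __name__ == "__main__":
    for rule, user, ts in analyze(SAMPLE_LOG.splitlines()):
        print(f"{ts} {rule:24} {user}")
```

Individual failures are counted but not alerted on, so a single mistyped password produces nothing; only the fifth failure inside the window raises `password_cracking`, and the later success for the same account raises `success_after_failures`, which is the pairing an analyst wants to see first.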
SDCS: SA Architecture: Agent, Manager and Console
SDCS: Server Advanced Agent Multi Platform Support
Note: For support details please refer back to the Platform Support Matrix.
• Microsoft Windows®
  – Client Edition: Windows 7, Windows Embedded 7, Windows XP, Windows XPe, Windows 2000
  – Server Edition (Prevention): Windows 2012, 2008, 2003, and 2000; Windows NT 4.0 (*support varies for x86, AMD64, EM64T and different service pack levels)
  – Server Edition (Detection): Windows 2012, 2008, 2003, and 2000; Windows NT 4.0 (*support varies for x86, AMD64, EM64T and different service pack levels)
• Solaris™
  – Client Edition: Not Applicable
  – Server Edition (Prevention): Solaris 9 and 10 (*support varies for SPARC, x86, AMD64, EM64T & local/global zones)
  – Server Edition (Detection): Solaris 9, 10, and 11 (*support varies for SPARC, x86, AMD64, EM64T & local/global zones)
• Linux™
  – Client Edition: SuSE Linux Professional
  – Server Edition (Prevention): SUSE Linux Enterprise Server 9, 10, and 11; Red Hat Enterprise Linux 5 and 6; CentOS 5 and 6; Oracle Linux 5 and 6 (*support varies for x86, AMD64, EM64T & IA64)
  – Server Edition (Detection): SUSE Linux Enterprise Server 9, 10, and 11; Red Hat Enterprise Linux 4, 5, and 6; CentOS 5 and 6; Oracle Linux 5 and 6 (*support varies for x86, AMD64, EM64T & IA64)
• AIX™
  – Client Edition: Not Applicable
  – Server Edition (Prevention): AIX 5L 5.3, 6.1, and 7.1 (*support for PowerPC 32-bit and 64-bit)
  – Server Edition (Detection): AIX 5L, 6.1, and 7.1 (*support for PowerPC 32-bit and 64-bit)
• HP-UX™
  – Client Edition: Not Applicable
  – Server Edition (Prevention): Not supported
  – Server Edition (Detection): HP-UX 11i v1 (11.11)**, v2 (11.23)** and v3 (11.31)** 64-bit (*support varies for PA-RISC and Itanium2)
• ESX™
  – Client Edition: Not Applicable
  – Server Edition (Prevention): ESX 4.1 Host
  – Server Edition (Detection): ESX 4.1 Host, ESXi 5.0 Host, ESXi 5.5 Host (*monitoring is done remotely by the vSphere Support Pack)
Minimal Overhead
• Typical CPU Usage: 1-6% depending upon policies used and the amount of IO usage on the system
• Memory
  – Windows – typically 25-40MB
  – Unix – typically 40-80MB
• Disk space
  – Requires a minimum of 100MB disk space
  – Additional disk space may be used if agent log files are not purged periodically
Compliance Monitoring & Unified Assessment with: Control Compliance Suite
End to End - IT Governance Risk & Compliance Management
Implementation cycle: Requirements, Measure, Map, Assign, Deploy, Measure, Manage Risk
• Policies
• Controls: Cobit, ISO, PCI, NERC, HIPAA, SOX, GLBA, FISMA, Basel
  – Technical Controls
  – Procedural Controls
• Assets, People
Control Compliance Suite 11 - Modular View
• Policy Manager
• Risk Manager
• Virtualization Security Manager
• Standards Manager
• Vulnerability Manager
• Vendor Risk Manager
• Assessment Manager
• External Data Integration
Core Infrastructure: Common Asset & Data Store; Common Dashboard & Reporting
Hub: Control Compliance Suite Infrastructure
Centrally collect and manage evidence….
• Combine evidence from multiple systems (including 3rd party tools)
• Format evidence and map to policies and regulations
• View with compliance data
• Gain greater visibility into IT and security risks
• Lower administrative overheads
• Integrate with 3rd party service desks for remediation
Evidence flow between an External Evidence System (Evidence Provider) and Control Compliance Suite:
1. Connect to Evidence Provider
2. Collect evidence
3. Format and store data
4. Map data to policies and regulations
5. Trigger data evaluation
6. Trigger reporting job
Hub: Control Compliance Suite Infrastructure
…. and report on security, compliance & risk posture
• Combine CCS and 3rd party data for a holistic view of security and compliance posture
• Customizable multi-level reports for security operations and mandate-based reporting
• Gain granular visibility into security, compliance and risk posture:
  – Web-based, dynamic dashboards and reports
  – Multiple dashboard panel views and filtering options
(Figure: Risk dashboard)
CCS Standards Manager: Asset Discovery & Continuous Assessment of Security Configuration Settings
• Discover rogue networks and assets
• Automate assessment of security configurations
• Identify configuration drift and misconfigured assets
• Harden your server and virtual infrastructure (with Symantec CSP)
• Role-based and operational mandate-based reporting on security configuration
• Prioritize technical controls for remediation across IT ops, Sec Ops, and compliance
• Support the new SCAP 1.2, PCI-DSS v.3, and NIST Cybersecurity standards
CCS Risk Manager: Align IT Operations and Security Priorities
• Define business-centric risk objectives and thresholds
• Map risks to assets, controls and owners
• Prioritize security and audit findings according to business criticality
• Optimize resource allocation via risk-based remediation
• Generate risk-based dashboards for multiple stakeholders
• Project risk reduction over time
Example risk dashboard from the slide (overall risk scores 8.8, 6.9, 2.1 and 1.3):
• My Online Web Store (8.8): high exposure to current malware threats; high number of compliance assessment failures; no evidence of successful incident response testing
• HR System (6.9): medium exposure to current malware threats; high number of compliance assessment failures; no evidence of successful incident response testing
• Inventory System (2.1): low exposure to current malware threats; no compliance failures
• Finance System (1.3): low exposure to current malware threats; zero information leakage incidents
CCS Vulnerability Manager: Advanced Vulnerability Assessment & Scanning
• Scan your IPv4 and IPv6 environments (physical and virtual)
• Discover risk associated with IPv6 devices that may be enabled by default on your IPv4 environments.
• Integrated scanners identify hidden risks
• Scan for current and emerging threats and understand dependencies through unique “chaining” mechanism
• Covers web applications, databases servers and network devices
• Unique risk-scoring algorithm
• Granular, role-based asset management of threats and vulnerabilities
Unique “Chaining” Mechanism: dependencies are followed from Web Service to Database to OS to Your Data
CCS Vendor Risk Manager: Continuous Assessments of Third Party Managed Data & Infrastructure
• Build a scalable, cost-effective, and automated vendor security risk management program
• Identify and continually assess supply chain cybersecurity risks
• Enable informed business decisions during the vendor selection process
• Support third-party cloud and SDDC migrations by providing a hub for conducting security due diligence
• Automate internal process and standards for addressing and responding to third party data breaches
Vendor Risk Manager workflow: Assign vendor tier; Initiate vendor assessment schedule; Collect vendor evidence; Route and review submitted evidence; Authorize or remediate vendor; Continuous vendor risk monitoring
CCS Virtualization Security Manager: Role-based Access Control & Governance of VM/Cloud Admins
• Secure the hypervisor from threats
• Granular access control inc. secondary approval
• Manage hypervisor and VM configuration settings
• Automate configuration assessment and reporting
• Enforce instance separation to isolate assets and limit scope
• Detailed logging for forensics & audit
(Figures: Detailed logging; VMware Hardening Guidelines; VSM Dashboard)
CCS Policy Manager: Automate Policy Definition and Life Cycle Management
• Automate the policy definition and lifecycle administration
• Leverage out-of-box policy content
• Map security and compliance policies to control statements and assets
• Identify and rationalize common controls across compliance programs
• Mitigate policy conflicts across compliance programs
• Automatic regulatory updates
Corporate Policy Lifecycle: 1. Define, 2. Review, 3. Approve, 4. Distribute, 5. Track Acceptances/Exceptions
CCS Assessment Manager: Assessment & Reporting of Procedural Controls
• Automate assessment of procedural controls
• Cover 100+ regulations/frameworks updated regularly
• Risk-weighted survey capabilities
• Drill down within Web-based dashboards for additional insights into procedural gaps, facilitating targeted remediation effort
• Workflow integration with Symantec™ Data Loss Prevention to trigger targeted and timely security awareness training
Survey workflow: Administer Survey; Distribute via web; Respondents; Consolidate responses; Analyze Results
Symantec Data Center Security Portfolio: Integration Today & Moving Forward
Symantec Data Center Security: Integrated security, driven by context, enabled by policy. Supporting customers’ evolution to the SDDC by impacting inhibitors to adoption
Security Orchestration across: Server Security, Unified Assessment, Data Store Security, VDI Security
Inhibitors to adoption addressed:
• Security Orchestration Platform – Security Tax
• Integrated Offering – Complexity
• Unified Assessment – Compliance
Focus Areas (Moving Forward):
• Embed security into the platform
• Integrate Security across point technologies
• Orchestrate Security Automation
Summary & additional Information:
• Public Sources:
  – http://www.symantec.com/ccs
  – http://www.symantec.com/data-center-security
• Symantec Connect:
  – https://www-secure.symantec.com/connect
  – Communities: Control Compliance Suite & Critical System Protection
• Partner Net:
  – http://partnernet.symantec.com
• Data Center Security: Server & Server Advanced Bootcamp:
  – Planned for 15 to 17 September in the UK (contact us if you are interested)
Thank you!
Copyright © 2014 Symantec Corporation. All rights reserved. Symantec and the Symantec Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners.
This document is provided for informational purposes only and is not intended as advertising. All warranties relating to the information in this document, either express or implied, are disclaimed to the maximum extent allowed by law. The information in this document is subject to change without notice.