visibility & security for the virtualized enterprise
DESCRIPTION
As enterprises embrace virtualization, they need to be able to see what’s happening throughout their environment and then apply effective security mechanisms. This session describes the kind of information that enterprises should collect from physical and virtual infrastructures, the kind of analysis to perform and the ways tools like encryption can be applied in securing the virtualized enterprise.
After this session you will be able to:
Objective 1: Describe what information an enterprise needs to collect to effectively manage and secure their physical and virtual environments.
Objective 2: Understand the kinds of analysis that need to be done on collected information in order to make effective security decisions.
Objective 3: Identify ways in which security capabilities can be applied in securing the virtualized enterprise.
Watch more on http://www.brainshark.com/emcworld/vu?pi=zHJzQJGhyzB8sLz0
TRANSCRIPT
1 © Copyright 2013 EMC Corporation. All rights reserved.
Visibility & Security for the Virtualized Enterprise John McDonald, CISSP
Roadmap Information Disclaimer
EMC makes no representation and undertakes no obligations with regard to product planning information, anticipated product characteristics, performance specifications, or anticipated release dates (collectively, “Roadmap Information”).
Roadmap Information is provided by EMC as an accommodation to the recipient solely for purposes of discussion and without intending to be bound thereby.
Roadmap information is EMC Restricted Confidential and is provided under the terms, conditions and restrictions defined in the EMC Non-Disclosure Agreement in place with your organization.
Agenda
Foundations
How Virtualization Impacts Your Security
Securing & Monitoring Virtual Environments
Summary
Foundations
Attack surface
High Value Assets
Types of Security Controls
What is An Attack Surface?
Originally proposed by the Software Engineering Institute at Carnegie Mellon University
The attack surface of a system is the set of ways in which an adversary can enter the ‘system’ and potentially cause damage
– Intentional or unintentional
Hence, the larger the attack surface, the more difficult it is to secure the system
[Diagram (slides 7 to 10): Information is Created and Stored. Information flows from the Customer/Client/Patient over the Internet to a Web Server in the DMZ, then into the Infrastructure: Application Server, Database Server and Database, Network, SAN and Storage Array. The stored information includes PII, PHI, PCI and IP. The slide builds up attack points per component:]
– Web Server: OS (multiple), Local storage, Web Server
– Application Server: OS (multiple), Local storage, App (multiple)
– Network: Switches, Routers, Sniffers
– Database Server: OS (multiple), Local storage, DB (multiple)
– SAN: Switches, Controllers, Host Drivers
– Storage Array: Mgt Interface, Copies, Backups
[Diagram (slides 11 to 13): Information is Accessed and Managed. The same Infrastructure (Database Server, Database, SAN, Storage Array holding PII, PHI, PCI and IP) is now shown together with everything that accesses or manages the information: a Backup Server, Copies, a DR Site, Business Applications, Customer Service, a Partners/Clients/Customers/Suppliers Portal/Intranet, Mobile Devices and Employees. The slide’s conclusion: numerous attack points. Attack points called out:]
– Backup Server: OS (multiple), Backup App, Snap/Clone
– Copy: Lost/Stolen, Unauthorized Access
– DR Site: Network Communications; Unauthorized Access, Physical Theft
– Business Applications: OS (multiple), Business App, Local storage
– Portal/Intranet: OS (multiple), Web Server, Network
– Mobile Devices: Device exploit, Lost/stolen device
– Customer Service: OS (multiple), Service App, Local storage
– Further callouts on end-user access: OS (multiple), Lost/stolen device, Local storage; Intercepted email, Wrong addressee
What is an Information Attack Surface?
The Information Attack Surface for a given type of information equals the combination of the attack surfaces of all components that ‘touch’ that type of information
• For the entire lifecycle of that information
• Virtualization adds another layer to the attack surface
What are High-Value Assets?
• An asset that, if compromised, will have a significant impact on:
– Revenue/Critical Business Processes
– Intellectual Property/Trade Secrets
– Brand/Image
– Legal/Regulatory Compliance
– Total Customer Experience
• Assets can be systems (HVSA) or information (HVIA)
Types of Security Controls
• Three types of security controls to consider
– Preventive – Prevent compromise from occurring in the first place (Firewall, AV, Encryption, etc.)
– Detective – Detects if compromise has occurred or is occurring and what happened (SIEM, IDS/HDS, forensics, etc.)
– Corrective – Allows environment to be returned to previous non-compromised state (e.g. AV, backups, DR, etc.)
• Preventive provides the greatest value, but is becoming increasingly difficult (e.g. 0-day vulnerabilities, APTs, etc.)
How Virtualization Impacts Security
Virtualization’s Impact
New threat landscape
Servers as files
Server sprawl
Super Admins
Multitenancy
New Threat Landscape
Virtualization Threat Modeling
You need to understand the changes that virtualization introduces into your threat model
– Sources – Where the attack originates (don’t forget physical and accidents)
– Objectives – The goals of the attack
– Methods – How the attack is accomplished
‘Objectives’ and ‘Methods’ tend to drive an attacker’s targets
Objectives that are focused on compromising sensitive assets or disrupting your environment can target your virtualization environment
Threat Modeling Process
1. Identify Assets (including VMs)
2. Create an Architecture Overview
3. Decompose the Attack Surface
4. Identify the Threats
5. Document the Threats
6. Rate the Threats
Participants called out on the slide:
– Lead Designer, Business Owner
– Designer, Architect, Security Lead
– Brainstorm Session: Designer, Development, Infrastructure, Documentation, Testers, Security, Project Management
Physical Servers
Data Center
• Most organizations have good physical security
• Physical servers are well protected from theft
Virtualization Changes Server Security
Servers are now files, which can easily be copied/stolen
– Locally or over a network
– Along with the information they contain (.vmdk files)
Server Sprawl
Virtualization makes adding servers easier
– Which inevitably results in more servers
– Which in turn means more copies of sensitive information and a larger attack surface
Super Admins
Previously, system admins only had access to servers they were directly responsible for
– With virtualization environments, VM admins can access the files representing the servers in the domains they manage
– ‘Introspection’ capabilities provide potential visibility into every VM
Multi-tenancy
Many virtual environments support multiple different business organizations in a single environment
– Cloud providers
Each environment may have different security requirements; all require segregation from the others
Securing & Monitoring Your Virtual Environment
Securing & Monitoring
Ensure solid foundations
Understand the threats
Protect & control access
Monitor & respond
Advanced solutions
Ensure Solid Foundations
There are a number of processes that need to be solid before you can effectively secure a virtual (or any) environment
– Classification
– Change control
– Patch management
– Configuration management
Underlying all of these should be a solid documentation foundation
– You can’t secure what you don’t understand!
General Process Impact
One of the biggest advantages of virtualization is that it tends to simplify many processes
– What used to require accessing many physical servers can be easily accomplished from a single VM management console
– But this can also be a weakness from a security perspective
A common problem is that this simplification tends to lead to a more lax approach to these processes
– Change control
– New server creation
– Asset management
– Patch management
Which in turn reduces the effectiveness of these process controls
Foundations: Classification
Classification is the process of defining standard security ‘buckets’ based on broad protection requirements
– Usually 3-4 classification levels
Example:
– Restricted Internal
– Company Confidential
– Company Sensitive
– Public
Every asset should be assigned a classification
– Servers, databases, switches, etc.
– Based on the highest classification of information it ‘touches’
Foundations: Classification (contd.)
Need to define protection requirements for VMs based on classification
– Each classification should mandate both general and technology-specific standards
▪ Examples:
— All OS instances that process information classified as ‘Company Confidential’ shall themselves be classified ‘Company Confidential’
» All attempted, successful and failed login attempts shall be logged and reviewed
» All access changes must be reviewed and approved
— Windows instances classified as ‘Company Confidential’ shall not run the following services:…
— Linux instances classified as ‘Company Confidential’ shall not run the following daemons:…
The VM environment itself should have a classification
– And associated security configuration standards
Foundations: Change Control
Automated, comprehensive & integrated change control for VM environments
– Should cover ALL changes!
– Automated detection of changes (event logs) and correlation to approved change requests
– Should include changes to the VM environment itself
Change events should be sent to a SIEM system for analysis and correlation
– Configuration change events as well as security events
Foundations: Configuration Management
Unmanaged/uncontrolled changes are one of the most common sources of security vulnerabilities
– ‘Temporary’ changes to fight some fire that never get undone
VM environment and VMs should be scanned regularly to ensure compliance with defined configuration standards
Consider utilizing a standards-based automated configuration definition framework
– Security Content Automation Protocol (SCAP) – XML-based NIST standard (submitted to ISO)
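The classification-driven standards on the previous slides and the compliance scanning described here, worked as an added example (not code from the presentation): each VM inherits the highest classification of the information it touches, and the technology-specific standard for that classification is checked against the services observed running. The classification order, the banned service lists and the VM inventory are constructed assumptions, with the example levels taken to run from most to least restrictive.

```python
# Added example: classification-based configuration compliance check.
# All VM data, banned-service lists and level ordering are constructed.
from dataclasses import dataclass

# Classification levels from the slide, assumed ordered most to least restrictive.
LEVELS = ["Restricted Internal", "Company Confidential", "Company Sensitive", "Public"]

# Technology-specific standards per (classification, OS): services that must
# not run on an instance of that classification (constructed examples).
BANNED = {
    ("Company Confidential", "windows"): {"telnet", "ftpsvc", "snmp"},
    ("Company Confidential", "linux"): {"telnetd", "vsftpd", "rsh"},
}

@dataclass
class VM:
    name: str
    os: str                 # "windows" or "linux"
    data_classes: list      # classifications of information the VM 'touches'
    services: set           # services/daemons observed running (from a scan)
    declared_class: str     # classification recorded in the asset inventory

def required_classification(vm):
    """Highest (most restrictive) classification of any information the VM touches."""
    if not vm.data_classes:
        return "Public"
    return min(vm.data_classes, key=LEVELS.index)

def check_vm(vm):
    """Return a list of findings for one VM; an empty list means compliant."""
    findings = []
    required = required_classification(vm)
    # General standard: the OS instance inherits the highest data classification.
    if vm.declared_class != required:
        findings.append(f"{vm.name}: classified '{vm.declared_class}', must be '{required}'")
    # Technology-specific standard: banned services for the required classification.
    banned = BANNED.get((required, vm.os), set())
    for svc in sorted(vm.services & banned):
        findings.append(f"{vm.name}: '{svc}' must not run on a {required} {vm.os} instance")
    return findings

def scan(vms):
    """Run check_vm over a whole inventory and flatten the findings."""
    return [finding for vm in vms for finding in check_vm(vm)]

# Constructed inventory: one compliant VM, one misclassified VM running a banned
# service, one correctly classified VM running a banned daemon.
INVENTORY = [
    VM("web01", "linux", ["Public"], {"httpd", "sshd"}, "Public"),
    VM("app02", "windows", ["Public", "Company Confidential"], {"w3svc", "telnet"}, "Public"),
    VM("db03", "linux", ["Company Confidential"], {"mysqld", "vsftpd"}, "Company Confidential"),
]

if __name__ == "__main__":
    for finding in scan(INVENTORY):
        print(finding)
```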
Understand the Threats
Virtualization adds an entirely new series of attack vectors to your environment
– Understanding and monitoring potential threats is critical
– Both internal and external threats
You need to be aware of new threats and be able to rapidly adjust your security profile to address them
You need to develop a threat intelligence team that monitors threat news from multiple sources
– VMWare, McAfee, Symantec, hacker forums, Black Hat, etc.
Be careful to distinguish between ‘threats’ and ‘vulnerabilities’
Protect & Control Access
Controlling who has access to what files and who can perform which functions is critical
– Using tools like Introspection, VM admins become ‘super admins’
– Can access files and data structures in any running VM
Don’t forget the basics
– Strong passwords
– Password rotation
– Avoid shared accounts
– Multi-factor or risk-based authentication for privileged accounts
– Document and map all accounts to specific users
Protect & Control Access: Roles
Role-based access control provides the ability to strongly segregate access
– Roles define which components a user can access and what they can (and can’t) do
– Users are assigned roles
Most VM environments provide default roles
– Custom roles should be created to segregate access and control
– OS instance (VM) admins should be allowed access to only the VMs they’re responsible for
Implementing and managing fine-grained role-based access can be complex, but critical
VM host admins should be treated as some of the most sensitive accounts in your environment!
– Strong authentication
– Full monitoring of all activities
– Restricted activities (e.g. web surfing)
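How object-scoped roles segregate access, as an added example (not code from the presentation and not vCenter’s API): a role is a set of privileges, a permission binds a user to a role on one inventory object, and the nearest permission up the inventory tree wins, counting only on children when it propagates. The inventory tree, role names, privilege names and users are constructed; the check shows that a VM admin scoped to one cluster cannot reach VMs elsewhere.

```python
# Added example: object-scoped role-based access with propagation.
# Tree, roles, privileges and users are constructed; not a real vCenter model.

# Inventory tree as child -> parent (None marks the root).
PARENT = {
    "Datacenter": None,
    "Cluster-A": "Datacenter", "Cluster-B": "Datacenter",
    "esx01": "Cluster-A", "esx02": "Cluster-B",
    "web01": "esx01", "app02": "esx01", "db03": "esx02",
}
VMS = {"web01", "app02", "db03"}

# Roles as privilege sets, loosely modelled on the default roles on the next slide.
ROLES = {
    "No Access": set(),
    "Read-Only": {"view"},
    "VM Admin": {"view", "vm.power", "vm.config", "vm.snapshot", "vm.delete"},
    "Administrator": {"view", "vm.power", "vm.config", "vm.snapshot", "vm.delete",
                      "host.config", "permission.modify"},
}

# Permissions: (object, user) -> (role, propagate to children?)
PERMISSIONS = {
    ("Datacenter", "alice"): ("Administrator", True),   # host admin: everything
    ("Cluster-A", "bob"): ("VM Admin", True),           # bob owns Cluster-A VMs only
    ("db03", "bob"): ("Read-Only", False),              # explicit, non-propagating
    ("Datacenter", "carol"): ("Read-Only", True),       # carol may view everything...
    ("esx02", "carol"): ("No Access", True),            # ...except the esx02 subtree
}

def effective_role(obj, user):
    """Walk from obj to the root; the nearest applicable permission wins.
    A non-propagating permission only applies to the object it is set on."""
    node, direct = obj, True
    while node is not None:
        perm = PERMISSIONS.get((node, user))
        if perm and (direct or perm[1]):
            return perm[0]
        node, direct = PARENT[node], False
    return "No Access"

def has_privilege(user, obj, priv):
    """True if the user's effective role on obj carries the privilege."""
    return priv in ROLES[effective_role(obj, user)]

def reachable_vms(user, priv="vm.config"):
    """VMs on which the user holds the given privilege (sorted for stable output)."""
    return sorted(vm for vm in VMS if has_privilege(user, vm, priv))

if __name__ == "__main__":
    for user in ("alice", "bob", "carol"):
        print(user, "can configure:", reachable_vms(user))
```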
Sample Default Roles (VMWare)
No Access: A permanent role that is assigned to new users and groups. Prevents a user or group from viewing or making changes to an object
Read-Only: A permanent role that allows users to check the state of an object or view its details, but not make changes to it
Administrator: A permanent role that enables a user complete access to all of the objects on the server. The root user is assigned this role by default, as are all of the users who are part of the local Windows Administrators group associated with vCenter Server. At least one user must have administrative permissions in VMware.
Virtual Machine Administrator: A sample role that allows a user complete and total control of a virtual machine or a host, up to and including removing that VM or host
Virtual Machine Power User: A sample role that grants a user access rights only to virtual machines; can alter the virtual hardware or create snapshots of the VM
Virtual Machine User: Grants user access rights exclusively to VMs. The user can power on, power off, and reset the virtual machine, as well as run media from the virtual discs.
Resource Pool Administrator: Allows the user to create resource pools (RAM and CPU reserved for use) and assign these pools to virtual machines
Datacenter Administrator: Permits a user to add new datacenter objects
VMware Consolidated Backup User: Required to allow VMware Consolidated Backup to run
Datastore Consumer: Allows the user to consume space on a datastore
Network Consumer: Allows the user to assign a network to a virtual machine or a host
Protect & Control Access: Encryption
Encryption can be thought of as a form of access control
– Only actors with access to the decryption keys can access the content
Doing encryption right can be a challenge
– Need to understand the threats you’re trying to protect against (use cases)
– One size does not fit all with encryption!
– Numerous potential ‘side effects’ that need to be considered
The Encryption Stack
• Encrypting at a given layer tends to protect all layers below
• High layer encryption addresses more threat profiles
• Cost and complexity tend to go up as you move up the stack
Encryption: Considerations
What are the drivers? (threats, regulations, policy, etc.)
Key and algorithm strength
Solution acquisition, implementation, management & impact costs
Performance impact (encrypted data cannot be compressed)
Protection Domains (where will the data be protected?)
User Context/Access Control
Transition
Key Management (who has access, key rotation, key retention, etc.)
Secondary Operations (backups, data de-duplication, replication, etc.)
Government Regulations
Monitor & Respond
Continuous real-time monitoring of security-related events in a virtual environment is critical to maintaining security
– Attacks happen fast
– The longer an attacker is active in your environment, the more damage that can be done
Monitoring is primarily a detective control, but may prevent further damage by detecting early
Need to define and document requirements (based on threat environment)
– What will be monitored?
– What events will be collected?
– What do the events mean?
Modern complex environments generate huge amounts of event data
– Need to be able to make sense of it all
– Types of events collected should be based on classification
Monitor & Respond: Event Monitoring
Most obvious collection requirements are security events
– Focus on failures and errors
– For all critical components, not just host instances (e.g. network devices, VM events, storage, etc.)
However, management and change events can be just as critical
– Create new VM
– Change access permissions
– Accesses to VM files
Numerous tools available
– Splunk, RSA Security Analytics, Catbird, etc.
In a multi-tenancy environment, you may need to provide unique event log feeds to each tenant
– All events relevant to their components (not just host events)
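The change control slide’s “automated detection of changes (event logs) and correlation to approved change requests” and this slide’s management events (VM creation, permission changes, VM file access), worked as an added example that is not code from the presentation: management events are parsed from a log and every change event must reference an approved change request whose window, implementer and target cover it. The log line format, event names, users and change request ids are constructed assumptions, not any product’s real format.

```python
# Added example: correlate VM-environment change events with approved change
# requests and report the changes nothing authorised. Log format is constructed.
import re
from datetime import datetime, timezone

LINE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) user=(?P<user>\S+) event=(?P<event>\S+) "
    r"target=(?P<target>\S+)(?: cr=(?P<cr>\S+))?$"
)

# Management events that count as changes and so require an approved request.
CHANGE_EVENTS = {"VmCreate", "PermissionChange", "VmFileAccess", "HostConfigChange"}

def parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def parse(line):
    """Parse one constructed log line into a dict, or None if it does not match."""
    match = LINE.match(line)
    if not match:
        return None
    event = match.groupdict()
    event["ts"] = parse_ts(event["ts"])
    return event

def correlate(events, change_requests):
    """Return (event, reason) pairs for change events not covered by an approved CR."""
    findings = []
    for e in events:
        if e["event"] not in CHANGE_EVENTS:
            continue                       # informational event, no CR needed
        cr = change_requests.get(e.get("cr"))
        if cr is None:
            findings.append((e, "no approved change request referenced"))
        elif cr["status"] != "approved":
            findings.append((e, f"{e['cr']} is {cr['status']}"))
        elif not (cr["start"] <= e["ts"] <= cr["end"]):
            findings.append((e, f"outside {e['cr']} window"))
        elif e["user"] not in cr["implementers"] or e["target"] not in cr["targets"]:
            findings.append((e, f"user/target not covered by {e['cr']}"))
    return findings

# Constructed change requests (what the ticketing system would export).
CHANGE_REQUESTS = {
    "CR-1042": {"status": "approved", "start": parse_ts("2013-05-06T09:00:00Z"),
                "end": parse_ts("2013-05-06T11:00:00Z"),
                "implementers": {"jsmith"}, "targets": {"web07", "web08"}},
    "CR-1043": {"status": "pending", "start": parse_ts("2013-05-07T09:00:00Z"),
                "end": parse_ts("2013-05-07T11:00:00Z"),
                "implementers": {"rlee"}, "targets": {"db03"}},
}

# Constructed event log: one authorised change, one non-change event, one change
# outside its window, one under a pending request, one VM file access with no CR.
LOG = """\
2013-05-06T10:02:11Z vcenter user=jsmith event=VmCreate target=web07 cr=CR-1042
2013-05-06T10:05:40Z vcenter user=jsmith event=VmPowerOn target=web07
2013-05-06T12:30:02Z vcenter user=jsmith event=VmCreate target=web08 cr=CR-1042
2013-05-06T13:11:19Z vcenter user=rlee event=PermissionChange target=db03 cr=CR-1043
2013-05-06T02:47:55Z esx01 user=tmiller event=VmFileAccess target=db03.vmdk
"""

def audit(log_text, change_requests):
    events = [e for e in (parse(line) for line in log_text.splitlines()) if e]
    return correlate(events, change_requests)

if __name__ == "__main__":
    for event, reason in audit(LOG, CHANGE_REQUESTS):
        print(f"{event['ts'].isoformat()} {event['user']} {event['event']} {event['target']}: {reason}")
```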
Monitor & Respond: Responding
Detecting a security event is meaningless unless it can be addressed effectively
– Need to have a comprehensive structured incident response plan
The team responsible for the virtual environment must be integrated into the response plan
The use of VMs can actually simplify the forensic process
– Easy to make a snapshot of impacted servers
Advanced Solutions: Key Management
In a multi-tenancy environment, some tenants may require stronger protection of VMs
– Even if VM admin can’t access host OS, they can still access the VM files
Some vendors provide a split-key distributed key management solution
– Allows each tenant to control a portion of their VM’s encryption keys
– Afore Solutions is one example
Advanced Solutions: SCIT
Self-Cleansing Intrusion Tolerance
– Invented by a team at George Mason University
– Supports the assertion that you will never be able to completely prevent all intrusions, especially in vulnerable servers (e.g. web servers, DNS servers, etc.)
Uses a rotating set of ‘gold image’ VMs to regularly replace potentially infected ones
Summary
Virtualization adds additional attack vectors to what is already an extremely complex attack surface
Basic foundational capabilities are critical to effectively securing a virtual environment
As with any technology you need to understand the requirements and threats before you can secure it
Controlling and protecting access and appropriate monitoring are critical