Visibility & Security for the Virtualized Enterprise
John McDonald, CISSP
© Copyright 2013 EMC Corporation. All rights reserved. (48 slides)

Upload: emc-academic-alliance
Posted on 18-Nov-2014
Category: Technology

DESCRIPTION

As enterprises embrace virtualization, they need to be able to see what's happening throughout their environment and then apply effective security mechanisms. This session describes the kind of information that enterprises should collect from physical and virtual infrastructures, the kind of analysis to perform, and the ways tools like encryption can be applied in securing the virtualized enterprise.

After this session you will be able to:

– Objective 1: Describe what information an enterprise needs to collect to effectively manage and secure their physical and virtual environments.
– Objective 2: Understand the kinds of analysis that need to be done on collected information in order to make effective security decisions.
– Objective 3: Identify ways in which security capabilities can be applied in securing the virtualized enterprise.

Watch more on http://www.brainshark.com/emcworld/vu?pi=zHJzQJGhyzB8sLz0

TRANSCRIPT

Page 1: Visibility & Security for the Virtualized Enterprise

1 © Copyright 2013 EMC Corporation. All rights reserved.

Visibility & Security for the Virtualized Enterprise John McDonald, CISSP

Page 2: Roadmap Information Disclaimer

EMC makes no representation and undertakes no obligations with regard to product planning information, anticipated product characteristics, performance specifications, or anticipated release dates (collectively, “Roadmap Information”).

Roadmap Information is provided by EMC as an accommodation to the recipient solely for purposes of discussion and without intending to be bound thereby.

Roadmap Information is EMC Restricted Confidential and is provided under the terms, conditions and restrictions defined in the EMC Non-Disclosure Agreement in place with your organization.

Page 3: Agenda

– Foundations
– How Virtualization Impacts Your Security
– Securing & Monitoring Virtual Environments
– Summary

Page 4: Foundations

Page 5: Foundations

– Attack surface
– High Value Assets
– Types of Security Controls

Page 6: What is An Attack Surface?

• Originally proposed by the Software Engineering Institute at Carnegie Mellon University
• The attack surface of a system is the set of ways in which an adversary can enter the 'system' and potentially cause damage
  – Intentional or unintentional
• Hence, the larger the attack surface, the more difficult it is to secure the system

Pages 7-10: Information is Created and Stored

(Four successive builds of one diagram; only the final build is reproduced.)

Data path: Customer/Client/Patient → Internet → DMZ Web Server → Application Server → Database Server → SAN → Storage Array; the database holds PII, PHI, PCI and IP.

Attack points by component:
• Web Server: OS (multiple), local storage, web server
• Application Server: OS (multiple), local storage, app (multiple)
• Network: switches, routers, sniffers
• Database Server: OS (multiple), local storage, DB (multiple)
• SAN: switches, controllers, host drivers
• Storage Array: management interface, copies, backups

Pages 11-13: Information is Accessed and Managed

(Three successive builds of one diagram; only the final build is reproduced. The database, storage array and SAN from the previous diagram sit at the centre, and the same PII/PHI/PCI/IP now flows out to the components below.)

Attack points by component:
• Backup Server: OS (multiple), backup app, snap/clone
• Copy: lost/stolen, unauthorized access
• DR Site (replication link): network communications
• DR Site database: unauthorized access, physical theft
• Business Applications: OS (multiple), business app, local storage
• Customer Service: OS (multiple), service app, local storage
• Partners / Clients / Customers / Suppliers Portal / Intranet: OS (multiple), web server, network
• Mobile Devices: device exploit, lost/stolen device
• Employees: OS (multiple), lost/stolen device, local storage
• Email: intercepted email, wrong addressee

Slide caption: Numerous Attack Points

Page 14: What is an Information Attack Surface?

The Information Attack Surface for a given type of information equals the combination of the attack surfaces of all components that 'touch' that type of information

• For the entire lifecycle of that information
• Virtualization adds another layer to the attack surface (the hypervisor host, the VM files and the management console, as the following slides show)

Page 15: What are High-Value Assets?

• An asset that, if compromised, will have a significant impact on:
  – Revenue/Critical Business Processes
  – Intellectual Property/Trade Secrets
  – Brand/Image
  – Legal/Regulatory Compliance
  – Total Customer Experience
• Assets can be systems (HVSA) or information (HVIA)

Page 16: Types of Security Controls

• Three types of security controls to consider
  – Preventive: prevents a compromise from occurring in the first place (firewall, AV, encryption, etc.)
  – Detective: detects whether a compromise has occurred or is occurring, and what happened (SIEM, IDS/HIDS, forensics, etc.)
  – Corrective: allows the environment to be returned to its previous, non-compromised state (e.g. AV, backups, DR, etc.)
• Preventive controls provide the greatest value, but prevention is becoming increasingly difficult (e.g. 0-day vulnerabilities, APTs, etc.), so detective and corrective controls have to carry more of the load

Page 17: How Virtualization Impacts Security

Page 18: Virtualization's Impact

– New threat landscape
– Servers as files
– Server sprawl
– Super Admins
– Multitenancy

Page 19: New Threat Landscape

Page 20: Virtualization Threat Modeling

You need to understand the changes that virtualization introduces into your threat model
– Sources: where the attack originates (don't forget physical access and accidents)
– Objectives: the goals of the attack
– Methods: how the attack is accomplished

'Objectives' and 'Methods' tend to drive an attacker's choice of targets. Objectives that are focused on compromising sensitive assets or disrupting your environment can target the virtualization environment itself, because the hypervisor hosts, VM files and management console sit on the path to every workload they carry.

Page 21: Threat Modeling Process

1. Identify Assets (including VMs)
2. Create an Architecture Overview
3. Decompose the Attack Surface
4. Identify the Threats
5. Document the Threats
6. Rate the Threats

Participants noted on the slide: Lead Designer and Business Owner; Designer, Architect and Security Lead; and a brainstorm session with Designer, Development, Infrastructure, Documentation, Testers, Security and Project Management.

Page 22: Physical Servers

Data Center
• Most organizations have good physical security
• Physical servers are well protected from theft

Page 23: Virtualization Changes Server Security

Servers are now files, which can easily be copied/stolen
– Locally or over a network
– Along with the information they contain (.vmdk files)
– Anyone who can read the datastore (a storage or backup operator, or an attacker on the management network) can take a complete server without ever logging in to it

Page 24: Server Sprawl

Virtualization makes adding servers easier
– Which inevitably results in more servers
– Which in turn means more copies of sensitive information and a larger attack surface

Page 25: Super Admins

Previously, system admins only had access to the servers they were directly responsible for
– With virtualization environments, VM admins can access the files representing the servers in the domains they manage
– 'Introspection' capabilities provide potential visibility into every VM

Page 26: Multi-tenancy

Many virtual environments support multiple different business organizations in a single environment
– Cloud providers

Each environment may have different security requirements; all require segregation from the others

Page 27: Securing & Monitoring Your Virtual Environment

Page 28: Securing & Monitoring

– Ensure solid foundations
– Understand the threats
– Protect & control access
– Monitor & respond
– Advanced solutions

Page 29: Ensure Solid Foundations

There are a number of processes that need to be solid before you can effectively secure a virtual (or any) environment
– Classification
– Change control
– Patch management
– Configuration management

Underlying all of these should be a solid documentation foundation
– You can't secure what you don't understand!

Page 30: General Process Impact

One of the biggest advantages of virtualization is that it tends to simplify many processes
– What used to require accessing many physical servers can be easily accomplished from a single VM management console
– But this can also be a weakness from a security perspective

A common problem is that this simplification tends to lead to a more lax approach to these processes
– Change control
– New server creation
– Asset management
– Patch management

Which in turn reduces the effectiveness of these process controls

Page 31: Foundations: Classification

Classification is the process of defining standard security 'buckets' based on broad protection requirements
– Usually 3-4 classification levels

Example:
– Restricted Internal
– Company Confidential
– Company Sensitive
– Public

Every asset should be assigned a classification
– Servers, databases, switches, etc.
– Based on the highest classification of information it 'touches'

Page 32: Foundations: Classification (contd.)

Need to define protection requirements for VMs based on classification
– Each classification should mandate both general and technology-specific standards
  ▪ Examples:
    — All OS instances that process information classified as 'Company Confidential' shall themselves be classified 'Company Confidential'
      » All attempted, successful and failed login attempts shall be logged and reviewed
      » All access changes must be reviewed and approved
    — Windows instances classified as 'Company Confidential' shall not run the following services:…
    — Linux instances classified as 'Company Confidential' shall not run the following daemons:…

The VM environment itself should have a classification
– And associated security configuration standards
– A host runs VMs of several classifications, so the host (and the management console that controls it) inherits the highest classification among them
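The two classification rules above (an asset takes the highest classification of the information it touches; the VM environment itself gets a classification) and the Page 14 definition of the information attack surface (the union of the attack surfaces of every component that touches a type of information, plus the virtualization layer) can all be computed from one data-flow model rather than assigned by hand. The following is an added example, not code from the deck or from EMC: the assets, flows, attack points, host placements and the low-to-high ordering of the classification buckets are constructed assumptions.

```python
"""Classification inheritance and information attack surface from one
data-flow model. Added example, not from the EMC deck: every asset, flow,
attack point and host placement below is constructed, and the ordering of
the classification buckets (lowest first) is an assumption."""
from collections import deque

LEVELS = ["Public", "Restricted Internal", "Company Sensitive", "Company Confidential"]
RANK = {level: i for i, level in enumerate(LEVELS)}

# Classification of each information type and where it enters the system.
INFO_CLASS = {"PHI": "Company Confidential", "PCI": "Company Confidential",
              "Marketing": "Public"}
ENTRY = {"PHI": ["web01"], "PCI": ["web01"], "Marketing": ["cms01"]}

# Data flows between assets (value = where the data goes next).
FLOWS = {
    "web01": ["app01"], "app01": ["db01"], "db01": ["san01"], "san01": ["array01"],
    "array01": ["backup01"], "backup01": ["dr01"],
    "cms01": ["array01"],          # the CMS keeps its content on the same array
}

# Attack points per asset, using the categories from the Pages 7-13 diagrams.
ATTACK_POINTS = {
    "web01": {"OS", "local storage", "web server"},
    "cms01": {"OS", "local storage", "web server"},
    "app01": {"OS", "local storage", "application"},
    "db01": {"OS", "local storage", "database"},
    "san01": {"switches", "controllers", "host drivers"},
    "array01": {"management interface", "copies", "backups"},
    "backup01": {"OS", "backup application", "snap/clone"},
    "dr01": {"network communications", "unauthorized access", "physical theft"},
}

# Which assets are VMs and on which hypervisor host they run. Anything not
# listed here (SAN, array, DR site) is treated as physical.
HOSTS = {"esx01": ["web01", "cms01"], "esx02": ["app01", "db01"], "esx03": ["backup01"]}

# The extra layer virtualization adds to every VM (Pages 23, 25 and 30).
HYPERVISOR_POINTS = {"hypervisor host", "VM files (.vmdk)", "introspection",
                     "VM management console"}


def highest(levels):
    """Highest classification in `levels`; Public if there are none."""
    return max(levels, key=RANK.__getitem__, default="Public")


def touched_by(info):
    """Assets that 'touch' an information type: everything reachable along
    the data flows from the assets where that type enters the system."""
    seen, queue = set(), deque(ENTRY[info])
    while queue:
        asset = queue.popleft()
        if asset not in seen:
            seen.add(asset)
            queue.extend(FLOWS.get(asset, ()))
    return seen


def information_attack_surface(info, virtualized=True):
    """Page 14: union of the attack points of every asset touching `info`.
    With virtualized=True, each touching asset that is a VM also contributes
    the hypervisor layer's attack points."""
    vms = {vm for placed in HOSTS.values() for vm in placed}
    surface = set()
    for asset in touched_by(info):
        surface |= ATTACK_POINTS[asset]
        if virtualized and asset in vms:
            surface |= HYPERVISOR_POINTS
    return surface


def classify_assets():
    """Pages 31-32: each asset takes the highest classification of the
    information it touches; a host takes the highest of its VMs; the VM
    environment as a whole takes the highest of its hosts."""
    result = {}
    for info, level in INFO_CLASS.items():
        for asset in touched_by(info):
            result[asset] = highest([result.get(asset, "Public"), level])
    for host, vms in HOSTS.items():
        result[host] = highest(result.get(vm, "Public") for vm in vms)
    result["vm-environment"] = highest(result[host] for host in HOSTS)
    return result


if __name__ == "__main__":
    for asset, level in sorted(classify_assets().items()):
        print(f"{asset:15} {level}")
    print("PHI attack surface:", sorted(information_attack_surface("PHI")))
```

In this model cms01 only ever sees Marketing content and stays Public, but the host it shares with web01 is Company Confidential, and so is the VM environment. Adding a single flow (say, an export from the database to a mail server) is enough to pull that server into the PHI attack surface and raise its classification, which is exactly the kind of drift a hand-maintained spreadsheet misses.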

Page 33: Foundations: Change Control

Automated, comprehensive & integrated change control for VM environments
– Should cover ALL changes!
– Automated detection of changes (event logs) and correlation to approved change requests
– Should include changes to the VM environment itself

Change events should be sent to a SIEM system for analysis and correlation
– Configuration change events as well as security events

Page 34: Foundations: Configuration Management

Unmanaged/uncontrolled changes are one of the most common sources of security vulnerabilities
– 'Temporary' changes to fight some fire that never get undone

The VM environment and the VMs should be scanned regularly to ensure compliance with defined configuration standards

Consider utilizing a standards-based automated configuration definition framework
– Security Content Automation Protocol (SCAP): an XML-based NIST standard (submitted to ISO)

Page 35: Understand the Threats

Virtualization adds an entirely new series of attack vectors to your environment
– Understanding and monitoring potential threats is critical
– Both internal and external threats

You need to be aware of new threats and be able to rapidly adjust your security profile to address them

You need to develop a threat intelligence team that monitors threat news from multiple sources
– VMware, McAfee, Symantec, hacker forums, Black Hat, etc.

Be careful to distinguish between 'threats' and 'vulnerabilities': a vulnerability is a weakness in your environment, a threat is an actor or event that could exploit it

Page 36: Protect & Control Access

Controlling who has access to what files and who can perform which functions is critical
– Using tools like Introspection, VM admins become 'super admins'
– They can access files and data structures in any running VM

Don't forget the basics
– Strong passwords
– Password rotation
– Avoid shared accounts
– Multi-factor or risk-based authentication for privileged accounts
– Document and map all accounts to specific users

Page 37: Protect & Control Access: Roles

Role-based access control provides the ability to strongly segregate access
– Roles define which components a user can access and what they can (and can't) do
– Users are assigned roles

Most VM environments provide default roles
– Custom roles should be created to segregate access and control
– OS instance (VM) admins should be allowed access to only the VMs they're responsible for

Implementing and managing fine-grained role-based access can be complex, but it is critical

VM host admins should be treated as some of the most sensitive accounts in your environment!
– Strong authentication
– Full monitoring of all activities
– Restricted activities (e.g. web surfing)

Page 38: Sample Default Roles (VMware)

• No Access: A permanent role that is assigned to new users and groups. Prevents a user or group from viewing or making changes to an object
• Read-Only: A permanent role that allows users to check the state of an object or view its details, but not make changes to it
• Administrator: A permanent role that gives a user complete access to all of the objects on the server. The root user is assigned this role by default, as are all of the users who are part of the local Windows Administrators group associated with vCenter Server. At least one user must have administrative permissions in VMware.
• Virtual Machine Administrator: A sample role that allows a user complete and total control of a virtual machine or a host, up to and including removing that VM or host
• Virtual Machine Power User: A sample role that grants a user access rights only to virtual machines; can alter the virtual hardware or create snapshots of the VM
• Virtual Machine User: Grants user access rights exclusively to VMs. The user can power on, power off, and reset the virtual machine, as well as run media from the virtual discs.
• Resource Pool Administrator: Allows the user to create resource pools (RAM and CPU reserved for use) and assign these pools to virtual machines
• Datacenter Administrator: Permits a user to add new datacenter objects
• VMware Consolidated Backup User: Required to allow VMware Consolidated Backup to run
• Datastore Consumer: Allows the user to consume space on a datastore
• Network Consumer: Allows the user to assign a network to a virtual machine or a host
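To make the role discussion on the previous two slides concrete, here is an added example (not from the deck and not VMware's code) of how a vSphere-style permission model evaluates: roles are sets of privileges, a permission attaches a principal and a role to an inventory object and optionally propagates to its children, and the nearest object carrying a permission for the user decides. The inventory, roles, groups and permissions are constructed; the privilege names follow vSphere's naming style but are illustrative; and treating several matching group permissions on one object as a union of privileges is a simplifying assumption.

```python
"""vSphere-style role-based access control with inheritance down the
inventory tree. Added example, not from the EMC deck or from VMware: the
inventory, roles, groups and permissions are constructed and the privilege
names only mimic vSphere's naming style."""
from collections import namedtuple

# Privileges a role can grant (illustrative subset).
PRIVILEGES = {
    "System.View",
    "VirtualMachine.Interact.PowerOn", "VirtualMachine.Interact.PowerOff",
    "VirtualMachine.Interact.Reset", "VirtualMachine.State.CreateSnapshot",
    "VirtualMachine.Config.Settings", "VirtualMachine.Inventory.Delete",
    "Datastore.Browse", "Datastore.FileManagement", "Host.Config.Settings",
}

# The deck's permanent roles plus one deliberately narrow custom role for a
# team that administers its own VMs but must not touch datastores or hosts.
ROLES = {
    "Administrator": set(PRIVILEGES),
    "Read-Only": {"System.View"},
    "No Access": set(),
    "Virtual Machine User": {"System.View", "VirtualMachine.Interact.PowerOn",
                             "VirtualMachine.Interact.PowerOff",
                             "VirtualMachine.Interact.Reset"},
    "Web Team VM Admin": {"System.View", "VirtualMachine.Interact.PowerOn",
                          "VirtualMachine.Interact.PowerOff",
                          "VirtualMachine.Interact.Reset",
                          "VirtualMachine.State.CreateSnapshot",
                          "VirtualMachine.Config.Settings"},
}

# Inventory tree as child -> parent. Folders are what let you scope a team's
# access to "only the VMs they're responsible for" (Page 37).
PARENT = {
    "dc-prod": "vcenter", "folder-web": "dc-prod", "folder-db": "dc-prod",
    "vm-web01": "folder-web", "vm-web02-pci": "folder-web", "vm-db01": "folder-db",
}

GROUPS = {"alice": {"web-team"}, "bob": {"vsphere-admins"}, "carol": {"auditors"}}

Permission = namedtuple("Permission", "principal role obj propagate")
PERMISSIONS = [
    Permission("vsphere-admins", "Administrator", "vcenter", True),
    Permission("auditors", "Read-Only", "vcenter", True),
    Permission("web-team", "Web Team VM Admin", "folder-web", True),
    # An explicit No Access on the PCI-scoped VM overrides the folder grant.
    Permission("web-team", "No Access", "vm-web02-pci", True),
]


def effective_privileges(user, obj):
    """Walk from obj toward the root. The nearest object with a permission
    for the user (or one of their groups) decides; inherited permissions
    only count if they propagate. No permission anywhere means no access."""
    principals = {user} | GROUPS.get(user, set())
    node, direct = obj, True
    while node is not None:
        matches = [p for p in PERMISSIONS
                   if p.principal in principals and p.obj == node
                   and (direct or p.propagate)]
        if matches:
            return set().union(*(ROLES[p.role] for p in matches))
        node, direct = PARENT.get(node), False
    return set()


def can(user, privilege, obj):
    return privilege in effective_privileges(user, obj)


def who_can(privilege, obj):
    """Map an action on an object back to the users able to perform it:
    the 'document and map all accounts' check from Page 36, inverted."""
    return sorted(u for u in GROUPS if can(u, privilege, obj))


if __name__ == "__main__":
    for vm in ("vm-web01", "vm-web02-pci", "vm-db01"):
        print(vm, "delete:", who_can("VirtualMachine.Inventory.Delete", vm),
              "snapshot:", who_can("VirtualMachine.State.CreateSnapshot", vm))
```

The interesting answers are the negative ones: alice can snapshot vm-web01 but cannot delete it, cannot browse its datastore (so cannot copy the .vmdk), and gets nothing on the PCI VM in her own folder or on anything under folder-db. Run `who_can` over every sensitive VM and the result is the list of "super admin" accounts that Page 37 says deserve strong authentication and full activity monitoring.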

Page 39: Protect & Control Access: Encryption

Encryption can be thought of as a form of access control
– Only actors with access to the decryption keys can access the content

Doing encryption right can be a challenge
– Need to understand the threats you're trying to protect against (use cases)
– One size does not fit all with encryption!
– Numerous potential 'side effects' that need to be considered

Page 40: The Encryption Stack

• Encrypting at a given layer tends to protect all layers below
• Higher-layer encryption addresses more threat profiles
• Cost and complexity tend to go up as you move up the stack

The slide's stack figure is not reproduced. The practical reading of the first two bullets: encryption at the storage array defeats a stolen or discarded disk but not a compromised host, which still reads cleartext; encrypting the VM's disk files defeats a copied .vmdk but not a compromised guest; only application-level encryption survives a compromised guest, and it is the hardest to deploy and manage.

Page 41: Encryption: Considerations

– What are the drivers? (threats, regulations, policy, etc.)
– Key and algorithm strength
– Solution acquisition, implementation, management & impact costs
– Performance impact (encrypted data cannot be compressed, so compress or de-duplicate before encrypting, or accept the loss)
– Protection Domains (where will the data be protected?)
– User Context/Access Control
– Transition
– Key Management (who has access, key rotation, key retention, etc.)
– Secondary Operations (backups, data de-duplication, replication, etc.)
– Government Regulations

Page 42: Monitor & Respond

Continuous real-time monitoring of security-related events in a virtual environment is critical to maintaining security
– Attacks happen fast
– The longer an attacker is active in your environment, the more damage can be done

Monitoring is primarily a detective control, but may prevent further damage by detecting early

Need to define and document requirements (based on the threat environment)
– What will be monitored?
– What events will be collected?
– What do the events mean?

Modern complex environments generate huge amounts of event data
– Need to be able to make sense of it all
– Types of events collected should be based on classification

Page 43: Monitor & Respond: Event Monitoring

The most obvious collection requirements are security events
– Focus on failures and errors
– For all critical components, not just host instances (e.g. network devices, VM events, storage, etc.)

However, management and change events can be just as critical
– Create new VM
– Change access permissions
– Accesses to VM files

Numerous tools available
– Splunk, RSA Security Analytics, Catbird, etc.

In a multi-tenancy environment, you may need to provide unique event log feeds to each tenant
– All events relevant to their components (not just host events)
– And nothing about any other tenant's components
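Page 33 (correlate detected changes to approved change requests) and this slide (collect the management and change events, and give each tenant its own feed) come down to the same mechanics: pick the change events out of the VM environment's event stream, match each to an approved change request on object, event type, requester and time window, and route every event only to the tenants whose components it concerns. The following is an added example, not from the deck or from any of the tools listed: the log format, the event names (vCenter-style but illustrative), the tickets, tenants and host placements are all constructed.

```python
"""Change-event correlation and per-tenant event feeds for a VM environment.
Added example, not from the EMC deck or any SIEM: the log format, event
names (vCenter-style but illustrative), tickets, tenants and host placement
are constructed."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample feed: UTC timestamp, source, event type, key=value fields.
SAMPLE_LOG = """\
2013-05-07T14:02:11Z vcenter01 VmCreatedEvent user=alice@corp obj=vm-web07 host=esx01
2013-05-07T14:05:40Z vcenter01 VmReconfiguredEvent user=alice@corp obj=vm-web07 host=esx01
2013-05-07T15:31:02Z vcenter01 PermissionAddedEvent user=bob@corp obj=folder-db principal=contractor@corp role=Administrator
2013-05-07T22:47:19Z vcenter01 DatastoreFileDownloadEvent user=bob@corp obj=vm-db01 file=vm-db01.vmdk
2013-05-07T23:10:00Z vcenter01 UserLoginSessionEvent user=carol@corp obj=vcenter01
2013-05-08T00:05:00Z vcenter01 HostConnectionLostEvent obj=esx01
2013-05-08T01:12:33Z vcenter01 VmPoweredOffEvent user=alice@corp obj=vm-web07 host=esx01
"""

# Event types that change the environment (Pages 33 and 43): creating,
# reconfiguring or removing a VM, granting permissions, copying VM files.
CHANGE_EVENTS = {"VmCreatedEvent", "VmReconfiguredEvent", "VmRemovedEvent",
                 "PermissionAddedEvent", "DatastoreFileDownloadEvent"}

# Constructed approved change requests: who may make which change to what, and when.
APPROVED_CHANGES = [
    {"ticket": "CHG-1042", "obj": "vm-web07", "user": "alice@corp",
     "events": {"VmCreatedEvent", "VmReconfiguredEvent"},
     "start": "2013-05-07T13:00:00Z", "end": "2013-05-07T17:00:00Z"},
    {"ticket": "CHG-1050", "obj": "vm-db01", "user": "bob@corp",
     "events": {"VmReconfiguredEvent"},
     "start": "2013-05-08T02:00:00Z", "end": "2013-05-08T04:00:00Z"},
]

# Tenant ownership of inventory objects, and which tenants share each host.
TENANT_OF = {"vm-web07": "tenant-a", "folder-web": "tenant-a",
             "vm-db01": "tenant-b", "folder-db": "tenant-b"}
HOST_TENANTS = {"esx01": {"tenant-a", "tenant-b"}}

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<source>\S+) (?P<event>\S+)(?P<fields>(?: \S+=\S+)*)$")


def _ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ")


def parse_line(line):
    """One log line -> dict, or None for lines that do not fit the format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m["fields"].split())
    return {"ts": _ts(m["ts"]), "source": m["source"], "event": m["event"], **fields}


def parse_log(text):
    return [e for e in map(parse_line, text.splitlines()) if e]


def matching_ticket(event):
    """The approved change request covering this event, or None. A match
    needs the same object, an allowed event type, the approved requester
    and a timestamp inside the change window."""
    for cr in APPROVED_CHANGES:
        if (cr["obj"] == event.get("obj") and event["event"] in cr["events"]
                and cr["user"] == event.get("user")
                and _ts(cr["start"]) <= event["ts"] <= _ts(cr["end"])):
            return cr["ticket"]
    return None


def unapproved_changes(events):
    """Change events that no ticket explains: the permission grant nobody
    approved, the .vmdk downloaded at 22:47 outside any window."""
    return [e for e in events
            if e["event"] in CHANGE_EVENTS and matching_ticket(e) is None]


def tenant_feeds(events):
    """Split the stream per tenant. An event about a tenant's own object goes
    to that tenant; an event about a shared host goes to every tenant with
    VMs on it; provider-only objects (vCenter itself) go to no tenant. The
    'host=' field of a VM event is deliberately ignored so one tenant's VM
    activity is never copied into another tenant's feed."""
    feeds = defaultdict(list)
    for e in events:
        obj = e.get("obj")
        owners = {TENANT_OF[obj]} if obj in TENANT_OF else HOST_TENANTS.get(obj, set())
        for tenant in owners:
            feeds[tenant].append(e)
    return dict(feeds)


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    for e in unapproved_changes(events):
        print("UNAPPROVED", e["ts"], e["event"], e.get("user"), e.get("obj"))
    for tenant, feed in tenant_feeds(events).items():
        print(tenant, [x["event"] for x in feed])
```

On the sample feed the two unapproved events are the ones a VM admin abusing "super admin" rights would produce: an Administrator grant to a contractor on the database folder, and a download of vm-db01.vmdk from the datastore late at night with no change window open. Both belong in the SIEM as alerts, and the second also belongs in tenant-b's feed, because it is their server that was copied.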

Page 44: Monitor & Respond: Responding

Detecting a security event is meaningless unless it can be addressed effectively
– Need to have a comprehensive, structured incident response plan

The team responsible for the virtual environment must be integrated into the response plan

The use of VMs can actually simplify the forensic process
– Easy to make a snapshot of impacted servers, memory state included, without powering them off
– Hash the snapshot files and restrict who can touch them: the same VM admins whose access you are worried about can alter or delete the evidence

Page 45: Advanced Solutions: Key Management

In a multi-tenancy environment, some tenants may require stronger protection of VMs
– Even if the VM admin can't access the host OS (the OS instance running inside the VM), they can still access the VM files

Some vendors provide a split-key distributed key management solution
– Allows each tenant to control a portion of their VM's encryption keys
– Afore Solutions is one example
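The following is an added example (not from the deck, from Afore Solutions or from any other vendor) of what "each tenant controls a portion of the key" means mechanically, together with two of the secondary-operation side effects listed on Page 41. The data-encryption key is split by plain XOR secret sharing, so the provider's share alone is uniformly random and useless without the tenant's; the cipher is an HMAC-SHA256 counter-mode keystream standing in for AES-CTR so that the block runs on the Python standard library alone, and it must not be reused as a real cipher.

```python
"""Split-key control of a VM disk encryption key, and the compression and
de-duplication side effects of encrypting the disk. Added example, not from
the EMC deck or any vendor: XOR secret sharing for the split, and an
HMAC-SHA256 counter-mode keystream as a stand-in for AES-CTR (illustrative
only; use a real AEAD in production)."""
import hashlib
import hmac
import secrets
import zlib

KEY_LEN = 32


def split_key(dek):
    """Two-of-two XOR sharing. The provider's share is random and the
    tenant's share is dek XOR provider-share, so either share alone is
    uniformly random and reveals nothing about dek; both together
    reconstruct it exactly."""
    provider = secrets.token_bytes(len(dek))
    tenant = bytes(a ^ b for a, b in zip(dek, provider))
    return provider, tenant


def reconstruct_key(provider, tenant):
    return bytes(a ^ b for a, b in zip(provider, tenant))


def keystream(key, nonce, length):
    """Counter-mode keystream: HMAC(key, nonce || counter) blocks (toy cipher)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key, nonce, data):
    return bytes(a ^ b for a, b in zip(data, keystream(key, nonce, len(data))))


decrypt = encrypt  # XOR keystream: the same operation in both directions


def compression_ratio(data):
    """zlib output size over input size; about 1.0 means nothing to squeeze."""
    return len(zlib.compress(data)) / len(data)


def demo():
    # Constructed 'disk block': repetitive, like an OS image region. Two
    # tenants' VMs happen to contain the same block.
    block = b"MSDOS5.0 filler block\x00" * 186
    dek_a, dek_b = secrets.token_bytes(KEY_LEN), secrets.token_bytes(KEY_LEN)
    provider_a, tenant_a = split_key(dek_a)
    nonce_a, nonce_b = secrets.token_bytes(16), secrets.token_bytes(16)

    ct_a = encrypt(dek_a, nonce_a, block)
    ct_b = encrypt(dek_b, nonce_b, block)
    return {
        # The provider holds one share plus the VM files; alone it cannot decrypt.
        "provider_share_decrypts": decrypt(provider_a, nonce_a, ct_a) == block,
        # Tenant share + provider share reconstruct the key and the block.
        "both_shares_decrypt":
            decrypt(reconstruct_key(provider_a, tenant_a), nonce_a, ct_a) == block,
        # Side effect 1: ciphertext does not compress (Page 41).
        "plain_ratio": compression_ratio(block),
        "cipher_ratio": compression_ratio(ct_a),
        # Side effect 2: identical plaintext under different keys or nonces
        # is different ciphertext, so array-level de-duplication across
        # encrypted VMs finds nothing.
        "identical_blocks_dedup": ct_a == ct_b,
        # The flip side: deterministic encryption (same key and nonce every
        # time) makes dedup work again, but then equal ciphertext reveals
        # equal plaintext, and keystream reuse leaks the XOR of any two blocks.
        "deterministic_dedup": encrypt(dek_a, nonce_a, block) == ct_a,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:26} {value}")
```

The split is the whole point of the slide: the provider's VM admin can still copy the .vmdk, but without the tenant's share the file is noise, and the tenant can revoke the provider's ability to decrypt by withholding its share at the next key release. The two ratios and the dedup flags are what Page 41 means by "secondary operations": encrypting below the compression and de-duplication layers makes both useless, so either place those operations before encryption or budget for the lost capacity.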

Page 46: Advanced Solutions: SCIT

Self-Cleansing Intrusion Tolerance
– Invented by a team at George Mason University
– Supports the assertion that you will never be able to completely prevent all intrusions, especially in vulnerable servers (e.g. web servers, DNS servers, etc.)

Uses a rotating set of 'gold image' VMs to regularly replace potentially infected ones, so an intruder's foothold on any one instance lasts at most one rotation interval

Page 47: Summary

– Virtualization adds additional attack vectors to what is already an extremely complex attack surface
– Basic foundational capabilities are critical to effectively securing a virtual environment
– As with any technology, you need to understand the requirements and threats before you can secure it
– Controlling and protecting access, and appropriate monitoring, are critical
