Visibility & Security for the Virtualized Enterprise

Visibility & Security
for the Virtualized
Enterprise
John McDonald, CISSP

© Copyright 2013 EMC Corporation. All rights reserved.

1

Roadmap Information Disclaimer
 EMC makes no representation and undertakes no obligations with
regard to product planning information, anticipated product
characteristics, performance specifications, or anticipated release
dates (collectively, “Roadmap Information”).
 Roadmap Information is provided by EMC as an accommodation to the
recipient solely for purposes of discussion and without intending to be
bound thereby.
 Roadmap information is EMC Restricted Confidential and is provided
under the terms, conditions and restrictions defined in the EMC NonDisclosure Agreement in place with your organization.


2

Agenda
 Foundations
 How Virtualization Impacts Your Security
 Securing & Monitoring Virtual Environments
 Summary


3

Foundations


4

Foundations
 Attack surface
 High Value Assets
 Types of Security Controls


5

What is An Attack Surface?
 Originally proposed by the Software Engineering
Institute at Carnegie Mellon University
 The attack surface of a system the set of ways in
which an adversary can enter the ‘system’ and
potentially cause damage
– Intentional or unintentional

 Hence, the larger the attack surface, the more
difficult it is to secure the system

6

Information is Created and Stored
DMZ
Attack Points:
• OS (multiple)
• Local storage
• Web Server
PII
PHI
PCI
IP

Networ
k

SAN

Internet

Custome
r/Client
/Patient

Database

Web
Server

Application
Server

Database
Server

Storage
Array

Infrastructure


7

DMZ
Networ
k

Attack Points:
• OS (multiple)
• Local storage
• Web Server

Internet

Customer/
Client
/Patient

SAN

PII
PHI
PCI
IP

Web
Server

Database

Application
Server

Attack Points:
• OS (multiple)
• Local storage
• App (multiple)

Database
Server

Storage
Array

Infrastructure


8

DMZ
Attack Points:
• OS (multiple)
• Local storage
• Web Server

SAN

Networ
k

PII
PHI
PCI
IP

Internet

Customer/
Client
/Patient

Attack Points:
• Switches
• Routers
•Sniffers

Web
Server

Application
Server

Attack Points:
• OS (multiple)
• Local storage
• App (multiple)

Database

Database
Server

Attack Points:
• OS (multiple)
• Local storage
• DB (multiple)

Storage
Array

Infrastructure


9

DMZ
Attack Points:
• OS (multiple)
• Local storage
• Web Server

Attack Points:
• Switches
• Routers
•Sniffers

PII
PHI
PCI
IP

Internet

Customer
/Client
/Patient

SAN

Networ
k

Web
Server

Application
Server

Attack Points:
• OS (multiple)
• Local storage
• App (multiple)

Database
Server

Attack Points:
• OS (multiple)
• Local storage
• DB (multiple)

Infrastructure


Attack Points:
• Switches
• Controllers
• Host Drivers

Database

Storage
Array

Attack Points:
• Mgt Interface
• Copies
• Backups

10

Information is Accessed and Managed
DMZ
Attack Points:
• OS (multiple)
• Local storage
• Web Server

Attack Points:
• Switches
• Routers
•Sniffers

SAN

Networ
k

PII
PHI
Database
PCI
IP

Internet

Customer
/Client
/Patient

Web
Server

Application
Server

Attack Points:
• OS (multiple)
• Local storage
• App (multiple)

Database
Server

Attack Points:
• OS (multiple)
• Local storage
• DB (multiple)

Infrastructure


Attack Points:
• Switches
• Controllers
• Host Drivers

Storage
Array

Attack Points:
• Mgt Interface
• Copies
• Backups

11

SAN

PII
PHI
Database
PCI
IP

Database
Server

Storage
Array

Infrastructure


12

Numerous Attack
Points

Partner
s

Customer
Attack Points:
• OS (multiple)
Service • Service App

Attack Points:
• Intercepted email
• Wrong addressee

Emai
l

• Local storage

SAN

Attack Points:
• OS (multiple)
• Backup App
• Snap/Clone

Attack Points:
• OS (multiple)
• Lost/stolen device
• Local storage

PII
PHI
Database
PCI
IP

Client
s

Employees

Customer
s

Suppliers

Portal/
Intranet

Attack Points:
• OS (multiple)
• Web Server
• Network


Backup
Server

Database
Server

Attack Points:
• Lost/Stolen
• Unauthorized
Access

Copy
Attack Points:

Storag
• Network
Communications
e
Business Mobile Devices Array
Attack Points:
Attack Points:
Attack Points:
• Unauthorized DR
• OS (multiple)
• Device exploit
Applications •Lost/stolen
Access
Infrastructure
• Business App
• Physical Theft Site
device
• Local storage

13

What is an Information Attack Surface?
The Information Attack Surface for a given
type of information equals the combination of
the attack surfaces of all components that
‘touch’ that type of information
• For the entire lifecycle of that information
• Virtualization adds another layer to the attack
surface

14

What are High-Value Assets?
• An asset that, if compromised, will have a significant
impact on:
–
–
–
–
–

Revenue/Critical Business Processes
Intellectual Property/Trade Secrets
Brand/Image
Legal/Regulatory Compliance
Total Customer Experience

• Assets can be systems (HVSA) or information (HVIA)

15

Types of Security Controls
• Three types of security controls to consider

– Preventive – Prevent compromise from occurring in the first
place (Firewall, AV, Encryption, etc.)
– Detective – Detects if compromise has or is occurring and
what happened (SIEM, IDS/HDS, forensics, etc.)
– Corrective – Allows environment to be returned to previous
non-compromised state (e.g. AV, backups, DR, etc.)

• Preventive provides the greatest value, but becoming
increasingly difficult (e.g. 0-day vulnerabilities. APTs,
etc.)

16

How Virtualization
Impacts Security


17

Virtualization’s Impact
 New threat landscape
 Servers as files
 Server sprawl
 Super Admins
 Multitenancy


18

New Threat Landscape


19

Virtualization Threat Modeling
 You need to understand the changes the virtualization
introduces into your threat model

– Sources – Where the attack originates (don’t forget physical
and accidents)
– Objectives – The goals of the attack
– Methods – How the attack is accomplished

 ‘Objectives’ and ‘Methods’ tend to drive an attackers
targets
 Objectives that are focused on compromising sensitive
assets or disrupting your environment can target your
virtualization environment


20

Threat Modeling Process
Threat Modeling Process
1. Identify Assets (including VMs)

Lead Designer, Business Owner

2. Create an Architecture Overview
3. Decompose the Attack Surface

Designer
Architect
Security Lead

4. Identify the Threats

Brainstorm Session

5. Document the Threats
6. Rate the Threats


Designer, Development,
Infrastructure, Documentation,
Testers, Security, Project
Management

21

Physical Servers
• Most organizations have good physical security
•

Physical servers are well protected from theft

Data Center


22

Virtualization Changes Server Security
 Servers are now files, which can easily be
copied/stolen

– Locally or over a network
– Along with the information they contain (.vmdk files)

=
Now


23

Server Sprawl
 Virtualization makes adding servers easier

– Which inevitably results in more servers
– Which in turn means more copies of sensitive information
and a larger attack surface

=
Now


24

Super Admins
 Previously, system admins only had
access to servers they were directly
responsible for
– With virtualization environments, VM
admins can access the files
representing the servers in the
domains they manage
– ‘Introspection’ capabilities provide
potential visibility into every VM


25

Multi-tenancy
 Many virtual environments support
multiple different business
organizations in a single
environment
– Cloud providers

 Each environment may have
different security requirements; all
require segregation from the
others

26

Securing &
Monitoring Your
Virtual Environment


27

Securing & Monitoring
 Ensure solid foundations
 Understand the threats
 Protect & control access
 Monitor & respond
 Advanced solutions


28

Ensure Solid Foundations
 There are a number of processes that need to be
solid before you can effectively secure a virtual (or
any) environment
–
–
–
–

Classification
Change control
Patch management
Configuration management

 Underlying all of these should be a solid
documentation foundation

– You can’t secure what you don’t understand!


29

General Process Impact
 One of the biggest advantages of virtualization is that it tends to
simplify many processes
– What used to require accessing many physical servers can be easily
accomplished from a single VM management console
– But this can also be a weakness from a security perspective

 A common problem is that this simplification tends to lead to a
more lax approach to these processes
–
–
–
–

Change control
New server creation
Asset management
Patch management

 Which in turn reduces the effectiveness of these process controls


30

Foundations: Classification
 Classification is the process of defining standard security
‘buckets’ based on broad protection requirements
– Usually 3-4 classification levels

 Example:
–
–
–
–

Restricted Internal
Company Confidential
Company Sensitive
Public

 Every asset should be assigned a classification

– Servers, databases, switches, etc.
– Based on the highest classification of information it ‘touches’


31

Foundations: Classification (contd.)
 Need to define protection requirements for VMs based on
classification
– Each classification should mandate both general and
technology-specific standards
▪ Examples:
—

All OS instances that process information classified as ‘Company Confidential’ shall themselves
be classified ‘Company Confidential’
»
»

—
—

All attempted, successful and failed login attempts shall be logged and reviewed
All access changes must be reviewed and approved

Windows instances classified as ‘Company Confidential’ shall not run the following services:…
Linux instances classified as ‘Company Confidential’ shall not run the following daemons:…

 The VM environment itself should have a classification
– And associated security configuration standards


32

Foundations: Change Control
 Automated, comprehensive & integrated change
control for VM environments
– Should cover ALL changes!
– Automated detection of changes (event logs) and
correlation to approved change requests
– Should include changes to the VM environment itself

 Change events should be sent to a SIEM system for
analysis and correlation
– Configuration change events as well as security events


33

Foundations: Configuration Management
 Unmanaged/uncontrolled changes are one of the most
common sources of security vulnerabilities

– ‘Temporary’ changes to fight some fire that never get undone

 VM environment and VMs should be scanned regularly to
ensure compliance with define configuration standards
 Consider utilizing standards-based automated
configuration definition framework

– Security Configuration Automation Protocol (SCAP)
– XML-based NIST standard (submitted to ISO)


34

Understand the Threats
 Virtualization adds an entirely new series of attack vectors to
your environment
– Understanding and monitoring potential threats is critical
– Both internal and external threats

 You need to be aware of new threats and be able to rapidly
adjust your security profile to address them
 You need to develop a threat intelligence team that monitors
threat news from multiple sources
– VMWare, McAfee, Symantec, hacker forums, Black Hat, etc.

 Be careful to distinguish between ‘threats’ and ‘vulnerabilities’


35

Protect & Control Access
 Controlling who has access to what files and who can
perform which functions is critical
– Using tools like Introspection, VM admins become ‘super
admins’
– Can access files and data structures in any running VM

 Don’t forget the basics
–
–
–
–

Strong passwords
Password rotation
Avoid shared accounts
Multi-factor or risk-based authentication for privileged
accounts
– Document an map all accounts to specific users


36

Protect & Control Access: Roles
 Role-based access control provides the ability to strongly segregate access
– Roles define which components a user can access and what they can (and can’t) do
– Users are assigned roles

 Most VM environments provide default roles

– Custom roles should be created to segregate access and control
– OS instance (VM) admins should be allowed access to only the VMs they’re
responsible for

 Implementing and managing fine-grained role-based access can be
complex, but critical
 VM host admins should be treated as some of the most sensitive accounts
in your environment!
– Strong authentication
– Full monitoring of all activities
– Restricted activities (e.g. web surfing)


37

Sample Default Roles (VMWare)


No Access: A permanent role that is assigned to new users and groups. Prevents a user or group from viewing or making changes to an object



Read-Only: A permanent role that allows users to check the state of an object or view its details, but not make changes to it



Administrator: A permanent role that enables a user complete access to all of the objects on the server. The root user is assigned this role by default, as are
all of the users who are part of the local Windows Administrators group associated with vCenter Server. At least one user must have administrative
permissions in VMware.



Virtual Machine Administrator: A sample role that allows a user complete and total control of a virtual machine or a host, up to and including removing
that VM or host



Virtual Machine Power User: A sample role that grants a user access rights only to virtual machines; can alter the virtual hardware or create snapshots of
the VM



Virtual Machine User: Grants user access rights exclusively to VMs. The user can power on, power off, and reset the virtual machine, as well as run media
from the virtual discs.



Resource Pool Administrator: Allows the user to create resource pools (RAM and CPU reserved for use) and assign these pools to virtual machines



Datacenter Administrator: Permits a user to add new datacenter objects



VMware Consolidated Backup User: Required to allow VMware Consolidated Backup to run



Datastore Consumer: Allows the user to consume space on a datastore



Network Consumer: Allows the user to assign a network to a virtual machine or a host


38

Protect & Control Access: Encryption
 Encryption can be thought of as a form of access
control

– Only actors with access to the decryption keys can access
the content

 Doing encryption right can be a challenge

– Need to understand the threats you’re trying to protect
against (use cases)
– One size does not fit all with encryption!
– Numerous potential ‘side effects’ that need to be
considered


39

The Encryption Stack
• Encrypting at a given
layer tend to protect all
layers below
• High layer encryption
addresses more threat
profiles
• Cost and complexity tend
to go up as you move up
the stack

40

Encryption: Considerations
 What are the drivers? (threats, regulations, policy, etc.)
 Key and algorithm strength
 Solution acquisition, implementation, management & impact costs
 Performance impact (encrypted data cannot be compressed)
 Protection Domains (where will the data be protected?)
 User Context/Access Control
 Transition
 Key Management (who has access, key rotation, key retention, etc.)
 Secondary Operations (backups, data de-duplication, replication, etc.)
 Government Regulations


41

Monitor & Respond
 Continuous real-time monitoring of security-related events in a virtual
environment is critical to maintaining security

– Attacks happen fast
– The longer an attacker is active in your environment, the more damage that can be
done

 Monitoring is primarily a detective control, but may prevent further
damage by detecting early
 Need to define and document requirements (based on threat environment)
– What will be monitored?
– What events will be collected?
– What do the events mean?

 Modern complex environments generate huge amounts of event data
– Need to be able to make sense of it all
– Types of events collected should be based on classification


42

Monitor & Respond: Event Monitoring
 Most obvious collection requirements are security events

– Focus on failures and errors
– For all critical components, not just host instances (e.g. network devices, VM events,
storage, etc.)

 However, management and change events can be just as critical
– Create new VM
– Change access permissions
– Accesses to VM files

 Numerous tools available

– Splunk, RSA Security Analytics, Catbird, etc.

 In a multi-tenancy environment, you may need to provide unique event
log feeds to each tenant
– All events relevant to their components (not just host events)


43

Monitor & Respond: Responding
 Detecting a security event is meaningless unless it
can be addressed effectively
– Need to have a comprehensive structured incident
response plan

 The team responsible for the virtual environment
must be integrated into the response plan
 The use of VMs can actually simplify the forensic
process
– Easy to make a snapshot of impacted servers


44

Advanced Solutions: Key Management
 In a multi-tenancy environment, some tenants may
require stronger protection of VMs
– Even if VM admin can’t access host OS, they can still
access the VM files

 Some vendors provide a split-key distributed key
management solution
– Allows each tenant to control a portion of their VM’s
encryption keys
– Afore Solutions is one example


45

Advanced Solutions: SCIT
 Self-Cleansing Intrusion
Tolerance

– Invented by a team at George
Mason University
– Supports the assertion that you
will never be able to completely
prevent all intrusions, especially in
vulnerable servers (e.g. web
servers, DNS servers, etc.)

 Uses a rotating set of ‘gold
image’ VMs to regularly replace
potentially infected ones


46

Summary
 Virtualization adds additional attack vectors to what
is already an extremely complex attack surface
 Basic foundational capabilities are critical to
effectively securing a virtual environment
 As with any technology you need to understand the
requirements and threats before you can secure it
 Controlling and protecting access and appropriate
monitoring are critical

47

Visibility & Security for the Virtualized Enterprise

Visibility & Security for the Virtualized Enterprise

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Viewers also liked

Viewers also liked (20)

Similar to Visibility & Security for the Virtualized Enterprise

Similar to Visibility & Security for the Virtualized Enterprise (20)

More from EMC

More from EMC (20)

Recently uploaded

Recently uploaded (20)

Visibility & Security for the Virtualized Enterprise