Date posted: 21-Jan-2018 | Category: Technology | Uploaded by: trend-micro
Chris Van den Abbeele, Kelly McBrair
SAI3313BUS
#VMworld #SAI3313BUS
Automated Security for the Real-Time Enterprise with VMware NSX and Trend Micro Deep Security
Copyright 2017 Trend Micro Inc.
Welcome to: AUTOMATED SECURITY FOR THE REAL-TIME ENTERPRISE WITH VMWARE NSX AND TREND MICRO DEEP SECURITY [SAI3313BUS]
Presenter: Chris Van den Abbeele, Global Solutions Architect, Trend Micro
Presenter: Kelly McBrair, IT Infrastructure Architect, Plexus Corp
Join us Wednesday at 11am for: SKIP THE SECURITY SLOW LANE WITH VMWARE ON AWS [SAI3316BUS]
Presenter: Bryan Webster, Principal Architect, Trend Micro
Presenter: Dharmesh Chovatia, Lead Architect, Global CTO Office, Capgemini US
Visit the VMware Solution Exchange for a 30 Day Trial of Trend Micro™ Deep Security: https://www.trendmicro.com/product_trials/download/index/us/123
Visit trendmicro.com/vmware
Follow us @trendmicro
Automated Security for the Real-time Enterprise with VMware NSX and Trend Micro Deep Security
Kelly McBrair, IT Infrastructure Architect, Plexus Corp.
Chris Van Den Abbeele, Global Solution Architect, Trend Micro
Customer Perspective
Plexus Market Sectors: exclusively focused in market sectors that require mid-to-low volume, higher complexity value stream solutions:
• Communications
• Healthcare / Life Sciences
• Industrial / Commercial
• Defense / Security / Aerospace
Trend Micro
§ 28 years focused on security software
§ Headquartered in Japan, Tokyo Exchange Nikkei Index (4704)
§ Annual sales over $1B US
§ Customers include 45 of top 50 global corporations
§ 5500+ employees in over 50 countries
500k commercial customers & 155M endpoints protected
[Chart: customer segments: Small Business, Midsize Business, Enterprise, Consumer]
Agenda
• Introductions
• Automated security: From "bolted on" to "part of the fabric"
• The Business Case for Automated Virtual Patching
• Solve new problems
• Integration with vRealize Operations
• Deployment lessons learned
Integrated security: From "bolted on" to "part of the fabric"
Visibility
[Diagram: security lifecycle: Visibility, Context, Risk assessment, Protect, Maintain, Money; current stage: Visibility]
What's the problem with "bolted on" security?
• With the introduction of virtualization, we made a quantum leap in Operations. The same is happening with NW virtualization. But in many cases, Security remained stuck in the Dark Ages. Security is still something that is applied afterwards.
• We need to "shift left" security and integrate it in the automation.
• In today's real-time enterprise, the Operations team has to do more with less, every day. They create more new workloads than ever before.
• Manually adding the security controls takes a lot of time and it is often postponed (and/or finally... "forgotten").
• Many Security Dashboards only show workloads which had been brought under the control of the Security Solution (and have a security agent installed on them).
• Shadow IT can remain completely under the RADAR.
Context of new systems
[Diagram: security lifecycle: Visibility, Context, Risk assessment, Protect, Maintain, Money; current stage: Context]
Event-based tasks to profile new systems
Estimate the Risk
[Diagram: security lifecycle: Visibility, Context, Risk assessment, Protect, Maintain, Money; current stage: Risk assessment]
Some High Risk Vulnerabilities
Protecting new systems
[Diagram: security lifecycle: Visibility, Context, Risk assessment, Protect, Maintain, Money; current stage: Protect]
The Same Exploits... now Protected by Deep Security
Full, multi-layered security
8 layers of security:
- Anti-Malware
- Web Reputation
- Firewall
- Intrusion Prevention
- Integrity Monitoring
- Log Inspection
- Application Control
- Protection for SAP systems (NW-VSI)
Maintain consistency
[Diagram: security lifecycle: Visibility, Context, Risk assessment, Protect, Maintain, Money; current stage: Maintain]
Protect against drift:
• Integrity Monitoring: Monitors sensitive files and sensitive registry keys for changes
• Application Control: "Freezes" the server and blocks new executables and scripts from running
Protect against the latest vulnerabilities: Scheduled "Vulnerability" Scans
Reduce deployment complexity
Rich API set to integrate with virtually any orchestration and automation tools
PowerShell
The Business Case For Automated Virtual Patching
Typical patch cycle without Virtual Patching
[Timeline: Monthly Security Patching plus Half-yearly Full Patching: 12x patching/year]
High-impact zero days require immediate attention
– Are we vulnerable? (risk?)
– Who can provide a patch?
– When can we have the patch?
– When can we test it?
– Who can test it (team?)
– Where can we test it? (test environment)
– When can we have a maintenance window to Patch and Reboot our servers?
Typical patch cycle with Virtual Patching
[Timeline: Automated Ongoing Security Patching plus Half-yearly Full Patching: 2x patching/year]
Win-Win: increases security + reduces cost
5 days after ShellShock: 766 attacks blocked (Customer example)
766 attacks blocked by Deep Security Automated Virtual Patching on Sept 30th, at a customer managing 100+ instances. If Emergency (physical) Patching takes 5 days...
Solve New Problems
Why VMware with NSX and Trend Micro Deep Security?
Table Stakes
• Performance
• Security
• Cost
Next Play
• Integration and Choice
• Flexibility and Innovation
NIST Cybersecurity Framework (functions and their categories, as laid out on the slide):
Identify: Asset Management; Business Environment; Governance; Risk Assessment; Risk Management Strategy
Protect: Access Control; Awareness and Training; Data Security; Information Protection Processes and Procedures; Maintenance; Protective Technology
Detect: Anomalies and Events; Security Continuous Monitoring; Detection Processes
Respond: Response Planning; Communications; Analysis; Mitigation; Improvements
Recover: Recovery Planning; Improvements; Communications
Controls shown on the slide against the framework: Security Dashboard; Firewall; Antivirus; IPS; Vulnerability Scanning; IDS; SIEM; Monitoring; Data Recovery; Disaster Recovery; Disconnection Management; Security Incident Response
Automated Response to Improve Protection
• Leverage Syslog, SNMP, Email and/or vRealize Suite for Better Integration with Existing Monitoring/Alerting Tools
• Isolate VM Tagged by Deep Security with Native NSX Firewalling
  • Behavior-based firewalling, block internet phone home, prevent RGE
• Take Action on VM Tagged by Deep Security with VMware Orchestrator
  • Snapshots and clones, prepare restores, perform additional scanning
Example video of automated VM snapshot and Wireshark tap (with code): http://www.storagegumbo.com/2014/09/automation-multi-action-security.html
• See the Trend Threat Encyclopedia for examples of High, Medium and Low threats: http://trendmicro.com/vinfo
• Find sample code at Trend's DS Github repo: https://github.com/deep-security
Integration with vRealize Operations
Isolated worlds...
[Flow diagram, two parallel tracks]
Virtual Infrastructure Administrator: User call - VM slow to respond... → Log Ticket → Admin logs into vRealize Operations → Attempt to vMotion / Reboot the VM / Recycle the VM → Root Cause Analysis → Close Ticket
Security Administrator: or... Administrator receives a security alert → Log Ticket → Admin logs into Deep Security Manager → Change rules to block specific ports / Quarantine and scan → Root Cause Analysis → Close Ticket
Single pane of glass for Trend Micro events and VMware events
Correlate vROps Events with Security Events
Deployment Lessons Learned
Read Trend's Best Practices Guide (Note sizing, testing, recommendations): https://help.deepsecurity.trendmicro.com/best-practice-guide.html
Consider Additional Distribution Points and/or Managers over WAN
Troubleshoot Deep Security Virtual Appliances as Cattle
Plan Your Rules: Firewall, Affinity, Restart, etc.
Agents are still needed (today) for:
• Server 2016 and *nix VMs
• Some advanced features
• (recommendation) Windows-based VMware Components and Supporting Systems that may start up before Trend Deep Security Manager (i.e. its DB)
Tips and Things You Should Know
Guest Introspection Drivers and Troubleshooting: https://kb.vmware.com/kb/2094261
VMware Tools Versions and Upgrades: https://packages.vmware.com/tools/index.html (Beware of v10.0.0-10.0.7); https://kb.vmware.com/kb/1014508 (Correlate versions file to ESXi Build)
Automate the Upgrade with: /v"/qn ADDLOCAL=ALL REMOVE=Hgfs,NetworkIntrospection"
Note: NetworkIntrospection removal optional. Add REBOOT=ReallySuppress to prevent any reboots.
Get to Know VMware Tools
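The silent upgrade the slide describes, as an added PowerShell example (not from the slides, VMware or Trend Micro): it reads the installed Tools version, flags the 10.0.0-10.0.7 range the slide warns about, then runs the installer with the slide's MSI properties. The installer path, VMwareToolboxCmd.exe path and log path are assumptions to adjust for your environment.

```powershell
# Added example: silent VMware Tools upgrade with the MSI properties from the slide.
param(
    [string]$Installer  = 'C:\Temp\VMware-tools\setup64.exe',                          # assumed path
    [string]$ToolboxCmd = "$env:ProgramFiles\VMware\VMware Tools\VMwareToolboxCmd.exe", # default install path
    [string]$LogFile    = 'C:\Temp\vmtools-upgrade.log',                                # assumed path, no spaces
    [switch]$KeepNetworkIntrospection                                                   # slide: removal is optional
)

# Installed version via "VMwareToolboxCmd.exe -v" (prints e.g. "10.x.y.z (build-nnn)"); $null if Tools is absent.
$installed = $null
if (Test-Path $ToolboxCmd) {
    $raw = & $ToolboxCmd -v 2>$null
    if ("$raw" -match '^\s*(\d+(\.\d+){1,3})') { $installed = [version]$Matches[1] }
}

# The slide says to beware of Tools v10.0.0-10.0.7; warn so these hosts are upgraded first.
if ($installed -and $installed -ge [version]'10.0.0' -and $installed -le [version]'10.0.7') {
    Write-Warning "Installed VMware Tools $installed is in the 10.0.0-10.0.7 range flagged on the slide."
}

# MSI property list exactly as the slide gives it, plus a verbose msiexec log.
$remove = 'Hgfs'
if (-not $KeepNetworkIntrospection) { $remove += ',NetworkIntrospection' }
$msiProps = "/qn /l*v $LogFile ADDLOCAL=ALL REMOVE=$remove REBOOT=ReallySuppress"

# /S silences the setup wrapper; /v"..." hands the properties through to msiexec.
$installerArgs = @('/S', "/v`"$msiProps`"")
Write-Host "Running: $Installer $($installerArgs -join ' ')"
$proc = Start-Process -FilePath $Installer -ArgumentList $installerArgs -Wait -PassThru

# Standard MSI exit codes: 0 = done, 3010 = done but a reboot is pending (held back by REBOOT=ReallySuppress).
switch ($proc.ExitCode) {
    0       { Write-Host 'Upgrade completed, no reboot requested.' }
    3010    { Write-Host 'Upgrade completed; reboot suppressed, schedule it in the next maintenance window.' }
    default { throw "VMware Tools installer exited with code $($proc.ExitCode); see $LogFile" }
}
```

Run it once with a test VM first and compare the installed version against the ESXi build table from the KB above before rolling it out through your orchestration tool.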
Summary
Hopefully this presentation has provided a few insights and practical examples on how to bring your Hybrid Cloud Security into the 21st century.
By automating and integrating security in the operations stack, you can greatly improve your security posture and reduce operational costs.
Do the same setup and demo yourself in the VMworld Hands-on Labs: LAB HOL-1841