1 Data Center Security & Control Compliance Suite Olaf Mischkovsky & Armin Schneider

1

Data Center Security &

Control Compliance Suite

Olaf Mischkovsky & Armin Schneider

SYMANTEC VISION SYMPOSIUM 2014 2

Agenda

• Symantec Data Center Security & Compliance Offering: Products Today & Why we grouped them together

• Data Center & Server Protection with: Data Center Security: Server & Server Advanced

• Compliance Monitoring & Unified Assessment with: Control Compliance Suite

• Symantec Data Center Security Portfolio: Moving Forward

• Summary & additional Information

SYMANTEC VISION SYMPOSIUM 2014

Symantec Data Center Security & Compliance Offering

3


Server Hardening & Monitoring

Threat Protection

& Intelligence

Compliance & Security

Assessment

Data Center Security & Compliance Business Unit: Products Today

Data Center Security: Server & Server Advanced

Symantec ProtectionEngine

Control ComplianceSuite


Why Data Center Security & Compliance together?

• Common Target:– The Data Center (Physical & Virtual Servers, Applications & Data Stores)

• Common Buyer:– Security Office, Data Center Operations, Server Management

• Common Platforms:– Windows, Linux, UNIX, Database & Middleware Applications

• Common Processes:– Decision Processes, Change Control and Implementation Processes, …


But what else … ?New Security Challenges

Public Cloud

PrivateCloud

On-Premise Physical

•Asset inventory1

IDS/IPSDLP

EncryptionAntimalware

VMHardening

SEIMConfigurationmanagement

•Many point solutions2

•Rapid rate of change3

•New and expanding attack surfaces4

•No infrastructure control 5


Servers are the Target: “Endpoints simply provide an initial foothold”

7

Variety of compromised assets across 47,000+ security incidents

Verizon 2013 Data Breach Investigations Report: “When you consider the methods used by attackers to gain a foothold in organizations –Brute Force, stolen creds, phishing, tampering – It’s really not all that surprising that none receive the high difficulty rating…”

97%of stolen data is

from servers


Compromising ServersMost breaches are caused by: Unpatched systems

Operating systems Applications

Careless mistakes

System configuration

Zero day vulnerabilities

Targeted malware

Malicious employees

Stolen credentials

Untrusted applications

8


Segmented Physical/Virtual

Security Solutions with DCS

SDDC• Asset inventory• Centralized Risk Management1

• Automated security context and templates

• Security orchestration3

• Integrated security intelligence for internal/external threats/vulnerabilities4

DCS Server Security• Advanced Threat Protection • Server & Hypervisor Hardening

DCS Data Store Security• Data and Messaging Protection

DCS Unified Assessment• Secure configuration management• Vulnerability assessment

Operations Director• Integrated security intelligence

and orchestration

Public Cloud

• Public Cloud Protection 5

9

• Integrated protection for workloads, SDNs, and data intensive applications

2


Data Center & Server Protection with: Data Center Security: Server & Server Advanced

10


What do Hackers Target on Systems?SDCS: Server Advanced

Registry

Config Files

Portable Storage Devices

Applications

Operating System

Memory

Enforce Registry Integrity

Enforce File Integrity

Enforce Memory Protection

Enforce network controls

Enforce device controls

Enforce application activity

11

http://www.networkworld.com/news/2007/032307-question.html?zb&rc=mgmt


Why SDCS: Server Advanced on Servers?

Policy based protection System lock down Application Whitelisting Privilege de-escalation Exploit/malware prevention Remediation automation Compliance enforcement Real-time file integrity monitoring User Monitoring Broad OS and platform coverage Agentless AV Protection*

*Agentless AV protection will be covered in separate SSE+ Technical Sales presentation

FEATURESComplete protection

across physicaland virtual servers

High performanceand reduced

downtime

Lower costmanagement and

administration

VALUEDetection + Prevention + Agentless Antimalware Protection*

Symantec Data Center Security: Server Advanced

12


Traditional Approach:Blacklist Malware

Behavior Blocking:Sandboxing/Whitelisting

Malware Signatures30 Million and growing @ xxx / Month

DLoader.AMHZW \ Exploit_Gen.HOW \ Hacktool.KDY \ INF/AutoRun.HK \ JS/BomOrkut.A \ JS/Exploit.GX \ JS/FakeCodec.B \ JS/Iframe.BZ \ JS/Redirector.AH \ KillAV.MPK \ LNK/CplLnk.K ….

Application and OS Behavior Control

As defined by prevention policy

Signature based

Stops only what is known

Reactive

Ineffective on: Zero Day

Protects itself from misbehaved applications or users

Requires extra layers of security

Policy based

Stops the unknown

Proactive

Effective for: Zero day

Protects the OS from misbehaved applications or users

Protects applications from each other

Behavior Blocking vs. Traditional Protection

13


Sandboxing is Highly Effective at Stopping Zero-Day Attacks

• Based on Fundamental Security Principles: Least Privilege Access Control • Highly effective against malware (known & unknown)• Containment model limits the potential for exploitation• Applicable to all environments and applications• Dramatically improves security posture

User Applications

Core OSService

SDCS:SA Agent

Files Named Pipes

Registry (Win only)

Network Controls

Memory (Buffer Overflow)

OS Calls Devices

Behavior Control AgentKernel mode intercept driver

Windows, Solaris, Linux

HTTPS

Web, DB, Mail, etc.

SDCS:SA Management Server

14


Zero Trust Model with Sandboxing to Protect Servers

creates a “sandbox” for one or more programs (processes) using a policy that defines Least Privilege Access Controls or “acceptable” resource access behaviors

Files

Registry

Network

Devices

File system and

Configuration info

Process AccessControl

Outlook

CMD

DNS Server

Kernel

RPC

Services or

Daemons

Interactive Applications

Granular Resource ConstraintsHost

Chrome

Most programs require a limited set of resources and access rights to perform normal functions

But most programs have privileges and resource rights far beyond what is required – attacks readily exploit this gap

Defaults for Service and Interactive

Etc. Etc.

Memory

Usage of Ports and Devices

Default “Sandbox”

15


Lockdown Critical System with Whitelisting Policy

Intuitive prevention policy wizard to reduce time and complexity during policy creation

Application discovery during policy creation

Symantec Insight application reputation

Fine grained application control rules using file hashes

General application rules using signed and trusted root

16


Use Case: Domain Controller (AD Server) Lockdown

Domain Controllers are often targets of attacks

Theft of database file gives attackers access to user accounts

Restrict access to database files (ntds.dit, edb.log, and temp.edb) & registry keys

Restrict network access to Domain Controller

Prevent FTP traffic to and from system

Except by authorized users or applications

*SDCS:SA provides AD Server protection w/ out-of-box Policy

17


4. Trusted user or application allowed to make selective changes

2. Unauthorized access, regardless of privileges, is blocked

3. Policy can allow certain users or applications to make change

1. SDCS:SA policies restrict access to critical resources by all users and processes

System Control: Control Privileged Users & Resources

18

http://www.networkworld.com/news/2007/032307-question.html?zb&rc=mgmt


Use Case: Administrator Privilege De-Escalation Administrator and root

accounts hold the key to the entire system

Administrator privilege de-escalation can be possible by locking specific resources by a specific set of users/groups

The users/groups are only allow read/write resources via a specific application

In case of a breach the locked resources are still protected

19


Use Case: Harden Virtual Environments VSC03 – Restrict access to

SSL certificates VSH02 – Keep VMware

center system properly patched

VSC05 – Restrict network access to VMware vCenter server system

VSH04 – Avoid user login to VMware vCenter server system

VSC06 – Block access to ports not being used by VMware vCenter

20


Detection: Auditing and Alerting

21


SDCS:SA Detection: Monitors for Configuration ChangesChange Detection

File and Registry Change Detection Security Configuration Changes Group Management Changes Active Directory Changes Shares Configuration Changes Domain Trust Changes User/Group Account Modification Fine Grained System Activity Malware/Spyware Detection USB Device Activity Monitors ESXi host configuration

and VMX files

22


Real-Time Change Detection = Situational Awareness

23

PCI Section 11: File Integrity Monitoring Requirements (FIM) SDCS: Server Advanced offers continuous (real-time) File Integrity Monitoring (RTFIM) No scanning, no OS auditing required Captures server/file/user name, timestamp, change type, change content, program that

made change Uses SHA-256 hashes

FeaturesCompetitor

FIMSDCS:SA RTFIM

Real-time change detection and alerts

Requires auditing enabled on Windows


SDCS:SA Detection: Monitors Significant System Security Events

Logon/Logoff Monitoring Success, Failures, After Hours, Weekends, privileged

user, Unusual access methods, password cracking attempts

System/Services Monitoring Service/daemon/driver failures, process

tracking (privileged access, unusual usage)

C2 Object Level Log Monitoring

Web Log Monitoring

Application Log Monitoring Database logs Application server logs (such as ESXi) Security tool logs (such as AV) Unix shell & sudo logs vSphere logs

System/Application Log Monitoring

24


SDCS: SA Architecture: Agent, Manager and Console

25


SDCS: Server Advanced Agent Multi Platform Support

Platform Client Edition

Server Edition

Prevention Detection

Microsoft Windows®

Windows 7

Windows Embedded 7

Windows XP

Windows XPe

Windows 2000

Windows 2012, 2008, 2003, and 2000Windows NT 4.0*Support varies for x86, AMD64, EM64T and difference service pack levels

Windows 2012, 2008, 2003, and 2000Windows NT 4.0*Support varies for x86, AMD64, EM64T and difference service pack levels

Solaris™ Not ApplicableSolaris 9 and 10*Support varies for SPARC, x86, AMD64, EM64T & local/global zones

Solaris 9, 10, and 11*Support varies for SPARC, x86, AMD64, EM64T & local/global zones

Linux™ SuSE Linux Professional

SUSE Linux Enterprise Server 9,10, and 11Red Hat Enterprise Linux 5 and 6CentOS 5 and 6Oracle Linux 5 and 6*Support varies for x86, AMD64, EM64T & IA64

SUSE Linux Enterprise Server 9,10, and 11

RedHat Enterprise Linux, 4, 5, and 6CentOS 5 and 6Oracle Linux 5 and 6*Support varies for x86, AMD64, EM64T & IA64

AIX™ Not Applicable AIX 5L 5.3, 6.1, and 7.1*Support for PowerPC 32-bit and 64-bit

AIX 5L, 6.1, and 7.1*Support for PowerPC 32-bit and 64-bit

HP-UX™ Not Applicable Not supportedHP-UX 11i v1 (11.11)**, v2 (11.23)** and v3 (11.31)** 64 bit*Support varies for PARISC and Itanium2

ESX™ Not Applicable ESX 4.1 Host

ESXi 5.0 Host

ESXi 5.5 Host

*monitoring is done remotely by the vSphere Support Pack.

ESX 4.1 Host

Note: For support details please refer back to Platform Support Matrix

26


Minimal Overhead

• Typical CPU Usage

1-6% depending upon policies used and the amount of IO usage on the system

• Memory– Windows - typically 25-40MB

– Unix – typically 40-80MB

• Disk space– Requires a minimum of 100MB disk space

– Additional disk space may be used if agent log files are not purged periodically

27


Compliance Monitoring & Unified Assessment with:Control Compliance Suite

28


Implementation

Policies

That is a Policy Sample Text without any meaning and just there to Illustrates the Text within a PowerPoint Slide.



Controls

Cobit ISO PCI NERC

HIPPA SOX GLBA FISMA Basel

Technical Controls




ProceduralControls




Assets People

End to End - IT Governance Risk & Compliance Management

Requirements

Measure

Map

Assign Deploy

Measure

Manage Risk


Control Compliance Suite 11 - Modular ViewPolicy Manager Risk Manager

Virtualization Sec. Mgr.Standards Manager Vulnerability Manager

CommonAsset & Data Store

CommonDashboard & Reporting

Core Infrastructure

Vendor Risk Manager

Assessment Manager

External Data Integration


Hub: Control Compliance Suite Infrastructure

Centrally collect and manage evidence….

• Combine evidence from multiple systems (including 3rd party tools)

• Format evidence and map to policies and regulations

• View with compliance data

• Gain greater visibility into IT and security risks

• Lower administrative overheads

• Integrate with 3rd party service desks for remediation

External Evidence System

Evidence Provider



Connect to Evidence Provider

1

Collect evidence

Format and store data

Map data to policiesand regulations

Triggerdata evolution

Triggerreporting job


3

2

5

4

6

31


Hub: Control Compliance Suite Infrastructure

…. and report on security, compliance & risk posture

• Combine CCS and 3rd party data for a holistic view of security and compliance posture

• Customizable multi-level reports for security operations and mandate-based reporting

• Gain granular visibility into security, compliance and risk posture:

• Web-based, dynamic dashboards and reports

• Multiple dashboard panel views and filtering options

Risk dashboard

32


CCS Standards Manager: Asset Discovery & Continuous Assessment of Security Configuration Settings

• Discover rogue networks and assets

• Automate assessment of security configurations

• Identify configuration drift and misconfigured assets

• Harden your server and virtual infrastructure (with Symantec CSP)

• Role-based and operational mandate-based reporting on security configuration

• Prioritize technical controls for remediation across IT ops, Sec Ops, and compliance

• Support the new SCAP 1.2, PCI-DSS v.3, and NIST Cybersecurity standards

33


CCS Risk Manager: Align IT Operations and Security Priorities

• Define business-centric risk objectives and thresholds

• Map risks to assets, controls and owners

• Prioritize security and audit findings according to business criticality

• Optimize resource allocation via risk-based remediation

• Generate risk-based dashboards for multiple stakeholders

• Project risk reduction over time

Overall Risk Score: 8.8




My Online Web StoreHigh exposure to current malware threatsHigh # of compliance assessment failureNo evidence on successful incident response testing

HR SystemMedium exposure to current malware threatsHigh # of compliance assessment failureNo evidence on successful incident response testing

Inventory SystemLow exposure to current malware threatsNo compliance failures

Finance SystemLow exposure to current malware threatsZero information leakage incidents

34


CCS Vulnerability Manager: Advanced Vulnerability Assessment & Scanning

• Scan your IPv4 and IPv6 environments (physical and virtual)

• Discover risk associated with IPv6 devices that may be enabled by default on your IPv4 environments.

• Integrated scanners identify hidden risks

• Scan for current and emerging threats and understand dependencies through unique “chaining” mechanism

• Covers web applications, databases servers and network devices

• Unique risk-scoring algorithm

• Granular, role-based asset management of threats and vulnerabilities

Web Service

Database

OS

Your Data

Unique “Chaining” Mechanism

35


• Build a scalable, cost-effective, and automated vendor security risk management program

• Identify and continually assess supply chain cybersecurity risks

• Enable informed business decisions during the vendor selection process

• Support third- party cloud and SDDC migrations by providing a hub for conducting security due diligence

• Automate internal process and standards for addressing and responding to third party data breaches

Assign vendor

tier

Initiate vendor assessment schedule

Collect vendor

evidence

Route and review

submitted evidence

Authorize or remediate

vendor

Continuous vendor risk monitoring

Vendor Risk Manager

CCS Vendor Risk Manager: Continuous Assessments of Third Party Managed Data & Infrastructure


• Secure the hypervisor from threats

• Granular access control inc. secondary approval

• Manage hypervisor and VM configuration settings

• Automate configuration assessment and reporting

• Enforce instance separation to isolate assets and limit scope

• Detailed logging for forensics & audit

CCS Virtualization Security Manager: Role-based Access Control & Governance of VM/Cloud Admins

Detailed logging

VMware Hardening Guidelines

VSM Dashboard

37


CCS Policy Manager: Automate Policy Definition and Life Cycle Management

• Automate the policy definition and lifecycle administration

• Leverage out-of-box policy content

• Map security and compliance policies to control statements and assets

• Identify and rationalize common controls across compliance programs

• Mitigate policy conflicts across compliance programs

• Automatic regulatory updates

Corporate Policy Lifecycle

1. Define 2. Review

5. Track Acceptances/ Exceptions

3. Approve

4. Distribute

38


CCS Assessment Manager: Assessment & Reporting of Procedural Controls

• Automate assessment of procedural controls

• Cover 100+ regulations/frameworks updated regularly

• Risk-weighted survey capabilities

• Drill down within Web-based dashboards for additional insights into procedural gaps, facilitating targeted remediation effort

• Workflow integration with Symantec™ Data Loss Prevention to trigger targeted and timely security awareness training Consolidate responses

Administer Survey

Analyze Results

Distribute via web

Respondents

39


Symantec Data Center Security Portfolio: Integration Today & Moving Forward

40


Symantec Data Center Security Integrated security, driven by context, enabled by policy. Supporting customers’ evolution to the SDDC by impacting inhibitors to adoption

Security Orchestration

Serv

er S

ecur

ity

Uni

fied

Asse

ssm

ent

Dat

e St

ore

Secu

rity

VDI S

ecur

ity

• Security Orchestration Platform Security Tax

• Integrated Offering Complexity

• Unified Assessment Compliance

41

Focus Areas

• Embed security into the platform

• Integrate Security across point technologies

• Orchestrate Security Automation

Moving Forward


Summary & additional Information:

• Public Sources:– http://www.symantec.com/ccs

– http://www.symantec.com/data-center-security

• Symantec Connect: – https://www-secure.symantec.com/connect

– Communities: Control Compliance Suite & Critical System Protection

• Partner Net:– http://partnernet.symantec.com

• Data Center Security: Server & Server Advanced Bootcamp:– Planned for the 15. to 17. of September in the UK

(contact us if you are interested)

http://www.symantec.com/ccs

http://www.symantec.com/data-center-security

http://www.symantec.com/data-center-security

https://www-secure.symantec.com/connect

https://www-secure.symantec.com/connect

http://partnernet.symantec.com/

Thank you!

Copyright © 2014 Symantec Corporation. All rights reserved. Symantec and the Symantec Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners.

This document is provided for informational purposes only and is not intended as advertising. All warranties relating to the information in this document, either express or implied, are disclaimed to the maximum extent allowed by law. The information in this document is subject to change without notice.

43

Olaf [email protected] [email protected]

mailto:[email protected]



Documents

1 Data Center Security & Control Compliance Suite Olaf Mischkovsky & Armin Schneider