
A Cloud Security Primer

Conventional Security for Mixed Environments

ARE YOU ENDANGERING YOUR OPERATIONS?


CONVENTIONAL SECURITY FOR MIXED ENVIRONMENTS 1

Managing Mixed (Physical and Virtual) Environments

Ready for More: From Server Virtualization to Virtual Desktops

Hardware and operational cost savings drove the acceptance and adoption of server virtualization initiatives. Many enterprises are thus considering extending the benefits of virtualization to their endpoint infrastructure as well.1 Based on a recent Trend Micro survey, 71% of the respondents who used virtual servers also had virtual desktop infrastructure (VDI) in the production or pilot stage.

Virtualizing desktops allows IT administrators to realize some important efficiency gains. These benefits include easier and faster resource provisioning, centralized maintenance, and streamlined support for a varied range of endpoint types and user profiles.

From a business perspective, VDI offers several demonstrable benefits, specifically in terms of business agility. In a typical office that requires immediate access to files and programs, VDI is ideal for certain personnel, such as:

• Employees who work remotely or from home

• Employees who frequently move from one location to another like those in sales or certain research and development (R&D) groups

• Employees who regularly need a narrow subset of office resources as in the case of clerks or data-entry employees

• Employees who would like to use their personal devices to access their office workstations

• Users who would like to access an organization’s resources the way they would a library or a database

The VDI Adoption Dilemma: What About Security?

Extending traditional security to protect mixed environments is logical for IT administrators. After all, the initial investment in a VDI initiative may already be too costly for organizations to also consider purchasing an entirely new protection suite. As such, security meant to protect physical desktops and servers can just be carried over to protect even their virtual counterparts.

However, doing so can lead to situations that degrade security: resource contention (every guest on a host runs its own agent, all competing for the same shared CPU, memory, and disk I/O), security storms (scheduled scans and pattern updates that were harmless on one physical desktop now fire simultaneously on every virtual desktop sharing a host), and instant-on gaps (a desktop that is powered on, cloned, or restored from a snapshot comes up with whatever protection state it had when it was last running, which may be weeks out of date). Additional operational overhead costs will be incurred as IT groups continually reconfigure virtual desktops as they move or change. Auditing virtual asset maintenance will also prove challenging.

1 http://www.trendmicro.com/cloud-content/us/pdfs/business/white-papers/wp_vdi-solution.pdf

Figure 1: Ratio of decision makers that currently deploy or pilot VDI



Unfit Protection Leads to Security Breakdown

Today’s threat landscape and intensified attacks against corporate data and intellectual property put the security problem in perspective. While forcing traditional security to adapt to a mixed environment is a pragmatic approach, it can leave gaps that cost more to close after the fact than reassessing the protection strategy would have cost up front. The following developments in the threat landscape can affect an enterprise if its security breaks down:

• Better evasion techniques: Cybercriminals fight detection efforts by security companies through better evasion techniques. Improvements to the Blackhole Exploit Kit—a web application that serves popular exploits depending on specific vulnerabilities in a victim’s computer—for instance, made direct reference to security vendors’ efforts to trace and prevent attacks using the kit.2

• Targeted attacks by determined threat actors: Advanced persistent threats (APTs) are advanced in that they are well-researched, well-planned, and well-executed. The threat actors behind these campaigns establish network persistence to stay undetected for long periods of time as they move closer to their goal—data exfiltration. They accomplish this through auto-start mechanisms or other modifications to OS components to make sure their tools run despite reboots.

• Exploits and vulnerabilities: Exploits are a dime a dozen in the current threat landscape. Security holes have always existed in software, and cybercriminals usually create exploits for vulnerabilities in widely used software to target a larger user base. Zero-day exploits are particularly dangerous because they take advantage of vulnerabilities for which no security update is yet available.

• Network-crippling threats: Self-propagating malware, exploits that crash vulnerable services (buffer overflows, for instance), or distributed denial-of-service (DDoS) attacks can take down an entire network. We have recently seen activity in which a DDoS tool was downloaded to computers that subsequently downloaded Gh0stRAT—a remote access tool (RAT) used by APT threat actors and cybercriminals alike.

• Data exfiltration: Among enterprises, the competing priorities of sharing information for efficient processes and keeping critical information protected pose data management challenges. Unlike data lost through negligence or accidental exposure, data exfiltration by threat actors is the most damaging way of losing data because stolen information can be sold to interested parties or used directly against the victim.

In the recent 2012 Cost of Cyber Crime Study by Ponemon: United States, the number of cyber attacks experienced by the surveyed organizations more than doubled over a three-year period, and the average cost to resolve a single attack, accumulated over the average time taken to resolve it, reached around US$592,000.3

Cybercriminals and other threat actors continuously improve their tactics, means, and execution; to keep pace, security solutions must be suited to the environments they protect and kept in an optimal operating state.

2 http://blog.trendmicro.com/trendlabs-security-intelligence/blackhole-2-0-beta-tests-in-the-wild/ and http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp_blackhole-exploit-kit.pdf

3 http://www.hp.com/hpinfo/newsroom/press/2012/121008a.html



Figure 2: Traditional versus virtualization-aware security

Virtualization-Aware Security Management

Enterprise IT groups need to look for solutions made for environments with coexisting physical and virtual servers and desktops. These solutions should, for instance, be able to seamlessly integrate into hypervisor application programming interfaces (APIs) to communicate with guest virtual machines (VMs) and make monitoring security states easier. IT groups should consider setting up a dedicated security virtual appliance, which will make resource-intensive operations like security scanning more manageable to do than when implemented on a per-virtual-desktop basis, thus preventing security storms.

One of the key advantages of virtualization-aware security like Trend Micro™ Deep Security is the ability to apply agentless security.4 Instead of deploying, configuring, or updating agents in each virtual desktop, enterprise IT groups can centralize security operations in a virtual security appliance on each host. This also conserves host resources, since one appliance does the work that would otherwise be duplicated in every guest.

However, even agentless security must be as robust as security for physical servers and desktops, as the threats do not change. Anti-malware protection should be a baseline requirement, along with intrusion detection and prevention (IDS/IPS) and a firewall. Web reputation is also a must to keep users from reaching malicious IP addresses and domains, while log inspection and integrity monitoring are important tools against highly targeted attacks.

Furthermore, agentless security can help enterprises maximize the advantages of virtualization: it increases achievable VM densities (no per-guest agent overhead), closes instant-on gaps because protection is enforced at the hypervisor layer the moment a guest starts, and simplifies manageability for your operations.
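The two failure modes named earlier (security storms and instant-on gaps) and the appliance-based remedy described in this section can be made concrete with a small model. The following is an added illustration, not Trend Micro code and not how Deep Security is implemented: it takes a constructed inventory of virtual desktops that all inherited the same physical-desktop policy ("full scan at 02:00"), shows that the naive schedule puts four simultaneous scans on one host, shows how a per-host appliance that serializes scans caps that concurrency, and lists guests whose pattern file is too old to be allowed on the network at power-on. The host I/O budget (two concurrent scans) and the 24-hour freshness limit are assumptions.

```python
"""Model of two VDI protection failure modes: security storms (every guest on a
host scanning at once) and instant-on gaps (a guest powered on with stale
protection). Added illustration; inventory and thresholds are constructed."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Guest:
    name: str
    host: str
    scan_start: int           # minutes after midnight, from the inherited scan schedule
    scan_minutes: int         # expected full-scan duration
    pattern_age_hours: float  # age of the anti-malware pattern file at power-on


# Constructed inventory: six desktops on two hypervisor hosts. Each carries a copy
# of the same physical-desktop policy, so every scan is due at 02:00 (minute 120).
INVENTORY = [
    Guest("vd-01", "esx-a", 120, 30, 1.0),
    Guest("vd-02", "esx-a", 120, 30, 1.5),
    Guest("vd-03", "esx-a", 120, 30, 80.0),   # restored from an old snapshot
    Guest("vd-04", "esx-a", 120, 30, 0.5),
    Guest("vd-05", "esx-b", 120, 30, 2.0),
    Guest("vd-06", "esx-b", 120, 30, 200.0),  # powered off for over a week
]

MAX_CONCURRENT_PER_HOST = 2   # assumed I/O budget per hypervisor host
MAX_PATTERN_AGE_HOURS = 24.0  # assumed freshness requirement


def peak_concurrent_scans(guests):
    """Per host, the largest number of guests scanning in any single minute.
    A value above MAX_CONCURRENT_PER_HOST is a security storm."""
    timeline = defaultdict(lambda: defaultdict(int))
    for g in guests:
        for minute in range(g.scan_start, g.scan_start + g.scan_minutes):
            timeline[g.host][minute] += 1
    return {host: max(load.values()) for host, load in timeline.items()}


def stagger(guests, max_concurrent=MAX_CONCURRENT_PER_HOST):
    """Return a new schedule in which a per-host appliance serializes scans:
    at most max_concurrent run at once and later guests queue behind them.
    Each guest still starts no earlier than its own requested time."""
    by_host = defaultdict(list)
    for g in guests:
        by_host[g.host].append(g)
    result = []
    for host, gs in by_host.items():
        gs = sorted(gs, key=lambda g: (g.scan_start, g.name))
        slots = [gs[0].scan_start] * max_concurrent  # minute each slot frees up
        for g in gs:
            i = min(range(max_concurrent), key=lambda k: slots[k])
            start = max(g.scan_start, slots[i])
            slots[i] = start + g.scan_minutes
            result.append(Guest(g.name, g.host, start, g.scan_minutes,
                                g.pattern_age_hours))
    return result


def instant_on_gap(guests, max_age=MAX_PATTERN_AGE_HOURS):
    """Names of guests that the appliance must update before they join the
    network: their protection state is older than the freshness limit."""
    return sorted(g.name for g in guests if g.pattern_age_hours > max_age)


if __name__ == "__main__":
    print("naive schedule, peak scans per host:", peak_concurrent_scans(INVENTORY))
    staggered = stagger(INVENTORY)
    print("appliance schedule, peak scans per host:", peak_concurrent_scans(staggered))
    print("guests with an instant-on gap:", instant_on_gap(INVENTORY))
```

With the inventory above the naive schedule peaks at four simultaneous scans on esx-a (a storm under the assumed budget of two), the serialized schedule holds both hosts at two, and vd-03 and vd-06 are flagged as unsafe to attach to the network until updated. The same two checks, run against a real inventory pulled from the hypervisor's API, are what a virtualization-aware product does continuously on each host.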

4 http://www.trendmicro.com/us/enterprise/cloud-solutions/deep-security/index.html


©2012 by Trend Micro, Incorporated. All rights reserved. Trend Micro and the Trend Micro t-ball logo are trademarks or registered trademarks of Trend Micro, Incorporated. All other product or company names may be trademarks or registered trademarks of their owners.

TRENDLABS (SM)

TrendLabs is a multinational research, development, and support center with an extensive regional presence committed to 24x7 threat surveillance, attack prevention, and timely and seamless solutions delivery. With more than 1,000 threat experts and support engineers deployed round-the-clock in labs located around the globe, TrendLabs enables Trend Micro to continuously monitor the threat landscape across the globe; deliver real-time data to detect, preempt, and eliminate threats; research and analyze technologies to combat new threats; respond in real time to targeted threats; and help customers worldwide minimize damage, reduce costs, and ensure business continuity.

TREND MICRO INCORPORATED

Trend Micro Incorporated (TYO: 4704; TSE: 4704), a global cloud security leader, creates a world safe for exchanging digital information with its Internet content security and threat management solutions for businesses and consumers. A pioneer in server security with over 20 years’ experience, we deliver top-ranked client, server and cloud-based security that fits our customers’ and partners’ needs, stops new threats faster, and protects data in physical, virtualized and cloud environments. Powered by the industry-leading Trend Micro™ Smart Protection Network™ cloud computing security infrastructure, our products and services stop threats where they emerge—from the Internet. They are supported by 1,000+ threat intelligence experts around the globe.