вівторок, 8 квітня 2014 р.

VMI - draft

Today all enterprise security systems are client-server based and managed from central location. All cloud instances with security agent (Symantec, Forefront, Kaspersky) installed inside OS could be deactivated by qualified attacker. This leave cloud instance unmanaged and without any acting protection. Imagine situation if 100500 Amazon Windows instances (or all Azure instances with open 3389 port) will be affected by virus through 0-day RDP vulnerability. Should you stop all these instances for maintenance and to stop infection? Who will responsible to manage process of clean up all these OSs? Is it possible to centrally stop this infection in my cloud? We will uncover how Virtual Machine Introspection (VMI) can help to stop new threats and change cloud security management approach.

Today Clouds are mostly built based on different types of virtualization. Security of applications benefit from virtualization by running in isolated virtual machines (VMs) and building smaller trusted computing bases (TCBs).
Cloud providers also faced following security challenges:

  • Prove security hygiene of provider infrastructure to third parties
  • Auditability, certification process, risk analysis methodologies, compliance.
  • Trusted cloud computing technologies provide cryptographic evidence.
But how else virtualization is used today to enhance security? Virtual machine Introspection - open new horizons for private and public cloud security that soon will totally change understanding of managing software in the cloud.

Main problem of all modern security management and monitoring system is - Stealthy and Tamper resistance. The problem of Agent based monitoring and protection is that all this agents could be detected by user/malefactor and be subverted, and/or disabled by the attacker.
By contrast, hypervisor-based security resides outside the guest-VM, and is thus tamper-proof to any malware infections inside a VM.

VMI provide following benefits from security perspective:
  1. Central processing of security functions is more efficient than distributing security controls and related overhead to each VM
  2. No host agents required –guaranteeing security for all VMs regardless of operating system type and patch level, and with no impact to applications running inside the VMs.
  3. Tamper-proof security. Host-agents are subject to getting compromised by the very malware they aim to thwart (e.g., Conficker turning off A/V).

VMI - is like X-ray view of all VM states in you private Cloud, including installed applications, operating systems, and patch levels. Could be used for Detection, Protection and Management, compliance and automated security enforcement. VMI use the capabilities of hypervisor to supervise VM behavior.

Virtual Machine Introspection (VMI) can be positioned as out of the box VM management that allows to apply the monitoring of all hosted virtual machines, has many applications in areas such as security and systems. From Cloud provider prospective let’s use following terms against host server and guest OS (cloud instance):
  • Inspection– host server virtualization system (VMM) can examine entire state of the guest system (memory, devices, storage, executed commands etc)
  • Interposition–VMM can interrupt guest code at any time (stop loading malicious payload and stop loading virus body into the memory)

This approach of controlling virtual operating systems also can be used to protect the operating system on hypervisor level, which is the newest approach in designing systems to protect information in enterprise systems.

What can be monitored?
  • All user input
  • Malware on FS and in memory
  • Network Traffic
  • File activity and integrity
  • User access and activity

Other applicable areas where VMI can be very useful:
  • Malware analysis
  • Cloud SIEM
  • VM Forcing
  • Policies
  • VM Honeypot
  • Cloud Firewall
  • VM Patch management
  • Invisible system logging
  • Rootkit prevention

VMI for Cloud management

  • Quarantine of non-compliant VMs to eliminate administrative errors and reduce risk.
  • Automated security classification and enforcement for new or cloned VMs
  •  Automated VM compliance assessment based on multiple VM attributes;

Немає коментарів:

Дописати коментар