Today all enterprise security systems are client-server based and managed from a central location. Any cloud instance with a security agent (Symantec, Forefront, Kaspersky) installed inside the OS can be deactivated by a qualified attacker. This leaves the cloud instance unmanaged and without any active protection. Imagine a situation where 100500 Amazon Windows instances (or all Azure instances with port 3389 open) are infected by a virus through a 0-day RDP vulnerability. Should you stop all these instances for maintenance in order to halt the infection? Who will be responsible for managing the clean-up of all these OSs? Is it possible to stop this infection centrally in my cloud? We will uncover how Virtual Machine Introspection (VMI) can help stop new threats and change the approach to cloud security management.
Today clouds are mostly built on different types of virtualization. Application security benefits from virtualization: applications run in isolated virtual machines (VMs) and can be built on smaller trusted computing bases (TCBs).
Cloud providers also face the following security challenges:
- Proving the security hygiene of the provider infrastructure to third parties
- Auditability, certification processes, risk analysis methodologies, compliance
- Trusted cloud computing technologies that provide cryptographic evidence
The main problem of all modern security management and monitoring systems is stealth and tamper resistance. The problem with agent-based monitoring and protection is that all these agents can be detected by the user/malefactor and subverted and/or disabled by the attacker.
By contrast, hypervisor-based security resides outside the guest VM and is thus tamper-proof against any malware infection inside the VM.
VMI provides the following benefits from a security perspective:
- Central processing of security functions is more efficient than distributing security controls and their overhead to each VM
- No host agents required, guaranteeing security for all VMs regardless of operating system type and patch level, with no impact on applications running inside the VMs
- Tamper-proof security: host agents are subject to compromise by the very malware they aim to thwart (e.g., Conficker turning off A/V)
VMI is like an X-ray view of all VM states in your private cloud, including installed applications, operating systems and patch levels. It can be used for detection, protection and management, compliance and automated security enforcement. VMI uses the capabilities of the hypervisor to supervise VM behavior.
Virtual Machine Introspection (VMI) can be positioned as out-of-the-box VM management that allows monitoring of all hosted virtual machines and has many applications in areas such as security and systems. From the cloud provider's perspective, let's use the following terms for the host server and the guest OS (cloud instance):
- Inspection: the host server virtualization system (VMM) can examine the entire state of the guest system (memory, devices, storage, executed commands, etc.)
- Interposition: the VMM can interrupt guest code at any time (stop loading a malicious payload and stop loading a virus body into memory)
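As an added illustration of the Inspection side (example code written for this page, not the author's code or any VMI library's API), the following Python examines a constructed guest memory snapshot two ways and compares the results: it follows the kernel's own process list, which is all a tool running inside the guest can see, and it signature-scans the whole image, which only an out-of-guest observer with raw access to VM memory can do. A process that the scan finds but the list walk does not has been hidden from the guest. The 32-byte record layout, the magic values and the unlink helper used to build the test image are assumptions for this toy snapshot, not a real operating system's structures.

```python
import struct

# Toy guest memory layout (constructed for this example, not a real OS structure):
# each process record is 32 bytes: magic, pid, 16-byte name, flink, blink.
RECORD_FMT = "<4sI16sII"
RECORD_SIZE = struct.calcsize(RECORD_FMT)   # 32
PROC_MAGIC = b"PROC"
HEAD_MAGIC = b"HEAD"
HEAD_OFF = 0x00     # the kernel's list head sits at the start of the image
FIRST_REC = 0x40    # first process record
STRIDE = 0x30       # records are 48 bytes apart; the gap is filler bytes


def _pack(magic, pid, name, flink, blink):
    return struct.pack(RECORD_FMT, magic, pid, name.encode().ljust(16, b"\0"), flink, blink)


def _set_links(mem, off, flink=None, blink=None):
    """Rewrite only the link fields of the record at `off` (byte offsets 24 and 28)."""
    if flink is not None:
        struct.pack_into("<I", mem, off + 24, flink)
    if blink is not None:
        struct.pack_into("<I", mem, off + 28, blink)


def build_guest_memory(procs, hidden_pid=None):
    """Construct a fake guest memory image holding a circular process list.

    `procs` is a list of (pid, name). If `hidden_pid` is given, that record is
    unlinked from the list the way a DKOM rootkit would, but its bytes stay in
    memory, which is exactly what the cross-view check below relies on."""
    offs = [FIRST_REC + i * STRIDE for i in range(len(procs))]
    mem = bytearray(b"\xcc" * (FIRST_REC + len(procs) * STRIDE))
    chain = [HEAD_OFF] + offs
    for idx, off in enumerate(chain):
        flink = chain[(idx + 1) % len(chain)]
        blink = chain[(idx - 1) % len(chain)]
        if off == HEAD_OFF:
            mem[off:off + RECORD_SIZE] = _pack(HEAD_MAGIC, 0, "", flink, blink)
        else:
            pid, name = procs[idx - 1]
            mem[off:off + RECORD_SIZE] = _pack(PROC_MAGIC, pid, name, flink, blink)
    if hidden_pid is not None:
        for off in offs:
            _, pid, _, flink, blink = struct.unpack_from(RECORD_FMT, mem, off)
            if pid == hidden_pid:
                _set_links(mem, blink, flink=flink)          # predecessor skips this record
                _set_links(mem, flink, blink=blink)          # successor skips this record
                _set_links(mem, off, flink=off, blink=off)   # record now points to itself
    return bytes(mem)


def walk_process_list(mem):
    """View 1: follow the kernel's linked list, as a task manager inside the guest would."""
    seen = []
    _, _, _, cur, _ = struct.unpack_from(RECORD_FMT, mem, HEAD_OFF)
    # The step bound stops us looping forever on a corrupted list.
    while cur != HEAD_OFF and len(seen) < len(mem) // RECORD_SIZE:
        magic, pid, name, flink, _ = struct.unpack_from(RECORD_FMT, mem, cur)
        if magic != PROC_MAGIC:
            break
        seen.append((pid, name.rstrip(b"\0").decode()))
        cur = flink
    return seen


def scan_for_processes(mem):
    """View 2: signature-scan the raw image; only an out-of-guest observer can do this."""
    found = []
    for off in range(0, len(mem) - RECORD_SIZE + 1, 4):
        if mem[off:off + 4] == PROC_MAGIC:
            _, pid, name, _, _ = struct.unpack_from(RECORD_FMT, mem, off)
            found.append((pid, name.rstrip(b"\0").decode()))
    return found


def find_hidden_processes(mem):
    """Cross-view: anything the scan finds that the list walk does not is hidden."""
    visible = set(walk_process_list(mem))
    return sorted(p for p in scan_for_processes(mem) if p not in visible)


if __name__ == "__main__":
    # Constructed sample guest: four processes, one of them unlinked from the list.
    snapshot = build_guest_memory(
        [(4, "System"), (612, "svchost.exe"), (1337, "evil.exe"), (2048, "explorer.exe")],
        hidden_pid=1337)
    print("guest sees:   ", walk_process_list(snapshot))
    print("VMM scan sees:", scan_for_processes(snapshot))
    print("hidden:       ", find_hidden_processes(snapshot))
```

The point of the comparison is that the second view does not depend on any guest data structure being honest: a real VMI stack would replace the toy `scan_for_processes` with a scan for the guest OS's actual process object signature over the VM's physical memory, and the same cross-view logic applies.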
This approach to controlling virtual operating systems can also be used to protect the operating system at the hypervisor level, which is the newest approach to designing systems that protect information in enterprise systems.
What can be monitored?
- All user input
- Malware on FS and in memory
- Network Traffic
- File activity and integrity
- User access and activity
Other areas where VMI can be very useful:
- Malware analysis
- Cloud SIEM
- VM IPS/IDS
- VM Forcing
- Policies
- VM Honeypot
- Cloud Firewall
- VM Patch management
- Invisible system logging
- Rootkit prevention
VMI for Cloud management
- Quarantine of non-compliant VMs to eliminate administrative errors and reduce risk
- Automated security classification and enforcement for new or cloned VMs
- Automated VM compliance assessment based on multiple VM attributes
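As an added example of the three management items above (written for this page, not taken from the author or any cloud vendor), the following Python evaluates a small fleet of VM attribute records, each standing in for what an introspection layer would gather from outside the guest: process names seen in memory, a patch level, and listening sockets. Cloned VMs inherit their source VM's classification before assessment, every rule is evaluated, and any violation yields a quarantine decision. The agent names, patch baseline ids, tag names and the sample fleet are constructed assumptions for the example; port 3389 is RDP, as in the scenario that opens the post.

```python
from dataclasses import dataclass, field


@dataclass
class VMState:
    """Attributes an introspection layer would collect from outside the guest.
    All values used below are constructed sample data for this example."""
    name: str
    os_family: str            # "windows" or "linux"
    patch_level: int          # constructed monotonically increasing baseline id
    processes: list           # process names observed in guest memory
    listening: list           # (port, bind_address) pairs observed in guest network state
    tags: dict = field(default_factory=dict)


# Policy baseline: agent names and patch ids are assumptions for this example,
# not any vendor's real values. Port 3389 is RDP, as in the opening scenario.
REQUIRED_AGENT = {"windows": "secagent.exe", "linux": "secagentd"}
MIN_PATCH_LEVEL = {"windows": 240, "linux": 118}
RDP_PORT = 3389
ANY_ADDR = "0.0.0.0"


def rule_agent_present(vm):
    """The agent can be stopped from inside the guest; the VMM notices from outside."""
    agent = REQUIRED_AGENT[vm.os_family]
    return None if agent in vm.processes else f"security agent {agent} not running"


def rule_patched(vm):
    needed = MIN_PATCH_LEVEL[vm.os_family]
    return None if vm.patch_level >= needed else f"patch level {vm.patch_level} below baseline {needed}"


def rule_no_public_rdp(vm):
    if any(port == RDP_PORT and bind == ANY_ADDR for port, bind in vm.listening):
        return "RDP (3389) exposed on all interfaces"
    return None


def rule_restricted_not_public(vm):
    if vm.tags.get("classification") == "restricted" and any(bind == ANY_ADDR for _, bind in vm.listening):
        return "restricted VM exposes a service on all interfaces"
    return None


RULES = [rule_agent_present, rule_patched, rule_no_public_rdp, rule_restricted_not_public]


def inherit_classification(fleet):
    """New clones start untagged; give each the classification of its source VM
    so the stricter rules apply before the clone is ever reachable."""
    by_name = {vm.name: vm for vm in fleet}
    for vm in fleet:
        src = vm.tags.get("cloned_from")
        if "classification" not in vm.tags and src in by_name:
            vm.tags["classification"] = by_name[src].tags.get("classification", "standard")
    return fleet


def assess(vm):
    """Evaluate every rule; any violation means quarantine rather than allow."""
    violations = [v for v in (rule(vm) for rule in RULES) if v]
    return {"vm": vm.name, "action": "quarantine" if violations else "allow", "violations": violations}


def enforce(fleet):
    """Return name -> action. A real implementation would carry out 'quarantine' at the
    hypervisor level (for example, moving the VM's virtual NIC to an isolated segment),
    needing no cooperation from anything inside the guest."""
    return {r["vm"]: r["action"] for r in map(assess, inherit_classification(fleet))}


# Constructed sample fleet.
SAMPLE_FLEET = [
    VMState("web-01", "windows", 245, ["System", "secagent.exe", "w3wp.exe"],
            [(443, ANY_ADDR)], {"classification": "standard"}),
    VMState("jump-02", "windows", 245, ["System", "svchost.exe"],      # agent has been stopped
            [(RDP_PORT, ANY_ADDR)]),
    VMState("db-03", "linux", 118, ["systemd", "secagentd", "postgres"],
            [(5432, "10.0.0.5")], {"classification": "restricted"}),
    VMState("db-03-clone", "linux", 118, ["systemd", "secagentd", "postgres"],
            [(5432, ANY_ADDR)], {"cloned_from": "db-03"}),
]

if __name__ == "__main__":
    for vm in inherit_classification(SAMPLE_FLEET):
        print(assess(vm))
```

Each rule returns a human-readable reason rather than a bare boolean so the quarantine decision is auditable, which matters when the enforcement is automatic and the VM owner needs to know why their instance was isolated.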