
Only security made for VMware can protect your Applications, Servers and Data across private, public and hybrid Clouds and give you a good return on investment
David Girard CISSP, CWSP, CHFI, TCTP, TCSE, ITIL, VTSP4
Senior Security Advisor

10/5/2012

Copyright 2012 Trend Micro Inc.

One Security Model Across All Environments


Private Cloud

Hybrid Cloud

Public Cloud

Cloud becomes an extension of the data center and VMs are run from the optimal location

Private Cloud: Cloud assets within the data center run IT as a service

Hybrid Cloud: Assets are moved between private and public clouds

Public Cloud: Cloud assets are hosted by one or more service providers

Cloud Security Needs to Seamlessly Protect Private, Public, and Hybrid


What's Holding Back Cloud Deployment?

Private Cloud

Hybrid Cloud

Public Cloud

In 2012, over said apprehension over security is holding back their cloud adoption
Top two risks / barriers to adopting the cloud:
54% - security of data or cloud infrastructure
50% - performance / availability of cloud


Cloud Models: Security and Control


Servers
Virtualization & Private Cloud
Public Cloud IaaS
Public Cloud PaaS
Public Cloud SaaS

End-User (Enterprise)
Service Provider

Who is responsible for security?


With IaaS the customer is responsible for VM-level security
With SaaS or PaaS the service provider is responsible for security

Security must span physical and virtual servers, VDI, and private, public, and hybrid cloud environments

Cloud Security Challenges


Multi-tenancy = mixed trust levels
Traditional concerns still exist: malware and APTs
Rapid scaling makes patch management a nightmare
Public IaaS gives little access into and control of logs
Adding more cloud servers stretches monitoring resources
Rapid provisioning creates an IT black market
Loss of insight and control makes compliance difficult
Data security and privacy risks are greatly increased


Issues with Traditional Security for Virtual Desktops

Challenge: Resource Contention


Typical Security Console

3:00am Scan

Security Storm

Automatic security scans overburden the system


Issues with Traditional Security for Virtual Desktops

Challenge: Instant-on Gaps

Active
Dormant
Reactivated with outdated security
Cloned

Reactivated and cloned VMs can have out-of-date security


Issues with Traditional Security for Virtual Desktops

Challenge: Inter-VM Attacks / Blind Spots

Attacks can spread across VMs


Issues with Traditional Security for Virtual Desktops

Challenge: Complexity of Management


Provisioning new VMs
Reconfiguring agents
Rollout patterns
Patch agents

VM sprawl inhibits compliance


Vulnerabilities: Risk & Compliance Impacts


2,723 Critical Software Flaw Vulnerabilities in 2009

Inherently open and accessible


Content & functions constantly evolving
The most common point of attack
Many legacy apps cannot be fixed
Perimeter security doesn't protect web apps

How often / easily do you patch these vulnerabilities?

Medical
ATM, POS
Other

8
2009/
2010

Reason for not patching:


10.1


Cost of refresh
Compliance restrictions
Service Level Agreements

Next?


Sample list of systems protected


Deep Security rules shield vulnerabilities in these common applications

Operating Systems: Windows (2000, XP, 2003, Vista, 2008, 7), Sun Solaris (8, 9, 10), Red Hat EL (4, 5), SuSE Linux (10, 11)
Database servers: Oracle, MySQL, Microsoft SQL Server, Ingres
Web app servers: Microsoft IIS, Apache, Apache Tomcat, Microsoft Sharepoint
Mail servers: Microsoft Exchange Server, Merak, IBM Lotus Domino, Mdaemon, Ipswitch, IMail, MailEnable Professional
FTP servers: Ipswitch, War FTP Daemon, Allied Telesis
Backup servers: Computer Associates, Symantec, EMC
Storage mgt servers: Symantec, Veritas
DHCP servers: ISC DHCPD
Desktop applications: Microsoft (Office, Visual Studio, Visual Basic, Access, Visio, Publisher, Excel Viewer, Windows Media Player), Kodak Image Viewer, Adobe Acrobat Reader, Apple Quicktime, RealNetworks RealPlayer
Mail clients: Outlook Express, MS Outlook, Windows Vista Mail, IBM Lotus Notes, Ipswitch IMail Client
Web browsers: Internet Explorer, Mozilla Firefox
Anti-virus: Clam AV, CA, Symantec, Norton, Trend Micro, Microsoft
Other applications: Samba, IBM Websphere, IBM Lotus Domino Web Access, X.Org, X Font Server prior, Rsync, OpenSSL, Novell Client


Enabling PCI Compliance for


Datacenter
Agent-based PCI controls for physical server environments
Agentless PCI controls for VMware vSphere and vCloud environments enabling mixed-mode deployments

Private & Public Cloud
Agent-based PCI controls for all IaaS cloud environments

Distributed Retail Locations
Ideal for enabling cost effective compliance in highly distributed environments
Centrally managed and implemented, reduces implementation costs and resources
Is a fraction of the cost of implementing appliances at store locations

Trend Micro Deep Security


5 Protection Modules

Deep Packet Inspection
IDS / IPS / Virtual Patches: Detects and blocks known and zero-day attacks that target vulnerabilities
Web Application Protection: Shields web application vulnerabilities
Application Control: Provides increased visibility into, or control over, applications accessing the network

Firewall: Reduces attack surface. Prevents DoS & detects reconnaissance scans

Anti-Virus, Web Reputation: Detects and blocks malware (viruses, worms, Trojans)

Integrity Monitoring: Monitors critical OS and application files for changes: files, directories, registry keys/values, ports, services, ESXi

Log Inspection: Optimizes identification of important security events across multiple log files

Physical Servers
Virtual Servers
Cloud
Desktop/Laptop

Protection is delivered via Agent and/or Virtual Appliance



Deep Security for PCI compliance


Addressing 7 PCI Regulations and 20+ Sub-Controls Including:

(1.) Network Segmentation
(1.x) Firewall
(5.x) Anti-virus
(6.1) Virtual Patching*
(6.6) Web App. Protection
(10.6) Daily Log Review
(11.4) IDS / IPS
(11.5) File Integrity Monitoring
* Compensating Control

Deep Packet Inspection: IDS / IPS / Virtual Patches, Web Application Protection, Application Control
AntiMalware
Firewall
Log Inspection
Integrity Monitoring

Physical Servers
Virtual Servers
Cloud Computing
Endpoints & Devices

Agentless Security Architecture


[Diagram: agentless security on the vSphere Platform, ESX 4.1 +]
Trend Micro Deep Security Manager
Trend Micro Deep Security Virtual Appliance
Anti-Malware: Real-time Scan, Scheduled & Manual Scans
Web Reputation
Network Security: IDS/IPS, Web App Protection, Application Control, Firewall
Integrity Monitoring: On-Demand Scans
Guest VM: APPs, OS, Kernel, BIOS
Interfaces: vShield Endpoint API, VMsafe-net API
Other components shown: vShield Manager, vCenter, Trend Micro filter driver, VMware Tools, vShield Endpoint ESX Module
Roles: Security Admin, VI Admin
Legend: Trend Micro product components; VMware Platform; vShield Endpoint Components

More On Data Security. . .


Name: John Doe
SSN: 425-79-0053
Visa #: 4456-8732

Use of encryption is rare: Who can see your information?
Virtual volumes and servers are mobile: Your data is mobile; has it moved?
Rogue servers might access data: Who is attaching to your volumes?
Rich audit and alerting modules lacking: What happened when you weren't looking?
Encryption keys remain with vendor: Are you locked into a single security solution? Who has access to your keys?
Virtual volumes contain residual data: Are your storage devices recycled securely?

The Trend Micro Cloud Protection Solution


Deep Security: Server Security Platform
Anti-malware
File integrity monitoring
IDS / IPS
Bi-directional firewall
Log inspection
Application control
System and application protection for virtual machines across public, private and hybrid clouds

SecureCloud: Encryption with Policy-based Key Management
Credit Card Payment Information
Patient Medical Records
Social Security Numbers
Sensitive Research Results
FIPS 140-2 Level 2 certified AES encryption
Policy-based encryption key management
Integrated data protection with encryption for data stored in public, private and hybrid clouds

Advanced Protection In and Across Your Clouds

Private Cloud
Security Virtual Appliance
VM VM VM VM
Deep Security Manager
vCloud, vSphere and AWS Interoperability

Agentless or Agent-based security
Encryption for cloud data
Compliance support
Layered server security (FIM, encryption, etc.)

Hybrid Cloud

Public Cloud
VM VM VM VM VM VM
SecureCloud console

Agent-based security in public multi-tenant clouds


Layered server and data security
Encryption across all cloud providers
Compliance and governance support

Deep Security Server Security Platform


PHYSICAL
VIRTUAL
CLOUD

Intrusion Prevention
Anti Malware
Firewall
Web Reputation
Integrity Monitoring
Log Inspection

Deep Security 9
Extending Datacenter Security to Hybrid Cloud

AWS and vCloud API integration
Single management pane-of-glass between VMs in internal VMware datacenters, VPCs, and public clouds

Hierarchical policy management
Inheritance enables customized policies for different VMs or datacenters, while central IT can mandate compliant baseline settings

Deep Security 9
Agile Security Management for the Cloud
Multi-tenant Deep Security Manager architected for key attributes of cloud computing*:
Resource-pooling - independent tenant policies/data for shared, multi-tenant clouds
Elasticity - Automated deployment of components to cloud scale
Self-service - Policies can be delegated by cloud admin to tenants through self-service GUI
Broad network access - Web-based console built on REST APIs for extensibility and integration with broader cloud management frameworks
Same architecture can be deployed as security-as-a-service by IaaS public cloud providers, or within enterprise ITaaS for private clouds
*e.g. NIST definition of Cloud Computing

Extending to cloud scale


Trend Micro Confidential-NDA Required


Deep Security 9 (2012) Physical/Virtual/Cloud


Deep Security Manager
Modular, Multi-Tenant, Hosted
Single Pane, Scalable, Redundant

Threat Intelligence Manager
SecureCloud
Reports

Deep Security Agent
Includes:
Intrusion Prevention
Firewall
Anti-malware
Web Reputation
Integrity Monitoring
Log Inspection
Recommendation Scan

Amazon AWS or vCloud Provider
Delivers:
ALL Security Modules PLUS
vCloud Director Integration (NEW)
Amazon Integration (NEW)
Multi-tenant Ready (NEW)

Deep Security Virtual Appliance
Includes:
Intrusion Prevention
Firewall
Anti-malware
Web Reputation
Integrity Monitoring
Hypervisor Integrity Monitoring (NEW)
Recommendation Scan (NEW)

Securing workloads: physical, private and public cloud
Asset visibility across networks into the cloud
Simultaneously manage physical, virtual, cloud
Enforce consistent security policy

[Diagram labels: Corporate Network, Physical, Virtual, Cloud Providers, Database, Web Server, Web, Storage, Mail Server, Mail]

The SecureCloud Encryption Solution


Encryption with Policy-based Key Management
Credit Card Payment Information
Patient Medical Records
Social Security Numbers
Sensitive Research Results

Render data unreadable without encryption keys
Control of when and where data is accessed
Server identity and integrity validation
Custody of keys and separation of duties
FIPS 140-2 certified encryption agent

SecureCloud Protects Your Data


[Diagram labels: Cloud Service Provider, VM (Corporate App), VM, VM, VM, Hypervisor, Shared Storage, My Data, Trend Micro SecureCloud Console (Hosted SaaS Model), Enterprise Key]

Policy-based Key Management in the Cloud

Identity: Is it mine?
Integrity: Is it okay?

IP Address
Services open
Location
Mount point

Firewall
AV
Self integrity check
Deep Security info

Choose Your Trend Ready Cloud Service Provider Or Become One!

Trend Ready for Cloud Service Providers

A technology partnership initiative aimed at facilitating enterprise adoption of public and hybrid IaaS cloud computing by reducing security adoption barriers
Provides end user education on cloud security and governance risks; describes methods to mitigate them
Delivers cloud security tools relevant to reducing cloud risk
Deep Security and SecureCloud offer integrated application, server and data threat mitigation
Verifies through testing that Trend Micro security products are interoperable and effective in partner clouds
Directs enterprises towards Trend Ready CSPs for rapid and secure cloud deployment

Value:
End user: gain additional knowledge about cloud risk factors; ability to safely access efficiencies and economics offered by public IaaS
CSP: offer additional security components that help increase user base, add revenue and differentiate cloud service from peer CSPs

Return On Investment

Advantages

Source http://www.hydroquebec.com/residentiel/eclairage/avantages.html

Advantages

http://www.hydroquebec.com/residential/eclairage/avantages.html

Virtual resource usage

GREEN
+CO2
Traditional Security
Deep Security Agentless Protection

Virtual resource usage

AM
+CO2

More density = Lower operational cost and huge savings

GREEN IT
Deep Security

Improved Density means Dollars Saved
$250K over 3 years for 1000 Virtual Desktops Saved

Desktop Virtualization TCO, 1000 Virtual Desktops

                                                 With Trend Micro (+GREEN)   With Traditional Antivirus (+CO2)
VDI Images per server                            75                          25
Servers Required to Host 1000 Virtual Desktops   14                          40

Capex Savings for 1 server: $5900 (from VMware TCO Calculator)
Power, Cooling & Rackspace Savings for 1 server over 3 years: $3600 (from VMware TCO Calculator)
3-year savings for 1000 virtual desktops running Trend Micro: $(5900+3600) X 26 fewer servers = $247,000

Similar savings accrue for server VM as well.
3-year savings for 600 server VMs running Trend Micro = $200,000

What do you use to protect your Cloud?

or
Traditional AV kills VMs and your infrastructure

Trend Micro has the weapon to kill threats, not your infrastructure

Don't play Russian roulette with your virtual security!

Deep Security, SecureCloud and OfficeScan-VDI are VM aware. They are optimized for VMware. Save resources, save money now!

Thank you!
www.cloudjourney.com

#1 Security Platform for Virtualization and the Cloud

Appendix

Deep Security Multi-tenancy
Providing Individual Control

Finance: Security Profile 1, Highly Sensitive
Human Resources: Security Profile 1, Highly Sensitive
R&D: Security Profile 2, Moderately Sensitive
Procurement: Security Profile 3, Less Sensitive

Private Cloud
Security Virtual Appliance
VM VM VM VM

Agentless or Agent-based security
Encryption for cloud data
Compliance support
Layered server security (FIM, encryption, etc.)

Hybrid Cloud

Public Cloud
VM VM VM VM VM VM

Agent-based security in public multi-tenant clouds


Layered server and data security
Encryption across all cloud providers
Compliance and governance support

Deep Security Certifications

Common Criteria
CC Certified to Level 4 Augmented (EAL 4+)
All protection modules (Firewall, DPI, Integrity Monitoring, Log Inspection, Anti Malware)
All platforms (Windows, Linux, Solaris, HPUX, AIX, VMware Virtual Appliance)
Deep Security is the first product to pass NSS Labs PCI Suitability testing for Host Intrusion Prevention Systems (HIPS).

Certified for VCE Vblock* Infrastructure Platforms

U.S. Army Certificate of Networthiness (CoN)

*VCE Vblock Infrastructure Platforms combine industry-leading technologies from Cisco, EMC, and VMware to deliver a pre-configured, rapidly deployable, converged infrastructure for cloud computing. This certification provides Trend Micro customers with effective security solutions certified to work with the Vblock Infrastructure Platform.

Trend Micro HyTrust PCI DSS 2.0 Reporting Solution

Customer must deploy Deep Security and HyTrust Virtual Appliance
PCI reporting solution runs from HyTrust console and leverages Deep Security data
Dashboard gives a compliance score for each area of DSS 2.0 guidelines
Report indicates specific areas for action/remediation
See screen shot on next slide
Contact Allan MacPhee or David Silverberg for more details

Trend Micro and HyTrust PCI Dashboard


Success stories

Major Electronics Retailer
Enabled PCI compliance and optimized operational efficiency
Over 1,000 stores and 150,000 employees
Re-evaluating how to achieve PCI Compliance
Server security specified as a must to meet security, compliance and operational cost requirements
Now centrally managing 5000 self-defending servers across 1000 stores
Keys: Vulnerability shielding, Firewall, & Log Collection

Restaurant Chain
Maximizing protection and cost efficiency
Rapidly growing casual family restaurant chain
Cost effective security & PCI compliance for 220+ stores
Local processing of card data requires in-depth security
Server self-defense a baseline for secure operations and regulatory compliance
PCI compliance
Keys: Integrity Monitoring & Firewall; central management

Success stories

UK Grocer
Virtual Patching for Legacy Application Enables PCI compliance
140 years old
800 supermarkets
150,000 employees
Electronic Funds Transfer application needs patch
Mission critical Solaris application not patched in 4 years.
Virtual patch needed to meet PCI compliance requirement
Deep Security has allowed them to achieve AND defer cost of upgrading application for 3 years

International Grocer
PCI Compliance across a highly distributed retail environment
Multiple grocery chains
~ 170,000 employees
Multi-platform Integrity Monitoring Requirements
Windows and Linux platforms
Over 725 stores across multiple grocery chains with 20,000 POS systems & 3,000 servers
Keys: Integrity Monitoring across multiple platforms

Key Trends: Data-centric threat environment

More Profitable
More Sophisticated
More Frequent
More Targeted

# of days until vulnerability is first exploited, after patch is made available:
2003, MS-Blast: 28 days
2004, Sasser: 18 days
2005, Zotob: 10 days
2006, WMF: Zero-day
2010, IE zero-day: Zero-day

Exploits are happening before patches are developed