Discovering Virtual Patching
Alessandro de Simone
Product Manager – Security and Data Protection
Rome, 28 May 2014
In collaboration with
The Current Scenario
Number of vulnerabilities on the rise
Over 13,000 vulnerabilities reported in 2013, 32% increase from 2012
73.5% of them are remotely exploitable over the network
In July 2013, The New York Times reported that the average vulnerability sells for around $35,000 to $160,000
Exploits become available shortly after disclosure
74% on the same day
8% more than one day later
Roaming endpoints are directly exposed to threats
Connecting to the Internet from home, hotels, Wifi-Hotspots
Not protected by security on the corporate network
In February 2014, NBC reported that a new laptop & mobile phone were probed
by hackers in less than one minute and the machine exploited just a few minutes
later on the hotel wifi
The Current Scenario – Patching every vulnerability… unrealistic
Some vulnerabilities cannot be patched
Systems need to be up 24/7 and cannot be rebooted
Patches often do not exist
for 52% of known vulnerabilities, no patch exists
Average of 151 days for vendors to release patch (NSS Labs 2013)
Patches – if available – are not deployed immediately
Average time to patch in enterprises in 2013: 59 days!
Endpoints remain vulnerable
The Current Scenario – the end of XP
Desktop OS Market Share as of Feb 2014

Operating System                  Market Share
Windows 7                         48.06%
Windows XP                        28.44%
Windows 8                          6.49%
Windows 8.1                        4.34%
Mac OS X 10.9                      3.46%
Windows Vista                      3.15%
Linux                              1.59%
Mac OS X 10.6                      1.39%
Mac OS X 10.8                      1.38%
Mac OS X 10.7                      1.15%
Mac OS X 10.5                      0.27%
Windows NT                         0.17%
Mac OS X 10.4                      0.07%
Windows 2000                       0.03%
Mac OS X (no version reported)     0.01%
Windows 98                         0.00%
The Current Scenario
Microsoft will end the Extended Support on April 8, 2014 for Windows XP with Service Pack 3
and Windows XP x64 Edition with Service Pack 2
But customers will still be on XP for the time being. Why?
1. Cost
• Gartner estimates that the per-machine cost of migrating from XP to Windows 7, for example, in an organization
with 10,000 desktops or more will vary from $1,274USD to $2,069USD
• The Camwood research found that while only 16% of IT decision makers stated that budgetary reasons were
holding them back from migrating off XP, those in the throes of migration (25%) were more concerned about the
amount of money needed to be spent to achieve a successful migration.
2. Migration Concerns
• Worry about migration was cited by over 1/5 of IT decision makers as another reason why they have not started
migration.
3. Legacy Software Support
• Companies with in-house applications generally have a greater dependency on the OS, which prevents them from moving away
The Current Scenario
Protecting vulnerabilities before they can be exploited
Hundreds of software vulnerabilities are discovered every month, and applying patches promptly is expensive, error-prone and often impossible. This highlights the costs and difficulties of emergency patch deployment, frequent patch cycles and costly system downtime.
The Solution – Virtual Patching
Virtual patching solutions provide immediate protection.
You get proven vulnerability shielding that protects your servers and endpoints until patches are deployed, or indefinitely for unsupported systems and systems that cannot be patched. Virtual patching can help you extend the life of legacy systems and applications while reducing administrative costs.
How Does It Work?
Raw traffic passes through four layers of inspection before it reaches the application; what leaves layer 4 is filtered traffic:
1. Stateful Firewall – allow known good
2. Exploit Rules – stop known bad
3. Vulnerability Rules – shield known vulnerabilities
4. Smart Rules – shield unknown vulnerabilities and protect specific applications
Layers 2 to 4 are performed by deep packet inspection.
Over 100 applications shielded, including: operating systems, database servers, web app servers, mail servers, FTP servers, backup servers, storage management servers, DHCP servers, desktop applications, mail clients, web browsers, anti-virus, other applications.
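As an added illustration, not Trend Micro code and not part of the original slides, here is a small Python model of the four-layer pipeline above, showing why the layers are ordered as they are; the allowed ports, exploit patterns, header-length bound and sample packets are constructed assumptions:

```python
import re

# Layer 1, stateful firewall: allow known good (constructed allow-list of service ports).
ALLOWED_PORTS = {80, 443}
# Layer 2, exploit rules: stop known bad (constructed byte patterns standing in for signatures).
EXPLOIT_SIGNATURES = [b"/bin/sh", b"cmd.exe"]
# Layer 3, vulnerability rules: hypothetical header-length bound that a vendor patch would
# enforce inside the server; the rule enforces it on the wire for the unpatched host instead.
MAX_HEADER_LEN = 256
# Layer 4, smart rules: protocol conformance for one specific application (cleartext HTTP).
HTTP_REQUEST_LINE = re.compile(rb"^(GET|POST|HEAD) \S+ HTTP/1\.[01]\r\n")

def stateful_firewall(pkt):
    return pkt["dport"] in ALLOWED_PORTS

def exploit_rules(pkt):
    return not any(sig in pkt["payload"] for sig in EXPLOIT_SIGNATURES)

def vulnerability_rules(pkt):
    # Drop any header line longer than the bound before it reaches the unpatched server.
    return all(len(line) <= MAX_HEADER_LEN for line in pkt["payload"].split(b"\r\n"))

def smart_rules(pkt):
    # Port 443 carries TLS, so only cleartext HTTP on port 80 is parsed here.
    if pkt["dport"] == 80:
        return HTTP_REQUEST_LINE.match(pkt["payload"]) is not None
    return True

PIPELINE = [("firewall", stateful_firewall), ("exploit", exploit_rules),
            ("vulnerability", vulnerability_rules), ("smart", smart_rules)]

def inspect(pkt):
    """First rejecting layer wins; order follows the slide: firewall, exploit, vulnerability, smart."""
    for name, check in PIPELINE:
        if not check(pkt):
            return ("block", name)
    return ("allow", None)

# Constructed sample traffic, one packet per outcome (dport = destination port).
SAMPLE_TRAFFIC = [
    {"dport": 80, "payload": b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"},
    {"dport": 23, "payload": b"login: admin\r\n"},
    {"dport": 80, "payload": b"GET /cgi-bin/x HTTP/1.1\r\nUser-Agent: /bin/sh\r\n\r\n"},
    {"dport": 80, "payload": b"GET / HTTP/1.1\r\nCookie: " + b"A" * 300 + b"\r\n\r\n"},
    {"dport": 80, "payload": b"HELO not-http\r\n"},
]

def run_pipeline(traffic=SAMPLE_TRAFFIC):
    return [inspect(p) for p in traffic]
```

Each sample packet is stopped by a different layer, which is the point of the layered design: a rule in a later layer only has to handle what the cheaper layers before it let through.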
Virtual Patching – Multi-Level Protection
Data Center: Trend Micro DEEP SECURITY
Endpoint: Trend Micro VULNERABILITY PROTECTION
Trend Micro Vulnerability Protection
TMVP = Trend Micro Vulnerability Protection
• TMVP focuses on vulnerability protection, using virtual patching to defend against remote attacks.
TMVP ⊂ {DPI, FW}
• TMVP is based on Deep Packet Inspection (DPI) and Firewall (FW) technologies to provide virtual patching and device control.
TMVP ≠ OfficeScan Plugin
• TMVP differs from IDF in that it integrates with Control Manager alongside all other endpoint products, is a standalone product, and has no dependencies on OfficeScan.
Features
Multiple-Level Policy Inheritance
A newly created policy can be configured to inherit
all or some of its settings from a parent policy. This
lets you create a tree structure of security policies.
Complete IPv6 support
IPv6-specific rules can use IPv6 addresses, and ICMPv6 support has been added. Generic rules such as "IP TCP allow port 80" apply to both IPv4 and IPv6 traffic.
Standalone
TMVP does not require OSCE for installation; it can operate alongside other major AV products such as McAfee, Symantec, Sophos and Kaspersky.
Features
TMCM Integration:
Central management of multiple TMVP servers in TMCM
TMVP Status Log summary in TMCM Show Health Status
New UI:
Completely redesigned user experience, simplified management and
navigation
Refined options for device control related configurations
Task-Based Navigation:
Tabbed dashboard allows multiple dashboards with easy switching between them, providing many different views.
Broader Browser Support:
Added IE 10, Chrome and Safari to the existing Firefox and IE 9 support
CSV export
5 Strengths
✓ Reduce the need for patching (down-time, reboot)
✓ Extend the life of XP systems
✓ Protection against exploits
✓ Enable compliance with PCI 6.6
✓ Control unauthorized network access
Administration GUI
Comparison
Differentiation: Trend vs. McAfee, Symantec, Sophos, Kaspersky (the per-vendor tick marks of the chart did not survive extraction)
Key Capabilities
• Automated protection against vulnerabilities
• Shields OS and apps from known and unknown attacks
• Protects from vulnerabilities before patches are deployed
• Visibility of vulnerabilities and CVE information
Host Intrusion Prevention Features
• Supports Windows XP / Server 2003 and above
• Blocks networking backdoors from penetrating the network (Interface Isolation)
• Automatic location-based security configuration
• Detects malicious traffic for known protocols on dynamic ports
• EPP / AV Suite integration & pricing
Competitor annotations in the chart: "Patch Deployment only", "via App Control", "No XP x64 support", "Device Control only"
System Requirements
Vulnerability Protection Manager
Memory: 4 GB (8 GB recommended)
Disk Space: 1.5 GB (5 GB recommended)
Operating System
• Microsoft Windows 2012 R2 (64-bit)
• Microsoft Windows 2012 (64-bit)
• Windows Server 2008 R2 (64-bit)
• Windows Server 2008 (32-bit and 64-bit)
• Windows 2003 Server SP2 (32-bit and 64-bit)
• Windows 2003 Server R2 SP2 (32-bit and 64-bit)
Database: Embedded SQL Server 2008 SP2, or SQL Server (2008/2012), or Oracle (10g/11g)
• Requires 20 GB disk space
Vulnerability Protection Agent
Memory: 128 MB
Disk Space: 500 MB
Operating System
• Windows 8.1 (32-bit and 64-bit)
• Windows Server 2012 R2 (64-bit)
• Windows 8 (32-bit and 64-bit)
• Windows Server 2012 (64-bit)
• Windows 7 (32-bit and 64-bit)
• Windows Server 2008 R2 (64-bit)
• Windows Server 2008 (32-bit and 64-bit)
• Windows Vista (32-bit and 64-bit)
• Windows Server 2003 SP1 (32-bit and 64-bit) patched with "Windows Server 2003 Scalable Networking Pack"
• Windows Server 2003 SP2 (32-bit and 64-bit)
• Windows Server 2003 R2 SP2 (32-bit and 64-bit)
• Windows XP (32-bit and 64-bit)
Trend Micro Deep Security
What is it?
Deep Security provides advanced server protection for physical, virtual and in-the-cloud servers.
It protects enterprise applications and data from breaches and business disruption without resorting to emergency patches.
This comprehensive, centrally managed platform helps you simplify security operations while ensuring regulatory compliance and increasing the ROI of virtualization and cloud projects.
More attacks… More targeted
• More Sophisticated
• More Targeted
• More Frequent
• More Profitable
Advanced Persistent Threats
De-Perimeterization
Traditional protection technologies are no longer adequate
Why Deep Security?
Virtualization Security with Deep Security
Agentless Security Platform for Virtual Environments
Deep Security Virtual Appliance provides:
• Intrusion prevention
• Firewall
• Anti-malware
• Web reputation
• Integrity monitoring
[Diagram] The Old Way: VM, VM, VM. With Deep Security: one Security Virtual Appliance alongside more VMs. Result: higher density, fewer resources, easier manageability, stronger security.
6 Integrated Modules
6 protection modules
• Firewall: reduces attack surface; prevents DoS and detects reconnaissance scans
• Intrusion Prevention: detects and blocks known and zero-day attacks that target vulnerabilities
• Web Reputation: tracks credibility of websites and safeguards users from malicious URLs
• Anti-Virus: detects and blocks malware (web threats, viruses and worms, Trojans)
• Log Inspection: optimizes the identification of important security events buried in log entries
• Integrity Monitoring: detects malicious and unauthorized changes to directories, files, registry keys…
Architecture
Deep Security Manager: single pane, scalable, redundant. Connected components: Threat Intelligence Manager, SecureCloud, Reports.
Deep Security Agent modules:
• Intrusion Prevention
• Firewall
• Integrity Monitoring
• Log Inspection
• Anti-malware
• Web Reputation
Deep Security Virtual Appliance includes:
• Intrusion Prevention
• Firewall
• Anti-malware
• Web Reputation
• Integrity Monitoring
• Hypervisor Integrity Monitoring
…In Conclusion
• A single, integrated solution for server protection
• The only solution offering purpose-built protection for virtual and cloud environments
• First and only agentless security platform (anti-malware, web reputation, firewall, intrusion prevention, VM & hypervisor integrity monitoring, virtual patching) for VMware
• First and only solution that extends data center protection to the public/hybrid cloud
[Chart] Trend Micro 22.9% vs. All Others 77.1%; Trend Micro 13% vs. All Others Combined 87%
OFFICES: Roma Milano Venezia Torino Novara Bologna
CONTACTS: [email protected] - www.cbt.it