McAfee MOVE (Management for Optimized Virtual Environments) bietet Sicherheitsmanagement für virtuelle Umgebungen. Außerdem werden Lösungen für Endpoint Security vorgestellt.

1. McAfee MOVE / Endpoint Security
Marco Schultes
02.06.2011
Marco Schultes - netlogix Hausmesse LIVE/11 1

2. Was IST eigentlich McAfee MOVE?
Management for
Optimized Virtual
Environments
2
2

3. Aber warum optimiert?
Heutige (AntiVirus)-
Applikationen sind
nicht für virtuelle
Umgebungen
programmiert, nicht
„hypervisor aware“
und deshalb sehr
verschwenderisch
im Umgang mit
Ressourcen.
3

4. MOVE - die neue Plattform zur
Absicherung virtueller Umgebungen
„MOVE is a new strategic Platform and NOT a single Product“
HIPS
Plug-in AV for
Server
Plug-in
File
Encryption AV for
Plug-in McAfee
MOVE VDI‘s
Platform Plug-in
Site
SIA
Adivsor
Partner
Plug-in
Device Plug-in
Control
Plug-in
4

5. AntiVirus Optimierung
Die Probleme des Administrators
5

6. Problem #1 - Virtuelle Server
“Klassisches AV frisst CPU-Leistung”
Individuelle Konsolidierte
Server Server
CPU & I/O Utilization
On-Access Scans 3-5% CPU-Last auf 30% mit 10 virtuellen Maschinen
individuellen Maschinen
On-Demand Scans 50-70% Last auf individuellen Drei gleichzeitige Scans
Maschinen können den Host in die Knie
zwingen
6

7. Problem #2 - Virtuelle Server
“READ-ONLY Images”
Virtual Virtual Offline
Machine Machine Virtual
Image
• READ-ONLY & Offline Apps Apps Apps
Images können nicht
gepatched werden OS OS OS
und keine DAT-
Hypervisor
Updates erhalten
7

8. Problem #3 - Virtuelle Desktops
“AV-Storming”
Organisatorische
Probleme
• Kapazitätsplanung
• Zeitplanung
• VM-Dichte auf dem
Hypervisor
• Verschiedene
Management-Oberflächen
8

9. McAfee MOVE-AV für Server und VDI
VM VM MOVE
Virtual Appliance
Applications Applications
MOVE Off-load
MOVE
Processing
OS OS
Hypervisor ePO
McAfee ePO
MOVE AV for VDI’s
Client • On-Access Scanning (OAS)
• On-Demand Scanning (ODS) (angekündigt)
Virtual Desktop
• Updates nur auf MOVE Virtual Appliance nötig
Client
MOVE AV for Virtual Servers
• Scan basierend auf Hypervisor-Auslastung
Virtual Desktop
• On-Demand Scanning (ODS)
• Offline Scanning (OVI)
• On-Access Scanning (OAS) (angekündigt)
9

10. Features
Effizientes Security-Management
– Volle ePO-Integration
– Hypervisor-unabhängig (Vmware
ESX / Citrix XenServer / MS HyperV
(angekündigt)
– Offline Virenscan
– Hypervisor-lastabhängig
– Security Dashboards/Reports per
Hypervisor
10

11. McAfee MOVE
Ein technischer Überblick
11

12. Optimiertes File Scanning
1. Lokaler Scan Cache
2. Globaler Scan Cache
3. File scannen
4. Artemis Anbindung
3
2
1 4
abc abc
Scan
abc
ac
def
gi
def
gi
def
def
g ii
g Engine
Hypervisor
Artemis
12

13. Advanced File Caching
• Reduziert den Scan Overhead
– Durch effizienten Einsatz von Caches
– Lokaler Scan Cache auf der VM
– Globaler Scan Cache auf der Scan Engine
ePO Server
Scan
abc abc abc
def
gi
def
gi
abc
def
def
g ii
g
Engine
Hypervisor
MOVE
Cache Synchronization Protocol
Server
13

14. Traditionelles AV vs. MOVE AV
14

15. McAfee Plattform-Test auf Citrix XenServer
A/V within the guest Offloading A/V with MOVE
Memory Consumption 60-120MB+ ~20MB
(per VM)
Peak CPU Usage (per 80-100% <10%
hypervisor)
VM Density X 3X
Scanning Resource YES NO
Utilization (Offloaded to Virtual Appliance)
DAT Update Resource YES NO
Utilization (Offloaded to Virtual Appliance)
The product plans, specifications and descriptions herein are provided for information only, subject to change
without notice, results may vary and without warranty of any kind, express or implied
15

16. MOVE Agent in Action
16

17. MOVE Konfiguration
Bis zu 2 Scan-Server können angegeben werden
(virtuelle oder physikalische Server)
17

18. Security Dashboards / Reports
18

19. Hypervisor-aware Scheduler
19

20. Verhindert „AV Storming“
Scan wird verhindert, da die Hypervisor-Auslastung zu hoch ist
20

21. Zusammenfassung
• Erhöhen der virtuellen Server Security mit
minimalen Performance-Auswirkungen
• Aktivieren von VDI Security bei gleichzeitig
hoher VM Dichte pro Hypervisor
• (Zeit-)Einsparungen durch vereinfachtes
zentrales Management über ePO
• Unabhängig vom Hypervisor
– ESX / XenServer / Hyper-V
21

22. McAfee Data Protection
22

23. McAfee Data Protection
McAfee Data Loss Prevention McAfee Device Control
Full control and absolute Prevent unauthorized use
visibility over user behavior of removable media
Data Loss Device devices
Prevention Control
McAfee Total Integrated
Protection™ technologies for
for Data total data
protection
Endpoint Encrypted
Encryption USB
McAfee Endpoint Encryption McAfee Encrypted USB
Full disk, mobile device, and Secure, portable external
file and folder encryption storage devices
coupled with strong
authentication
23

24. Data Breaches Don’t Discriminate
“DuPont scientist downloaded “Royal London Mutual Insurance
22,000 sensitive documents as he Society loses eight laptops and the
got ready to take a job with a personal details of 2,135 people”
competitor…”
SC Magazine
“The FSA has fined “Personal data of “ChoicePoint to pay
Nationwide £980,000 600,000 on lost $15 million over data
for a stolen laptop” laptop” breach—Data broker sold
info on 163,000 people”
24

25. Challenge
How best to protect confidential corporate data on mobile devices from loss, theft, or exposure
to unauthorized parties?
– Laptops lost or stolen in airports, taxis and hotels cost companies an average of
$49,2461
– 36% of data breaches were due to lost or stolen laptop computers
• Average cost is $6.75 million per breach2
– Best practices: “Ensure that portable data-bearing devices…are encrypted”2
– “Protected health information (PHI) is rendered unusable, unreadable, or
indecipherable to unauthorized individuals if encrypted or destroyed”3
– Staying out of the news
1 Ponemon
2 Ponemon, 2009 Cost of a Data Breach
3 HIPAA DHHS Guidance 2009 25

26. McAfee Endpoint Encryption
You need
• Encryption for laptops, desktops, and mobile
devices with the flexibility to choose full disk or
file and folder encryption
Data Loss Device • Confidence in integrity of sensitive data when a
Prevention Control device is lost or stolen
• Safe Harbor protection
McAfee offers
• Broad support for laptops, desktops, and mobile
devices
Endpoint Encrypted
Encryption USB • Full audit trails for compliance & auditing needs
• Support for multiple strong authentication
methods
• Certifications: FIPS 140-2, Common Criteria Level
4 (highest level for software products), BITS,
CSIA, etc.
26

27. Solution: Full Disk Encryption
Why encrypt?
– Every disk drive in an organization eventually leaves said organization
• Natural retirement/replacement
• Loss
• Theft
– Knowing what sensitive information is on a given drive is difficult
• Avoids having to classify data to decide what to protect
– Applications use a myriad of “hidden” temp files that contain your data
Data protection made easy
– Simple to deploy
– Nearly transparent user experience
27

28. Solution: Full Disk Encryption
Full Disk Encryption
• No data access without proper authentication
• Complete, proven protection against loss and theft
• Extensible complement to other data protection technologies
like file encryption, encrypted USB drives, and DLP
How does it work?
• Disk drive is fully encrypted, sector A through sector Z
• As new information is created, it is encrypted
on-the-fly
• A unique, per-device recovery token is used to
handle normal “lost password” situations
28

29. Security Details Matter
CC EAL 4 and FIPS 140-2 Level 2 validation
– Proves the security level by an independent body
AES 256-bit encryption
– Encryption on-the-fly using strong algorithms
Up to three-factor authentication
– McAfee Endpoint Encryption offers a strong pre-
boot authentication
– Support for various smart cards, USB tokens
and biometric devices
ePO compliance reporting and deployment
– Identify non-encrypted machines
– Deploy using McAfee ePO
Business continuity
– McAfee Endpoint Encryption offers offline
challenge-response recovery
– Reduce costs using our local user self-recovery
(questions + answers)
29