SlideShare a Scribd company logo

The Dynamic Nature of Virtualization Security

Rapid7, profile picture
Rapid7

The document discusses the changing landscape of virtualization security, emphasizing the need for real-time vulnerability management as virtualization becomes pervasive in organizational IT infrastructure. It highlights the inadequacies of traditional vulnerability scanning methods in dynamic virtual environments and recommends the adoption of automated, continuous security monitoring and risk assessment solutions. Rapid7's Nexpose, designed specifically for virtualized environments, is presented as an advanced tool to manage these new security challenges.

Technology
Related topics:
Vulnerability Management Risk Assessment
1 of 5
Download to read offline
1
2
3
4
5
White Paper The Dynamic Nature of Virtualization Security The need for real-time vulnerability management and risk assessment
Rapid7 Corporate Headquarters 800 Boylston Street, Prudential Tower, 29th Floor, Boston, MA 02199-8095 617.247.1717 www.rapid7.com Introduction Virtualization is radically shifting how enterprises deploy, deliver, and manage applications and data. It offers tremendous benefits for business efficiency and agility: resource consolidation for controlling costs, greater scalability and higher utilization of existing assets and applications, and flexibility for adapting assets to meet current business demands. Forrester asserts: “Virtualization is the norm; deploying a physical server is the exception.” It found that “server virtualization is nearly ubiquitous,” that “85 percent of organizations have adopted or are planning to adopt x86 server virtualization,” and that “79 percent of firms have or are planning to institute a ‘virtualization first’ policy.” By 2014, Forrester predicts that 75 percent of all servers will be virtualized. (“The CISO’s Guide to Virtualization Security,” by Rick Holland, et al., Forrester Research, Inc., January 12, 2012.) Similarly, Information Week reports that adoption of server virtualization has grown to 97 percent in survey-respondent data centers. It also reports similar adoption rates in storage virtualization (86 percent), application virtualization (88 percent), and desktop virtualization (76 percent). (“Next-Generation VM Security,” by Kurt Marko, Information Week reports, June 2012). As more enterprises virtualize their infrastructures, they also face new threat vectors. In the rush to virtualize applications and other assets and realize the fiscal and management benefits of virtualization, IT managers must continue to protect IT infrastructures from hacking incidents, inadvertent insider damage, and malware attacks. Servers, applications, networks, and end-user devices are becoming dynamic and unpredictable. Virtualized assets are susceptible to the same threats and vulnerabilities as traditional assets but traditional security devices offer limited visibility into virtualized environments, where assets and their security postures are constantly changing. Incidents in virtualized servers can escalate rapidly and cause considerable damage. Determining the risk level associated with a given vulnerability remains vital to prioritizing mitigation tasks. The cornerstones of a proactive security strategy are vulnerability management and risk assessment. However, traditional “scan-and-patch” vulnerability scanning approaches are inadequate for dynamic, virtualized environments. Traditional scanners cannot track changes in real time, so they cannot accurately measure constantly changing risks. Anyone charged with securing IT assets needs to understand the dynamic security risks inherent to virtualized environments, and more importantly, what to do to mitigate those risks. With security infrastructures lagging behind virtualization adoption, a vulnerability management solution that provides immediate risk assessment plays a critical role in helping security managers protect virtualized assets and data. Forrester recommends: You must extend your vulnerability management program into your virtual environment. Server hardening, including patch management and configuration management, is a core element of vulnerability management. A number of good resources are available to assist you with hardening your virtual servers. You must also ensure that you are conducting regular vulnerability assessments, including scanning and penetration testing, of the environment. …You should include virtualization-specific penetration tests to validate the hardening and security controls of the environment. (Forrester, Ibid., p. 9) Scheduled scans remain useful in virtualized environments, but the dynamic character of virtualization presents new kinds of risk. The constantly fluctuating environment requires continuous and comprehensive security monitoring to detect changes as they happen.
Rapid7 Corporate Headquarters 800 Boylston Street, Prudential Tower, 29th Floor, Boston, MA 02199-8095 617.247.1717 www.rapid7.com The vulnerability management solution should include these capabilities: • Deployable as a virtual machine (VM) • Discover and scan VMs as they spin up and down for vulnerabilities and misconfigurations. • Detect snapshot rollbacks and scan after restores • Track asset migrations and proactively monitor their security postures To better understand the need for these capabilities, consider the challenges and solutions below. Challenge: On or Off? Virtual machines spin up and down all day long. Some VMs may activate many times a day, while others may spin up once a month. An IT administrator can provision, operate, and delete a VM before a traditional vulnerability scanner can check it for vulnerabilities. Periodic scans assign inactive VMs a risk score of 0. There’s inherent risk if that potentially-vulnerable VM spins up again before the next periodic scan kicks off. Solution: Automated Discovery and Scanning Security managers need to know when VMs become active, so they have the option to scan them immediately and assess their risk levels. Without requiring operator intervention, the vulnerability management solution should be able to interact with the hypervisor to detect VMs as they come online and maintain an accurate database of discovered resources. More importantly, a security manager should have the option to configure the vulnerability management solution to automatically scan critical resources when they spin up and issue a scan report upon completion. Challenge: Snapshot Rollbacks Storage snapshots are a valuable data protection capability. However, a rollback or restore may expose a VM, and the system it resides upon, to a previously fixed vulnerability. For example, rollbacks may revert a VM to an older software version that needs critical patching. A periodic scan may not discover this exposure for days or weeks. Another scenario is a rollback reinstates a configuration error or other vulnerability that is exploitable by malware, and a malware attack may have caused the crash. Solution: Rollback Detection and Automated Scanning If the vulnerability management solution is in communication with the hypervisor, it should be able to detect rollbacks and restores and send an alert to the management console. The security manager should have the option to configure the vulnerability management solution to automatically scan assets after a rollback or restore and issue a scan report upon completion. For example, such scans can immediately verify that software versions remain compliant with policies after a rollback, or expose the exploitable errors or vulnerabilities and allow security managers to mitigate them.
Rapid7 Corporate Headquarters 800 Boylston Street, Prudential Tower, 29th Floor, Boston, MA 02199-8095 617.247.1717 www.rapid7.com Challenge: Virtual Machine Migration Live migrations of VMs to other hosts, using features such as VMware vMotion, helps server managers adjust server utilization and maintain performance levels without service interruption. Migrations may be a proactive management task, but more often they occur as a result of a catastrophic failure. Some failures, such as loss of an asset pool, can trigger migrations to another asset pool or even to another site. The security manager needs visibility to track migrations as they happen, verifying that security posture of migrated assets does not change. Solution: Automated Scanning Vulnerability assessments can help security managers determine the cause and type of such a failure. They need visibility not only within an asset pool or site, but among multiple pools or sites in the case of co-located or distributed data centers. The hypervisor detects the migration, and the vulnerability management solution should recognize it and send an alert to the security manager. Again, the security manager should have the option to configure the vulnerability management software to automatically scan migrated assets and issue a scan report upon completion. What About Hypervisor Security? A 2009 IBM report suggested that the hypervisor platform contained dozens of vulnerabilities. This report sparked industry discussions that securing a virtualized environment presents a new set of risks, but emphasized securing the hypervisor itself. Hypervisor vulnerabilities are static. Conventional scanners can identify these vulnerabilities, and administrators can remediate them using conventional scan-and-patch processes. The IBM study failed to address the dynamic nature of the entire virtualized infrastructure. There is general agreement that the hypervisor is an ideal location to deploy security solutions such as anti-malware systems. That said, in a 2011 report, Forrester “addressed the security of the hypervisor and concluded that it introduces some marginal risk to the server environment but that concerns are largely overblown.” (Forrester, Ibid., p. 6.) Solution: Rapid7 Security Risk Intelligence Rapid7 Security Risk Intelligence is a data-driven approach to risk assessment and vulnerability management that weighs the value of data sets when measuring risk. Rapid7 offers a powerful combination of innovative vulnerability management and penetration testing solutions along with deep security expertise to identify and prioritize the dynamic security risks of virtualized environments. Rapid7 Nexpose is the industry’s first vulnerability management solution with capabilities, such as Continuous Discovery, designed specifically for virtualized environments. Working closely with VMware, Rapid7 continues to add virtualization-specific capabilities into Nexpose, its vulnerability management and risk-assessment solution. Nexpose is the only third party vulnerability management solution included in the VMware security reference architecture. Additionally, Rapid7 Metasploit can be used in conjunction with Nexpose to validate risk in IT environments based on actual exploitability of vulnerabilities, both in physical and in virtual environments.
Rapid7 Corporate Headquarters 800 Boylston Street, Prudential Tower, 29th Floor, Boston, MA 02199-8095 617.247.1717 www.rapid7.com How Rapid7 Can Help Rapid7 is a leader in security risk intelligence that can help you gain valuable insight into your security posture, through both products and services. Headquartered in Boston, MA, Rapid7 was founded in 2000. In response to the increasing security threat environment, the company developed its award-winning vulnerability management solution Nexpose. In 2009, Rapid7 acquired Metasploit, the leading penetration testing platform with the world’s largest quality assured exploit database. The combination of both products has resulted in the company’s integrated security risk intelligence portfolio, designed to provide organizations with unique insight into their threat and risk posture. Rapid7 also has a professional services unit that conducts product deployments and trainings as well as security assessments. If you have questions on how you could improve your organization’s security posture, would like to evaluate Rapid7’s vulnerability management or penetration testing products, or would like to talk to Rapid7’s professional services team, please contact Rapid7 at info@rapid7.com, call +1.617.247.1717, or visit www.rapid7.com.

More Related Content

PDF
Get Real-Time Cyber Threat Protection with Risk Management and SIEM
Rapid7
 
PDF
A Buyers Guide to Investing in Endpoint Detection and Response for Enterprise...
Kaspersky
 
PDF
20 Security Controls for the Cloud
NetStandard
 
PDF
DTS Solution - Building a SOC (Security Operations Center)
Shah Sheikh
 
PDF
Kofax Document Security
Kofax
 
PDF
Building a Cyber Security Operations Center for SCADA/ICS Environments
Shah Sheikh
 
PPTX
How to Increase ICS Cybersecurity Return on Investment (ROI)
Dragos, Inc.
 
PDF
The Critical Security Controls and the StealthWatch System
Lancope, Inc.
 
Get Real-Time Cyber Threat Protection with Risk Management and SIEM
Rapid7
 
A Buyers Guide to Investing in Endpoint Detection and Response for Enterprise...
Kaspersky
 
20 Security Controls for the Cloud
NetStandard
 
DTS Solution - Building a SOC (Security Operations Center)
Shah Sheikh
 
Kofax Document Security
Kofax
 
Building a Cyber Security Operations Center for SCADA/ICS Environments
Shah Sheikh
 
How to Increase ICS Cybersecurity Return on Investment (ROI)
Dragos, Inc.
 
The Critical Security Controls and the StealthWatch System
Lancope, Inc.
 

What's hot (20)

PDF
Wfh security risks - Ed Adams, President, Security Innovation
Priyanka Aash
 
PPTX
NextGen Endpoint Security for Dummies
Atif Ghauri
 
PDF
Bulding Soc In Changing Threat Landscapefinal
Mahmoud Yassin
 
PDF
Cheatsheet for your cloud project
Petteri Heino
 
PDF
Ebook: Splunk SANS - CIS Top 20 Critical Security Controls
Dominique Dessy
 
PDF
QualysGuard InfoDay 2013 - QualysGuard Security & Compliance Suite supporting...
Risk Analysis Consultants, s.r.o.
 
PDF
Security operations center 5 security controls
AlienVault
 
PPTX
Splunk for Security: Background & Customer Case Study
Andrew Gerber
 
PDF
Security Automation and Orchestration
Greg Foss
 
PDF
From SIEM to SOC: Crossing the Cybersecurity Chasm
Priyanka Aash
 
PDF
Industrial Control Systems Cybersecurity Technology Selection
Dragos, Inc.
 
PPTX
Extending the 20 critical security controls to gap assessments and security m...
John M. Willis
 
PDF
Accelerating OT - A Case Study
Digital Bond
 
PDF
What We’ve Learned Building a Cyber Security Operation Center: du Case Study
Priyanka Aash
 
PDF
Hardware Security on Vehicles
Priyanka Aash
 
PPTX
Security Operations Center (SOC) Essentials for the SME
AlienVault
 
PPTX
Dragos S4x20: How to Build an OT Security Operations Center
Dragos, Inc.
 
PPTX
Improve threat detection with hids and alien vault usm
AlienVault
 
PDF
Vulnerability threat and attack
newbie2019
 
PPTX
Incident Response: Validation, Containment & Forensics
Priyanka Aash
 
Wfh security risks - Ed Adams, President, Security Innovation
Priyanka Aash
 
NextGen Endpoint Security for Dummies
Atif Ghauri
 
Bulding Soc In Changing Threat Landscapefinal
Mahmoud Yassin
 
Cheatsheet for your cloud project
Petteri Heino
 
Ebook: Splunk SANS - CIS Top 20 Critical Security Controls
Dominique Dessy
 
QualysGuard InfoDay 2013 - QualysGuard Security & Compliance Suite supporting...
Risk Analysis Consultants, s.r.o.
 
Security operations center 5 security controls
AlienVault
 
Splunk for Security: Background & Customer Case Study
Andrew Gerber
 
Security Automation and Orchestration
Greg Foss
 
From SIEM to SOC: Crossing the Cybersecurity Chasm
Priyanka Aash
 
Industrial Control Systems Cybersecurity Technology Selection
Dragos, Inc.
 
Extending the 20 critical security controls to gap assessments and security m...
John M. Willis
 
Accelerating OT - A Case Study
Digital Bond
 
What We’ve Learned Building a Cyber Security Operation Center: du Case Study
Priyanka Aash
 
Hardware Security on Vehicles
Priyanka Aash
 
Security Operations Center (SOC) Essentials for the SME
AlienVault
 
Dragos S4x20: How to Build an OT Security Operations Center
Dragos, Inc.
 
Improve threat detection with hids and alien vault usm
AlienVault
 
Vulnerability threat and attack
newbie2019
 
Incident Response: Validation, Containment & Forensics
Priyanka Aash
 
Ad

Viewers also liked (11)

PDF
Demystifying PCI DSS: Expert Tips and Explanations to Help You Gain PCI DSS C...
Rapid7
 
PDF
Rapid7 FISMA Compliance Guide
Rapid7
 
PDF
Rapid7 Report: Security Flaws in Universal Plug and Play: Unplug, Don't Play.
Rapid7
 
PDF
Rapid7 CAG Compliance Guide
Rapid7
 
PDF
IT Security in Higher Education
Rapid7
 
PDF
Combating Phishing Attacks
Rapid7
 
PDF
What is Penetration Testing?
Rapid7
 
PDF
Rapid7 Report: Data Breaches in the Government Sector
Rapid7
 
PDF
Best Practices to Protect Cardholder Data Environment and Achieve PCI Compliance
Rapid7
 
PDF
Protecting Patient Health Information in the HITECH Era
Rapid7
 
PPTX
The Internet of Fails - Mark Stanislav, Senior Security Consultant, Rapid7
Rapid7
 
Demystifying PCI DSS: Expert Tips and Explanations to Help You Gain PCI DSS C...
Rapid7
 
Rapid7 FISMA Compliance Guide
Rapid7
 
Rapid7 Report: Security Flaws in Universal Plug and Play: Unplug, Don't Play.
Rapid7
 
Rapid7 CAG Compliance Guide
Rapid7
 
IT Security in Higher Education
Rapid7
 
Combating Phishing Attacks
Rapid7
 
What is Penetration Testing?
Rapid7
 
Rapid7 Report: Data Breaches in the Government Sector
Rapid7
 
Best Practices to Protect Cardholder Data Environment and Achieve PCI Compliance
Rapid7
 
Protecting Patient Health Information in the HITECH Era
Rapid7
 
The Internet of Fails - Mark Stanislav, Senior Security Consultant, Rapid7
Rapid7
 
Ad

Similar to The Dynamic Nature of Virtualization Security (20)

PDF
2_24551_Virtualization_SC_0113
Jim Romeo
 
PDF
WHITE PAPER: Threats to Virtual Environments - Symantec Security Response Team
Symantec
 
PDF
Risk Analysis and Mitigation in Virtualized Environments
Siddharth Coontoor
 
PDF
Getting the Most Value from VM and Compliance Programs white paper
Tawnia Beckwith
 
PDF
Managing The Virtualized Enterprise New Technology, New Challenges
Enterprise Technology Management (ETM)
 
PDF
PCI DSS & Virtualization
TobyRobinson13
 
DOCX
user centric machine learning framework for cyber security operations center
Venkat Projects
 
DOC
Five Mistakes of Vulnerability Management
Anton Chuvakin
 
PDF
IT Security Risk Mitigation Report: Virtualization Security
Booz Allen Hamilton
 
PPTX
Enterprise Class Vulnerability Management Like A Boss
rbrockway
 
PDF
Aricent Highly Automated Vulnerability Assessment Orchestration Containers (H...
Aricent
 
PDF
Top 10 Questions to Ask Your Vulnerability Management Provider
Tawnia Beckwith
 
DOCX
VAPT- A Service on Eucalyptus Cloud
Swapna Shetye
 
PDF
Esg solution showcase considerations for protecting converged systems and ...
Fernando Alves
 
PDF
Vulnerability Management System
IRJET Journal
 
PPTX
Ivanti Security Controls.pptx
FarhanSaifudin2
 
PDF
EastNets Compliance Solutions
EastNets
 
PDF
Integration of Qualys with HCL BigFix Insights for Vulnerability Remediation
HCLSoftware
 
PDF
Bit defender ebook_secmonitor_print
james morris
 
PDF
Maintaining Continuous Compliance with HCL BigFix
HCLSoftware
 
2_24551_Virtualization_SC_0113
Jim Romeo
 
WHITE PAPER: Threats to Virtual Environments - Symantec Security Response Team
Symantec
 
Risk Analysis and Mitigation in Virtualized Environments
Siddharth Coontoor
 
Getting the Most Value from VM and Compliance Programs white paper
Tawnia Beckwith
 
Managing The Virtualized Enterprise New Technology, New Challenges
Enterprise Technology Management (ETM)
 
PCI DSS & Virtualization
TobyRobinson13
 
user centric machine learning framework for cyber security operations center
Venkat Projects
 
Five Mistakes of Vulnerability Management
Anton Chuvakin
 
IT Security Risk Mitigation Report: Virtualization Security
Booz Allen Hamilton
 
Enterprise Class Vulnerability Management Like A Boss
rbrockway
 
Aricent Highly Automated Vulnerability Assessment Orchestration Containers (H...
Aricent
 
Top 10 Questions to Ask Your Vulnerability Management Provider
Tawnia Beckwith
 
VAPT- A Service on Eucalyptus Cloud
Swapna Shetye
 
Esg solution showcase considerations for protecting converged systems and ...
Fernando Alves
 
Vulnerability Management System
IRJET Journal
 
Ivanti Security Controls.pptx
FarhanSaifudin2
 
EastNets Compliance Solutions
EastNets
 
Integration of Qualys with HCL BigFix Insights for Vulnerability Remediation
HCLSoftware
 
Bit defender ebook_secmonitor_print
james morris
 
Maintaining Continuous Compliance with HCL BigFix
HCLSoftware
 

More from Rapid7 (7)

PDF
[INFOGRAPHIC] The Credit Card Criminal's Playbook: A Retail Data Breach Attac...
Rapid7
 
PPTX
OpenSSL Heartbleed Vulnerability Explained & Tips for Protection
Rapid7
 
PPTX
How to Manage Your Security Control's Effectiveness
Rapid7
 
PPTX
Penetration Testing Techniques - DREAD Methodology
Rapid7
 
PDF
Life's a Breach: Yahoo Gets Burned by SQL Injection
Rapid7
 
PDF
Rapid7 NERC-CIP Compliance Guide
Rapid7
 
PDF
How to Sell Security to Your CIO
Rapid7
 
[INFOGRAPHIC] The Credit Card Criminal's Playbook: A Retail Data Breach Attac...
Rapid7
 
OpenSSL Heartbleed Vulnerability Explained & Tips for Protection
Rapid7
 
How to Manage Your Security Control's Effectiveness
Rapid7
 
Penetration Testing Techniques - DREAD Methodology
Rapid7
 
Life's a Breach: Yahoo Gets Burned by SQL Injection
Rapid7
 
Rapid7 NERC-CIP Compliance Guide
Rapid7
 
How to Sell Security to Your CIO
Rapid7
 

Recently uploaded (20)

PDF
NewMind AI Weekly Chronicles - August'25-Week II
NewMind AI
 
PDF
A comparative analysis of optical character recognition models for extracting...
IAESIJAI
 
PDF
Encapsulation theory and applications.pdf
gurumoop
 
PPTX
20250228 LYD VKU AI Blended-Learning.pptx
DatVoNgoc
 
PPTX
MYSQL Presentation for SQL database connectivity
Swati270511
 
PPTX
Big Data Technologies - Introduction.pptx
kuthubussaman1
 
PDF
Reach Out and Touch Someone: Haptics and Empathic Computing
Mark Billinghurst
 
PDF
Network Security Unit 5.pdf for BCA BBA.
Serpent6
 
PDF
Dropbox Q2 2025 Financial Results & Investor Presentation
Dropbox
 
PDF
Blue Purple Modern Animated Computer Science Presentation.pdf.pdf
Akar16
 
PDF
The Rise and Fall of 3GPP – Time for a Sabbatical?
3G4G
 
PDF
Profit Center Accounting in SAP S/4HANA, S4F28 Col11
Libreria ERP
 
PDF
gpt5_lecture_notes_comprehensive_20250812015547.pdf
Chinchu40
 
PDF
Optimiser vos workloads AI/ML sur Amazon EC2 et AWS Graviton
Julien SIMON
 
PDF
Build a system with the filesystem maintained by OSTree @ COSCUP 2025
Jian-Hong Pan
 
PDF
Mobile App Security Testing_ A Comprehensive Guide.pdf
flufftailshop
 
PDF
Peak of Data & AI Encore- AI for Metadata and Smarter Workflows
Safe Software
 
PDF
cuic standard and advanced reporting.pdf
SimoneTitaniumTomase
 
PDF
Per capita expenditure prediction using model stacking based on satellite ima...
IAESIJAI
 
PDF
TokAI - TikTok AI Agent : The First AI Application That Analyzes 10,000+ Vira...
SOFTTECHHUB
 
NewMind AI Weekly Chronicles - August'25-Week II
NewMind AI
 
A comparative analysis of optical character recognition models for extracting...
IAESIJAI
 
Encapsulation theory and applications.pdf
gurumoop
 
20250228 LYD VKU AI Blended-Learning.pptx
DatVoNgoc
 
MYSQL Presentation for SQL database connectivity
Swati270511
 
Big Data Technologies - Introduction.pptx
kuthubussaman1
 
Reach Out and Touch Someone: Haptics and Empathic Computing
Mark Billinghurst
 
Network Security Unit 5.pdf for BCA BBA.
Serpent6
 
Dropbox Q2 2025 Financial Results & Investor Presentation
Dropbox
 
Blue Purple Modern Animated Computer Science Presentation.pdf.pdf
Akar16
 
The Rise and Fall of 3GPP – Time for a Sabbatical?
3G4G
 
Profit Center Accounting in SAP S/4HANA, S4F28 Col11
Libreria ERP
 
gpt5_lecture_notes_comprehensive_20250812015547.pdf
Chinchu40
 
Optimiser vos workloads AI/ML sur Amazon EC2 et AWS Graviton
Julien SIMON
 
Build a system with the filesystem maintained by OSTree @ COSCUP 2025
Jian-Hong Pan
 
Mobile App Security Testing_ A Comprehensive Guide.pdf
flufftailshop
 
Peak of Data & AI Encore- AI for Metadata and Smarter Workflows
Safe Software
 
cuic standard and advanced reporting.pdf
SimoneTitaniumTomase
 
Per capita expenditure prediction using model stacking based on satellite ima...
IAESIJAI
 
TokAI - TikTok AI Agent : The First AI Application That Analyzes 10,000+ Vira...
SOFTTECHHUB
 

The Dynamic Nature of Virtualization Security

  • 1. White Paper The Dynamic Nature of Virtualization Security The need for real-time vulnerability management and risk assessment
  • 2. Rapid7 Corporate Headquarters 800 Boylston Street, Prudential Tower, 29th Floor, Boston, MA 02199-8095 617.247.1717 www.rapid7.com Introduction Virtualization is radically shifting how enterprises deploy, deliver, and manage applications and data. It offers tremendous benefits for business efficiency and agility: resource consolidation for controlling costs, greater scalability and higher utilization of existing assets and applications, and flexibility for adapting assets to meet current business demands. Forrester asserts: “Virtualization is the norm; deploying a physical server is the exception.” It found that “server virtualization is nearly ubiquitous,” that “85 percent of organizations have adopted or are planning to adopt x86 server virtualization,” and that “79 percent of firms have or are planning to institute a ‘virtualization first’ policy.” By 2014, Forrester predicts that 75 percent of all servers will be virtualized. (“The CISO’s Guide to Virtualization Security,” by Rick Holland, et al., Forrester Research, Inc., January 12, 2012.) Similarly, Information Week reports that adoption of server virtualization has grown to 97 percent in survey-respondent data centers. It also reports similar adoption rates in storage virtualization (86 percent), application virtualization (88 percent), and desktop virtualization (76 percent). (“Next-Generation VM Security,” by Kurt Marko, Information Week reports, June 2012). As more enterprises virtualize their infrastructures, they also face new threat vectors. In the rush to virtualize applications and other assets and realize the fiscal and management benefits of virtualization, IT managers must continue to protect IT infrastructures from hacking incidents, inadvertent insider damage, and malware attacks. Servers, applications, networks, and end-user devices are becoming dynamic and unpredictable. Virtualized assets are susceptible to the same threats and vulnerabilities as traditional assets but traditional security devices offer limited visibility into virtualized environments, where assets and their security postures are constantly changing. Incidents in virtualized servers can escalate rapidly and cause considerable damage. Determining the risk level associated with a given vulnerability remains vital to prioritizing mitigation tasks. The cornerstones of a proactive security strategy are vulnerability management and risk assessment. However, traditional “scan-and-patch” vulnerability scanning approaches are inadequate for dynamic, virtualized environments. Traditional scanners cannot track changes in real time, so they cannot accurately measure constantly changing risks. Anyone charged with securing IT assets needs to understand the dynamic security risks inherent to virtualized environments, and more importantly, what to do to mitigate those risks. With security infrastructures lagging behind virtualization adoption, a vulnerability management solution that provides immediate risk assessment plays a critical role in helping security managers protect virtualized assets and data. Forrester recommends: You must extend your vulnerability management program into your virtual environment. Server hardening, including patch management and configuration management, is a core element of vulnerability management. A number of good resources are available to assist you with hardening your virtual servers. You must also ensure that you are conducting regular vulnerability assessments, including scanning and penetration testing, of the environment. …You should include virtualization-specific penetration tests to validate the hardening and security controls of the environment. (Forrester, Ibid., p. 9) Scheduled scans remain useful in virtualized environments, but the dynamic character of virtualization presents new kinds of risk. The constantly fluctuating environment requires continuous and comprehensive security monitoring to detect changes as they happen.
  • 3. Rapid7 Corporate Headquarters 800 Boylston Street, Prudential Tower, 29th Floor, Boston, MA 02199-8095 617.247.1717 www.rapid7.com The vulnerability management solution should include these capabilities: • Deployable as a virtual machine (VM) • Discover and scan VMs as they spin up and down for vulnerabilities and misconfigurations. • Detect snapshot rollbacks and scan after restores • Track asset migrations and proactively monitor their security postures To better understand the need for these capabilities, consider the challenges and solutions below. Challenge: On or Off? Virtual machines spin up and down all day long. Some VMs may activate many times a day, while others may spin up once a month. An IT administrator can provision, operate, and delete a VM before a traditional vulnerability scanner can check it for vulnerabilities. Periodic scans assign inactive VMs a risk score of 0. There’s inherent risk if that potentially-vulnerable VM spins up again before the next periodic scan kicks off. Solution: Automated Discovery and Scanning Security managers need to know when VMs become active, so they have the option to scan them immediately and assess their risk levels. Without requiring operator intervention, the vulnerability management solution should be able to interact with the hypervisor to detect VMs as they come online and maintain an accurate database of discovered resources. More importantly, a security manager should have the option to configure the vulnerability management solution to automatically scan critical resources when they spin up and issue a scan report upon completion. Challenge: Snapshot Rollbacks Storage snapshots are a valuable data protection capability. However, a rollback or restore may expose a VM, and the system it resides upon, to a previously fixed vulnerability. For example, rollbacks may revert a VM to an older software version that needs critical patching. A periodic scan may not discover this exposure for days or weeks. Another scenario is a rollback reinstates a configuration error or other vulnerability that is exploitable by malware, and a malware attack may have caused the crash. Solution: Rollback Detection and Automated Scanning If the vulnerability management solution is in communication with the hypervisor, it should be able to detect rollbacks and restores and send an alert to the management console. The security manager should have the option to configure the vulnerability management solution to automatically scan assets after a rollback or restore and issue a scan report upon completion. For example, such scans can immediately verify that software versions remain compliant with policies after a rollback, or expose the exploitable errors or vulnerabilities and allow security managers to mitigate them.
  • 4. Rapid7 Corporate Headquarters 800 Boylston Street, Prudential Tower, 29th Floor, Boston, MA 02199-8095 617.247.1717 www.rapid7.com Challenge: Virtual Machine Migration Live migrations of VMs to other hosts, using features such as VMware vMotion, helps server managers adjust server utilization and maintain performance levels without service interruption. Migrations may be a proactive management task, but more often they occur as a result of a catastrophic failure. Some failures, such as loss of an asset pool, can trigger migrations to another asset pool or even to another site. The security manager needs visibility to track migrations as they happen, verifying that security posture of migrated assets does not change. Solution: Automated Scanning Vulnerability assessments can help security managers determine the cause and type of such a failure. They need visibility not only within an asset pool or site, but among multiple pools or sites in the case of co-located or distributed data centers. The hypervisor detects the migration, and the vulnerability management solution should recognize it and send an alert to the security manager. Again, the security manager should have the option to configure the vulnerability management software to automatically scan migrated assets and issue a scan report upon completion. What About Hypervisor Security? A 2009 IBM report suggested that the hypervisor platform contained dozens of vulnerabilities. This report sparked industry discussions that securing a virtualized environment presents a new set of risks, but emphasized securing the hypervisor itself. Hypervisor vulnerabilities are static. Conventional scanners can identify these vulnerabilities, and administrators can remediate them using conventional scan-and-patch processes. The IBM study failed to address the dynamic nature of the entire virtualized infrastructure. There is general agreement that the hypervisor is an ideal location to deploy security solutions such as anti-malware systems. That said, in a 2011 report, Forrester “addressed the security of the hypervisor and concluded that it introduces some marginal risk to the server environment but that concerns are largely overblown.” (Forrester, Ibid., p. 6.) Solution: Rapid7 Security Risk Intelligence Rapid7 Security Risk Intelligence is a data-driven approach to risk assessment and vulnerability management that weighs the value of data sets when measuring risk. Rapid7 offers a powerful combination of innovative vulnerability management and penetration testing solutions along with deep security expertise to identify and prioritize the dynamic security risks of virtualized environments. Rapid7 Nexpose is the industry’s first vulnerability management solution with capabilities, such as Continuous Discovery, designed specifically for virtualized environments. Working closely with VMware, Rapid7 continues to add virtualization-specific capabilities into Nexpose, its vulnerability management and risk-assessment solution. Nexpose is the only third party vulnerability management solution included in the VMware security reference architecture. Additionally, Rapid7 Metasploit can be used in conjunction with Nexpose to validate risk in IT environments based on actual exploitability of vulnerabilities, both in physical and in virtual environments.
  • 5. Rapid7 Corporate Headquarters 800 Boylston Street, Prudential Tower, 29th Floor, Boston, MA 02199-8095 617.247.1717 www.rapid7.com How Rapid7 Can Help Rapid7 is a leader in security risk intelligence that can help you gain valuable insight into your security posture, through both products and services. Headquartered in Boston, MA, Rapid7 was founded in 2000. In response to the increasing security threat environment, the company developed its award-winning vulnerability management solution Nexpose. In 2009, Rapid7 acquired Metasploit, the leading penetration testing platform with the world’s largest quality assured exploit database. The combination of both products has resulted in the company’s integrated security risk intelligence portfolio, designed to provide organizations with unique insight into their threat and risk posture. Rapid7 also has a professional services unit that conducts product deployments and trainings as well as security assessments. If you have questions on how you could improve your organization’s security posture, would like to evaluate Rapid7’s vulnerability management or penetration testing products, or would like to talk to Rapid7’s professional services team, please contact Rapid7 at info@rapid7.com, call +1.617.247.1717, or visit www.rapid7.com.