McAfee MOVE & Endpoint Security
McAfee MOVE / Endpoint Security, Marco Schultes
02.06.2011, Marco Schultes, netlogix in-house fair LIVE/11
So what IS McAfee MOVE, actually?
Management for Optimized Virtual Environments
But why "optimized"?
Today's (antivirus) applications are not written for virtual environments, are not "hypervisor aware", and are therefore very wasteful with resources.
MOVE: the new platform for securing virtual environments
"MOVE is a new strategic Platform and NOT a single Product"
McAfee MOVE Platform with its plug-ins:
• AV for Server plug-in
• AV for VDIs plug-in
• HIPS plug-in
• File Encryption plug-in
• SiteAdvisor plug-in
• Device Control plug-in
• SIA Partner plug-in
AntiVirus optimization: the administrator's problems
Problem #1 - Virtual servers
"Classic AV eats CPU power"
[Chart: CPU & I/O utilization, individual servers vs. consolidated servers]
• On-access scans: 3-5% CPU load on individual machines, 30% with 10 virtual machines
• On-demand scans: 50-70% load on individual machines; three concurrent scans can bring the host to its knees
Problem #2 - Virtual servers
"READ-ONLY images"
• READ-ONLY and offline images cannot be patched and cannot receive DAT updates
[Diagram: a hypervisor running several virtual machines (apps / OS) alongside an offline virtual image]
Problem #3 - Virtual desktops
"AV storming"
Organizational problems:
• Capacity planning
• Scheduling
• VM density on the hypervisor
• Different management consoles
McAfee MOVE-AV for servers and VDI
[Diagram: clients and virtual desktops on a hypervisor; each VM (OS, applications, MOVE agent) off-loads scan processing to the MOVE Virtual Appliance, all managed via McAfee ePO]
MOVE AV for VDIs
• On-Access Scanning (OAS)
• On-Demand Scanning (ODS) (announced)
• Updates needed only on the MOVE Virtual Appliance
MOVE AV for Virtual Servers
• Scanning based on hypervisor load
• On-Demand Scanning (ODS)
• Offline Scanning (OVI)
• On-Access Scanning (OAS) (announced)
Features
Efficient security management
– Full ePO integration
– Hypervisor-independent (VMware ESX / Citrix XenServer / MS Hyper-V (announced))
– Offline virus scanning
– Hypervisor-load-dependent scanning
– Security dashboards/reports per hypervisor
McAfee MOVE: a technical overview
Optimized file scanning
1. Local scan cache
2. Global scan cache
3. Scan the file
4. Artemis connection
[Diagram: files on the hypervisor's VMs are checked against the local cache (1), then the global cache on the scan engine (2), then scanned (3), then looked up via Artemis (4)]
Advanced file caching
• Reduces scan overhead
– Through efficient use of caches
– Local scan cache on the VM
– Global scan cache on the scan engine
[Diagram: hypervisor with MOVE Server and ePO Server; the scan engine's global cache and the VMs' local caches are kept in step by the Cache Synchronization Protocol]
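The two slides above describe the lookup order (local cache on the VM, global cache on the scan engine, real scan, Artemis) without showing what a cache entry is keyed on. The following is an added example, not McAfee's code: it models the hierarchy with content-hash keys and shows why a verdict must also be bound to the DAT version, otherwise a file judged clean before a signature update stays "clean" in both caches after it. The class names, the verdict tables standing in for the scan engine and for Artemis (assumed here to be a reputation lookup for files the local signatures cannot classify), and the sample files are all constructed.

```python
"""Scan cache hierarchy: local cache on the VM -> global cache on the scan
engine -> real scan -> Artemis lookup. Added illustration, not McAfee code.
Hash-keyed caches, the DAT-version key and the simulated verdict tables are
assumptions made for this example."""
import hashlib
from collections import Counter

# Constructed sample "files" as they would sit on two guest VMs.
SAMPLE_FILES = {
    "vm1:/bin/app": b"MZ-clean-binary-v1",
    "vm1:/tmp/dropper": b"TEST-MALWARE-MARKER",
    "vm2:/bin/app": b"MZ-clean-binary-v1",        # same bytes as vm1's copy
    "vm2:/home/u/unknown.exe": b"never seen before",
}

# Constructed verdict tables standing in for the signature engine and Artemis.
ENGINE_SIGNATURES = {"TEST-MALWARE-MARKER": "malicious"}
ARTEMIS_REPUTATION = {hashlib.sha256(b"never seen before").hexdigest(): "suspicious"}


def file_key(data: bytes, dat_version: int) -> str:
    """Cache key = content hash + DAT version (assumed design). Binding the DAT
    version makes a signature update invalidate old 'clean' verdicts."""
    return f"{hashlib.sha256(data).hexdigest()}:{dat_version}"


class ScanEngine:
    """Scan engine on the virtual appliance; owns the global cache."""

    def __init__(self, dat_version: int = 1):
        self.dat_version = dat_version
        self.global_cache = {}
        self.stats = Counter()

    def classify(self, data: bytes) -> str:
        key = file_key(data, self.dat_version)
        if key in self.global_cache:                 # step 2: global cache
            self.stats["global_hit"] += 1
            return self.global_cache[key]
        self.stats["scanned"] += 1                    # step 3: real scan
        verdict = ENGINE_SIGNATURES.get(data.decode(errors="ignore"))
        if verdict is None:                           # step 4: Artemis
            self.stats["artemis"] += 1
            verdict = ARTEMIS_REPUTATION.get(hashlib.sha256(data).hexdigest(), "clean")
        self.global_cache[key] = verdict
        return verdict


class GuestAgent:
    """MOVE agent inside one VM; consults its local cache before off-loading."""

    def __init__(self, engine: ScanEngine):
        self.engine = engine
        self.local_cache = {}
        self.stats = Counter()

    def on_access(self, data: bytes) -> str:
        key = file_key(data, self.engine.dat_version)
        if key in self.local_cache:                  # step 1: local cache
            self.stats["local_hit"] += 1
            return self.local_cache[key]
        verdict = self.engine.classify(data)
        self.local_cache[key] = verdict
        return verdict


def run_scenario() -> dict:
    """Access every sample file once, re-access one, then bump the DAT version."""
    engine = ScanEngine(dat_version=1)
    agents = {"vm1": GuestAgent(engine), "vm2": GuestAgent(engine)}
    verdicts = {}
    for path, data in SAMPLE_FILES.items():
        vm = path.split(":")[0]
        verdicts[path] = agents[vm].on_access(data)
    # Second access of the same file on vm1 is served from the local cache.
    agents["vm1"].on_access(SAMPLE_FILES["vm1:/bin/app"])
    # DAT update on the appliance only: the next access must be re-scanned.
    engine.dat_version = 2
    agents["vm1"].on_access(SAMPLE_FILES["vm1:/bin/app"])
    return {"verdicts": verdicts, "engine": dict(engine.stats), "vm1": dict(agents["vm1"].stats)}


if __name__ == "__main__":
    print(run_scenario())
```

In the scenario the identical binary on vm2 never reaches the scanner (a global-cache hit), the repeat access on vm1 never leaves the VM (a local-cache hit), and the DAT bump forces exactly one more scan of an already-cached file. A cache that omitted the DAT version from its key would report zero extra scans after the update, which is the failure mode to watch for when tuning cache lifetimes on an appliance that only updates centrally.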
Traditional AV vs. MOVE AV
McAfee platform test on Citrix XenServer
                                    A/V within the guest   Offloading A/V with MOVE
Memory consumption (per VM)         60-120 MB+             ~20 MB
Peak CPU usage (per hypervisor)     80-100%                <10%
VM density                          X                      3X
Scanning resource utilization       YES                    NO (offloaded to Virtual Appliance)
DAT update resource utilization     YES                    NO (offloaded to Virtual Appliance)
The product plans, specifications and descriptions herein are provided for information only, subject to change without notice, results may vary and without warranty of any kind, express or implied.
MOVE Agent in Action
MOVE configuration
Up to 2 scan servers can be specified (virtual or physical servers)
Security Dashboards / Reports
Hypervisor-aware Scheduler
Prevents "AV storming"
The scan is blocked because the hypervisor load is too high
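The slides say only that a scan is held back while the hypervisor is too busy. As an added example (not McAfee's scheduler, whose actual thresholds and algorithm the deck does not give), the following admission-control loop makes that rule concrete: pending on-demand scans are admitted in queue order while the projected hypervisor load stays under a ceiling, and the rest wait for a later round instead of running at once. The 70% ceiling, the 25% per-scan cost (in the spirit of the 50-70% per-machine figure from Problem #1) and the load samples are assumptions.

```python
"""Hypervisor-aware admission control for on-demand scans. Added example, not
McAfee code; ceiling, per-scan cost and load samples are assumptions."""
from collections import deque

MAX_LOAD_PERCENT = 70    # assumed: admit no scan that would push load above this
EST_SCAN_LOAD = 25       # assumed: extra hypervisor load one on-demand scan adds


def plan_scan_round(pending_vms, base_load, max_load=MAX_LOAD_PERCENT, scan_cost=EST_SCAN_LOAD):
    """Decide one scheduling round.

    Returns (admitted, deferred). Scans are admitted in queue order while the
    projected load stays at or below max_load; everything else is deferred,
    which is what stops a burst of scans from "storming" the host."""
    admitted, deferred = [], []
    load = base_load
    for vm in pending_vms:
        if load + scan_cost <= max_load:
            admitted.append(vm)
            load += scan_cost
        else:
            deferred.append(vm)
    return admitted, deferred


def simulate(pending_vms, load_samples, **kw):
    """Run one round per hypervisor load sample until the queue drains.

    Returns (history, leftover): history is a list of
    (round, base_load, admitted_vms); leftover holds VMs still waiting."""
    queue = deque(pending_vms)
    history = []
    for rnd, base_load in enumerate(load_samples, start=1):
        if not queue:
            break
        admitted, deferred = plan_scan_round(list(queue), base_load, **kw)
        history.append((rnd, base_load, admitted))
        queue = deque(deferred)
    return history, list(queue)


if __name__ == "__main__":
    # Constructed load samples: quiet host, busy host, moderately loaded host.
    hist, left = simulate(["vm-a", "vm-b", "vm-c", "vm-d"], [20, 65, 40])
    for rnd, load, admitted in hist:
        print(f"round {rnd}: hypervisor at {load}% -> scanning {admitted or 'nothing'}")
    print("still waiting:", left)
```

With the constructed samples the second round admits nothing at all, which is the situation the slide shows: the host is at 65%, so even one more scan would cross the ceiling. A scheduler that only caps the number of concurrent scans, without looking at the hypervisor's actual load, would have started one anyway. The leftover queue is the signal an administrator wants on a dashboard, since VMs that are repeatedly deferred are the ones whose scan windows need rescheduling.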
Summary
• Increase virtual server security with minimal performance impact
• Enable VDI security while keeping VM density per hypervisor high
• (Time) savings through simplified central management via ePO
• Independent of the hypervisor
– ESX / XenServer / Hyper-V
McAfee Data Protection
[Diagram: the four McAfee Data Protection components: Data Loss Prevention, Device Control, Encrypted USB, Endpoint Encryption]
McAfee Endpoint Encryption: full disk, mobile device, and file and folder encryption coupled with strong authentication
McAfee Data Loss Prevention: full control and absolute visibility over user behavior
McAfee Encrypted USB: secure, portable external storage devices
McAfee Device Control: prevent unauthorized use of removable media devices
McAfee Total Protection™ for Data: integrated technologies for total data protection
SC Magazine
Data Breaches Don’t Discriminate
“DuPont scientist downloaded 22,000 sensitive documents as he got ready to take a job with a competitor…”
“Royal London Mutual Insurance Society loses eight laptops and the personal details of 2,135 people”
“The FSA has fined Nationwide £980,000 for a stolen laptop”
“Personal data of 600,000 on lost laptop”
“ChoicePoint to pay $15 million over data breach—Data broker sold info on 163,000 people”
Challenge
How best to protect confidential corporate data on mobile devices from loss, theft, or exposure to unauthorized parties?
– Laptops lost or stolen in airports, taxis and hotels cost companies an average of $49,246 [1]
– 36% of data breaches were due to lost or stolen laptop computers
• Average cost is $6.75 million per breach [2]
– Best practices: “Ensure that portable data-bearing devices…are encrypted” [2]
– “Protected health information (PHI) is rendered unusable, unreadable, or indecipherable to unauthorized individuals if encrypted or destroyed” [3]
– Staying out of the news
[1] Ponemon
[2] Ponemon, 2009 Cost of a Data Breach
[3] HIPAA DHHS Guidance 2009
McAfee Endpoint Encryption
You need
• Encryption for laptops, desktops, and mobile devices with the flexibility to choose full disk or file and folder encryption
• Confidence in integrity of sensitive data when a device is lost or stolen
• Safe Harbor protection
McAfee offers
• Broad support for laptops, desktops, and mobile devices
• Full audit trails for compliance & auditing needs
• Support for multiple strong authentication methods
• Certifications: FIPS 140-2, Common Criteria Level 4 (highest level for software products), BITS, CSIA, etc.
Solution: Full Disk Encryption
Why encrypt?
– Every disk drive in an organization eventually leaves said organization
• Natural retirement/replacement
• Loss
• Theft
– Knowing what sensitive information is on a given drive is difficult
• Avoids having to classify data to decide what to protect
– Applications use a myriad of “hidden” temp files that contain your data
Data protection made easy
– Simple to deploy
– Nearly transparent user experience
Solution: Full Disk Encryption
Full Disk Encryption
• No data access without proper authentication
• Complete, proven protection against loss and theft
• Extensible complement to other data protection technologies like file encryption, encrypted USB drives, and DLP
How does it work?
• Disk drive is fully encrypted, sector A through sector Z
• As new information is created, it is encrypted on-the-fly
• A unique, per-device recovery token is used to handle normal “lost password” situations
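The three "how does it work" bullets hide one design decision that makes the recovery token workable: the sectors are encrypted under a single disk key, and that disk key (not the data) is what the password and the recovery token each unlock. The example below is added for illustration and is not McAfee's implementation; it uses only the Python standard library, so an HMAC-SHA256 keystream stands in for the AES-256 the product uses, and the slot layout, PBKDF2 parameters, key-check value and sample sectors are all assumptions.

```python
"""Full-disk-encryption key layout: one disk key encrypts every sector; a
password slot and a per-device recovery slot each wrap that disk key.
Added illustration, not McAfee code. The PRF keystream stands in for AES
(no AES in the stdlib); slot layout and parameters are assumptions."""
import hashlib
import hmac
import os

SECTOR_SIZE = 64        # tiny sectors for the demo; real disks use 512 or 4096 bytes
PBKDF2_ROUNDS = 50_000  # assumed work factor for password -> key-encryption key


def _keystream(key: bytes, sector_index: int, length: int) -> bytes:
    """Per-sector keystream from HMAC-SHA256(key, sector || counter). Each
    sector gets its own stream, the role the tweak plays in real AES-XTS."""
    out, counter = b"", 0
    while len(out) < length:
        msg = sector_index.to_bytes(8, "big") + counter.to_bytes(4, "big")
        out += hmac.new(key, msg, hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt_sector(disk_key: bytes, index: int, data: bytes) -> bytes:
    """Encrypt (or, being XOR, decrypt) one sector under the disk key."""
    assert len(data) == SECTOR_SIZE
    return _xor(data, _keystream(disk_key, index, SECTOR_SIZE))


def _kek(secret: bytes, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", secret, salt, PBKDF2_ROUNDS)


def wrap_key(disk_key: bytes, secret: bytes, salt: bytes) -> bytes:
    """Wrap the disk key under a key derived from a password or recovery token."""
    return _xor(disk_key, _keystream(_kek(secret, salt), 0, len(disk_key)))


def make_volume(password: bytes, sectors: list) -> dict:
    """Create an encrypted volume with a password slot and a recovery slot."""
    disk_key, recovery_token, salt = os.urandom(32), os.urandom(16), os.urandom(16)
    header = {
        "salt": salt,
        "password_slot": wrap_key(disk_key, password, salt),
        "recovery_slot": wrap_key(disk_key, recovery_token, salt),
        # Lets unlock() detect a wrong secret instead of returning garbage.
        "key_check": hmac.new(disk_key, b"key-check", hashlib.sha256).digest(),
    }
    encrypted = [encrypt_sector(disk_key, i, s) for i, s in enumerate(sectors)]
    return {"header": header, "sectors": encrypted, "recovery_token": recovery_token}


def unlock(volume: dict, secret: bytes, slot: str) -> bytes:
    """Recover the disk key from one slot; raise ValueError on a wrong secret."""
    hdr = volume["header"]
    disk_key = wrap_key(hdr[slot], secret, hdr["salt"])       # unwrap == wrap
    check = hmac.new(disk_key, b"key-check", hashlib.sha256).digest()
    if not hmac.compare_digest(check, hdr["key_check"]):
        raise ValueError("wrong secret for slot " + slot)
    return disk_key


def change_password(volume: dict, old: bytes, new: bytes) -> None:
    """Re-wrap only the password slot; the encrypted sectors are untouched."""
    disk_key = unlock(volume, old, "password_slot")
    volume["header"]["password_slot"] = wrap_key(disk_key, new, volume["header"]["salt"])


def demo() -> dict:
    """Constructed scenario: create, change password, reject old, recover."""
    plain = [b"A" * SECTOR_SIZE, b"A" * SECTOR_SIZE, b"secret payroll data".ljust(SECTOR_SIZE, b"\0")]
    vol = make_volume(b"correct horse", plain)
    before = list(vol["sectors"])
    change_password(vol, b"correct horse", b"new passphrase")
    results = {
        "same_plain_differs": vol["sectors"][0] != vol["sectors"][1],
        "sectors_untouched_by_pw_change": vol["sectors"] == before,
        "old_password_rejected": False,
    }
    try:
        unlock(vol, b"correct horse", "password_slot")
    except ValueError:
        results["old_password_rejected"] = True
    disk_key = unlock(vol, vol["recovery_token"], "recovery_slot")   # lost-password path
    results["recovered_sector2"] = encrypt_sector(disk_key, 2, vol["sectors"][2]).rstrip(b"\0")
    return results


if __name__ == "__main__":
    print(demo())
```

Two properties worth checking in any real product follow from this layout: a password change or a recovery never rewrites the disk, only the slot, and a wrong secret is rejected by the key check rather than silently yielding an unusable key. The keystream construction is the one place the demo is deliberately weaker than the product: re-encrypting a rewritten sector under the same key and index reuses the keystream, which is exactly why shipping full-disk encryption uses a block-cipher mode such as AES-XTS rather than a stream cipher.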
Security Details Matter
CC EAL 4 and FIPS 140-2 Level 2 validation
– Proves the security level by an independent body
AES 256-bit encryption
– Encryption on-the-fly using strong algorithms
Up to three-factor authentication
– McAfee Endpoint Encryption offers a strong pre-boot authentication
– Support for various smart cards, USB tokens and biometric devices
ePO compliance reporting and deployment
– Identify non-encrypted machines
– Deploy using McAfee ePO
Business continuity
– McAfee Endpoint Encryption offers offline challenge-response recovery
– Reduce costs using our local user self-recovery (questions + answers)