Why are so many organizations lagging behind in performing security assessments of virtual assets in their datacenter? One contributing factor is that virtualization has transformed the datacenter so quickly and organically that products and processes haven’t kept up. Even now, there is a significant lack of understanding around the risks to virtual assets in the datacenter, and a severe underestimation of their security requirements.
If you think you’re covered because you’ve deployed AV across the VMs in your datacenter, think again. AV wasn’t made to protect applications running in virtualized environments, and can’t protect you from the attacks most likely to cause a breach or bring down a critical data center application. And it certainly can’t help you repair and remediate after a breach has occurred.
1) It’s not integrated with the hypervisor
As of July 2017, IDC reports that over 80% of datacenter workloads are virtualized. All those virtual assets are tapping into the hypervisor and related software-defined layers.
The hypervisor offers a unique position for securing your datacenter – it’s a centralized management plane for all the virtual assets and has complete visibility into the runtime behavior of applications and inbound/outbound network connections. Security at the hypervisor level will detect more threats than endpoint security can alone.
2) It doesn’t have orchestrated response capabilities
Data centers rarely use only the hypervisor of a virtualization platform. They typically utilize other products in the platform ecosystem, such as networking and provisioning tools, which are tightly integrated and offer customizable automation capabilities. To most efficiently minimize business impact during remediation of a datacenter server, you should leverage the orchestrated response capabilities of your virtual platform in conjunction with in-guest remediation techniques. For example, when an incident occurs on a critical application server, you can automatically snapshot and quarantine the VM, then trigger a new VM to be spun up in its place. You can then investigate and remediate the attack on the original VM and bring it back online. You’ll need a tightly integrated solution to do that, and you’re out of luck with AV.
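The snapshot-quarantine-replace flow described above, as an added illustration in VMware PowerCLI (not code from the original post or from Carbon Black/VMware). It assumes PowerCLI is installed and that the vCenter address, the VM name, an isolated port group with no uplink, and a known-good template for the replacement all exist under the names shown; cloning from a clean template rather than from the compromised VM is a deliberate choice so the replacement does not inherit the intrusion.

```powershell
# Added example: automated first response for a compromised datacenter VM.
# All names below are assumptions, not values from the original post.
param(
    [string]$VCenter             = "vcenter.example.internal",
    [string]$VMName              = "app-prod-01",
    [string]$QuarantinePortGroup = "Quarantine-PG",     # isolated port group, no uplink
    [string]$CleanTemplate       = "app-prod-template"  # known-good golden image
)

Connect-VIServer -Server $VCenter | Out-Null
$vm = Get-VM -Name $VMName -ErrorAction Stop

# 1. Preserve evidence first: snapshot with guest memory so volatile state
#    (processes, network connections, injected code) survives for forensics.
$stamp = Get-Date -Format "yyyyMMdd-HHmmss"
New-Snapshot -VM $vm -Name "IR-$stamp" -Description "Incident response capture" -Memory | Out-Null

# 2. Quarantine rather than power off: move every vNIC to the isolated port
#    group so the VM stays live for investigation but cannot reach the rest
#    of the datacenter.
$vm | Get-NetworkAdapter |
    Set-NetworkAdapter -NetworkName $QuarantinePortGroup -Confirm:$false | Out-Null

# 3. Restore service: deploy a replacement from the clean template on the
#    same host and power it on. The original is left alone for investigation.
$replacement = New-VM -Name "$VMName-rebuilt-$stamp" `
    -Template (Get-Template -Name $CleanTemplate) `
    -VMHost $vm.VMHost
Start-VM -VM $replacement | Out-Null

# 4. Emit a record so the investigation starts with a timeline.
[pscustomobject]@{
    QuarantinedVM = $vm.Name
    Snapshot      = "IR-$stamp"
    Replacement   = $replacement.Name
    Time          = $stamp
}
```

Run it from an account limited to snapshot, network-adapter and clone rights on the affected cluster; the same script can be wired to a vRealize or SIEM alert as the automated response step the text describes.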
3) It consumes too many resources
Managing resource allocation in a virtualized environment is a serious issue. AV storms are a real problem, and datacenter admins are continuously looking for ways to increase overall resource efficiency to balance performance and cost. In order to protect against fileless and non-malware attacks and use EDR for attack investigation, deep visibility into the OS kernel is a must – thus an agent per VM is required. To minimize the impact on your virtualized environments, the agent should have a small footprint and low latency, or be tightly integrated into the environment.
4) It’s woefully ineffective against non-malware and fileless attacks
The average organizational cost of a data breach in the United States is a staggering $7.35 million [1]. In 2017, only 30% of breaches included malware [2]. Cybercriminals intent on stealing information in bulk typically begin by attacking end users. Once they gain access to an endpoint, they attack the network and tunnel their way towards confidential company data. And where is that confidential company data typically stored? You guessed it, in a datacenter application. Protecting against malware is no longer enough – an estimated 35% of endpoint attacks in 2018 were fileless attacks, and that number is expected to grow 20% year-on-year [3].
5) It can’t help with attack investigations
Once it’s known that an attack has occurred, the next questions are “is it completely remediated?” and “how did it happen?” According to the SANS 2017 Endpoint Security Survey, 53% of organizations experienced one or more breaches that started at their endpoints – yet 79% couldn’t find these breaches and threats to their endpoints without advance knowledge of the compromise, and 74% couldn’t determine if remediation was fully complete. This is especially relevant for datacenter attacks – it’s critical to understand how perimeter defenses were bypassed, which datacenter application vulnerabilities were exploited, and whether there are any lingering elements of the attack chain.
AV isn’t enough, and now is the time to rethink your datacenter security strategy. Carbon Black and VMware have joined forces to deliver a purpose-built, fully integrated solution for the virtual assets in your datacenter. Check out our co-published whitepaper on Solving the Security Challenges of the Software-Defined Data Center to learn more!
[1] Ponemon Institute, 2017 Cost of Data Breach Study, June 2017
[2] Verizon, Data Breach Investigations Report, 2018
[3] Ponemon Institute, 2017 State of Endpoint Security Risk, November 2017