Can you outline some of the emerging techniques for behavioral monitoring of virtualization platforms? What would you say looks most promising from a security perspective, either as a stand-alone product or as a point feature in virtualization-capable products, like IDS/IPS?
Visibility and control of the availability and performance of physical IT servers is a fairly mature discipline, but the rapid adoption of resource sharing in virtual environments has created new challenges. Monitoring agents developed for a physical server can only monitor the operating system used to boot the server, not any virtualization aspects of it. Metrics such as how many virtual machines are hosted on a server, and how much CPU, memory and disk each one is consuming, require a virtualization-aware product.
While vendors such as Microsoft and VMware Inc. provide basic analytic capabilities with their VM products, behavior-learning techniques are emerging to improve virtualization performance and visibility monitoring. Behavior-based monitoring analysis, or self-learning performance management, analyzes behavior in real time to build profiles that are used to correlate infrastructure performance and application performance. This enables thresholds to become time-sensitive and adaptive rather than just rules-based. These products leverage existing data sources, collecting data from multiple performance and event sources to establish behavior patterns. Once the patterns are established, either over time or by using historical data, these tools detect deviations from the normal behavior during regular operations to provide proactive alerts. Some tools provide predictive monitoring based on regression analysis, but newer tools offer simulation-modeling capabilities, assessing data points like a system's resources and likely workload, to recommend configurations and the specific placement of workloads.
This use of predictive analytics to proactively monitor the availability and performance of virtual IT infrastructure components enables problems to be identified or forecasted and resolved before they affect quality of service. These behavior-based tools need to be used in addition to traditional network and systems management products, not as a replacement for them, because they depend on the quality of the data they receive from those products. Because of this, organizations deploying virtual infrastructures on a large scale need to budget for comprehensive infrastructure and performance management products for both physical and virtual systems.
Monitoring is essential to ensure the availability, security and usability of IT infrastructures. As virtualization creates opportunities to automate responses to system issues and problems, stand-alone products are better placed to monitor both virtual systems and applications, providing a comprehensive view of the health of a network while being able to take corrective actions automatically. Certainly any techniques for improving performance visibility, whether they appear in stand-alone products or as point features in other products, should be given consideration; the easier it is to check the health of individual components, the easier it is to isolate the cause of any application performance issues.
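The difference between a rules-based threshold and the time-sensitive, adaptive thresholds described above can be seen in a short sketch. This is an added example, not code from any product named in the answer; the per-hour median/MAD profile, the function names, the 80% static limit and the sample CPU history are all assumptions constructed for illustration.

```python
import statistics
from collections import defaultdict

def constructed_history(days=14):
    """Constructed per-VM CPU samples: busy 09:00-17:00, idle otherwise."""
    for day in range(days):
        for hour in range(24):
            base = 85 if 9 <= hour <= 17 else 10
            jitter = (day * 7 + hour * 3) % 5 - 2   # deterministic noise, -2..2
            yield hour, float(base + jitter)

def build_profile(history):
    """Learn a per-hour baseline: {hour: (median, MAD)} from historical data."""
    by_hour = defaultdict(list)
    for hour, cpu in history:
        by_hour[hour].append(cpu)
    profile = {}
    for hour, vals in by_hour.items():
        med = statistics.median(vals)
        mad = statistics.median([abs(v - med) for v in vals])
        profile[hour] = (med, max(mad, 1.0))        # floor avoids a zero-width band
    return profile

def static_alert(cpu, limit=80.0):
    """Rules-based check: one fixed limit regardless of time of day."""
    return cpu > limit

def adaptive_alert(profile, hour, cpu, k=5.0):
    """Behavior-based check: deviation from what is normal for this hour."""
    med, mad = profile[hour]
    return abs(cpu - med) > k * mad

def compare(observations):
    """Return {(hour, cpu): (static_result, adaptive_result)}."""
    profile = build_profile(constructed_history())
    return {(h, c): (static_alert(c), adaptive_alert(profile, h, c))
            for h, c in observations}

if __name__ == "__main__":
    # Constructed observations: a 03:00 spike, a normal 11:00 peak,
    # and an unexpectedly idle VM at 11:00.
    for (hour, cpu), (s, a) in compare([(3, 60.0), (11, 86.0), (11, 20.0)]).items():
        print(f"hour={hour:02d} cpu={cpu:5.1f} static={s} adaptive={a}")
```

The fixed limit misses the 03:00 spike and the idle VM at 11:00 while alerting on the routine 11:00 peak; the learned profile does the opposite on all three.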
This was first published in August 2011