Virtualization promises enterprises amazing cost-saving benefits, but what about the inherent security threats? In part one of this panel, Chris Hoff, Rich Mogull and Dino Dai Zovi discuss the greatest threats to virtualized environments, including some you might not expect.
Also check out:
- Part 2: Security benefits of virtualization
- Part 3: Organizational challenges of virtualization
- Part 4: Virtualization and security vendors
Read the full transcript from this video below:
Security Roundtable: Virtualization security threats
Interviewer: Guys let's start with an easy one. Right now, what are the main threats to virtualized environments?
Chris Hoff: I think there's quite a few. The ones that are highlighted are primarily technical but I think the biggest issues that we have today are really organizational and operational. The way in which virtualization has essentially collapsed networking, server administration functions, applications, operating systems and security into a single instance that kind of gives us securities a couple check boxes an administrative function. The entire premise of who operates, who's responsible and how, is really causing a huge amount of churn within organizations. The technical stuff that relates to how we adapt to the existing technology and emerging technology is interesting. But it's a problem that we're used to seeing in security we're always kind of lagging behind and eventually it will catch up in one form or another and it's kind of part of that hamster wheel of pain, as any techno-physicist is prone to say. I think ultimately we're having a real problem with who's doing what, why, and how and visibility therein.
Rich Mogull: It would be fun to geek out and talk about the various ways that Chris has done some really good work here about the different actual technical issues around virtualization, but none of that is going to matter if we don't solve the org issues with the fact that the right people aren't necessarily involved in some of the decisions about managing these things and how they're positioned and the way that we're adopting that technology. And it's not that we need to say no don't use virtualization, its evil. That's not, I think it all is what Chris or myself or anybody else is saying. It's more along the lines of you need to have at least a little bit of understanding what some of these risks are so you can at least do a little bit of risk evaluation and make the right decisions in terms of how you enable that in your organization.
Interviewer: What about the technical side?
Dino Dai Zovi: I mean I see on the more specific side some very simple things of where is this host, is this host real or virtual? Network teams are really good at mapping a host to like a server cabinet but not necessarily a virtual host. And which virtual host is that on, and which data center is it in, a lot of manuals don't yet exist. We also have sort of the whiz bang temptation of, oh we can load all of these machines onto one VM server, why don't we load machines from this customer and this customer and basically where you wouldn't connect these machines before, people are tempted to connect them on the same virtual server because they're like they are separate it's OK. Because while we have some idea of the security risks from crossing from one guest to another we don't have much information about that yet. We know that it's possible, there's debate upon how possible it is. But there are formulas that let you do this and the hyper-visor and every level up but we just haven't seen that number of attacks and that's the one thing we know in security is until people see the attack with their own two eyes, they won't take adequate protections against it.
Rich Mogull: You don't even nee to tell you that you need new attacks either. In fact when you do that and you consolidate that way the network looses all visibility so at lot of the traditional security defenses just kind of fall away.
Chris Hoff: And in many cases the reality is that the threats and the attacks are in some ways no different than when you're in the physical world. A lot of times you'll hear of security teams kind of really just throwing up all over but the notion of virtualization. And a lot have asked, what is your chief complaint, and they say well I lose visibility, I can't see intervening traffic between two machines in a V switch. And I say OK, so if I gave you a Cisco physical switch and two machines on the same V line, what do you do today to defend the intra-physical machine at that. Well, nothing. OK so problematically there is a lot of emotion that goes along with this because as I reference, as you lose control, we kind of curl up in the fetal position and the ultimate kind of implicit deny or allow rule goes into affect. Which is we say 'well we don't understand the risk, we don't understand the threat and vulnerability, so it must be evil and we must stop it. Unfortunately the economic boon of virtualization simply doesn't allow for that, right. We all know the benefits there of. And then we have the unfortunate timing of some of the discussions that predicated a lot of the production virtualization efforts. Which was the notion of hyper- jacking, and hyper-visor malware and all of the fantastic things that come out of the detectable versus undetectable and what that did was make a bunch of peoples eyes glaze over and they started focusing on the hyper- visor and the eject-able malware and it's not that it's unimportant, it's just in the grand scheme of things. If we don't do the basics, we don't even fix the problems that have been around for 10 or 20 years, what chance do we have against some super stealth piece of software that embeds itself in hardware, that one could suggest, detectable or undetectable, but that's so far removed from the bigger problems that we have today that it's desensitized people to real threats.
Dino Dai Zovi: Well with the hyper-visor malware, I think that's a problem that largely would solve itself very quickly. Being one of the early researchers in this topic, I even in the beginning realized that this is going to be a flash in the pan. Basically, one: a lot of machines don't have this type of hardware available now and so aren't susceptible to this and two no matter what the hacker has to have system level access like in the kernel to achieve this, and that already game over for a lot of players. I think the risk is as the number of machines that have this hardware that's capable of doing harder virtual machines as that becomes move prevalent I think that most of those machines are already going to be running hyper-visors. And the problem essentially solves itself, because there already will be a hyper-visor there. You can't get hyper-jacked when you're already in a VM. And 90% of machines I think at that point will be in VM's or any machine or workstation or server that they would be attacking, and these attacks will only apply to VM servers after you break out of the hyper-visor.
Rich Mogull: I mean Chris talks about the hamster wheel of pain, and I have a, shall we say less appropriate term I sometimes use for this, where it's not even an issue of, I mean like last year there were two black hat presentations dedicated to battling each other, about talking about the hyper-visor exploits, hyper-jacking and all everything else. It wasn't possible and it wasn't under possible including like names and title of all the other researchers involved and all those sorts of things, and it was like that doesn't matter, I mean that is not even the right question to be asking. That gets all this, press all this attention. So now people are focusing on the problems that are solvable and we can keep talking about how horrendous this is but there's still basic precautions that people can do to both protect their current virtualized environments today, as well as setting themselves up to protect those environments in the future and you know were getting so caught up in some of these issues that Dino just mentioned. Which, and hey if that gets bad, it's like people ask me all the time and I am sure you get this more than I do, when's the big Mac virus going to hit? I don't know and I don't care when it does, that is going to get so much press and publicity when that finally happens, it's going to get fixed really really quickly. I think this is probably along those same lines.
Dino Dai Zovi: I'd like to go back to what I call the race. I think that at some point we are going to cross a threshold, I hope, in security where we have enough visibility into, or not visibility but enough thought into what might be the next threat, that we may have taken precautions before it becomes big. I think what happens with a lot of malware is that we are taken by surprise and web based malware, and a lot of the internet worms before that, we really didn't have the defenses, we weren't thinking about the next challenges and I think hopefully now we are thinking about the next challenges so that we have some defenses before they hit and for all we know in a parallel universe hyper-jacking could be really common because no one talk about it. There's enough people in this industry who are thinking about new attacks or new risks that defenders have a good start.