Some people worry less about malware and endpoint protection in virtualized environments, but security and operations teams should not be lulled into a false sense of security. At one time, malicious software would quietly shut down when it detected a virtualized environment, to stay out of sight of security researchers running it in a sandbox. That has changed in recent years. Malware authors know that organizations now run a large share of their workloads on virtualization, so detecting a virtual machine (VM) no longer tells the malware that it has landed in a sandbox.
"Most malware today does not self-destruct or encrypt itself when it detects a virtual environment," says Dave Shackleford, founder and principal consultant at Roswell, Ga.-based Voodoo Security.
Security researchers have seen malware behaving differently in virtualization environments as opposed to physical systems, but there is little agreement as to why.
Commercial packers (tools that compress and obfuscate an executable so that its code is unpacked only at run time) ship with anti-VM checks built in, and malware developers are using these tools "left and right," says Shackleford. There have also been more troubling developments, such as malware that not only detects virtualization but can write itself into a virtual disk file, so that the next time that VM boots it is already infected.
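To make concrete what the "anti-VM technology" in a packer actually checks, here is a small fingerprinting routine written for this page as an added example; it is not code from the article, from Shackleford or from any packer. It covers the CPUID hypervisor-present bit and the hypervisor vendor signature, the MAC prefixes registered to virtual NIC vendors, and the DMI vendor strings that common guests expose. All of those fingerprints are public and well known; the two sample fingerprints at the bottom are constructed for the demonstration, and the Linux collector is best-effort and only reads files that exist on that platform. The same checks that once made malware exit now simply tell it what kind of target it is on, and a defender can run them to see exactly what a guest gives away.

```python
"""VM-fingerprinting heuristics of the kind anti-VM packers embed.

Added example for this article; not code from the article, from Voodoo
Security or from any packer. The fingerprints below are public knowledge;
the sample Evidence objects at the bottom are constructed, not captured.
"""
import glob
from dataclasses import dataclass, field

# CPUID leaf 1, ECX bit 31: "hypervisor present". Reserved (clear) on bare
# metal, set by essentially every mainstream hypervisor.
HYPERVISOR_PRESENT_BIT = 1 << 31

# CPUID leaf 0x40000000 returns a 12-byte vendor signature in EBX,ECX,EDX.
HYPERVISOR_SIGNATURES = {
    b"VMwareVMware": "VMware",
    b"KVMKVMKVM\x00\x00\x00": "KVM",
    b"Microsoft Hv": "Hyper-V",
    b"XenVMMXenVMM": "Xen",
    b"VBoxVBoxVBox": "VirtualBox",
    b"TCGTCGTCGTCG": "QEMU (TCG)",
    b"bhyve bhyve ": "bhyve",
}

# IEEE OUI prefixes assigned to virtual NIC vendors (lower-case, colon form).
VM_MAC_OUIS = {
    "00:05:69": "VMware", "00:0c:29": "VMware", "00:1c:14": "VMware",
    "00:50:56": "VMware",
    "08:00:27": "VirtualBox",
    "00:15:5d": "Hyper-V",
    "00:16:3e": "Xen",
    "00:1c:42": "Parallels",
}

# Substrings that show up in DMI/SMBIOS vendor or product fields of guests.
DMI_MARKERS = {
    "vmware": "VMware",
    "virtualbox": "VirtualBox",
    "innotek gmbh": "VirtualBox",
    "qemu": "QEMU/KVM",
    "virtual machine": "Hyper-V",
    "xen": "Xen",
    "parallels": "Parallels",
}


@dataclass
class Evidence:
    """Raw facts a sample can gather cheaply from inside a guest."""
    cpuid_ecx_leaf1: int = 0                 # ECX returned by CPUID leaf 1
    hypervisor_signature: bytes = b""        # 12 bytes from CPUID leaf 0x40000000
    mac_addresses: list = field(default_factory=list)
    dmi_strings: list = field(default_factory=list)


def hypervisor_bit_set(ecx: int) -> bool:
    return bool(ecx & HYPERVISOR_PRESENT_BIT)


def hypervisor_from_signature(sig: bytes):
    return HYPERVISOR_SIGNATURES.get(sig[:12])


def vendor_from_mac(mac: str):
    oui = mac.lower().replace("-", ":")[:8]
    return VM_MAC_OUIS.get(oui)


def vendor_from_dmi(s: str):
    low = s.lower()
    for marker, vendor in DMI_MARKERS.items():
        if marker in low:
            return vendor
    return None


def assess(ev: Evidence):
    """Return (is_vm, reasons). A packer's check treats any single hit as a VM."""
    reasons = []
    if hypervisor_bit_set(ev.cpuid_ecx_leaf1):
        reasons.append("CPUID.1:ECX[31] hypervisor-present bit set")
    hv = hypervisor_from_signature(ev.hypervisor_signature)
    if hv:
        reasons.append(f"CPUID.40000000h signature -> {hv}")
    for mac in ev.mac_addresses:
        v = vendor_from_mac(mac)
        if v:
            reasons.append(f"MAC {mac} has {v} OUI")
    for s in ev.dmi_strings:
        v = vendor_from_dmi(s)
        if v:
            reasons.append(f"DMI string {s!r} -> {v}")
    return bool(reasons), reasons


def collect_linux_evidence() -> Evidence:
    """Best-effort collection on Linux: the 'hypervisor' flag the kernel derives
    from CPUID.1:ECX[31], NIC MAC addresses and DMI strings from sysfs."""
    ev = Evidence()
    try:
        with open("/proc/cpuinfo") as f:
            if " hypervisor" in f.read():
                ev.cpuid_ecx_leaf1 = HYPERVISOR_PRESENT_BIT
    except OSError:
        pass
    for path in glob.glob("/sys/class/net/*/address"):
        try:
            with open(path) as f:
                ev.mac_addresses.append(f.read().strip())
        except OSError:
            pass
    for name in ("sys_vendor", "product_name", "bios_vendor"):
        try:
            with open(f"/sys/class/dmi/id/{name}") as f:
                ev.dmi_strings.append(f.read().strip())
        except OSError:
            pass
    return ev


# Constructed sample fingerprints (not captured from real hosts).
VMWARE_GUEST = Evidence(
    cpuid_ecx_leaf1=0xFFFA3203,               # bit 31 set
    hypervisor_signature=b"VMwareVMware",
    mac_addresses=["00:50:56:aa:bb:cc"],
    dmi_strings=["VMware, Inc.", "VMware Virtual Platform"],
)
BARE_METAL = Evidence(
    cpuid_ecx_leaf1=0x7FFAFBFF,               # bit 31 clear
    hypervisor_signature=b"\x00" * 12,
    mac_addresses=["3c:97:0e:12:34:56"],
    dmi_strings=["Dell Inc.", "Latitude 7420"],
)

if __name__ == "__main__":
    samples = [("vmware guest", VMWARE_GUEST), ("bare metal", BARE_METAL),
               ("this host", collect_linux_evidence())]
    for label, ev in samples:
        is_vm, why = assess(ev)
        print(f"{label}: {'VM' if is_vm else 'not a VM'}", *why, sep="\n  ")
```

Run as a script it reports the two constructed fingerprints and then whatever the current Linux host exposes; on a guest, the DMI strings alone are usually enough for a hit, which is why hiding them is a routine step when building analysis sandboxes.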
What's needed, says Shackleford, is endpoint security that is capable of dealing with the malware threat, but this presents a challenge because virtual environments are extremely sensitive to resource consumption: many guests share one host's CPU, memory and disk I/O, so a full-weight agent scanning inside every guest at once hits all of them at the same time. Some traditional antivirus tools have been adapted to be more mindful of resource utilization in these virtual environments. These virtualization security tools offer more lightweight deployment options and are designed to optimize scan scheduling and performance across the guests on a host.
New architectures are also emerging that attempt to balance resource requirements by moving the work out of the individual guests: a dedicated host-based intrusion detection system (HIDS) VM is tied to the hypervisor, and the other guests' traffic and file activity is passed through that VM for "cleaning." Other virtualization security tools, such as Bromium and Invincea, take the opposite approach and use virtualization on the endpoint itself to isolate risky tasks from the rest of the system.
In the future, Shackleford expects to see advancement in antimalware products that use virtualization and hypervisor APIs, as well as improvements in performance for virtual systems that share resources in virtualized environments.
About the presenter: Dave Shackleford is the owner and principal consultant of Voodoo Security LLC; lead faculty at IANS; and a SANS analyst, senior instructor and course author. He previously worked as CSO at Configuresoft; as CTO at the Center for Internet Security; and as a security architect, analyst and manager for several Fortune 500 companies. He currently serves on the board of directors at the SANS Technology Institute and helps lead the Atlanta chapter of the Cloud Security Alliance.