NEW - SOPHOS SECURITY AND DATA PROTECTION
Improving security through control for endpoint, Web and email
Sophos Security and Data Protection provides complete protection across endpoint, email and Web in a single solution. It enables you to proactively protect against all new and unknown threats and secure your data against accidental or malicious loss. 24x7x365 expert support, and all future updates to protection, management and product upgrades are part of your subscription.
The following components are part of Sophos Security and Data Protection:
Endpoint Security and Data Protection - simplified cross-platform security, centralised management, full data encryption and flexible control of devices, applications and network access, ensuring your data is secured against infection and loss and complies with government/industry regulations.
Sophos SafeGuard - a comprehensive encryption solution that covers data confidentiality, integrity and central security policy management.
Email Security and Data Protection - managed email security appliances and protection for Exchange, UNIX and Notes servers. Unique integration of anti-virus, anti-spam, anti-phishing and policy enforcement secures and controls email.
Web Security and Control - the first managed appliance to proactively ensure safe Web browsing, blocking suspicious URLs, hijacked or infected Web sites, and download of spyware, viruses, malware
Sophos NAC Advanced - enables organisation-wide compliance with your internal policies and helps you to meet industry and government regulations. Controls network access, protects data, and ensures that all computers have up-to-date security software and patches.
Transformational model or just another buzzword? James Lyne, Senior Technologist at Sophos, takes a look at server virtualisation security ...
Server virtualisation is the most adopted virtualisation technology in the enterprise, allowing significant consolidation of physical resources by virtue of layering multiple systems on a piece of hardware managed by a hypervisor. This technology is, however, not only popular for consolidation, it also makes it significantly easier to achieve fault tolerance and offer high availability in the enterprise due to easier portability of systems across hardware.
Increasingly, virtualisation technology is the underpinning of the enterprise data centre, with many enterprises electing to follow a 'virtualisation first' policy for all new systems. Unsurprisingly for such a widely adopted technology hosting the critical services of the enterprise, security has quickly become a hot topic.
SECURITY IN A VIRTUALISED WORLD
Ignoring for a moment the existing technologies and theories around virtualisation security, it is apparent that there are areas that require improvement in a virtualised world and equally that there may be opportunities to provide better security with a different model.
The key concerns of the server virtualisation security administrator are performance, management and a tertiary concern of how to improve security further.
Performance is often the greatest gripe. Having embarked on a project to consolidate resources and enhance performance using virtualisation, administrators are frequently faced with poor performance from their endpoint security products. Although these products are designed to be lightweight, they are also generally designed on the assumption that resources are freely available, because each instance is expected to run on its own hardware. Normal activities such as scheduled scans or update checks, which would happen in the background on a traditional system, can be triggered simultaneously across many virtual machines, placing a huge load on the virtualisation platform as a whole and degrading service delivery.
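The simultaneous-scan problem above is a scheduling problem: a per-machine default of "scan at 02:00" is harmless on physical hardware and harmful when twenty such machines share one host. The following is an added illustration, not Sophos code, of how a management console could stagger full scans per hypervisor host so that no more than a fixed number run at once. The inventory, window, scan duration and concurrency limit are constructed values; a real deployment would take the VM-to-host mapping from the virtualisation platform.

```python
"""Stagger scheduled scans across VMs that share a hypervisor host.

Added illustration, not Sophos code. Assumes the management layer knows
which host each VM runs on, and assigns each VM a start time inside a
maintenance window so that at most MAX_CONCURRENT scans overlap per host.
"""
from collections import defaultdict

WINDOW_START = 2 * 60      # 02:00, expressed as minutes after midnight
WINDOW_MINUTES = 4 * 60    # every scan must finish within a 4 hour window
SCAN_MINUTES = 30          # assumed duration of one full scan (constructed)
MAX_CONCURRENT = 2         # per-host limit (constructed)

# Constructed inventory: VM name -> hypervisor host it currently runs on
INVENTORY = {
    "web-01": "esx-a", "web-02": "esx-a", "web-03": "esx-a", "db-01": "esx-a",
    "app-01": "esx-b", "app-02": "esx-b",
}


def naive_schedule(inventory):
    """The per-machine default: every VM starts its scan at WINDOW_START."""
    return {vm: WINDOW_START for vm in inventory}


def staggered_schedule(inventory, max_concurrent=MAX_CONCURRENT,
                       scan_minutes=SCAN_MINUTES, window_minutes=WINDOW_MINUTES):
    """Group VMs by host and hand out start slots, max_concurrent per slot.

    Slots are scan_minutes apart, so scans in consecutive slots do not overlap.
    Raises ValueError if a host has more VMs than the window can absorb, which
    is the signal to widen the window rather than silently overload the host.
    """
    by_host = defaultdict(list)
    for vm, host in sorted(inventory.items()):
        by_host[host].append(vm)

    schedule = {}
    for host, vms in by_host.items():
        for index, vm in enumerate(vms):
            slot = index // max_concurrent
            offset = slot * scan_minutes
            if offset + scan_minutes > window_minutes:
                raise ValueError(
                    f"host {host}: {len(vms)} scans do not fit in a "
                    f"{window_minutes} minute window at {max_concurrent} concurrent")
            schedule[vm] = WINDOW_START + offset
    return schedule


def peak_concurrency(schedule, inventory, scan_minutes=SCAN_MINUTES):
    """Largest number of scans active at the same moment on any single host."""
    peak = 0
    for host in set(inventory.values()):
        starts = [t for vm, t in schedule.items() if inventory[vm] == host]
        for t in starts:
            active = sum(1 for s in starts if s <= t < s + scan_minutes)
            peak = max(peak, active)
    return peak


if __name__ == "__main__":
    print("naive peak per host:", peak_concurrency(naive_schedule(INVENTORY), INVENTORY))
    print("staggered peak per host:", peak_concurrency(staggered_schedule(INVENTORY), INVENTORY))
    for vm, start in sorted(staggered_schedule(INVENTORY).items()):
        print(f"{vm:8s} host={INVENTORY[vm]} start={start // 60:02d}:{start % 60:02d}")
```

On the constructed inventory the naive schedule puts four simultaneous scans on host esx-a, while the staggered one never exceeds two. The important design choice is the explicit failure when a host cannot fit its VMs into the window: the alternative, quietly packing more scans into each slot, recreates exactly the load spike the article describes.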
There is also a mass of market hype about new attacks that are possible due to virtualisation technology and the ability to use the hypervisor to circumvent the system in new ways. There are certainly some interesting proof-of-concept attacks and some precedent for vulnerabilities in the virtualisation software, Blue Pill for example, but the greatest threat in these environments is still the traditional malware or hacking threat - the same threat that was present when machines were physical. It is, however, likely that as the use of virtualisation increases and valuable data resides on these systems, more 'virtualisation' specific attacks will become prevalent.
INTROSPECTION SECURITY
This leads us to the new models that use the hypervisor to perform introspection on multiple virtual machines (VMs) from a single security VM. The theory is fantastic, enabling consolidation of the security functions to enhance performance significantly. While these introspection technologies offer interesting visibility - and they do have some practical uses today, e.g. for conventional firewalling - they do not yet provide a credible replacement for endpoint security.
Modern endpoint security requires application, user and data context to work effectively. The belief that anti-virus works purely on signatures, and can therefore be performed by simply calculating deterministic hashes, is a myth. Modern endpoint security inspects the browser for exploits, since the majority of malware enters the enterprise via the Web, is distributed from compromised legitimate Web sites and exploits the browser; it also observes the runtime operation of programs for bad behaviour and understands the user behaviour or data being acted upon. Getting all of this visibility from a hypervisor dealing with CPU states, memory I/O and other such very low level information is next to impossible, particularly with present models.
An agent running inside the machine to provide that visibility is still required, but that doesn't mean that introspection security doesn't offer any benefits. Rootkits are increasingly being deployed as part of other forms of malware. Detecting and removing rootkits that subvert the kernel is very difficult for an agent sitting inside the compromised environment. Introspection security, whether via an API or by looking at the virtual disks, makes detection of these nasties significantly easier, as you can scan for their presence without being subject to their manipulation of the operating environment.
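The advantage described above can be made concrete with a cross-view comparison: take the file listing the guest's own tools report, take a second listing from the virtual disk as seen from outside the guest, and flag anything the outside view has that the inside view lacks or reports differently. A kernel-level rootkit can filter what the guest's own tools return; it cannot filter a read of the disk image from the security VM. The code below is an added illustration, not Sophos code or its product's method. Both listings are constructed sample data, the hashes are placeholders, and the list of volatile paths to ignore is an assumption about what churns between the two snapshots.

```python
"""Cross-view rootkit detection: inside-guest listing vs. outside-guest listing.

Added illustration, not Sophos code. Each view maps a path to a content hash.
INSIDE_VIEW is what enumeration from within the guest reported; OUTSIDE_VIEW is
what a scan of the mounted virtual disk, taken from the security VM, reported.
Paths present outside but missing inside are candidate hidden files; paths
whose hashes differ are candidates for a rootkit serving a clean copy of a
file it has actually modified. Both views are constructed sample data.
"""
import fnmatch

# Constructed: paths that legitimately change between the two snapshots and
# would otherwise produce false positives. Tune per platform.
VOLATILE_PATTERNS = ("/tmp/*", "/var/log/*", "/var/run/*", "/proc/*")

# Constructed inside-guest view (path -> placeholder hash)
INSIDE_VIEW = {
    "/bin/ls": "h-ls-clean",
    "/etc/passwd": "h-passwd",
    "/lib/modules/extra/net.ko": "h-net",
    "/usr/sbin/sshd": "h-sshd-clean",     # rootkit returns the original bytes
    "/tmp/sess_1": "h-session",            # volatile, present only at scan time
}

# Constructed outside-guest view read from the virtual disk
OUTSIDE_VIEW = {
    "/bin/ls": "h-ls-clean",
    "/etc/passwd": "h-passwd",
    "/lib/modules/extra/net.ko": "h-net",
    "/lib/modules/extra/hide.ko": "h-hide",   # hidden from the inside view
    "/usr/sbin/sshd": "h-sshd-trojaned",      # on-disk bytes differ
    "/var/log/auth.log": "h-authlog",         # volatile, ignored
}


def is_volatile(path):
    """True if the path matches a pattern we expect to change between snapshots."""
    return any(fnmatch.fnmatch(path, pattern) for pattern in VOLATILE_PATTERNS)


def cross_view_diff(inside, outside):
    """Compare the two views and return the three classes of discrepancy.

    hidden:      present on disk, absent from the guest's own listing
    mismatched:  present in both, but the guest reports different content
    inside_only: reported by the guest, absent from the disk (unusual; worth
                 a look, but can also be a snapshot timing artefact)
    """
    hidden = sorted(p for p in outside
                    if p not in inside and not is_volatile(p))
    mismatched = sorted(p for p in outside
                        if p in inside and outside[p] != inside[p]
                        and not is_volatile(p))
    inside_only = sorted(p for p in inside
                         if p not in outside and not is_volatile(p))
    return {"hidden": hidden, "mismatched": mismatched, "inside_only": inside_only}


def is_suspicious(diff):
    """Anything hidden or mismatched is a finding that needs a human to look."""
    return bool(diff["hidden"] or diff["mismatched"])


if __name__ == "__main__":
    result = cross_view_diff(INSIDE_VIEW, OUTSIDE_VIEW)
    for kind, paths in result.items():
        print(f"{kind:12s} {paths}")
    print("suspicious:", is_suspicious(result))
```

Two caveats matter in practice. The two snapshots must be taken close together, or ordinary churn swamps the result; the volatile-path exclusion is a blunt way of handling that and should be narrowed over time. And the disk view tells you what is on disk, not what is in memory, so an in-memory-only implant will not show up here; the article's point that an in-guest agent is still needed stands.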
PHYSICAL vs. VIRTUAL
While virtualisation specific attacks are developing, today the greatest risks to virtualised server systems are the same as their physical counterparts. New virtualisation security technologies hold promise and are being aggressively developed by virtualisation vendors and security vendors, but are yet to become an effective replacement for endpoint security inside the virtual machines.
Monitor virtualisation security closely, but today the top tips are:
FIND OUT MORE
For more information on how Sophos solutions can help secure your IT environment - including virtual machines - contact your Phoenix Account Manager on 0845 265 1265 or email info@phoenixs.co.uk