VM Security from an Unexpected Source

on 28 Jan 2019

Much of what you learned in Operating Systems 101 is no longer applicable to modern computing – and virtualization lies at the root (ahem) of this change. The core principle is that physical host machines are now used to run multiple guest virtual machines (VMs) to optimize the use of memory, bandwidth, and CPU. Orchestration of this virtualized sharing is typically done by a layer of software called a hypervisor.

VMs are logically separated, which helps to ensure that problems such as malware exploitation don’t easily cascade between multiple guests on the same physical host. This logical separation also allows for VMs to be moved easily across the underlying server infrastructure, which is helpful to IT and data center managers. Again, the hypervisor plays a central role in supporting these computing advantages.

Hypervisors can run on top of a conventional operating system, as with VMware Workstation or KVM. More often, however, they run directly on bare metal, replacing the normal operating system. Microsoft’s Hyper-V, VMware’s ESX/ESXi, Nutanix’s AHV, and Xen are popular bare-metal offerings. Correspondingly, the virtualization marketplace includes several software vendors: Microsoft, VMware, and Citrix/Xen. (Amazon runs KVM on Linux.)

Securing all this might seem simple at first glance. That is, one could transpose traditional OS protection controls to the hypervisor with extensions for multiple guests. This would address threats such as hyperjacking. But distributed, virtualized applications over bare metal hypervisors introduce many new security challenges. Furthermore, containers used to optimize resource utilization can introduce cascading threats between containerized apps.

This mix of technology, security, and modern architecture would seem like the ultimate magnet for cool start-ups in sleek Silicon Valley digs. And certainly, there are many start-ups working in this important area. But this past week, I ran into a more traditional team from an unexpected source doing world-class cyber security work in virtualized computing. The team is with Romania-based consumer AV and Internet Security vendor Bitdefender.

Mike Gable, Gavin Hill, and Paul Brown were my tour guides to the Bitdefender solutions, which are marketed under the GravityZone name. More specifically, their enterprise offerings include GravityZone Endpoint Security for Physical Workstations (EDR/EPP), GravityZone Security for Virtual Environments (SVE), Hypervisor Introspection (HVI), and Network Traffic Security Analytics (NTSA). Let me go through these solutions in turn.

The GravityZone Endpoint Security solution includes the familiar set of Windows protections organized into two major categories: local malware security via scanning, and remote malware security via browsing controls. These categories are important to note here, not because they differ much from other EDR/EPP solutions, but rather because they form the basis for the protections Bitdefender introduces to virtualized environments.

GravityZone SVE is a hypervisor-agnostic solution that prevents VM-resident malware exploits on VMware, Hyper-V, Citrix, and other virtualization platforms. The customer installs a virtual appliance into the local environment, and lightweight agents are deployed onto each guest. The architecture, which includes intelligent caching, protects virtual servers and workstations without impacting performance or VM density. A control center provides centralized management in the customer SOC.

“This unique arrangement in GravityZone SVE allows our customers to offload the virtual machine malware scanning to a dedicated virtual appliance,” explained Gavin Hill. “It’s all hypervisor agnostic and supported by threat intelligence in our Bitdefender cloud. Customers can enjoy high performance for their distributed, virtualized applications, while also knowing that world-class anti-malware controls are being continually run.”

Bitdefender’s Hypervisor Introspection (HVI) extends protection down to the hypervisor itself. The solution, which currently supports Citrix/Xen (support for KVM is planned), monitors each virtual machine’s raw memory from outside the guest. It stops attacks before they execute inside a VM, and therefore before any in-VM security solution would have a chance to detect them. It apparently stopped WannaCry and NotPetya ransomware long before they were publicized. Citrix supports this capability through a specialized API in its XenServer hypervisor, which offers direct, low-level access to each virtual machine’s memory.

Network Traffic Security Analytics (NTSA) is a network monitoring virtual appliance that ingests network data and generates intelligence from its metadata. The platform lets analysts define detection scenarios, which provides visibility into what is happening in network traffic. It uses machine learning and behavior analysis, combined with insights from Bitdefender cloud threat intelligence (derived from a half billion nodes), to detect threats automatically.

If you’re like me, then you’ve always thought of Bitdefender as a consumer AV company, led by an iconic CEO, Florin Talpes. But welcome to the new Bitdefender, with its impressive range of virtualization and network security tools for enterprise. They have a strong story, and the team that took me through the platform was capable and well-informed about how their customers are using the technology. Their presentation was strong.

If you work in cloud computing or if you offer virtualized support for enterprise applications, then you’d be well-served to be in touch with the Bitdefender team. Ask them to take you through their architectural schematics, and to provide insights into the heuristics used to detect malware. It is an impressive story – one developed through many years helping PC users protect themselves from viruses.

As always, please share back with us what you’ve learned.