
Focus on Protection and Performance When Securing Virtual Environments

August 5, 2011

Summary

In today’s rapidly evolving threat landscape, an approach that identifies and blocks new and unknown threats without sacrificing performance is needed to protect your virtual infrastructure.
Organizations investing in virtualization and cloud computing technologies tend to follow a similar path: They start by virtualizing less-critical applications such as test and development environments before moving on to more important applications, such as email, ERP, and CRM.
According to the Symantec 2011 Virtualization and Evolution to the Cloud Survey, organizations are now increasingly leveraging virtualization for their business-critical applications. Of the enterprises that are implementing virtualization, more than half (59%) plan to virtualize database applications in the next 12 months, 55% plan to virtualize Web applications, and 47% plan to virtualize email and calendar applications.
But as organizations place more of these applications in virtual environments, they quickly encounter unexpected challenges. For example, antivirus scanning in virtual machines has been complicated by a wholesale shift in how malicious software is created and distributed. Increasingly, cyber-criminals rely on attack toolkits to launch hundreds of millions of customized and targeted threats. This shift threatens to overwhelm traditional signature-based defenses, leaving enterprises exposed to a barrage of unique threats.
Continue reading to learn why an approach that both integrates essential security technologies into a single agent and identifies new threats as they are created is needed to protect your virtual infrastructure.

Why virus scanning isn’t enough

As the latest Symantec Internet Security Threat Report demonstrates, today’s attacks are sophisticated, targeted, and rapidly mutating. Last year alone, attackers unleashed more than 286 million distinct malicious programs. That amounts to an average of nine new threats every second of every day. By comparison, Symantec detected 250,000 unique viruses in 2007. The sheer volume of today’s attacks threatens to overwhelm signature-based security solutions.
Not only are cyber-attacks proliferating at an unprecedented rate, they’re also making traditional discovery and fingerprinting of these threats nearly impossible. Reactive approaches such as signature scanning simply can’t keep up. For example, the Threat Report found that 50% of attacks were detected not by virus scanning but through proactive technologies such as intrusion prevention incorporated into Symantec’s endpoint protection platforms.
Lately, much has been made of the need to drive increased performance and density in virtual environments. Hence the recent interest in reducing the CPU, memory, and I/O resources consumed by fully multi-instance in-guest protection (where each guest VM does its own scanning and keeps its own content definitions) by moving toward virtualization-aware protection, in which guest VMs in the same local environment share a single instance of applicable protection activities and technologies, primarily file scanning. With the launch of Symantec Endpoint Protection 12.1, Symantec has taken a big step in this direction by combining local virtualization-aware optimizations for single-instance scanning with global optimizations via Symantec Insight, which removes the need to scan files that are already known to be good.
Symantec is focused above all on providing complete protection, covering attack vectors that traditional file-based antivirus protection can’t defend against and doing so without sacrificing system performance. It’s a strategy that goes beyond file scanning to provide the following essential protection technologies in a single agent: Antivirus and antispyware, firewall, intrusion prevention, behavioral protection (SONAR), application control, device control, and network access control.

Context is the key to reputation-based security

In addition to deploying the above protection technologies, Symantec believes that combining and correlating local and global threat intelligence will be critical to the success of IT and security teams in the new world of rapidly mutating malware.
Symantec Insight is cloud-based reputation technology that puts files in context, using their age, frequency, location, and other characteristics to expose threats that would otherwise be missed. Built on contributions from more than 175 million systems in over 200 countries, Insight has the power to examine and track the context of billions of files.
Some vendors post malware signatures to the Internet, attach a whitelist, and call the result a reputation system. While this approach might provide faster access to virus signatures, it still reacts to known threats rather than identifying new ones.
Other companies take the next step and rate the reputation of the source of the files. This is a step in the right direction, but it is still not true context-aware security. Knowing the source of a file is useful, but it does not tell you if the file was newly created just to infect you.
In contrast, Insight can identify how common or rare a file is, how old it is, its security rating, and how it might be associated with malware. Through context, Insight can identify new or rapidly mutating threats as well as rare but tightly targeted attacks.
Insight uses context to take cyber-criminals' most important advantage, their ability to generate millions of unique threats, and turn it against them.
Because Insight provides both real-time blacklisting and whitelisting, this new technology can also significantly reduce the impact of antivirus scanning. By skipping any file that is known to be good, virus scanning overhead can be reduced by as much as 70%.
Symantec Endpoint Protection, which is powered by Insight, protects the virtual infrastructure in other important ways as well. For example, it integrates directly with VMware's security APIs to scan for malware inside offline VMware images. To prevent concurrent scans (known as "AV storms") from impacting performance in dense virtual environments, SEP whitelists baseline virtual machine images and shares scan results across virtual machines so that identical files only need to be scanned once. SEP can also automatically identify and manage virtual machines.
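The two mechanisms described above, a reputation lookup that skips files already known to be good and a shared scan cache so that identical content across guests is scanned only once, are easy to see in miniature. The following is an added illustration written for this page, not Symantec's or Insight's code: the reputation thresholds, the stand-in scan engine (it flags a constructed marker string rather than real malware), and the three sample guests cloned from one base image are all assumptions made for the example.

```python
"""Added example (not Symantec code): a shared, hash-keyed scan cache plus a
prevalence/age reputation check, showing why deduplicating scans across guests
and skipping known-good files cuts scan work in a dense virtual host."""
import hashlib
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Illustrative thresholds only; they are not Insight's actual policy.
GOOD_PREVALENCE = 1000   # seen on at least this many systems ...
GOOD_AGE_DAYS = 30       # ... and first observed at least this long ago


@dataclass
class FileMeta:
    """Context a reputation service keeps per content hash (constructed here)."""
    age_days: int
    prevalence: int
    known_bad: bool = False


def content_hash(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def reputation_verdict(meta: Optional[FileMeta]) -> str:
    """'bad' -> block, 'good' -> safe to skip scanning, 'unknown' -> must scan."""
    if meta is None:
        return "unknown"
    if meta.known_bad:
        return "bad"
    if meta.prevalence >= GOOD_PREVALENCE and meta.age_days >= GOOD_AGE_DAYS:
        return "good"
    return "unknown"   # new or rare: exactly the files worth scanning


@dataclass
class SharedScanner:
    """One scan instance serving every guest on a host; results keyed by hash."""
    reputation: Dict[str, FileMeta]
    scan_cache: Dict[str, str] = field(default_factory=dict)
    checks: int = 0
    scans_performed: int = 0

    def _engine_scan(self, data: bytes) -> str:
        # Stand-in for a real engine: a constructed marker string is the only "malware".
        self.scans_performed += 1
        return "bad" if b"EXAMPLE-MALWARE-MARKER" in data else "clean"

    def check(self, data: bytes) -> str:
        self.checks += 1
        h = content_hash(data)
        verdict = reputation_verdict(self.reputation.get(h))
        if verdict != "unknown":
            return verdict              # answered from context, no scan needed
        if h not in self.scan_cache:    # first guest to present this content scans it
            self.scan_cache[h] = self._engine_scan(data)
        return self.scan_cache[h]       # later guests reuse the cached result


def build_guests() -> Dict[str, Dict[str, bytes]]:
    """Constructed sample: three guests cloned from one base image plus per-guest files."""
    base = {f"os-lib-{i}.dll": f"base-file-{i}".encode() for i in range(5)}
    base.update({f"inhouse-{i}.exe": f"inhouse-app-{i}".encode() for i in range(3)})
    guests: Dict[str, Dict[str, bytes]] = {}
    for name in ("vm-a", "vm-b", "vm-c"):
        files = dict(base)
        files["scratch.tmp"] = f"temp-{name}".encode()   # unique per guest
        guests[name] = files
    guests["vm-c"]["dropper.bin"] = b"payload EXAMPLE-MALWARE-MARKER payload"
    return guests


def simulate() -> Tuple[int, int, Dict[str, Dict[str, str]]]:
    """Return (file checks, engine scans actually run, per-guest verdicts)."""
    guests = build_guests()
    # Only the OS libraries are old and widespread enough to be whitelisted by reputation;
    # the in-house binaries are unknown to the cloud and must be scanned (once).
    reputation = {
        content_hash(f"base-file-{i}".encode()): FileMeta(age_days=400, prevalence=250000)
        for i in range(5)
    }
    scanner = SharedScanner(reputation=reputation)
    verdicts = {g: {name: scanner.check(data) for name, data in files.items()}
                for g, files in guests.items()}
    return scanner.checks, scanner.scans_performed, verdicts


if __name__ == "__main__":
    checks, scans, verdicts = simulate()
    print(f"{checks} file checks, {scans} engine scans "
          f"({100 * (1 - scans / checks):.0f}% fewer than scanning every file in every guest)")
    for g, v in verdicts.items():
        print(g, {k: r for k, r in v.items() if r != "good"})
```

With the constructed data the host performs 28 file checks but only 7 engine scans: the five OS libraries are never scanned because reputation already vouches for them, the three in-house binaries are scanned once and the cached result is reused by the other two guests, and only the genuinely unique files (one scratch file per guest and the marker-carrying dropper) cost a scan each. The reduction depends entirely on how much content is shared and how much is known-good, which is why baseline images and cloned VDI desktops benefit most.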
In recent tests conducted by Dennis Labs, Symantec Endpoint Protection, running in a virtual desktop infrastructure (VDI) environment, defended against more real-world threats than comparable solutions from McAfee and Trend Micro. In addition, The Tolly Group measured the performance of these solutions in VDI environments, determining that Symantec completes an on-demand scan in about half the time with 49% less disk bandwidth compared to solutions from McAfee and Trend Micro.

Conclusion

Today’s cyber-criminals employ rapid mutation technology to prevent security solutions from identifying the signatures of their code. That’s why Symantec’s virtualization security strategy goes beyond file scanning to provide both essential protection technologies in a single agent and reputation-based security to expose threats that might otherwise be missed. Symantec Endpoint Protection, powered by Insight, enables you to protect your virtualized business-critical applications without slowing you down.
Further reading: virtualizing business-critical applications; Symantec Endpoint Protection; the Dennis Labs tests of how Symantec Endpoint Protection defended against real-world threats; and The Tolly Group's performance comparison of Symantec against Trend Micro and McAfee.
