The 3/8 Virtualization Security Podcast held a discussion on the happenings at the 2012 RSA Conference in San Francisco, as well as a discussion of the features of Bitdefender’s entry into the virtualization and cloud space with their SVE product. RSA Conference highlights not just security tools for the virtualization and cloud spaces but for the entire industry, and each year there is always a common theme. Was there one this year? Were there any surprises at the conference?
During the first half of the podcast we discussed RSA Conference 2012 and what it had to bring to the security industry, and the panel could not find a common theme. Last year it was all about cloud and cloud identity; the year before, almost everyone had something on virtualization and cloud security. This year there did not seem to be a common theme; in fact, there seemed to be a lack of cloud discussions and very few virtualization security hotspots. In reality, it looked like there was only one virtualization-security-only vendor showing their wares: HyTrust.
However, they were not alone: walking the show floor showed that virtualization security was present in the Trend Micro, Juniper, Kaspersky, Bitdefender, RSA/VCE/EMC, and Symantec booths, amongst some others. But everything seemed incremental to their existing technologies. For cloud security I saw Trusteer and a few others, but no major splashes. Everyone, however, was talking about the new purchase by Juniper of Mykonos. Mykonos is definitely worth a mention, as it would add to Juniper’s existing Next Generation Firewall functionality that can detect whether URLs have been modified in transit or truly come from the server on the protected side of the firewall. It does this by adding fragments into the URL string that it looks for when the protected servers are accessed once more. This is a more proactive approach to URL modification detection.
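The podcast did not go into how the URL fragments are built, so the following is an added example and not Mykonos or Juniper code. It shows one way a gateway could tag outgoing URLs and check them when they come back, assuming an HMAC over the path and query; the key, the `_sig` parameter name and the sample URL are constructed for illustration.

```python
import hashlib
import hmac
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

KEY = b"constructed-demo-key"  # constructed; a real gateway would hold a secret
TAG = "_sig"                   # hypothetical name for the added URL fragment


def _mac(path, pairs):
    # Bind the tag to the path and to the exact parameter order and values.
    msg = path + "?" + urlencode(pairs)
    return hmac.new(KEY, msg.encode(), hashlib.sha256).hexdigest()


def tag_url(url):
    """Outbound: append an integrity tag to a URL served from the protected side."""
    u = urlsplit(url)
    pairs = parse_qsl(u.query, keep_blank_values=True)
    tagged = pairs + [(TAG, _mac(u.path, pairs))]
    return urlunsplit(u._replace(query=urlencode(tagged)))


def check_url(url):
    """Inbound: True only if the URL carries exactly one tag and it still matches."""
    u = urlsplit(url)
    pairs = parse_qsl(u.query, keep_blank_values=True)
    tags = [v for k, v in pairs if k == TAG]
    rest = [(k, v) for k, v in pairs if k != TAG]
    if len(tags) != 1:
        return False  # never issued by the gateway, or tag stripped/duplicated
    return hmac.compare_digest(tags[0], _mac(u.path, rest))


if __name__ == "__main__":
    issued = tag_url("https://shop.example/cart?item=42&price=19.99")
    print(check_url(issued))                                          # intact
    print(check_url(issued.replace("price=19.99", "price=0.01")))     # modified
    print(check_url("https://shop.example/cart?item=42&price=0.01"))  # untagged
```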
Virtualization and cloud may not have been the primary discussion this year at RSA Conference, but nearly everyone had a product that fit into the space. One notable exception to this list was Palo Alto Networks; they are concentrating on the bastion firewall protecting the environment. Eventually, I also expect a virtual appliance from them. More and more virtualization security products are working cross-hypervisor or, more importantly, regardless of hypervisor. One such product is Bitdefender SVE.
Gavin Hill, who has joined the podcast before, now works at Bitdefender as their Director of cloud and virtualization security. Gavin gave us the 5 minute rundown of SVE and then we launched into a series of discussions about the product. Bitdefender SVE does things a bit differently than other players in this space: while it does make use of VMware vShield Endpoint when running within vSphere, it also makes use of a thin agent, more a shim than a full agent. This shim communicates with the engine across the network, much like vShield Endpoint does, to determine whether file opens, writes, and reads are acceptable to the anti-virus, anti-malware engine residing on another virtual or physical machine.
In essence, Bitdefender liked the vShield Endpoint model so much that they adopted it for all their future virtualization and cloud security endeavors. This approach grants them the ability to run in every hypervisor with a single code base, which will aid in development times. Lastly, they have gone one step further than vShield Endpoint, as their agent will also take into account memory scanning. The one drawback to this approach is the lack of offline scanning for VMs that are not running but may soon be running. Even so, Bitdefender’s approach allows a cloud tenant to control their own anti-virus/anti-malware, which could help with compliance and future auditing. However, if the tenant is running within a vCloud instance with vShield Endpoint, and the cloud provider has a copy of Bitdefender SVE, then the tenant can also make use of Bitdefender SVE shared within the vCloud.
Bitdefender speeds up their product by making use of cache mechanisms within each of their own agents as well as on the virtual appliance. This cache contains a SHA-style checksum for everything already checked and returns an answer very quickly if the checksum already exists. This caching increases performance quite a bit, as Bitdefender SVE has to do much less work than normal. With a per-host checksum when running within vSphere, it works best when there are like operating systems and applications running on the host in question.
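The two cache levels described above can be modelled in a few lines. This is an added example, not Bitdefender code: the class names, the use of SHA-256, the toy detection rule and the sample file contents are all assumptions made for illustration.

```python
import hashlib


class Engine:
    """Stand-in for the scanning engine; counts how often a real scan runs."""
    def __init__(self):
        self.scans = 0

    def scan(self, data):
        self.scans += 1
        # Toy rule on a constructed marker, only so the demo has two verdicts.
        return "malicious" if b"EXAMPLE-BAD-MARKER" in data else "clean"


class Appliance:
    """Per-host virtual appliance: verdict cache shared by every VM on the host."""
    def __init__(self, engine):
        self.engine, self.cache = engine, {}

    def verdict(self, digest, data):
        if digest not in self.cache:          # miss: the engine really scans
            self.cache[digest] = self.engine.scan(data)
        return self.cache[digest]


class Agent:
    """Thin in-guest shim: answers from its own cache, else asks the appliance."""
    def __init__(self, appliance):
        self.appliance, self.cache, self.remote_calls = appliance, {}, 0

    def check(self, data):
        digest = hashlib.sha256(data).hexdigest()  # keyed by content, not path
        if digest not in self.cache:
            self.remote_calls += 1                 # one network round trip
            self.cache[digest] = self.appliance.verdict(digest, data)
        return self.cache[digest]


def demo():
    engine = Engine()
    appliance = Appliance(engine)
    vm_a, vm_b = Agent(appliance), Agent(appliance)
    common = b"constructed bytes standing in for a shared OS library"
    unique = b"constructed file only VM B has: EXAMPLE-BAD-MARKER"
    verdicts = [
        vm_a.check(common),            # engine scan
        vm_a.check(common),            # agent-local hit, no network
        vm_b.check(common),            # appliance hit, no scan
        vm_b.check(unique),            # engine scan
        vm_a.check(common + b"\x00"),  # one byte changed: new digest, rescan
    ]
    return verdicts, engine.scans, vm_a.remote_calls, vm_b.remote_calls


if __name__ == "__main__":
    print(demo())
```

Five file checks cost three real scans here, and the saving comes entirely from the file both VMs share, which is why a host running like operating systems and applications benefits most.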
Conclusion
RSA Conference this year showed off quite a few product improvements, but there was no big splash, and cloud and virtualization security took a ‘yes we have that as a virtual appliance’ approach. Very few products truly integrate within the environment. On the anti-virus front, however, Bitdefender SVE is a product whose development has shifted to a new direction based solely on virtualization: a direction that takes advantage of virtualization when present and applies the same techniques regardless of environment, whether cloud, virtual, or physical.