How to Use Patch Management and SIEM to Better Secure Virtualized Environments

By Mav Turner, Director, Security, SolarWinds

As the saying goes, it’s better to be safe than sorry. And given the fact that nearly everything in modern business has been digitized, nowhere is that truer than when it comes to the mountains of potentially sensitive data organizations create every day. Information security must be a key consideration at every turn.

One such turn is the broad implementation of virtualization in datacenters across the globe. Virtualization is, in reality, about as mature as technologies come, but to many it still feels new because deployments have grown so rapidly over the past five to ten years. As a result, many organizations are still working out how to properly address the security risks inherent in virtual environments. There is no better time to do so than the present, as attackers have taken notice of the opportunity.

Case in point: Late last year, a supposed attacker sent customers of browser-based testing vendor BrowserStack an email about the company’s virtual environment security, or lack thereof. The email, which was meant to appear as though it was sent from the company, stated, “We have no firewalls in place, and our password policies are atrocious. All virtual machines launched are open to the public…it is almost certain all of your data has been compromised.” While BrowserStack denies any truth to the claims, the incident has naturally spurred many to question whether adequate steps to ensure a secure virtual environment were being taken by the company.

Unfortunately, BrowserStack will not be the only company whose virtual environment will come under attack. As such, organizations need to better understand the security risks associated with virtual environments and the strategies necessary to mitigate those threats, two of the most helpful being patch management and security information and event management (SIEM).

Using Patch Management Technologies to Safeguard Against the Walking Dead

One of the biggest security risks associated with virtualization is zombie virtual machines (VMs). Yes, that may sound like a figment of a system administrator’s nightmares, but anyone who has been involved in virtualization administration is all too familiar with the concept of zombie VMs and knows it’s a real issue.

In a virtual environment, a VM that continues to run idly in the background, carries no significant workload and is therefore often forgotten can be considered a zombie VM. It still has an IP address, network reachability, stored credentials and possibly data; it is simply no longer on anyone's maintenance list. When these VMs go unnoticed and multiply over time, the result is VM sprawl: the unchecked growth of virtual machines in an environment. Sprawl is a common occurrence in organizations today, and can be attributed to how easy it is to create and provision VMs compared with physical systems. To make matters worse, sprawl tends to happen slowly, which makes it difficult to recognize the problem as it occurs.

The issue this creates is real difficulty keeping track of what is online, what is offline and which security holes are exposed as a result. Unpatched VMs in particular can serve as a gateway into a company's systems, leading to a potential data breach or, at the very least, a compliance failure.

Correcting this risk at its core means actively managing the virtual environment: knowing what is in use, what is needed and what is not. However, as noted, sprawl happens gradually and usually without anyone realizing it. Proper patch management technologies should therefore be used to ensure that zombie VMs with vulnerabilities lurking in the environment do not become an open door for attackers.

Most organizations don't have the resources or time to manually patch the hundreds or even thousands of systems a virtual environment can hold, especially once sprawl gets out of hand, so automated patch tools and processes help ensure that all VMs, zombie or not, are current with critical security patches. One caveat: agent-based patching only reaches VMs that are powered on. VMs that sit powered off, and templates or snapshots that are later cloned, come back online exactly as vulnerable as when they were last touched, so the patch process needs to cover offline images or enforce a patch check when a VM is powered on.
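As an added illustration, not code from the original article and not a feature of any SolarWinds product, the script below runs the zombie-VM and patch-baseline check described above over a constructed inventory snapshot. The VM names, owner tags, patch identifiers and the 60-day/5% idle thresholds are all hypothetical; a real run would pull the same fields from the hypervisor API and the patch tool's compliance report. It also applies the powered-off caveat: a powered-off VM missing baseline patches is ranked above a running one.

```python
from dataclasses import dataclass
from typing import FrozenSet, Optional


@dataclass(frozen=True)
class VM:
    name: str
    power: str               # "on" or "off"
    cpu_avg_pct_30d: float   # mean CPU utilisation over the last 30 days
    days_idle: int           # days since the last login or configuration change
    owner: Optional[str]     # owner tag from the hypervisor, None if untagged
    os: str
    patches: FrozenSet[str]  # patch identifiers reported by the patch agent


# Constructed inventory snapshot: hypothetical VM names and patch IDs, not real data.
# In practice this comes from the hypervisor API and the patch tool's reports.
INVENTORY = [
    VM("web-01",   "on",  31.0,   1, "app-team", "linux",   frozenset({"p-100", "p-101", "p-102"})),
    VM("db-01",    "on",  58.0,   3, "dba",      "linux",   frozenset({"p-100", "p-101"})),
    VM("test-old", "on",   0.4, 210, None,       "windows", frozenset({"w-10"})),
    VM("demo-q3",  "off",  0.0,  95, "sales",    "windows", frozenset({"w-10", "w-11"})),
    VM("build-07", "on",   2.1,  12, "ci",       "linux",   frozenset({"p-100", "p-101", "p-102"})),
]

# Required patch baseline per OS, as the patch tool would publish it (hypothetical IDs).
BASELINE = {
    "linux":   frozenset({"p-100", "p-101", "p-102"}),
    "windows": frozenset({"w-10", "w-11", "w-12"}),
}


def is_zombie(vm, cpu_threshold=5.0, idle_days=60):
    """Zombie candidate: idle for at least idle_days, and either powered off or
    powered on but doing nothing measurable. Low CPU alone is not enough; a
    build agent between jobs is quiet but not forgotten."""
    if vm.days_idle < idle_days:
        return False
    return vm.power == "off" or vm.cpu_avg_pct_30d < cpu_threshold


def missing_patches(vm, baseline=BASELINE):
    """Baseline patches the VM has not reported as installed."""
    return sorted(baseline.get(vm.os, frozenset()) - vm.patches)


def audit(inventory=INVENTORY, baseline=BASELINE):
    """Return (severity, vm name, reasons) for every VM needing attention,
    highest severity first."""
    findings = []
    for vm in inventory:
        missing = missing_patches(vm, baseline)
        zombie = is_zombie(vm)
        if not missing and not zombie and vm.owner is not None:
            continue
        reasons = []
        if zombie:
            reasons.append("zombie")
        if vm.owner is None:
            reasons.append("no-owner")
        if missing:
            reasons.append("missing:" + ",".join(missing))
        # A powered-off VM receives no agent-driven patches and comes back online
        # exactly as vulnerable as when it was shut down, so it ranks highest.
        if missing and vm.power == "off":
            severity = 3
        elif missing:
            severity = 2
        else:
            severity = 1
        findings.append((severity, vm.name, reasons))
    return sorted(findings, key=lambda f: (-f[0], f[1]))


if __name__ == "__main__":
    for severity, name, reasons in audit():
        print(f"sev{severity} {name:<10} {'; '.join(reasons)}")
```

Note that `build-07` is not flagged even though its CPU is low: the idle-days condition keeps quiet-but-maintained systems out of the zombie list, which is what stops an audit like this from generating noise that administrators learn to ignore.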

Virtualization and SIEM: The Dynamic Duo

Virtualization brings flexibility, scalability, quality-assurance and cost-saving benefits, but by its very nature it also adds layers of infrastructure complexity: a hypervisor, virtual switches and VM-to-VM traffic that never crosses a physical network tap. This makes monitoring for unusual events and anomalies more complex, which in turn makes it even harder to identify security issues such as advanced persistent threats.

In addition, VMs and the workloads they carry are highly dynamic, capable of rapidly changing on a regular basis. This also poses a security risk.

For example, it’s common practice to spin up VMs in a lab environment to help developers test and deploy applications. Sometimes, however, these lab VMs are rolled from their native test environments into production. The problem is that lab VMs often don’t have adequate security measures for production workloads—because they didn’t need them when they were first created in the lab environment.

In a similar vein, certain workloads need a high level of security, and the virtual machine and host the workload is initially assigned to may provide it. But when room has to be made for more mission-critical workloads, that workload can easily be live-migrated to a host, or rebuilt on a VM, with a lower security level, opening a potential security hole.

While patch management addresses some of the security concerns surrounding the dynamic nature of VMs, SIEM tools go the rest of the way. With SIEM, it is possible to automate monitoring for insecure VMs and for the unusual security-related events or anomalies that crop up because of the rapid pace of change in virtual environments. A proper SIEM solution provides visibility into the security risks of a virtual environment and alerts when something is amiss, with one important condition: a SIEM only sees what is fed to it. Hypervisor management logs (VM creation, migration, network and storage changes) need to be collected alongside guest operating system logs, or the very changes described above will never appear as events.
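As an added example, not from the original article and not tied to any particular SIEM product, the script below applies the kind of stateful correlation rules a SIEM would run against hypervisor audit events: VM creation, baseline application, live migration and network attachment. The JSON-lines log, VM and host names, host hardening tiers, segment names and rule names are all constructed for illustration.

```python
import json

# Constructed hypervisor audit log in JSON-lines form. VM names, host names,
# segments and timestamps are hypothetical, not taken from any real system.
LOG = """\
{"ts": "2024-01-10T09:00:00Z", "event": "vm.create", "vm": "lab-api-3", "env": "lab", "host": "lab-h1"}
{"ts": "2024-01-10T09:05:00Z", "event": "vm.create", "vm": "pay-db", "env": "prod", "host": "prod-h1", "tier": 3}
{"ts": "2024-01-12T14:00:00Z", "event": "baseline.applied", "vm": "pay-db", "profile": "prod-hardened"}
{"ts": "2024-02-01T08:30:00Z", "event": "vm.migrate", "vm": "lab-api-3", "from": "lab-h1", "to": "prod-h2"}
{"ts": "2024-02-01T08:31:00Z", "event": "net.attach", "vm": "lab-api-3", "segment": "prod-dmz"}
{"ts": "2024-02-03T22:10:00Z", "event": "vm.migrate", "vm": "pay-db", "from": "prod-h1", "to": "prod-h2"}
{"ts": "2024-02-04T01:00:00Z", "event": "net.attach", "vm": "ghost-9", "segment": "prod-dmz"}
"""

# Hardening tier of each host (higher = more restricted), and which hosts and
# network segments count as production. Hypothetical values.
HOST_TIER = {"lab-h1": 1, "prod-h2": 2, "prod-h1": 3}
PROD_HOSTS = {"prod-h1", "prod-h2"}
PROD_SEGMENTS = {"prod-dmz", "prod-core"}


def parse_events(text):
    """Parse JSON-lines audit records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def correlate(events):
    """Stateful correlation: remember where each VM came from, what host tier
    its workload needs and whether the production baseline was applied, then
    flag later events that contradict that state. Returns (ts, rule, vm)."""
    state = {}      # vm name -> {"env", "tier", "hardened"}
    alerts = []
    raised = set()  # (rule, vm) pairs already alerted on, to suppress repeats

    def alert(rule, ev):
        if (rule, ev["vm"]) not in raised:
            raised.add((rule, ev["vm"]))
            alerts.append((ev["ts"], rule, ev["vm"]))

    for ev in events:
        vm, kind = ev["vm"], ev["event"]
        if kind == "vm.create":
            # Required tier defaults to 1; nothing counts as hardened until a
            # baseline.applied event for that VM is seen.
            state[vm] = {"env": ev["env"], "tier": ev.get("tier", 1), "hardened": False}
            continue
        if vm not in state:
            # Activity on a VM whose creation never reached the SIEM: a visibility
            # gap, which is exactly how sprawl and zombie VMs stay hidden.
            alert("unknown-vm", ev)
            continue
        s = state[vm]
        if kind == "baseline.applied":
            s["hardened"] = True
        elif kind == "vm.migrate":
            # Unknown destination hosts get tier 0, i.e. are treated as untrusted.
            if HOST_TIER.get(ev["to"], 0) < s["tier"]:
                alert("tier-downgrade", ev)        # workload moved to a less restricted host
            if s["env"] == "lab" and ev["to"] in PROD_HOSTS and not s["hardened"]:
                alert("unhardened-in-prod", ev)    # lab VM promoted without the prod baseline
        elif kind == "net.attach":
            if ev["segment"] in PROD_SEGMENTS and not s["hardened"]:
                alert("unhardened-in-prod", ev)    # same condition, seen via the network path
    return alerts


if __name__ == "__main__":
    for ts, rule, vm in correlate(parse_events(LOG)):
        print(f"{ts}  {rule:<18} {vm}")
```

Run on the constructed log this raises three alerts: the lab VM promoted to a production host without a baseline, the tier-3 database migrated onto a tier-2 host, and network activity from a VM the SIEM never saw created. Inserting a `baseline.applied` event for the lab VM before its migration makes the first alert disappear, which is the behaviour you want if the promotion was done properly.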

Beyond Patch Management and SIEM

While patch management and SIEM are two of the most important pieces of the virtualization security puzzle, they are obviously not the only elements of a defense-in-depth plan for securing virtual environments. Here are a few more things to consider:

  • Defined processes: A well-run environment has relevant, efficient security processes, along with the tools needed to support them and minimize manual labor where possible.
  • Regular audits: Regularly scanning and auditing the virtual environment makes it easier to understand where resources are allocated and actually used, eliminating zombie VMs in the process. Use tools to automate security checks, balances and processes wherever possible.
  • Separation: Establish how and where development, test and production virtual machines are separated (distinct hosts or clusters, network segments and credentials), so that a lab VM cannot simply be re-tagged or migrated into production.

With an understanding of the security risks associated with virtualization and how best to mitigate them, particularly through effective patch management and SIEM solutions and strategies, an organization can take advantage of the benefits of virtualization while ensuring its potentially sensitive data remains safe.

Jeff Edwards

Jeff Edwards is an enterprise technology writer and analyst covering Identity Management, SIEM, Endpoint Protection, and Cybersecurity writ large. He holds a Bachelor of Arts Degree in Journalism from the University of Massachusetts Amherst, and previously worked as a reporter covering Boston City Hall.
