Ghost In the Machine: IBM’s New “Phantom” VirtSec Solution (?)
I had another post-RSA press release show up in my mailbox today from IBM again pitching their "…breakthrough research initiative from IBM X-Force and IBM Research,
code-named "Phantom", which offers businesses a new means of securing
virtualized server environments."
Besides the rumblings at RSA, I haven’t been briefed on this as of yet, but let’s explore what we have thus far, keeping it mind that this is described as an "initiative" and not a "product:"
At Phantom’s core is industry-leading network and host intrusion protection used to guard the virtual environment and the machines from the inside out. The new technology sits in a secure, isolated partition and integrates with the hypervisor – the layer of management software that coordinates calls between operating systems and computer hardware.
In this description, Phantom is confusingly framed more as a product/solution rather than an initiative and it gets a little fuzzy as to how this qualifies as integration with the hypervisor besides just sitting on top of it, but perhaps this is one of the secrets-in-stealth that defines the breakthroughs mentioned above or perhaps sadly yet another unfortunate translation from Klingon?
If one were to take a quick first-pass, it sounds like they’ve taken their software-based IBM/ISS IPS solution and turned it into a virtual appliance (that would be the "secure, isolated partition") that runs alongside the VM’s in a physical host? This is basically what every other vendor on the planet is currently doing. Integration with SiteProtector and interaction with the hardware-based physical appliances would make sense, too.
Playing futurist, in terms of the more broadly-reaching "initiative" angle, it might leverage some of the research IBM has already done on their secure hypervisor (sHype) or more appropriately rHype (which I believe is Xen-based) as well as the many other virtualization efforts they’ve hatched to date.
If IBM were going to commercialize this into productized offerings, besides supporting their own hypervisor(s) and virtualization platforms/operating systems first, I’d guess they would aim for supporting VMware first since that’s where the dollars are. Or not.
IBM’s Phantom initiative aims to create virtualization security technology to efficiently monitor and disrupt malicious communications between virtual machines without being compromised.
In addition, full visibility of virtual hardware resources would allow Phantom to monitor the execution state of virtual machines, protecting them against both known and unknown threats before they occur.
Roger. Protect intra-vm traffic. And because they can protect "…against both known and unknown threats before they occur" it’s psychic to boot!
It is also designed to increase the security posture of the hypervisor – a critical point of vulnerability; because once an attacker gains control of the hypervisor, they gain control of all of machines running on the virtualized platform. For the first time, the hypervisor, the gateway to the virtualized world and all that lays above it, can be locked down.
I’m interested in this part because as most vendor’s pitches go, when one digs down deeper, what this really means is that *today* if one can control traffic between the VM’s which transit the vSwitch, one can potentially prevent a compromise of a VM leading to a launchpad for an attack on the hypervisor.
What’s confusing here is that despite the fact that most hypervisor platform providers consciously limit what is exposed (even in an abstracted state) by the hypervisor, vendors continue to insist that they are "integrated" with and will "lock down" the hypervisor itself. We saw that in the dissection of the Catbird "HyperVisorShield" announcement I wrote about earlier.
Protecting the hypervisor today is really a by-product of protecting the VM’s.
Here’s another extract from additional coverage of Phantom:
Phantom is a joint effort between IBM’s X-Force threat analysis team and the company’s research division. It aims to lock down the hypervisor software that IBM systems use to manage virtual machines. "What we’re doing through Phantom is we’re implementing an IPS (intrusion prevention system)– an IPS that sits at the hypervisor layer," said Kris Lovejoy, director of strategy for IBM corporate security.
The researchers are also building tools that can lock down the hypervisor itself, Lovejoy added. "The hypervisor layer was built for optimum performance, not necessarily effective security," she said. "Our customers are just looking for assurance that their virtualized infrastructure is not going to be the single point of failure."
Aha! See vendors in their press releases continue to reference THE hypervisor in a singular, monolithic manner that seems to imply that their solutions will protect and lockdown any and all hypervisors. I know this point may not be lost on all people, but it’s become very difficult to figure out what many of these VirtSec products actually do and which platforms they support.
I think this last paragraph really intimates that in this case we’re talking about IBM’s hypervisor(s) — perhaps based upon sHype/rHype or other IBM virtualization platforms — at least at first.
I’m not knocking IBM or doubting their efforts as they’ve been at the virtualization game a long time and with the acquisition of ISS, they got a bunch of good talent and a decent product base. I *am* just weary of claims that seem to apply research and "initiatives" in such broad strokes that it becomes difficult to sort the wheat from the chaff.
Looking forward to learning more about Phantom.