Security Operations for VMware vSphere with VMware vRealize Log Insight

SER1361BU

Edward L. Haletky, TVP Strategy Principal Analyst

Mike Foley, VMware vSphere Technical Marketing

#VMworld #SER1361BU

VMworld 2017 Content: Not for publication or distribution

Aug 03, 2020

Disclaimer

• This presentation may contain product features that are currently under development.

• This overview of new technology represents no commitment from VMware to deliver these features in any generally available product.

• Features are subject to change, and must not be included in contracts, purchase orders, or sales agreements of any kind.

• Technical feasibility and market demand will affect final delivery.

• Pricing and packaging for any new technologies or features discussed or presented have not been determined.

Agenda

1 Introduction – The Why!

2 Users (Admin vs. Root vs. Service Accounts)

3 Shell commands

4 RBAC changes

5 Reconfiguration Events

6 Stump the Chump

7 Something Special!

8 Q&A

The Why!

Enact the guidance

Mike’s “Why Did We Do This?”

• IT needs have changed

– Need more information to make better decisions

• Security is now on EVERYONE’S radar

– Need more information to

• avoid security incidents

• analyze them after the fact

• Existing tools have been inadequate

– Logs “sucked”

– SIEM tools are only as good as what you put in them

• But they have no focus on virtualization

Edward’s “Why Did We Do This?”

• Existing tools have been inadequate

– …

• Best Practices are difficult to show

– SOC was to show off best practices

• Logs are difficult to read

– Visualization is better

• Bridge between Administrators, Ops, and Security

– We can show security what is happening

– Start of more discussions, everyone on the same page

vSphere 6.5 Enhanced Logging

Logs Transform in vSphere 6.5

Pre-6.5: Logs used for GSS/Troubleshooting

6.5: Logs include VC Events – Audit Quality and Actionable

vSphere Logging Today: 5.x / 6.0 Virtual Machine Reconfigure

Logs really need improvement. I know a change was made, but what happened? What changed?

Actionable Logging

Who, What, When, How

Demo: Users

Who not to see here!?

Demo: Shell Commands

What not to see here!?

Demo: RBAC

How did these change!?

Demo: Reconfiguration Events

What changed!?

Demo: Stump the Chump

What do you want to see:

• VM Encryption Actions?

• Secure Boot on VM? (UEFI Firmware)

• Scale of Changes (move the dial)

• Cluster Dashboard (internal vs external)?

• ???

Demo: Something Special

SecureESX AddOn Bundle

Q&A

What are your questions?

vSphere Security HOL HOL-1811-04-SDC

Thank You

Edward L. Haletky: [email protected], @Texiwill

Mike Foley: [email protected], @mikefoley

SOC Content Pack and information: Security Operations for VMware vSphere using VMware vRealize Log Insight

SecureESX AddOn Bundle: Contact [email protected], @Texiwill
