Architecture pattern for integrating IBM Cloud Security and Compliance Center Workload Protection with vCenter Server

Overview of Security and Compliance Center Workload Protection for VMware workloads

Security and Compliance Center Workload Protection enables the following three practices for your VMware workloads:

• Threat detection - Threat detection is managed by defining policies, which consist of rules to detect and respond to security violations, suspicious behavior, or anomalous activities within your Windows and Linux VMs. Security and Compliance Center Workload Protection provides customizable, prebuilt policies, which are created and maintained by Sysdig’s Threat Research team. These policies can detect and prevent various security threats, such as: malware, intrusions, and DDoS attacks. The results of these policies can be viewed in Insights and Events. For more information, see About insights and Secure Events.
• Vulnerabilities - Security and Compliance Center Workload Protection provides a highly accurate view of the vulnerability risks of your Linux VMs. The views include rich details on your vulnerability risks, such as: CVSS vector, score, fix age, and insights from multiple expert feeds including the NIST National Vulnerability Database (NVD) and VulnDB.
• Compliance - Posture management provides the framework that includes controls, guidelines, benchmarks, and standards for managing compliance. With Security and Compliance Center Workload Protection, you can evaluate your Linux VMs against several CIS benchmarks such as CIS Distribution Independent Linux Benchmark and compliance policies. For more information, see Analyzing compliance postures from detection to remediation. Typical use cases include:
  • Check the current compliance status against predefined policies to understand the magnitude of the compliance gap.
  • Demonstrate to an auditor the compliance status at a specific point in time, by creating a report of the compliance status of the VMs.

Pattern for integrating Security and Compliance Center Workload Protection

The following diagram shows an example of integrating a vCenter Server with NSX-T instance on IBM Cloud classic infrastructure with IBM Cloud Security and Compliance Center Workload Protection.

This architecture pattern is summarized as follows:

1. The agents, which are installed on your Windows or Linux VMs, collect data that is used for threat detection, posture management, and vulnerability scanning. For more information, see Sysdig Agents. The Sysdig Secure Windows Agent provides runtime detection and policy enforcement for host processes on Windows. For more information, see Windows. For Linux VMs, the agent has two parts:
   • Agent - Runtime threat detection is provided by the agent, which processes syscall events and metrics, creates capture files, and performs auditing and compliance tasks. For more information about deploying the agent, see Sysdig Agent.
   • Vulnerability Host Scanner - The host scanner is used to scan for vulnerabilities on the Linux VM. For more information about deploying the host scanner, see Vulnerability Host Scanner.
2. Your DNS servers need to be able to resolve the Security and Compliance Center Workload Protection endpoint URLs. Configure your DNS servers to use IBM Cloud DNS resolvers, if needed.
3. Firewall rules enable the downloading of the agents from the Internet and HTTPS connectivity to the Security and Compliance Center Workload Protection private endpoints. For more information about configuring firewall rules, see Add a Gateway Firewall Policy and Rule.
4. Source Network Address Translation (SNAT) rules allow your VMs overlay IP addresses to be translated to IBM Cloud supplied IP addresses that can be used on the Internet. For more information about configuring SNAT rules, see Configure NAT/DNAT/No SNAT/No DNAT/Reflexive NAT.
5. The IBM Cloud Security and Compliance Center Workload Protection instance. For more information, see:
   • Provisioning an instance
   • Regions
   • Protecting Linux hosts
   • Endpoints

Agents can be installed as a docker container or as a package installed on the operating system. This pattern assumes the use of an operating system package. References in Sysdig Secure and IBM Cloud Cloud Security and Compliance Center Workload Protection documentation to Host Analyzers and Kubernetes Security Posture Management can be ignored when a package is used.

Considerations

When you design or deploy this architecture pattern, consider the following information:

• For Linux VMs, the agents log file is /opt/draios/logs/draios.log.
• You only require a single SNAT IP address for all your VMs hosted in your virtual data center to communicate with the Security and Compliance Center Workload Protection instance.
• This pattern describes firewall policies and SNAT configured on the T0. Use of the T1 is also possible.
• This pattern does not use the distributed firewall. For more information about configuring the distributed firewall, see FQDN Filtering.

Related links

• Getting started with IBM Cloud Security and Compliance Center Workload Protection
• Sysdig Secure