Securing the Modern Data Center with Trend Micro Deep Security

Okan Kalak, Senior Sales Engineer, [email protected]

Advania Fall Conference

Securing the Data Center & Cloud - Advania · private/public cloud computing models compound the differences. Source: Gartner, “Market Guide for Cloud Workload Protection Platforms”,


Page 1

Securing the Modern Data Center with Trend Micro Deep Security

Okan Kalak, Senior Sales Engineer, [email protected]

Advania Fall Conference

Page 2

Copyright 2017 Trend Micro Inc.

Infrastructure change…

Physical Servers → Virtual Servers → Virtual Desktops → Public Cloud → Containers → Serverless (AWS Lambda, Azure Functions)

Page 3

Cloud workloads have different requirements for security than end-user-facing endpoints, and the adoption of hybrid private/public cloud computing models compounds the differences.

Source: Gartner, “Market Guide for Cloud Workload Protection Platforms”, March 2017, G00300334

Analyst insights & recommendations

Require vendors to support the security and visibility of workloads that span physical, virtual and multiple public cloud IaaS, all from a single policy management framework and console.

Page 4

Cross-generational blend of threat defense techniques

Response & Containment · Intrusion Prevention · Integrity Monitoring · Anti-Malware & Content Filtering · Machine Learning (2H/17) · Sandbox Analysis · Application Control · Behavioral Analysis

Page 5

Network Security

Page 6

Network Security

Controls: Firewall · Vulnerability Scanning · Intrusion Prevention

• Defend against network and application threats

• Stop lateral movement and reduce server attack surface

• Automatically assess workload vulnerabilities & apply protection

• Protect against OS & application vulnerabilities (ex: Struts 2, Shellshock)

• Detect & stop ransomware (ex: WCRY)

• Reduce the need for emergency patching

• Shield end of life systems & applications

Page 7

Reduce operational impacts

• Reduce operational costs of emergency & ongoing patching

• Protect systems where no patches will be provided

• Secure server and application-level vulnerabilities

Timeline (diagram): Vulnerability disclosed or exploit available → Virtual patch available → Patch available (if in support) → Test → Begin deployment → Completed. The virtual patch provides continuous protection across this window.

WannaCry ransomware protection delivered in March 2017, with enhancements at public disclosure (May 2017)

Page 8

Page 9

File Server Ransomware Protection and early detection

Ransomware infects end users. Endpoints have mounted file shares, so the ransomware encrypts files on the shares even though the server itself is not infected. File server: Windows or Linux (Samba).

Detection: Rule 1007596 - Identified Suspicious File Extension Rename Activity Over Network Share

– Detects renames to 50 ransomware related extensions.

– Provides early detection

Detection and Protection: Rule 1007598 - Identified Suspicious Rename Activity Over Network Share

– Rule to prevent renames after N renames in T1 seconds for T2 seconds.

– E.g. if Deep Security detects 10 renames in 60 seconds, stop any rename activity for, say, 24 hrs
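The two rules above describe a simple detection pattern: flag renames that produce a known ransomware extension, and rate-limit a client that renames too many files in a short window. The following is an added example written for this page, not Deep Security's own code; it models the "N renames in T1 seconds, then block for T2 seconds" logic with a per-client sliding window and runs it over a constructed stream of share rename events. The event format, keying the limit per SMB client, and the extension list are assumptions made for illustration (the page mentions 50 extensions but does not list them).

```python
"""Rename-burst detection for a file share, modelled on the two rules the
slide describes: an extension-based early-warning check and a rate-based
block ("after N renames in T1 seconds, stop renames for T2 seconds").

Added example, not Deep Security code. The event format, keying the rate
limit per SMB client and the extension list are assumptions for illustration.
"""
from collections import defaultdict, deque
from dataclasses import dataclass

# Illustrative subset only: the page refers to a list of 50 ransomware-related
# extensions but does not enumerate them.
SUSPICIOUS_EXTENSIONS = {".wncry", ".wcry", ".locky", ".zepto", ".crypt"}


@dataclass(frozen=True)
class RenameEvent:
    ts: float       # seconds since epoch (constructed values below)
    client: str     # address of the SMB client performing the rename (assumed key)
    old_name: str
    new_name: str


def suspicious_extension(event: RenameEvent) -> bool:
    """Early detection: does the new name end in a known ransomware extension?"""
    dot = event.new_name.rfind(".")
    return dot != -1 and event.new_name[dot:].lower() in SUSPICIOUS_EXTENSIONS


class RenameRateLimiter:
    """After N renames within T1 seconds from one client, block that client's
    renames for T2 seconds (the slide's example: 10 in 60 s, block for 24 h)."""

    def __init__(self, n: int, t1: float, t2: float):
        self.n, self.t1, self.t2 = n, t1, t2
        self._window = defaultdict(deque)   # client -> timestamps inside the T1 window
        self._blocked_until = {}            # client -> time at which the block expires

    def decide(self, event: RenameEvent) -> str:
        """'allow', 'alert' (allowed, but the threshold was just reached) or 'block'."""
        until = self._blocked_until.get(event.client)
        if until is not None and event.ts < until:
            return "block"
        window = self._window[event.client]
        window.append(event.ts)
        # Slide the window: forget renames older than T1 seconds.
        while window and event.ts - window[0] > self.t1:
            window.popleft()
        if len(window) >= self.n:
            self._blocked_until[event.client] = event.ts + self.t2
            window.clear()
            return "alert"
        return "allow"


def run(events, limiter: RenameRateLimiter):
    """Apply both checks to a stream of rename events, in timestamp order.
    Returns (decisions, alerts): one (client, new_name, verdict) per event and
    the alert strings a defender would forward to the SIEM."""
    decisions, alerts = [], []
    for ev in sorted(events, key=lambda e: e.ts):
        if suspicious_extension(ev):
            alerts.append(f"extension: {ev.client} renamed {ev.old_name} -> {ev.new_name}")
        verdict = limiter.decide(ev)
        if verdict == "alert":
            alerts.append(f"rate: {ev.client} made {limiter.n} renames within "
                          f"{limiter.t1:g}s; blocking renames for {limiter.t2:g}s")
        decisions.append((ev.client, ev.new_name, verdict))
    return decisions, alerts


# Constructed sample: one client mass-renaming to .wncry once per second, one
# client doing a single ordinary rename, and the first client returning after
# the 24 h block has lapsed.
SAMPLE_EVENTS = [
    RenameEvent(1000.0 + i, "10.0.0.5", f"report{i}.docx", f"report{i}.docx.wncry")
    for i in range(12)
] + [
    RenameEvent(1005.5, "10.0.0.9", "draft.txt", "notes.txt"),
    RenameEvent(1000.0 + 12 + 24 * 3600, "10.0.0.5", "a.txt", "b.txt"),
]

if __name__ == "__main__":
    decisions, alerts = run(SAMPLE_EVENTS, RenameRateLimiter(n=10, t1=60, t2=24 * 3600))
    for d in decisions:
        print(d)
    for a in alerts:
        print(a)
```

With the slide's parameters (10 renames in 60 seconds, block for 24 hours) the first nine renames from 10.0.0.5 pass, the tenth raises the rate alert, the next two are blocked, and the rename a day later is allowed again; the extension check fires on every .wncry rename, including the attempts that were blocked, which is the "early detection" the first rule provides before the rate threshold is reached. Keying the window per client is a design choice: it keeps one misbehaving endpoint from disabling renames for every user of the share.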

Page 10

Page 11

System Security

Page 12

System Security

• Application Control: Lock down servers and prevent changes (whitelisting)

• Integrity Monitoring: Detect suspicious or unauthorized changes across files, ports, registries, and more

• Log Inspection: Consolidate and report on log information across systems

Automate protection from malicious attacks like ransomware; reduce attack surface and speed compliance; detect and notify of indicators of compromise (IOCs)

Page 13

Application Control: Block unknown software from running on Protected Servers

• When enabled, Application Control will scan servers and create a whitelist of approved software

• Administrator-defined rules can block all unknown software (not included in the whitelist) until explicitly allowed

– Effectively “locks down” servers to significantly reduce their attack surface

• Real-time protection against unknown software

• Included with the System Security License (along with Integrity Monitoring and Log Inspection)

Many ways for malware to install on your servers:

• Intrusions

• Lateral Movement

• Human Error

• Authorized users installing custom/personalized tools

Page 14

Stop unauthorized changes

• Full visibility across the hybrid cloud

• Lock down applications and servers (Windows & Linux)

• Support continuous application change with automation

Page 15

Malware Prevention

Page 16

Malware Prevention

Controls: Anti-Malware & Content Filtering · Machine Learning (2H/17) · Behavioral Analysis · Sandbox Analysis

• Detect & stop known malware from executing

• Detect suspicious files & behavior, stop malicious changes

• Send suspicious objects to a customizable network sandbox

• Stop malware and targeted attacks

• Detect & stop ransomware (ex: WCRY)

• Stop zero-day attacks

• Analyze unknown threats & share across multiple security products

Page 17

Intelligent Detection and Protection against Ransomware attacks (Anti-malware with Behavior Monitoring)

1. Deep Security Anti-malware is protecting the server

2. Unknown ransomware finds the server host and starts a legitimate-looking process

3. Ransomware begins encrypting files

4. Deep Security detects and monitors the suspicious behavior and begins backing up files

5. Deep Security determines the behavior to be a ransomware attack and stops the process

6. Deep Security restores the original unencrypted files to the directory and logs the event

Page 18

Page 19

Full System Protection with Trend Micro Connected Threat Defense

Turning Unknown threats into Known Threats with Sandbox Analysis!

Components shown: OfficeScan · Mail Gateway · Web Gateway · Trend Micro Control Manager (TMCM) · Deep Discovery Analyzer · Deep Security (Real-Time Scanning)

• Suspicious Object detected and sent to Deep Discovery Analyzer for confirmation

• TMCM notified of new malware and sends signature and policy to Deep Security

Pages 20 to 27: image-only slides (no extractable text)

Page 28

Protect Against Advanced Threats

Legend: Known Good · Known Bad · Unknown

Controls: Anti-Malware & Content Filtering · Intrusion Prevention (IPS) & Firewall · Integrity Monitoring & Log Inspection · Application Control · Machine Learning (2H/17) · Behavioral Analysis · Custom Sandbox Analysis

Safe files & actions allowed; malicious files & actions blocked

Page 29

Deep Security

Remove security complexity

Page 30

Smart Folders Demo

Page 31

Eliminate manual security processes

• Get full visibility across environments

• Automatically scale up and down without gaps

• Scan for vulnerabilities & recommend or apply security based on policy

• Install only security controls required for maximum performance

Page 32

Event-based tasks to profile new systems

Page 33

Protect against the latest vulnerabilities: Scheduled “Vulnerability” Scans

Page 34

Page 35

Security for VMware Deployments

Deep Security covers:

• Software-Defined Data Center (Private Cloud): vSphere, vCloud, NSX

• End User Computing: Horizon Virtual Desktop Infrastructure (VDI)

• Operations: vRealize Operations Management (VMware, AWS, Azure)

• Public Cloud (Multi-cloud)

Page 36

Securing VMware NSX

• Delivers automated security deployment & micro-segmentation (file & network)

• Integration enables security event viewing in vSphere with ability to take automated actions (ex: quarantine)

Page 37

Page 38

VMware continuity to NSX

• DS 10 supports agentless deployments with NSX 6.2.4 or higher

– Agentless AM-only requires: NSX for vShield Endpoint license, or NSX Standard license

– Agentless “All Controls” requires: NSX Advanced license, or NSX Enterprise license

• Alternatively, agents can be deployed where “All Controls” are required

– Agent deployments do not require NSX

1. With the built-in NSX firewall, the Deep Security firewall will normally not be used and should not be focused on for pure NSX deployments

2. Agent-based functionality in combined mode with Agentless

Deep Security controls by deployment mode (columns, left to right): vSphere with NSX agentless on NSX for vShield Endpoint (Free) or NSX Standard; agentless on NSX Advanced; agentless on NSX Enterprise; vSphere agent-based

Anti-Malware: ✅ ✅ ✅ ✅

WebReputation: ☑ ✅ ✅ ✅

Firewall: ☑ ✅ ✅ ✅

IPS/VP: ☑ ✅ ✅ ✅

Integrity Monitoring: ✅ ✅ ✅ ✅

Log Inspection: ☑ ✅

Page 39

Single pane of glass for Trend Micro events and VMware events

Page 40

Correlate vRops Events with Security Events

Page 41

Remove platform support issues

Thousands of supported kernels with rapid updates

Page 42

Protecting Docker Deployments

• Extends Deep Security server protection techniques to Docker containers

• Secures micro-service architectures through runtime protection

• Leverage anti-malware, app control, IPS, and integrity monitoring to secure containers

Platform shown: Amazon ECS

Page 43

Streamline information sharing

Page 44

Accelerate compliance

• Multiple controls with central management & reporting

• Protect legacy environments

• Consistent security across the hybrid cloud

Frameworks shown: 800-53, FERC

Page 45

Accelerate compliance & enhance security

8 of 12 requirements

10 of 20 requirements

6 of 10 requirements

Page 46

Confidential © 2017 Trend Micro Inc.

Gartner Magic Quadrant for Endpoint Protection Platforms, January 2017

This graphic was published by Gartner, Inc. as part of a larger research document and should be evaluated in the context of the entire document. The Gartner document is available upon request from

https://resources.trendmicro.com/Gartner-Magic-Quadrant-Endpoints.html

Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner's research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.

Page 47

The MARKET LEADER in server security for 7 straight years

(Market share chart; labels shown: Symantec, Intel, Other, 30%)

Source: IDC, Securing the Server Compute Evolution: Hybrid Cloud Has Transformed the Datacenter, January 2017, #US41867116

Page 48

Questions?

Page 49

Thank you

[email protected]