Securing the Modern Data Center with Trend Micro Deep Security
Okan Kalak, Senior Sales [email protected]
Advania Fall Conference
Copyright 2017 Trend Micro Inc.2
Infrastructure change…
• Physical Servers
• Virtual Servers
• Virtual Desktops
• Public Cloud
• Containers
• Serverless (AWS Lambda, Azure Functions)
Cloud workloads have different requirements for security than end-user-facing endpoints, and the adoption of hybrid private/public cloud computing models compounds the differences.
Source: Gartner, “Market Guide for Cloud Workload Protection Platforms”, March 2017 G00300334
Analyst insights & recommendations
Require vendors to support the security and visibility of workloads that span physical, virtual and multiple public cloud IaaS, all from a single policy management framework and console.
Cross-generational blend of threat defense techniques
• Response & Containment
• Intrusion Prevention
• Integrity Monitoring
• Anti-Malware & Content Filtering
• Machine Learning (2H/17)
• Behavioral Analysis
• Sandbox Analysis
• Application Control
Network Security
• Firewall
• Vulnerability Scanning
• Intrusion Prevention
Defend against network and application threats; stop lateral movement and reduce server attack surface; automatically assess workload vulnerabilities & apply protection.
Network Security
• Protect against OS & application vulnerabilities (ex: Struts 2, Shellshock)
• Detect & stop ransomware (ex: WCRY)
• Reduce the need for emergency patching
• Shield end-of-life systems & applications
Reduce operational impacts
• Reduce operational costs of emergency & ongoing patching
• Protect systems where no patches will be provided
• Secure server and application-level vulnerabilities
[Timeline: vulnerability disclosed or exploit available → virtual patch available → patch available (if in support) → test → begin deployment → completed]
WannaCry ransomware protection delivered in March 2017, with enhancements at public disclosure (May 2017): continuous protection.
File Server Ransomware Protection and early detection
Scenario: ransomware infects end users; their endpoints have mounted file shares, so the ransomware encrypts files on the shares even though the file server (Windows or Linux/Samba) is not itself infected.
Detection: Rule 1007596 - Identified Suspicious File Extension Rename Activity Over Network Share
• Detects renames to 50 ransomware-related extensions
• Provides early detection
Detection and Protection: Rule 1007598 - Identified Suspicious Rename Activity Over Network Share
• Rule to prevent renames after N renames in T1 seconds, for T2 seconds
• E.g. if Deep Security detects 10 renames in 60 seconds, stop any rename activity for, say, 24 hrs
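The two rules above amount to a sliding-window rate limit over rename events on a share. The following is an added illustration, not Deep Security's own code: it flags renames to a constructed short list of suspicious extensions (the real rule covers about 50) and, once N renames are seen within T1 seconds, refuses every rename for T2 seconds; the 10 / 60 s / 24 h defaults mirror the slide's example, and the event stream is constructed.

```python
from collections import deque
from dataclasses import dataclass, field
from typing import Deque, List, Tuple

# Constructed sample of ransomware-related extensions; the real rule covers ~50,
# this short list only illustrates the early-detection check.
SUSPICIOUS_EXTENSIONS = {".wncry", ".wcry", ".locky", ".zepto", ".crypt", ".cerber"}

@dataclass
class ShareRenameGuard:
    """Sliding-window rename guard modelled on the two rules (hypothetical code).
    Renames to a suspicious extension are flagged; once n_renames (N) occur within
    window_seconds (T1), every rename on the share is refused for block_seconds (T2)."""
    n_renames: int = 10              # N  (slide example: 10 renames)
    window_seconds: int = 60         # T1 (slide example: 60 seconds)
    block_seconds: int = 24 * 3600   # T2 (slide example: 24 hours)
    alerts: List[str] = field(default_factory=list)
    _times: Deque[float] = field(default_factory=deque)
    _blocked_until: float = 0.0

    def observe(self, ts: float, old_name: str, new_name: str) -> str:
        """Classify one rename event: 'blocked', 'block_started', 'flagged' or 'allowed'."""
        if ts < self._blocked_until:
            return "blocked"                      # still inside the T2 block window
        self._times.append(ts)
        while self._times and ts - self._times[0] > self.window_seconds:
            self._times.popleft()                 # keep only renames from the last T1 seconds
        if len(self._times) >= self.n_renames:
            self._blocked_until = ts + self.block_seconds
            self.alerts.append(f"{ts:.0f}s: {len(self._times)} renames within "
                               f"{self.window_seconds}s, blocking for {self.block_seconds}s")
            self._times.clear()
            return "block_started"
        ext = ("." + new_name.rsplit(".", 1)[-1].lower()) if "." in new_name else ""
        if ext in SUSPICIOUS_EXTENSIONS:
            self.alerts.append(f"{ts:.0f}s: suspicious extension rename {old_name} -> {new_name}")
            return "flagged"
        return "allowed"

def simulate(events: List[Tuple[float, str, str]]) -> List[str]:
    """Run a stream of (timestamp, old_name, new_name) events through one guard."""
    guard = ShareRenameGuard()
    return [guard.observe(ts, old, new) for ts, old, new in events]

# Constructed event stream: a mass-rename burst on a share, one rename during the
# block window, and one rename after the block has expired.
SAMPLE_EVENTS = [(i * 3.0, f"report{i}.docx", f"report{i}.docx.wncry") for i in range(11)]
SAMPLE_EVENTS += [(120.0, "notes.txt", "notes.bak"), (24 * 3600 + 200.0, "notes.txt", "notes.bak")]
```

Running simulate(SAMPLE_EVENTS) shows nine flagged renames, the tenth starting the block, two renames refused during the block, and the rename after 24 h allowed again.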
System Security
• Application Control: lock down servers and prevent changes (whitelisting)
• Integrity Monitoring: detect suspicious or unauthorized changes across files, ports, registries, and more
• Log Inspection: consolidate and report on log information across systems
Automate protection from malicious attacks like ransomware; reduce attack surface and speed compliance; detect and notify of indicators of compromise (IOCs).
Application Control: block unknown software from running on protected servers
• When enabled, Application Control will scan servers and create a whitelist of approved software
• Administrator-defined rules can block all unknown software (not included in the whitelist) until explicitly allowed
  – Effectively “locks down” servers to significantly reduce their attack surface
• Real-time protection against unknown software
• Included with the System Security License (along with Integrity Monitoring and Log Inspection)
Many ways for malware to install on your servers:
• Intrusions
• Lateral Movement
• Human Error
• Authorized users installing custom/personalized tools
Stop unauthorized changes
• Full visibility across the hybrid cloud
• Lock down applications and servers (Windows & Linux)
• Support continuous application change with automation
Malware Prevention
Controls: Anti-Malware & Content Filtering; Machine Learning (2H/17); Behavioral Analysis; Sandbox Analysis
• Detect & stop known malware from executing
• Detect suspicious files & behavior, stop malicious changes
• Send suspicious objects to a customizable network sandbox
Outcomes: stop malware and targeted attacks; detect & stop ransomware (ex: WCRY); stop zero-day attacks; analyze unknown threats & share across multiple security products.
Intelligent Detection and Protection against Ransomware attacks (Anti-malware + Behavior Monitoring)
1. Deep Security Anti-malware is protecting the server
2. Unknown ransomware finds the server host and starts a legitimate-looking process
3. Ransomware begins encrypting files
4. Deep Security detects and monitors the suspicious behavior and begins backing up files
5. Deep Security determines the behavior to be a ransomware attack and stops the process
6. Deep Security restores the original unencrypted files to the directory and logs the event
Turning Unknown threats into Known Threats with Sandbox Analysis!
Full System Protection with Trend Micro Connected Threat Defense: Deep Security, OfficeScan, Mail Gateway, Web Gateway, Trend Micro Control Manager (TMCM), Deep Discovery Analyzer
• Deep Security: suspicious object detected (real-time scanning) and sent to Deep Discovery Analyzer for confirmation
• TMCM notified of new malware and sends signature and policy to Deep Security
Protect Against Advanced Threats
Legend: Known Good / Known Bad / Unknown
Known good and known bad (safe files & actions allowed, malicious files & actions blocked):
• Anti-Malware & Content Filtering
• Intrusion Prevention (IPS) & Firewall
• Integrity Monitoring & Log Inspection
• Application Control
Unknown:
• Machine Learning (2H/17)
• Behavioral Analysis
• Custom Sandbox Analysis
Deep Security: remove security complexity
Smart Folders Demo
Eliminate manual security processes
• Get full visibility across environments
• Automatically scale up and down without gaps
• Scan for vulnerabilities & recommend or apply security based on policy
• Install only security controls required for maximum performance
Event-based tasks to profile new systems
Protect against the latest vulnerabilities: scheduled “Vulnerability” scans
Deep Security: Security for VMware Deployments
• Software-Defined Data Center (Private Cloud): vSphere, vCloud NSX
• End User Computing: Horizon Virtual Desktop Infrastructure (VDI)
• Operations: vRealize Operations Management (VMware, AWS, Azure)
• Public Cloud (Multi-cloud)
Securing VMware NSX
• Delivers automated security deployment & micro-segmentation (file & network)
• Integration enables security event viewing in vSphere with ability to take automated actions (ex: quarantine)
VMware continuity to NSX
• DS 10 supports Agentless deployments with NSX 6.2.4 or higher
  – Agentless AM-only requires NSX for vShield Endpoint license, or Standard license
  – Agentless “All Controls” requires NSX Advanced license, or NSX Enterprise license
• Alternatively, Agents can be deployed where “All Controls” are required
  – Agent deployments do not require NSX
Notes:
1. With the built-in NSX firewall, the Deep Security firewall will normally not be used and should not be focused on for pure NSX deployments
2. Agent-based functionality in combined mode with Agentless

Deep Security controls by deployment mode (vSphere with NSX, Agentless, vs. vSphere, Agent-based):
Control              | NSX for vShield Endpoint (Free) or NSX Standard | NSX Advanced | NSX Enterprise | Agent-based
Anti-Malware         | ✅ | ✅ | ✅ | ✅
Web Reputation       | ☑ | ✅ | ✅ | ✅
Firewall             | ☑ | ✅ | ✅ | ✅
IPS/VP               | ☑ | ✅ | ✅ | ✅
Integrity Monitoring | ✅ | ✅ | ✅ | ✅
Log Inspection       | ☑ | ✅
Single pane of glass for Trend Micro events and VMware events
Correlate vROps events with security events
Remove platform support issues
Thousands of supported kernels with rapid updates
Protecting Docker Deployments (Amazon ECS)
• Extends Deep Security server protection techniques to Docker containers
• Secures micro-service architectures through runtime protection
• Leverage anti-malware, app control, IPS, and integrity monitoring to secure containers
Streamline information sharing
Accelerate compliance
• Multiple controls with central management & reporting
• Protect legacy environments
• Consistent security across the hybrid cloud
Frameworks shown: 800-53, FERC
Accelerate compliance & enhance security
[Figure: 8 of 12 requirements; 10 of 20 requirements; 6 of 10 requirements]
Gartner Magic Quadrant for Endpoint Protection Platforms, January 2017
This graphic was published by Gartner, Inc. as part of a larger research document and should be evaluated in the context of the entire document. The Gartner document is available upon request from
https://resources.trendmicro.com/Gartner-Magic-Quadrant-Endpoints.html
Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner's research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.
The MARKET LEADER in server security for 7 straight years
[Market share chart residue: Symantec, Intel, Other, 30%]
Source: IDC, Securing the Server Compute Evolution: Hybrid Cloud Has Transformed the Datacenter, January 2017 #US41867116
Questions?
Thank [email protected]