Deep Security Integration with Sumo Logic

Size: px

Start display at page:

Download "Deep Security Integration with Sumo Logic"

Johnathan Fitzgerald
5 years ago
Views:

A Trend Micro White Paper I May 2016 Install, Integrate and Analyze» This paper is aimed at information security and solution architects looking to integrate

1 A Trend Micro White Paper I May 2016 Install, Integrate and Analyze» This paper is aimed at information security and solution architects looking to integrate the Trend Micro Deep Security with Sumo Logic. This paper will help you to design, implement and integrate the Trend Micro Deep Security Platform with Sumo Logic.

2 TABLE OF CONTENTS TABLE OF CONTENTS... 2 GETTING STARTED... 3 Introduction... 3 Intended Audience... 3 About this Paper... 3 Help and Support... 3 SOLUTION COMPONENTS... 4 Deep Security Manager (DSM)... 4 Sumo Logic Data Analytics Service and Web UI... 4 Deep Security Agent (DSA)... 4 Sumo Logic Installed Collectors and Sources... 4 HOW THE INTEGRATED SOLUTION WORKS?... 5 Overview... 5 INSTALL... 6 Install options... 6 Installed Collector with Syslog Sources... 6 INTEGRATE... 8 System event log forwarding... 8 Security event log forwarding... 9 Integration Options for security event logs Relay Via Deep Security Manager Direct Forward Comparison between Two Integration Options ANALYZE Supported Event Log Formats Parsing Event Log Messages Field Extraction Rules Sumo Logic Dashboard What s Coming? Page 2 of 16 Trend Micro White Paper

3 GETTING STARTED INTRODUCTION The Trend Micro Deep Security Software and Deep Security as a Service provides a comprehensive security solution that easily integrates with log management, security analytics and Security Information and Event Manager (SIEM) products. Enterprises are running their workloads across complex, hybrid infrastructures, and need solutions that provide full-stack, 360-degree visibility to support rapid time to identify and resolve security threats. Trend Micro Deep Security offers seamless integration with Sumo Logic s data analytics service to enable rich analysis, visualizations and reporting of critical security and system data. INTENDED AUDIENCE This paper is intended for information security and solution architects looking to integrate the Trend Micro Deep Security with Sumo Logic. It is expected that the reader is comfortable with common computing and networking terminologies and topics. ABOUT THIS PAPER This paper includes architectural considerations and configuration steps required to integrate the Trend Micro Deep Security Platform and Sumo Logic. This paper also provides a detailed walkthrough of event forwarding and incident analysis. HELP AND SUPPORT This paper is not meant to substitute for product documentation. For detailed information regarding installation, configuration, administration and usage of the Deep Security product, please refer to the following links to online resource, documentation and self-help tools; For detailed information regarding installation, configuration and administration of Sumo Logic, please refer to the following link: Page 3 of 16 Trend Micro White Paper

SOLUTION COMPONENTS DEEP SECURITY MANAGER (DSM) This is the management component of the system and is responsible for sending rules and security settings to the Deep Security Agents.

The integration with Sumo Logic is done using this interface and no additional component or software is required. DEEP SECURITY AGENT (DSA) This component provides for all protection functionality.

Additionally, the DSA sends a regular heartbeat to the DSM, and pushes event logs and other data points about the instance being protected to the DSM.

4 SOLUTION COMPONENTS DEEP SECURITY MANAGER (DSM) This is the management component of the system and is responsible for sending rules and security settings to the Deep Security Agents. The DSM is controlled using the web-based management console. Using the console, the administrator can define security policies, manage deployed agents, query status of various managed instances, etc. The integration with Sumo Logic is done using this interface and no additional component or software is required. DEEP SECURITY AGENT (DSA) This component provides for all protection functionality. The nature of protection depends on the rules and security settings that each DSA receives from the Deep Security Manager. Additionally, the DSA sends a regular heartbeat to the DSM, and pushes event logs and other data points about the instance being protected to the DSM. SUMO LOGIC INSTALLED COLLECTORS AND SOURCES Sumo Logic Installed Collectors receive data from one or more Sources. Collectors collect raw log data, compress it, encrypt it, and send it to the Sumo Logic, in real time via HTTPS. The Deep Security Solution Components forward security events to Installed Collectors with a syslog source. SUMO LOGIC DATA ANALYTICS SERVICE AND WEB UI The Sumo Logic Web UI is browser-based and provides visibility and analysis of log data and security events sent by the Deep Security Platform to the Sumo Logic service and also provides administration tools for checking system status, managing your deployment, controlling user access and managing Collectors. Page 4 of 16 Trend Micro White Paper

OVERVIEW HOW THE INTEGRATED SOLUTION WORKS?

through the Installed Collector and Syslog Source.

syslog messages from Trend Micro Deep Security Solution.

forwards them securely to the Sumo Logic Data Analytics Service.

5 OVERVIEW HOW THE INTEGRATED SOLUTION WORKS? Trend Micro Deep Security Software and Deep Security as a Service integrates with Sumo Logic through the Installed Collector and Syslog Source. This Syslog Source operates like a syslog server listening on the designated port to receive syslog messages from Trend Micro Deep Security Solution. The Installed Collectors can be deployed in your environment either on a local machine, a dedicated server or in the cloud. The Deep Security platform sends system and security event logs to this server, which forwards them securely to the Sumo Logic Data Analytics Service. Figure 1 provides a high-level overview of the integration process. Install Install Collector & configre Syslog Source Integrate Integrate Deep Security with Sumo Logic Analyze Perform visualizations and forensic investigations from the Sumo service FIGURE 1 - INTEGRATION OVERVIEW Page 5 of 16 Trend Micro White Paper

INSTALL OPTIONS INSTALL The first thing to consider when you set up the integration is how to collect data from your Deep Security deployment and forward it to Sumo Logic.

6 INSTALL OPTIONS INSTALL The first thing to consider when you set up the integration is how to collect data from your Deep Security deployment and forward it to Sumo Logic. There are three basic methods available, local host data collection, centralized syslog data collection and hosted collector. Deep Security uses an installed centralized collector with syslog source. In this method, an installed Collector with Syslog Sources can be used to collect all relevant data in a centralized location before forwarding it on to Sumo Logic s cloud-based service. INSTALLED COLLECTOR WITH SYSLOG SOURCES The installation process involves the deployment of a Sumo Logic collector in your environment and then adding a Syslog Source to it. A Sumo Logic Installed Collector can be installed on any standard server and used to collect local files, remote files or to aggregate logs from network services via syslog. You can choose to install a small number of collectors to minimize maintenance or you can choose to install many Collectors on many machines to leverage existing configuration management and automation tools like Puppet or Chef. At the minimum you will need one Installed Collector setup for Deep Security. The number of syslog sources you need depends on the types of event logs that you are sending to Sumo logic. You will need one syslog source for each type of event. There are two types of events in Deep Security: System Events and Security Events. In the example shown below, we have configured Sumo Logic Installed Collector with two Syslog Sources using UDP protocol. FIGURE 2 - LIST OF COLLECTORS FROM SUMO LOGIC S WEB CONSOLE In this example setup, the first syslog source is listening on UDP port 514 for System Event Log forwarding. Page 6 of 16 Trend Micro White Paper

7 FIGURE 3 - INSTALLED COLLECTOR SYSLOG SOURCE FOR SYSTEM EVENTS The second syslog source below is listening on UDP port 1514 for Security modules event log forwarding. FIGURE 4 - INSTALLED COLLECTOR SYSLOG SOURCE FOR SECURITY EVENTS Page 7 of 16 Trend Micro White Paper

SYSTEM EVENT LOG FORWARDING INTEGRATE The integration of Trend Micro Deep Security for system events forwarding to Sumo Logic is done via system setting (Administration System Settings SIEM)

8 SYSTEM EVENT LOG FORWARDING INTEGRATE The integration of Trend Micro Deep Security for system events forwarding to Sumo Logic is done via system setting (Administration System Settings SIEM) configuration as shown below; FIGURE 5 - SYSTEM SETTINGS FOR INTEGRATION OF SYSTEM EVENTS WITH SUMO LOGIC Page 8 of 16 Trend Micro White Paper FIGURE 6 - SYSTEM EVENTS FORWARDING TO SUMO LOGIC

SECURITY EVENT LOG FORWARDING The integration of Trend Micro Deep Security for security event forwarding to Sumo Logic is done via Policy configuration and requires a Syslog Source with UDP protocol

9 SECURITY EVENT LOG FORWARDING The integration of Trend Micro Deep Security for security event forwarding to Sumo Logic is done via Policy configuration and requires a Syslog Source with UDP protocol and connection information to be added to the policy. Deep Security allows Policy heritance where child policies inherit their settings from their parent Policies. This way you can create a policy tree that begins with a top/base parent policy configured with settings and rules that will apply to all computers. When you have a single collector installed in your environment to collect logs from Deep Security it is recommended to set the integration details at the Top (root/base) policy as shown below; FIGURE 7 - POLICY SETTINGS FOR INTEGRATION OF SECURITY EVENTS WITH SUMO LOGIC Additionally, you can configure individual collectors for each security protection module or have all Deep Security modules to send logs to one collector depending on your requirements. Page 9 of 16 Trend Micro White Paper

10 INTEGRATION OPTIONS FOR SECURITY EVENT LOGS There are two integration options available to configure Deep Security Solution to forward security events to Sumo Logic, Relay via Deep Security Manager and Direct Forward. RELAY VIA DEEP SECURITY MANAGER This option sends the syslog messages from the Deep Security Manager after events are collected on heartbeats as shown below. FIGURE 8 - SECURITY EVENT FORWARDING VIA DEEP SECURITY MANAGER Page 10 of 16 Trend Micro White Paper

11 DIRECT FORWARD This option sends the security events/messages in real time directly from the Agents as shown below. FIGURE 9 - DIRECT EVENTS FORWARDING OF SECURITY EVENTS Page 11 of 16 Trend Micro White Paper

12 COMPARISON BETWEEN TWO INTEGRATION OPTIONS When you are deciding what integration option to choose from to send security events to Sumo Logic Installed Collectors among these two integration choices, consider your deep security deployment (as a Service, AWS and Azure Marketplace AMI/VM or software), your network topology/design, your available bandwidth, and deep security policy design. The table below provides comparison between these two choices for easier decision process; RELAY VIA DEEP SECURITY MANAGER Delivery of security event logs is not in real time. Note: Security events are sent from Deep Security Agents to Deep Security Manager on every regular heartbeat interval (By default every 10 minutes) and then forwarded to Sumo Logic Installed Collector Transport protocol is UDP Easier network design with a single installed collector configuration. Since this option requires only one network connection path to Installed Collector Server i.e. From DSM to Installed Collector Server. Single Security policy configuration can help integrate with Sumo Logic. Not Recommended with Deep Security as a Service deployment model because the event data is sent to your local installed collector in clear text. DIRECT FORWARD Delivery of Security event logs is real time. Note: Security events are sent directly by the Deep Security Agents in real time hence there is no dependency on heartbeat. Transport protocol is UDP Requires more network connection path to Installed Collector Server i.e. From each DSA to Installed Collector Server. This may require complex network design based on where Deep Security Agents are running. This option could require multiple Installed Collector Servers. May require multiple policies to help integrate with Sumo Logic. Recommended with Deep Security as a Service deployment model because the event data is sent to your local installed collector and all the traffic is local to your network e.g. Never leave the VPC network in clear text. Page 12 of 16 Trend Micro White Paper

13 ANALYZE Once the install and integration steps are done, you are all set to analyze Deep Security event data in Sumo Logic s web console. You can run searches, identify anomalies and correlate events across your protected workloads. You can also create powerful dashboards to unify, enrich and visualize security related information across your entire physical, virtual and cloud infrastructure. SUPPORTED EVENT LOG FORMATS Deep Security can forward events to a Sumo Logic collector over syslog in these formats; Common Event Format 1.0 Log Event Extended Format (LEEF) 2.0 There is also a basic syslog format available for legacy installations. This format should not be used for new installations because not all security events modules support basic syslog format. The event format selection for security events is done via Policy configuration and for system events it is done via the system setting. It is recommended to pick an event format that help with the interoperability between various event or log-generating devices in your deployment. PARSING EVENT LOG MESSAGES In each supported event format, the Extension part of the event message is a placeholder for additional custom fields used by Deep Security. These additional fields are documented in the Deep Security Administration Guide under Syslog Integration section. All the extensions described in the event log format tables of the administration guide will not necessarily be included in each log entry. Sumo Logic provides a number of ways to parse fields in your log messages. For example, the Parse Regex operator enables users comfortable with regular expression syntax to extract data from log messages. You can use parse regex operator to extract Deep Security event log messages. When parsing Deep Security event log messages, make sure; The search query expressions do not depend on each key/value pair to be there. Use nodrop option with parse regex expression to ensure this. The search query expressions don t expect key/value pairs to be in a particular order. For example; to parse Anti-Malware log events in CEF format, you can use a search query; Page 13 of 16 Trend Micro White Paper

FIGURE 10 - SAMPLE PARSE REGEX QUERY TO EXTRACT ANTI-MALWARE EVENTS FIELD EXTRACTION RULES Automatic field parsing can also be configured using Field Extraction Rules.

14 FIGURE 10 - SAMPLE PARSE REGEX QUERY TO EXTRACT ANTI-MALWARE EVENTS FIELD EXTRACTION RULES Automatic field parsing can also be configured using Field Extraction Rules. This feature allows the Sumo Logic user the ability to explore the data without writing parse statements into every search. See below for sample field extraction rules and deployment guidance. For additional information and instructions on configuring field extraction rules, see the Sumo Logic documentation here. Also, sample Trend Micro Deep Security specific field extraction rules can be found here Page 14 of 16 Trend Micro White Paper

15 SUMO LOGIC DASHBOARD The Sumo Logic dashboards are a powerful visualization tool to help accelerate the time to identify anomalies and indicators of compromise (IOC). The saved searches powering these dashboards can also be leverage for forensic investigations and to reduce the time it takes for root cause analysis and remediation. The uses for Dashboards are nearly endless. Perhaps your IT security group wants to keep an eye on who is installing virtual machines. You can edit, create and save the queries you run as a panel in a Dashboard, and watch for spikes over time in a line graph. Multiple graphical options/formats are supported. Dashboards bring additional assurance, knowing that unusual activity will be displayed real time in an easy-to-digest graphical format. The data that matters the most to you is even easier to track. FIGURE 11 - SUMO LOGIC DASHBOARD WITH TREND MICRO DEEP SECURITY PANELS Page 15 of 16 Trend Micro White Paper

16 WHAT S COMING? Sumo Logic Apps deliver out-of-the-box Dashboards, saved searches, and field extraction for popular data Sources. When you install a Sumo Logic App, these pre-set searches and Dashboards are customized with your source configurations and populated in a folder selected by you. The Sumo Logic App for Trend Micro Deep Security will be released in the near future to provide pre-set searches and extractions rules with out-of-the box dashboard for each security module it offers. Trend Micro Incorporated, a global leader in security software, strives to make the world safe for exchanging digital information. Our innovative solutions for consumers, businesses and governments provide layered content security to protect information on mobile devices, endpoints, gateways, servers and the cloud. All of our solutions are powered by cloud-based global threat intelligence, the Trend Micro Smart Protection Network, and are supported by over 1,200 threat experts around the globe. For more information, visit by Trend Micro Incorporated. All rights reserved. Trend Micro, the Trend Micro t-ball logo, and Smart Protection Network are trademarks or registered trademarks of Trend Micro Incorporated. All other company and/or product names may be trademarks or registered trademarks of their owners. Information contained in this document is subject to change without notice. [WPXX_templates_160318US] Page 16 of 16 Trend Micro White Paper

Network Security Protection Alternatives for the Cloud

A Trend Micro White Paper May 2016 Network Security Protection Alternatives for the Cloud» A technical brief summarizing the deployment options that can be used to deploy IDS/IPS protection for cloud instances