Security Standards Compliance CSE ITSG Trend Micro Products. - Version 2.0

Security Standards Compliance CSE ITSG Trend Micro Products (Deep Discovery Inspector, Deep Security and SecureCloud) - Version 2.0

Document TMIC-004-CS Version 2.0, February

Guide to Managing Security Risks from Using Information Systems, Security Control Catalogue, ITSG-33 Annex 3

Security Standards Compliance -- Trend Micro Products (Deep Discovery Inspector, Deep Security and SecureCloud)

Reference:

A CSE Guide to Managing Security Risks from Using Information Systems, Security Control Catalogue, ITSG-33 Annex 3, final draft, 31 Mar 11
B CSE Guide to Managing Security Risks from Using Information Systems, Protected B / Medium Integrity / Medium Availability, ITSG-33, Annex 4, 1, final draft, 31 Mar 2011
C CSE Guide to Managing Security Risks from Using Information Systems, Protected A / Low Integrity / Low Availability, ITSG-33, Annex 4, 2, final draft, 31 Mar 2011
D CSE Guide to Managing Security Risks from Using Information Systems, Secret / Medium Integrity / Medium Availability, ITSG-33, Annex 4, 3, final draft, 31 Mar 2011
E Recommended Security Controls for Federal Information Systems and Organizations, NIST Special Publication , Revision 3, Aug
F Security and Privacy Controls for Federal Information Systems and Organizations, NIST Special Publication , Revision 4, 15 Jan 2014
G Security Standards Compliance SP Revision 4 - (Deep Discovery Inspector and SecureCloud), Trend Micro whitepaper, prepared by BD Pro, version 2, Feb 2015
H Government Enterprise, Large Scale Virtual Server Environment, Risk Assessment, Trend Micro whitepaper, prepared by BD Pro, version 1, 11 Feb 2011
I Securing Large Scale Virtual Server Environments in US Government Enterprises, Trend Micro whitepaper, prepared by BD Pro, version 1, 29 Nov 2011

The Communications Security Establishment (CSE) ITSG-33 series of guidelines provides definitions of security controls that security practitioners can use as a foundation for selecting security controls for the protection of Government of Canada information systems.
The key guidance documents are the Annex 3 Security Controls Catalogue and 3 companion Annex 4 security control profiles documents: 1: {Protected B / Medium Integrity / Low Availability}; 2: {Protected A / Low Integrity / Low Availability}; and 3: {Secret / Medium Integrity / Medium Availability}. The ITSG-33 Security Controls Catalogue is based on NIST SP Revision 3 (Aug 2009). This document is an update to the 2011 whitepaper and includes Deep Discovery Inspector in the compliance analysis.

Virtualized servers and cloud computing environments are being implemented throughout government enterprises and their cloud service providers. They face many of the same security challenges as their physical counterparts and additionally have to contend with a number of security concerns specific to the virtual environment, such as: inter-VM traffic, resource contention, blurring of system and network security boundaries, mixed trust levels, security zoning, and separation of duties. In particular, organizations need to specifically protect their sensitive information assets in the virtualized multi-tenant cloud environment, where the physical storage locations are unknown to them and distributed across the cloud.

The ITSG-33 guidance documents provide a foundation of security controls for incorporating into an organization's overall security requirements baseline for mitigating risk and improving systems and application security in their physical and virtualized environments. Many of the organizations using the security requirements also have obligations to be able to demonstrate compliance with them. From a security product vendor's viewpoint, there is a need to clearly demonstrate to users of their products how their products will satisfy, support (i.e. product self-protection), or partially meet the ITSG-33 security requirements.
In this document we have indicated how ITSG-33 compliance is addressed by the Trend Micro Deep Discovery Inspector, Deep Security and SecureCloud solutions. The Trend Micro products Deep Discovery Inspector v3.7, Deep Security v9.5 and SecureCloud v3.7 help satisfy the requirements of ITSG-33, at both the application/system enterprise level and as security features specific to the products, such as product access controls, audit capability, etc. The appropriate context of each compliancy statement is indicated:

- how the Trend Micro products help satisfy the Enterprise level security requirements; and
- how the Trend Micro products satisfy the Product level security requirements.

These product-specific compliancy details are needed by managers, security systems engineers and risk analysts in order that they may select and architect cost-effective secure solutions that will protect their Enterprise systems and sensitive information assets from the modern hostile threat environment. The context compliancy statements include those related to the SFRs and SARs 1 used in most recent Common Criteria evaluations: Deep Discovery Inspector v3.1 EAL2 2; and Deep Security v EAL2 evaluation in progress 3. The Common Criteria certification ensures that these products have been methodically designed, tested and reviewed by fully qualified US and Canadian government certified testing laboratories. The ITSG-33 compliancy analysis also recognized that SecureCloud cryptographic capabilities were developed using FIPS evaluated libraries 4.

One of the major challenges is for government enterprises and their service providers to remain compliant with the ITSG-33 requirements in the constantly changing threat environment. One objective of this Trend Micro document is to provide focused guidance on how the Trend Micro Deep Discovery Inspector, Deep Security and SecureCloud solutions can effectively help deal with these ongoing challenges.
The ITSG-33 security control profiles and priorities are leveraged to provide such focus in this guidance. This Prioritized Approach identifies the applicable ITSG-33 implementation priorities (1,, or 3) and the security controls profile (1, 2 or 3). These details will help enterprises and their service provider partners implement a continuous improvement process to protect critical assets data against the highest risk factors and modern escalating threats. The above referenced Trend Micro whitepapers also provide additional guidance related to virtualization implementations.

1 The CC evaluation Security Targets also included Trend Micro product specific Security Functional Requirements (SFRs) and Security Assurance Requirements (SARs) related to Intrusion Detection and Anti-Malware.
2 Deep Discovery Inspector v 3.1 CC Certification Report CR, CSE, dated 21 Jan
3 The current Common Criteria evaluation of Deep Security v9.5 is an update to the earlier evaluations to EAL4+ for Deep Security v7.5 SP (Certification Report # ) and for Deep Security v8.0 SP1 (Maintenance Report # MR).
4 SecureCloud utilizes FIPS Level 2 Certified, Validation Number 1123: Cryptographic Libraries

Deep Discovery Inspector, with combined functionality of Virtual Analysis (sandbox threat behavior simulation), Advanced Threat Scans, and APT Detection, has been certified to the ISO Common Criteria EAL2 level. The primary Deep Discovery Inspector modules include:

- Management Console provides a built-in online management console through which users can view system status, configure threat detection, configure and view logs, run reports, administer Deep Discovery Inspector, and obtain help.
- Virtual Analyzer provides a virtualized environment where untrusted files can be safely inspected.
- Network Content Correlation Engine is a module that implements rules or policies defined by Trend Micro. Trend Micro regularly updates these rules after analyzing the patterns and trends that new and modified viruses exhibit.
- Advanced Threat Scan Engine is a file-based detection-scanning engine that has true file type, multi-packed files, and IntelliTrap detection. The scan engine performs the actual scanning across the network and uses a virus pattern file to analyze the files passing through the network. The virus pattern file contains binary patterns of known viruses. Trend Micro regularly releases new virus pattern files when new threats are detected.
- Network Virus Scan uses a combination of patterns and heuristics to proactively detect network viruses. It monitors network packets and triggers events that can indicate an attack against a network. It can also scan traffic in specific network segments.
- Network Content Inspection Engine is a module used to scan the content passing through the network layer.

The Deep Security product provides, in both virtualized and physical environments, the combined functionality of a Common Criteria EAL2 validated Firewall, Anti-Virus, Deep Packet Inspection, Integrity Monitoring, Log Inspection, Role Based Access Control (RBAC) and support for multi-tenant virtual environments.
The primary Deep Security modules include:

- Deep Security Manager is a centralized Web-based management console which administrators use to configure security policy and deploy protection to the enforcement components: the Deep Security Virtual Appliance and the Deep Security Agent.
- Firewall Module centralizes management of server firewall policy using a bidirectional stateful firewall. Supports virtual machine zoning and prevents denial of service attacks. Provides broad coverage for all IP-based protocols and frame types as well as fine-grained filtering for ports and IP and MAC addresses.
- Anti-malware Module provides both real-time and on-demand protection against file-based threats, including threats commonly referred to as malware, viruses, Trojans, and spyware. To identify threats, Anti-Malware checks files against a comprehensive threat database, portions of which are hosted on servers or kept locally as updatable patterns. Anti-Malware also checks files for certain characteristics, such as compression and known exploit code. To address threats, Anti-Malware selectively performs actions that contain and remove the threats while minimizing system impact. Anti-Malware can clean, delete, or quarantine malicious files. It can also terminate processes and delete other system objects that are associated with identified threats.
- Recommendation Scans identifies known vulnerabilities. The operation scans the operating system and also installed applications. Recommendation Scans automate scanning of systems and patch levels against the latest Critical Vulnerability and Exposure (CVE) database, to automatically apply Deep Security signatures, engines, patterns, and rules/filters to detect/prevent exploitation of these vulnerabilities and to produce audit logs and reports which can be used to support a continuous monitoring program or audits.
- Integrity Monitoring Module detects and reports malicious and unexpected changes to files and systems registry in real time, and is available in agentless form factor. Provides administrators with the ability to track both authorized and unauthorized changes made to the instance. The ability to detect unauthorized changes is a critical component in a cloud security strategy as it provides the visibility into changes that could indicate the compromise of an instance.
- Log Inspection Module provides visibility into important security events buried in log files. Optimizes the identification of important security events buried in multiple log entries across the data center. Forwards suspicious events to a SIEM system or centralized logging server for correlation, reporting and archiving. Leverages and enhances open-source software available at OSSEC.
- Intrusion Prevention Module protects computers from being exploited by attacks against known and zero-day vulnerabilities as well as against SQL injection attacks, cross-site scripting attacks, and other web application vulnerabilities. Shields vulnerabilities until code fixes can be completed. It identifies malicious software accessing the network and increases visibility into, or control over, applications accessing the network. Intrusion Prevention prevents attacks by detecting malicious instructions in network traffic and dropping relevant packets.
- Web Reputation Module protects against web threats by blocking access to malicious URLs. Deep Security uses Trend Micro's Web security databases from Smart Protection Network sources to check the reputation of Web sites that users are attempting to access. The Web site's reputation is correlated with the specific Web reputation policy enforced on the computer. Depending on the Web Reputation Security Level being enforced, Deep Security will either block or allow access to the URL.

SecureCloud is based on a Common Criteria EAL 4 certified product and provides FIPS full disk encryption in either virtualized or physical environments. It has been specifically designed to assist in a multi-tenancy Cloud environment to ensure that each tenant's data is isolated, using cryptography and cryptographic keys unique to each tenant.

These three products and other Trend Micro services can be integrated into various enterprise architectures required to effectively minimize the organization's cyber security risks. Such Trend Micro services include:

- Control Manager provides a centralized management function for Deep Discovery Inspector (and other Trend Micro products).
- Smart Protection Network provides a URL and file reputation rating service.
- TrendLabs is a global network of research, development, and action centers committed to 24x7 threat surveillance, attack prevention, and timely and seamless solutions delivery. Serving as the backbone of the Trend Micro service infrastructure, TrendLabs is staffed by a team of several hundred engineers and certified support personnel that provide a wide range of product and technical support services.
- Threat Management Services provides organizations with an effective way to discover, mitigate, and manage stealthy and zero-day internal threats. Threat Management Services brings together security experts and a host of solutions to provide ongoing security services. These services ensure timely and efficient responses to threats, identify security gaps that leave the network vulnerable to threats, help minimize data loss, significantly reduce damage containment costs, and simplify the maintenance of network security.
- Threat Management Service Portal is an on-premise or hosted service which receives logs and data from registered products (DDI) and creates reports to enable product users to respond to threats in a timely manner and receive up-to-date information about the latest and emerging threats.
- Threat Connect correlates suspicious objects detected in the organization's environment and threat data from the Trend Micro Smart Protection Network. By providing on-demand access to Trend Micro intelligence databases, Threat Connect enables an organization to identify and investigate potential threats to their environment.
- Mobile App Reputation Services (MARS) collects data about detected threats in mobile devices. Mobile App Reputation Service is an advanced sandbox environment that analyzes mobile app runtime behavior to detect privacy leaks, repacked mobile apps, third-party advertisement SDKs, vulnerabilities, and app categories.
- Threat Mitigator receives mitigation requests from Deep Discovery Inspector after a threat is detected. Threat Mitigator then notifies the Threat Management Agent installed on a host to run a mitigation task.
- Mitigation (Module) Devices performs threat cleanup activities on network endpoints.

CSE ITSG-33 Control

AC-2 Technical / Access Control / Account Management

(A) The organization manages information system accounts, including identifying account types (i.e., individual, group, system, application, guest/anonymous, and temporary).
(B) The organization manages information system accounts, including establishing conditions for group membership.
(C) The organization manages information system accounts, including identifying authorized users of the information system and specifying access privileges.
(D) The organization manages information system accounts, including requiring appropriate approvals for requests to establish accounts.
(E) The organization manages information system accounts, including establishing, activating, modifying, disabling, and removing accounts.
(F) The organization manages information system accounts, including specifically authorizing and monitoring the use of guest/anonymous and temporary accounts.
(G) The organization manages information system accounts, including notifying account managers when temporary accounts are no longer required and when information system users are terminated, transferred, or information system usage or need-to-know/need-to-share changes.
(H) The organization manages information system accounts, including deactivating: (i) temporary accounts that are no longer required; and (ii) accounts of terminated or transferred users.
(I) The organization manages information system accounts, including granting access to the system based on: (i) a valid access authorization; (ii) intended system usage; and (iii) other attributes as required by the organization or associated missions/business functions.
(J) The organization manages information system accounts, including reviewing accounts [Assignment: organization-defined frequency].
Supplemental Guidance: The identification of authorized users of the information system and the specification of access privileges is consistent with the requirements in other security controls in the security plan. Users requiring administrative privileges on information system accounts receive additional scrutiny by organizational officials responsible for approving such accounts and privileged access. Related controls: AC-3, AC-4, AC-5, AC-6, AC-10, AC-17, AC-19, AC-20, AU-9, IA-4, IA-5, GC.ITSG33.11.CM-5, GC.ITSG33.11.CM-6, MA-3, MA-4, MA-5, SA-7, SC-13, SI-9

1 Deep Discovery Inspector v3.1 has been EAL2 certified by the Common Criteria Evaluation and Certification Scheme; Deep Security v9.5 is currently being evaluated to EAL2 and provides the Identification and Authentication, Security Management functions to address this requirement as self-protection of the products.

Deep Discovery Inspector solution assists in meeting this requirement through the use of Role Based Access Controls, for Administrator and Viewers.

Deep Security solution assists in meeting this requirement through the use of Role Based Access Controls. The role-based access allows multiple administrators (Users), each with different sets of access and editing rights, to edit and monitor different aspects of the system and receive information appropriate to them.

The SecureCloud solution assists in meeting this requirement by using Role Based Access Controls for Group Accounts, and Administration to manage System Administrators and by integration with an organization's Active Directory to provide the access control and account management

AC-2 (4) Technical / Access Control / Account Management / Automated Audit Actions

The information system automatically audits account creation, modification, disabling, and termination actions and notifies, as required, appropriate individuals.

Deep Discovery Inspector solution satisfies this requirement through the use of Role Based Access Controls, which are audited in terms of the defined auditable events as documented in the Deep Discovery Inspector, Common Criteria, Security Target.

Deep Security solution satisfies this requirement through the use of Role Based Access Controls, which are audited in terms of the defined auditable events. The user and group account management data that is automatically audited as auditable events are documented in the Deep Security, Common Criteria, Security Target.

The SecureCloud solution satisfies this requirement by using Role Based Access Controls and integration with Active Directory to provide the access control and account management data, which is automatically captured in the SecureCloud audit logs.

AC-2 (7) Technical / Access Control / Account Management

The organization: (a) Establishes and administers privileged user accounts in accordance with a role-based access scheme that organizes information system and network privileges into roles; and (b) Tracks and monitors privileged role assignments.

Supplemental Guidance: Privileged roles include, for example, key management, network and system administration, database administration, web administration.

Tailoring and Implementation Guidance: This security control/enhancement can be met using readily available Commercial-Off-The-Shelf (COTS) components, and is considered to be best practice. Consequently, inclusion of this security control/enhancement is strongly encouraged in most cases. The minimization of administrative privileges is an account management best-practice.

The Common Criteria EAL-2 Certification Report for Deep Discovery Inspector v3.1 includes compliance to Security Roles, through Role Based Access Controls.

Deep Security v9.5, which is currently being evaluated to the Common Criteria EAL2 level, includes compliance to Security Roles through Role Based Access Controls.

The SecureCloud solution satisfies this requirement by using Role Based Access Controls and integration with Active Directory

AC-3 Technical / Access Control / Access Enforcement

(A) The information system enforces approved authorizations for logical access to the system in accordance with applicable policy.

Supplemental Guidance: Access control policies (e.g., identity-based policies, role-based policies, attribute-based policies) and access enforcement mechanisms (e.g., access control lists, access control matrices, cryptography) are employed by organizations to control access between users (or processes acting on behalf of users) and objects (e.g., devices, files, records, processes, programs, domains) in the information system.
In addition to enforcing authorized access at the information system level, access enforcement mechanisms are employed at the application level, when necessary, to provide increased information security for the organization. Consideration is given to the implementation of an audited, explicit override of automated mechanisms in the event of emergencies or other serious events. If encryption of stored information is employed as an access enforcement mechanism, the cryptography used must be compliant with the requirements of control SC-13. For classified information, the cryptography used is largely dependent on the classification level of the information and the clearances of the individuals having access to the information. Mechanisms implemented by AC-3

1 Deep Discovery Inspector enforces access to authorized product administrators using role-based access control. All product administrators are assigned roles at creation. Authorized product administrators can only access the product through the administrative interface. They have full access to the functions permitted by their roles.

Deep Security access enforcement includes role-based access, which allows multiple administrators, each with different sets of access and editing rights, to edit and monitor different aspects of the system and receive information appropriate to them. In addition, digital signatures are used to authenticate system components and verify the integrity of rules.

SecureCloud provides an access enforcement mechanism to organizational data through the controlled release of cryptological keys to encrypt or decrypt the organization's data. The cryptological keys are only released when the configured criteria (policy and integrity check) are met; this includes the location of the application, host name, the latest operating system patch, and/or the latest Trend Micro engine and pattern file.

NOTE: AC-3 security controls have been added to the 2012 NIST SP Revision 4 security controls catalogue.
They are not included in ITSG-33, which is based on the earlier 2009 Revision 3. Deep Discovery Inspector, Deep Security and SecureCloud compliancy guidance for these new controls is provided in the referenced compliance report for SP Revision 4, which is available from Trend Micro: AC-3 (7) Access Enforcement / Role-Based Access Control

AC-4 Technical / Access Control / Information Flow Enforcement

AC-4 (4) Technical / Access Control / Information Flow Enforcement / Content Check Encrypted Data

The information system prevents encrypted data from bypassing content-checking mechanisms.

1 3 The Deep Packet Inspection capability of Deep Security satisfies this requirement by being able to examine SSL encrypted TCP packets.

AC-5 Technical / Access Control / Separation of Duties

(A) The organization separates duties of individuals as necessary, to prevent malevolent activity without collusion.
(B) The organization documents separation of duties.
(C) The organization implements separation of duties through assigned information system access authorizations.

Supplemental Guidance: Examples of separation of duties include: (i) mission functions and distinct information system support functions are divided among different individuals/roles; (ii) different individuals perform information system support functions (e.g., system management, systems programming, configuration management, quality assurance and testing, network security); (iii) security personnel who administer access control functions do not administer audit functions; and (iv) different administrator accounts for different roles. Access authorizations defined in this control are implemented by control AC-3. Related controls: AC-3

Tailoring and Implementation Guidance: This security control/enhancement is considered to be best practice. Consequently, inclusion in a departmental profile is strongly encouraged in most cases.

1 Deep Discovery Inspector assists separation of duties by providing specific roles and access controls. The Version 3.1 of the product is certified by the Common Criteria Evaluation and Certification Scheme (CCS) carried out by the Communications Security Establishment Canada which provides evidence of this capability.

Deep Security assists separation of duties by providing specific roles and access controls. The Version 9.5 of the product is currently being evaluated to the EAL2 level, to provide evidence of this capability.

SecureCloud assists separation of duties by providing specific roles and access controls and is integrated with Active Directory.

AC-6 Technical / Access Control / Least Privilege

(A) The organization employs the concept of least privilege, allowing only authorized accesses for users (and processes acting on behalf of users) which are necessary to accomplish assigned tasks in accordance with organizational missions and business functions.

Supplemental Guidance: The access authorizations defined in this control are largely implemented by control AC-3. The organization employs the concept of least privilege for specific duties and information systems (including specific ports, protocols, and services) in accordance with risk assessments as necessary to adequately mitigate risk to organizational operations and assets, individuals, other organizations, and Canada. Related controls: AC-2, AC-3, GC.ITSG33.11.CM-7

Tailoring and Implementation Guidance: This security control/enhancement is considered to be best practice. Consequently, inclusion in a departmental profile is strongly encouraged in most cases.

1 Deep Discovery Inspector addresses roles and least privilege. The Version 3.1 of the product is certified by the Common Criteria Evaluation and Certification Scheme (CCS) carried out by the Communications Security Establishment Canada to provide evidence of addressing roles and least privilege.

Deep Security addresses roles and least privilege. The Version 9.5 of the product is currently being evaluated to the EAL2 level which will provide evidence of this capability.

SecureCloud addresses roles and least privilege through the role based access control and integration with Active Directory.

AC-6 (1) Technical / Access Control / Least Privilege / Authorize Access to Security Functions

The organization explicitly authorizes access to [Assignment: organization-defined list of security functions (deployed in hardware, software, and firmware) and security-relevant information].

Supplemental Guidance: Establishing system accounts, configuring access authorizations (i.e., permissions, privileges), setting events to be audited, and setting intrusion detection parameters are examples of security functions. Explicitly authorized personnel include, for example, security administrators, system and network administrators, system security officers, system maintenance personnel, system programmers, and other privileged users. Related control: AC-17.

Tailoring and Implementation Guidance: This security control/enhancement is considered to be best practice. Consequently, inclusion in a departmental profile is strongly encouraged in most cases.

Deep Discovery Inspector, Deep Security and SecureCloud satisfy this requirement by explicitly authorizing access to security functions through roles with specific permissions and privileges, and defining audit events. SecureCloud explicitly restricts which users have access to the cryptographic key material. Access to product Security Functions is addressed by the Common Criteria, Management of Security Functions Behavior and Management of product security function data. Deep Discovery Inspector v 3.1 is certified by the Common Criteria Evaluation and Certification Scheme (CCS) carried out by the Communications Security Establishment Canada to the EAL2 level; and Deep Security v9.5 is currently being evaluated to the EAL2 level.

AC-6 (2) Technical / Access Control / Least Privilege / Non-Privileged Access for Nonsecurity Functions

The organization requires that users of information system accounts, or roles, with access to [Assignment: organization-defined list of security functions or security-relevant information], use non-privileged accounts, or roles, when accessing other system functions, and if feasible, audits any use of privileged accounts, or roles, for such functions.

Supplemental Guidance: This control enhancement is intended to limit exposure due to operating from within a privileged account or role. The inclusion of role is intended to address those situations where an access control policy such as RBAC is being implemented and where a change of role provides the same degree of assurance in the change of access authorizations for both the user and all processes acting on behalf of the user as would be provided by a change between a privileged and non-privileged account. Audit of privileged activity may require physical separation employing information systems on which the user does not have privileged access.

Tailoring and Implementation Guidance: This security control/enhancement is considered to be best practice. Consequently, inclusion in a departmental profile is strongly encouraged in most cases.

Deep Discovery Inspector, Deep Security and SecureCloud support compliance with this requirement by the use of a Role Based Access Control, which provides the ability to prevent a privileged user accessing non-privileged or non-security functions with the privileged role security credentials.

AC-6 (4) Technical / Access Control / Least Privilege / Separate Processing Domains

The information system provides separate processing domains to enable finer-grained allocation of user privileges.
Supplemental Guidance: Employing virtualization techniques to allow greater privilege within a virtual machine while restricting privilege to the underlying actual machine is an example of providing separate processing domains for finer-grained allocation of user privileges.

Tailoring and Implementation Guidance: This security control/enhancement specifies a very specialized and/or advanced capability that is not required for all systems. Consequently, inclusion in a departmental profile is made on a case by case basis.

Deep Security satisfies this requirement by providing fine-grained allocation of user privileges through the implementation of firewall rules/filters on specific virtual machines or physical machines to create separate processing domains/zones. This allows additional privileges within a virtual machine while restricting privileges to other virtual machines or to the underlying actual machine.

NOTE: AC-6 security controls have been added to the 2014 SP Revision 4 security controls catalogue. They are not included in ITSG-33, which is based on the earlier 2009 Revision 3. Deep Discovery Inspector, Deep Security and SecureCloud compliance guidance for these new controls is provided in the referenced compliance report for NIST SP Revision 4, which is available from Trend Micro:

AC-6 (10) Access Control / Least Privilege / Prohibit Non-Privileged Users From Executing Privileged Functions

AC-17 Technical / Access Control / Remote Access

AC-17 (2) Technical / Access Control / Remote Access / Protection of Confidentiality - Integrity Using Encryption

The organization uses cryptography to protect the confidentiality and integrity of remote access sessions. The cryptography must be compliant with the requirements of control SC-13.

Supplemental Guidance: The encryption strength of mechanism is selected based on recommendations found in CSEC ITSG-32 Guide to Interconnecting Security Domains [Reference 23]. Related controls: SC-8, SC-9, SC-13.

Tailoring and Implementation Guidance: This security control/enhancement is considered to be best practice. Consequently, inclusion in a departmental profile is strongly encouraged in most cases. This security control/enhancement can be met using readily available Commercial-Off-The-Shelf (COTS) components. Consequently, inclusion in a departmental profile is strongly encouraged in most cases.

Deep Discovery Inspector, Deep Security and SecureCloud solutions support compliance with this requirement through the use of the TLS/SSL protocol for remote access.

AC-18 Technical / Access Control / Wireless Access

AC-18 (4) Technical / Access Control / Wireless Access

The organization does not allow users to independently configure wireless networking capabilities.

Deep Security can assist in meeting this requirement to control wireless configuration by the use of Deep Security Firewall rules for wireless laptops. Many laptops are now capable of connecting to both the wired and wireless networks, and users need to be aware of the problems that can result from this scenario; Deep Security addresses this problem. The common problem is a "network bridge" configured between the wired and wireless network. There is a risk of forwarding the internal traffic externally and potentially exposing internal hosts to external attacks.
Deep Security allows administrators to configure a set of firewall rules for these types of users to prevent them from creating a network bridge.

AU-2 Technical / Audit and Accountability / Auditable Events

AU-2 Technical / Audit and Accountability / Auditable Events

(A) The organization determines, based on a risk assessment and mission/business needs, that the information system must be capable of auditing the following events: [Assignment: organization-defined list of auditable events].
(B) The organization coordinates the security audit function with other organizational entities requiring audit-related information to enhance mutual support and to help guide the selection of auditable events.
(C) The organization provides a rationale for why the list of auditable events is deemed to be adequate to support after-the-fact investigations of security incidents.
(D) The organization determines, based on current threat information and ongoing assessment of risk, that the following events are to be audited within the information system: [Assignment: organization-defined subset of the auditable events defined in AU-2 a. to be audited along with the frequency of (or situation requiring) auditing for each identified event].

Supplemental Guidance: The purpose of this control is for the organization to identify events which need to be auditable as significant and relevant to the security of the information system; giving an overall system requirement in order to meet ongoing and specific audit needs. To balance auditing requirements with other information system needs, this control also requires identifying that subset of auditable events that are to be audited at a given point in time. For example, the organization may determine that the information system must have the capability to log every file access both successful and unsuccessful, but not activate that capability except for specific circumstances due to the extreme burden on system performance.
In addition, audit records can be generated at various levels of abstraction, including at the packet level as information traverses the network. Selecting the right level of abstraction for audit record generation is a critical aspect of an audit capability and can facilitate the identification of root causes to problems. Related control: AU-3

Tailoring and Implementation Guidance: The information system audits the following privileged user/process events at a minimum:
(a) Successful and unsuccessful attempts to access, modify, or delete security objects (Security objects include audit data, system configuration files and file or users' formal access permissions.)
(b) Successful and unsuccessful logon attempts
(c) Privileged activities or other system level access (see notes for AU-2 (4))
(d) Starting and ending time for user access to the system
(e) Concurrent logons from different workstations
(f) All program initiations (see notes for AU-2 (4))

In addition, the information system audits the following unprivileged user/process events at a minimum:
(a) Successful and unsuccessful attempts to access, modify, or delete security objects
(b) Successful and unsuccessful logon attempts
(c) Starting and ending time for user access to the system
(d) Concurrent logons from different workstations

1 Deep Discovery Inspector supports this requirement by enabling organizations to audit and log security related events through inspection of network traffic between and within an organization's network including: communications or links to suspicious/malicious endpoints, suspicious/malicious network traffic, and infected files. Logs include time stamps, source and destination addresses, identifiers, event descriptions, success/fail indications, rules involved. Security event information can be integrated with an organization's SIEM product.

Deep Security supports this requirement by enabling organizations to audit and log security related events through inspection of host-based network traffic for malicious activity, key files for changes, and system logs for indicators of suspicious activity. Logs include, for example, time stamps, source and destination addresses, identifiers, event descriptions, success/fail indications, rules involved. Security event information can be integrated with an organization's SIEM product if required.

SecureCloud provides audit records for cryptographic key generation, key access, and key destruction and also on the success or failure of cryptographic operations carried out by the validated FIPS 140-2, Level 2 cryptographic libraries.

Deep Discovery Inspector and Deep Security provide, in their Security Targets, a listing of Audit Events and rationale to further assist an organization in meeting this requirement. Deep Discovery Inspector v3.1 has been EAL2 certified by the Common Criteria Evaluation and Certification Scheme; and Deep Security v9.5 is currently being evaluated to EAL2.

AU-2 (3) Technical / Audit and Accountability / Auditable Events / Reviews and Updates

The organization reviews and updates the list of auditable events [Assignment: organization-defined frequency].

Supplemental Guidance: The list of auditable events is defined in AU-2.

Deep Discovery Inspector, Deep Security and SecureCloud satisfy this requirement to review and update the events that are audited by permitting an organization to define and implement audit event type and frequency. In addition, Deep Security and SecureCloud security event information can be integrated with an organization's SIEM product if required.
All products have the ability to provide security event data to an organization's central syslog server.

AU-3 Technical / Audit and Accountability / Content of Audit Records

AU-3 Technical / Audit and Accountability / Content of Audit Records

(A) The information system produces audit records that contain sufficient information to, at a minimum, establish what type of event occurred, when (date and time) the event occurred, where the event occurred, the source of the event, the outcome (success or failure) of the event, and the identity of any user/subject associated with the event.

Supplemental Guidance: Audit record content that may be necessary to satisfy the requirement of this control includes, for example, time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, filenames involved, and access control or flow control rules invoked. Related controls: AU-2, AU-8

1 Deep Discovery Inspector supports, at an enterprise level, this requirement by enabling organizations to audit and log security related events through inspection of network traffic between and within an organization's network including: communications or links to suspicious/malicious endpoints, suspicious/malicious network traffic, and infected files. Logs include time stamps, source and destination addresses, identifiers, event descriptions, success/fail indications, rules involved. Security event information can be integrated with an organization's syslog server if required.

Deep Security supports, at an enterprise level, this requirement by enabling organizations to audit and log security related events through inspection of host-based network traffic for malicious activity, key files for changes, and system logs for indicators of suspicious activity. Logs include, for example, time stamps, source and destination addresses, identifiers, event descriptions, success/fail indications, rules involved.
Security event information can be integrated with an organization's SIEM product if required.

SecureCloud supports, at an enterprise level, this requirement by generating log and audit records for cryptographic key generation, cryptographic key access, and cryptographic key destruction. In addition, the success or failure of cryptographic operations is an auditable event.

Deep Discovery Inspector, Deep Security, and SecureCloud generate audit data in accordance with this requirement. As evidence, Deep Discovery Inspector v3.1 has been EAL2 certified by the Common Criteria Evaluation and Certification Scheme; and Deep Security v9.5 is currently being evaluated to EAL2 for audit events and generation.

AU-3 (1) Technical / Audit and Accountability / Content of Audit Records / Additional Audit Information

The information system includes [Assignment: organization-defined additional, more detailed information] in the audit records for audit events identified by type, location, or subject.

Supplemental Guidance: An example of detailed information that the organization may require in audit records is full-text recording of privileged commands or the individual identities of group account users.

Tailoring and Implementation Guidance: Additional guidance for enhancement (1): Audit events should always be capable of being associated with an individual identity. Associating audit events with a group or role is insufficient.

Deep Discovery Inspector Detection Logs can be queried for additional information by detection type (Threats, Disruptive Applications, Malicious URLs, Virtual Analysis, Correlated Incidents, and Custom Detections) and time range.

Deep Security supports compliance with this requirement through the defined audit events and the ability to carry out specific queries against the audit records, simplifying the ability to locate the information of interest. In addition, deep packet inspection permits the capture of event data, at the packet level, which can be analysed for additional audit data relating to the security event.

SecureCloud provides a range of predefined reports that administrators can use to monitor and analyze encryption key usage patterns, inventory changes, and SecureCloud Agent activities. Administrators can also use reports to audit user activities such as web console access, policy changes, and responses to pending encryption key requests.

Deep Discovery Inspector v3.1 has been EAL2 certified by the Common Criteria Evaluation and Certification Scheme; and Deep Security v9.5 is currently being evaluated to EAL2 for audit events and generation of audit data.
AU-3 (2) Technical / Audit and Accountability / Content of Audit Records / Management of Planned Audit Record Content

The organization centrally manages the content of audit records generated by [Assignment: organization-defined information system components].

Tailoring and Implementation Guidance: This security control/enhancement cannot be met using readily available Commercial-Off-The-Shelf (COTS) components. Consequently, implementation of this security control/enhancement may be somewhat problematic.

Deep Discovery Inspector, Deep Security, and SecureCloud, when integrated with the Trend Micro Control Manager, support this requirement by providing centralized management and configuration of security events, rules and policies. Event information can be integrated with an organization's SIEM product. Individually the products provide their own centralized management capability:
- The Deep Discovery Inspector Management Console provides a built-in online capability through which users can view system status, configure threat detection, configure and view logs, run reports, and administer Deep Discovery Inspector.
- Deep Security, through the centralized control of the Deep Security Manager, supports the satisfying of this requirement for audit event management and configuration.
- SecureCloud, through the centralized Web Console and the Key Management Server Web Console, supports implementing this control for audit event management, policies, and Integrity Checks.

AU-4 Technical / Audit and Accountability / Audit Storage Capacity

AU-4 Technical / Audit and Accountability / Audit Storage Capacity

(A) The organization allocates audit record storage capacity and configures auditing to reduce the likelihood of such capacity being exceeded.

Supplemental Guidance: The organization considers the types of auditing to be performed and the audit processing requirements when allocating audit storage capacity.
Related controls: AU-2, AU-5, AU-6, AU-7, SI-4

1 Deep Discovery Inspector, through the guarantee of audit data availability and the prevention of audit data loss, ensures that if there is insufficient audit storage capacity the latest audit records are maintained and the organization is alerted to the issue.

Deep Security satisfies this requirement by monitoring the disk space available for logs and audit records; should free disk space fall below a threshold level, alerts will be issued and audit/log data collected will be stored in temporary memory at the agent until sufficient free disk space is available.

SecureCloud supports compliance with this requirement by providing log-maintenance-plan functionality and allowing the appropriate account-user roles to delete system logs and manage the log maintenance.

These capabilities have been assured by the Deep Discovery Inspector v3.1, which has been EAL2 certified by the Common Criteria Evaluation and Certification Scheme; and Deep Security v9.5 is currently being evaluated to EAL2.

NOTE: AU-4 security controls have been added to the 2014 SP Revision 4 security controls catalogue. They are not included in ITSG-33, which is based on the earlier 2009 Revision 3. Deep Discovery Inspector, Deep Security and SecureCloud compliance guidance for these new controls is provided in the referenced compliance report for NIST SP Revision 4, which is available from Trend Micro:

AU-4 (1) Technical / Audit and Accountability / Audit Storage Capacity / Transfer to Alternate Storage

AU-5 Technical / Audit and Accountability / Response to Audit Processing Failures

AU-5 (1) Technical / Audit and Accountability / Response to Audit Processing Failures / Audit Storage Capacity

The information system provides a warning when allocated audit record storage volume reaches [Assignment: organization-defined percentage] of maximum audit record storage capacity.

Deep Discovery Inspector, through the guarantee of audit data availability and the prevention of audit data loss, ensures that if there is insufficient audit storage capacity the latest audit records are maintained and the organization is alerted to the issue.

Deep Security can satisfy this requirement by monitoring the disk space available for logs and audit records; should free disk space fall below a threshold level, alerts will be issued and audit/log data collected will be stored in temporary memory at the agent until sufficient free disk space is available.

SecureCloud supports compliance with this requirement by providing log-maintenance-plan functionality and allowing the appropriate account-user roles to delete system logs and manage the log maintenance.

These capabilities have been assured by the Deep Discovery Inspector v3.1, which has been EAL2 certified by the Common Criteria Evaluation and Certification Scheme; Deep Security v9.5 is currently being evaluated to EAL2.

AU-6 Technical / Audit and Accountability / Audit Review, Analysis and Reporting

AU-6 Technical / Audit and Accountability / Audit Review, Analysis and Reporting

(A) The organization reviews and analyzes information system audit records [Assignment: organization-defined frequency] for indications of inappropriate or unusual activity, and reports findings to designated organizational officials.
(B) The organization adjusts the level of audit review, analysis, and reporting within the information system when there is a change in risk to organizational operations, organizational assets, individuals, other organizations, or Canada based on law enforcement information, intelligence information, or other credible sources of information.

Supplemental Guidance: Related control: AU-7, AC-5. References: TBS Operational Security Standard - Management of Information Technology Security [Reference 8].

Tailoring and Implementation Guidance: In order for audit to be effective, audit logs need to be collected from the various systems, amalgamated centrally and analyzed regularly by an automated tool. This approach ensures that audit logs are scrutinized and that coordinated attacks can be identified. Although an automated capability is preferable, this security control can be met using manual processes.

1 Deep Discovery Inspector can assist in meeting this control requirement through the Retro Scan Service, which scans historical web access logs (audit) for callback attempts to Command & Control (C&C) servers and other related activities in a network. Web access logs may contain undetected and unblocked connections to C&C servers that have only recently been discovered. Deep Discovery Inspector forwards suspicious events to a centralized logging server for further correlation, reporting and archiving.

The Deep Security Log Inspection capability provides visibility into important security events buried in log files, and creates audit trails of administrator activity. It optimizes the identification of important security events buried in multiple log entries across the data center. It forwards suspicious events to a SIEM system or centralized logging server for correlation, reporting and archiving. Deep Security also maintains information regarding the administration and management of its security functions as part of the audit records.
SecureCloud provides a range of predefined reports that administrators can use to monitor and analyze encryption key usage patterns, inventory changes, and SecureCloud Agent activities. Administrators can also use reports to audit user activities such as web console access, policy changes, and responses to pending encryption key requests. SecureCloud records system events including all communication between a SecureCloud Agent and the Key Management Server.

AU-6 (1) Technical / Audit and Accountability / Audit Review, Analysis and Reporting / Process Integration

The information system integrates audit review, analysis, and reporting processes to support organizational processes for investigation and response to suspicious activities.

Deep Discovery Inspector employs continuous monitoring of threat detections, which includes information on: Malicious Content, Malicious Behavior, Suspicious Behavior, Exploits, Grayware, Web Reputation, and Disruptive Applications. This threat data can be sent to a centralized logging server for correlation, reporting and archiving with audit record data to support organizational processes for investigation and response to suspicious activities.

The Deep Security Recommendation Scan supports this requirement by allowing organizations to automate scanning of systems and patch levels against the latest Critical Vulnerability and Exposure (CVE) database, to automatically apply Deep Security rules/filters to detect/prevent exploitation of these vulnerabilities and to produce audit logs and reports which can be used to support a continuous monitoring program or audits.

SecureCloud and Deep Security support this integration of audit capabilities through the audit management functionality of the Deep Security Manager and the SecureCloud Management Server.


More information

The Common Controls Framework BY ADOBE

The Common Controls Framework BY ADOBE The Controls Framework BY ADOBE The following table contains the baseline security subset of control activities (derived from the Controls Framework by Adobe) that apply to Adobe s enterprise offerings.

More information

Standard Development Timeline

Standard Development Timeline Standard Development Timeline This section is maintained by the drafting team during the development of the standard and will be removed when the standard is adopted by the NERC Board of Trustees (Board).

More information

A company built on security

A company built on security Security How we handle security at Flywheel Flywheel was founded in 2012 on a mission to create an exceptional platform to help creatives do their best work. As the leading WordPress hosting provider for

More information

How AlienVault ICS SIEM Supports Compliance with CFATS

How AlienVault ICS SIEM Supports Compliance with CFATS How AlienVault ICS SIEM Supports Compliance with CFATS (Chemical Facility Anti-Terrorism Standards) The U.S. Department of Homeland Security has released an interim rule that imposes comprehensive federal

More information

SAC PA Security Frameworks - FISMA and NIST

SAC PA Security Frameworks - FISMA and NIST SAC PA Security Frameworks - FISMA and NIST 800-171 June 23, 2017 SECURITY FRAMEWORKS Chris Seiders, CISSP Scott Weinman, CISSP, CISA Agenda Compliance standards FISMA NIST SP 800-171 Importance of Compliance

More information

Defense-in-Depth Against Malicious Software. Speaker name Title Group Microsoft Corporation

Defense-in-Depth Against Malicious Software. Speaker name Title Group Microsoft Corporation Defense-in-Depth Against Malicious Software Speaker name Title Group Microsoft Corporation Agenda Understanding the Characteristics of Malicious Software Malware Defense-in-Depth Malware Defense for Client

More information

A Measurement Companion to the CIS Critical Security Controls (Version 6) October

A Measurement Companion to the CIS Critical Security Controls (Version 6) October A Measurement Companion to the CIS Critical Security Controls (Version 6) October 2015 1 A Measurement Companion to the CIS Critical Security Controls (Version 6) Introduction... 3 Description... 4 CIS

More information

Kenna Platform Security. A technical overview of the comprehensive security measures Kenna uses to protect your data

Kenna Platform Security. A technical overview of the comprehensive security measures Kenna uses to protect your data Kenna Platform Security A technical overview of the comprehensive security measures Kenna uses to protect your data V3.0, MAY 2017 Multiple Layers of Protection Overview Password Salted-Hash Thank you

More information

Dynamic Datacenter Security Solidex, November 2009

Dynamic Datacenter Security Solidex, November 2009 Dynamic Datacenter Security Solidex, November 2009 Deep Security: Securing the New Server Cloud Virtualized Physical Servers in the open Servers virtual and in motion Servers under attack 2 11/9/09 2 Dynamic

More information

The SANS Institute Top 20 Critical Security Controls. Compliance Guide

The SANS Institute Top 20 Critical Security Controls. Compliance Guide The SANS Institute Top 20 Critical Security Controls Compliance Guide February 2014 The Need for a Risk-Based Approach A common factor across many recent security breaches is that the targeted enterprise

More information

Security by Default: Enabling Transformation Through Cyber Resilience

Security by Default: Enabling Transformation Through Cyber Resilience Security by Default: Enabling Transformation Through Cyber Resilience FIVE Steps TO Better Security Hygiene Solution Guide Introduction Government is undergoing a transformation. The global economic condition,

More information

ForeScout CounterACT. Continuous Monitoring and Mitigation. Real-time Visibility. Network Access Control. Endpoint Compliance.

ForeScout CounterACT. Continuous Monitoring and Mitigation. Real-time Visibility. Network Access Control. Endpoint Compliance. Real-time Visibility Network Access Control Endpoint Compliance Mobile Security ForeScout CounterACT Continuous Monitoring and Mitigation Rapid Threat Response Benefits Rethink IT Security Security Do

More information

Mapping BeyondTrust Solutions to

Mapping BeyondTrust Solutions to TECH BRIEF Taking a Preventive Care Approach to Healthcare IT Security Table of Contents Table of Contents... 2 Taking a Preventive Care Approach to Healthcare IT Security... 3 Improvements to be Made

More information

CIS Controls Measures and Metrics for Version 7

CIS Controls Measures and Metrics for Version 7 Level 1.1 Utilize an Active Discovery Tool 1.2 Use a Passive Asset Discovery Tool 1.3 Use DHCP Logging to Update Asset Inventory 1.4 Maintain Detailed Asset Inventory 1.5 Maintain Asset Inventory Information

More information

CIP Cyber Security Configuration Change Management and Vulnerability Assessments

CIP Cyber Security Configuration Change Management and Vulnerability Assessments Standard Development Timeline This section is maintained by the drafting team during the development of the standard and will be removed when the standard becomes effective. Development Steps Completed

More information

Crises Control Cloud Security Principles. Transputec provides ICT Services and Solutions to leading organisations around the globe.

Crises Control Cloud Security Principles. Transputec provides ICT Services and Solutions to leading organisations around the globe. Crises Control Cloud Security Principles Transputec provides ICT Services and Solutions to leading organisations around the globe. As a provider of these services for over 30 years, we have the credibility

More information

INFORMATION ASSURANCE DIRECTORATE

INFORMATION ASSURANCE DIRECTORATE National Security Agency/Central Security Service INFORMATION ASSURANCE DIRECTORATE Digital Policy Management consists of a set of computer programs used to generate, convert, deconflict, validate, assess

More information

NERC CIP VERSION 6 BACKGROUND COMPLIANCE HIGHLIGHTS

NERC CIP VERSION 6 BACKGROUND COMPLIANCE HIGHLIGHTS NERC CIP VERSION 6 COMPLIANCE BACKGROUND The North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) Reliability Standards define a comprehensive set of requirements

More information

CIS Controls Measures and Metrics for Version 7

CIS Controls Measures and Metrics for Version 7 Level One Level Two Level Three Level Four Level Five Level Six 1.1 Utilize an Active Discovery Tool Utilize an active discovery tool to identify devices connected to the organization's network and update

More information

NEN The Education Network

NEN The Education Network NEN The Education Network School e-security Checklist This checklist sets out 20 e-security controls that, if implemented effectively, will help to ensure that school networks are kept secure and protected

More information

AUTHORITY FOR ELECTRICITY REGULATION

AUTHORITY FOR ELECTRICITY REGULATION SULTANATE OF OMAN AUTHORITY FOR ELECTRICITY REGULATION SCADA AND DCS CYBER SECURITY STANDARD FIRST EDITION AUGUST 2015 i Contents 1. Introduction... 1 2. Definitions... 1 3. Baseline Mandatory Requirements...

More information

Information Security Policy

Information Security Policy April 2016 Table of Contents PURPOSE AND SCOPE 5 I. CONFIDENTIAL INFORMATION 5 II. SCOPE 6 ORGANIZATION OF INFORMATION SECURITY 6 I. RESPONSIBILITY FOR INFORMATION SECURITY 6 II. COMMUNICATIONS REGARDING

More information

Certification Report

Certification Report Certification Report EAL 4+ Evaluation of Firewall Enterprise v8.2.0 and Firewall Enterprise Control Center v5.2.0 Issued by: Communications Security Establishment Canada Certification Body Canadian Common

More information

NIST Revision 2: Guide to Industrial Control Systems (ICS) Security

NIST Revision 2: Guide to Industrial Control Systems (ICS) Security NIST 800-82 Revision 2: Guide to Industrial Control Systems (ICS) Security How CyberArk can help meet the unique security requirements of Industrial Control Systems Table of Contents Executive Summary

More information

Four Deadly Traps of Using Frameworks NIST Examples

Four Deadly Traps of Using Frameworks NIST Examples Four Deadly Traps of Using Frameworks NIST 800-53 Examples ISACA Feb. 2015 Meeting Doug Landoll dlandoll@lantego.com (512) 633-8405 Session Agenda Framework Definition & Uses NIST 800-53 Framework Intro

More information

CIP Cyber Security Configuration Change Management and Vulnerability Assessments

CIP Cyber Security Configuration Change Management and Vulnerability Assessments CIP-010-2 3 Cyber Security Configuration Change Management and Vulnerability Assessments A. Introduction 1. Title: Cyber Security Configuration Change Management and Vulnerability Assessments 2. Number:

More information

Client Computing Security Standard (CCSS)

Client Computing Security Standard (CCSS) Client Computing Security Standard (CCSS) 1. Background The purpose of the Client Computing Security Standard (CCSS) is to (a) help protect each user s device from harm, (b) to protect other users devices

More information

PCI DSS v3.2 Mapping 1.4. Kaspersky Endpoint Security. Kaspersky Enterprise Cybersecurity

PCI DSS v3.2 Mapping 1.4. Kaspersky Endpoint Security. Kaspersky Enterprise Cybersecurity Kaspersky Enterprise Cybersecurity Kaspersky Endpoint Security v3.2 Mapping 3.2 regulates many technical security requirements and settings for systems operating with credit card data. Sub-points 1.4,

More information

Security Standards for Electric Market Participants

Security Standards for Electric Market Participants Security Standards for Electric Market Participants PURPOSE Wholesale electric grid operations are highly interdependent, and a failure of one part of the generation, transmission or grid management system

More information

Securing the Modern Data Center with Trend Micro Deep Security

Securing the Modern Data Center with Trend Micro Deep Security Advania Fall Conference Securing the Modern Data Center with Trend Micro Deep Security Okan Kalak, Senior Sales Engineer okan@trendmicro.no Infrastructure change Containers 1011 0100 0010 Serverless Public

More information

THE TRIPWIRE NERC SOLUTION SUITE

THE TRIPWIRE NERC SOLUTION SUITE CONFIDENCE: SECURED BUSINESS INTELLIGENCE SOLUTION BRIEF THE TRIPWIRE NERC SOLUTION SUITE A TAILORED SUITE OF PRODUCTS AND SERVICES TO AUTOMATE NERC CIP COMPLIANCE u u We ve been able to stay focused on

More information

TARGET2-SECURITIES INFORMATION SECURITY REQUIREMENTS

TARGET2-SECURITIES INFORMATION SECURITY REQUIREMENTS Target2-Securities Project Team TARGET2-SECURITIES INFORMATION SECURITY REQUIREMENTS Reference: T2S-07-0270 Date: 09 October 2007 Version: 0.1 Status: Draft Target2-Securities - User s TABLE OF CONTENTS

More information

SECURITY PRACTICES OVERVIEW

SECURITY PRACTICES OVERVIEW SECURITY PRACTICES OVERVIEW 2018 Helcim Inc. Copyright 2006-2018 Helcim Inc. All Rights Reserved. The Helcim name and logo are trademarks of Helcim Inc. P a g e 1 Our Security at a Glance About Helcim

More information

Enterprise Cybersecurity Best Practices Part Number MAN Revision 006

Enterprise Cybersecurity Best Practices Part Number MAN Revision 006 Enterprise Cybersecurity Best Practices Part Number MAN-00363 Revision 006 April 2013 Hologic and the Hologic Logo are trademarks or registered trademarks of Hologic, Inc. Microsoft, Active Directory,

More information

MEETING ISO STANDARDS

MEETING ISO STANDARDS WHITE PAPER MEETING ISO 27002 STANDARDS September 2018 SECURITY GUIDELINE COMPLIANCE Organizations have seen a rapid increase in malicious insider threats, sensitive data exfiltration, and other advanced

More information

Privileged Account Security: A Balanced Approach to Securing Unix Environments

Privileged Account Security: A Balanced Approach to Securing Unix Environments Privileged Account Security: A Balanced Approach to Securing Unix Environments Table of Contents Introduction 3 Every User is a Privileged User 3 Privileged Account Security: A Balanced Approach 3 Privileged

More information

The "Notes to Reviewers" in the February 2012 initial public draft of Revision 4 of SP states:

The Notes to Reviewers in the February 2012 initial public draft of Revision 4 of SP states: Major Enhancements to NIST SP 800-53 Revision 4 BD Pro The "Notes to Reviewers" in the February 2012 initial public draft of Revision 4 of SP 800-53 states: "The proposed changes included in Revision 4

More information

Information Technology Security Plan Policies, Controls, and Procedures Identify Governance ID.GV

Information Technology Security Plan Policies, Controls, and Procedures Identify Governance ID.GV Information Technology Security Plan Policies, Controls, and Procedures Identify Governance ID.GV Location: https://www.pdsimplified.com/ndcbf_pdframework/nist_csf_prc/documents/identify/ndcbf _ITSecPlan_IDGV2017.pdf

More information

Ensuring Desktop Central Compliance to Payment Card Industry (PCI) Data Security Standard

Ensuring Desktop Central Compliance to Payment Card Industry (PCI) Data Security Standard Ensuring Desktop Central Compliance to Payment Card Industry (PCI) Data Security Standard Introduction Manage Engine Desktop Central is part of ManageEngine family that represents entire IT infrastructure

More information

CA Security Management

CA Security Management CA Security CA Security CA Security In today s business environment, security remains one of the most pressing IT concerns. Most organizations are struggling to protect an increasing amount of disparate

More information

White Paper. Why IDS Can t Adequately Protect Your IoT Devices

White Paper. Why IDS Can t Adequately Protect Your IoT Devices White Paper Why IDS Can t Adequately Protect Your IoT Devices Introduction As a key component in information technology security, Intrusion Detection Systems (IDS) monitor networks for suspicious activity

More information

Why the cloud matters?

Why the cloud matters? Why the cloud matters? Speed and Business Impact Expertise and Performance Cost Reduction Trend Micro Datacenter & Cloud Security Vision Enable enterprises to use private and public cloud computing with

More information

Enhancing the Cybersecurity of Federal Information and Assets through CSIP

Enhancing the Cybersecurity of Federal Information and Assets through CSIP TECH BRIEF How BeyondTrust Helps Government Agencies Address Privileged Access Management to Improve Security Contents Introduction... 2 Achieving CSIP Objectives... 2 Steps to improve protection... 3

More information

ISO/IEC Solution Brief ISO/IEC EventTracker 8815 Centre Park Drive, Columbia MD 21045

ISO/IEC Solution Brief ISO/IEC EventTracker 8815 Centre Park Drive, Columbia MD 21045 Solution Brief 8815 Centre Park Drive, Columbia MD 21045 About delivers business critical software and services that transform high-volume cryptic log data into actionable, prioritized intelligence that

More information

1. Post for 45-day comment period and pre-ballot review. 7/26/ Conduct initial ballot. 8/30/2010

1. Post for 45-day comment period and pre-ballot review. 7/26/ Conduct initial ballot. 8/30/2010 Standard CIP 011 1 Cyber Security Protection Standard Development Roadmap This section is maintained by the drafting team during the development of the standard and will be removed when the standard becomes

More information

Aligning with the Critical Security Controls to Achieve Quick Security Wins

Aligning with the Critical Security Controls to Achieve Quick Security Wins Aligning with the Critical Security Controls to Achieve Quick Security Wins Background The Council on CyberSecurity s Critical Security Controls for Effective Cyber Defense provide guidance on easy wins

More information

Trend Micro Incorporated reserves the right to make changes to this document and to the product described herein without notice. Before installing and using the product, review the readme files, release

More information

Aligning Agency Cybersecurity Practices with the Cybersecurity Framework

Aligning Agency Cybersecurity Practices with the Cybersecurity Framework POINT OF VIEW Aligning Agency Cybersecurity Practices with the Cybersecurity Framework Leveraging Gigamon to Align Cybersecurity Budgets with Desired Business Outcomes 2013-2017 Gigamon. All rights reserved.

More information

SailPoint IdentityIQ Integration with the BeyondInsight Platform. Providing Complete Visibility and Auditing of Identities

SailPoint IdentityIQ Integration with the BeyondInsight Platform. Providing Complete Visibility and Auditing of Identities SailPoint IdentityIQ Integration with the BeyondInsight Platform Providing Complete Visibility and Auditing of Identities Table of Contents Executive Summary... 3 Identity and Access Management... 5 BeyondTrust

More information

Sneak Peak at CIS Critical Security Controls V 7 Release Date: March Presented by Kelli Tarala Principal Consultant Enclave Security

Sneak Peak at CIS Critical Security Controls V 7 Release Date: March Presented by Kelli Tarala Principal Consultant Enclave Security Sneak Peak at CIS Critical Security Controls V 7 Release Date: March 2018 2017 Presented by Kelli Tarala Principal Consultant Enclave Security 2 Standards and Frameworks 3 Information Assurance Frameworks

More information

CIP Cyber Security Systems Security Management

CIP Cyber Security Systems Security Management A. Introduction 1. Title: Cyber Security System Security Management 2. Number: CIP-007-5 3. Purpose: To manage system security by specifying select technical, operational, and procedural requirements in

More information

SANS Top 20 CIS. Critical Security Control Solution Brief Version 6. SANS Top 20 CIS. EventTracker 8815 Centre Park Drive, Columbia MD 21045

SANS Top 20 CIS. Critical Security Control Solution Brief Version 6. SANS Top 20 CIS. EventTracker 8815 Centre Park Drive, Columbia MD 21045 Critical Security Control Solution Brief Version 6 8815 Centre Park Drive, Columbia MD 21045 About delivers business critical software and services that transform high-volume cryptic log data into actionable,

More information

Mapping of FedRAMP Tailored LI SaaS Baseline to ISO Security Controls

Mapping of FedRAMP Tailored LI SaaS Baseline to ISO Security Controls Mapping of FedRAMP Tailored LI SaaS Baseline to ISO 27001 Security Controls This document provides a list of all controls that require the Cloud Service Provider, Esri, to provide detailed descriptions

More information

Meeting RMF Requirements around Compliance Monitoring

Meeting RMF Requirements around Compliance Monitoring Meeting RMF Requirements around Compliance Monitoring An EiQ Networks White Paper Meeting RMF Requirements around Compliance Monitoring Purpose The purpose of this paper is to provide some background on

More information

Certification Report

Certification Report Certification Report Symantec Security Information Manager 4.8.1 Issued by: Communications Security Establishment Certification Body Canadian Common Criteria Evaluation and Certification Scheme Government

More information

CIP Cyber Security Configuration Change Management and Vulnerability Assessments

CIP Cyber Security Configuration Change Management and Vulnerability Assessments CIP-010-2 Cyber Security Configuration Change Management and Vulnerability Assessments A. Introduction 1. Title: Cyber Security Configuration Change Management and Vulnerability Assessments 2. Number:

More information

Page 1 of 15. Applicability. Compatibility EACMS PACS. Version 5. Version 3 PCA EAP. ERC NO ERC Low Impact BES. ERC Medium Impact BES

Page 1 of 15. Applicability. Compatibility EACMS PACS. Version 5. Version 3 PCA EAP. ERC NO ERC Low Impact BES. ERC Medium Impact BES 002 5 R1. Each Responsible Entity shall implement a process that considers each of the following assets for purposes of parts 1.1 through 1.3: i. Control Centers and backup Control Centers; ii. Transmission

More information

DEFINITIONS AND REFERENCES

DEFINITIONS AND REFERENCES DEFINITIONS AND REFERENCES Definitions: Insider. Cleared contractor personnel with authorized access to any Government or contractor resource, including personnel, facilities, information, equipment, networks,

More information

Cisco Network Admission Control (NAC) Solution

Cisco Network Admission Control (NAC) Solution Data Sheet Cisco Network Admission Control (NAC) Solution New: Updated to include the Cisco Secure Network Server (SNS) Cisco Network Admission Control (NAC) solutions allow you to authenticate wired,

More information

Standard: Event Monitoring

Standard: Event Monitoring October 24, 2016 Page 1 Contents Revision History... 4 Executive Summary... 4 Introduction and Purpose... 5 Scope... 5 Standard... 5 Audit Log Standard: Nature of Information and Retention Period... 5

More information

ForeScout Extended Module for Symantec Endpoint Protection

ForeScout Extended Module for Symantec Endpoint Protection ForeScout Extended Module for Symantec Endpoint Protection Version 1.0.0 Table of Contents About the Symantec Endpoint Protection Integration... 4 Use Cases... 4 Additional Symantec Endpoint Protection

More information

IT SECURITY RISK ANALYSIS FOR MEANINGFUL USE STAGE I

IT SECURITY RISK ANALYSIS FOR MEANINGFUL USE STAGE I Standards Sections Checklist Section Security Management Process 164.308(a)(1) Information Security Program Risk Analysis (R) Assigned Security Responsibility 164.308(a)(2) Information Security Program

More information

IT Services IT LOGGING POLICY

IT Services IT LOGGING POLICY IT LOGGING POLICY UoW IT Logging Policy -Restricted- 1 Contents 1. Overview... 3 2. Purpose... 3 3. Scope... 3 4. General Requirements... 3 5. Activities to be logged... 4 6. Formatting, Transmission and

More information

Certification Report

Certification Report Certification Report EAL 4 Evaluation of Issued by: Communications Security Establishment Canada Certification Body Canadian Common Criteria Evaluation and Certification Scheme Government of Canada, Communications

More information

Title: Planning AWS Platform Security Assessment?

Title: Planning AWS Platform Security Assessment? Title: Planning AWS Platform Security Assessment? Name: Rajib Das IOU: Cyber Security Practices TCS Emp ID: 231462 Introduction Now-a-days most of the customers are working in AWS platform or planning

More information

Juniper Vendor Security Requirements

Juniper Vendor Security Requirements Juniper Vendor Security Requirements INTRODUCTION This document describes measures and processes that the Vendor shall, at a minimum, implement and maintain in order to protect Juniper Data against risks

More information

Red Hat Enterprise Linux (RHEL) 5.3 Certified Linux Integration Platform (CLIP) Security Requirements Analysis

Red Hat Enterprise Linux (RHEL) 5.3 Certified Linux Integration Platform (CLIP) Security Requirements Analysis Red Hat Enterprise Linux (RHEL) 5.3 Certified Linux Integration Platform (CLIP) Security Requirements Analysis Prepared By: Tresys Technology, LLC March 17, 2009 Table of Contents 1 Introduction... 1 1.1.

More information

Technical Reference [Draft] DRAFT CIP Cyber Security - Supply Chain Management November 2, 2016

Technical Reference [Draft] DRAFT CIP Cyber Security - Supply Chain Management November 2, 2016 For Discussion Purposes Only Technical Reference [Draft] DRAFT CIP-013-1 Cyber Security - Supply Chain Management November 2, 2016 Background On July 21, 2016, the Federal Energy Regulatory Commission

More information