Deep Security Integration with Sumo Logic


A Trend Micro White Paper | May 2016

Install, Integrate and Analyze

This paper is aimed at information security and solution architects looking to integrate Trend Micro Deep Security with Sumo Logic. It will help you design, implement and integrate the Trend Micro Deep Security platform with Sumo Logic.

TABLE OF CONTENTS

TABLE OF CONTENTS ... 2
GETTING STARTED ... 3
  Introduction ... 3
  Intended Audience ... 3
  About this Paper ... 3
  Help and Support ... 3
SOLUTION COMPONENTS ... 4
  Deep Security Manager (DSM) ... 4
  Sumo Logic Data Analytics Service and Web UI ... 4
  Deep Security Agent (DSA) ... 4
  Sumo Logic Installed Collectors and Sources ... 4
HOW THE INTEGRATED SOLUTION WORKS ... 5
  Overview ... 5
INSTALL ... 6
  Install options ... 6
  Installed Collector with Syslog Sources ... 6
INTEGRATE ... 8
  System event log forwarding ... 8
  Security event log forwarding ... 9
  Integration Options for security event logs ... 10
  Relay Via Deep Security Manager ... 10
  Direct Forward ... 11
  Comparison between Two Integration Options ... 12
ANALYZE ... 13
  Supported Event Log Formats ... 13
  Parsing Event Log Messages ... 13
  Field Extraction Rules ... 14
  Sumo Logic Dashboard ... 15
  What's Coming? ... 16

Page 2 of 16 Trend Micro White Paper

GETTING STARTED

INTRODUCTION

Trend Micro Deep Security software and Deep Security as a Service provide a comprehensive security solution that integrates easily with log management, security analytics and Security Information and Event Management (SIEM) products. Enterprises run their workloads across complex, hybrid infrastructures and need solutions that provide full-stack, 360-degree visibility so that security threats can be identified and resolved quickly. Trend Micro Deep Security integrates with Sumo Logic's data analytics service to enable rich analysis, visualization and reporting of critical security and system data.

INTENDED AUDIENCE

This paper is intended for information security and solution architects looking to integrate Trend Micro Deep Security with Sumo Logic. The reader is expected to be comfortable with common computing and networking terminology and topics.

ABOUT THIS PAPER

This paper covers the architectural considerations and configuration steps required to integrate the Trend Micro Deep Security platform with Sumo Logic. It also provides a walkthrough of event forwarding and incident analysis.

HELP AND SUPPORT

This paper is not a substitute for product documentation. For detailed information on installing, configuring, administering and using Deep Security, refer to the online resources, documentation and self-help tools at http://docs.trendmicro.com/en-us/enterprise/deep-security.aspx

For detailed information on installing, configuring and administering Sumo Logic, refer to http://help.sumologic.com/

SOLUTION COMPONENTS

DEEP SECURITY MANAGER (DSM)

The DSM is the management component of the system and is responsible for sending rules and security settings to the Deep Security Agents. It is controlled through a web-based management console, from which the administrator defines security policies, manages deployed agents, queries the status of managed instances, and so on. The integration with Sumo Logic is configured entirely through this console; no additional component or software is required on the Deep Security side.

DEEP SECURITY AGENT (DSA)

The DSA provides all protection functionality. The protection applied depends on the rules and security settings that each DSA receives from the DSM. The DSA also sends a regular heartbeat to the DSM, and pushes event logs and other data points about the instance it protects to the DSM.

SUMO LOGIC INSTALLED COLLECTORS AND SOURCES

Sumo Logic Installed Collectors receive data from one or more Sources. A Collector collects raw log data, compresses it, encrypts it and sends it to Sumo Logic in real time over HTTPS. The Deep Security components forward their events to an Installed Collector through a Syslog Source. Note that only the Collector-to-Sumo Logic hop is encrypted; the syslog hop from Deep Security to the Collector is UDP in clear text, so it should stay on a trusted network segment (see the comparison of integration options below).

SUMO LOGIC DATA ANALYTICS SERVICE AND WEB UI

The Sumo Logic Web UI is browser based. It provides visibility into and analysis of the log data and security events that the Deep Security platform sends to the Sumo Logic service, and also provides administration tools for checking system status, managing your deployment, controlling user access and managing Collectors.

HOW THE INTEGRATED SOLUTION WORKS

OVERVIEW

Trend Micro Deep Security software and Deep Security as a Service integrate with Sumo Logic through an Installed Collector and a Syslog Source. The Syslog Source behaves like a syslog server: it listens on the designated port for syslog messages from Deep Security. The Installed Collector can be deployed on a local machine, a dedicated server or in the cloud. Deep Security sends its system and security event logs to this server, which forwards them securely to the Sumo Logic Data Analytics Service. Figure 1 gives a high-level overview of the process:

1. Install: install the Collector and configure a Syslog Source.
2. Integrate: configure Deep Security to forward events to Sumo Logic.
3. Analyze: perform visualizations and forensic investigations from the Sumo Logic service.

FIGURE 1 - INTEGRATION OVERVIEW

INSTALL

INSTALL OPTIONS

The first thing to decide when setting up the integration is how to collect data from your Deep Security deployment and forward it to Sumo Logic. Sumo Logic offers three basic methods: local host data collection, centralized syslog data collection, and a Hosted Collector. Deep Security uses centralized syslog collection: an Installed Collector with Syslog Sources gathers all relevant data in a central location before forwarding it to Sumo Logic's cloud-based service.

INSTALLED COLLECTOR WITH SYSLOG SOURCES

Installation consists of deploying a Sumo Logic Installed Collector in your environment and then adding a Syslog Source to it. An Installed Collector can be installed on any standard server and used to collect local files, remote files, or to aggregate logs from network services via syslog. You can install a small number of Collectors to minimize maintenance, or many Collectors on many machines using configuration management and automation tools such as Puppet or Chef. At a minimum you need one Installed Collector for Deep Security.

The number of Syslog Sources you need depends on the types of event logs you send to Sumo Logic: one Syslog Source per event type. Deep Security has two types of events, System Events and Security Events. In the example below, the Installed Collector is configured with two Syslog Sources, both using UDP.

FIGURE 2 - LIST OF COLLECTORS FROM SUMO LOGIC'S WEB CONSOLE

In this example setup, the first Syslog Source listens on UDP port 514 for System Event log forwarding.

FIGURE 3 - INSTALLED COLLECTOR SYSLOG SOURCE FOR SYSTEM EVENTS

The second Syslog Source listens on UDP port 1514 for Security Event log forwarding from the protection modules.

FIGURE 4 - INSTALLED COLLECTOR SYSLOG SOURCE FOR SECURITY EVENTS
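A Syslog Source on UDP is just a UDP listener, which makes it easy to check before Deep Security is pointed at it. The following Python script is an added example, not code from the paper or from Trend Micro or Sumo Logic: it frames a message the way a BSD-style syslog sender does, round-trips it through a throw-away UDP listener on loopback that stands in for the Collector's Syslog Source, and includes a helper to fire the same datagram at a real Collector. The host names, tag, message body and any port you pass are assumptions for the example. Keep in mind that a UDP syslog source accepts any datagram that reaches it, unauthenticated and unencrypted, so the Collector's port should be reachable only from the DSM or the Agents.

```python
"""Added example (not from the Trend Micro paper): frame a test message the way a
Sumo Logic Syslog Source on UDP receives it, and prove a UDP listener path end to
end over loopback before pointing Deep Security at the real Collector.
Host names, the tag and the body are constructed for this example."""
import re
import socket
from datetime import datetime
from typing import Optional, Tuple

# Syslog PRI = facility * 8 + severity (RFC 3164 / RFC 5424); 191 is the maximum.
FACILITY_LOCAL0 = 16
SEVERITY_INFO = 6
_PRI_RE = re.compile(rb"^<(\d{1,3})>")


def build_syslog_datagram(hostname: str, tag: str, body: str,
                          facility: int = FACILITY_LOCAL0,
                          severity: int = SEVERITY_INFO,
                          when: Optional[datetime] = None) -> bytes:
    """BSD-style line: <PRI>Mmm dd HH:MM:SS host tag: body (day is space padded)."""
    when = when or datetime.now()
    pri = facility * 8 + severity
    stamp = f"{when:%b} {when.day:2d} {when:%H:%M:%S}"
    return f"<{pri}>{stamp} {hostname} {tag}: {body}".encode("utf-8")


def split_pri(datagram: bytes) -> Tuple[int, int, bytes]:
    """Return (facility, severity, remainder); reject a missing or invalid PRI."""
    m = _PRI_RE.match(datagram)
    if not m or int(m.group(1)) > 191:
        raise ValueError("missing or out-of-range syslog PRI")
    pri = int(m.group(1))
    return pri // 8, pri % 8, datagram[m.end():]


def loopback_roundtrip(datagram: bytes) -> bytes:
    """Bind a throw-away UDP listener on 127.0.0.1 (standing in for the Collector's
    Syslog Source), send `datagram` to it and return what arrived."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as listener:
        listener.bind(("127.0.0.1", 0))          # port 0: the OS picks a free port
        listener.settimeout(2.0)
        port = listener.getsockname()[1]
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sender:
            sender.sendto(datagram, ("127.0.0.1", port))
        received, _ = listener.recvfrom(65535)
    return received


def send_test_event(collector_host: str, port: int, datagram: bytes) -> None:
    """Send one datagram to a real Collector, e.g. the UDP 514 / 1514 sources in
    the paper. UDP returns no acknowledgement, so confirm arrival with a search
    in the Sumo Logic web UI."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.sendto(datagram, (collector_host, port))


if __name__ == "__main__":
    # Hypothetical host names; nothing here leaves the machine except the
    # commented-out call at the end.
    probe = build_syslog_datagram("dsm01.example.internal", "sumo-check",
                                  "integration test event")
    print(split_pri(probe))
    print("loopback ok:", loopback_roundtrip(probe) == probe)
    # send_test_event("collector.example.internal", 1514, probe)
```

Run it directly for the loopback check; to test a real Collector, uncomment the last call with your Collector's address and port, then search for the body text in Sumo Logic.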

INTEGRATE

SYSTEM EVENT LOG FORWARDING

System event forwarding from Trend Micro Deep Security to Sumo Logic is configured in the system settings (Administration > System Settings > SIEM), as shown below.

FIGURE 5 - SYSTEM SETTINGS FOR INTEGRATION OF SYSTEM EVENTS WITH SUMO LOGIC

FIGURE 6 - SYSTEM EVENTS FORWARDING TO SUMO LOGIC

SECURITY EVENT LOG FORWARDING

Security event forwarding from Trend Micro Deep Security to Sumo Logic is configured in the Policy, and requires a Syslog Source using UDP plus its connection information to be added to the policy. Deep Security supports policy inheritance: child policies inherit their settings from their parent policies, so you can build a policy tree that starts from a top-level (root/base) parent policy whose settings and rules apply to all computers. When you have a single Collector installed to collect logs from Deep Security, it is recommended to set the integration details at the top (root/base) policy, as shown below.

FIGURE 7 - POLICY SETTINGS FOR INTEGRATION OF SECURITY EVENTS WITH SUMO LOGIC

Additionally, you can configure an individual Collector for each protection module, or have all Deep Security modules send their logs to one Collector, depending on your requirements.

INTEGRATION OPTIONS FOR SECURITY EVENT LOGS

There are two ways to configure Deep Security to forward security events to Sumo Logic: Relay via Deep Security Manager, and Direct Forward.

RELAY VIA DEEP SECURITY MANAGER

With this option the syslog messages are sent by the Deep Security Manager, after the events have been collected from the Agents on their heartbeats, as shown below.

FIGURE 8 - SECURITY EVENT FORWARDING VIA DEEP SECURITY MANAGER

DIRECT FORWARD

With this option the security events are sent in real time directly from the Agents, as shown below.

FIGURE 9 - DIRECT FORWARDING OF SECURITY EVENTS

COMPARISON BETWEEN TWO INTEGRATION OPTIONS

When choosing between these two options for sending security events to Sumo Logic Installed Collectors, consider your Deep Security deployment model (as a Service, AWS or Azure Marketplace AMI/VM, or software), your network topology and design, your available bandwidth, and your Deep Security policy design. The table below compares the two choices.

Delivery
  Relay via Deep Security Manager: not real time. Security events travel from the Deep Security Agents to the Deep Security Manager on each heartbeat (every 10 minutes by default) and are then forwarded to the Sumo Logic Installed Collector.
  Direct Forward: real time. Security events are sent directly by the Deep Security Agents, with no dependency on the heartbeat.

Transport protocol
  Relay via Deep Security Manager: UDP.
  Direct Forward: UDP.

Network design
  Relay via Deep Security Manager: simpler, with a single Installed Collector. Only one network path to the Installed Collector server is needed, from the DSM.
  Direct Forward: more network paths to the Installed Collector server, one from each DSA. Depending on where the Agents run this may require a more complex network design and possibly multiple Installed Collector servers.

Policy configuration
  Relay via Deep Security Manager: a single security policy is enough to integrate with Sumo Logic.
  Direct Forward: may require multiple policies.

Deep Security as a Service deployment
  Relay via Deep Security Manager: not recommended, because the event data would be sent from the hosted Manager to your local Installed Collector in clear text.
  Direct Forward: recommended, because the event data goes from the Agents to your local Installed Collector and all of the traffic stays on your own network (for example, it never leaves the VPC), even though it is still in clear text on that hop.

ANALYZE

Once the install and integration steps are done, you can analyze Deep Security event data in Sumo Logic's web console. You can run searches, identify anomalies and correlate events across your protected workloads. You can also build dashboards that unify, enrich and visualize security-related information across your physical, virtual and cloud infrastructure.

SUPPORTED EVENT LOG FORMATS

Deep Security can forward events to a Sumo Logic Collector over syslog in these formats:

  Common Event Format (CEF) 1.0
  Log Event Extended Format (LEEF) 2.0

A basic syslog format is also available for legacy installations. It should not be used for new installations, because not all security modules support it. The event format for security events is selected in the Policy configuration; for system events it is selected in the system settings. Pick the format that best interoperates with the other event- and log-generating devices in your deployment.

PARSING EVENT LOG MESSAGES

In each supported format, the Extension part of the event message carries the additional custom fields used by Deep Security. These fields are documented in the Syslog Integration section of the Deep Security Administration Guide. Not every extension listed in the event format tables of the administration guide is present in every log entry.

Sumo Logic provides a number of ways to parse fields out of log messages. For example, the Parse Regex operator lets users comfortable with regular expression syntax extract data from log messages, and it can be used to extract Deep Security event fields. When parsing Deep Security event log messages, make sure that:

  The search query expressions do not depend on every key/value pair being present. Use the nodrop option with the parse regex expression to ensure this.
  The search query expressions do not expect the key/value pairs to be in a particular order.

For example, to parse Anti-Malware events in CEF format you can use a search query such as the one in Figure 10.
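The two caveats above (optional keys, no fixed order) apply to anything else that consumes these events, not only to Sumo Logic queries. The following Python parser is an added example, not code from the paper or from Trend Micro or Sumo Logic: it splits the CEF 1.0 / LEEF 2.0 header on unescaped pipes, extracts extension key/value pairs in whatever order they arrive, returns None rather than dropping the event for keys that are absent (the equivalent of nodrop), and handles the escaped '=' that CEF allows inside a value. The sample events are constructed for the example using standard CEF/LEEF key names and are not captured Deep Security output; the product and version strings in them are placeholders.

```python
r"""Added example (not from the Trend Micro paper): a CEF 1.0 / LEEF 2.0 event parser
for syslog lines as a Collector receives them. Every extension key is optional and
may appear in any order, the same discipline the paper asks of Sumo Logic queries.
Sample events below are constructed for this example, not captured output."""
import re
from typing import Dict, List, Optional

_CEF_HEADER = ("version", "vendor", "product", "device_version",
               "signature_id", "name", "severity")
_LEEF_HEADER = ("version", "vendor", "product", "device_version", "event_id")
# A CEF extension key is a run of name characters directly followed by '='; an
# escaped '\=' inside a value never matches because '\' is not a key character.
_CEF_KEY_RE = re.compile(r"(?:^|\s)([A-Za-z0-9_.]+)=")
_LEEF_HEX_DELIM_RE = re.compile(r"^(?:0?x)([0-9A-Fa-f]{2})$")


def _split_header(text: str, maxsplit: int) -> List[str]:
    r"""Split on unescaped '|' at most `maxsplit` times, unescaping '\|' and '\\'
    in the header fields only; the remainder (extension) is returned untouched."""
    parts, cur, i = [], [], 0
    while i < len(text) and len(parts) < maxsplit:
        ch = text[i]
        if ch == "\\" and i + 1 < len(text):
            cur.append(text[i + 1]); i += 2
        elif ch == "|":
            parts.append("".join(cur)); cur = []; i += 1
        else:
            cur.append(ch); i += 1
    parts.append("".join(cur) + text[i:])
    return parts


def _unescape(value: str) -> str:
    r"""CEF extension escapes: '\=' and '\\', plus '\n' / '\r' for line breaks."""
    return re.sub(r"\\(.)",
                  lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)), value)


def _cef_extension(ext: str) -> Dict[str, str]:
    """key=value pairs whose values may contain spaces; a value runs up to the
    next token that looks like a key. Order and presence are not assumed."""
    keys = list(_CEF_KEY_RE.finditer(ext))
    fields = {}
    for n, m in enumerate(keys):
        end = keys[n + 1].start() if n + 1 < len(keys) else len(ext)
        fields[m.group(1)] = _unescape(ext[m.end():end].strip())
    return fields


def parse_cef(line: str) -> Optional[dict]:
    """Parse a line containing 'CEF:'; any syslog PRI/timestamp/host prefix is skipped."""
    pos = line.find("CEF:")
    if pos < 0:
        return None
    parts = _split_header(line[pos + 4:], 7)
    if len(parts) < 7:
        return None                     # truncated header: reject, do not guess
    header = dict(zip(_CEF_HEADER, parts[:7]))
    ext = parts[7] if len(parts) == 8 else ""
    return {"format": "CEF", "header": header, "ext": _cef_extension(ext)}


def parse_leef(line: str) -> Optional[dict]:
    """Parse a LEEF 2.0 line. Header field 6 names the extension delimiter: empty
    means tab, 'x09'/'0x09' means the character with that hex code, otherwise the
    single literal character given."""
    pos = line.find("LEEF:")
    if pos < 0:
        return None
    parts = _split_header(line[pos + 5:], 6)
    if len(parts) < 7 or not parts[0].startswith("2."):
        return None
    header = dict(zip(_LEEF_HEADER, parts[:5]))
    spec, ext = parts[5], parts[6]
    hexm = _LEEF_HEX_DELIM_RE.match(spec)
    delim = "\t" if spec == "" else chr(int(hexm.group(1), 16)) if hexm else spec
    if len(delim) != 1:
        return None
    fields = {}
    for pair in ext.split(delim):
        key, sep, value = pair.partition("=")
        if sep:
            fields[key.strip()] = value
    return {"format": "LEEF", "header": header, "ext": fields}


def parse_event(line: str) -> Optional[dict]:
    """Dispatch on whichever format the policy or system setting selected."""
    return parse_cef(line) or parse_leef(line)


def pick(event: dict, *keys: str) -> Dict[str, Optional[str]]:
    """Select extension keys, yielding None for absent ones instead of dropping the
    event (the Sumo Logic 'nodrop' behaviour), independent of key order."""
    return {k: event["ext"].get(k) for k in keys}


# Constructed samples in the shape of forwarded events (standard CEF/LEEF keys,
# placeholder product/version strings, not captured Deep Security output).
# The CEF msg value contains an escaped '='.
SAMPLE_CEF = ("<134>May  5 09:03:12 dsm01 CEF:0|Trend Micro|Deep Security Agent|10.0|"
              "4000000|Malware Found|8|cn1=1 cn1Label=Host ID dvchost=web01 "
              "act=Quarantine msg=eq\\=sign here dst=10.0.0.5")
SAMPLE_LEEF = ("<134>May  5 09:03:12 dsm01 LEEF:2.0|Trend Micro|Deep Security Agent|"
               "10.0|21|^|cat=Anti-Malware^dvchost=web01^sev=6")

if __name__ == "__main__":
    for raw in (SAMPLE_CEF, SAMPLE_LEEF):
        ev = parse_event(raw)
        print(ev["format"], ev["header"]["product"], pick(ev, "dvchost", "act", "msg"))
```

Run it directly to see both samples decoded. In practice feed it the raw lines exactly as the Syslog Source receives them; the syslog prefix is skipped, and `pick` gives you the same tolerance for missing keys that nodrop gives a Sumo Logic search.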

FIGURE 10 - SAMPLE PARSE REGEX QUERY TO EXTRACT ANTI-MALWARE EVENTS

FIELD EXTRACTION RULES

Automatic field parsing can also be configured using Field Extraction Rules. This feature lets Sumo Logic users explore the data without writing parse statements into every search. See below for sample field extraction rules and deployment guidance. For additional information and instructions on configuring field extraction rules, see the Sumo Logic documentation here. Sample Trend Micro Deep Security field extraction rules can also be found here.

SUMO LOGIC DASHBOARD

Sumo Logic dashboards are a powerful visualization tool that helps reduce the time it takes to identify anomalies and indicators of compromise (IOCs). The saved searches powering these dashboards can also be leveraged for forensic investigations and to shorten root cause analysis and remediation. The uses for dashboards are nearly endless. Perhaps your IT security group wants to keep an eye on who is installing virtual machines: you can edit, create and save the queries you run as a panel in a dashboard and watch for spikes over time in a line graph. Multiple graphical formats are supported. Dashboards bring additional assurance that unusual activity will be displayed in real time in an easy-to-digest graphical format, and the data that matters most to you becomes easier to track.

FIGURE 11 - SUMO LOGIC DASHBOARD WITH TREND MICRO DEEP SECURITY PANELS

WHAT'S COMING?

Sumo Logic Apps deliver out-of-the-box dashboards, saved searches and field extraction for popular data Sources. When you install a Sumo Logic App, these pre-set searches and dashboards are customized with your source configurations and populated in a folder you select. The Sumo Logic App for Trend Micro Deep Security will be released in the near future, providing pre-set searches, extraction rules and an out-of-the-box dashboard for each security module.

Trend Micro Incorporated, a global leader in security software, strives to make the world safe for exchanging digital information. Our innovative solutions for consumers, businesses and governments provide layered content security to protect information on mobile devices, endpoints, gateways, servers and the cloud. All of our solutions are powered by cloud-based global threat intelligence, the Trend Micro Smart Protection Network, and are supported by over 1,200 threat experts around the globe. For more information, visit www.trendmicro.com.

2016 by Trend Micro Incorporated. All rights reserved. Trend Micro, the Trend Micro t-ball logo, and Smart Protection Network are trademarks or registered trademarks of Trend Micro Incorporated. All other company and/or product names may be trademarks or registered trademarks of their owners. Information contained in this document is subject to change without notice.