Advania Fall Conference: Securing the Modern Data Center with Trend Micro Deep Security. Okan Kalak, Senior Sales Engineer, okan@trendmicro.no
Infrastructure change: Physical Servers, Virtual Servers, Virtual Desktops, Public Cloud, Containers, Serverless (AWS Lambda, Azure Functions)
Analyst insights & recommendations: "Cloud workloads have different requirements for security than end-user-facing endpoints, and the adoption of hybrid private/public cloud computing models compound the differences. Require vendors to support the security and visibility of workloads that span physical, virtual and multiple public cloud IaaS all from a single policy management framework and console." Source: Gartner, Market Guide for Cloud Workload Protection Platforms, March 2017, G00300334
Cross-generational blend of threat defense techniques: Anti-Malware & Content Filtering, Intrusion Prevention, Application Control, Integrity Monitoring, Behavioral Analysis, Sandbox Analysis, Machine Learning (2H/17), Response & Containment
Network Security
Network Security. Intrusion Prevention: defend against network and application threats. Firewall: stop lateral movement and reduce server attack surface. Vulnerability Scanning: automatically assess workload vulnerabilities & apply protection. Protect against OS & application vulnerabilities (ex: Struts 2, Shellshock); detect & stop ransomware (ex: WCRY); reduce the need for emergency patching; shield end-of-life systems & applications.
Reduce operational impacts: reduce operational costs of emergency & ongoing patching; protect systems where no patches will be provided; secure server and application-level vulnerabilities. Timeline (figure): vulnerability disclosed or exploit available, then virtual patch available and continuous protection from that point; in parallel, vendor patch available (if in support), test, begin deployment, completed. WannaCry ransomware protection delivered in March 2017, with enhancements at public disclosure (May 2017).
File Server Ransomware Protection and early detection. Scenario: ransomware infects end users' endpoints, which have mounted file shares; the ransomware encrypts files on the shares even though the server itself is not infected. File server: Windows or Linux (Samba). Detection: Rule 1007596 - Identified Suspicious File Extension Rename Activity Over Network Share: detects renames to 50 ransomware-related extensions and provides early detection. Detection and Protection: Rule 1007598 - Identified Suspicious Rename Activity Over Network Share: a rule to prevent renames after N renames in T1 seconds, for T2 seconds. E.g. if Deep Security detects 10 renames in 60 seconds, stop any rename activity for, say, 24 hrs.
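The two share-rename rules above, as an added illustrative example (not Trend Micro's implementation): renames to ransomware-related extensions raise an early alert, and once N renames from one client fall within T1 seconds, that client's renames are blocked for T2 seconds. The extension list, the event format (timestamp, client, new file name) and the sample event stream are constructed for the demo.

```python
"""Suspicious rename activity over a network share (added example).
Models the two rules described above: flag renames to ransomware-related
extensions (early detection), and once N renames from one client fall within
T1 seconds, block that client's renames for T2 seconds. Illustrative code,
not Trend Micro's; extension list, event format and thresholds are constructed.
"""
import os
from collections import defaultdict, deque

# Constructed, deliberately short list; the real rule covers ~50 extensions.
SUSPICIOUS_EXTENSIONS = {".wncry", ".locky", ".crypt", ".encrypted"}


class RenameMonitor:
    def __init__(self, n_renames=10, window_s=60.0, block_s=24 * 3600.0):
        self.n = n_renames                 # N
        self.window_s = window_s           # T1
        self.block_s = block_s             # T2
        self._times = defaultdict(deque)   # client -> recent rename timestamps
        self.blocked_until = {}            # client -> end of its block period

    def observe(self, ts, client, new_name):
        """Process one rename event; return 'block', 'alert' or 'allow'."""
        if ts < self.blocked_until.get(client, 0.0):
            return "block"                 # client is still in its T2 penalty
        times = self._times[client]
        times.append(ts)
        while times and ts - times[0] > self.window_s:
            times.popleft()                # slide the T1 window
        if len(times) >= self.n:
            # N renames within T1 seconds: stop this client's renames for T2.
            self.blocked_until[client] = ts + self.block_s
            times.clear()
            return "block"
        ext = os.path.splitext(new_name)[1].lower()
        return "alert" if ext in SUSPICIOUS_EXTENSIONS else "allow"


def run_demo():
    """Constructed event stream: one benign client, one client encrypting a share."""
    mon = RenameMonitor(n_renames=10, window_s=60.0, block_s=24 * 3600.0)
    events = [(0.0, "10.0.0.5", "q3-report.docx.bak")]               # benign
    events += [(1.0 + i, "10.0.0.9", f"doc{i}.xlsx.wncry") for i in range(12)]
    events += [(3600.0, "10.0.0.9", "notes.txt.tmp")]                # blocked
    return [(c, mon.observe(ts, c, name)) for ts, c, name in events]
```

In the demo the encrypting client gets nine early-warning alerts on the suspicious extension, is blocked on its tenth rename inside the 60-second window, and stays blocked an hour later because the 24-hour penalty is still running.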
System Security
System Security. Application Control: lock down servers and prevent changes (whitelisting); automate protection from malicious attacks like ransomware. Integrity Monitoring: detect suspicious or unauthorized changes across files, ports, registries, and more; reduce attack surface and speed compliance. Log Inspection: consolidate and report on log information across systems; detect and notify of indicators of compromise (IOCs).
Application Control: block unknown software from running on protected servers. When enabled, Application Control will scan servers and create a whitelist of approved software. Administrator-defined rules can block all unknown software (not included in the whitelist) until explicitly allowed. Effectively locks down servers to significantly reduce their attack surface. Real-time protection against unknown software. Included with the System Security license (along with Integrity Monitoring and Log Inspection). Many ways for malware to install on your servers: intrusions, lateral movement, human error, authorized users installing custom/personalized tools.
Stop unauthorized changes: full visibility across the hybrid cloud; lock down applications and servers (Windows & Linux); support continuous application change with automation.
Malware Prevention
Malware Prevention. Anti-Malware & Content Filtering: detect & stop known malware from executing; stop malware and targeted attacks; detect & stop ransomware (ex: WCRY). Behavioral Analysis and Machine Learning (2H/17): detect suspicious files & behavior, stop malicious changes; stop zero-day attacks. Sandbox Analysis: send suspicious objects to a customizable network sandbox; analyze unknown threats & share across multiple security products.
Intelligent detection and protection against ransomware attacks (Anti-malware Behavior Monitoring): 1. Deep Security Anti-malware is protecting the server. 2. Unknown ransomware finds the server host and starts a legitimate-looking process. 3. Ransomware begins encrypting files. 4. Deep Security detects and monitors the suspicious behavior and begins backing up files. 5. Deep Security determines the behavior to be a ransomware attack and stops the process. 6. Deep Security restores the original unencrypted files to the directory and logs the event.
Turning unknown threats into known threats with Sandbox Analysis! Flow: Deep Security detects a suspicious object during real-time scanning and sends it to Deep Discovery Analyzer for confirmation; Trend Micro Control Manager (TMCM) is notified of the new malware and sends signature and policy to Deep Security and the other connected products (OfficeScan, Mail Gateway, Web Gateway). Full system protection with Trend Micro Connected Threat Defense.
Protect against advanced threats. Legend: Known Good, Known Bad, Unknown. Controls: Anti-Malware & Content Filtering; Intrusion Prevention (IPS) & Firewall; Integrity Monitoring & Log Inspection; Application Control; Machine Learning (2H/17); Behavioral Analysis; Custom Sandbox Analysis. Safe files & actions allowed; malicious files & actions blocked.
Remove security complexity (Deep Security)
Smart Folders Demo
Eliminate manual security processes: get full visibility across environments; automatically scale up and down without gaps; scan for vulnerabilities & recommend or apply security based on policy; install only the security controls required, for maximum performance.
Event-based tasks to profile new systems
Protect against the latest vulnerabilities: scheduled vulnerability scans
Security for VMware deployments (Deep Security spans all of them): Software-Defined Data Center (private cloud): vSphere, vCloud, NSX. Public Cloud (multi-cloud): VMware, AWS, Azure. End User Computing: Horizon Virtual Desktop Infrastructure (VDI). Operations: vRealize Operations Management.
Securing VMware NSX: delivers automated security deployment & micro-segmentation (file & network). Integration enables security event viewing in vSphere with the ability to take automated actions (ex: quarantine).
VMware continuity to NSX. DS 10 supports agentless deployments with NSX 6.2.4 or higher. Agentless AM-only requires the NSX for vShield Endpoint license or the Standard license. Agentless All Controls requires the NSX Advanced license or the NSX Enterprise license. Alternatively, agents can be deployed where all controls are required; agent deployments do not require NSX. Controls matrix (Anti-Malware, Web Reputation, Firewall, IPS / VP, Integrity Monitoring, Log Inspection) by deployment option: NSX for vShield Endpoint (free) or NSX Standard, vSphere with NSX (agentless): anti-malware only. NSX Advanced or NSX Enterprise (agentless): all controls. vSphere (agent-based): all controls. Notes: 1. With the built-in NSX firewall, the Deep Security firewall will normally not be used and should not be focused on for pure NSX deployments. 2. Agent-based functionality in combined mode with agentless.
Single pane of glass for Trend Micro events and VMware events
Correlate vROps events with security events
Remove platform support issues: thousands of supported kernels with rapid updates
Protecting Docker deployments (Amazon ECS shown): extends Deep Security server protection techniques to Docker containers; secures micro-service architectures through runtime protection; leverages anti-malware, application control, IPS, and integrity monitoring to secure containers.
Streamline information sharing
Accelerate compliance: multiple controls with central management & reporting; protect legacy environments; consistent security across the hybrid cloud. (Frameworks pictured include 800-53 and FERC.)
Accelerate compliance & enhance security: 8 of 12 requirements, 10 of 20 requirements, and 6 of 10 requirements, respectively, of the three compliance frameworks pictured.
Gartner Magic Quadrant for Endpoint Protection Platforms, January 2017. This graphic was published by Gartner, Inc. as part of a larger research document and should be evaluated in the context of the entire document. The Gartner document is available upon request from https://resources.trendmicro.com/gartner-magic-quadrant-endpoints.html. Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner's research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose. Confidential. 2017 Trend Micro Inc.
The market leader in server security for 7 straight years (market share pie chart: segment labelled 30%; remaining segments Intel, Symantec, Other). Source: IDC, Securing the Server Compute Evolution: Hybrid Cloud Has Transformed the Datacenter, January 2017, #US41867116
Questions?
Thank you! okan@trendmicro.no