Trend Micro Deep Security 9.6 Rade Švraka M.Sc.E.E. IT Security Engineer [email protected]

Trend Micro Deep Security 9 · Classification 12/1/2015 7 Deep Security Virtual Appliance Includes: • Intrusion Prevention • Firewall • Anti-malware • Web Reputation • Integrity


Page 2

Page 3

What is Deep Security?!?

Page 4

Trend Micro Deep Security: a server security platform for physical, virtual and cloud environments.

Protection modules: Anti-Malware, Firewall, Intrusion Prevention, Web Reputation, Integrity Monitoring, Log Inspection.

VMware vShield enabled, agent-less.

Page 5

What is Deep Security?!? 6 protection modules

Protection is delivered via Agent and/or Virtual Appliance (* Log Inspection is only available in agent form today).

• Anti-Virus: detects and blocks malware (web threats, viruses & worms, Trojans)
• Intrusion Prevention: detects and blocks known and zero-day attacks that target vulnerabilities
• Web Reputation: tracks credibility of websites and safeguards users from malicious URLs
• Firewall: reduces attack surface; prevents DoS & detects reconnaissance scans
• Integrity Monitoring: detects malicious and unauthorized changes to directories, files, registry keys…
• Log Inspection*: optimizes the identification of important security events buried in log entries

Page 6

Virtualization Security with Deep Security: Agentless Security Platform for Virtual Environments

Deep Security Virtual Appliance:
• Intrusion prevention
• Firewall
• Anti-malware
• Web reputation
• Integrity monitoring

[Figure: "The Old Way" (VM VM VM) versus "With Deep Security" (Security Virtual Appliance protecting VM VM VM, with room for more VMs)]

Benefits: Easier Manageability, Higher Density, Fewer Resources, Stronger Security, More VMs.

Page 7

Deep Security Architecture

Deep Security Manager: Single Pane, Scalable, Redundant. Also shown: Reports, SecureCloud, Threat Intelligence Manager.

Deep Security Agent. Modules:
• Intrusion Prevention
• Firewall
• Integrity Monitoring
• Log Inspection
• Anti-malware
• Web Reputation

Deep Security Virtual Appliance. Includes:
• Intrusion Prevention
• Firewall
• Anti-malware
• Web Reputation
• Integrity Monitoring
• Hypervisor Integrity Monitoring

Page 8

Deep Security agentless architecture with Deep Security Virtual Appliance 9.5 (DSVA)

[Architecture diagram; the component labels from the slide are listed below]

Legend: Trend Micro product components; vShield Endpoint Components; VMware Platform. Roles shown: VI Admin, Security Admin.

• ESX/ESXi vSphere Platform, with vCenter and vShield Manager; vShield Endpoint ESX Module (LKM)
• Guest VM: OS, Kernel, BIOS, APPs, EPSec Thin Driver
• Trend Micro Deep Security Manager
• Trend Micro Deep Security Virtual Appliance:
  – Anti-Malware: Real-time Scan; Scheduled & Manual Scan
  – Network Security: IDS/IPS; Web App Protection; Application Control; Firewall
• Trend Micro Filter Driver, VMSafe-Net API, vShield Endpoint API

Page 9

Virtual Patching with Deep Security

Raw Traffic -> Deep packet inspection -> Filtered Traffic

1. Stateful Firewall: allow known good
2. Exploit Rules: stop known bad
3. Vulnerability Rules: shield known vulnerabilities
4. Smart Rules: shield unknown vulnerabilities and protect specific applications

Over 100 applications shielded including: Operating Systems, Database servers, Web app servers, Mail servers, FTP servers, Backup servers, Storage mgt servers, DHCP servers, Desktop applications, Mail clients, Web browsers, Anti-virus, Other applications.

Page 10

Example: Microsoft Critical Vulnerability MS12-020 Remote Desktop Protocol Vulnerability

Details

• Tuesday March 13 (Patch Tuesday): Microsoft Releases Security Update MS12-020

• Vulnerability is rated as Critical and affects all versions of Windows where RDP service is ON

• Could allow an attacker to install programs; view, change, or delete data; or create new accounts with full user rights

• The vulnerability is potentially wormable due to it being an unauthenticated, network-based vulnerability

• Microsoft sees a high likelihood of attempts to exploit the vulnerability in the next 30 days


Page 11

Virtualization Security Challenges. Challenge: Instant-on Gaps

Reactivated and cloned VMs can have out-of-date security.

[Figure: Dormant -> Active; Reactivated with outdated security; Cloned]

Page 12

Virtualization Security Challenges. Challenge: Inter-VM Attacks

Attacks can spread across VMs.

Page 13

Virtualization Security Challenges. Challenge: Resource Contention

[Figure: Typical AV Console, 3:00am Scan -> Security Storm]

Automatic security scans overburden the system.

Page 14

Controlled use of hardware resources

• Scan-storm avoidance
  – Control the number of concurrent "scans" to a specific fixed limit across the DSM cluster to reduce the potential for scan storms (default is 50)
  – Control the number of concurrent "scans" per ESX (default is 3)
  – Controls are configured through Performance Profiles
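As an added illustration (not Trend Micro code), the following Python models the two-level cap just described, using the slide's defaults of 50 concurrent scans across the DSM cluster and 3 per ESX host; the scheduler logic is a hypothetical model of the behaviour, not the product's implementation.

```python
# Added model of scan-storm avoidance with two concurrency caps (not Trend Micro code).
# Defaults mirror the slide (50 per DSM cluster, 3 per ESX); the logic is a hypothetical model.
from collections import Counter, deque

CLUSTER_LIMIT = 50  # default concurrent scans across the DSM cluster (slide value)
PER_ESX_LIMIT = 3   # default concurrent scans per ESX host (slide value)


class ScanScheduler:
    """Admits queued VM scans only while both the cluster and the host cap allow it."""

    def __init__(self, cluster_limit=CLUSTER_LIMIT, per_esx_limit=PER_ESX_LIMIT):
        self.cluster_limit = cluster_limit
        self.per_esx_limit = per_esx_limit
        self.running = {}          # vm -> ESX host, for scans in progress
        self.per_host = Counter()  # ESX host -> number of running scans
        self.pending = deque()     # (vm, host) pairs waiting for a slot

    def request(self, vm, host):
        """Queue a scan for vm on host; it starts immediately if slots are free."""
        self.pending.append((vm, host))
        self._admit()

    def finish(self, vm):
        """Release the slots held by a completed scan and admit waiting scans."""
        host = self.running.pop(vm)
        self.per_host[host] -= 1
        self._admit()

    def _admit(self):
        # Walk the queue once, skipping VMs whose host is saturated so that one
        # busy ESX host does not hold back scans on idle hosts.
        deferred = deque()
        while self.pending and len(self.running) < self.cluster_limit:
            vm, host = self.pending.popleft()
            if self.per_host[host] >= self.per_esx_limit:
                deferred.append((vm, host))
                continue
            self.running[vm] = host
            self.per_host[host] += 1
        self.pending = deferred + self.pending  # deferred entries keep their place


def simulate_storm(vms_by_host, cluster_limit=CLUSTER_LIMIT, per_esx_limit=PER_ESX_LIMIT):
    """Every VM asks for a scan at once (the 3:00am storm); return what actually
    runs: (scans running, running scans per host, scans still queued)."""
    sched = ScanScheduler(cluster_limit, per_esx_limit)
    for host, vms in vms_by_host.items():
        for vm in vms:
            sched.request(vm, host)
    return len(sched.running), dict(sched.per_host), len(sched.pending)
```

With 4 hosts of 10 VMs each the per-ESX cap binds (12 scans run, 28 wait); with 20 hosts the cluster cap of 50 binds first.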

Page 15

Test results

[Chart: Classic AV first scan; Classic AV repeated scan; Deep Security Agentless scan]

Page 16

Thank you!