Trend Micro Deep Security 7
Server and Application Protection for Dynamic Datacenters

Overview:
Protect physical, virtual and cloud servers from malicious attack
Enterprises are increasingly online and data-centric, and no matter what the purpose—connecting partners, personnel, suppliers, or customers—applications face a growing danger of cyber attacks. These targeted threats are greater and more sophisticated than ever before, and data security compliance becomes more stringent every day. Your company needs uncompromising security that enables you to modernize your datacenter with virtualization and cloud computing without reducing performance.
Trend Micro delivers streamlined, integrated products, services, and solutions that cost-effectively protect sensitive data and minimize risk. Deep Security is comprehensive server and application protection software that enables physical, virtual, and cloud computing environments to become self-defending. Whether implemented as software, virtual appliance, or in a hybrid approach, this solution minimizes overhead, streamlines management, and strengthens transparent security for virtual machines. Deep Security also addresses a wide range of compliance requirements, including six major PCI compliance requirements with web application-layer firewall, IDS/IPS, file integrity monitoring, and network segmentation.
Trend Micro Deep Security 7 provides advanced protection for servers in the dynamic datacenter, whether physical, virtual or in the cloud. Brought to Trend Micro through the acquisition of Third Brigade, Deep Security combines intrusion detection and prevention, firewall, integrity monitoring and log inspection capabilities in a single, centrally managed software agent.
Deep Security protects confidential data and critical applications to help prevent data breaches and ensure business continuity, while enabling compliance with important standards and regulations such as PCI, FISMA and HIPAA. Whether implemented as software, virtual appliance, or in a hybrid approach, this solution equips enterprises to identify suspicious activity and behavior, and take proactive or preventive measures to ensure the security of the datacenter.
Deployment and Integration
Rapid Deployment Leverages Existing IT and Security Investments
- VMware integration with VMware vCenter and ESX Server enables organizational and operational information to be imported into Deep Security Manager, and detailed security to be applied to an enterprise’s VMware infrastructure
- Integration with VMsafe™ APIs enables rapid deployment on ESX servers as a virtual appliance to immediately and transparently protect vSphere virtual machines
- Detailed, server-level security events are provided to a SIEM system, including ArcSight™, Intellitactics, NetIQ, RSA Envision, Q1Labs, Loglogic, and other systems through multiple integration options
- Directory integration with enterprise-scale directories, including Microsoft Active Directory
- Configurable management communication minimizes or eliminates firewall changes typically needed for centrally managed systems by enabling either the Manager or the Agent to initiate communication
- Agent software can be deployed easily through standard software distribution mechanisms such as Microsoft SMS, Novell ZENworks, and Altiris
Deep Security Difference
Get server and application protection that meets the challenging operational security and compliance needs of today’s dynamic datacenter.
- Advanced, modular protection. Provides a single solution for firewall, intrusion detection and prevention, web application protection, integrity monitoring, and log inspection.
- Coordinated virtualization security. Transparently enforces security policies on VMware vSphere virtual machines, coordinating with the Deep Security Agent to deliver optimal protection and performance.
- Greater operational efficiency. Deploys quickly and widely, with automated tasks that make management easier and more efficient with minimal impact on IT resources.
- Superior platform support. Delivers full functionality across more platforms, so you can adopt the newest virtualization platforms and OS releases without sacrificing protection.
- Tighter integration. Ensures effective enterprise deployment and continued vendor flexibility through tighter integration with directory and virtualization platforms as well as SIEM.
- More responsive. Safeguards servers and applications with a focus and expertise that allow faster response to your support, product, and evolving protection requirements.
Virtualization
Trend Micro offers the industry’s first hypervisor-aware security VM that actively coordinates security with VM-based security agents to deliver optimal protection and security performance for operating systems, applications, and data on virtual and cloud servers.
Features & Benefits:
Key Benefits:
Prevents Data Breaches and Business Disruptions
- Provides a line of defense at the server, whether physical, virtual, or in the cloud
- Shields known and unknown vulnerabilities in applications and operating systems
- Protects web applications from SQL injection and cross-site scripting attacks
- Blocks attacks to enterprise systems
- Identifies suspicious activity and behavior, enabling proactive and preventive measures
Helps Comply with PCI and Other Regulations and Standards
- Addresses six major PCI DSS requirements and a wide range of other compliance requirements
- Provides detailed, auditable reports that document prevented attacks and policy compliance status
- Reduces the preparation time and effort required to support audits
Achieves Operational Cost Reductions
- Optimizes the savings of virtualization or cloud computing by consolidating server resources
- Streamlines administration by automating management of security events
- Provides vulnerability protection that lets you prioritize secure-coding fixes and implement unscheduled patching cost-effectively
- Eliminates the cost of deploying multiple software clients with a centrally managed, multi-purpose software agent or virtual appliance
Key Features:
Deep Packet Inspection
- Examines all incoming and outgoing traffic for protocol deviations, content that signals an attack, or policy violations
- Operates in detection or prevention mode to protect operating systems and enterprise application vulnerabilities
- Defends against application-layer attacks, SQL injection, and cross-site scripting
- Provides valuable information, including who attacked, when they attacked, and what they attempted to exploit
- Automatically notifies administrators when an incident has occurred
Intrusion Detection and Prevention
- Protects against known and zero-day attacks by shielding known vulnerabilities from unlimited exploits
- Automatically shields newly discovered vulnerabilities within hours, pushing protection to thousands of servers in minutes without a system reboot
- Includes out-of-the-box vulnerability protection for over 100 applications, including database, web, email, and FTP servers
- Smart rules provide zero-day protection from unknown exploits that attack an unknown vulnerability, by detecting unusual protocol data containing malicious code
Integrity Monitoring
- Monitors critical operating system and application files, such as directories, registry keys, and values, to detect malicious and unexpected changes
- Detects modifications to existing file systems and new file creations and reports them in real time
- Enables on-demand, scheduled, or real-time detection, checks file properties (PCI DSS 10.5.5), and monitors specific directories
- Delivers flexible and practical monitoring through includes/excludes and auditable reports
Web Application Protection
- Assists compliance (PCI DSS 6.6) to protect web applications and the data they process
- Defends against SQL injection, cross-site scripting, and other web application vulnerabilities
- Shields against vulnerabilities until code fixes can be completed
Application Control
- Provides increased visibility into, or control over, applications accessing the network
- Uses application control rules to identify malicious software accessing the network
- Reduces vulnerability exposure of servers
Bidirectional Stateful Firewall
- Decreases the attack surface of physical, cloud, and virtual servers
- Centrally manages server firewall policy, including templates for common server types
- Features fine-grained filtering (IP and MAC addresses, ports), per-network-interface policies, and location awareness
- Prevents denial of service attacks and detects reconnaissance scans
- Covers all IP-based protocols (TCP, UDP, ICMP, etc.) and all frame types (IP, ARP, etc.)
Log Inspection
- Collects and analyzes operating system and application logs for security events
- Assists compliance (PCI DSS 10.6) to optimize the identification of important security events buried in multiple log entries
- Forwards events to SIEM system or centralized logging server for correlation, reporting, and archiving
- Detects suspicious behavior, collects security events and administrative actions across your datacenter, and creates advanced rules using OSSEC syntax
Architecture:
Server and Application Protection
Deep Security is server and application protection software that, combined with vulnerability response services, allows systems to become self-defending. The solution consists of the Deep Security Virtual Appliance, the Deep Security Agent, the Deep Security Manager, and the Security Center.
Deep Security Virtual Appliance
Transparently enforces security policies on VMware vSphere virtual machines for IDS/IPS, web application protection, application control, and firewall protection, coordinating with the Deep Security Agent, if desired, for integrity monitoring and log inspection.
Deep Security Agent
The Deep Security Agent is a small software component that is deployed on the server or virtual machine being protected and enforces the security policy. The Agent provides IDS/IPS, web application protection, application control, firewall, integrity monitoring, and log inspection.
Deep Security Manager
The Deep Security Manager is a powerful management system that allows administrators to create security profiles and apply them to servers. It has a centralized console for monitoring alerts and the preventive actions taken in response to threats. The Manager can be configured to distribute security updates to servers automatically or on demand, and can generate reports that give visibility into activity and support compliance requirements. New event tagging functionality streamlines the management of high-volume events and supports an incident response workflow.
Security Center
The Security Center is a dedicated team of security experts who help customers stay ahead of the latest threats by rapidly developing and delivering security updates that address newly discovered vulnerabilities. The Security Center manages the customer portal used for accessing these security updates and information. Security updates can be delivered to the Deep Security Manager automatically, or on demand, for deployment to thousands of servers within minutes.

Protection Modules:
Deep Security is a software solution that protects dynamic datacenters. One or more of the following protection modules can be deployed to the server or virtual machine in a single Deep Security Agent. The Deep Security Agent is unified across physical and virtual environments.
- Deep Packet Inspection. Enables Intrusion Detection and Prevention, Web Application Protection and Application Control.
- Firewall. Decreases the attack surface of your physical and virtual servers.
- Integrity Monitoring. Monitors files, systems and registry for changes.
- Log Inspection. Provides visibility into important security events buried in log files.
The table below outlines key datacenter security requirements and the specific Deep Security modules used to address them.
| Datacenter Requirement | DPI: IDS/IPS | DPI: Web Application Protection | DPI: Application Control | Firewall | Integrity Monitoring | Log Inspection |
|---|---|---|---|---|---|---|
| Server Protection | | | | | | |
| Web Application Security | | | | | | |
| Virtualization Security | | | | | | |
| Suspicious-Behavior Detection | | | | | | |
| Cloud Computing Security | | | | | | |
| Compliance Reporting | | | | | | |
= Essential
= Advantageous
Deep Packet Inspection (DPI) Protection Module
The high-performance deep packet inspection engine examines all incoming and outgoing traffic, including SSL traffic, for protocol deviations, content that signals an attack, or policy violations. It can operate in detection and prevention modes to protect operating systems and enterprise application vulnerabilities. It protects web applications from application-layer attacks including SQL injection and cross-site scripting. Detailed events provide valuable information, including who attacked, when they attacked and what they attempted to exploit. Administrators can be automatically notified via alerts when an incident has occurred. Deep packet inspection is used for intrusion detection and prevention, web application protection, and application control.
Intrusion Detection and Prevention (IDS/IPS)
By shielding vulnerabilities in operating systems and enterprise applications until they can be patched, intrusion detection and prevention helps enterprises achieve timely protection against known and zero-day attacks. Vulnerability rules shield a known vulnerability, for example one of those disclosed monthly by Microsoft, from an unlimited number of exploits. Deep Security includes out-of-the-box vulnerability protection for over 100 applications, including database, web, email, and FTP servers. Rules that shield newly discovered vulnerabilities are automatically delivered within hours and can be pushed out to thousands of servers in minutes, without a system reboot (see Vulnerability Gaps below).
Web Application Protection
Deep Security assists compliance with PCI DSS Requirement 6.6 for the protection of web applications and the data they process. Web application protection rules defend against SQL injection attacks, cross-site scripting attacks, and other web application vulnerabilities, and shield these vulnerabilities until code fixes can be completed.
Application Control
Application control rules provide increased visibility into, or control over, the applications that are accessing the network. These rules can also be used to identify malicious software accessing the network or to reduce the vulnerability exposure of your servers.
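The web application protection rules described above are, at their core, patterns applied to decoded request parameters, with a mode switch that decides whether a hit is only logged (detection) or dropped (prevention). The following is an added illustration of that idea and is not Trend Micro's engine or rule set; the two signatures, the parameter decoding and the detect/prevent switch are simplified assumptions made for this example.

```python
"""Illustrative web-application-protection filter in the style of a DPI rule.

Added example; it is not Trend Micro's engine or rule set. The two signature
patterns and the detect/prevent switch are simplified assumptions made for the
example; real rule sets are far broader and tuned against false positives.
"""
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed, deliberately narrow signatures (assumption: illustrative only).
RULES = [
    ("sql-injection",
     re.compile(r"""['"]\s*(?:or|and)\s+[\w'"]+\s*=\s*[\w'"]+|\bunion\s+select\b|;\s*drop\s+table\b""", re.I)),
    ("cross-site-scripting",
     re.compile(r"<\s*script\b|javascript\s*:|\bon(?:load|error|click|mouse\w*|focus)\s*=", re.I)),
]


def normalize(value: str) -> str:
    """Percent-decode until stable (bounded) so that double-encoded payloads such
    as %2527 are inspected in the form the application would finally see.
    Matching only the raw wire bytes is a classic evasion gap."""
    prev = None
    for _ in range(3):
        if value == prev:
            break
        prev, value = value, unquote(value)
    return value


def inspect_request(method: str, url: str, body: str = "", mode: str = "prevent"):
    """Inspect query-string and (for POST) form-body parameters.

    Returns (verdict, findings): verdict is 'allow' when nothing matched,
    'log' in detect mode and 'block' in prevent mode; findings lists
    (rule name, parameter name, decoded value) for each hit.
    """
    fields = list(parse_qsl(urlsplit(url).query, keep_blank_values=True))
    if method.upper() == "POST":
        fields += parse_qsl(body, keep_blank_values=True)
    findings = []
    for name, raw in fields:
        value = normalize(raw)
        for rule_name, pattern in RULES:
            if pattern.search(value):
                findings.append((rule_name, name, value))
    if not findings:
        return "allow", findings
    return ("block" if mode == "prevent" else "log"), findings


if __name__ == "__main__":
    for req in [("GET", "/search?q=python%20tutorial", ""),
                ("GET", "/login?user=admin'%20OR%20'1'%3D'1", ""),
                ("POST", "/comment", "text=%3Cscript%3Ealert(1)%3C/script%3E")]:
        print(req[1], inspect_request(*req))
```

Two practical points the example makes visible: the rule must run on the decoded value, or a double-encoded payload walks past it; and because patterns like these can also match legitimate input (a comment containing `' or x=y`), a new rule is normally run in detection mode against real traffic first and switched to prevention only once its false positives are understood. Either way the shield is a bridge until the application itself is fixed, as the section above says.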
Firewall Protection Module
The bi-directional stateful firewall provides centralized management of server firewall policy, and includes pre-defined templates for common enterprise server types. Key features and benefits include:
- Virtual machine zoning
- Fine-grained filtering (IP & MAC addresses, Ports)
- Coverage of all IP-based protocols (TCP, UDP, ICMP, …)
- Coverage of all frame types (IP, ARP, …)
- Prevents Denial of Service (DoS) attacks
- Design policies per network interface
- Detection of reconnaissance scans
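To make the "bidirectional stateful" and "reconnaissance scan" points concrete, here is an added example (not Trend Micro's firewall): a minimal connection-tracking filter that allows replies only to connections the host itself opened, admits unsolicited inbound traffic only on listed ports, and reports one source probing many closed ports inside a short window. The policy, the thresholds, the addresses and the packet sequence are all constructed for the example.

```python
"""Illustrative bidirectional stateful filter with reconnaissance-scan detection.

Added example, not Trend Micro's firewall. The policy, thresholds and the
packet tuples are constructed for the example.
"""
from collections import defaultdict

# Assumed policy: unsolicited inbound traffic is accepted only on the web ports;
# everything outbound is accepted and remembered so its replies can return.
INBOUND_ALLOW = {("tcp", 80), ("tcp", 443)}
SCAN_PORTS = 10          # distinct denied ports from one source ...
SCAN_WINDOW = 30.0       # ... within this many seconds counts as a scan


class StatefulFirewall:
    def __init__(self):
        # connection table keyed as (proto, local_ip, local_port, remote_ip, remote_port)
        self.conns = set()
        self.probes = defaultdict(list)   # remote_ip -> [(ts, denied_port)]
        self.scans = []                   # (ts, remote_ip, sorted ports)

    def packet(self, ts, direction, proto, src, sport, dst, dport):
        """Filter one packet; direction is 'out' (host sending) or 'in'. Returns 'allow' or 'deny'."""
        if direction == "out":
            self.conns.add((proto, src, sport, dst, dport))
            return "allow"
        if (proto, dst, dport, src, sport) in self.conns:
            return "allow"                            # reply to a tracked connection
        if (proto, dport) in INBOUND_ALLOW:
            self.conns.add((proto, dst, dport, src, sport))
            return "allow"                            # new inbound session on a permitted service
        self._note_probe(ts, src, dport)
        return "deny"

    def _note_probe(self, ts, src, port):
        """Denied inbound packets feed a sliding window; many distinct ports from one
        source inside the window are reported once as a reconnaissance scan."""
        window = [(t, p) for t, p in self.probes[src] if ts - t <= SCAN_WINDOW]
        window.append((ts, port))
        self.probes[src] = window
        ports = sorted({p for _, p in window})
        if len(ports) >= SCAN_PORTS:
            self.scans.append((ts, src, ports))
            self.probes[src] = []


def demo():
    """Constructed traffic: a DNS exchange, a spoofed reply, an HTTPS client, a port scan."""
    fw = StatefulFirewall()
    out = {}
    out["dns_query"] = fw.packet(0.0, "out", "udp", "10.0.0.5", 40000, "198.51.100.53", 53)
    out["dns_reply"] = fw.packet(0.1, "in", "udp", "198.51.100.53", 53, "10.0.0.5", 40000)
    # Same server, but the host never sent from port 40001: no state, so denied.
    out["spoofed_reply"] = fw.packet(0.2, "in", "udp", "198.51.100.53", 53, "10.0.0.5", 40001)
    out["https"] = fw.packet(1.0, "in", "tcp", "192.0.2.10", 51000, "10.0.0.5", 443)
    out["telnet"] = fw.packet(1.1, "in", "tcp", "192.0.2.10", 51001, "10.0.0.5", 23)
    for i, port in enumerate(range(20, 32)):          # 12 closed ports in 12 seconds
        fw.packet(10.0 + i, "in", "tcp", "203.0.113.9", 60000 + i, "10.0.0.5", port)
    out["scan_count"] = len(fw.scans)
    out["scan_src"] = fw.scans[0][1] if fw.scans else None
    return out


if __name__ == "__main__":
    print(demo())
```

The state table is what separates this from a stateless packet filter: the reply from the DNS server is accepted because the host asked for it, while an identical-looking datagram to a port the host never used is dropped. A production filter also ages entries out (UDP has no close), checks TCP flags before creating state, and layers the MAC, per-interface and location rules the section lists on top of this.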
Integrity Monitoring Protection Module
This module monitors critical operating system and application objects (files, directories, registry keys and values, etc.) and detects malicious and unexpected changes. Key features and benefits include:
- Real-time, on-demand, or scheduled detection of change
- Extensive file property checking, including attributes (PCI 10.5.5)
- Monitor specific directories, file system modifications, and new file creations
- Flexible, practical monitoring through includes/excludes
- Auditable reports
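The mechanics behind the list above are a baseline of file properties, a later rescan, and a diff, with include and exclude patterns deciding what is watched. The following is an added example of that loop, not the Integrity Monitoring module's own code; the scratch directory layout, the sample files, the tampering steps and the include/exclude globs are constructed for the example.

```python
"""Illustrative file integrity monitoring: baseline, re-scan, diff with include/exclude globs.

Added example, not Trend Micro's Integrity Monitoring module. The directory
layout, the sample files and the include/exclude globs are constructed.
"""
import fnmatch
import hashlib
import os
import stat
import tempfile

INCLUDES = ("etc/*", "var/log/*")
EXCLUDES = ("var/log/*.log",)        # noisy, append-only files are left to log inspection


def record(path):
    """Attributes and content hash for one path (the 'file properties' an FIM compares)."""
    st = os.lstat(path)
    entry = {"mode": stat.S_IMODE(st.st_mode), "uid": st.st_uid,
             "gid": st.st_gid, "size": st.st_size}
    if stat.S_ISREG(st.st_mode):
        h = hashlib.sha256()
        with open(path, "rb") as f:
            for chunk in iter(lambda: f.read(65536), b""):
                h.update(chunk)
        entry["sha256"] = h.hexdigest()
    return entry


def scan(root, includes=INCLUDES, excludes=EXCLUDES):
    """Walk root and record every file whose path (relative to root, '/' separated)
    matches an include glob and no exclude glob."""
    snapshot = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            if any(fnmatch.fnmatch(rel, p) for p in includes) and \
               not any(fnmatch.fnmatch(rel, p) for p in excludes):
                snapshot[rel] = record(full)
    return snapshot


def compare(baseline, current):
    """Return (event, relpath, changed_properties) for created, deleted and modified files."""
    events = []
    for rel in sorted(set(baseline) | set(current)):
        if rel not in baseline:
            events.append(("created", rel, None))
        elif rel not in current:
            events.append(("deleted", rel, None))
        else:
            diff = sorted(k for k in set(baseline[rel]) | set(current[rel])
                          if baseline[rel].get(k) != current[rel].get(k))
            if diff:
                events.append(("modified", rel, diff))
    return events


def demo(root=None):
    """Constructed scenario: baseline a scratch tree, tamper with it, rescan."""
    root = root or tempfile.mkdtemp(prefix="fim-demo-")
    for sub in ("etc", "var/log"):
        os.makedirs(os.path.join(root, sub), exist_ok=True)
    with open(os.path.join(root, "etc/passwd"), "w") as f:
        f.write("root:x:0:0:root:/root:/bin/sh\n")
    with open(os.path.join(root, "var/log/app.log"), "w") as f:
        f.write("service started\n")
    baseline = scan(root)
    # Tampering (constructed): a second UID-0 account, a new preload file, ordinary log growth.
    with open(os.path.join(root, "etc/passwd"), "a") as f:
        f.write("eve:x:0:0::/:/bin/sh\n")
    with open(os.path.join(root, "etc/ld.so.preload"), "w") as f:
        f.write("/tmp/evil.so\n")
    with open(os.path.join(root, "var/log/app.log"), "a") as f:
        f.write("request handled\n")
    return compare(baseline, scan(root))


if __name__ == "__main__":
    for event in demo():
        print(event)
```

The rescan reports the new preload file and the modified passwd file while the growing log stays silent thanks to the exclude. Two caveats matter in practice: the baseline must live somewhere a compromised host cannot rewrite it (in the page's model the Agent reports to the Manager), and real-time detection hooks filesystem change notifications rather than walking the tree on a schedule, which is what makes the "real-time" mode in the list above possible.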
Log Inspection Protection Module
This module collects and analyzes operating system and application logs for security events. Log inspection rules optimize the identification of important security events buried in multiple log entries. These events are forwarded to a security information and event management (SIEM) system or centralized logging server for correlation, reporting, and archiving. The module builds on and extends the open-source OSSEC log analysis software. Key features and benefits include:
- Suspicious behavior detection
- Collection of security-related administrative actions
- Optimized collection of security events across your datacenter
- Advanced rule creation using OSSEC rule syntax
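The phrase "security events buried in multiple log entries" is best understood by seeing a frequency rule fire: one failed SSH login is routine, five from the same address within two minutes is an attack, and a root login right after that is an administrative action worth escalating. Below is an added example of that correlation logic, written as a small Python analogue of OSSEC's decoder/rule model rather than in OSSEC's XML rule syntax; it is not Trend Micro's or OSSEC's code. The sshd log lines, the rule IDs and the thresholds are constructed for the example.

```python
"""Illustrative log inspection: decode syslog lines, apply OSSEC-style rules with
frequency/timeframe correlation, emit alerts.

Added example, not Trend Micro's Log Inspection module or OSSEC's engine. The
sample log lines, rule IDs and thresholds are constructed for the example.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sshd lines in syslog format (no year, as sshd writes them).
SAMPLE_LOG = """\
Mar  3 10:00:01 web1 sshd[2001]: Failed password for invalid user admin from 203.0.113.9 port 51000 ssh2
Mar  3 10:00:03 web1 sshd[2002]: Failed password for root from 203.0.113.9 port 51001 ssh2
Mar  3 10:00:04 web1 sshd[2003]: Failed password for root from 203.0.113.9 port 51002 ssh2
Mar  3 10:00:06 web1 sshd[2004]: Failed password for root from 203.0.113.9 port 51003 ssh2
Mar  3 10:00:07 web1 sshd[2005]: Failed password for root from 203.0.113.9 port 51004 ssh2
Mar  3 10:00:09 web1 sshd[2006]: Accepted password for root from 203.0.113.9 port 51005 ssh2
Mar  3 10:05:00 web1 sshd[2010]: Failed password for bob from 198.51.100.7 port 40000 ssh2
"""

# Decoders: pull fields out of the raw line (OSSEC's <decoder> role).
SYSLOG = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<prog>[\w-]+)\[\d+\]: (?P<msg>.*)$")
SSHD_FAIL = re.compile(r"^Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)")
SSHD_OK = re.compile(r"^Accepted \w+ for (?P<user>\S+) from (?P<src>\S+)")

# Rules modelled on OSSEC <rule> attributes; the IDs are example values, not OSSEC's.
RULES = [
    {"id": 100001, "level": 5, "match": SSHD_FAIL,
     "desc": "sshd authentication failure"},
    {"id": 100002, "level": 10, "match": SSHD_FAIL, "frequency": 5, "timeframe": 120,
     "desc": "sshd brute force: 5 failures from one source within 120 s"},
    {"id": 100003, "level": 8, "match": SSHD_OK, "user": "root",
     "desc": "root logged in over ssh (administrative action)"},
]


def analyze(text):
    """Return alerts as (rule id, level, source ip, user, description), in log order."""
    alerts = []
    recent = defaultdict(deque)       # (rule id, source ip) -> timestamps of matches
    for line in text.splitlines():
        m = SYSLOG.match(line)
        if not m or m["prog"] != "sshd":
            continue
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
        for rule in RULES:
            f = rule["match"].match(m["msg"])
            if not f or ("user" in rule and f["user"] != rule["user"]):
                continue
            if "frequency" in rule:
                q = recent[(rule["id"], f["src"])]
                q.append(ts)
                while (ts - q[0]).total_seconds() > rule["timeframe"]:
                    q.popleft()
                if len(q) < rule["frequency"]:
                    continue
                q.clear()              # report a burst once, then start counting again
            alerts.append((rule["id"], rule["level"], f["src"], f["user"], rule["desc"]))
    return alerts


def escalations(alerts, min_level=8):
    """The subset worth forwarding to a SIEM on its own; lower levels are kept for correlation."""
    return [a for a in alerts if a[1] >= min_level]


if __name__ == "__main__":
    for alert in escalations(analyze(SAMPLE_LOG)):
        print(alert)
```

Run on the constructed lines, the engine raises a level-5 alert per failure, one level-10 alert when the fifth failure from 203.0.113.9 lands inside the 120-second window, and a level-8 alert for the subsequent root login; the single failure from the other address never reaches the threshold. That level-based split is what lets a deployment forward only the high-level events to the SIEM while keeping the rest for local correlation, as the section describes.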
Vulnerability Gaps:
Challenge
The process of patching applications—including operating systems, enterprise applications such as database, email and FTP servers, ERP or CRM applications, as well as custom web applications—can be disruptive and expensive:
Patches need to be properly tested, installed, and documented before they are deployed. Often it can be months before a vendor makes a patch available, and uptime service level agreements with customers can limit your ability to deploy necessary patches quickly.
In the case of custom-built web applications, the developers with the necessary subject matter expertise may not be available to fix the application: they may be busy with other projects, or no longer with the company.
A vulnerability gap exists between the time a vulnerability is first discovered and the time it is patched or shielded. In many cases this gap extends for weeks or months before a patch is deployed to all production systems. In most cases systems need to be rebooted to apply the patch, and it can be weeks or months before a suitable maintenance window is available for a mission-critical system.
During this gap, critical systems, applications and data are vulnerable to attacks.
Solution
Trend Micro’s best-of-breed host intrusion defense system provides a virtual patch that complements your normal patching process. It allows organizations to avoid emergency, event-driven patching costs by shielding newly discovered vulnerabilities until the appropriate patch is developed, properly tested and deployed.
Deep Security provides out-of-the-box protection for over 100 commercial off-the-shelf enterprise applications, including servers (database, web, FTP, mail, DNS), desktops (web and email clients, plug-ins, Microsoft Office), and web applications.
Filters that shield newly discovered vulnerabilities are automatically delivered within hours, and can be pushed out to thousands of hosts in minutes, without a system reboot. This dramatically reduces the vulnerability gap, and allows organizations to deploy patches more efficiently, on a scheduled basis.
Once the vendor-supplied patch is deployed, the filters can be turned off, to help maximize system performance.
System Requirements:
| Platforms and Certifications | Details |
|---|---|
| Microsoft Windows | |
| Sun Solaris | |
| Linux | |
| Unix* | |
| Virtualization | |
| Key Certifications and Alliances | Common Criteria, NSS Labs |

*Only the Integrity Monitoring and Log Inspection modules are available on these UNIX-based platforms.