What is Deep Security?!?
12/1/2015
Trend Micro Deep Security: a server security platform for physical, virtual and cloud environments.
Protection modules: Anti-Malware, Firewall, Integrity Monitoring, Log Inspection, Web Reputation, Intrusion Prevention (VMware vShield enabled, agent-less).
Protection is delivered via Agent and/or Virtual Appliance. * Log Inspection is only available in agent form today.
What is Deep Security?!?
6 protection modules:
• Intrusion Prevention: detects and blocks known and zero-day attacks that target vulnerabilities
• Web Reputation: tracks the credibility of websites and safeguards users from malicious URLs
• Firewall: reduces the attack surface; prevents DoS and detects reconnaissance scans
• Integrity Monitoring: detects malicious and unauthorized changes to directories, files, registry keys…
• Log Inspection: optimizes the identification of important security events buried in log entries
• Anti-Virus: detects and blocks malware (web threats, viruses & worms, Trojans)
Virtualization Security with Deep Security: Agentless Security Platform for Virtual Environments
Deep Security Virtual Appliance:
• Intrusion prevention
• Firewall
• Anti-malware
• Web reputation
• Integrity monitoring
[Diagram: The Old Way, a security agent inside every VM, versus With Deep Security, one Security Virtual Appliance protecting all VMs on the host]
Easier Manageability, Higher Density, Fewer Resources, Stronger Security, More VMs
Deep Security Architecture
Deep Security Manager (Single Pane, Scalable, Redundant); Reports; SecureCloud; Threat Intelligence Manager
Deep Security Agent modules:
• Intrusion Prevention
• Firewall
• Integrity Monitoring
• Log Inspection
• Anti-malware
• Web Reputation
Deep Security Virtual Appliance includes:
• Intrusion Prevention
• Firewall
• Anti-malware
• Web Reputation
• Integrity Monitoring
• Hypervisor Integrity Monitoring
Deep Security Agentless architecture with Deep Security Virtual Appliance 9.5 (DSVA)
[Diagram: ESX/ESXi vSphere Platform (OS, Kernel, BIOS) hosting Guest VMs with their applications; each Guest VM OS carries the EPSec Thin Driver; the vShield Endpoint ESX Module (LKM) runs in the hypervisor; vCenter and vShield Manager are operated by the VI Admin, Trend Micro Deep Security Manager by the Security Admin]
Trend Micro Deep Security Virtual Appliance:
• Anti-Malware: Real-time Scan; Scheduled & Manual Scan (through the vShield Endpoint API)
• Network Security: IDS/IPS, Web App Protection, Application Control, Firewall (through the Trend Micro Filter Driver and the VMSafe-Net API)
Legend: Trend Micro product components; vShield Endpoint components; VMware Platform
Virtual Patching with Deep Security
Deep packet inspection turns raw traffic into filtered traffic in four stages:
1. Stateful Firewall: allow known good
2. Exploit Rules: stop known bad
3. Vulnerability Rules: shield known vulnerabilities
4. Smart Rules: shield unknown vulnerabilities and protect specific applications
Over 100 applications shielded including: Operating Systems, Database servers, Web app servers, Mail servers, FTP servers, Backup servers, Storage mgt servers, DHCP servers, Desktop applications, Mail clients, Web browsers, Anti-virus, Other applications
Example: Microsoft Critical Vulnerability MS12-020 Remote Desktop Protocol Vulnerability
Details
• Tuesday March 13 (Patch Tuesday): Microsoft Releases Security Update MS12-020
• Vulnerability is rated as Critical and affects all versions of Windows where RDP service is ON
• Could allow an attacker to install programs; view, change, or delete data; or create new accounts with full user rights
• The vulnerability is potentially wormable due to it being an unauthenticated, network-based vulnerability
• Microsoft sees a high likelihood of attempts to exploit the vulnerability in the next 30 days
Virtualization Security Challenges
Challenge: Instant-on Gaps
Reactivated and cloned VMs can have out-of-date security [Diagram: a dormant VM reactivated with outdated security; a cloned VM]
Challenge: Inter-VM Attacks
Attacks can spread across VMs
Challenge: Resource Contention
Typical AV: the console launches a 3:00am scan on every VM at once, a "security storm"; automatic security scans overburden the system
Controlled use of hardware resources
• Scan-storm avoidance
– Control the number of concurrent "scans" to a specific fixed limit across the DSM cluster to reduce the potential for scan storms (default is 50)
– Control the number of concurrent "scans" per ESX (default is 3)
– Controls are configured through Performance Profiles
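As an added illustration (not Trend Micro code and not the Performance Profile implementation), the scheduler below shows how the two limits from the slide, 50 concurrent scans across the DSM cluster and 3 per ESX host, interact when queued scans are released in waves; the host and VM names are constructed for the example.

```python
from collections import deque

# Defaults quoted on the slide: 50 concurrent scans cluster-wide, 3 per ESX host.
CLUSTER_LIMIT = 50
PER_ESX_LIMIT = 3

def plan_scan_waves(vms_per_host, cluster_limit=CLUSTER_LIMIT, per_esx_limit=PER_ESX_LIMIT):
    """Group pending scans into sequential waves.

    vms_per_host maps an ESX host name to the VMs queued for scanning on it.
    Each wave holds at most cluster_limit scans in total and at most
    per_esx_limit scans on any one host. Hosts are served round-robin so a
    large host cannot starve the others. Returns a list of waves, each a
    list of (host, vm) pairs.
    """
    queues = {host: deque(vms) for host, vms in vms_per_host.items() if vms}
    waves = []
    while queues:
        wave, per_host = [], {host: 0 for host in queues}
        progress = True
        while progress and len(wave) < cluster_limit:
            progress = False
            for host in list(queues):
                if len(wave) >= cluster_limit:
                    break
                if per_host[host] < per_esx_limit and queues[host]:
                    wave.append((host, queues[host].popleft()))
                    per_host[host] += 1
                    progress = True
        for host in [h for h, q in queues.items() if not q]:
            del queues[host]
        waves.append(wave)
    return waves

def wave_violations(waves, cluster_limit=CLUSTER_LIMIT, per_esx_limit=PER_ESX_LIMIT):
    """Count waves that break either limit (0 means the plan cannot cause a scan storm)."""
    bad = 0
    for wave in waves:
        counts = {}
        for host, _ in wave:
            counts[host] = counts.get(host, 0) + 1
        if len(wave) > cluster_limit or any(c > per_esx_limit for c in counts.values()):
            bad += 1
    return bad

if __name__ == "__main__":
    # Constructed sample: 20 hosts with 10 VMs each, 200 scans queued for a 3:00am window.
    sample = {f"esx{i:02d}": [f"vm{i:02d}-{j}" for j in range(10)] for i in range(20)}
    waves = plan_scan_waves(sample)
    print(len(waves), "waves; busiest wave:", max(len(w) for w in waves), "scans")
```

With 20 hosts the per-ESX cap alone would allow 60 scans at once, so the cluster cap is what actually bounds the load; dropping either limit changes the wave sizes.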
Test results [chart: Classic AV first scan; Classic AV repeated scan; Deep Security Agentless scan]
Thanks!