Whether you’ve deployed Deep Security via the AWS Marketplace, signed up for Deep Security as a Service, or set up the Deep Security Manager on-premises, here are six steps you can take in your first 15 minutes using the platform that will set you up for success.
1. Create the identities to connect to AWS
Deep Security connects to AWS in a number of ways, but the two foundational connections are to Amazon EC2 and Amazon SNS.
The connection to EC2 allows Deep Security to automatically keep your inventory of EC2 instances in sync with the platform and part of your operational view. This gives you consistent information about the security posture of your AWS assets.
Amazon SNS is used to send event information upstream to a topic so you can easily consume it using AWS Lambda or your own tools. The events are simple JSON documents, which gives you a lot of flexibility in how you use them.
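A minimal Lambda-style consumer for that topic, as an added example that is not code from Deep Security or its documentation. The `Records`/`Sns`/`Message` envelope is the standard shape AWS hands to an SNS-triggered Lambda function; the event keys (`EventType`, `HostName`, `Severity`), the array-per-message layout and the `MIN_SEVERITY` threshold are assumptions to be checked against a real event.

```python
import json
from collections import Counter

MIN_SEVERITY = 3  # hypothetical threshold for "needs a human"

# Constructed invocation payload: one well-formed message, one malformed message.
SAMPLE_INVOCATION = {"Records": [
    {"Sns": {"Message": json.dumps([
        {"EventType": "SystemEvent", "HostName": "web-01", "Severity": 2},
        {"EventType": "AntiMalwareEvent", "HostName": "web-02", "Severity": 4}])}},
    {"Sns": {"Message": "not json"}},
]}

def extract_events(invocation):
    """Unwrap SNS records and return (events, rejected_count)."""
    events, rejected = [], 0
    for record in invocation.get("Records", []):
        try:
            body = json.loads(record["Sns"]["Message"])
        except (KeyError, TypeError, ValueError):
            rejected += 1  # count bad input instead of failing the whole batch
            continue
        # Accept either a single event object or an array of them.
        for item in body if isinstance(body, list) else [body]:
            if isinstance(item, dict):
                events.append(item)
            else:
                rejected += 1
    return events, rejected

def handler(invocation, context=None):
    """Summarize a batch: events per type, hosts at or above the threshold."""
    events, rejected = extract_events(invocation)
    counts = Counter(e.get("EventType", "unknown") for e in events)
    urgent = sorted({e.get("HostName", "unknown") for e in events
                     if isinstance(e.get("Severity"), int)
                     and e["Severity"] >= MIN_SEVERITY})
    return {"counts": dict(counts), "urgent_hosts": urgent, "rejected": rejected}

if __name__ == "__main__":
    print(handler(SAMPLE_INVOCATION))
```

A non-zero `rejected` count is worth alerting on in its own right, since it means something is publishing to the topic in a shape the consumer does not expect.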
Each of these connections should use a unique identity created for the purpose. The AWS IAM policies for the identities are available for download from the Deep Security help site:
- AWS IAM policy for synchronizing EC2 instances with Deep Security
- AWS IAM policy for sending Deep Security events to an SNS topic
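Before attaching a policy to either identity, it is worth checking that it grants only what that connection needs. The linter below is an added example, not part of Deep Security or its documentation; the sample policies are constructed, and the purpose labels (`ec2-sync`, `sns-publish`) and the read-only prefix list are assumptions made for the illustration.

```python
# Constructed sample policies for illustration; they are NOT the documents from the help site.
EC2_SYNC_SAMPLE = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["ec2:DescribeInstances", "ec2:DescribeRegions"], "Resource": "*"}]}
OVERBROAD_SAMPLE = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "sns:*", "Resource": "*"},
    {"Effect": "Allow", "Action": ["ec2:TerminateInstances"], "Resource": "*"}]}

READ_ONLY_PREFIXES = ("describe", "list", "get")  # assumption: all that inventory sync needs

def _as_list(value):
    # IAM allows a single string/object wherever a list is accepted.
    return value if isinstance(value, list) else [value]

def lint_policy(policy, purpose):
    """Return least-privilege findings; purpose is 'ec2-sync' or 'sns-publish'."""
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access
        if "NotAction" in stmt:
            findings.append(f"statement {idx}: Allow with NotAction grants every action not listed")
            continue
        resources = _as_list(stmt.get("Resource", []))
        for action in _as_list(stmt.get("Action", [])):
            service, _, name = action.lower().partition(":")
            if action == "*" or name == "*":
                findings.append(f"statement {idx}: wildcard action {action}")
            elif purpose == "ec2-sync" and not name.startswith(READ_ONLY_PREFIXES):
                findings.append(f"statement {idx}: {action} is not a read-only call")
            elif purpose == "sns-publish" and (service, name) != ("sns", "publish"):
                findings.append(f"statement {idx}: {action} is outside the publish-only purpose")
            elif purpose == "sns-publish" and "*" in resources:
                findings.append(f"statement {idx}: sns:Publish is not scoped to one topic ARN")
    return findings

if __name__ == "__main__":
    for label, policy, purpose in [("scoped", EC2_SYNC_SAMPLE, "ec2-sync"),
                                   ("over-broad", OVERBROAD_SAMPLE, "sns-publish")]:
        print(label, lint_policy(policy, purpose) or "no findings")
```

Run it against the policy JSON you actually downloaded, and treat any finding as a reason to review the statement rather than as proof of a problem.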
2. Enable Multi-Factor Authentication
Any administrative account is going to be a target for attackers. An account that can lower your defences…doubly so. Need proof? See Jedi, Return of the.
To increase the security of your Deep Security administrative account (and really you should do this for all of your accounts), you should enable Multi-Factor Authentication (MFA). It only takes a minute and once it’s on, you’ll need your username, your password, and the one-time token generated by your smartphone to log in. This puts an additional roadblock in the way of any potential attackers.
3. Strengthen The Base Policy
Customizing a security policy can be a time-consuming task. There are a number of factors to consider. With Deep Security, you can let the platform provide an intelligent baseline for you. That will reduce the amount of time you need to spend customizing the policies, if you need to at all.
We’ll make the following changes to the Base Policy:
- enable Anti-Malware leaving the default schedules in place
- enable Web Reputation setting the security level to high
- enable Intrusion Prevention in prevent mode and allow Deep Security to automatically apply recommendations
- enable Integrity Monitoring in real time (Windows only) and allow Deep Security to automatically apply recommendations
- enable Log Inspection and allow Deep Security to automatically apply recommendations
Now when we run a recommendation scan on an instance (which we’ll do shortly), Deep Security will automatically apply or remove rules based on what’s actually running on the instance.
4. Add an AWS Cloud connector
Using one of the AWS identities we created in step #1, we’ll connect Deep Security to Amazon EC2. In the Computers section, we will use the New menu to add a new Cloud Account.
Entering the user’s access key and secret key (using an IAM role is an option in some deployment models) and completing the simple wizard will add all of your AWS regions, VPCs, and subnets to Deep Security.
This information is automatically synchronized and will provide you with an up-to-date view of your AWS assets.
5. Deploy the Deep Security Agent
For Deep Security to protect your EC2 instances, the Deep Security Agent needs to be installed and activated on the instance.
You can do this easily in a number of ways. The simplest is to create a bash or PowerShell script directly in the Deep Security UI (Help > Deployment Scripts). If you’re using an orchestration tool like Chef, Ansible, or Puppet, we have resources to help you there as well.
6. Run a recommendation scan
With the agent installed and active, the Base Policy is currently being used to protect your instance. In its current state, that will apply anti-malware and web reputation (outbound web filtering) controls to your instance.
If you select the instance, right click and select Recommendation Scan from the Actions menu, you’ll dramatically increase your security posture in a matter of minutes.
A recommendation scan is when the Deep Security Agent examines the instance it’s running on and determines the operating system, which applications are installed, and the current patch levels in order to make intelligent recommendations for your security policy.
Because you’ve set the Base Policy to apply those recommendations automatically, Deep Security will create your security policy for you. Some rules may require slight configuration changes (like confirming a specific file path) but a recommendation scan will remove 99% of the challenge of making a highly customized security policy.
Up and running!
These six steps will create a smart foundation from which you can secure your AWS assets using Deep Security. The platform is capable of a lot and can be integrated with various AWS services such as AWS WAF, AWS Config Rules, and Amazon Inspector, with more integrations and automations coming soon.
That’s on top of all of the great features and functionality packed into the platform itself. As you explore Deep Security, make sure to refer back to trendmicro.com/aws and our help documentation for more information.