The What, Why and How of Recommendation Scans

Published

May 25, 2016

Topics

Security tips

Posted By

Trend Micro

Deep Security’s Recommendation Scan offers a unique method of identifying vulnerabilities that may exist on your instances, and the result is the ability to protect those instances seamlessly and at a greater level, whether you prefer an automated or a hands-on approach, and whether your instances are online for a month or an hour. The Recommendation Scan feature brings the convenience and ease you have grown accustomed to in the Cloud, and it can accommodate your security needs regardless of how you approach your Cloud operations. It is important to note that our recommendation scan only covers vulnerabilities that Deep Security has rules to protect against.

The “WHAT”

Recommendation Scans in Deep Security

The “WHY”

Configuring the different modules in Deep Security can be a bit overwhelming, especially if you do not have a strong security background. Deep Security can run Recommendation Scans on computers to identify known vulnerabilities. Recommendation Scans can also help automate the assignment of rules associated with not only the Intrusion Prevention module, but also the Integrity Monitoring module and even the Log Inspection module. Once assigned, Intrusion Prevention rules can help protect your agents against known vulnerabilities.

During a Recommendation Scan, Deep Security Agents scan:

  • Operating system
  • Installed applications
  • Windows registry
  • Open ports
  • Directory listings
  • The file system
  • Running processes and services
  • Users

Here is a quick overview video on Recommendation Scans:

The “HOW”

There are many ways to initiate and configure a recommendation scan. Here we will discuss the following methods:

  1. Configuring scheduled tasks to perform scheduled recommendation scans
  2. Initiating a manual recommendation scan
  3. Configuring the “Perform Ongoing Recommendation Scan” option at the Policy and/or computer properties level
  4. Initiating a recommendation scan via script, command line or API
  5. Configuring the automated assignment of rules at the Policy and/or computer properties level
  6. Configuring the manual assignment of rules at the Policy and/or computer properties level

1. Configuring scheduled tasks to perform scheduled recommendation scans: 

You can create a simple scheduled task so that recommendation scans occur in an automated, scheduled fashion. The best practice is to perform recommendation scans on a weekly basis. Trend Micro typically releases new Intrusion Prevention rules on Tuesdays, so it is suggested to schedule a recommendation scan shortly after those releases (i.e. Tuesday nights or Wednesday mornings).

  • From the Deep Security Manager console > Access the Administration section
  • Click on the Scheduled Tasks option from the left hand panel
  • Click New…
  • Select the “Scan Computers for Recommendations” type
  • Select the “Weekly” bullet
  • Click Next
  • Choose your start time and select the day of the week
  • Click Next
  • Identify the computer(s) you wish to scan for recommendations
  • Click Next
  • Provide a custom name for the task if you’d like, and ensure the “Task Enabled” checkbox is selected
  • Click Finish

2. Initiating a manual recommendation scan

In addition to scheduling a recommendation task, you also have the option to initiate a manual scan for recommendations on one or more computers. A manual scan for recommendations is helpful if you’ve recently made significant platform or application changes/updates and wish to force a check for new recommendations rather than waiting for the scheduled task to kick off.

  • From the Deep Security management console > Access the Computers section
  • Locate the machine you wish to perform a manual scan for recommendations on. If you wish to run a manual scan for recommendations on multiple machines at once, simply use the Control key to select the different machines
  • Right click on the machines > Go to Actions
  • Select “Scan for Recommendations”

3. Configuring the “Perform Ongoing Recommendation Scan” option at the Policy and/or computer properties level

The ongoing recommendation scan can be used as an alternative to the scheduled task option. When enabled, it triggers a recommendation scan at a configured interval: the agent checks the timestamp of the last scan that occurred and follows the configured interval thereafter for future scans, which means recommendation scans will occur at different times across your environment. This setting will also initiate a scan automatically if it is enabled at the time of agent activation, which ensures a recommendation scan occurs immediately upon activation of an agent. It is also helpful in environments where an agent may not be online for more than a few days (i.e. cloud environments that build and decommission instances on a frequent basis).

  • Access the Security Policy and/or computer you wish to modify
  • Go to the Settings section on the left hand panel
  • Click on the Scanning tab
  • Under the Recommendations section, set the “Perform ongoing Recommendation Scans:” setting to YES
  • Configure the “Ongoing Scan Interval” (it is recommended to configure this to 7 days)
  • Click Save

4. Initiating a recommendation scan via script, command line or API

In addition to scheduling and/or manually kicking off a recommendation scan, you also have the option to initiate a recommendation scan via script or command line!

The dsa_control command can be called for several different actions, a recommendation scan being one of them. The following command initiates a recommendation scan:

dsa_control -m RecommendationScan:true

**Note: The dsa_control command must be run from the Deep Security Agent install folder. Additionally, the dsa_control command will ONLY work if the agent is configured for bi-directional and/or agent-initiated communication.

You may find additional information on the dsa_control command in the Administrator’s Guide, pages 180-182.

Additionally, there is an API which can be called to initiate a recommendation scan. You may find additional information on this API (and all other API options) in the “Deep Security 96 SP1 WebService SDK.pdf” document, specifically on page 162.
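As an added example, not code from the original post or from Trend Micro, here is a small POSIX shell wrapper around the dsa_control call above, suitable for a cron job or an instance bootstrap script on a Linux agent. It assumes the agent install folder is /opt/ds_agent (overridable), that the binary there is named dsa_control, and that the agent already uses bi-directional or agent-initiated communication as the note requires.

```shell
#!/bin/sh
# Added example, not code from the original post or from Trend Micro.
# Wraps the dsa_control call shown above so it can run from cron or an
# instance bootstrap script on a Linux agent. Assumptions: the agent
# install folder is /opt/ds_agent (override with DSA_DIR or an argument),
# the binary there is named dsa_control, and the agent already uses
# bi-directional or agent-initiated communication, as the note requires.

DSA_DIR="${DSA_DIR:-/opt/ds_agent}"

# The exact invocation, returned as a string so a caller can log it.
recscan_command() {
    printf '%s\n' "dsa_control -m RecommendationScan:true"
}

# Trigger a recommendation scan from inside the install folder.
# Exit status: 2 = install folder missing, 3 = dsa_control not found
# or not executable there, otherwise whatever dsa_control returned.
run_recommendation_scan() {
    dir="${1:-$DSA_DIR}"
    if [ ! -d "$dir" ]; then
        echo "agent install folder not found: $dir" >&2
        return 2
    fi
    if [ ! -x "$dir/dsa_control" ]; then
        echo "dsa_control not found or not executable in $dir" >&2
        return 3
    fi
    # Subshell keeps the caller's working directory unchanged.
    ( cd "$dir" && ./dsa_control -m RecommendationScan:true )
}

# Uncomment to trigger a scan when this file is executed directly:
# run_recommendation_scan
```

On a Windows agent the same call applies from the agent install folder there; only the folder path differs.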

5. Configuring the automated assignment of rules at the Policy and/or computer properties level:

As demonstrated in the video linked above, you can configure a Security Policy and/or an individual computer to automatically assign or unassign the recommended rules found during the recommendation scan.

  • Access the Security Policy and/or computer you wish to modify
  • Click on the module you wish to allow for automated rule assignment

**Note: Each module’s setting is configured individually (i.e. Intrusion Prevention, Integrity Monitoring, Log Inspection).

  • From the General tab, you will find the “Automatically implement Intrusion Prevention Recommendations (when possible):” dropdown
  • Set this to “Yes”
  • Click Save and Close

6. Configuring the manual assignment of rules at the Policy and/or computer properties level

If you’d prefer to have more control over the rules assigned to your agents, you have the option to manually assign rules as an alternative to the automatic assignment option.

  • Access the Security Policy and/or computer you wish to modify
  • Click on the module you wish to manually assign rules to
  • Click on the Assign/Unassign button near the middle of the screen
  • Ensure that you are sorting your rules by Recommended for Assignment by clicking the middle dropdown option and selecting “Recommended for Assignment”
  • This will display a list of rules which are recommended for assignment, but have not been assigned. You may manually assign any rule by clicking the checkbox. Alternatively, you may use the Shift and/or Control key to select multiple rules at once > Right click > Select Assign rule > To All Interfaces
  • Once you have selected/checked the rules you wish to assign, simply click the OK button to assign the rules!
  • You may also follow the above steps to remove rules which are recommended for unassignment. Simply change your sorting option to “Recommended for Unassignment” to view the rules which are recommended to be unassigned. Uncheck the rules to unassign them and click OK.
Written by Cloud Security Expert Lindsey Petrone 
