In an ever-evolving threat landscape, cybersecurity is no longer just about safeguarding sensitive data and other digital assets by merely keeping cybercriminals and other threat actors out of networks, systems, devices, and underlying technologies. Now it is also about having to proactively stop them in their tracks before they even gain a foothold in their spheres of operation.

The notable threats in the first half of 2019 drove this point home, what with the prevalence of so-called fileless threats that “lived off the land” — abusing legitimate and typically whitelisted system tools to do their malicious bidding — and the presence of malware and phishing campaigns that took advantage of security lapses and diversified in the ways they counted on the still unpatched flaw that was human vulnerability.

Ransomware operators distinctly set their sights on organizations, with crippling ramifications: Their attacks proved they could strike with such severity that some victims were even strong-armed into acquiescing to the cybercriminals’ exorbitant demands. For many cryptocurrency-mining threats, servers and cloud-based environments, having far more computing resources than endpoints, became the new frontier. Messaging platforms — the bedrock underpinning many business transactions — were inundated with a range of threats, including business email compromise scams, sextortion schemes, and phishing incidents that did not rely on hacking human behavior alone.

Read the entire report here.

Come meet us at booth 1435 during Microsoft Ignite 2019 in Orlando, Florida, November 4th-8th!

This year Trend Micro is excited to once again be a part of the incredible Microsoft Ignite conference in Orlando, Florida.

Stop by to hear from our cloud server, endpoint and perimeter defense experts about Trend Micro’s Hybrid Cloud Security and Cloud Application Security solutions, which complement Azure Cloud and Office 365 and are powered by XGen™ security.

XGen™ is a new class of security that powers all Trend Micro security solutions with a cross-generational blend of threat defense techniques that address the full range of ever-changing threats—now and in the future. Whether you are looking to secure your endpoints, hybrid cloud servers, or container images and applications across your CI/CD pipeline, we are the one solution you need to talk to at Microsoft Ignite. Come see our flagship booth and win great prizes.

Trend Micro is a top global Microsoft Security ISV. Join us to hear more about the great partnership solutions we are delivering with Trend Micro as the security vendor of choice. Our Microsoft channel and security experts will be there to answer all of your questions and show you how we can help you build security into your customers’ Azure cloud, container, and Microsoft Office 365 environments.

Come listen to Jeff Westphal, regional technical leader at Trend Micro, on Monday, November 4, 1:05PM – 1:25PM, Theater D. In this session, he will discuss how to automate build and runtime protection for Azure workloads and applications.

For more information about our products, visit trendmicro.com/azure, or email us at azure@trendmicro.com.

Mark your calendar: The 2019 Azure Cloud Security Series is being held in a city near you!

Join us for lunch at a Microsoft Technology Center in your region and become Cloud Confident with Trend Micro and Microsoft.

The Azure Cloud Security Series provides an opportunity for customers, partners, developers, influencers, and Azure enthusiasts to come together and learn about how Trend Micro and Azure provide security for your cloud investment.

Whether you are looking at cloud technologies for your workloads and container environments or interested in a deeper dive into Azure and your shared security responsibility, you will hear from Microsoft and Trend Micro on the importance of securing the cloud and the capabilities used to mitigate risk and improve compliance across your business.

While older applications may remain on premise or take time to lift and shift, your business is creating new applications, and moving to the cloud offers more tools and speed to deployment than security can keep up with. Security must be a consideration from your build pipeline to runtime, protecting not only your Azure cloud platform, but also your brand and reputation.

Trend Micro and Microsoft make it easy to migrate legacy servers, both physical and virtual, to the Azure Cloud with ultimate visibility into all your workloads at any given time. You can have complete confidence in the fact that you are protected through a holistic approach with advanced automated security. Furthermore, Trend Micro complements the Azure Security Center.

So, come and meet Microsoft Azure and Trend Micro and see how easy it is to secure, monitor, and manage the protection of your Azure workloads. You’ll walk away with valuable insight on how Trend Micro™ Deep Security for Microsoft Azure empowers you to:

  • Increase application visibility and control – Ensure visibility into applications running on your Azure cloud while detecting and blocking unauthorized software with application control. Detect applications and lock down the system so no new applications can run without being whitelisted.
  • Expand security for hybrid and cloud environments – Keep malware off your Azure Cloud and Windows workloads by protecting against increasingly complex known and unknown threats.
  • Detect and protect against intrusions – Defend against hackers who can easily exploit vulnerabilities like Shellshock and Heartbleed to gain access to sensitive information. Immediately protect your instances from these and new serious vulnerabilities with intrusion detection and prevention (IDS/IPS).
  • Get valuable information – Identify and understand indicators of compromise and improve compliance using Integrity Monitoring and Log Inspection.
  • Improve security across your software build pipeline and deployment environment – Deliver an integrated security solution that provides a substantial set of APIs allowing DevSecOps to build security into your CI/CD pipeline using automation such as Jenkins for changing cloud or container environments.

Save the date! Join us for lunch at our next event in a city near you.

  • Detroit 3/5/2019 12:00 pm – 3:00 pm
  • Reston 3/11/2019 12:00 pm – 4:00 pm
  • Boston 3/20/2019 12:00 pm – 4:00 pm
  • New York City 3/20/2019 12:00 pm – 3:00 pm
  • St. Louis 3/20/2019 1:00 pm – 4:30 pm
  • Denver 4/3/2019 12:00 pm – 3:00 pm
  • Dallas 4/9/2019 12:00 pm – 4:00 pm

Improve your Azure deployments with a set of comprehensive security capabilities automated for Microsoft Azure workloads. Learn more about Trend Micro and Microsoft Azure.

Mark your calendar, we will see you at The Azure Cloud Security Series.

Register Today for the Azure Cloud Security Series in a city near you, don’t miss out! https://resources.trendmicro.com/2019-MTC-Roadshow.html

In the past, compliance and regulation standards have meant organizations could be limited to housing software within their own data center, removing the option for SaaS and the features and benefits that come with it. SaaS has become a very popular option for software developers these days due to its speed of adoption. But why should these benefits be limited to SaaS? Does hosting in your own data center mean having to be constrained to a less agile solution?

We don’t think so.

Big changes are coming with Deep Security 10.1, giving you the opportunity to move at cloud speed. Read our blog, Bringing Data Center Security to Cloud Speed to learn more.


With the re-emergence of CI/CD (Continuous Integration / Continuous Deployment) as well as other software engineering techniques like no-patch environments and blue/green deployments, teams are under immense pressure to quickly deliver working software with no downtime to customers. Whether it’s pushing application updates in a streamlined fashion multiple times a day or redeploying new Azure VMs with the code updates, an application control tool needs to be as flexible as the deployment it is protecting.


Deep Security, with its Application Control module, lets you implement software changes dynamically, so your development team can create and deploy their software without a security tool standing in the way.

The first way Deep Security achieves this is with its implementation of Application Control. When you first enable it, the agent takes an inventory of the virtual machine and automatically adds all installed software to its approved list. This is perfect for no-patch and blue/green deployments: when your new virtual machines are built with the new code, that code is automatically approved by Deep Security. Gone are the days of adding every new build to an approved list before the code is pushed.

But what if you are deploying new code and re-using existing Azure VMs? The Maintenance Mode feature with its API tie-in is the solution for this environment. Maintenance mode allows a virtual machine to be patched or updated while automatically adding any changes to its approved application list. Because Deep Security has an open API architecture, you can add this maintenance step to your code deployment tool, such as Jenkins.

By using the following API call, you can turn on maintenance mode for x minutes just prior to doing the code deploy.

dsm.set_trusted_update_mode(hostID,minutes)

Here in the GUI, you can see that Maintenance mode has been turned on via the API call:

Also, within Deep Security under the “Actions” section, we give you a comprehensive list of applications that are running in an environment that have yet to be approved so you can quickly see changes that have occurred.  This gives you the ability to approve new programs being deployed or remove access from files which are deemed suspicious or malicious.

With Deep Security, you have the power of Application Control along with our other security controls, all of which can be accessed programmatically to help your security be as dynamic and agile as your development teams.

For more information, please contact us at azure@trendmicro.com.


The Deep Security team released support today for identity provider integration using SAML 2.0. When you integrate Deep Security with your identity provider, you no longer need to manage users, passwords, and MFA tokens in Deep Security. By offloading user management to your identity provider, you can also use features like password strength / change enforcement, one-time password (OTP), and two-factor / multi-factor authentication (2FA/MFA) with your existing policies. We have tested Deep Security SAML integration with Microsoft Windows Active Directory Federation Services (ADFS), Okta, PingOne, and Shibboleth.

This article will help you integrate your ADFS server with Deep Security. I’ve tested the instructions with ADFS 4.0 (Windows Server 2016), but you can set up the same configuration with older versions of ADFS back to ADFS 2.0.

You can follow the instructions in this article today if you have an account on Deep Security as a Service, Trend Micro’s hosted Deep Security solution. SAML support is coming soon to the AWS Marketplace and software releases starting with Deep Security 10.1.

Create a SAML Identity Provider and roles in Deep Security

The Deep Security Help Center has a great SAML single sign-on configuration article that will walk you through the steps to set up Deep Security to trust your ADFS server. You’ll need the federation metadata file from your ADFS server, which you can get from https://<your ADFS server name>/FederationMetadata/2007-06/FederationMetadata.xml.

Adding Deep Security as a relying party in ADFS

This is a quick-start blog post, so I won’t get into a lot of detail. There’s a link at the bottom of the article if you want the full reference documentation.

In this example we’ll use the user’s email address as the Deep Security user name (RoleSessionName in Deep Security SAML-speak).

We’re also going to use a handy trick here that lets us use Active Directory groups to manage the role claims that we issue. This trick uses two custom rules, one to extract the Active Directory group information and the second to transform the group information into claims.

To make this work, you’ll need to have a naming convention where your Active Directory group names can be transformed into Deep Security roles. In this example, we’ll use Active Directory group names in the format TMDS-<tenant ID>-<role name>, so TMDS-0123456789-READONLY would be transformed to the URN for the Deep Security role urn:tmds:identity:us-east-ds-1:0123456789:role/ADFS-READONLY.

To create these AD groups, you’ll need the identity provider and role URNs from the Create a SAML Identity Provider and roles in Deep Security procedure described earlier.

We’ll also create a rule that includes a PreferredLanguage claim that takes its value from the preferredLanguage LDAP attribute. This is optional and won’t do any harm if you don’t have this attribute set, but it can be handy if you have a diverse user base.

Finally, we’ll create a rule that includes a SessionDuration claim limiting the user’s sessions to a maximum of eight hours (28800 seconds). This claim attribute is also optional, and the Deep Security administrator can further limit session duration if they want.

Microsoft provides an ADFS PowerShell cmdlet that lets you completely configure everything we need in a single command. Run this as an administrator on your ADFS server to set up Deep Security as a Service as a relying party for your ADFS. If you’re trying to integrate your own Deep Security installation, replace the Name and MetadataURL parameter values, and check to make sure the URNs in the Roles rule match what you have.

Always read PowerShell scripts carefully and make sure you understand what they do before running them. Also, be wary of copy & paste attacks! Always paste into a text editor and review what you’ve copied there before running the script.

Add-AdfsRelyingPartyTrust -Name 'Trend Micro Deep Security as a Service' -MetadataURL 'https://app.deepsecurity.trendmicro.com/saml' -IssuanceAuthorizationRules '@RuleTemplate="AllowAllAuthzRule" => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value="true");' -IssuanceTransformRules '@RuleTemplate = "LdapClaims"
@RuleName = "RoleSessionName"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("https://deepsecurity.trendmicro.com/SAML/Attributes/RoleSessionName"), query = ";mail;{0}", param = c.Value);

@RuleName = "Get AD Groups"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => add(store = "Active Directory", types = ("http://temp/variable"), query = ";tokenGroups;{0}", param = c.Value);

@RuleName = "Roles"
c:[Type == "http://temp/variable", Value =~ "(?i)^TMDS-([^d]+)"]
 => issue(Type = "https://deepsecurity.trendmicro.com/SAML/Attributes/Role", Value = RegExReplace(c.Value, "TMDS-([^d]+)-", "urn:tmds:identity:us-east-ds-1:$1:saml-provider/ADFS,urn:tmds:identity:us-east-ds-1:$1:role/ADFS-"));

@RuleName = "Session Duration"
 => issue(Type = "https://deepsecurity.trendmicro.com/SAML/Attributes/SessionDuration", Value = "28800");

@RuleTemplate = "LdapClaims"
@RuleName = "Preferred Language"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("https://deepsecurity.trendmicro.com/SAML/Attributes/PreferredLanguage"), query = ";preferredLanguage;{0}", param = c.Value);'

That’s it!

Well, close to, anyway. You’ll still need to set up groups in Active Directory that match the pattern you defined (in the examples above, TMDS-<tenant ID>-<role name>) and assign users to those groups, but then you’re done!
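The claim rules above can be checked offline before they are pushed to ADFS. The following is an added example, not code from the original post or from Trend Micro: it models what the five rules issue for a directory record, using the TMDS-<tenant ID>-<role name> convention and the us-east-ds-1 URNs from the post. The user records, group names and tenant IDs are constructed sample data, and the tenant ID is matched as digits, as in the post’s example IDs.

```python
import re
from xml.sax.saxutils import escape

# Region segment of the Deep Security URNs, as in the post's examples
DS_REGION = "us-east-ds-1"
ATTR = "https://deepsecurity.trendmicro.com/SAML/Attributes/"
SESSION_DURATION = "28800"  # eight hours, the value issued by the "Session Duration" rule

# Mirrors the "Roles" rule: case-insensitive TMDS- prefix, numeric tenant ID,
# role name after the second hyphen. Anything else is not a Deep Security group.
GROUP_RE = re.compile(r"(?i)^TMDS-(\d+)-(.+)$")


def role_claim(group):
    """Map one AD group name to the 'provider URN,role URN' value the Role claim
    carries, or None if the group does not follow the naming convention."""
    m = GROUP_RE.match(group)
    if not m:
        return None
    tenant, role = m.group(1), m.group(2)
    provider = f"urn:tmds:identity:{DS_REGION}:{tenant}:saml-provider/ADFS"
    role_urn = f"urn:tmds:identity:{DS_REGION}:{tenant}:role/ADFS-{role}"
    return f"{provider},{role_urn}"


def build_claims(user):
    """Return the attributes the five rules would issue for one directory record.
    `user` has 'mail', 'tokenGroups' (group names) and optional 'preferredLanguage'."""
    claims = {
        ATTR + "RoleSessionName": [user["mail"]],        # RoleSessionName rule
        ATTR + "SessionDuration": [SESSION_DURATION],    # Session Duration rule
    }
    # "Get AD Groups" feeds the temporary claim; "Roles" keeps only matching groups
    roles = [r for r in (role_claim(g) for g in user.get("tokenGroups", [])) if r]
    if roles:
        claims[ATTR + "Role"] = roles
    if user.get("preferredLanguage"):                    # Preferred Language rule
        claims[ATTR + "PreferredLanguage"] = [user["preferredLanguage"]]
    return claims


def has_role(claims):
    """A user in no TMDS-* group gets no Role claim, so there is no tenant/role
    for Deep Security to map the session to; surface that before go-live."""
    return bool(claims.get(ATTR + "Role"))


def attribute_statement(claims):
    """Render the claims as the SAML AttributeStatement Deep Security receives,
    for side-by-side comparison with an assertion captured in a SAML tracer."""
    lines = ["<saml:AttributeStatement>"]
    for name, values in claims.items():
        lines.append(f'  <saml:Attribute Name="{name}">')
        for v in values:
            lines.append(f"    <saml:AttributeValue>{escape(v)}</saml:AttributeValue>")
        lines.append("  </saml:Attribute>")
    lines.append("</saml:AttributeStatement>")
    return "\n".join(lines)


# Constructed sample directory records; names, addresses and tenant IDs are not real
SAMPLE_USERS = {
    "alice": {"mail": "alice@example.com",
              "tokenGroups": ["Domain Users", "TMDS-0123456789-READONLY"],
              "preferredLanguage": "fr-FR"},
    "bob": {"mail": "bob@example.com",
            "tokenGroups": ["Domain Users", "Server Admins"]},
    "carol": {"mail": "carol@example.com",
              "tokenGroups": ["tmds-0123456789-FULLACCESS", "TMDS-9876543210-READONLY"]},
}

if __name__ == "__main__":
    for name, record in SAMPLE_USERS.items():
        claims = build_claims(record)
        print(f"--- {name}: {'role(s) issued' if has_role(claims) else 'NO ROLE CLAIM'}")
        print(attribute_statement(claims))
```

Running it shows carol receiving two Role values (one per tenant) and bob receiving none, which is the case to look for when a user reports being unable to sign in.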

[Editor’s note: For the latest WannaCry information as it relates to Trend Micro products, please read this support article.]

Information on Latest Ransomware Attacks

Two weeks and counting since the initial exposure of the WannaCry ransomware outbreak, and organizations are still feeling the effects of the attacks. With over 230,000 global users already infected and the emergence of new attacks like UIWIX and EternalRocks, the gravity of the situation is becoming increasingly evident. To keep you up to date, we are consistently providing new information on the latest ransomware threats through our Simply Security blog. There you can find a breakdown of the attacks as well as the present and future impacts of exposure.

Prevention and Support

Looking to prevent WannaCry using Trend Micro products? Visit our support page for detailed procedures on protecting yourself and your business.

The Reality of Patching

The WannaCry ransomware variant of 12-May-2017 has been engineered to take advantage of one of the most common security challenges facing large organizations today: unpatched vulnerabilities. It’s not uncommon for it to take 100 days or more for organizations to deploy a patch. Why? The answer is rarely straightforward and differs depending on the objectives and responsibilities of an organization. Read WannaCry & The Reality of Patching for an in-depth look at updating legacy systems, the costs of patching vs. breach, and mitigation strategies.

Beyond WannaCry

While WannaCry will soon be a thing of the past, ransomware attacks will continue to be a part of the future. With over 1.5B ransomware attacks in 2016, it is clear now that in 2017 we will continue to see exponential growth. Proactively securing your business is the only way to defend against potential breaches. Luckily, you are not alone. Watch our webinar, with VP Cloud Research Mark Nunnikhoven, as he walks through the new threats and vulnerabilities that could put you at risk. Mark covers UIWIX and EternalRocks as well as all the vulnerabilities associated with the ShadowBrokers leak to help you better understand what is going on and how to deal with this situation. The information presented here will help you better communicate to your board or boss what the current situation is with respect to all of these threats.

This year at RSA 2017, we caught up with VP Cloud Research Mark Nunnikhoven to get his insights on trends and challenges the modern security team is facing and the steps we can take towards a more secure and layered approach to hybrid cloud security. Whether you’re moving to cloud, your DevOps team is feeling the pressure of security responsibilities, or you can’t determine if the latest “silver bullet” solution is what you really need, Mark provides the answers to your burning security questions.

Here are some great takeaways from the interview to help you answer your hybrid cloud security questions.

More and more we see DevOps teams feeling overwhelmed by the challenges of increasing responsibilities with fewer resources. What can your security vendor do to help balance the load?

There is currently an overload in messaging from all vendors, but you can’t rely on one thing and have to look to your security best practices. Advanced techniques like machine learning can help, but if you can catch a problem with a simple check of what’s known good or known bad, why wouldn’t you go for the simpler solution?

“Machine learning” is the newest fad in security, but the definition isn’t always so clear. How do you define machine learning and what is it doing to improve security?

It’s a big buzzword right now in security, but it isn’t even a new tool to Trend. Machine learning, to the IEEE Computational Society and tech communities, is clearly defined. The simple result is setting up a computer program that will be able to look at something and make a decision whether it matches a known set of something or not. Over time the model learns and will be able to make judgements based on its learnings.

With that understanding of machine learning, it’s easy to understand why others might consider it to be the be-all end-all solution. Why might it not be enough?

Nothing is perfect. Even the best trained machine learning models are only in the high 90s for accuracy. You can’t expect there to be a one-trick pony solution for security. When responsible for a customer’s data, you can’t responsibly protect it with one tool. People have made those controls, people make mistakes.

You’ve been hit with ransomware. What are the steps you should take in the first 24 hours?

It depends what level of user you are. Hopefully you’ve taken the steps to back up your data and apply basic security controls. While it’s hard to give generic advice, if you have been breached, the easiest thing you can do is disconnect your system from the network, but leave it on. Once you’ve disconnected, you prevent further damage, but if you turn it off, you can actually increase the damage. Then get in touch with an expert, IT help desk, consulting companies, or service providers. But leave it as is! This gives a better chance of recovering your data. This is a nightmare scenario. Ideally it is better to take the preventative measures up front.

Many teams are making the move to a hybrid cloud environment. What can security vendors be doing to help with that move and make the transition easier?

What people need to realize up front is that it’s not a spontaneous move; it’s a transition that applies to both security and operations. Look at where you want to be in the cloud and your ideal end state, and the tools needed to make that change, and start applying those changes today in your data center. The faster you can get your teams used to those new tools and skill set as you migrate your assets out to the cloud, the smoother a transition you will have.

Follow @marknca for your daily dose of cloud security news.

As more and more organizations are starting to realize, hybrid cloud is already happening and will continue to evolve as we strive to find better, faster and more efficient ways to store and share data. Not unlike the great cities of our world, we often see old and new side by side – the ancient architectures of yesterday nestled next to the futuristic glass skyscrapers of tomorrow.

When it comes to securing your on-premise and virtual environments it may seem like you’ve got it all figured out, but what happens as we move along the server evolution and bring environments like the cloud and containers into the mix? In an effort to be agile and cost efficient many organizations are using these new environments but may not have the protection to match.

Bridging the hybrid cloud

We are very excited to announce the release of Deep Security 10 powered by XGen™ security. Deep Security 10 continues to embrace the challenge of hybrid cloud, delivering enhancements designed to give you even more visibility across all of your environments—physical, virtual, cloud, and now containers. You’re working to leverage these environments to support your business – and that business needs to be protected.

The first step is visibility. With the new smart folders feature, applications that span different infrastructures can be treated as one using a smart attribute-based grouping system. Now you can manage applications across vastly different infrastructure platforms as if they were one, be it physical, virtual or cloud.

Next, let’s talk about layered security. Deep Security 10 is powered by XGen™ Security, a blend of cross-generational threat defense techniques. Deep Security leverages server-centric threat defense techniques from tried and true technologies like intrusion prevention, anti-malware, and application control right up to the latest threat defense techniques like sandbox analysis, machine learning and behavioral analysis to guard against the most sophisticated threats.

New in Deep Security 10, we introduce behavioral monitoring capabilities, which can identify changes in installed software and/or changes in system files. These enhanced protection capabilities for Windows environments, including new ransomware capabilities, protection against unauthorized encryption, and new real-time memory scanning, combine to deliver more advanced layered security protection across Windows environments and your entire hybrid cloud.

This new release adds many integration and management enhancements, including faster connection and time to protection for Azure workloads, along with support for the latest Azure account format, Azure Resource Manager v2 (ARM). It also expands beyond server workloads to protect Docker containers, leveraging proven techniques like anti-malware, IPS and application control to protect dynamic container deployments.

Security that fits your environment, and your team.

Deep Security 10 has at its core the support for flexible deployment, hybrid policy management, support for auto-scaling, and blue/green deployments. We understand how to secure the long-standing physical servers, right up to the ephemeral servers living for mere minutes or even seconds in the cloud. This includes consumption-based licensing options for truly dynamic workloads that you can find in the Azure Marketplace and by using our Deep Security as a Service product. No matter how you manage security, Deep Security is designed to support the traditional IT security model or the latest DevSecOps – or both!

Stay tuned for the general availability of Deep Security 10 this March, and be sure to check back here often for new updates and releases about your favorite hybrid cloud security tool for Azure!