In an ever-evolving threat landscape, cybersecurity is no longer just about safeguarding sensitive data and other digital assets by merely keeping cybercriminals and other threat actors out of networks, systems, devices, and underlying technologies. Now it is also about having to proactively stop them in their tracks before they even gain a foothold in their spheres of operation.
The notable threats in the first half of 2019 drove this point home, what with the prevalence of so-called fileless threats that “lived off the land” — abusing legitimate and typically whitelisted system tools to do their malicious bidding — and the presence of malware and phishing campaigns that took advantage of security lapses and diversified in the ways they counted on the still unpatched flaw that was human vulnerability.
Ransomware operators distinctly set their sights on organizations, with crippling ramifications: Their attacks proved they could strike with such severity that some victims were even strong-armed into acquiescing to the cybercriminals’ exorbitant demands. For many cryptocurrency-mining threats, servers and cloud-based environments, which have far more computing resources than endpoints, became the new frontier. Messaging platforms, the bedrock underpinning many business transactions, were inundated with a range of threats, including business email compromise scams, sextortion schemes, and phishing incidents that did not rely on hacking human behavior alone.
It has been two weeks and counting since the initial exposure of the WannaCry ransomware outbreak, and organizations are still feeling the effects of the attacks. With over 230,000 global users already infected and the emergence of new attacks like UIWIX and EternalRocks, the gravity of the situation is becoming increasingly evident. To keep you up to date, we are consistently providing new information on the latest ransomware threats through our Simply Security blog. There you can find a breakdown of the attacks as well as the present and future impacts of exposure.
Prevention and Support
Looking to prevent WannaCry using Trend Micro products? Visit our support page for detailed procedures on protecting yourself and your business.
The Reality of Patching
The WannaCry ransomware variant of 12-May-2017 has been engineered to take advantage of one of the most common security challenges facing large organizations today: unpatched vulnerabilities. It’s not uncommon for it to take 100 days or more for organizations to deploy a patch. Why? The answer is rarely straightforward and differs depending on the objectives and responsibilities of an organization. Read WannaCry & The Reality of Patching for an in-depth look into updating legacy systems, the costs of patching versus a breach, and mitigation strategies.
While WannaCry will soon be a thing of the past, ransomware attacks will continue to be a part of the future. With over 1.5B ransomware attacks in 2016, it is clear now that in 2017 we will continue to see exponential growth. Proactively securing your business is the only way to defend against potential breaches. Luckily, you are not alone. Watch our webinar with VP Cloud Research Mark Nunnikhoven as he walks through the new threats and vulnerabilities that could put you at risk. Mark covers UIWIX and EternalRocks as well as all the vulnerabilities associated with the ShadowBrokers leak to help you better understand what is going on and how to deal with this situation. The information presented here will help you better communicate to your board or boss what the current situation is with respect to all of these threats.
Breaking down gateway and host-based security approaches in the cloud.
For most organizations, moving to the cloud has become a requirement, not an option. In the cloud, many of the same security controls are required but how they are delivered needs to change in order to fit into the agile cloud environment and DevOps methodologies. In the data center, security controls are delivered at the perimeter either using hardware security appliances for Firewall or Intrusion detection & prevention (IDS/IPS); or delivered through software (agents) on the servers themselves, such as Anti-Malware or File Integrity Monitoring. In the cloud, security is a shared responsibility which means that both the cloud provider and the cloud user share responsibilities for providing protection. Cloud providers like Azure provide immense physical data center security and processes, which is great for cloud users as it takes a lot of work off their plate. But it also means that cloud users can’t bring the hardware firewall or IPS devices to the cloud as they don’t have access to the physical servers. That leaves two options for controls like IPS:
Gateway or virtual appliance
Host-based with security software (agent) running on each workload
To get a better idea of the different approaches let’s dive into an example of IDS/IPS architecture in the cloud, as it is one of the security controls that most organizations have and it is often required for compliance.
Intrusion Detection and Prevention (IDS/IPS) Overview
Intrusion Detection Systems (IDS) were the first generation of network security controls. A reactive control, an IDS would alert you when a breach or attack occurred so you could investigate. Intrusion Prevention Systems (IPS) overtook IDS in popularity because of their ability to proactively block attacks, not just react to them. IDS/IPS systems for data centers were network-based and consisted of dedicated hardware appliances, with performance and throughput determined by the size of the network interface, CPU and memory.
Virtual Appliance (Gateway) Approach
Using the security virtual appliance deployment model there are two methods in which IDS/IPS can be used. Method 1 requires software to be deployed to each instance in order to send a copy of the network traffic to the appliance for inspection. Method 2 requires routing configuration changes to be made in order for the security virtual appliance to inspect the traffic. Figure 1 illustrates both deployment scenarios.
Figure 1: Security Virtual appliance
Host-based Security Approach
The other option is to deploy software (also known as an agent) onto each workload. This allows the security policies to be tailored to the specific software executing on that server, which removes the need to have generic or extraneous rules running and taking up resources. For instance, with Trend Micro Deep Security you can run a Recommendation Scan that quickly determines the specific rules needed to protect the instance, depending on the OS or patches applied. Additionally, the deployment of security software and policies can be automated for environments with auto-scaling requirements using configuration management tools such as Chef, Puppet or OpsWorks. This approach is illustrated in Figure 2. A host-based approach fits seamlessly with your existing deployment workflow.
Figure 2: Host-based IPS from Deep Security
One of the biggest architectural problems with network-based IDS/IPS is the use of encryption to protect network traffic. This security practice protects the contents of network traffic but it makes it difficult or impossible to analyze traffic and detect exploits. With host-based IDS/IPS, network encryption is less of an issue as the host decrypts traffic before it is analyzed. The following is a summary comparison of the different methods, which can be used to deploy IDS/IPS protection for cloud instances.
[Comparison table, only partially recoverable from the page. Column headers: "Virtual Appliance (Method 1 Inline)", "Virtual Appliance (Method 2 Tap)" and a third column for the host-based method. The surviving row values are "Parallel to the workload", "In proportion to the workload" and "With the workload".]
Although both security virtual appliances and host-based software can be used to deliver IDS/IPS in the cloud, there is a strong argument that a host-based approach is easier and more cost effective.
Host-based security can be deployed with automation tools like Chef or Puppet.
Host-based controls seamlessly auto-scale to thousands of instances without requiring additional virtual appliances or managers to be added.
A host-based approach reduces resource requirements as there is no duplication of traffic and no specialized instance is required for a virtual appliance.
Eliminates the requirement to configure SSL/TLS to decrypt and analyze network traffic.
Host-based security enables controls and policies to be customized for each workload.
In the past, IPS and IDS have only been defined in terms of one versus the other. While each offers its own unique attributes, the key to success may lie within a blend of the two. So how can you decipher what is offered by the two intrusion defense tools? In this article, we break down the main differences between IPS and IDS and how you can leverage their capabilities to protect your workloads.
IPS vs IDS
An Intrusion Prevention System (IPS) is a security control tool; it inspects traffic for vulnerabilities and exploits within the network stream and can remove packets before they reach your applications. It can also act as a protocol enforcement tool by ensuring each packet you are accepting is correct for that application. For example, you can allow any HTTPS packet that comes in on 443, but also block any non-HTTPS packets, like SSH, on the same port. This allows you to do additional enforcement of the traffic for multiple protocols on the same network port.
An Intrusion Detection System (IDS) is a visibility tool; it can alert an administrator on patterns within traffic while allowing the traffic to pass through to the application. This allows you to create IDS rules that give additional information about the traffic being accepted into your environment. For example, you might have an IDS rule to inspect the SSL ciphers offered by servers communicating with you, to ensure they are following compliance mandates and security policies. It is a powerful tool for giving in-depth information without impacting your applications.
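The two rule types described above, worked through in code. This is an added example, not Deep Security code or its rule format: a port-443 rule that enforces "only TLS on 443" (dropping in Prevent mode, alerting in Detect mode) and a visibility rule that parses the cipher suites offered in a TLS ClientHello and alerts on a constructed list of weak ones. The `build_client_hello` helper fabricates minimal ClientHello records so the example runs offline.

```python
import struct

# Constructed sample policy: cipher suites the detect-mode rule reports (IANA ids).
WEAK_SUITES = {
    0x0004: "TLS_RSA_WITH_RC4_128_MD5",
    0x0005: "TLS_RSA_WITH_RC4_128_SHA",
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
}

def classify(payload: bytes) -> str:
    """Identify the protocol from the first bytes of a TCP payload."""
    if payload.startswith(b"SSH-"):
        return "ssh"  # SSH identification string (RFC 4253)
    # TLS record: content type 0x16 (handshake), major version 3, handshake type 1 (ClientHello)
    if len(payload) >= 6 and payload[0] == 0x16 and payload[1] == 0x03 and payload[5] == 0x01:
        return "tls-clienthello"
    return "unknown"

def client_hello_ciphers(payload: bytes) -> list:
    """Return the cipher suite ids offered in a TLS ClientHello record."""
    p = 5 + 4                 # skip record header (5 bytes) and handshake header (4 bytes)
    p += 2 + 32               # client version and 32-byte random
    p += 1 + payload[p]       # session id length byte plus the session id itself
    (cs_len,) = struct.unpack("!H", payload[p:p + 2])
    p += 2
    return [struct.unpack("!H", payload[p + i:p + i + 2])[0] for i in range(0, cs_len, 2)]

def inspect(payload: bytes, mode: str) -> dict:
    """Apply the port-443 rules in 'prevent' (IPS) or 'detect' (IDS) mode."""
    kind = classify(payload)
    if kind != "tls-clienthello":
        # Protocol enforcement: only TLS belongs on 443. IPS drops, IDS only alerts.
        return {"verdict": "drop" if mode == "prevent" else "alert",
                "reason": f"non-TLS traffic ({kind}) on port 443"}
    weak = [WEAK_SUITES[s] for s in client_hello_ciphers(payload) if s in WEAK_SUITES]
    if weak:
        # Visibility rule: weak suites are reported, never dropped, so traffic still flows.
        return {"verdict": "alert", "reason": "weak cipher suites offered: " + ", ".join(weak)}
    return {"verdict": "pass", "reason": "TLS ClientHello with acceptable cipher suites"}

def build_client_hello(suites: list) -> bytes:
    """Construct a minimal TLS 1.2 ClientHello record (test data, not captured traffic)."""
    cs = b"".join(struct.pack("!H", s) for s in suites)
    hello = (b"\x03\x03" + bytes(32) + b"\x00"       # version, random, empty session id
             + struct.pack("!H", len(cs)) + cs
             + b"\x01\x00" + b"\x00\x00")            # null compression, no extensions
    handshake = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

if __name__ == "__main__":
    print(inspect(b"SSH-2.0-OpenSSH_8.9\r\n", "prevent"))
    print(inspect(build_client_hello([0x0004, 0xC02F]), "detect"))
    print(inspect(build_client_hello([0x1301, 0xC02F]), "prevent"))
```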
Layering Your Security
Ideally, you want to use both technologies within your environment. This allows you to use the IPS functions to protect your workloads from vulnerabilities and exploits which gives an additional layer of security within your environment. An IDS is helpful for monitoring and investigation within your environment without downtime to users or applications. This allows administrators to build additional IPS policies based on the information displayed within the IDS to keep your environment protected.
Having a tool like Deep Security, which can be configured as an IPS, an IDS or both, is extremely useful for implementing security controls and removing vulnerabilities, as well as for giving you real-time information about traffic patterns and policies. Each rule within Deep Security can be configured in either Prevent (IPS) or Detect (IDS) mode, giving you granular control of your security posture while still allowing your applications to run without impact. Combine this with our recommendation scan technology and your network security becomes context-aware, matching the correct IPS and IDS rules to the operating system and applications running on your workload. Deep Security only applies the rules you need within your environment, keeping your performance costs low.
Intrusion detection and prevention are valuable security tools, especially for cloud workloads when you can easily spin up a workload that’s visible to the world. By using Deep Security, you can add another layer of network security controls and visibility to your security arsenal.
When you’re tasked with meeting the compliance requirements to achieve and maintain PCI DSS compliance, you’ll soon realize that minimizing the number of security tools you use can be a huge asset. When it’s time for your PCI DSS audit, you can hit the accelerator with Trend Micro Deep Security as a Service.
What do I need to know about PCI DSS?
Any organization that has applications that deal with credit or payment card data is required to go through a process outlined by the Payment Card Industry (PCI).
If your applications are in the cloud, like Azure, PCI compliance can be easier – as long as you choose the right service provider. Infrastructure as a Service (IaaS) providers like Microsoft Azure have Level 2 PCI DSS certification. This means they have validated their security controls, people and processes with auditors and take care of many aspects that you would be responsible for if your application was in a physical data center. If you’re using SaaS offerings for log management, monitoring or security, they need to be PCI DSS certified, even if the service doesn’t directly deal with cardholder data.
Here is the real question.
Are your SaaS products also PCI Level 1 certified? It’s time to check: as of version 3 of the standard, if you use third-party Software as a Service (SaaS) offerings, they are included in the scope of your PCI audit!
We’re happy to announce that Trend Micro™ Deep Security as a Service™ is now a PCI DSS Level 1 Service Provider for your Azure workloads! This means you can streamline your PCI DSS certification process with a single tool!
Deep Security as a Service removes the cost and effort of running the security management stack. All of your security policies and events are stored securely and managed by Trend Micro. Best of all, you can get up and going with Deep Security as a Service in just a few minutes with our 30-day free trial.
Trend Micro has saved users months of precious resource time on PCI DSS projects by meeting many of the requirements with a single tool, including critical controls that address requirements like 11.4 Intrusion Prevention, 11.5 Integrity Monitoring, 5.1 Anti-malware and many more. Here are just a couple of examples:
For Royal Gate, Deep Security accelerated PCI DSS compliance for its payment service platform and increased security within its hybrid environment.
For Guess?, Inc., Deep Security helped the company segment traffic and fulfill multiple PCI requirements rapidly.
I’m excited to write about the availability of the Deep Security Manager Solution Template in Azure Marketplace. You’re likely asking why we decided to provide our solution in this format versus the other options available through the Azure Marketplace. I can give you a technically inclined answer, but before I do that, let’s look at a traditional cloud deployment.
In the traditional way of deploying any solution in the cloud, you build each piece one by one and handle their dependencies. For example, to deploy a solution in Azure you will be looking at any number of the following:
Storage account and blob
Network Security Groups
Inbound and outbound Security rules
And so on…
This approach can be ideal for complicated deployments, but it requires some understanding of the solution before you can start using it.
Solution template versus traditional deployment
Time: Some will say this is our most scarce resource. By automating and scripting the deployment of Deep Security in Azure, you can start protecting your Azure-based workloads immediately and focus on the tasks that really matter to you.
Simplicity: Simplify the deployment of all the required resources by removing the complexities. For example, Deep Security Manager, Deep Security Relay, and other supporting infrastructure (such as a virtual network, database server, network security groups and firewall rules) are deployed together. In this deployment option you have complete control over Deep Security in your own environment (Azure account) and you will have access to the data.
What solutions are available in Azure Marketplace?
Now that you understand why we did it, you may be wondering what this offering is and what type of solution Trend Micro is offering in Azure Marketplace. As you may already know, Azure Marketplace supports multiple types of solutions:
Virtual Machine Image
Trend Micro offers solutions in two areas: Developer Service and Solution Template. For this blog post my focus is on the Azure Marketplace offering based on Solution Template.
What is a solution template?
Free form vs known configuration solution templates
There are two approaches when it comes to writing solution templates: free-form and the known-configuration (t-shirt size) approach. At first, free-form configurations sound appealing, but when you dig deeper they are more complex, require careful planning, and you end up having to focus on decisions that can be scripted for you.
We decided to go with the t-shirt size, or known-configuration, approach. This approach provides good, known configurations of varying sizes that are preconfigured for you. This enables you to easily select the deployment that fits your environment. Depending on the number of virtual machines you want to protect, you choose a matching Virtual Machine size configured for 25, 50, 100, 150 or 200.
If you’re wondering about protecting more than 200 workloads, we have this covered as well. It’s a matter of adding another Deep Security Virtual Machine (VM) from the Marketplace in your Azure account and picking the “Use Existing” option for the Azure SQL database during the provisioning wizard.
This is the concept of horizontal scaling; we call such Deep Security deployments “multi-node” deployments. Alternately, you can go with the BYOL solution template and specify certain attributes of the deployment, such as VM type, to go beyond the pre-configured standard offering.
Getting started with the Deep Security Solution Template for Azure
Let’s go on the journey to buy a Deep Security Virtual Machine (VM) from Azure Marketplace and look at the information you’ll need to get started. Starting in the Azure Marketplace, search for the keyword “Deep Security”, which will return these results:
First you need to select your license model.
If you’re an existing Deep Security customer, you can leverage your existing (or new) license with Deep Security on Azure marketplace. You can simply click on “Deep Security Manager (BYOL)” option.
If you’re a new Deep Security customer, select the “Deep Security Manager” option to procure and deploy through the Azure Marketplace.
Once you decide on the licensing model, the rest of the steps in this journey are the same. The solution template will guide you through a 7-step wizard that collects various parameter values, such as user credentials, VM size, virtual network details and database selection.
Once you’ve finished the quick 7-step wizard, you’ll have a fully optimized, connected configuration of Deep Security on a predefined network topology, ready to be used to protect your Azure workloads.
Here is what the deployment architecture will look like: