Deep Security Vulnerability Protection Summary

Similar documents
Deep Security Intrusion Detection & Prevention (IDS/IPS) Coverage Statistics and Comparison

Deep Security/Intrusion Defense Firewall - IDS/IPS Coverage Statistics and Comparison

Staying Secure After Microsoft Windows Server 2003 Reaches End of Life. Trevor Richmond, Sales Engineer Trend Micro

Secure Clouds - Secure Services Trend Micro best-in-class solutions enable data center to deliver trusted and secure infrastructures and services

Virtual Patching: a Proven Cost Savings Strategy

Nessus and Antivirus. January 31, 2014 (Revision 4)

Devising a Server Protection Strategy with Trend Micro

Devising a Server Protection Strategy with Trend Micro

New possibilities in latest OfficeScan and OfficeScan plug-in architecture

Comprehensive Malware Detection with SecurityCenter Continuous View and Nessus. February 3, 2015 (Revision 4)

Enterprise Cybersecurity Best Practices Part Number MAN Revision 006

Virtualization Journey Stages

Addressing the SANS Top 20 Critical Security Controls for Effective Cyber Defense

AT&T Global Network Client for Windows Product Support Matrix January 29, 2015

10 Key Things Your VoIP Firewall Should Do. When voice joins applications and data on your network

Windows Server 2003 End of Support. What does it mean? What are my options?

Assuria can help protectively monitor firewalls for PCI compliance. Assuria can also check the configurations of personal firewalls on host devices

Virtual Patching: a Compelling Cost Savings Strategy

AgriLife Information Technology IT General Session January 2010

IDS or IPS? Pocket E-Guide

Getting Ahead of Malware

Endpoint protection for physical and virtual desktops

COMPARISON OF FIXED & VARIABLE RATES (25 YEARS) CHARTERED BANK ADMINISTERED INTEREST RATES - PRIME BUSINESS*

COMPARISON OF FIXED & VARIABLE RATES (25 YEARS) CHARTERED BANK ADMINISTERED INTEREST RATES - PRIME BUSINESS*

Cautela Labs Cloud Agile. Secured. Threat Management Security Solutions at Work

Trend Micro Sicherheit in den Tiefen des Hypervisors. Richard Javet und Gabriel Kälin Trend Micro (Schweiz)

MALWARE THREATS AND TRENDS. Chris Blow, Director Dustin Hutchison, Director

Secure Your Mobile Workplace

Spine Warranted Environment Specification

DETECTING THE ENEMY INSIDE THE NETWORK. How Tough Is It to Deal with APTs?

Deep Security. Προστατεύοντας Server Farm. Σωτήρης Δ. Σαράντος. Available Aug 30, Σύμβουλος Δικτυακών Λύσεων. Copyright 2011 Trend Micro Inc.

Comparison of Firewall, Intrusion Prevention and Antivirus Technologies

Tracking Anti-Malware Protection 2015

Netzwerkvirtualisierung? Aber mit Sicherheit!

McAfee Endpoint Protection Products

Host-based Intrusion Prevention System (HIPS)

Endpoint protection for physical and virtual desktops

Virtual Desktops Security Test Report

How To Protect Your Network From Attack From A Virus And Attack From Your Network (D-Link)

I D C T E C H N O L O G Y S P O T L I G H T. S e r ve r S e c u rity: N o t W h a t It U s e d t o Be!

Blackboard Collaborate Web Conferencing Hosted Environment Technical Infrastructure and Security

The Challenge of a Comprehensive Network Protection. Introduction

IBM Advanced Threat Protection Solution

PROACTIVE PROTECTION MADE EASY

Networking for Caribbean Development

Trend Micro Incorporated reserves the right to make changes to this document and to the products described herein without notice.

Detecting peer-to-peer botnets

Vulnerability Management

FISMA / NIST REVISION 3 COMPLIANCE

Critical Security Controls

Barracuda Intrusion Detection and Prevention System

Real World and Vulnerability Protection, Performance and Remediation Report

IBM Internet Security Systems

The dramatic growth in mobile device malware. continues to escalate at an ever-accelerating. pace. These threats continue to become more

Content Security Gateway Series Real-time Gateway Web Security Against Spyware and Viruses

Guidance Regarding Skype and Other P2P VoIP Solutions

Enterprise Anti-Virus Protection

Fighting Advanced Persistent Threats (APT) with Open Source Tools

NetDefend Firewall UTM Services

AVeS Cloud Security powered by SYMANTEC TM

SonicWALL Clean VPN. Protect applications with granular access control based on user identity and device identity/integrity

Trend Micro. Advanced Security Built for the Cloud

Analysis One Code Desc. Transaction Amount. Fiscal Period

Network Security: 30 Questions Every Manager Should Ask. Author: Dr. Eric Cole Chief Security Strategist Secure Anchor Consulting

Enterprise Anti-Virus Protection

Case 2:08-cv ABC-E Document 1-4 Filed 04/15/2008 Page 1 of 138. Exhibit 8

Total Defense Endpoint Premium r12

Zscaler Cloud Web Gateway Test

What Do You Mean My Cloud Data Isn t Secure?

What to Look for When Evaluating Next-Generation Firewalls

Background. How much does EMET cost? What is the license fee? EMET is freely available from Microsoft without material cost.

Cisco Advanced Malware Protection for Endpoints

Enterprise Anti-Virus Protection

End-user Security Analytics Strengthens Protection with ArcSight

CHAPTER 3 : INCIDENT RESPONSE FIVE KEY RECOMMENDATIONS GLOBAL THREAT INTELLIGENCE REPORT 2015 :: COPYRIGHT 2015 NTT INNOVATION INSTITUTE 1 LLC

Desktop Security. Overview and Technology Guidance. Michael Ramsey Network Specialist, NC DPI

Trend Micro VMware Solution Guide Summary for Payment Card Industry Data Security Standard

Intrusion Defense Firewall

EMC Software Release and Service Dates for NetWorker and NetWorker Modules Last Updated on August 16, 2012

CS 356 Lecture 25 and 26 Operating System Security. Spring 2013

Protecting Your Organisation from Targeted Cyber Intrusion

Enterprise-Grade Security from the Cloud

Managed Intrusion, Detection, & Prevention Services (MIDPS) Why Sorting Solutions? Why ProtectPoint?

Best Practice Configurations for OfficeScan (OSCE) 10.6

24/7 Visibility into Advanced Malware on Networks and Endpoints

Cisco Security Agent (CSA) Network Admission Control (NAC)

PCI COMPLIANCE REQUIREMENTS COMPLIANCE CALENDAR

SD Monthly Report Period : August 2013

THREE KEYS TO COST-EFFECTIVE SECURITY FOR YOUR SMALL BUSINESS

NetDefend Firewall UTM Services

Meeting the Challenges of Virtualization Security

Continuous compliance through good governance

Transcription:

Deep Security Vulnerability Protection Summary Trend Micro, Incorporated This documents outlines the process behind rules creation and answers common questions about vulnerability coverage for Deep Security Version 2.2 April 2015

1. Purpose of this note The Deep Security Vulnerability Labs team is the Trend Micro team that researches vulnerabilities and threats and provides protection via various protection modules in Deep Security. This document explains the process of threat monitoring, rule creation and quality assurance of rules. A list of answers to Frequently Asked Questions (FAQ) is included in Section 3 of the document. While this document is focused on Deep Security, the process outlined in this document also applies to the protection provided by Trend Micro Vulnerability Protection (formerly Intrusion Defense Firewall). 2. Rule Development Process The process involves 3 primary stages: - Monitoring for vulnerabilities and threats - Vulnerability research and rule development - Quality assurance and delivery of rules to customers in a Deep Security Rule Update. 2.1 Monitoring for Vulnerabilities and Threats The entire rule development process starts with monitoring for the latest vulnerabilities and threats. The Deep Security Vulnerability Labs team monitors threats 24/7 from various different sources. These sources include: - Subscriptions to vulnerability research sources - Programs with software vendors such as Microsoft Active Protections Program (MAPP) - Trend Micro sources, including malware and attack information from customers (through the Trend Micro Smart Protection Network), honeypots, and other sources. - Public information The Deep Security Vulnerability Labs team is a member of the TrendLabs team, which is a global team that monitors emerging threats. This team monitors and disseminates key threat information companywide so that all products can provide protection with the threat defense technologies included in each product. 2.2 Vulnerability Research and Rules Development Criteria The focus of vulnerability research is on the server and desktop software likely to exist within end customer environments. This includes operating systems such as Microsoft Windows, Linux, and Unix, as well as enterprise software, including web browsers, web servers, application servers, backup software and databases. Deep Security does not provide protection for network devices, since Deep Security is not in a position to protect those devices. Primarily, it is remote vulnerabilities and exploits which Deep Security provides protection for. This means that the vulnerabilities can be exploited over the network from an attacking computer. The primary protection provided by Deep Security is very similar to a network Intrusion Detection and Prevention (IDS/IPS) system, however it is applied at the host for more granular and specific security. While there are many software vulnerabilities disclosed on a daily basis, Deep Security only provides protection for a subset of these vulnerabilities. The criteria used to determine if protection is provided: 1. Is the vulnerability in enterprise software that many of our customers depend on and for which Deep Security is in a position to protect? 2

2. Can the vulnerability be protected by network inspection (Deep Packet Inspection)? 3. Is the vulnerability information available and sufficient to be able to develop an Intrusion Prevention rule for the vulnerability? 4. Is the vulnerability CVSS severity level significant enough to warrant coverage? Typically, a CVSS score of 4.0 is required, although coverage for CVSS score lower than 4.0 is sometimes provided. It is often the lack of vulnerability information that prevents Deep Security (and all network security companies) from delivering protection for a specific vulnerability. The criteria for developing an Intrusion Prevention (IDS/IPS) rule is shown in Figure 1 below. Figure 1: Intrusion Prevention (IDS/IPS) Rule Criteria for Coverage 2.3 Vulnerability Research and Rules Development Once it has been determined that a specific rule can be developed, a rigorous rule development process is followed in order to develop the rule, including tests for potential False Negative and False Positive conditions. A False Negative is when a rule does not detect certain attack condition and a False Positive is when a rule identifies legitimate traffic as an attack. 3

A rule is created based on all threat information available. The vulnerabilities are imported into a vulnerability tracking system and pushed into the research queue after being subjected to a triage process. The research team selects vulnerabilities from the top of the research queue and researches and collects all relevant threat information. This information is used to develop an Intrusion Prevention (IDS/IPS) rule. Developing a rule is similar to writing a small software program. An Intrusion Prevention (IDS/IPS) rule is very different from an Antivirus Signature. It is not just a pattern but a series of checks that look deep into the protocol, looking for very specific fields and structures in a protocol and/or file. Once an Intrusion Prevention (IDS/IPS) rule is developed, it is subjected to various unit tests to ensure that it covers all aspects of the vulnerability and doesn t cause false positives. These tests are carried out by the developer of the rule, and also a member of the quality assurance team. After Unit Testing is completed, the rule undergoes a Peer Review. Figure 2 summarizes the Intrusion Prevention (IDS/IPS) rule development process: Figure 2 Intrusion Prevention (IDS/IPS) Rule Development Process In addition to the development of the specific rule, most IDS/IPS rules have a corresponding recommendation rule that identifies which software contains the vulnerability. The vulnerability labs team creates rules for the Recommendation Scan feature of Deep Security. This allows Recommendation Scan to ensure that the Intrusion Prevention (IDS/IPS) rule is deployed on the appropriate systems within a customer environment. These recommendation rules are verified against real applications and patches in most of the cases as a part of the rules development process. 2.4 Integration Testing Once the Rule Development Process is completed for a rule, it is included in a potential rule update with other rules scheduled for release. This rule update is subjected to several integration tests to ensure that the entire update works as expected within product and simulated customer environments. This involves: - False Positive Tests: With any IDS/IPS product, false positives are a significant concern. We ensure thorough false positive tests by running the rules through terabytes of good traffic. The traffic has been generated based on thousands of test cases, and also collected from customer environments. 4

- Regression Tests: Ensuring that the rule doesn t have any impact on other rules. We accomplish this by replaying attacks against all rules that could be possibly impacted and making sure the rules prevent those attacks. - Performance Tests: To ensure that there is minimal impact on network throughput, the rules are subjected to network performance tests using industry standard tools. - Staging Tests: These are to ensure that the rule updates work fine with all supported versions of Deep Security. - Soak Tests: A rule update is released to an internal production operational environment within Trend Micro to ensure that the rule update does not have any negative operational impact. - Security Update Testing: Before a rule update is released to the customers, our team ensures that the rule update is posted and there are no issues importing them in the product via the Active Update servers. Once the above process is complete, the rules are delivered and available to a customer. In many cases, such as the ShellShock and Heartbleed vulnerabilities, this is all done within 24 hours of the vulnerability being disclosed publicly. Figure 3 is a summary of the Rule Update Integration Testing process: Figure 3 Rule Update Integration Testing Process 5

3. Frequently Asked Questions (FAQ) 3.1 What are the various sources of threat information used to create rules? A. Deep Security Intrusion Prevention (IDS/IPS) rules are created based on vulnerability research and threat intelligence collected from several different sources, internal and external. These include: - Subscriptions to vulnerability research sources - Programs with software vendors such as Microsoft Active Protections Program (MAPP) - Trend Micro sources, including malware and attack information from customers, honeypots, and other sources. - Public information 3.2 What is the frequency of Deep Security Rule Updates (DSRUs)? - Deep Security Rule Updates are scheduled for 2nd and 4th Tuesdays of the month. The first update is aligned with the Microsoft Patch Tuesday Updates - Microsoft Patch Tuesday updates are available within 4-6 hours of the Microsoft patch release. - Often out-of-band updates are released for vulnerabilities with wide spread impact and active exploitation. These are shipped within 12-48 hrs. Table below summarizes the frequency of updates for the year 2014. Deep Security Rule Updates Per Month - 2014 2 4 2 6 4 3 2 2 4 5 3 3 Jan-14 Feb-14 Mar-14 Apr-14 May-14 Jun-14 Jul-14 Aug-14 Sep-14 Oct-14 Nov-14 Dec-14 Deep Security Rule Update Frequency 6

3.3 What time frame are Deep Security Rule Updates made available for various vulnerabilities? A. Development and delivery of Intrusion Prevention rule are provided on a best effort basis, based on type of software, remote exploitability, available of vulnerability information and severity. Delivery Targets for Security Updates: Criteria Typical Time Frame Microsoft Patch Tuesday Microsoft Monthly security updates (Patch Tuesday) Typically within 4-6 hours Emergency Updates Scheduled Updates Emergency updates for serious vulnerabilities in widespread software (Microsoft out of band patches, Heartbleed, Shellshock) Vulnerabilities with CVSS 9.0-10 Vulnerabilities with CVSS 7.0 9.0 Vulnerabilities with CVSS 4.0 7.0 Typically within 24 hours 3.4 Which software vulnerabilities does Deep Security provide protection for? Next scheduled Rule Update Within 2 Rule Updates from the date of publication Within 3 Rule Updates from the date of publication A. As described in this document, multiple criteria are used to determine if protection is provided for a specific software vulnerability. The following table provides a summary of the software categories Deep Security has provided protection for in the past. 2013-14 Before 2013 Total Platforms 119 458 577 Windows OS and Core Services 49 295 344 Non-Windows OS and Core Services 70 163 233 Server Applications 185 965 1150 Web Servers 13 142 155 Application Servers 73 121 194 Web Console/Management Interfaces 31 141 172 Database Servers 10 99 109 DHCP, FTP, DNS servers 8 41 49 Mail Server 6 94 100 Directory Server/Services 2 22 24 HP Products 25 54 79 Backup Software 8 52 60 News, Media Streaming - 5 5 PPTP Server - 1 1 Anti Spam Server 1 7 8 Other Applications (best effort) 8 186 194 7

Desktop Applications 411 1106 1517 Miscellaneous/Generic Detection 6 67 73 Browsers 227 406 633 DHCP, DNS, FTP Clients - 40 40 PDF Readers 36 72 108 Browser Plugins and media players 94 227 321 Dependent Libraries 10 8 18 Microsoft Office 22 177 199 Media Client 7 44 51 Microsoft products (other than office) 6 18 24 Others (best effort) 3 47 50 Application Control 72 72 File Sharing software/p2p 20 Miscellaneous 8 Instant Messaging 15 Email clients/protocols 10 Remote Administration Tools 8 Web Browsers 6 Web Media 5 3.5 How many rules are shipped every month? A. Every month we ship, on average, 40 new rules and update about the same every month. Rules are updated when more threat information is available, or to fix any discovered issues. The following graph summarizes the number of new and updated rules in 2014. 8

3.6 Does Deep Security provide protection for unsupported/end of life Operating Systems (e.g. Windows XP and Windows 2000) and Applications? Will Trend Micro Deep Security support Windows 2003 after End Of Life on July 14, 2015? A. Yes. This is one of the advantages of the Deep Security platform. Its host- based Intrusion Prevention capabilities help to detect and prevent threats even before the malicious network packets reach your applications. It helps you protect against new vulnerabilities that are uncovered in these platforms and applications, and discover when malicious changes happen on your systems. While you plan your transition from these platforms, Deep Security helps mitigate vulnerabilities and reduce your exposure via: Intrusion Prevention System shielding against new vulnerabilities. Integrity Monitoring System which keeps an eye on your platform and application assets e.g. files, data, registry, installed software etc. and alert you about its integrity. Anti-Malware module keeps your system clear of any malware, spyware or backdoors, remote access Trojans etc. This, additionally, helps you maintain your compliance requirements by shielding vulnerabilities and threats and buys you time for migration. 3.7 How long will the above (e.g.: Windows 2003) be supported? A. Support for the specified unsupported platforms (Windows XP, Windows 2000, and Windows 2003) will be supported at least until 2017. This will allow organizations to make a secure transition to a new platform. 9

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information