Security Standards Compliance
ISO / IEC 27002:2013 (Information technology - Security Techniques - Code of practice for Information Security Controls) -- Trend Micro Products (Deep Discovery Inspector, Deep Security and SecureCloud) - Version 1.0
Document TMIC-004-ISO Version 1.0, February 2015

Security and Privacy Controls for Federal Information Systems and Organizations
ISO / IEC 27002:2013 Security Standards Compliance -- Trend Micro Products (Deep Discovery Inspector, Deep Security and SecureCloud)

References:
A. ISO / IEC 27001 Information Technology - Security Techniques - Information Security Management Systems - Requirements, Edition 2, 1 Oct 2013
B. ISO / IEC 27002 Information Technology - Security Techniques - Code of Practice for Information Security Controls, Edition 2, 1 Oct 2013
C. ISO / IEC 15408, Common Criteria for Information Technology Security Evaluation, Ver. 3.1 Rev. 4, Sep 2012

The ISO 27002 international standard is used by organizations to select controls when implementing an Information Security Management System as defined in ISO 27001, or as guidance for organizations implementing commonly accepted information security controls. The standard is also intended for use in developing industry- and organization-specific information security management guidelines that take into consideration their specific security risk environments.

This document provides details of how the Trend Micro products Deep Discovery Inspector v3.7, Deep Security v9.5 and SecureCloud v3.7 help satisfy the requirements of ISO 27002, both at the application/system enterprise level and as security features specific to the products, such as product access controls and audit capability. The appropriate context of each compliancy statement is indicated:
- how the Trend Micro products help satisfy the Enterprise level security requirements; and
- how the Trend Micro products satisfy the Product level security requirements.

The product-specific compliancy details are needed by managers, security systems engineers and risk analysts so that they can select and architect cost-effective secure solutions that protect their enterprise systems and sensitive information assets from the modern hostile threat environment.

The context compliancy statements include those related to the SFRs and SARs [1] used in the most recent ISO 15408 Common Criteria evaluations: Deep Discovery Inspector v3.1, EAL2 [2]; and Deep Security v9.5, EAL2 evaluation in progress [3]. The ISO 27002 compliancy analysis also recognized that the SecureCloud cryptographic capabilities were developed using FIPS 140-2 evaluated libraries [4]. Common Criteria validation ensures that these products have been methodically designed, tested and reviewed by fully qualified and government certified laboratories.

Many of the ISO 27002 security controls address the need for organizations to detect and effectively respond to security incidents, including those related to advanced persistent threats. The standard provides a foundation of security controls for incorporation into an organization's overall security requirements baseline, for mitigating risk and improving systems and application security in physical and virtualized environments. Many organizations using this standard also have obligations to demonstrate compliance in the context of their own continuous improvement program in the constantly changing modern threat environment. From a security product vendor's viewpoint, there is also a need to clearly demonstrate to users of its products how those products help satisfy the ISO 27002 enterprise and product specific security requirements.

Virtualized servers and cloud computing environments are being implemented by organizations and by their Cloud Service Providers. They face many of the same security challenges as their physical counterparts and additionally have to contend with a number of security concerns specific to the virtual environment, such as inter-VM traffic, resource contention, blurring of system and network security boundaries, mixed trust levels, security zoning, and separation of duties. In particular, organizations need to protect their sensitive information assets in the virtualized multi-tenant cloud environment, where the physical storage locations are unknown to them and distributed across the cloud.

The Deep Discovery Inspector's combined functionality of Virtual Analysis (sandbox threat behavior simulation), Advanced Threat Scans, and APT Detection has been certified to the ISO 15408 Common Criteria EAL2 level. The primary Deep Discovery Inspector modules include:
- Management Console provides a built-in online management console through which users can view system status, configure threat detection, configure and view logs, run reports, administer Deep Discovery Inspector, and obtain help.
- Virtual Analyzer provides a virtualized environment where untrusted files can be safely inspected.
- Network Content Correlation Engine is a module that implements rules or policies defined by Trend Micro. Trend Micro regularly updates these rules after analyzing the patterns and trends that new and modified viruses exhibit.
- Advanced Threat Scan Engine is a file-based detection-scanning engine that has true file type, multi-packed file, and IntelliTrap detection. The scan engine performs the actual scanning across the network and uses a virus pattern file to analyze the files passing through the network. The virus pattern file contains binary patterns of known viruses. Trend Micro regularly releases new virus pattern files when new threats are detected.
- Network Virus Scan uses a combination of patterns and heuristics to proactively detect network viruses. It monitors network packets and triggers events that can indicate an attack against a network. It can also scan traffic in specific network segments.
- Network Content Inspection Engine is a module used to scan the content passing through the network layer.

The Deep Security product provides, in both virtualized and physical environments, the combined functionality of a Common Criteria EAL2 validated Firewall, Anti-Virus, Deep Packet Inspection, Integrity Monitoring, Log Inspection, Role Based Access Control (RBAC) and support for multi-tenant virtual environments. The primary Deep Security modules include:
- Deep Security Manager is a centralized Web-based management console which administrators use to configure security policy and deploy protection to the enforcement components: the Deep Security Virtual Appliance and the Deep Security Agent.
- Firewall Module centralizes management of server firewall policy using a bidirectional stateful firewall. It supports virtual machine zoning and prevents denial of service attacks, and provides broad coverage for all IP-based protocols and frame types as well as fine-grained filtering for ports and IP and MAC addresses.
- Anti-Malware Module provides both real-time and on-demand protection against file-based threats, including threats commonly referred to as malware, viruses, Trojans, and spyware. To identify threats, Anti-Malware checks files against a comprehensive threat database, portions of which are hosted on servers or kept locally as updatable patterns. Anti-Malware also checks files for certain characteristics, such as compression and known exploit code. To address threats, Anti-Malware selectively performs actions that contain and remove the threats while minimizing system impact. Anti-Malware can clean, delete, or quarantine malicious files. It can also terminate processes and delete other system objects that are associated with identified threats.
- Recommendation Scans identify known vulnerabilities. The operation scans the operating system and also installed applications. Recommendation Scans automate the scanning of systems and patch levels against the latest Common Vulnerabilities and Exposures (CVE) database, to automatically apply Deep Security signatures, engines, patterns, and rules/filters to detect and prevent exploitation of these vulnerabilities, and to produce audit logs and reports which can be used to support a continuous monitoring program or audits.
- Integrity Monitoring Module detects and reports malicious and unexpected changes to files and the system registry in real time, and is available in an agentless form factor. It provides administrators with the ability to track both authorized and unauthorized changes made to the instance. The ability to detect unauthorized changes is a critical component in a cloud security strategy, as it provides visibility into changes that could indicate the compromise of an instance.
- Log Inspection Module provides visibility into important security events buried in log files. It optimizes the identification of important security events buried in multiple log entries across the data center, and forwards suspicious events to a SIEM system or centralized logging server for correlation, reporting and archiving. It leverages and enhances the open-source software available at OSSEC.
- Intrusion Prevention Module is both an Intrusion Detection System (IDS) and an Intrusion Prevention System (IPS) which protects computers from being exploited by attacks against known and zero-day vulnerabilities, as well as against SQL injection attacks, cross-site scripting attacks, and other web application vulnerabilities. It shields vulnerabilities until code fixes can be completed. It identifies malicious software accessing the network and increases visibility into, or control over, applications accessing the network. Intrusion Prevention prevents attacks by detecting malicious instructions in network traffic and dropping the relevant packets.
- Web Reputation Module protects against web threats by blocking access to malicious URLs. Deep Security uses Trend Micro's Web security databases from Smart Protection Network sources to check the reputation of Web sites that users are attempting to access. The Web site's reputation is correlated with the specific Web reputation policy enforced on the computer. Depending on the Web Reputation Security Level being enforced, Deep Security will either block or allow access to the URL.

SecureCloud provides FIPS 140-2 full disk encryption in either virtualized or physical environments, and has been specifically designed to assist in a multi-tenancy Cloud environment by ensuring that each tenant's data is isolated, using cryptography and cryptographic keys unique to each tenant.

These three products and other Trend Micro web services can be integrated into various enterprise architectures to effectively minimize the organization's cyber security risks. Such Trend Micro web services include:
- Control Manager provides a centralized management function for Deep Discovery Inspector (and other Trend Micro products).
- Smart Protection Network provides a URL and file reputation rating service.
- TrendLabs is a global network of research, development, and action centers committed to 24x7 threat surveillance, attack prevention, and timely and seamless solutions delivery. Serving as the backbone of the Trend Micro service infrastructure, TrendLabs is staffed by a team of several hundred engineers and certified support personnel that provide a wide range of product and technical support services.
- Threat Management Services provides organizations with an effective way to discover, mitigate, and manage stealthy and zero-day internal threats. Threat Management Services brings together security experts and a host of solutions to provide ongoing security services. These services ensure timely and efficient responses to threats, identify security gaps that leave the network vulnerable to threats, help minimize data loss, significantly reduce damage containment costs, and simplify the maintenance of network security.
- Threat Management Service Portal is an on-premise or hosted service which receives logs and data from registered products (DDI) and creates reports to enable product users to respond to threats in a timely manner and receive up-to-date information about the latest and emerging threats.
- Threat Connect correlates suspicious objects detected in the organization's environment with threat data from the Trend Micro Smart Protection Network. By providing on-demand access to Trend Micro intelligence databases, Threat Connect enables an organization to identify and investigate potential threats to its environment.
- Mobile App Reputation Service (MARS) collects data about detected threats in mobile devices. Mobile App Reputation Service is an advanced sandbox environment that analyzes mobile app runtime behavior to detect privacy leaks, repacked mobile apps, third-party advertisement SDKs, vulnerabilities, and app categories.
- Threat Mitigator receives mitigation requests from Deep Discovery Inspector after a threat is detected. Threat Mitigator then notifies the Threat Management Agent installed on a host to run a mitigation task.
- Mitigation (Module) Devices perform threat cleanup activities on network endpoints.

Notes:
[1] The CC evaluation Security Targets also included Trend Micro product specific Security Functional Requirements (SFRs) and Security Assurance Requirements (SARs) related to Intrusion Detection and Anti-Malware.
[2] Deep Discovery Inspector v3.1 CC Certification Report 283-4-252-CR, CSEC, dated 21 Jan 2014.
[3] The current Common Criteria evaluation of Deep Security v9.5 is an update to the earlier evaluations to EAL4+ for Deep Security v7.5 SP2 (Certification Report #383-4-152) and for Deep Security v8.0 SP1 (Maintenance Report #383-7-79-MR).
[4] SecureCloud utilizes FIPS 140-2 Level 2 Certified Cryptographic Libraries, Validation Number 1123.

6.1 Organization of Information Security / Internal Organization
Objective: To establish a management framework to initiate and control the implementation and operation of information security within the organization.

6.1.2 Organization of Information Security / Internal Organization / Segregation of duties
Control: Conflicting duties and areas of responsibility shall be segregated to reduce opportunities for unauthorized or unintentional modification or misuse of the organization's assets.
Compliancy statement: The segregation of duties and responsibilities is supported by both the Deep Discovery Inspector and Deep Security products through the Role Based Access Control (RBAC) mechanisms that both products use. This RBAC capability has been independently validated by the Common Criteria (ISO 15408) EAL2 level certification obtained for Deep Discovery v3.1, and is currently under evaluation for Deep Security v9.5. SecureCloud makes use of an RBAC mechanism in support of this requirement.

6.1.4 Organization of Information Security / Internal Organization / Contact with special interest groups
Control: Appropriate contacts with special interest groups or other specialist security forums and professional associations shall be maintained.
Compliancy statement: With the purchase of the Deep Discovery Inspector and Deep Security products an organization gains access to the specialist security forums provided by the TrendLabs and Smart Protection Network services of Trend Micro. These services provide additional expert analysis of security events to identify potential cyber attacks. TrendLabs is a global network of research, development, and action centers committed to 24x7 threat surveillance, attack prevention, and timely and seamless solutions delivery. Serving as the backbone of the Trend Micro service infrastructure, TrendLabs is staffed by a team of several hundred engineers and certified support personnel that provide a wide range of product and technical support services. TrendLabs monitors the worldwide threat landscape to deliver effective security measures designed to detect, preempt, and eliminate attacks. The daily culmination of these efforts is shared with organizations through frequent virus pattern file updates and scan engine refinements. The Smart Protection Network is a globally-scaled cloud-based infrastructure that provides reputation services to Deep Discovery Inspector and other Trend Micro products that leverage the smart protection technology. Deep Discovery Inspector integrates with the Smart Protection Network, which determines the reputation of websites users attempt to access. Deep Discovery Inspector logs URLs that smart protection technology verifies to be fraudulent or known sources of threats, and then uploads the logs for report generation. Selecting the Smart Protection Network option also allows the use of Retro Scan, a cloud-based service that scans historical web access logs for callback attempts to C&C servers and other related activities in an organization's network. Web access logs may include undetected and unblocked connections to C&C servers that have only recently been discovered. Examination of such logs is an important part of forensic investigations and may help determine whether the organization's network is affected by attacks.

6.2 Organization of Information Security / Mobile Devices and Teleworking
Objective: To ensure the security of teleworking and use of mobile devices.

6.2.1 Organization of Information Security / Mobile Devices & Teleworking / Mobile device policy
Control: A policy and supporting security measures shall be adopted to manage the risks introduced by using mobile devices.
Compliancy statement: The supporting security measures provided by Deep Discovery Inspector can assist in meeting this requirement through the Mobile App Reputation Service (MARS), which collects data about detected threats in mobile devices. Mobile App Reputation Service is a sandbox environment that analyzes mobile app runtime behavior to detect privacy leaks, repacked mobile apps, third-party advertisement SDKs, vulnerabilities, and app categories.

7.2 Human Resource Security / During Employment
Objective: To ensure that employees and contractors are aware of and fulfil their information security responsibilities.

7.2.2 Human Resource Security / During Employment / Information security awareness, education and training
Control: All employees of the organization and, where relevant, contractors shall receive appropriate awareness education and training and regular updates in organizational policies and procedures, as relevant for their job function.
Compliancy statement: With the purchase of Trend Micro products, Trend Micro provides relevant product training which supports this control requirement. Such online and in-class training addresses how the products can be used in effective cyber security incident response and handling in accordance with related job functions.

9.2 Access Control / User Access Management
Objective: To ensure authorized user access and to prevent unauthorized access to systems and services.

9.2.3 Access Control / User Access Management / Management of privileged access rights
Control: The allocation and use of privileged access rights shall be restricted and controlled.
Compliancy statement: The allocation and use of privileged access rights is supported by Deep Discovery Inspector and Deep Security through the use of Role Based Access Controls, which are audited in terms of defined auditable events. This has been demonstrated in the Common Criteria process: Deep Discovery Inspector v3.1 has been EAL2 certified by the Common Criteria Evaluation and Certification Scheme, and Deep Security v9.5 is currently being evaluated to EAL2. The SecureCloud solution satisfies this requirement by using Role Based Access Controls and integration with Active Directory to provide the access control and account management.

9.4 Access Control / System and Application Access Control Objective: To prevent unauthorized access to systems and applications. 9.4.1 Access Control / System and Application Access Control / Information access restriction Access to information and application system functions shall be restricted in accordance with the access control policy. 9.4.2 Access Control / System and Application Access Control / Secure log-on procedures Where required by the access control policy, access to systems and applications shall be controlled by a secure log-on procedure. The Common Criteria certifications and evaluations have demonstrated that the functionality of the Trend Micro products support this ISO 15408 enterprise-level user access control requirement to the AL2 level. Deep Discovery Inspector, SecureCloud, and Deep Security solutions specifically support compliance with this requirement through the use of Role Based Access Controls and integration with Active Directory to provide controlled access to system resources. Deep Discovery Inspector, and Deep Security make use of a secure log-on process, which has been demonstrated in the Common Criteria (ISO 15408) AL2 level process. Deep Discovery Inspector v3.1 has been AL2 certified by the Common Criteria valuation and Certification Scheme; Deep Security v9.5 is currently being evaluated to AL2. SecureCloud makes use of a secure log-on process. 10.1 Cryptography / Cryptographic Controls Objective: To ensure proper and effective use of cryptography to protect the confidentiality, authenticity and/or integrity of information. 10.1.1 Cryptography / Cryptographic Controls / olicy on the use of cryptographic controls A policy on the use of cryptographic controls for protection of information shall be developed and implemented. 10.1.2 Cryptography / Cryptographic Controls / Key management A policy on the use, protection and lifetime of cryptographic keys shall be developed and implemented through their whole lifecycle. 
In accordance with the Implementation Guidelines provided for this control the policy must address the cryptographic standards to be adopted and approach to key management. The SecureCloud data at rest cryptographic solution makes use of: NIST FIS 140-2 validated crypto module to produce, control and distribute cryptographic keys for key management technology and processes; and Key Management Interoperability rotocol (KMI) standard, which establishes a single, protocol for the communication between key management systems, providing a compatible key management process between systems. In accordance with the Implementation Guidelines provided for this control the policy must address the cryptographic algorithms to be adopted and key management standards. The SecureCloud data at rest cryptographic solution makes use of: NIST FIS 140-2 validated crypto module to produce, control and distribute cryptographic keys for key management technology and processes; All cryptographic operations are compliant with FIS 140-2 Level 1 & 2 based on installed OS (cryptographic module), FIS 197 (AS), FIS 46-3 (3DS), FIS 180-2 (SHS), FIS 198 (HMAC) and ANSI X9.31 (RNG) and that the keys for those operations are managed accordingly; and The Key Management Interoperability rotocol (KMI) standard, which establishes a single, protocol for the communication between key management systems, providing a compatible key management process between systems. 12.1 Operations Security / Operational rocedures and Responsibilities Objective: To ensure correct and secure operations of information processing facilities. 12.1.2 Operations Security / Operational rocedures and Responsibilities / Change management Changes to the organization, business processes, information processing facilities and systems that affect information security shall be controlled. 
12.1.4 Operations Security / Operational rocedures and Responsibilities / Separation of development, testing and operational environments Development, testing, and operational environments shall be separated to reduce the risks of unauthorized access or changes to the operational environment. The detailed Implementation Guidance for this control, states that "provision of an emergency change process to enable quick and controlled implementation of changes needed to resolve an incident". Deep Security Integrity Monitoring through continuous monitoring detects and reports malicious and unexpected changes to critical files and systems registry in real time. It provides administrators with the ability to track both authorized and unauthorized changes made to physical, virtual and cloud environments. The ability to detect unauthorized changes is a critical component in a cloud security strategy as it provides the visibility into changes that could indicate the compromise of a virtual machine instance. Integrity Monitoring module allows organizations to monitor specific areas on a computer for changes. Deep Security has the ability to monitor installed software, running services, processes, files, directories, listening ports, registry keys, and registry values. It functions by performing a baseline scan of the areas on the computer specified in the assigned rules and then periodically rescanning those areas to look for changes. The Deep Security Manager ships with predefined Integrity Monitoring Rules and new Integrity Monitoring Rules are provided in Security Updates. The firewall component of Deep Security can provide the separation of development, testing, and operational "zones" in a virtualized, physical and cloud environment. The Deep Security firewall creates and controls access to different "zones" within an organizations environment. 
The centralized management of server firewall policy, using a bidirectional stateful firewall, supports zoning and prevents attacks. It provides broad coverage for all IP-based protocols and frame types as well as fine-grained filtering for ports and IP and MAC addresses. The SecureCloud solution can provide cryptographic separation between different environments.
Document TMIC-004-ISO Version 1.0, February 2015 6

12.2 Operations Security / Protection from Malware
Objective: To ensure that information and information processing facilities are protected against malware.

12.2.1 Operations Security / Protection from Malware / Controls against malware
Detection, prevention and recovery controls to protect against malware shall be implemented, combined with appropriate user awareness.

12.4 Operations Security / Logging and Monitoring
Objective: To record events and generate evidence.

12.4.1 Operations Security / Logging and Monitoring / Event logging
Event logs recording user activities, exceptions, faults and information security events shall be produced, kept and regularly reviewed.

The Deep Discovery Inspector Virtual Analyzer is a secure virtual environment used to manage and analyze samples submitted by Trend Micro endpoint products. Sandbox images allow observation of file and network behavior in a protected setting without any risk of compromising the network. Virtual Analyzer performs static analysis and behavior simulation to identify potentially malicious characteristics. During analysis, Virtual Analyzer rates the characteristics in context and then assigns a risk level to the sample based on the accumulated ratings. Virtual Analyzer includes the following features: threat execution and evaluation summary; in-depth tracking of malware actions and system impact; network connections initiated; system file/registry modification; system injection behavior detection; identification of malicious destinations and command-and-control (C&C) servers; exportable forensic reports and PCAP files; and generation of complete malware intelligence for immediate local protection. The Deep Security Anti-Malware module provides both real-time and on-demand protection against file-based threats, including threats commonly referred to as malware, viruses, Trojans, and spyware.
To identify threats, Anti-Malware checks files against a comprehensive threat database, portions of which are hosted on servers or kept locally as updatable patterns. Anti-Malware also checks files for certain characteristics, such as compression and known exploit code. To address threats, Anti-Malware selectively performs actions that contain and remove the threats while minimizing system impact. Anti-Malware can clean, delete, or quarantine malicious files. It can also terminate processes and delete other system objects that are associated with identified threats. Deep Security Log Inspection provides visibility into important security events buried in log files and optimizes the identification of important security events buried in multiple log entries across the data center. It forwards suspicious events to a SIEM system or centralized logging server for correlation, reporting and archiving. The Log Inspection Engine is integrated into Deep Security and gives an organization the ability to inspect the logs and events generated by the operating systems and applications running on the computers. Log Inspection Rules can be assigned directly to computers or can be made part of a Security Profile. Like Integrity Monitoring Events, Log Inspection events can be configured to generate alerts in the Deep Security Manager. Deep Discovery Inspector can be integrated with the Retro Scan service, a cloud-based service that scans historical web access logs for callback attempts to C&C servers and other related activities in a network. Web access logs may contain undetected and unblocked connections to C&C servers that have only recently been discovered.

12.6 Operations Security / Technical Vulnerability Management
Objective: To prevent exploitation of technical vulnerabilities.

12.6.1 Operations Security / Technical Vulnerability Management / Management of technical vulnerabilities
Information about technical vulnerabilities of information systems being used shall be obtained in a timely fashion, the organization's exposure to such vulnerabilities evaluated and appropriate measures taken to address the associated risk.

The Deep Discovery Inspector Virtual Analyzer performs static analysis and behavior simulation to identify potentially malicious characteristics. During analysis, Virtual Analyzer rates the characteristics in context and then assigns a risk level to the sample based on the accumulated ratings. Deep Security Intrusion Prevention helps achieve timely protection against known and zero-day attacks. It uses vulnerability rules to shield a known vulnerability (for example those listed in the Common Vulnerabilities and Exposures (CVE) database and those disclosed monthly by Microsoft) from an unlimited number of exploits. It offers out-of-the-box vulnerability protection for over 100 applications, including database, web, email and FTP servers. Rules that shield newly discovered vulnerabilities are delivered automatically within hours and can be pushed out to thousands of servers in minutes, without a system reboot. Intrusion Prevention can also be used for the following functions: virtual patching, where Intrusion Prevention rules drop traffic designed to leverage unpatched vulnerabilities in certain applications or the operating system itself, protecting the host while the relevant patches are awaited; protocol hygiene, which detects and blocks traffic with malicious instructions; and application control, which can be used to block traffic associated with specific applications such as Skype or file-sharing utilities.
The Trend Micro Smart Protection Network uses a global network of threat intelligence sensors to continually update email, web, and file reputation databases in the cloud, identifying and blocking threats in real time before they reach the organization. To respond to the continuous emergence of new threats, which are created at a rate of 1.5 every second, older methods required virus signature files that then had to be delivered to the on-premises equipment. This caused network load, memory usage, and system load to increase gradually every day. The Trend Micro Smart Protection Network works by storing the information required for security countermeasures in a cloud database rather than on individual computers, and Trend Micro then carries out updates and management via the cloud. The work and system load produced by delivering virus signature files is therefore eliminated over the long term, while at the same time stronger security countermeasures are provided.

12.7 Operations Security / Information Systems Audit Considerations
Objective: To minimize the impact of audit activities on operational systems.

12.7.1 Operations Security / Information Systems Audit Considerations / Information systems audit controls
Audit requirements and activities involving verification of operational systems shall be carefully planned and agreed to minimize disruptions to business processes.

13.1 Communications Security / Network Security Management
Objective: To ensure the protection of information in networks and its supporting information processing facilities.

13.1.1 Communications Security / Network Security Management / Network controls
Networks shall be managed and controlled to protect information in systems and applications.

Deep Discovery Inspector, Deep Security and SecureCloud provide audit records of all security-related events.
The strength and functionality of the audit mechanisms of Deep Discovery Inspector and Deep Security, which have minimum impact during normal or test usage, has been demonstrated by the Common Criteria (ISO 15408) EAL 2 validation/evaluation and documented in the Deep Discovery Inspector and Deep Security Security Targets. Deep Discovery Inspector provides protection of an organization's systems, networks and applications through detection of breaches, including Advanced Persistent Threats. This is achieved through the Advanced Threat Scan Engine, the Virtual Analyzer, and the Network Content Inspection and Correlation Engines of Deep Discovery Inspector. When integrated with the Trend Micro Threat Management Services there is also the capability to create reports, which enable product users to respond to threats in a timely manner and receive up-to-date information about the latest and emerging threats. Deep Security provides server security for physical, virtual, and cloud servers. It protects enterprise applications and data from breaches and business disruptions without requiring emergency patching. This centrally managed platform helps an organization manage and control security operations while enabling regulatory compliance. The following modules provide server, application, and data security across physical, virtual, and cloud servers, as well as virtual desktops: Anti-Malware; Web Reputation; Integrity Monitoring; Intrusion Prevention; Firewall; and Log Inspection. The SecureCloud Hosted Service protects critical data stored on cloud devices by using full-disk encryption. SecureCloud controls access to confidential information stored on disk drives by encrypting them, so that data remains private and meets compliance regulations. The following types of disk drives are protected: boot devices for cloud environments; data and ephemeral storage devices; and RAID devices.

13.1.3 Communications Security / Network Security Management / Segregation in networks
Groups of information services, users and information systems shall be segregated on networks.

The Deep Security firewall component provides segregation of networks using centralized management of firewall policy through a bidirectional stateful firewall. The Deep Security firewall supports virtual machine zoning and prevents network attacks. It provides coverage for all IP-based protocols and frame types as well as fine-grained filtering for ports and IP and MAC addresses. SecureCloud provides segregation of information systems through the use of cryptography. Each system or domain can be assigned a unique encryption key for data stored within that system or domain.

13.2 Communications Security / Information Transfer
Objective: To maintain the security of information transferred within an organization and with any external entity.

13.2.1 Communications Security / Information Transfer / Information transfer policies and procedures
Formal transfer policies, procedures and controls shall be in place to protect the transfer of information through the use of all types of communication facilities.

The Deep Discovery Inspector, Deep Security, and SecureCloud products make use of the SSL protocol to provide self-protection of the product, management and control data when communication is established between the different components of the products over the network. In addition, SSH is used to protect data in transit when command line control is required to access the product. The Implementation Guidance for this control specifically mentions that "procedures for the detection of and protection against malware that may be transmitted through the use of electronic communications" should be considered.
Both Deep Security and Deep Discovery Inspector provide, at the enterprise systems level, security features such as anti-virus, deep packet inspection, virtual analysis of suspect software, and anti-malware modules that provide both real-time and on-demand protection against file-based threats, including threats commonly referred to as malware. SecureCloud cryptographically protects data at rest on storage media. In virtualized environments, where VM images and their associated data are transmitted or moved using mechanisms such as vMotion, this cryptographic protection of the virtual machine data also applies during the movement of the VM image: SecureCloud can keep the image data encrypted during the transmission of the image. Deep Discovery Inspector, Deep Security, and SecureCloud provide security features at the enterprise systems level which an organization can use to control its data, in terms of confidentiality and detection of malware, in a Cloud Service Provider's environment (communication facility).

14.1 System Acquisition, Development and Maintenance / Security Requirements of Information Systems
Objective: To ensure that information security is an integral part of information systems across the entire lifecycle. This also includes the requirements for information systems which provide services over public networks.

14.1.2 System Acquisition, Development and Maintenance / Security Requirements of Information Systems / Securing application services on public networks
Information involved in application services passing over public networks shall be protected from fraudulent activity, contract dispute and unauthorized disclosure and modification.
14.1.3 System Acquisition, Development and Maintenance / Security Requirements of Information Systems / Protecting application services transactions
Information involved in application service transactions shall be protected to prevent incomplete transmission, mis-routing, unauthorized message alteration, unauthorized disclosure, unauthorized message duplication or replay.

Deep Discovery Inspector, Deep Security, and SecureCloud all make use of the SSL protocol to provide self-protection of the product and the organization's data when communication is established between the different components of the product over the network. In addition, SSH is used to protect data in transit when command line control is required to access the product(s). Connections to other Trend Micro services such as the Smart Protection Network, Threat Management Services, and Control Manager are protected by SSL communication links.

14.2 System Acquisition, Development and Maintenance / Security in Development and Support Processes
Objective: To ensure that information security is designed and implemented within the development lifecycle of information systems.

14.2.2 System Acquisition, Development and Maintenance / Security in Development and Support Processes / System change control procedures
Changes to systems within the development lifecycle shall be controlled by the use of formal change control procedures.

14.2.6 System Acquisition, Development and Maintenance / Security in Development and Support Processes / Secure development environment
Organizations shall establish and appropriately protect secure development environments for system development and integration efforts that cover the entire system development lifecycle.

14.2.8 System Acquisition, Development and Maintenance / Security in Development and Support Processes / System security testing
Testing of security functionality should be carried out during development.

Deep Security and Deep Discovery Inspector are products which have been validated, or are under evaluation, by the Common Criteria (ISO 15408) Scheme to the EAL2 level. This level of assurance demonstrates, through active investigation, how changes to the security mechanisms are formally controlled through the Development, Life Cycle Support, Tests, and Vulnerability assurance classes. At an enterprise level, Deep Security can provide an indication of changes made to a system through the Integrity Monitoring function. Integrity Monitoring allows an organization to monitor specific areas on a computer for changes. Deep Security has the ability to monitor installed software, running services, processes, files, directories, listening ports, registry keys, and registry values. It functions by performing a baseline scan of the areas on the computer specified in the assigned rules and then periodically rescanning those areas to look for changes.
At the enterprise level, Deep Security can be used to enforce secure zones for development, test, and production environments across the entire systems development lifecycle through a combination of firewall and security policy rules which can follow virtual machines that are moved into different environments. SecureCloud can, through the use of encryption, protect data in the different environments and provide the cryptographic safeguards that permit testing using actual organizational or customer data. Trend Micro provides a secure product development environment in terms of personnel, processes and technology by implementing a secure development environment for specific system development efforts, taking into consideration: the sensitivity of data to be processed, stored and transmitted by the system; applicable external and internal requirements, e.g. from regulations or policies; security controls already implemented by the organization that support system development; the trustworthiness of personnel working in the environment; the degree of outsourcing associated with system development; the need for segregation between different development environments; control of access to the development environment; monitoring of changes to the environment and the code stored therein; backups stored at secure offsite locations; and control over movement of data from and to the environment. The development environment also makes use of Configuration Management (CM) tools. The CM tools used within the development environment reduce the likelihood that accidental or unauthorized modifications of the products will occur. The CM system ensures the integrity of the products from the early design stages through all subsequent maintenance efforts. Deep Discovery Inspector is validated, and Deep Security is currently under evaluation, against the Configuration Management security assurance requirements of Common Criteria (ISO 15408) EAL2 certification.
The products (Deep Discovery Inspector v3.1 has been EAL2 certified by the Common Criteria Evaluation and Certification Scheme; Deep Security v9.5 is currently being evaluated to EAL2) have demonstrated testing of security functionality to third-party testing authorities.

15.1 Supplier Relationships / Security Requirements of Information Systems
Objective: To ensure protection of the organization's assets that are accessible by suppliers.

15.1.3 Supplier Relationships / Security Requirements of Information Systems / Information and communication technology supply chain
Agreements with suppliers shall include requirements to address the information security risks associated with information and communications technology services and the product supply chain.

The products (Deep Discovery Inspector v3.1 has been EAL2 certified by the Common Criteria Evaluation and Certification Scheme; Deep Security v9.5 is currently being evaluated to EAL2) have demonstrated a secure delivery method within the supply chain.

15.2 Supplier Relationships / Supplier Service Delivery Management
Objective: To maintain an agreed level of information security and service delivery in line with supplier agreements.

15.2.2 Supplier Relationships / Supplier Service Delivery Management / Managing changes to supplier services
Changes to the provision of services by suppliers, including maintaining and improving existing information security policies, procedures and controls, shall be managed, taking account of the criticality of business information, systems and processes involved and re-assessment of risks.

Deep Discovery Inspector v3.1 has been EAL2 certified by the Common Criteria Evaluation and Certification Scheme, and Deep Security v9.5 is currently being evaluated to EAL2; both have demonstrated how the life cycle support and delivery procedures that are necessary to maintain security when distributing versions of the product to the consumer organization are formally controlled.

16.1 Information Security Incident Management / Management of Information Security Incidents and Improvements
Objective: To ensure a consistent and effective approach to the management of information security incidents, including communication on security events and weaknesses.

16.1.2 Information Security Incident Management / Management of Information Security Incidents and Improvements / Reporting information security events
Information security events shall be reported through appropriate management channels as quickly as possible.

16.1.4 Information Security Incident Management / Management of Information Security Incidents and Improvements / Assessment of and decision on information security events
Information security events shall be assessed and it shall be decided if they are to be classified as information security incidents.
16.1.5 Information Security Incident Management / Management of Information Security Incidents and Improvements / Response to information security incidents
Information security incidents shall be responded to in accordance with the documented procedures.

The Implementation Guidelines for this control apply where a "breach of information integrity, confidentiality or availability expectations" has occurred. Deep Discovery Inspector provides breach detection and, when integrated with the Threat Management Services Portal (TMSP), builds intelligence about an organization's network by providing reports at the executive or administrative level. Administrative-level reports keep IT security personnel informed about the latest threats and provide action items that help defend the network from these threats. Executive-level reports inform key security stakeholders and decision makers about the network's overall security posture, allowing them to fine-tune security policies and strategies to address the latest threats. Deep Security, through the Intrusion Prevention module, protects computers from attacks against known and zero-day vulnerabilities as well as from SQL injection attacks, cross-site scripting attacks, and other web application vulnerabilities. It shields vulnerabilities until code fixes can be completed. It identifies malicious software accessing the network and increases visibility into, or control over, applications accessing the network. Intrusion Prevention prevents attacks by detecting malicious instructions in network traffic and dropping the relevant packets. Log Inspection provides visibility into important security events buried in log files. It optimizes the identification of important security events in multiple log entries across the data center, and reports and forwards suspicious events to a SIEM system or centralized logging server for correlation, reporting and archiving.
Deep Discovery Inspector contains a list of hosts experiencing an event (threat behavior with potential security risks, known threats, or malware) for a past 1-hour, 24-hour, 7-day, or 30-day time period. Deep Discovery Inspector tags these events as security risks/threats and makes a copy of the files for assessment. Deep Discovery Inspector also maintains logs about security incidents and events and generates reports to assist administrators in determining the types of incidents, such as APTs and other IOCs, affecting the network. Deep Security, through the Smart Scan capability, references threat signatures that are stored on Trend Micro servers. When Smart Scan is enabled, Deep Security scans and assesses the security risks locally. Web addresses that are known to be or are suspected of being malicious are assigned a risk level, and the Log Inspection engine assesses tags generated within the log files being inspected. Deep Discovery Inspector and Deep Security provide functionality to help satisfy the needs of the 16.1.5 detailed Implementation Guidance: a) collect evidence as soon as possible after the occurrence; b) conduct information security forensics analysis; c) escalate as required; d) ensure that all involved response activities are properly logged for later analysis; e) communicate the existence of the information security incident or any relevant details thereof to other internal and external people or organizations with a need-to-know; f) deal with the information security weakness(es) found to cause or contribute to the incident; and g) once the incident has been successfully dealt with, formally close and record it. Post-incident analysis should take place, as necessary, to identify the source of the incident.

16.1.6 Information Security Incident Management / Management of Information Security Incidents and Improvements / Learning from information security incidents
Knowledge gained from analyzing and resolving information security incidents shall be used to reduce the likelihood or impact of future incidents.

16.1.7 Information Security Incident Management / Management of Information Security Incidents and Improvements / Collection of evidence
The organization shall define and apply procedures for the identification, collection, acquisition and preservation of information which can serve as evidence.

Deep Discovery Inspector, when integrated with the Threat Management Services, provides organizations with an effective way to discover and mitigate APTs and IOCs, and to manage stealthy and zero-day internal threats. Threat Management Services brings together security experts and a host of solutions to provide ongoing security services. These services ensure timely and efficient responses to threats, identify security gaps that leave the network vulnerable to threats, help minimize data loss, significantly reduce damage containment costs, and simplify the maintenance of network security. Threat Management Services combines years of Trend Micro network security intelligence and in-the-cloud servers that are part of the Trend Micro Smart Protection Network to identify and respond to next-generation threats. Deep Discovery Inspector can support this requirement through the Virtual Analyzer, which is a secure virtual environment used to analyze files and network traffic. Virtual Analyzer performs static analysis and behavior simulation to identify potentially malicious characteristics. During analysis, Virtual Analyzer rates the characteristics in context and then assigns a risk level to the sample based on the accumulated ratings.
Virtual Analyzer includes the following features: threat execution and evaluation summary; in-depth tracking of malware actions and system impact; network connections initiated; system file/registry modification; system injection behavior detection; identification of malicious destinations and command-and-control (C&C) servers; exportable forensic reports and PCAP files; and generation of complete malware intelligence for immediate local protection. The Deep Security product can also generate pcap files for evidence purposes.

18.1 Compliance / Compliance with Legal and Contractual Requirements
Objective: To avoid breaches of legal, statutory, regulatory or contractual obligations related to information security and of any security requirements.

18.1.3 Compliance / Compliance with Legal and Contractual Requirements / Protection of records
Records shall be protected from loss, destruction, falsification, unauthorized access and unauthorized release, in accordance with legislatory, regulatory, contractual and business requirements.

18.1.5 Compliance / Compliance with Legal and Contractual Requirements / Regulation of cryptographic controls
Cryptographic controls shall be used in compliance with all relevant agreements, legislation and regulations.

Deep Security Integrity Monitoring can be used to detect loss of, and modification to, organizational records. Additional Integrity Monitoring and Logging functionality can be achieved through the use of the Deep Security Agent installed on a specific VM. Integrity Monitoring includes: Security Profiles, which allow Integrity Monitoring rules to be configured for groups of systems or for individual systems. For example, all Windows 2003 servers use the same operating system rules, which are configured in a single Security Profile that is used by several servers; however, each server has unique requirements, which are addressed at the individual Host configuration level.
Flexible, practical monitoring optimizes monitoring activities: the rule creation and modification interface includes the ability to include or exclude files using wildcard filenames, control over inspection of subdirectories, and other features. SecureCloud FIPS 140-2 validated encryption services provide the cryptographic safeguards to prevent the unauthorized access and release of organizational records. SecureCloud uses encrypted drives, which are encrypted at the drive level (Full Disk Encryption) using the FIPS 140-2 Level 2 Certified, Validation Number 1123, Cryptographic Libraries.
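The integrity-monitoring mechanism this document describes (a rule naming the areas to watch, wildcard include/exclude filters, control over subdirectories, a baseline scan followed by periodic rescans that report changes) is shown below as an added Python example; it is not Trend Micro code, and the rule class, function names, directory tree and file contents are all constructed for the demonstration.

```python
"""Minimal rule-based file-integrity monitor (added example, not Trend Micro code).

A rule names the base directory to watch, wildcard include/exclude patterns and
whether subdirectories are inspected.  A baseline scan records a SHA-256 per
covered file; a later rescan is diffed against it to report created, modified
and deleted files.  All names here are this example's own.
"""
import fnmatch
import hashlib
import os
import tempfile
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class IntegrityRule:
    """What to monitor: base directory, wildcard filters, subdirectory handling."""
    base_dir: str
    include: List[str] = field(default_factory=lambda: ["*"])
    exclude: List[str] = field(default_factory=list)
    recurse: bool = True


def matches(rel_path: str, patterns: List[str]) -> bool:
    """True if any wildcard pattern matches the relative path or the bare filename."""
    name = rel_path.rsplit("/", 1)[-1]
    return any(fnmatch.fnmatch(rel_path, p) or fnmatch.fnmatch(name, p)
               for p in patterns)


def sha256_file(path: str) -> str:
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def scan(rule: IntegrityRule) -> Dict[str, str]:
    """Baseline or rescan: map relative path -> SHA-256 for every file the rule covers."""
    snapshot: Dict[str, str] = {}
    for root, dirs, files in os.walk(rule.base_dir):
        if not rule.recurse:
            dirs[:] = []                      # stop os.walk from descending
        for fname in files:
            full = os.path.join(root, fname)
            rel = os.path.relpath(full, rule.base_dir).replace(os.sep, "/")
            if matches(rel, rule.include) and not matches(rel, rule.exclude):
                snapshot[rel] = sha256_file(full)
    return snapshot


def diff(baseline: Dict[str, str], current: Dict[str, str]) -> Dict[str, List[str]]:
    """Compare two snapshots; lists are sorted so the report is deterministic."""
    common = baseline.keys() & current.keys()
    return {
        "created": sorted(current.keys() - baseline.keys()),
        "modified": sorted(p for p in common if baseline[p] != current[p]),
        "deleted": sorted(baseline.keys() - current.keys()),
    }


def write_file(path: str, text: str) -> None:
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as fh:
        fh.write(text)


def demo() -> Tuple[Dict[str, List[str]], List[str]]:
    """Constructed scenario: baseline a small tree, change it, rescan.

    Returns the change report for a recursive rule that excludes logs and temp
    files, plus the file list seen by a non-recursive rule on the same tree.
    """
    with tempfile.TemporaryDirectory() as top:
        write_file(f"{top}/README", "constructed sample tree\n")
        write_file(f"{top}/conf/app.conf", "port=443\n")
        write_file(f"{top}/conf/cache.tmp", "scratch\n")
        write_file(f"{top}/conf/sub/keys.pem", "---constructed---\n")
        write_file(f"{top}/bin/service", "#!/bin/sh\n")
        write_file(f"{top}/logs/app.log", "line 1\n")

        rule = IntegrityRule(top, include=["*"], exclude=["*.tmp", "logs/*"])
        baseline = scan(rule)

        # Changes after the baseline: one edit, one new file, one removal, and
        # noise in an excluded path that must not be reported.
        write_file(f"{top}/conf/app.conf", "port=8443\n")
        write_file(f"{top}/conf/sub/new.conf", "added\n")
        os.remove(f"{top}/bin/service")
        write_file(f"{top}/logs/app.log", "line 1\nline 2\n")

        report = diff(baseline, scan(rule))
        top_only = sorted(scan(IntegrityRule(top, recurse=False)))
        return report, top_only


if __name__ == "__main__":
    changes, top_level = demo()
    print(changes)    # {'created': ['conf/sub/new.conf'], 'modified': ['conf/app.conf'], 'deleted': ['bin/service']}
    print(top_level)  # ['README']
```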