Securing Business Transformation:
Automated Security for the Real-time Enterprise
Hans-Achim Muscate, Principal Solution Architect
Trend Micro™ - Hybrid Cloud Security powered by Xgen™
Copyright 2017 Trend Micro Inc.
With today’s speed of business, companies are re-evaluating how they run their operations…
Organizations are taking advantage of changes in computing technology…
Enterprises run 32% of workloads in public cloud and 43% in private cloud
85% of enterprises have a multi-cloud strategy, up from 82% in 2016
95% of organizations are running applications or experimenting with infrastructure-as-a-service
Source: RightScale 2017 State of the Cloud Report
Technology leaders and architects see value beyond the data center
Infrastructure Transformation…
Public Cloud, Virtual Servers, Virtual Desktops, Physical Servers, Containers, Serverless
Time to deploy: Physical (weeks), Virtual (days), Cloud (minutes), Containers (seconds), Serverless (immediate)
Deep Security
Protecting the server compute evolution
Teams: SecOps to DevSecOps
Applications: Changing more frequently, shorter lifespan
Threat Sophistication: Known Threats to Unknown, Targeted Threats
Licensing & Procurement: Static to Consumption-based, cross-environment
Protecting the Compute Evolution
Deep Security vs. Point Solutions over the Evolving Server Threat Landscape
Firewall, Intrusion Prevention, Application Control, Sandbox Analysis, Web Reputation, Log Inspection, Anti-Malware, System Integrity, Virtualization Optimized, Machine Learning
Threat Sophistication
“History has clearly shown that no single approach will be successful for thwarting all types of malware attacks.
Organizations and solution providers have to use an adaptive and strategic approach to malware protection.”
- Gartner EPP MQ 2016 quote
Managing costs with effective solutions that support change & current infrastructure
Supporting change in the business at the speed demanded – while staying secure
Keeping the lights on…transformation is not instantaneous nor homogeneous
A host-based security solution is able to respond to changing hybrid requirements as needed
Cloud Security is Different than Traditional Security
Anti-Malware & Web Reputation
Intrusion Prevention (IPS) & Firewall
Integrity Monitoring & Log Inspection
Application Control
Safe files & actions allowed
Malicious files & actions blocked
Legend: Known Good, Known Bad, Unknown
Machine Learning
Behavioral Analysis
Custom Sandbox Analysis
Trend Micro™ Deep Security™
Cross-generational Blend of Threat Defense Techniques
Perimeter defenses don’t translate to the cloud
Limited bandwidth of virtual appliances (<1Gbps)
Lack of context of the guests
Unlimited bandwidth
No single point of failure
Host-based controls have context so they can apply more focused security for operating systems and applications
Host-based controls best for the cloud
Deep Security
Securing business transformation
A single security management console with complete visibility across physical, virtual, cloud and container deployments
Deep Security
DevOps API
Chef, OpsWorks, Puppet, Ansible, Powershell, Kubernetes
SecOps API, Web
Optimized event stream for deeper integrations
Security built in “By Design”
Hybrid Cloud Security Solution
Network Security: Stop network attacks, shield vulnerable applications & servers (Firewall, Vulnerability Scanning, Intrusion Prevention)
Malware Prevention: Stop malware & targeted attacks (Anti-Malware, Sandbox Analysis, Behavioral Analysis & Machine Learning)
System Security: Lock down systems & detect suspicious activity (Application Control, Integrity Monitoring, Log Inspection)
Ongoing continuous holistic protection
AUTOMATED FUNCTIONALITY
Visibility: Connectors across virtual, cloud and containers for a clear line of sight from one console
Context: Rich data on workload, event-based tasks to profile new systems
Risk assessment: Recommendation scan for high risk vulnerabilities
Protect: Eight layers of security and threat protection capabilities
Maintain: Automated virtual patching, and App Control
APIs
Virtual Patching: Preemptive Protection for “Undisclosed” Vulnerabilities
CUSTOMERS PROTECTED AHEAD OF PATCH
CUSTOMERS AT RISK
Other Network Security Vendors
92 DAYS: Average days of zero-day filter coverage from date of DV filter shipped to ZDI public disclosure
51% of all published vulnerabilities in 2016
Deep Security - Protection for the Data Center and Cloud
• Secure physical, virtual and cloud environments
• Most advanced integration with VMware including hybrid cloud deployments
• Single solution with comprehensive set of security capabilities
• Automated provisioning and management
• Future proof your environment for public cloud
• Improve time to compliance
Level 1 Service Provider
The MARKET LEADER in server security for 7 straight years
[Chart labels: Symantec, Intel, Other, 30%]
Source: IDC, Securing the Server Compute Evolution: Hybrid Cloud Has Transformed the Datacenter, January 2017 #US41867116
Dedicated starting points and resources
trendmicro.com/azure
trendmicro.com/vmware
trendmicro.com/aws
Part of a broad, connected security solution set
VISIBILITY AND CONTROL
Hybrid Cloud Security Powered by Xgen™
www.trendmicro.com/hybridcloud

CWIN17 Toulouse / Automated security for the real time enterprise-trend micro-h.a muscate


Editor's Notes

  • #4: With today’s speed of business, companies are re-evaluating how they run their operations, provide products and services to their customers, and grow brand recognition. Operations teams often have to do more with less, and in some cases are forced to take shortcuts to meet business demands. Workload, network and cloud virtualization introduced a quantum leap in our operational capabilities.
  • #5: Organizations are taking advantage of changes in computing technology to position themselves for a more agile future.
  • #6: Technology leaders and architects see value beyond the data center with new public cloud models and are keen on adopting hybrid infrastructure approaches to their compute environments.
  • #7: The speed of change in the data center with virtualization was unprecedented. The promise that virtualization would only lower costs and drive consolidation didn’t end up that way… virtualization has changed the mentality of the IT organization to a point where there are now more servers than ever, all in support of new business initiatives. Because of this unimaginable environment, the idea of simply using legacy security in the data center and cloud doesn’t work. 75% of server workloads are virtualized (Gartner); 87% using public cloud.
  • #8: Teams: SecOps to DevSecOps
      • We see a shift in skills where teams are evolving from high-security-skilled SecOps teams to smaller DevSecOps teams.
      • SecOps = Highly skilled in security, but with skill gaps in cloud, CI/CD pipelines and microservices. Primarily focused on protection and compliance.
      • DevSecOps = Highly skilled in CI/CD pipelines, release automation and Ops automation. Lower skill in security, where the primary drivers are completely automating security, typically through APIs.
      • CISOs have a tough time getting more budget for headcount and are forced to be more resourceful. When they do get budget, they have a hard time finding the skillsets.
      • More teams are asked to protect more workloads without growing the team, forcing them to change the way they work.
      • Seeing trends from security teams to Ops teams with security expertise.
      • Sensitive to helping security professionals ‘get in front’ of Cloud Ops through best practices, leveling up their skillsets.
      • The next-gen set of security professionals expect the product to work, and when they get stuck, they can google their question and figure it out from there. No more massive admin guides, complicated installation procedures or layers of support. Customers now expect help immediately.
    Applications: Changing more frequently, shorter lifespan
      • Legacy applications change in years, virtualized applications change in months, cloud applications in weeks/days, microservices in days/hours, serverless in minutes/seconds.
      • Ops models are changing: from static, “locked” servers in the data center, to cloud workloads swapped out daily (as a security policy), to immutable architectures for container environments.
      • Many vendors focus on protecting some subset of this. We focus on protecting all of it.
      • As application change velocity increases, security should not get in the way; it should be invisible.
      • Customers need a solution that embraces frequent and rapid change, from Windows patches on live production servers all the way to microservices updates in Docker environments coming out of a CI/CD pipeline.
      • Deep Security understands the security needs from legacy applications to ephemeral microservices, all in one solution.
    Threat Sophistication
      • Threats are becoming more unknown and more targeted, causing a move from signature-based controls to security controls such as application control, whitelisting, sandbox analysis, behavior analysis, and machine learning.
      • Having a breadth of security controls protecting a set of multi-generational applications across data center and cloud in one solution is a robust protection strategy.
    Licensing and Procurement: Static to consumption-based, cross-environment
      • There’s been a significant shift in enterprise buying behavior with the cloud.
      • Paying for what you use vs. paying for your ‘worst case’ or ‘peak’.
      • Customers now expect this for security solutions.
      • Trend Micro is leading this charge through Enterprise buying behavior shifting to consumption-pricing, simpler procurement
      • Procurement is changing: static to consumption-based.
      • Procurement teams want fewer vendors, shorter evaluation times, less human friction, and terms that meet their business needs.
      • Customers want to pay for what they protect, not ‘worst case or peak’.
  • #9: There’s a real market force out there:
      • To rationalize to fewer toolsets and simplify operations
      • To do more without growing teams and focus on automation, e.g. 1 person to 1000s of servers to protect
      • To delegate more security responsibility to server admins and product teams
      • Typically coming from the executive team
    When there are only so many security dollars to spend, point solutions (point solutions on a security control or on compute evolution) are at more risk than more comprehensive solutions like Trend Micro Deep Security.
    Examples of ‘point solutions on compute evolution’:
      • Containers: Twistlock and Aqua just do containers, not anything else.
      • Physical and virtualized: McAfee and Symantec have struggled to acquire new customers in cloud, and lack product attributes that embrace the differences of cloud.
    Examples of ‘point solutions of security controls’:
      • Cylance claims that all you need is machine learning, but once customers learn more, they realize it is not a silver bullet that can simply replace all other controls, and it has a high false positive rate.
      • We hear customers wanted to replace Tripwire with our Integrity Monitoring solution to reduce cost, procurement pain and operational complexity.
      • Customers tell us that they would never consider deploying Bit 9 in the cloud for application control.
    We don’t believe in a silver bullet control. We believe in layered defense with multiple controls. <Note the Gartner quote>
  • #10: Businesses are looking to reduce the number of security tools and management interfaces throughout their organization. Security solutions that deliver multiple capabilities managed through a single connected dashboard with full visibility into leading environments like VMware, AWS, Microsoft Azure and Docker are key for a modern threat defense solution allowing skilled resources to focus on business goals. These three points reflect Capgemini’s own beliefs as noted by Mike Turner, Chief Operating Officer (COO) of Capgemini’s Global Cybersecurity Practice as well as Head of Cybersecurity Services in the UK Region. 
  • #11: Trend Micro hybrid cloud security, powered by XGen, puts protection close to your workloads, protecting your servers and applications with a cross-generational blend of threat defense techniques. Using the right technique at the right time gives you the best protection against the broadest range of threats, with the most efficient performance for each environment, whether in physical, virtual, or cloud.
    A good way to illustrate this is using a funnel analogy. All the data arriving at or activity requested of your servers via the network can be classified as:
      • Known good, represented by the white bubbles
      • Known bad, represented by the black bubbles
      • Unknown, where we don’t know if it is good or bad, represented by the grey bubbles
    At the top of the funnel we have a wide range of powerful techniques that bat away all the known bad data and allow through the known good data. These techniques are highly accurate and efficient, with very low false positive rates. They include:
      • Anti-Malware and Web Reputation
      • Intrusion Prevention and Firewall
      • Integrity Monitoring and Log Inspection
      • Application Control, with a new hybrid cloud server-focused approach
    This now leaves sophisticated detection techniques, which are more computationally intensive and can have a higher false positive rate, to focus only on the unknown data, maximizing efficiency and performance. The next technique is machine learning, which looks at static file features to predict maliciousness. This will block some unknown threats, but a few will still make it through to behavioral analysis, which looks for behaviors that are indicators of maliciousness, including actions like the encryption of files with ransomware. The final layer sends unknown suspicious files to a custom sandbox, for specialized analysis in a contained environment. If discovered to be malicious, that information is shared for use across the enterprise, enhancing the protection of servers AND endpoints.
    Every threat protection technique has pros and cons, and there is no single technique that can detect every type of threat, particularly across multiple environments like physical, virtual, and cloud. That’s why XGen security delivers multiple threat protection techniques, to protect you against the broadest range of both known and unknown threats across the hybrid cloud.
  • #12: 1. Limited bandwidth: as the traffic between VMs has to pass back and forth through the next gen firewall, virtually we are doubling our traffic. 2. Lack of context of the guests: the next gen firewall is not able to apply the most appropriate security for each VM. Different VMs have different vulnerabilities.
  • #13: 1. Host-based controls have context so they can apply more focused security for operating systems and applications, whereas perimeter defense has less insight to the rich context of the VM, which inevitably provides one-dimensional security.
  • #14: Deep Security Manager, single solution, single visibility console for host-based security
  • #15: A single Deep Security installation covers multiple environments (including traditional concepts like dev/test/prod). That gives Security the visibility they need through either the API or the web interface. More importantly, the platform offers a high level of flexibility, fitting in to the tool stack you already use. It won’t slow down the DevOps teams. This unifies your security events across your hybrid cloud deployments, allowing deep integrations into your ops and security workflows.
  • #16: 8 layers of security: Anti-Malware, Web Reputation, Firewall, Intrusion Prevention, Integrity Monitoring, Log Inspection, Application Control, Protection for SAP systems (NW-VSI)
  • #17: Visibility
      • First rule of security: You can’t protect what you don’t see.
      • In today’s real-time enterprise, new workloads are generated at the click of a button.
      • The Security Team is often not aware of those actions by the Operations Team.
      • “During an external audit we were told that several systems were not up to the required standards”
      • Operations has to do “more with less”. The labour-intensive task of patching and securing the new machines is often postponed... and forgotten.
      • Automated detection of new systems provides visibility.
    Context
      • Second rule of security: Security is all about “context”.
      • Once the workloads have been detected, they need to be analyzed: Is it a web server or a database server? Is it a development machine or a production VM? Is it Internet-facing or is it an internal computer? Or is this a VM that has just been moved from “Acceptance Testing” to “Production”?
      • And this process needs to be automated, event-based, and in real time.
    Risk Assessment
      • What is the risk we are running with this specific VM in this specific context?
      • Often, newly created VMs are based on a Golden Image or a clone that has not been updated for a while.
      • Before the VM is put in use, we want to know what our exposure is with this VM.
      • We need a solution that automatically scans the VM for remotely exploitable vulnerabilities.
      • Additionally, the VM can be scanned for known malware using the latest Anti-Malware patterns.
    Protect
      • We want to protect our VMs: “Protect against what?”
      • Remember there is no need for the Anti-Malware patterns, nor an agent, to be installed on the VM (the patterns are on the Trend Micro Virtual Appliance and are always up to date, even if the VMs are stopped).
      • 8 layers of security: Anti-Malware, Web Reputation, Firewall, Intrusion Prevention, Integrity Monitoring, Log Inspection, Application Control, Protection for SAP systems (NW-VSI)
    Maintain
      • Integrity Monitoring: Monitor sensitive files and sensitive registry keys for changes.
      • Application Control: “Freezes” the server and blocks new executables and scripts from running.
      • By daily scheduling the Scan for Recommendations with the newest IPS rules, systems can be adequately protected against new zero-days.
      • For the APIs, 80% of integration and automation capabilities are provided by Deep Security out of the box, and for the remaining 20%, APIs provided by Trend Micro can be used.
      • For the DevOps audience this diagram can relate to the framework of Define, Design, Implement, and Manage.
  • #18: Enable the automation and seamless orchestration of security for virtual & cloud deployments, reduce operational complexity, make security easy to scale with the business, and protect the organization’s investments without the risks associated with traditional security offerings. Trend Micro shields unpatched systems (virtual patching), removing the need for expensive emergency patching and helping to align the patching process to business needs and operational realities (not enough time/people). Through virtual patching, Deep Security also shields end-of-support systems (Windows XP, 2000, 2003) and applications from attack, removing the need to purchase expensive extended support contracts. How is Trend Micro able to be ahead of the competition and threat landscape? At Trend Micro, we have dedicated teams of experts watching for both attacks and potential vulnerabilities. In fact, through our Zero Day Initiative, we disclosed 51% of vulnerabilities in 2016… we are on the front lines and our customers benefit from advance knowledge and rapid response to new threats. Why do the 92 days matter? In the event of an exploit, you’re protected. Yes, you still need to patch your systems, but you can do it on YOUR schedule – not at 3am with your hair on fire. You’re in control of your patch management. On the flip side of the coin, you also need to think about the length of the exploit campaign. Typically, exploits have a lifetime during which they experience the same cycle as other products. There is a beeline of malware or exploits during the initial phase. TP customers are sure to be protected against that first phase of exploits, when it’s most likely to affect users.
  • #19: Conclusion: Deep Security is designed and optimized for the cloud. Single platform for your cloud deployments, supporting multiple CSPs with a single security view. This includes leaders like AWS, Azure, & VMware, as well as over 20 other CSPs like Google & IBM through our Trend Ready for Cloud Service Provider program. Support for hybrid deployments, giving a single pane of glass for all environments. Deep integration with leaders like AWS, Azure, and VMware to automatically detect and protect new workloads. Deploy the way you deploy cloud workloads… fully scriptable, with automated script generation and integration with leading orchestration tools. Security at the workload to provide context-aware security that scales the way the cloud scales… with no bottlenecks (as traditional perimeter security has).
  • #20: You know you are getting trusted cyber security with Trend Micro. IDC names Trend Micro the market leader for 7 years in a row.
  • #21: We would like to invite you to visit our Trend Micro web sites dedicated to VMware, AWS, and Azure for all your on-prem and hybrid cloud workload security needs. Trend Micro is easy to work with, and we are here to help make securing your server environments a seamless experience.
  • #22: CONCLUDE THE PRESENTATION STAYING ON THIS SLIDE WHEN THE PRESENTATION HAS ENDED, OR QUESTIONS ARE BEING ASKED, OR PEOPLE ARE LEAVING etc.