Deep Security Container Protection Customer Presentation

Trend Micro provides full lifecycle container security from build to runtime to protect container applications. It offers security fit for DevOps needs like vulnerability protection in container images, secrets detection in pipelines, and runtime threat prevention. Trend Micro's long history in threat research and vulnerability discovery helps it detect advanced threats that evade standard defenses. It also provides automation capabilities to accelerate DevOps while maintaining security.

Uploaded by

saurabhbector

Trend Micro Deep Security

Full Life Cycle Container Protection


Trend Micro
Empowering our customers to prepare for, withstand, and
rapidly recover from threats now and in the future.

Proven Foresight: Demonstrated success with new technologies including market-leading threat research

XGen™ Security: Cross-generational threat defense techniques for the right security at the right time

Passionate People: Committed to our customers every step of the way to make your business secure

“Having a partner like Trend Micro who keeps pace with changes in the threat environment is critical to maintaining the highest level of security.”
CISO, Orion Health

Container Security Challenges

Challenges With Securing Containers

Unsecured pipeline risks: DevOps teams are focused on application output and uptime overlooking IT Security protocols and early warning threat signals

Impact on continuous releases: Security teams are negatively impacted by the limited ways they can protect continuously delivered container applications and allow DevOps to move faster

Vendor and tool proliferation: IT thinks they need a container specific product separate from a unified solution which leads to additional tools and environment complexity

Full Lifecycle, Full Stack Container Security

BUILD SECURE: Security fit for DevOps at the speed of business from the first build

SHIP FAST: Automated security for the CI/CD pipeline and cloud based container applications

RUN ANYWHERE: Cloud neutral, and multi-architecture for modern applications

4 Copyright 2019 Trend Micro Inc.




Growing Threats Across Container Environments

Software Build Pipeline (Commit, Build, Push, Deploy):
– Vulnerable code
– Malware from public sources
– Embedded secrets
– Non-compliant content

Host Runtime:
– Attacks against running applications
– Attacks against container platforms
– Attacks against OS hosting containers


Full Life Cycle, Full Stack Container Security

[Diagram: Trend Micro Full Life Cycle, Full Stack Container Security. Labels shown: Container Images, Container Platform, Cloud Workload, Physical or Virtual Server, Container Threats, Vulnerability Protection, Secrets, Advanced Anti-malware, Intrusion Prevention, Application Control, Integrity Monitoring, Log Inspection, Anti-malware.]


Securing your CI/CD Pipeline & Docker Runtime

Build Pipeline Scanning/Detection:
– Vulnerabilities
– Malware
– Secrets & Keys
– Compliance & Configuration
– Custom/IoC Sweeping

Protection Deployment:
– Host Agent
– Container Security
– Inter-Container (E-W) Traffic inspection
– Kubernetes & Docker Platform Protection

Pipeline stages: Commit, Build, Push, Deploy, with Pre-registry Scanning and Registry Scanning

❑ New Capabilities: CVE Whitelisting, Protection for Container Workload Host

Full Lifecycle, Full Stack Container Security

What Our Customers are Saying

"We’re able to protect a container pre-runtime by understanding what’s going on in the environment from a security perspective before it even hits production."
Jason Cradit
Sector Information Technology | Pivvot


Container Security & Incident Investigation

What was affected? What was added? Where did it spread?

PREVENT: Assess potential vulnerabilities and proactively protect workloads from threats

DETECT: Detect advanced malware and suspicious behavior that evades standard defenses

RESPOND: Respond to detections with remediation options and workflow integrations

INVESTIGATE: Gain operational visibility, and investigate threat severity and impact


LEADER in vulnerability discovery since 2007, with 1449 vulnerabilities reported in 2018

TOP REPORTER of Microsoft & Adobe vulnerabilities worldwide

Research areas: Threats; Vulnerabilities & Exploits; Targeted Attacks; AI & Machine Learning; IoT; OT / IIoT; Cybercriminal Undergrounds; Future Threat Landscape




Accelerate DevOps with Security Automation
“Security used to be thought of as an inhibitor to development, but not anymore. Our teams understand that security is built into
the environment. The security team is helping to steer the effectiveness of cloud operations,” Security Team - Infor

Security Automation - policy creation, and updates

Deployment Automation - security at scale

Reporting Automation - customizable compliance reports and leading SIEMs integration

Monitoring Automation - operational and security health of your environment

Orchestration Automation - integrate with your pipeline tools, SOAR tools, etc.

Automation Center
API first for hybrid and cloud native environments

Find - a solution to my problem by searching on Google

Learn - simple guides and examples

Code - full RESTful API documentation. Examples of code

Verify - guidance around how to use applications to test APIs

Get Help - Stack Overflow, GitHub, and Trend Help

“Using Deep Security, we were able to improve our efficiency with Docker containers to realize savings for our AWS licenses and compute costs,”
Todd Williams – Manager SecOps at MEDHOST

“Trend Micro is extremely quick to support new technologies, and successfully strengthened the security of our service platform, which uses Docker and Kubernetes.”
Shunsuke Shiina - HUE & ATE Div. ATE Dept. Works Applications Co., Ltd.




Containers Can Run Anywhere

EKS, GKS, AKS

ECR, DTR, GCR

What Our Customers are Saying

“Smart Check’s ability to perform the final validation of the binary integrity of a container before it ships is a great check for us.”
Gerry Miller, Founder/CEO/CTO, Cloudticity

Full Lifecycle, Full Stack Container Security

BUILD SECURE: Security fit for DevOps at the speed of business from the first build

SHIP FAST: Automated security for cloud based container applications

RUN ANYWHERE: Cloud neutral, and multi-architecture for modern applications


Deep Security Smart Check
Software Build Pipeline Image Scanning


Pipeline Scanning with Deep Security Smart Check

• Advanced Scanning and Detection:
– Vulnerabilities
– Malware
– Embedded Secrets
– IoCs (sweeping)
– Compliance
• Continuous protection:
– Build-time scanning for earliest detection and lowest cost remediation
– Continuous registry scanning
– Latest Threat Intelligence

[Diagram: Image Build Scanning and Registry Scanning across the Commit, Build, Push stages]


CI/CD Pipeline Integration

Integrated scanning:
• Create pipeline Scan tasks
• Automate scans via APIs
• Invoke scans at any stage of the pipeline

Image Assertion:
• Allow or Block based on scan results
• Only valid “good” clean images proceed through pipeline
• Deliver scan details of invalid “bad” images to Developers for remediation

Fully Automated Pipeline Scanning

Full Coverage Vulnerability Scanning

• Security and Compliance
• Local and Remote vulnerabilities
• Trend Micro SPN and Threat Feed
• Package Manager applications

✚ Also detects applications installed from source. E.g.:
– Wordpress
– Drupal
– Fluentd
– PostgreSQL
– Ruby
– Tomcat

[Diagram: Typical Scanner Coverage compared with Deep Security Scan Coverage. Labels shown: Source Install, Source/Package, Package Mgr]


Smart Check Summary Dashboard
Have all our images been scanned? Do any items need attention? What has been scanned?



Remediation Assistance for DevOps

Which packages in the image have high severity vulnerabilities? What are the vulnerabilities? Is a fix available? What is the fix?


Find Security Issues Before Runtime

Continuous scanning of container images for malware, vulnerabilities, and secrets

Image Assertion – Approve containers for deployment

[Diagram: Commit, Build, Push, Deploy pipeline with Scan, Sign/Promote, Alert, Examine and Remediate steps]

Deep Security
Container Protection
Runtime Container Security


Secure the Host!

Deep Security Agent (DSA) for Hosts

• Containerized apps running on Docker share a common Kernel
o Virtualized workloads have an isolated Guest OS
• If the Docker host is compromised, ALL containers are at risk
• Trend Micro Deep Security supports full policy protection of your Docker hosts

[Diagram: Isolated Guest OS compared with Shared Host OS Kernel]


Container Traffic Inspection

• DSA can be configured for optimal inspection of Container traffic
• When “Scan Container Network Traffic” is enabled
o The network traffic hook point is moved local to the container interface …
o All container traffic, including inter-container “East-West” traffic is scanned
o Detection accuracy is not impacted by Docker port mappings

[Diagram: Container 1, Container 2, ... Container n running on Docker on the Host OS]


Detecting Kubernetes and Docker Attacks

• Attackers may target Docker and Kubernetes to execute attacks
– Image execution
– Networking and Microsegmentation
• Deep Security monitors key objects to detect compromised Docker and Kubernetes instances
– Software upgrades, downgrades or removal
– Attribute changes for binaries
– Running processes
– Critical files
– IPtables rules
– Permissions for key directories

[Diagram: Containerized Apps (App A to App F) on Docker Engine, Kubernetes and Operating System, with Deep Security Agent]

Kubernetes and Docker Monitoring



Deep Security for Containers

Runtime Protection for Docker Deployments

Full Stack Protection:
– Application Protection and Container Protection: App A to App F
– Docker Protection: Docker Engine
– Kubernetes Protection: Kubernetes
– Host OS Protection: Operating System

Deep Security Agent

Physical, Virtual or Cloud Container Nodes

Appendix



Container Growth Needs Security

Container market to grow from $1.6B in 2018 to $3.5B by 2022, at a 35.4% CAGR

What Will Be Your Primary Computing Abstraction by YE2020? (Percentage of Respondents)
– Virtual Machines: 71%
– Containers: 22%
– Serverless: 6%
– Others: 2%
Source: Gartner (September 2018)

Security and Compliance are the Biggest Hurdles to Container Adoption (figures shown: 62%, 28%)
Source: 451 Research Group (2018)


2019 Market Guide for Cloud Workload Protection Platforms

8 of 8 Core Controls* + 21 of 25 Additional Criteria*

Trend Micro delivers the most cloud security controls and criteria of all security vendors*

* As assessed by Trend Micro

Hybrid Cloud Security Solution

Software Build Pipeline
– Image Scanning: Vulnerability Scanning, Malware Detection, Sweeping & Hunting

Runtime / Deployed
– Network Security: Intrusion Prevention, Firewall, Vulnerability Scanning
– System Security: Application Control, Integrity Monitoring, Log Inspection
– Malware Prevention: Anti-Malware, Behavioral Analysis Machine Learning, Sandbox Analysis

Smart Check Scan Architecture

[Architecture diagram: Deep Security Smart Check. Labels shown: CI/CD (Commit, Build/Push Events, Invoke scan), Registry (ECR, GCR, DTR), Proxy, Frontend, Auth, Scan, Content Scan, Malware Scan, Vulnerability scan, Openscap, Signatures, Scan result, Process, Events, Alerts, Views, Docs, dstf.trendmicro.com]

Deep Security Container Control (Preview available soon)

• DS users can create and enforce Container Control policies
• Initial Controls
– Privileged containers
• Smart Check Integration
– Scanned Images
– Vulnerability thresholds
– Malware rule
• Addt’l Future Controls:
– Authorized Registries
– Validated Seccomp profile
– Etc…

Deep Security Container Vulnerability Shielding (12.x)

1 DSSC Scans Image
2 Scan Results sent to DSM
3 DSM builds IPS Ruleset
4 Policy applied to DSAs
5 IPS rules enforced by DSA
6 Container Apps protected from exploits

[Diagram: Deep Security Smart Check, Deep Security Manager and Deep Security Agent across the Commit, Build, Push, Deploy pipeline. Caption: Securing your CI/CD Pipeline and Docker Runtime]

Deep Security Smart Check and App Protect (2019)

1 DSSC Scans Image and Detects DSAP Library
2 Pipeline policy alerts of/blocks unprotected webapps
3 Only protected webapps admitted for deployment into production environment
4 Public facing Webapps are protected from OWASP Top 10, Known/Zero Day exploits and malware based attacks

[Diagram: Deep Security Smart Check and Deep Security App Protect across the Commit, Build, Push, Deploy pipeline]
