Trend Micro Products (Deep Discovery Inspector, Deep Security and SecureCloud) - Version 1.0. Document TMIC-004-ISO Version 1.

Security Standards Compliance
ISO / IEC 27002:2013 (Information technology - Security techniques - Code of practice for information security controls)
Trend Micro Products (Deep Discovery Inspector, Deep Security and SecureCloud)

Security Standards Compliance -- ISO / IEC 27002:2013 -- Trend Micro Products (Deep Discovery Inspector, Deep Security and SecureCloud)

References:
A. ISO / IEC 27001:2013, Information Technology — Security Techniques — Information Security Management Systems — Requirements, Edition 2, 1 Oct 2013
B. ISO / IEC 27002:2013, Information Technology — Security Techniques — Code of Practice for Information Security Controls, Edition 2, 1 Oct 2013
C. ISO / IEC 15408, Common Criteria for Information Technology Security Evaluation, Ver. 3.1 Rev. 4, Sep 2012

The ISO 27002 international standard is used by organizations to select controls when implementing an Information Security Management System as defined in ISO 27001, or as guidance for organizations implementing commonly accepted information security controls. The standard is also intended for use in developing industry- and organization-specific information security management guidelines, taking into consideration their specific security risk environments.

This document provides details of how the Trend Micro products Deep Discovery Inspector v3.7, Deep Security v9.5 and SecureCloud v3.7 help satisfy the requirements of ISO 27002, both at the application/system enterprise level and as security features specific to the products, such as product access controls, audit capability, etc. The context of each compliancy statement is indicated: "E" - how the Trend Micro products help satisfy the enterprise level security requirements; and "P" - how the Trend Micro products satisfy the product level security requirements. The product-specific compliancy details are needed by managers, security systems engineers and risk analysts so that they can select and architect cost-effective secure solutions that protect their enterprise systems and sensitive information assets from the modern hostile threat environment. The "P" context compliancy statements include those related to the SFRs and SARs [1] used in the most recent ISO 15408 Common Criteria evaluations: Deep Discovery Inspector v3.1 - EAL2 [2]; and Deep Security v9.5 - EAL2 evaluation in progress [3]. The ISO 27002 compliancy analysis also recognized that the SecureCloud cryptographic capabilities were developed using FIPS 140-2 validated libraries [4]. A Common Criteria evaluation provides independent evidence, from an accredited and government-licensed laboratory, that the evaluated products were methodically designed, tested and reviewed; note that a certificate applies to the specific version and evaluated configuration described in its Security Target, which is why the certified versions above differ from the product versions analyzed in this document.

Many of the ISO 27002 security controls address the need for organizations to detect and effectively respond to security incidents, including those related to advanced persistent threats. The standard provides a foundation of security controls for incorporation into an organization's overall security requirements baseline, for mitigating risk and improving system and application security in physical and virtualized environments. Many organizations using this standard also have obligations to demonstrate compliance in the context of their own continuous improvement program in a constantly changing threat environment. From a security product vendor's viewpoint, there is a corresponding need to demonstrate clearly to the users of its products how those products help satisfy the ISO 27002 enterprise and product specific security requirements.

Virtualized servers and cloud computing environments are being implemented by organizations and by their cloud service providers. They face many of the same security challenges as their physical counterparts and additionally have to contend with a number of security concerns specific to the virtual environment, such as inter-VM traffic, resource contention, blurring of system and network security boundaries, mixed trust levels, security zoning, and separation of duties. In particular, organizations need to protect their sensitive information assets in the virtualized multi-tenant cloud environment, where the physical storage locations are unknown to them and distributed across the cloud.

The Deep Discovery Inspector's combined functionality of Virtual Analysis (sandbox threat behavior simulation), Advanced Threat Scans, and APT Detection has been certified (for v3.1) to the ISO 15408 Common Criteria EAL2 level. The primary Deep Discovery Inspector modules include:

Management Console provides a built-in online management console through which users can view system status, configure threat detection, configure and view logs, run reports, administer Deep Discovery Inspector, and obtain help.

Virtual Analyzer provides a virtualized environment where untrusted files can be safely inspected.

[1] The CC evaluation Security Targets also included Trend Micro product specific Security Functional Requirements (SFRs) and Security Assurance Requirements (SARs) related to Intrusion Detection and Anti-Malware.

[2] Deep Discovery Inspector v3.1 CC Certification Report 283-4-252-CR, CSEC, dated 21 Jan 2014.

[3] The current Common Criteria evaluation of Deep Security v9.5 is an update to the earlier evaluations to EAL4+ for Deep Security v7.5 SP2 (Certification Report #383-4-152) and for Deep Security v8.0 SP1 (Maintenance Report #383-7-79-MR). Note that the v9.5 evaluation targets EAL2, a lower assurance level than the EAL4+ of those earlier evaluations.

Network Content Correlation Engine implements rules or policies defined by Trend Micro. Trend Micro regularly updates these rules after analyzing the patterns and trends that new and modified viruses exhibit.

Advanced Threat Scan Engine is a file-based detection scanning engine with true file type, multi-packed file, and IntelliTrap detection. The scan engine performs the actual scanning across the network and uses a virus pattern file to analyze the files passing through the network. The virus pattern file contains binary patterns of known viruses; Trend Micro regularly releases new virus pattern files when new threats are detected.

Network Virus Scan uses a combination of patterns and heuristics to proactively detect network viruses. It monitors network packets and triggers events that can indicate an attack against a network. It can also scan traffic in specific network segments.

Network Content Inspection Engine scans the content passing through the network layer.

Deep Security provides, in both virtualized and physical environments, the combined functionality of a Common Criteria evaluated firewall, anti-virus, deep packet inspection, integrity monitoring, log inspection, role-based access control (RBAC) and support for multi-tenant virtual environments (see footnote 3 for the evaluation status of v9.5). The primary Deep Security modules include:

Deep Security Manager is a centralized web-based management console which administrators use to configure security policy and deploy protection to the enforcement components: the Deep Security Virtual Appliance and the Deep Security Agent.

Firewall Module centralizes management of server firewall policy using a bidirectional stateful firewall. It supports virtual machine zoning and helps prevent denial of service attacks, and provides broad coverage for all IP-based protocols and frame types as well as fine-grained filtering by port and by IP and MAC address.

Anti-Malware Module provides both real-time and on-demand protection against file-based threats, including threats commonly referred to as malware, viruses, Trojans, and spyware. To identify threats, Anti-Malware checks files against a comprehensive threat database, portions of which are hosted on servers or kept locally as updatable patterns. Anti-Malware also checks files for certain characteristics, such as compression and known exploit code. To address threats, Anti-Malware selectively performs actions that contain and remove the threats while minimizing system impact: it can clean, delete, or quarantine malicious files, and can also terminate processes and delete other system objects associated with identified threats.

Recommendation Scans identify known vulnerabilities in the operating system and installed applications. A Recommendation Sc
an checks the installed software and patch levels against the latest Common Vulnerabilities and Exposures (CVE) data, automatically applies the Deep Security signatures, engines, patterns, and rules/filters that detect or prevent exploitation of those vulnerabilities, and produces audit logs and reports that can support a continuous monitoring program or audits.

Integrity Monitoring Module detects and reports malicious and unexpected changes to files and the system registry in real time, and is available in an agentless form factor. It gives administrators the ability to track both authorized and unauthorized changes made to an instance. The ability to detect unauthorized changes is a critical component of a cloud security strategy, as it provides visibility into changes that could indicate the compromise of an instance.

Log Inspection Module provides visibility into important security events buried in log files and optimizes the identification of such events across multiple log entries throughout the data center. It forwards suspicious events to a SIEM system or centralized logging server for correlation, reporting and archiving, and leverages and enhances the open-source OSSEC software.

Intrusion Prevention Module is both an Intrusion Detection System (IDS) and an Intrusion Prevention System (IPS). It protects computers from exploitation of known and zero-day vulnerabilities as well as from SQL injection attacks, cross-site scripting attacks, and other web application attacks, shielding vulnerabilities until code fixes can be completed. It identifies malicious software accessing the network and increases visibility into, and control over, applications accessing the network. Intrusion Prevention prevents attacks by detecting malicious instructions in network traffic and dropping the relevant packets.

Web Reputation Module protects against web threats by blocking access to malicious URLs. Deep Security uses Trend Micro's web security databases from Smart Protection Network sources to check the reputation of web sites that users attempt to access. The web site's reputation is correlated with the specific web reputation policy enforced on the computer; depending on the Web Reputation Security Level being enforced, Deep Security will either block or allow access to the URL.

SecureCloud provides full disk encryption, built on FIPS 140-2 validated cryptographic modules, in either virtualized or physical environments. It has been specifically designed for multi-tenant cloud environments, isolating each tenant's data with cryptographic keys unique to that tenant.

These three products and other Trend Micro web services can be integrated into various enterprise architectures to effectively minimize the organization's cyber security risks. Such Trend Micro web services include:

Control Manager provides a centralized management function for Deep Discovery Inspector (and other Trend Micro products).

Smart Protection Network provides a URL and file reputation rating service.

TrendLabs is a global network of research, development, and action centers committed to 24x7 threat surveillance, attack prevention, and timely and seamless solutions delivery. Serving as the backbone of the Trend Micro service infrastructure, TrendLabs is staffed by a team of several hundred engineers and certified support personnel who provide a wide range of product and technical support services.

Threat Management Services provides organizations with an effective way to discover, mitigate, and manage stealthy and zero-day internal threats. Threat Management Services brings together security experts and a host of solutions to provide ongoing security services. These services ensure timely and efficient responses to threats, identify security gaps that leave the network vulnerable, help minimize data loss, reduce damage containment costs, and simplify the maintenance of network security.

Threat Management Service Portal is an on-premise or hosted service which receives logs and data from registered products (such as Deep Discovery Inspector) and creates reports that enable product users to respond to threats in a timely manner and receive up-to-date information about the latest and emerging threats.

Threat Connect correlates suspicious objects detected in the organization's environment with threat data from the Trend Micro Smart Protection Network. By providing on-demand access to Trend Micro intelligence databases, Threat Connect enables an organization to identify and investigate potential threats to its environment.

Mobile App Reputation Service (MARS) collects data about detected threats on mobile devices. It is an advanced sandbox environment that analyzes mobile app runtime behavior to detect privacy leaks, repackaged mobile apps, third-party advertisement SDKs, vulnerabilities, and app categories.

Threat Mitigator receives mitigation requests from Deep Discovery Inspector after a threat is detected. Threat Mitigator then notifies the Threat Management Agent installed on a host to run a mitigation task.

ISO 27002:2013 Security Controls | Context (E = enterprise level, P = product level) | Trend Micro Solution Compliancy

6.1 Organization of Information Security / Internal Organization

Objective: To establish a management framework to initiate and control the implementation and operation of information security within the organization.

6.1.2 Organization of Information Security / Internal Organization / Segregation of duties

Conflicting duties and areas of responsibility shall be segregated to reduce opportunities for unauthorized or unintentional modification or misuse of the organization’s assets.

Context: P
The segregation of duties and responsibilities is supported by both Deep Discovery Inspector and Deep Security through the Role Based Access Control (RBAC) mechanisms that both products use. This RBAC capability has been independently validated by the Common Criteria (ISO 15408) EAL2 certification obtained for Deep Discovery Inspector v3.1 and is currently under evaluation for Deep Security v9.5. SecureCloud also makes use of an RBAC mechanism in support of this requirement.

6.1.4 Organization of Information Security / Internal Organization / Contact with special interest groups

Appropriate contacts with special interest groups or other specialist security forums and professional associations shall be maintained.

Context: E P
With the purchase of Deep Discovery Inspector and Deep Security products an organization gains access to the specialist security forums provided by TrendLabs and the Smart Protection Network services of Trend Micro. These services provide additional expert analysis of security events to identify potential cyber attacks. TrendLabs (described above) monitors the worldwide threat landscape to deliver security measures designed to detect, preempt, and eliminate attacks; the daily culmination of these efforts is shared with organizations through frequent virus pattern file updates and scan engine refinements.

The Smart Protection Network is a globally-scaled cloud-based infrastructure that provides reputation services to Deep Discovery Inspector and other Trend Micro products that leverage the smart protection technology. Deep Discovery Inspector integrates with the Smart Protection Network to determine the reputation of websites users attempt to access, logs URLs that smart protection technology verifies to be fraudulent or known sources of threats, and uploads the logs for report generation. Selecting the Smart Protection Network option also allows the use of Retro Scan, a cloud-based service that scans historical web access logs for callback attempts to C&C servers and other related activity in an organization's network. Web access logs may include undetected and unblocked connections to C&C servers that have only recently been discovered; examination of such logs is an important part of forensic investigations and may help determine whether the organization's network is affected by an attack.

6.2 Organization of Information Security / Mobile Devices and Teleworking

Objective: To ensure the security of teleworking and use of mobile devices.

6.2.1 Organization of Information Security / Mobile Devices & Teleworking / Mobile device policy

A policy and supporting security measures shall be adopted to manage the risks introduced by using mobile devices.

Context: E P
The supporting security measures provided by Deep Discovery Inspector can assist in meeting this requirement through the Mobile App Reputation Service (MARS), described above, which collects data about detected threats on mobile devices and analyzes mobile app runtime behavior in a sandbox environment to detect privacy leaks, repackaged mobile apps, third-party advertisement SDKs, vulnerabilities, and app categories.

7.2 Human Resource Security / During Employment

Objective: To ensure that employees and contractors are aware of and fulfil their information security responsibilities.

7.2.2 Human Resource Security / During Employment / Information security awareness, education and training

All employees of the organization and, where relevant, contractors shall receive appropriate awareness education and training and regular updates in organizational policies and procedures, as relevant for their job function.

Context: E P
With the purchase of Trend Micro products, Trend Micro provides relevant product training which supports this control requirement. Such online and in-class training addresses how the products can be used in effective cyber security incident response and handling in accordance with related job functions.

9.2 Access Control / User Access Management

Objective: To ensure authorized user access and to prevent unauthorized access to systems and services.

9.2.3 Access Control / User Access Management / Management of privileged access rights

The allocation and use of privileged access rights shall be restricted and controlled.

Context: P
The allocation and use of privileged access rights is supported by Deep Discovery Inspector and Deep Security through the use of role-based access controls, whose use is audited in terms of defined auditable events. This has been demonstrated in the Common Criteria process: Deep Discovery Inspector v3.1 has been EAL2 certified by the Common Criteria Evaluation and Certification Scheme, and Deep Security v9.5 is currently being evaluated to EAL2.

The SecureCloud solution satisfies this requirement by using role-based access controls and integration with Active Directory to provide access control and account management.


9.4 Access Control / System and Application Access Control

Objective: To prevent unauthorized access to systems and applications.

9.4.1 Access Control / System and Application Access Control / Information access restriction

Access to information and application system functions shall be restricted in accordance with the access control policy.

Context: P
The Common Criteria (ISO 15408) certifications and evaluations have demonstrated, to the EAL2 level, that the access control functionality of the Trend Micro products supports this requirement. Deep Discovery Inspector, SecureCloud, and Deep Security specifically support compliance with this requirement through the use of role-based access controls and integration with Active Directory to provide controlled access to system resources.

9.4.2 Access Control / System and Application Access Control / Secure log-on procedures

Where required by the access control policy, access to systems and applications shall be controlled by a secure log-on procedure.

Context: P
Deep Discovery Inspector and Deep Security make use of a secure log-on process, which has been demonstrated in the Common Criteria (ISO 15408) EAL2 process: Deep Discovery Inspector v3.1 has been EAL2 certified by the Common Criteria Evaluation and Certification Scheme, and Deep Security v9.5 is currently being evaluated to EAL2. SecureCloud also makes use of a secure log-on process.

10.1 Cryptography / Cryptographic Controls

Objective: To ensure proper and effective use of cryptography to protect the confidentiality, authenticity and/or integrity of information.

10.1.1 Cryptography / Cryptographic Controls / Policy on the use of cryptographic controls

A policy on the use of cryptographic controls for protection of information shall be developed and implemented.

Context: E P
In accordance with the implementation guidance provided for this control, the policy must address the cryptographic standards to be adopted and the approach to key management. The SecureCloud data-at-rest cryptographic solution makes use of:

- a NIST FIPS 140-2 validated cryptographic module to produce, control and distribute cryptographic keys for its key management technology and processes; and
- the Key Management Interoperability Protocol (KMIP) standard, which establishes a single protocol for communication between key management systems, providing a compatible key management process between systems.

10.1.2 Cryptography / Cryptographic Controls / Key management

A policy on the use, protection and lifetime of cryptographic keys shall be developed and implemented through their whole lifecycle.

Context: P
In accordance with the implementation guidance provided for this control, the policy must address the cryptographic algorithms to be adopted and key management standards. The SecureCloud data-at-rest cryptographic solution makes use of:

- a NIST FIPS 140-2 validated cryptographic module to produce, control and distribute cryptographic keys for its key management technology and processes;
- cryptographic operations that are compliant with FIPS 140-2 Level 1 or 2 depending on the installed OS (cryptographic module), FIPS 197 (AES), FIPS 46-3 (3DES), FIPS 180-2 (SHS), FIPS 198 (HMAC) and ANSI X9.31 (RNG), with the keys for those operations managed accordingly; and
- the Key Management Interoperability Protocol (KMIP) standard, which establishes a single protocol for communication between key management systems, providing a compatible key management process between systems.
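The two properties this control and the SecureCloud description rely on, that each tenant's data is protected by keys unique to that tenant and that keys can be managed through their whole lifecycle, are easiest to see in a small key hierarchy. The Go program below is an added illustration written for this page, not SecureCloud code or its internal design: it keeps tenant keys in memory (a real deployment holds them in a key management server reached over KMIP, which is not modelled here) and uses Go's standard-library AES-256-GCM rather than a FIPS 140-2 validated module. Each volume gets its own data-encryption key (DEK), stored only wrapped under the tenant's key-encryption key (KEK); the tenant and volume names are constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// Tenant carries the tenant's key-encryption key (KEK), which in production stays in the key manager.
type Tenant struct {
	ID  string
	KEK []byte // 32 bytes, so AES-256
}

// Volume is one encrypted disk; its data-encryption key (DEK) is stored only wrapped under the KEK.
type Volume struct {
	Tenant, ID string
	WrappedDEK []byte // nonce || AES-GCM(KEK, DEK)
	Data       []byte // nonce || AES-GCM(DEK, disk contents)
}

// randBytes draws n bytes from the OS CSPRNG; keys and nonces both come from here.
func randBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := io.ReadFull(rand.Reader, b); err != nil {
		panic(err)
	}
	return b
}

func NewKey() []byte { return randBytes(32) }

func gcm(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err) // every key here is 32 bytes, so this is a programming error
	}
	g, _ := cipher.NewGCM(block) // cannot fail for an AES block cipher
	return g
}

// seal returns nonce || ciphertext; aad is authenticated, not encrypted, and binds
// the ciphertext to the tenant and volume it belongs to.
func seal(key, plaintext, aad []byte) []byte {
	g := gcm(key)
	nonce := randBytes(g.NonceSize())
	return g.Seal(nonce, nonce, plaintext, aad)
}

func unseal(key, sealed, aad []byte) ([]byte, error) {
	g := gcm(key)
	if len(sealed) < g.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return g.Open(nil, sealed[:g.NonceSize()], sealed[g.NonceSize():], aad)
}

func (v *Volume) aad() []byte { return []byte(v.Tenant + "/" + v.ID) }

// NewVolume generates a fresh DEK, wraps it under the tenant's KEK with an AAD that
// ties it to this tenant and volume, and encrypts the contents under the DEK.
func NewVolume(t Tenant, id string, contents []byte) *Volume {
	v := &Volume{Tenant: t.ID, ID: id}
	dek := NewKey()
	v.WrappedDEK = seal(t.KEK, dek, v.aad())
	v.Data = seal(dek, contents, v.aad())
	return v
}

// dek unwraps the volume key. The wrong tenant ID or the wrong KEK yields an error
// and never plaintext: this is the tenant isolation property.
func (v *Volume) dek(t Tenant) ([]byte, error) {
	if t.ID != v.Tenant {
		return nil, errors.New("volume belongs to another tenant")
	}
	return unseal(t.KEK, v.WrappedDEK, v.aad())
}

func (v *Volume) Read(t Tenant) ([]byte, error) {
	dek, err := v.dek(t)
	if err != nil {
		return nil, err
	}
	return unseal(dek, v.Data, v.aad())
}

// RotateKEK re-wraps the DEK under the same tenant's new KEK. The encrypted data is
// untouched, so rotation is one small AEAD call, not a re-encryption of the disk.
func (v *Volume) RotateKEK(old, next Tenant) error {
	if next.ID != v.Tenant {
		return errors.New("new KEK belongs to another tenant")
	}
	dek, err := v.dek(old)
	if err != nil {
		return err
	}
	v.WrappedDEK = seal(next.KEK, dek, v.aad())
	return nil
}

func main() {
	acme, globex := Tenant{"acme", NewKey()}, Tenant{"globex", NewKey()}
	vol := NewVolume(acme, "vol-1", []byte("constructed sample disk contents"))
	_, err := vol.Read(globex) // another tenant: rejected, no plaintext
	fmt.Println("globex reading acme's volume:", err)
	rotated := Tenant{"acme", NewKey()}
	fmt.Println("rotate KEK:", vol.RotateKEK(acme, rotated))
	data, err := vol.Read(rotated)
	fmt.Printf("acme after rotation: %q %v\n", data, err)
}
```

Two points of the design carry over to any policy written under 10.1.1 and 10.1.2: the provider's storage tier holds only ciphertext and a wrapped key, so tenant isolation does not depend on access control alone, and the KEK/DEK split is what makes key rotation and destruction cheap (destroying a tenant's KEK renders every volume key, and so every volume, unrecoverable without touching the disks). Two of the algorithms listed above, 3DES (FIPS 46-3) and the ANSI X9.31 RNG, have since been withdrawn or deprecated by NIST; a policy written today should restrict new deployments to AES and an SP 800-90A DRBG, and the FIPS 140-2 claim holds only when the operations run inside the validated module, not in an arbitrary library such as the one used in this example.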

12.1 Operations Security / Operational Procedures and Responsibilities

Objective: To ensure correct and secure operations of information processing facilities.

12.1.2 Operations Security / Operational Procedures and Responsibilities / Change management

Changes to the organization, business processes, information processing facilities and systems that affect information security shall be controlled.

Context: E
The implementation guidance for this control states that change management procedures should include "provision of an emergency change process to enable quick and controlled implementation of changes needed to resolve an incident". Deep Security Integrity Monitoring, through continuous monitoring, detects and reports malicious and unexpected changes to critical files and the system registry in real time. It gives administrators the ability to track both authorized and unauthorized changes made to physical, virtual and cloud environments. The ability to detect unauthorized changes is a critical component of a cloud security strategy, as it provides visibility into changes that could indicate the compromise of a virtual machine instance.

The Integrity Monitoring module allows organizations to monitor specific areas of a computer for changes. Deep Security can monitor installed software, running services, processes, files, directories, listening ports, registry keys, and registry values. It functions by performing a baseline scan of the areas on the computer specified in the assigned rules and then periodically rescanning those areas to look for changes. The Deep Security Manager ships with predefined Integrity Monitoring Rules, and new Integrity Monitoring Rules are provided in Security Updates. Detected changes only support change control if each one is reconciled against an approved change record; a change that matches no record is the signal that the emergency change process was bypassed or that the host has been compromised.
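The baseline-then-rescan mechanism described above can be shown with a small file integrity monitor. The Go program below is an added example written for this page, not Deep Security's engine or rule format: it records a SHA-256 digest and the permission bits of every regular file under a directory, stores that baseline as JSON, and on later runs reports files that were added, removed, modified or had their mode changed. The directory layout, the baseline file name and the JSON schema are assumptions for the example.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
	"io"
	"io/fs"
	"os"
	"path/filepath"
	"sort"
)

// Entry is what the baseline records per file: a SHA-256 of the content and the
// permission bits. (Assumed layout for this illustration, not Deep Security's schema.)
type Entry struct {
	Digest string      `json:"digest"`
	Mode   fs.FileMode `json:"mode"`
}

// Change is one deviation from the baseline: "added", "removed", "modified" or "mode".
type Change struct {
	Path, Kind string
}

// Baseline walks root and records an Entry for every regular file, keyed by the
// path relative to root. Symlinks, devices and sockets are skipped.
func Baseline(root string) (map[string]Entry, error) {
	out := map[string]Entry{}
	err := filepath.WalkDir(root, func(p string, d fs.DirEntry, err error) error {
		if err != nil || !d.Type().IsRegular() {
			return err
		}
		info, err := d.Info()
		if err != nil {
			return err
		}
		f, err := os.Open(p)
		if err != nil {
			return err
		}
		defer f.Close()
		h := sha256.New()
		if _, err := io.Copy(h, f); err != nil {
			return err
		}
		rel, _ := filepath.Rel(root, p)
		out[rel] = Entry{hex.EncodeToString(h.Sum(nil)), info.Mode().Perm()}
		return nil
	})
	return out, err
}

// Compare reports every difference between the baseline and a fresh scan,
// sorted by path so that repeated reports are directly diffable.
func Compare(base, current map[string]Entry) []Change {
	var changes []Change
	for p, b := range base {
		c, ok := current[p]
		switch {
		case !ok:
			changes = append(changes, Change{p, "removed"})
		case c.Digest != b.Digest:
			changes = append(changes, Change{p, "modified"})
		case c.Mode != b.Mode:
			changes = append(changes, Change{p, "mode"})
		}
	}
	for p := range current {
		if _, ok := base[p]; !ok {
			changes = append(changes, Change{p, "added"})
		}
	}
	sort.Slice(changes, func(i, j int) bool { return changes[i].Path < changes[j].Path })
	return changes
}

func die(err error) {
	fmt.Fprintln(os.Stderr, err)
	os.Exit(1)
}

// First run writes the baseline file; every later run rescans and reports changes.
func main() {
	if len(os.Args) != 3 {
		die(errors_usage())
	}
	root, store := os.Args[1], os.Args[2]
	current, err := Baseline(root)
	if err != nil {
		die(err)
	}
	raw, err := os.ReadFile(store)
	if err != nil { // no baseline yet: record one and stop
		data, _ := json.MarshalIndent(current, "", "  ")
		if err := os.WriteFile(store, data, 0o600); err != nil {
			die(err)
		}
		fmt.Printf("baseline of %d files written to %s\n", len(current), store)
		return
	}
	var base map[string]Entry
	if err := json.Unmarshal(raw, &base); err != nil {
		die(err)
	}
	for _, c := range Compare(base, current) {
		fmt.Printf("%-8s %s\n", c.Kind, c.Path)
	}
}

func errors_usage() error { return fmt.Errorf("usage: fim <directory> <baseline.json>") }
```

The baseline file must live somewhere the monitored host cannot rewrite it (Deep Security keeps it in the Manager; with this script, copy it off-host with its own digest), otherwise an attacker who gains root simply re-baselines after the change. Scope also matters: hashing a whole file system on every pass is expensive and noisy, so point the scan at the paths a rule would name (binaries, configuration, startup scripts, the loader configuration) rather than at log and spool directories that change legitimately.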

12.1.4 Operations Security / Operational Procedures and Responsibilities / Separation of development, testing and operational environments

Development, testing, and operational environments shall be separated to reduce the risks of unauthorized access or changes to the operational environment.

Context: E
The firewall component of Deep Security can provide the separation of development, testing, and operational "zones" in virtualized, physical and cloud environments. The Deep Security firewall creates and controls access to the different zones within an organization's environment. Centralized management of server firewall policy using a bidirectional stateful firewall supports zoning and helps prevent denial of service attacks, with broad coverage for all IP-based protocols and frame types as well as fine-grained filtering by port and by IP and MAC address. The SecureCloud solution can additionally provide cryptographic separation between the different environments.


12.2 Operations Security / Protection from Malware

Objective: To ensure that information and information processing facilities are protected against malware.

12.2.1 Operations Security / Protection from Malware / Controls against malware

Detection, prevention and recovery controls to protect against malware shall be implemented, combined with appropriate user awareness.

Context: E
The Deep Discovery Inspector Virtual Analyzer is a secure virtual environment used to manage and analyze samples submitted by Trend Micro endpoint products. Sandbox images allow observation of file and network behavior in a protected setting without risk of compromising the network. Virtual Analyzer performs static analysis and behavior simulation to identify potentially malicious characteristics; during analysis it rates the characteristics in context and then assigns a risk level to the sample based on the accumulated ratings.

Virtual Analyzer includes the following features:

- threat execution and evaluation summary;
- in-depth tracking of malware actions and system impact;
- network connections initiated;
- system file/registry modification;
- system injection behavior detection;
- identification of malicious destinations and command-and-control (C&C) servers;
- exportable forensic reports and PCAP files; and
- generation of complete malware intelligence for immediate local protection.

The Deep Security Anti-Malware module (described above) provides both real-time and on-demand protection against file-based threats. It checks files against the Trend Micro threat database and updatable local patterns, and for characteristics such as compression and known exploit code; it can clean, delete or quarantine malicious files, terminate processes, and delete other system objects associated with identified threats.

12.4 Operations Security / Logging and Monitoring

Objective: To record events and generate evidence.

12.4.1 Operations Security / Logging and Monitoring / Event logging

Event logs recording user activities, exceptions, faults and information security events shall be produced, kept and regularly reviewed.

Context: E P
Deep Security Log Inspection provides visibility into important security events buried in log files and optimizes the identification of such events across multiple log entries throughout the data center. It forwards suspicious events to a SIEM system or centralized logging server for correlation, reporting and archiving. The Log Inspection Engine is integrated into Deep Security and gives an organization the ability to inspect the logs and events generated by the operating systems and applications running on its computers. Log Inspection Rules can be assigned directly to computers or can be made part of a Security Profile. Like Integrity Monitoring events, Log Inspection events can be configured to generate alerts in the Deep Security Manager.

Deep Discovery Inspector can be integrated with the Retro Scan service, a cloud-based service that scans historical web access logs for callback attempts to C&C servers and other related activity in a network. Web access logs may contain undetected and unblocked connections to C&C servers that have only recently been discovered, which is why those logs must be retained long enough for such a retrospective scan to be possible.
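Both mechanisms in this entry, rule-based inspection of host logs with events forwarded to a SIEM, and a retrospective scan of historical web access logs against newly learned C&C indicators, are shown in the Go program below. It is an added example written for this page and is not Deep Security's or OSSEC's rule engine, nor the Retro Scan service: the rule format, the event schema, the syslog and proxy log lines and the C&C domain are all constructed for the illustration. The brute-force rule correlates several entries from one source within a sliding window, which is the "buried in multiple log entries" case the text describes.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/url"
	"regexp"
	"strings"
	"time"
)

// Rule matches one syslog line. Threshold > 1 makes it a correlation rule that
// fires only when the same "key" capture group (a source IP here) is seen
// Threshold times within Window. (Constructed format, not Deep Security's.)
type Rule struct {
	ID        string
	Pattern   *regexp.Regexp
	Threshold int
	Window    time.Duration
	Severity  int
}

// Event is what gets forwarded to the SIEM, one JSON object per line.
type Event struct {
	Rule     string `json:"rule"`
	Severity int    `json:"severity"`
	Key      string `json:"key,omitempty"`
	Count    int    `json:"count"`
	Line     string `json:"line"`
}

type Inspector struct {
	rules []Rule
	seen  map[string][]time.Time // rule|key -> timestamps of recent matches
}

func NewInspector(rules []Rule) *Inspector {
	return &Inspector{rules: rules, seen: map[string][]time.Time{}}
}

// syslogTime parses the leading "Mon dd hh:mm:ss" of a BSD-style syslog line;
// the year is absent, which does not matter for sliding-window arithmetic.
func syslogTime(line string) time.Time {
	if len(line) < 15 {
		return time.Time{}
	}
	t, _ := time.Parse("Jan _2 15:04:05", line[:15])
	return t
}

// Inspect runs every rule over one line and returns the events it raises.
func (in *Inspector) Inspect(line string) []Event {
	var out []Event
	ts := syslogTime(line)
	for _, r := range in.rules {
		m := r.Pattern.FindStringSubmatch(line)
		if m == nil {
			continue
		}
		key := ""
		if i := r.Pattern.SubexpIndex("key"); i > 0 {
			key = m[i]
		}
		if r.Threshold <= 1 {
			out = append(out, Event{r.ID, r.Severity, key, 1, line})
			continue
		}
		k := r.ID + "|" + key
		recent := append(in.seen[k], ts)
		kept := recent[:0] // drop matches that have fallen out of the window
		for _, t := range recent {
			if !t.Before(ts.Add(-r.Window)) {
				kept = append(kept, t)
			}
		}
		if len(kept) >= r.Threshold {
			out = append(out, Event{r.ID, r.Severity, key, len(kept), line})
			kept = nil // fire once, then start counting afresh
		}
		in.seen[k] = kept
	}
	return out
}

// RetroScan re-reads historical proxy logs (constructed format: "<time> <client>
// <method> <url> <status>") against C&C domains learned after the traffic happened.
func RetroScan(lines, c2Domains []string) []Event {
	var hits []Event
	for _, ln := range lines {
		f := strings.Fields(ln)
		if len(f) < 5 {
			continue
		}
		u, err := url.Parse(f[3])
		if err != nil {
			continue
		}
		host := strings.ToLower(u.Hostname())
		for _, bad := range c2Domains {
			if host == bad || strings.HasSuffix(host, "."+bad) {
				hits = append(hits, Event{"retro-c2-callback", 9, f[1], 1, ln})
			}
		}
	}
	return hits
}

func DefaultRules() []Rule {
	return []Rule{
		{"ssh-bruteforce", regexp.MustCompile(`sshd\[\d+\]: Failed password for .* from (?P<key>[\d.]+)`), 3, time.Minute, 7},
		{"root-login-accepted", regexp.MustCompile(`sshd\[\d+\]: Accepted \w+ for root from (?P<key>[\d.]+)`), 1, 0, 6},
	}
}

// Constructed sample logs: three SSH failures from one address inside a minute,
// then a successful root login from the same address.
var SampleSyslog = []string{
	"Nov  3 09:12:01 web01 sshd[4410]: Failed password for root from 198.51.100.7 port 52211 ssh2",
	"Nov  3 09:12:09 web01 sshd[4412]: Failed password for invalid user admin from 198.51.100.7 port 52214 ssh2",
	"Nov  3 09:12:31 web01 sshd[4416]: Failed password for root from 198.51.100.7 port 52222 ssh2",
	"Nov  3 09:13:02 web01 sshd[4419]: Accepted password for root from 198.51.100.7 port 52300 ssh2",
}

var SampleProxy = []string{
	"2014-11-03T09:15:02Z 10.0.0.15 GET http://www.example.org/index.html 200",
	"2014-11-03T09:15:09Z 10.0.0.15 POST http://beacon.c2.example.net/gate.php 200",
	"2014-11-03T09:16:30Z 10.0.0.22 GET https://www.example.com/ 200",
}

func main() {
	in := NewInspector(DefaultRules())
	var events []Event
	for _, ln := range SampleSyslog {
		events = append(events, in.Inspect(ln)...)
	}
	events = append(events, RetroScan(SampleProxy, []string{"c2.example.net"})...)
	for _, ev := range events {
		b, _ := json.Marshal(ev)
		fmt.Println(string(b)) // newline-delimited JSON for a SIEM collector
	}
}
```

The threshold rule fires once per burst and then resets, so a SIEM receives one high-severity event with a count rather than one event per failed attempt; the single-match rule for an accepted root login from the same address is what an analyst would pivot on next. The retrospective scan only works if the proxy logs still exist, which ties this control to the retention period chosen under the same objective.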


12.6 Operations Security / Technical Vulnerability Management

Objective: To prevent exploitation of technical vulnerabilities.

12.6.1 Operations Security / Technical Vulnerability Management / Management of technical vulnerabilities

Information about technical vulnerabilities of information systems being used shall be obtained in a timely fashion, the organization’s exposure to such vulnerabilities evaluated and appropriate measures taken to address the associated risk.

Context: E
The Deep Discovery Inspector Virtual Analyzer performs static analysis and behavior simulation to identify potentially malicious characteristics, rates them in context and assigns a risk level to the sample based on the accumulated ratings (see 12.2.1).

Deep Security Intrusion Prevention helps achieve timely protection against known and zero-day attacks. It uses vulnerability rules to shield a known vulnerability, for example one listed in the Common Vulnerabilities and Exposures (CVE) database or disclosed monthly by Microsoft, regardless of the particular exploit used against it. It offers out-of-the-box vulnerability protection for over 100 applications, including database, web, email and FTP servers, and automatically delivers rules that shield newly discovered vulnerabilities within hours; these rules can be pushed out to thousands of servers in minutes, without a system reboot.

Intrusion Prevention can also be used for the following functions:

- Virtual patching: Intrusion Prevention rules can drop traffic designed to leverage unpatched vulnerabilities in certain applications or the operating system itself. This protects the host while awaiting the application of the relevant patches; it is a compensating control, not a substitute for the patch;
- Protocol hygiene: detecting and blocking traffic with malicious instructions; and
- Application control: blocking traffic associated with specific applications such as Skype or file-sharing utilities.

The Trend Micro Smart Protection Network uses a global network of threat intelligence sensors to continually update email, web, and file reputation databases in the cloud, identifying and blocking threats in real time before they reach the organization. To respond to the continuous emergence of new threats (created, by Trend Micro's estimate, at a rate of 1.5 every second), older methods required virus signature files to be delivered to the on-premises equipment, which caused network, memory and system loads to increase daily. The Smart Protection Network instead stores the information required for security countermeasures in a cloud database rather than on individual computers, and Trend Micro carries out updates and management via the cloud. The long-term work and system load of delivering virus signature files is therefore largely eliminated, while the countermeasures themselves are kept current.

12.7 Operations Security / Information Systems Audit Considerations

Objective: To minimize the impact of audit activities on operational systems.

12.7.1 Operations Security / Information Systems Audit Considerations / Information systems audit controls

Audit requirements and activities involving verification of operational systems shall be carefully planned and agreed to minimize disruptions to business processes.

P Deep Discovery Inspector, Deep Security and SecureCloud provide audit records of all security related events.

The strength and functionality of the audit mechanisms of Deep Discovery Inspector and Deep Security, which have minimal impact during normal or test usage, have been demonstrated by the Common Criteria (ISO 15408) EAL 2 validation/evaluation and are documented in the Deep Discovery Inspector and Deep Security Security Targets.

13.1 Communications Security / Network Security Management

Objective: To ensure the protection of information in networks and its supporting information processing facilities.

13.1.1 Communications Security / Network Security Management / Network controls

Networks shall be managed and controlled to protect information in systems and applications.

E Deep Discovery Inspector provides protection of an organization's systems, networks and applications through detection of breaches, including Advanced Persistent Threats. This is achieved through the Advanced Threat Scan Engine, the Virtual Analyzer, and the Network Content Inspection and Correlation Engines of the Deep Discovery Inspector. When integrated with the Trend Micro Threat Management Services there is also the capability to create reports, which enable product users to respond to threats in a timely manner and receive up-to-date information about the latest and emerging threats.

Deep Security provides server security for physical, virtual, and cloud servers. It protects enterprise applications and data from breaches and business disruptions without requiring emergency patching. This centrally managed platform helps an organization manage and control security operations while enabling regulatory compliance. The following modules provide server, application, and data security across physical, virtual, and cloud servers, as well as virtual desktops: Anti-malware; Web Reputation; Integrity Monitoring; Intrusion Prevention; Firewall, and Log Inspection.

SecureCloud Hosted Service protects critical data stored on cloud devices by using full-disk encryption. SecureCloud controls access to confidential information stored on disk drives by encrypting them, so that data remains private and meets compliance regulations. The following types of disk drives are protected:

- Boot devices for cloud environments

- Data and ephemeral storage devices

- RAID devices


13.1.3 Communications Security / Network Security Management / Segregation in networks

Groups of information services, users and information systems shall be segregated on networks.

E The Deep Security firewall component provides a segregation of networks using a centralized management of firewall policy through a bidirectional stateful firewall. The Deep Security firewall supports virtual machine zoning and prevents network attacks. It provides coverage for all IP-based protocols and frame types as well as fine-grained filtering for ports and IP and MAC addresses.

SecureCloud provides segregation of information systems through the use of cryptography. Each system or domain can be assigned a unique encryption key for data stored within that system or domain.

13.2 Communications Security / Information Transfer

Objective: To maintain the security of information transferred within an organization and with any external entity.

13.2.1 Communications Security / Information Transfer / Information transfer policies and procedures

Formal transfer policies, procedures and controls shall be in place to protect the transfer of information through the use of all types of communication facilities.

E P The Deep Discovery Inspector, Deep Security, and SecureCloud products make use of the SSL protocol to provide self-protection of the product, management and control data when communication is established between the different components of the products over the network. In addition, SSH is used to protect the data in transit when command line control is required to access the product.

The Implementation Guidance for this control specifically mentions that "procedures for the detection of and protection against malware that may be transmitted through the use of electronic communications" should be considered. Both Deep Security and Deep Discovery Inspector provide at the systems enterprise level security features, such as anti-virus, deep packet inspection, virtual analysis of suspect software, and anti-malware modules that provide both real-time and on-demand protection against file-based threats, including threats commonly referred to as malware.

SecureCloud cryptographically protects data at rest on storage media. In virtualized environments, where VM images and their associated data are transmitted or moved using mechanisms such as vMotion, this cryptographic protection of the virtual machine data also applies during the move: SecureCloud can encrypt the image data while the image is being transmitted.

Deep Discovery Inspector, Deep Security, and SecureCloud provide security features at the systems enterprise level, which can be used by an organization to control the confidentiality of organizational data and to detect malware in a Cloud Service Provider's environment (communication facility).

14.1 System Acquisition, Development and Maintenance / Security Requirements of Information Systems

Objective: To ensure that information security is an integral part of information systems across the entire lifecycle. This also includes the requirements for information systems which provide services over public networks.

14.1.2 System Acquisition, Development and Maintenance / Security Requirements of Information Systems / Securing application services on public networks

Information involved in application services passing over public networks shall be protected from fraudulent activity, contract dispute and unauthorized disclosure and modification.

P The Deep Discovery Inspector, Deep Security, and SecureCloud all make use of the SSL protocol to provide self-protection of the product and the organization's data when communication is established between the different components of the product over the network. In addition, SSH is used to protect the data in transit when command line control is required to access the product(s). Connections to other Trend Micro services such as the Smart Protection Network, Threat Management Services, and Control Manager are protected by SSL communications links.

14.1.3 System Acquisition, Development and Maintenance / Security Requirements of Information Systems / Protecting application services transactions

Information involved in application service transactions shall be protected to prevent incomplete transmission, mis-routing, unauthorized message alteration, unauthorized disclosure, unauthorized message duplication or replay.

P The Deep Discovery Inspector, Deep Security, and SecureCloud all make use of the SSL protocol to provide self-protection of the product and the organization's data when communication is established between the different components of the product over the network. In addition, SSH is used to protect the data in transit when command line control is required to access the product(s). Connections to other Trend Micro services such as the Smart Protection Network, Threat Management Services, and Control Manager are protected by SSL communications links.

14.2 System Acquisition, Development and Maintenance / Security in Development and Support Processes


14.2.2 System Acquisition, Development and Maintenance / Security in Development and Support Processes / System change control procedures

Changes to systems within the development lifecycle shall be controlled by the use of formal change control procedures.

E P Deep Security and Deep Discovery Inspector are products which have been validated, or are under evaluation, by the Common Criteria (ISO 15408) Scheme to the EAL2 level. This level of assurance demonstrates, through active investigation, how changes to the security mechanisms are formally controlled under the Development, Life Cycle Support, Tests, and Vulnerability Assessment assurance classes.

At an enterprise level Deep Security can provide an indication of changes made to a system through the Integrity Monitoring function. Integrity Monitoring allows an organization to monitor specific areas on a computer for changes. Deep Security has the ability to monitor installed software, running services, processes, files, directories, listening ports, registry keys, and registry values. It functions by performing a baseline scan of the areas on the computer specified in the assigned rules and then periodically rescanning those areas to look for changes.
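The baseline-then-rescan behaviour described above, as an added Python illustration (not Deep Security's own code): it hashes every regular file under a directory, then rescans and reports created, modified, permission-changed and deleted files. The include_ext filter and the sample directory tree are assumptions constructed for the demo.

```python
import hashlib
import os
import stat
import tempfile
from typing import Dict, List, Tuple

# A snapshot maps a relative path to (SHA-256 hex digest, permission bits).
Snapshot = Dict[str, Tuple[str, int]]


def _sha256_file(path: str) -> str:
    """Hash a file in chunks so large files are not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def baseline(root: str, include_ext: Tuple[str, ...] = ()) -> Snapshot:
    """Baseline scan: digest and mode bits for every regular file under root.
    include_ext (hypothetical) stands in for the wildcard include/exclude rules."""
    snap: Snapshot = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if include_ext and not name.endswith(include_ext):
                continue
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if not stat.S_ISREG(st.st_mode):
                continue  # symlinks, sockets and devices are not monitored here
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            snap[rel] = (_sha256_file(full), stat.S_IMODE(st.st_mode))
    return snap


def rescan(root: str, base: Snapshot, include_ext: Tuple[str, ...] = ()) -> List[Tuple[str, str]]:
    """Rescan and diff against the baseline; return (event, path) pairs."""
    current = baseline(root, include_ext)
    events: List[Tuple[str, str]] = []
    for rel, (digest, mode) in sorted(current.items()):
        if rel not in base:
            events.append(("created", rel))
        elif digest != base[rel][0]:
            events.append(("modified", rel))
        elif mode != base[rel][1]:
            events.append(("permissions_changed", rel))
    for rel in sorted(base):
        if rel not in current:
            events.append(("deleted", rel))
    return events


def demo() -> List[Tuple[str, str]]:
    """Constructed sample tree: baseline it, tamper with it, then rescan."""
    root = tempfile.mkdtemp(prefix="fim_demo_")
    os.makedirs(os.path.join(root, "etc"))
    files = {"etc/app.conf": "listen=443\n", "etc/hosts": "127.0.0.1 localhost\n",
             "etc/run.sh": "#!/bin/sh\necho ok\n"}
    for rel, body in files.items():
        with open(os.path.join(root, rel), "w") as fh:
            fh.write(body)
    os.chmod(os.path.join(root, "etc", "run.sh"), 0o644)
    base = baseline(root)
    # Simulated changes an operator would want flagged on the next scan.
    with open(os.path.join(root, "etc", "app.conf"), "a") as fh:
        fh.write("debug=true\n")
    os.remove(os.path.join(root, "etc", "hosts"))
    os.chmod(os.path.join(root, "etc", "run.sh"), 0o755)
    with open(os.path.join(root, "etc", "new.key"), "w") as fh:
        fh.write("constructed-sample\n")
    return rescan(root, base)


if __name__ == "__main__":
    for event, path in demo():
        print(f"{event:20s} {path}")
```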

14.2.6 System Acquisition, Development and Maintenance / Security in Development and Support Processes / Secure development environment

Organizations shall establish and appropriately protect secure development environments for system development and integration efforts that cover the entire system development lifecycle.

E P At the enterprise level Deep Security can be used to enforce secure zones for development, test, and production environments across the entire systems development lifecycle by a combination of firewall and security policy rules which can follow virtual machines that are moved into different environments. SecureCloud can, through the use of encryption, protect data in the different environments and provide the cryptographic safeguards to permit testing using actual organizational or customer data.

Trend Micro provides a secure product development environment in terms of personnel, processes and technology by implementing a secure development environment for specific system development efforts, taking into consideration:

- sensitivity of data to be processed, stored and transmitted by the system;

- applicable external and internal requirements, e.g. from regulations or policies;

- security controls already implemented by the organization that support system development;

- trustworthiness of personnel working in the environment;

- the degree of outsourcing associated with system development;

- the need for segregation between different development environments;

- control of access to the development environment;

- monitoring of change to the environment and code stored therein;

- backups are stored at secure offsite locations; and

- control over movement of data from and to the environment.

The development environment also makes use of Configuration Management (CM) tools. The CM tools used within the development environment reduce the likelihood that accidental or unauthorized modifications of the products will occur. The CM system ensures the integrity of the products from early design stages through all subsequent maintenance efforts.

Deep Discovery Inspector is validated, and Deep Security is currently under evaluation, against the Configuration Management Security Assurance Requirements for Common Criteria (ISO 15408) EAL2 certification.

14.2.8 System Acquisition, Development and Maintenance / Security in Development and Support Processes / System Security Testing

Testing of security functionality should be carried out during development.

P Deep Discovery Inspector v3.1 has been EAL2 certified by the Common Criteria Evaluation and Certification Scheme, and Deep Security v9.5 is currently being evaluated to EAL2; both have demonstrated testing of security functionality to third-party testing authorities.

15.1 Supplier Relationships / Security Requirements of Information Systems

Objective: To ensure protection of the organization's assets that are accessible by suppliers.

15.1.3 Supplier Relationships / Security Requirements of Information Systems / Information and communication technology supply chain

Agreements with suppliers shall include requirements to address the information security risks associated with information and communications technology services and product supply chain.

P Deep Discovery Inspector v3.1 has been EAL2 certified by the Common Criteria Evaluation and Certification Scheme, and Deep Security v9.5 is currently being evaluated to EAL2; both have demonstrated a secure delivery method within the supply chain.


15.2 Supplier Relationships / Supplier Service Delivery Management

Objective: To maintain an agreed level of information security and service delivery in line with supplier agreements.

15.2.2 Supplier Relationships / Supplier Service Delivery Management / Managing changes to supplier services

Changes to the provision of services by suppliers, including maintaining and improving existing information security policies, procedures and controls, shall be managed, taking account of the criticality of business information, systems and processes involved and re-assessment of risks.

P Deep Discovery Inspector v3.1 has been EAL2 certified by the Common Criteria Evaluation and Certification Scheme, and Deep Security v9.5 is currently being evaluated to EAL2; both have demonstrated how the life cycle support and delivery procedures necessary to maintain security when distributing versions of the product to the consumer organization are formally controlled.

16.1 Information Security Incident Management / Management of Information Security Incidents and Improvements

Objective: To ensure a consistent and effective approach to the management of information security incidents, including communication on security events and weaknesses.

16.1.2 Information Security Incident Management / Management of Information Security Incidents and Improvements / Reporting information security events

Information security events shall be reported through appropriate management channels as quickly as possible.

E The Implementation Guidance for this control addresses reporting when a "breach of information integrity, confidentiality or availability expectations" has occurred. Deep Discovery Inspector provides breach detection and, when integrated with the Threat Management Services Portal (TMSP), builds intelligence about an organization's network by providing reports at the executive or administrative level.

Administrative-level reports keep IT security personnel informed about the latest threats and provide action items that help defend the network from these threats. Executive-level reports inform key security stakeholders and decision makers about the network’s overall security posture, allowing them to fine tune security policies and strategies to address the latest threats.

Deep Security, through the Intrusion Prevention module, protects computers from attacks against known and zero-day vulnerabilities, as well as against SQL injection attacks, cross-site scripting attacks, and other web application vulnerabilities.

It shields vulnerabilities until code fixes can be completed. It identifies malicious software accessing the network and increases visibility into, or control over, applications accessing the network. Intrusion Prevention prevents attacks by detecting malicious instructions in network traffic and dropping the relevant packets. The Log Inspection module provides visibility into important security events buried in log files. It optimizes the identification of important security events across multiple log entries throughout the data center, and reports and forwards suspicious events to a SIEM system or centralized logging server for correlation, reporting and archiving.

16.1.4 Information Security Incident Management / Management of Information Security Incidents and Improvements / Assessment of and Decision on Information Security Events

Information security events shall be assessed and it shall be decided if they are to be classified as information security incidents.

E Deep Discovery Inspector contains a list of hosts experiencing an event (threat behavior with potential security risks, known threats, or malware) for the past 1-hour, 24-hour, 7-day, or 30-day period. Deep Discovery Inspector tags these events as security risks/threats and makes a copy of the files for assessment. Deep Discovery Inspector also maintains logs about security incidents and events and generates reports to assist administrators in determining the types of incidents, such as APTs and other IOCs, affecting the network. Deep Security, through the Smart Scan capability, references threat signatures that are stored on Trend Micro servers. When Smart Scan is enabled, Deep Security scans and assesses the security risks locally. Web addresses that are known to be or are suspected of being malicious are assigned a risk level, and the Log Inspection engine assesses tags generated within the log files being inspected.

16.1.5 Information Security Incident Management / Management of Information Security Incidents and Improvements / Response to information security incidents

Information security incidents shall be responded to in accordance with the documented procedures.

E Deep Discovery Inspector and Deep Security provide functionality to help satisfy the needs of the 16.1.5 detailed "Implementation Guidance:

a) collect evidence as soon as possible after the occurrence;

b) conduct information security forensics analysis;

c) escalation as required;

d) ensuring that all involved response activities are properly logged for later analysis;

e) communicate the existence of the information security incident or any relevant details thereof to other internal and external people or organizations with a need-to-know;

f) deal with information security weakness(es) found to cause or contribute to the incident; and

g) once the incident has been successfully dealt with, formally closing and recording it. Post-incident analysis should take place, as necessary, to identify the source of the incident."


16.1.6 Information Security Incident Management / Management of Information Security Incidents and Improvements / Learning from information security incidents

Knowledge gained from analyzing and resolving information security incidents shall be used to reduce the likelihood or impact of future incidents.

E P The Deep Discovery Inspector, when integrated with the Threat Management Services, provides organizations with an effective way to discover and mitigate APTs and IOCs, and to manage stealthy and zero-day internal threats. Threat Management Services brings together security experts and a host of solutions to provide ongoing security services. These services ensure timely and efficient responses to threats, identify security gaps that leave the network vulnerable to threats, help minimize data loss, significantly reduce damage containment costs, and simplify the maintenance of network security.

Threat Management Services combines years of Trend Micro network security intelligence and in-the-cloud servers that are part of Trend Micro Smart Protection Network to identify and respond to next-generation threats.

16.1.7 Information Security Incident Management / Management of Information Security Incidents and Improvements / Collection of evidence

The organization shall define and apply procedures for the identification, collection, acquisition and preservation of information, which can serve as evidence.

E The Deep Discovery Inspector can support this requirement through the Virtual Analyzer, which is a secure virtual environment used to analyze files and network traffic. Virtual Analyzer performs static analysis and behavior simulation to identify potentially malicious characteristics. During analysis, Virtual Analyzer rates the characteristics in context and then assigns a risk level to the sample based on the accumulated ratings. Virtual Analyzer includes the following features:

- Threat execution and evaluation summary

- In-depth tracking of malware actions and system impact

- Network connections initiated

- System file/Registry modification

- System injection behavior detection

- Identification of malicious destinations and command-and-control (C&C) servers

- Exportable forensic reports and PCAP files

- Generation of complete malware intelligence for immediate local protection

The Deep Security product can also generate pcap files for evidence purposes.

18.1 Compliance / Compliance with Legal and Contractual Requirements

Objective: To avoid breaches of legal, statutory, regulatory or contractual obligations related to information security and of any security requirements.

18.1.3 Compliance / Compliance with Legal and Contractual Requirements / Protection of records

Records shall be protected from loss, destruction, falsification, unauthorized access and unauthorized release, in accordance with legislatory, regulatory, contractual and business requirements.

E Deep Security Integrity Monitoring can be used to detect loss of, and modification to, organizational records.

Additional Integrity Monitoring and Logging functionality can be achieved through the use of the Deep Security Agent installed on a specific VM. Integrity Monitoring includes:

- Security Profiles, which allow Integrity Monitoring rules to be configured for groups of systems or for individual systems. For example, all Windows 2003 servers use the same operating system rules, which are configured in a single Security Profile used by several servers. However, each server has unique requirements, which are addressed at the individual Host configuration level.

- Flexible, practical monitoring that optimizes monitoring activities. The rule creation and modification interface includes the ability to include or exclude files using wildcard filenames, control over inspection of sub-directories, and other features.

SecureCloud's FIPS 140-2 validated encryption services provide the cryptographic safeguards to prevent the unauthorized access and release of organizational records.

18.1.5 Compliance / Compliance with Legal and Contractual Requirements / Regulation of cryptographic controls

Cryptographic controls shall be used in compliance with all relevant agreements, legislation and regulations.

E P SecureCloud uses encrypted drives, which are encrypted at the drive level (Full Disk Encryption) using FIPS 140-2 Level 2 certified cryptographic libraries (Validation Number 1123).
