Comprehensive server security “Trend Micro Cloud One (C1WS)”
About Trend Micro Cloud One - Workload Security (C1WS)
Trend Micro Cloud One - Workload Security (C1WS) centrally manages the security functions necessary for server security for the operation system, network layer, and application layer, achieving multi-layered server defense.
In addition, since the management server is provided by Trend Micro as a cloud-based service (SaaS), customers do not need to build a management server themselves, reducing the burden and cost of daily operational work.
| Trend Micro Cloud One service details | Trend Micro Cloud One - Workload Security |
|---|
Seven security functions provided
① Measures against malicious programs
Protects against malware attacks and blocks access to malicious URLs. By leveraging Trend Micro's Smart Protection Network (SPN), you can detect and prevent malware using the latest threat information.
② Web reputation
Block connections to invalid URLs.
When you access the web from the server, you can check the safety of the URL and block the connection if it is invalid.
Normally, users do not intentionally connect to the Internet from servers, but there are cases where malicious programs connect to C&C servers. In that case, the web reputation feature must block unauthorized connections.
③ Hosted firewall
Detailed policy settings covering layers 2 to 4 are possible, reducing opportunities for external attacks. Because it is hosted, it can protect not only attacks from outside the network, but also communication from infected terminals from the internal network to the server.
It is also possible to set policies for TCP/UDP/ICMP using the stateful inspection function.
④ IDS/IPS (Intrusion Detection/Intrusion Prevention)
It uses virtual patching technology (see below) to protect servers from attacks that exploit vulnerabilities. From the time a vulnerability is discovered until the official patch is released, virtual patching technology can reduce the risk of zero-day attacks that exploit this vulnerability.
It usually takes several weeks after a vulnerability is discovered until an official patch is released, and during that time the computer is vulnerable to attacks that exploit this vulnerability.
We provide countermeasures against such attacks in the form of virtual patches within 48 hours after the vulnerability is discovered. *The response period varies depending on the scoring results (severity of vulnerability, etc.).
⑤ Monitoring changes on the system
It monitors files, directories, registries, etc., and promptly detects any unauthorized changes or tampering. Select a rule that defines "where (monitored targets) and what (monitored attributes) to monitor" and create a list of monitored targets called a baseline. Changes can be detected and administrators can check the details from the log.
⑥ Security log monitoring
Discover critical security events early. It is possible to efficiently discover serious security incidents that are often overlooked due to being buried in a huge amount of log entries from the OS and applications.
You can create a rule to monitor specific log entries and set the severity level of the alert to be raised when a log entry that matches the rule is found.
It is also possible to automatically apply rules suitable for each server using recommended searches. *Separate parameter settings for each rule may be required.
⑦ Application control
Whitelist applications installed on your server to detect and block unauthorized programs when they run. You can monitor software, detect unauthorized software, and allow or block the software from running.
When this feature is enabled, all executable files existing on the target server are listed and registered as a whitelist. If an executable file that is not on the whitelist is detected, the administrator can choose whether to allow or block execution of the file. Allowed or blocked executable files are added to the inventory and referenced when the file is detected again.
Protecting vulnerabilities with virtual patching
A virtual patch is the same as a "band-aid" applied to a wound.
Applying emergency patches is an operational burden and issue for users, but by blocking attack codes that target vulnerabilities at the network level using virtual patching technology, it is possible to use virtual patching technology to block attack codes that target vulnerabilities at the network level. - Compatible with over 100 applications such as Microsoft SQL and Oracle. This makes it possible to reduce the number of emergency patches and reduce the operational burden before vulnerabilities are exploited.
Advantages of virtual patching functionality
Apply "recommended scan function" to allocate virtual patches. The recommended scan function is a function in which the agent automatically scans the system information on the server and finds vulnerabilities on the server.
By automatically applying the necessary signature "virtual patch" to the server, it becomes possible for the server to automatically receive only the necessary protection. Signature adaptation can be automated, allowing you to receive optimal protection with minimal operational overhead.
The agent obtains various information such as "startup service, installation module, and configuration information" on the server OS. Based on this information, it finds vulnerabilities in the server and sends that information to the management server (manager).
The management server (manager) distributes a list of ``virtual patches'', which are signatures to be applied to vulnerabilities discovered on the target server side, to the agents. As a result, server vulnerabilities can receive the protection they need with the necessary virtual patches.
Benefits of implementing virtual patching
Even if a vendor's official patch release is delayed, you can protect against vulnerabilities in advance, allowing you to flexibly control the schedule for applying official patches. This allows you to perform verification work with peace of mind and without panic even if a vulnerability is discovered.
