Deep dive into Trend Micro Deep Security integration modules

Deep dive into Trend Micro Deep Security integration modules

At AnsibleFest 2020, we announced the extension of our security automation initiative to support endpoint protection use cases. If you have missed it, check out the recording of the talk "Automate your endpoint protection using Ansible" on the AnsibleFest page.

Today, following this announcement we release the supported Ansible Content Collection for Trend Micro Deep Security. We will walk through several examples and describe the use cases and how we envision the Collection being used in real world scenarios.

About Trend Micro Deep Security

Trend Micro Deep Security is one of the latest additions to the Ansible security automation initiative. As an endpoint protection solution it secures services and applications in virtual, cloud and container environments. It provides automated security policies and consolidates the security aspects across different environments in a single platform.

How to install the Certified Ansible Content Collection for Trend Micro Deep Security

The Trend Micro Deep Security Collection is available to Red Hat Ansible Automation Platform customers at Automation Hub, our software-as-a-service offering on cloud.redhat.com and a place for Red Hat subscribers to quickly find and use content that is supported by Red Hat and our technology partners.

The blog post "Getting Started with Automation Hub" gives an introduction to Automation Hub and how to configure your Ansible command line tools to access Automation Hub for Collection downloads.

Once that is done, the Collection is easily installed:

ansible-galaxy collection install trendmicro.deepsec

What's in the Ansible Content Collection for Trend Micro Deep Security?

The focus of the Collection is on modules and plugins supporting them: there are modules for interacting with Trend Micro Deep Security agents, like deepsec_firewallrules, deepsec_anti_malware, deepsec_log_inspectionrules and others. Basically the integration modules cover the REST APIs exposed by TM Deep security firewall.  If you are familiar with firewall Collections and modules of Ansible, you will recognize this pattern: all these modules provide the most simple way of interacting with endpoint security and firewall solutions. Using those, general data can be received, arbitrary commands can be sent and configuration sections can be managed.

While these modules provide a great value for environments where the devices are not automated at all, the focus of this blog article is on the endpoint security use-cases where  modules in the respective Collection can help automate. Being modules they have a precise scope, but enable users of the Collection to focus on that particular resource/REST API scenario without being disturbed by other content or configuration items. They also enable a simpler cross-product automation since other security Collections follow the same pattern.

Connect to Trend Micro Deep Security, the Collection way

The Collection supports httpapi as a connection type.

Trend Micro Deep security currently supports two ways for how their REST API can be interacted with, and for each of the respective cases, the Ansible inventory will be changed slightly as mentioned below:

In case of the newer REST APIs the Ansible inventory will work with the network OS trendmicro.deepsec.deepsec, a Trend Micro API secret key and ab api-version key:

[deepsec]
host_deepsec.example.com

[deepsec:vars]
ansible_network_os=trendmicro.deepsec.deepsec
ansible_httpapi_use_ssl=true
ansible_httpapi_validate_certs=false
ansible_connection=httpapi
ansible_python_interpreter=/usr/bin/python
ansible_httpapi_session_key={'api-secret-key': 'secret-key', 'api-version': 'v1'}

In case of APIs using the legacy REST APIs, the Ansible inventory will also require the network OS trendmicro.deepsec.deepsec, but uses a username and a password.

[deepsec]
host_deepsec.example.com

[deepsec:vars]
ansible_network_os=trendmicro.deepsec.deepsec
ansible_user=admin
ansible_httpapi_pass=password
ansible_httpapi_use_ssl=true
ansible_httpapi_validate_certs=false
ansible_connection=ansible.netcommon.httpapi
ansible_python_interpreter=python

Note that in a productive environment those variables should be supported in a secure way, for example, with the help of Red Hat Ansible Tower credentials

Use Case: Firewall Rule Configuration

A firewall is highly flexible and users can configure it to be restrictive or permissive. Like the intrusion prevention and web reputation modules, firewall policies are based on two principles: either they can permit any service unless it is explicitly denied or they deny all services unless explicitly allowed.

For example, using Ansible and Trend Micro Deep Security integration, modules users can take a restrictive firewall approach. This is often the recommended practice from a security perspective: All traffic is stopped by default and only traffic that's explicitly allowed is permitted.

A playbook to implement the "deny all traffic" approach is shown in the following listing:

---
- name: Deny all traffic
  hosts: deepsec
  collections:
   - trendmicro.deepsec
  gather_facts: false
  tasks:
   - name: Create Restrictive firewall rule
     trendmicro.deepsec.deepsec_firewallrules:
       state: present
       name: deny_all_firewallrule
       description: Deny all traffic by default over tcp
       action: deny
       priority: "0"
       source_iptype: any
       destination_iptype: any
       direction: incoming
       protocol: tcp
       tcpflags:
         - syn

Running this play will create a firewall rule that'll explicitly deny all TCP syn bound traffic. Keep in mind that the state keyword is used and set to present. It means that the specified rule is created and that the module will go ahead and create the config rule. On the contrary, if the user wants to delete/drop any specific firewall rule, then the state should be set to absent: in that case, during the play run, the module will check if the specified firewall rule pre-exists and if so the module will go ahead and delete/drop the respective firewall rule config.

Use Case: Antimalware Rule Configuration

Antimalware config helps agents on computers by providing real-time and on-demand protection against a variety of file based threats including malware, viruses, trojans and spyware. Using Ansible deepsec antimalware config module, users can fire all types of available scans:

  • Real-time scan
  • Manual scan
  • Scheduled scan
  • Quick scan

The playbook example we'll be discussing here will be with respect to real time scans as based on incident responses. Users can check for the threats and quarantine the observed threats.

---
- name: Scan and Quarantine in TrendMicro agents
  hosts: deepsec
  collections:
   - trendmicro.deepsec
  gather_facts: false
  tasks:
   - name: Create AntiMalware config
     trendmicro.deepsec.deepsec_anti_malware:
       name: scan_real_time
    description: scan and quarantine via anti-malware config
    scan_action_for_virus: pass
    alert_enabled: true
    scan_type: real-time
    real_time_scan: read-write
    cpu_usage: medium
       scan_action_for_virus: quarantine
       scan_action_for_trojans: quarantine
       scan_action_for_cve: quarantine
       scan_action_for_other_threats: quarantine
    state: present

The playbook listed above will create an antimalware config rule, which will initiate a real-time scan over Trend Micro agents every time there's a file received, copied, downloaded or modified. 

All files will be scanned for any security threats. If during the scan the agents detect any threat based on virus, trojans, cve's and others, the agents will display the information with respect to the infected file and the respective files will be quarantined as specified in the playbook.

Use Case: Log Inspection Rule Configuration

The log inspection integration module helps users to identify events that are generally logged at system/OS level. It also includes application logs. Using the log rule configuration, users can forward the logged events to the SIEM system or to some centralized logging server for analytics, reporting and archiving.

Log inspection helps in real-time monitoring of third parties log files as well. The playbook listed below creates a rule for log inspection.

---
- name: Set up log inspection
  hosts: deepsec
  collections:
   - trendmicro.deepsec
  gather_facts: false
  tasks:
   - name: Create a Log inspection rule
     trendmicro.deepsec.deepsec_anti_malware:
       state: present
       name: custom log_rule for mysqld event
       description: some description
       minimum_agent_version: 6.0.0.0
       type: defined
       template: basic-rule
       pattern: name
       pattern_type: string
       rule_id: 100001
       rule_description: test rule description
       groups:
         - test
       alert_minimum_severity: 4
       alert_enabled: true
       log_files:
         - location: /var/log/mysqld.log
           format: mysql-log
     register: log