Protect Microsoft Azure Virtual Machines with Deep Security Manager

To use Deep Security Manager to protect Microsoft Azure Virtual Machines (VM), you must:

  1. Add Virtual Machines from a Microsoft Azure cloud account to Deep Security.
  2. Create a Policy.
  3. Configure the communication direction.
  4. Deploy Deep Security Agents.

Add Virtual Machines from a Microsoft Azure cloud account to Deep Security

The procedure for adding your virtual machines to Deep Security depends on which version of Deep Security you are running. To figure out which procedure you should use, go to the Computers page in your Deep Security Manager. If you see an Add button, follow the instructions for recent versions. If you see a New button, follow the instructions for earlier versions.

If you are running a recent version of Deep Security (including Deep Security as a Service)

If you have already added Azure VMs that are part of this Azure account, they will be moved in the tree structure to appear under this account.

  1. On the Computers page, click Add > Add Azure Account.
  2. Enter the account credentials used to log into the Azure portal and click Sign in.

    The account must be the owner of the Azure subscription and must have the Global Admin role in your Azure Active Directory. These privileges are required so that Deep Security can automate the provisioning of a Service Principal object in your Azure Active Directory. Deep Security uses that Service Principal object to authenticate itself to your Azure subscription so that it can invoke the necessary Azure APIs to synchronize your Azure VMs in the Deep Security Manager console. For instructions on creating a user with global administrator rights, see Microsoft's Add new users or users with Microsoft accounts to Azure Active Directory article.

  3. Click Accept on the Deep Security Connector permissions page.
  4. Select the Azure Active Directory and Subscription Name and click Next.
  5. Review the summary information and click Finish.

The Azure virtual machines now appear in the Deep Security Manager under their own branch on the Computers page.

If you are running an earlier version of Deep Security

To import cloud resources into Deep Security Manager, Deep Security users must first have an account with which to access the cloud provider service resources. For each Deep Security user who will import a cloud account into the Deep Security Manager, Trend Micro recommends creating a dedicated account for that Deep Security Manager to access the cloud resources. That is, users should have one account to access and control the virtual machines themselves, and a separate account for their Deep Security Manager to connect to those resources.

Having a dedicated account for Deep Security ensures that you can refine the rights and revoke this account at any time. It is recommended to give Deep Security an access key or secret key with read-only rights at all times.
The Deep Security Manager only requires read-only access to import the cloud resources and manage their security.

If you have already added Azure VMs that are part of this Azure account, they will be moved in the tree structure to appear under this account.

  1. On the Computers page, click New > Add Cloud Account.

    The cloud account wizard will start.

  2. Select Azure from the Provider Type list.
  3. Enter your Subscription ID, Key Pair and Key Pair Password, and click Next.

The Azure virtual machines now appear in the Deep Security Manager under their own branch on the Computers page.

Create a Policy

After you have added Microsoft Azure virtual machines to Deep Security, your next step is to customize the default policies to suit your particular requirements before you deploy Deep Security Agents to protect your VM instances.

You have two options for creating a policy:

  • You can make a duplicate copy of one of the server policies that comes with Deep Security and modify it as required.
  • You can build your own policy using the Base Policy as your starting point.

It is recommended that you make a duplicate of the policy that most closely relates to the resources you will be protecting (for example, a Windows 2008 or Linux server) and modify it. For example, you can select the Windows Server 2012 policy in Deep Security Manager, create a duplicate of the policy, and assign the new policy a unique name. You can then open the new policy and customize the security module settings as required for your environment. Duplicate a policy

Configure the communication direction

You have to configure how Deep Security Manager will communicate with Deep Security Agents before you deploy them. There are three options for communication between Deep Security Manager and Deep Security Agents: Bidirectional, Manager Initiated, and Agent Initiated. If Deep Security Manager is installed either on premises or on a different cloud service from the Deep Security Agent, we recommend that you select Agent-Initiated communication as the communication direction.

  1. Right-click the policy you want to configure in the Policies tab of Deep Security Manager and select Details.
  2. Go to Settings > Computer > Communication Direction and select an option from the list.

If the Deep Security Manager and Deep Security Agent are on a separate cloud service, select Agent/Appliance initiated. If they are on the same cloud service, select Bidirectional.

  1. Click Save to apply the changes.

For more information on agent-initiated communication, see Use agent-initiated communication with cloud accounts.

Deploy Deep Security Agents

The final step in protecting your Microsoft Azure Virtual Machines is to deploy Deep Security Agents to protect your Azure virtual machines. You can do this in the following four ways:

Add the Deep Security extension to the Microsoft Azure management portal

When you create an Azure virtual machine, you can add the Trend Micro Deep Security Agent to your virtual machine in the Extensions setting. This installs the Deep Security Agent software and also registers the Deep Security Agent with the Deep Security Manager.

  1. Log in to the Azure portal, click +New in the Create blade, click Compute in the Compute blade, and select the virtual machine image you want to create.
  2. Enter the information required by Azure in the Create VM blade and then select Optional Configuration.
  3. Click Extensions in the Optional Configuration blade, click +Add extension in the Extensions blade, select Trend Micro Deep Security in the New Resource blade, and then click Create.
  4. Enter the required information for the extension and then click OK:
Add extension Tenant Identifier The tenant ID of your Deep Security Manager. If you subscribed to Deep Security within Azure, it will be displayed on the blade created for the Deep Security service. Alternatively, you can find the tenant ID embedded within the deployment script dialog box in Deep Security Manager.
Tenant Activation Password The tenant password of your Deep Security Manager. If you subscribed to Deep Security within Azure, it will be displayed on the blade created for the Deep Security service. Alternatively, you can find the tenant password embedded within the deployment script dialog box in Deep Security Manager
Security Policy Identifier (optional) The policy ID in your Deep Security Manager that you want to assign to this Azure VM. It is displayed in the deployment script generated by Deep Security Manager.

Generate and run a deployment script

Instead of manually installing agents on Microsoft Azure Virtual Machines, you can use Deep Security to generate deployment scripts for automatically deploying agents using deployment tools such as RightScale, Chef, Puppet, and SSH.

  1. Select Support > Deployment Scripts in the upper-right corner of Deep Security Manager.
  2. Select the platform where you re deploying the Deep Security Agent.
  3. Select Activate Agent automatically after installation.

Deep Security Agents must be activated by the Deep Security Manager before a protection policy can be implemented.

  1. Copy the script generated by they Deployment Script Generator and save it as a PowerShell (.ps1) or bash shell script (.sh) file.

Do not copy <PowerShell> and </PowerShell> tags in the script for the Windows platform.

Example deployment script for a VM

  1. Run the deployment script on an existing virtual machine.

You can run the deployment script as a shell script or batch file on a virtual machine that is already running. For example, log in to your Windows VM using Remote Desktop, open the PowerShell application, and right-click to paste the deployment script.

Add a custom script extension to an existing virtual machine

You can also add a custom script extension to an existing virtual machine to deploy and activate the Deep Security Agent. To do this, navigate to your existing virtual machine in the Azure management portal and follow the steps below to upload and execute the deployment script on your Azure VM.

  1. Log in to the Azure portal, switch to the preview portal, click the virtual machine that you want to add custom script to, and click All settings in the Virtual Machine blade.
  2. Click Extensions in the Settings blade and then click +Add in the Extensions blade.
  3. Click Custom Script in the New resource blade and then click Create in the Custom Script blade.
  4. Click the upload button under Script File (required) in the Add Extension blade, select the saved .ps1 deployment script and then click OK.
Upload custom script to Azure

Use a PowerShell script to install the Deep Security Extension

The instructions and PowerShell scripts for installing the Deep Security extension are available on our GitHub repository: https://github.com/deep-security/azure-vm-extensions

For more information on using Deep Security as a Service to protect Microsoft Azure virtual machines, see Deep Security as a Service Quick Start Guide (Microsoft Azure).