Deep Security 11.0
Below are the major changes in Deep Security 11.0:
- FIPS 140-2 support: This release provides settings that enable you to run Deep Security in a mode that is compliant with FIPS 140-2 standards. For details, see FIPS 140-2 support.
- Application control - software changes filter exclusions: The Actions page shows all software change events and the list can get very long, especially on servers running many applications. Previous releases allowed you filter the list using the "contains" operator, which is useful when looking for a particular event. This release adds a new "does not contain" filtering option that enables you to filter out all software changes occurring in a particular directory or created by a particular process. You can use this option to focus on remaining software change events so you can look for anomalies or areas of interest. See Set up application control.
- Integrity monitoring - improvements to real-time scans: Real-time file integrity monitoring is now provided using the Application Control engine and allows real-time detection of file changes on Linux agents. Previously, Linux integrity scans were scheduled only. The updated file monitoring engine also captures information about who made changes to a monitored file. This feature is supported with Deep Security Agent 11.0 or later. For details about which platforms support this feature, see Supported features by platform.
- Support for mature agent platforms: A core value of Deep Security is the breadth of platform support and deployment flexibility we provide our customers. As a result of customer feedback, we have re-introduced support for some older platforms in Deep Security 11.0. For a complete list of Deep Security Agent platforms and versions supported with Deep Security Manager 11.0, see Deep Security Agent platforms .
We do encourage customers to upgrade agents regularly. New agent releases provide additional security features and protection, higher quality, performance improvements, and updates to stay in sync with releases from each platform vendor. Due to the technical challenges of supporting mature OS platforms beyond the OS vendor extended end of support date, it may not be possible to support all features on mature platforms. Please see Supported features by platform for details on which features are supported on each platform.
- New support for Amazon Linux 2: There is a new Deep Security 11.0 Agent for Amazon Linux 2.
- Minimum TLS version enforcement: In 2015, the Payment Card Industry Security Standards Council (PCI SSC) extended the migration completion date to 30 June 2018 for transitioning from SSL and TLS 1.0 to a secure version of TLS. Many enterprises, in response to public exploits such as POODLE, have already started and completed the migration to TLS 1.2. For others, the June 30, 2018 deadline will be the event that drives completion of the migration across all solution components. Deep Security provides configuration flexibility to support customers who would like to enforce TLS 1.2 to increase the overall security of their deployment and meet PCI obligations. Deep Security also provides backward compatibility with TLS 1.0 to ensure customers who require interoperability with older components have the flexibility to do so, if required. For details, see Use TLS 1.2 with Deep Security.
- Deep Security 11.0 is ArcSight Certified. For details, see https://marketplace.microfocus.com/arcsight/content/trend-micro-deep-security.
Deep Security 11.0 also includes these features that were previously delivered in the Deep Security 10.3, 10.2, and 10.1 feature releases:
- Cloud VDI (Amazon WorkSpaces support): Amazon WorkSpaces is a fully managed, secure desktop computing service that runs on the AWS cloud. Deep Security 10.3 or later offers improved management capabilities for Amazon WorkSpaces. For more information, see Add Amazon WorkSpaces.
- Relay management: This release makes it easier to manage your relay-enabled agents. With previous releases, customers sometimes accidentally promoted Deep Security Agents to act as relays. With this release, the "Enable Relay" button has been removed from the Computers page. You can now perform all actions related to relays from the new Administration > Relay Management page. For customers who have accidentally promoted an agent to a relay, demoting the relay back to an agent is now a much simpler process. For more information, see Distribute security and software updates with relays.
- Advanced threat detection (machine learning): Advanced threats have become the most prevalent form of attack. While there is a still a need for signature based anti-malware, there is an increased need for advanced forms of malware detection. Deep Security offers strong protection from known and unknown threats in our customers environments. Machine learning is the next step in the evolution of detecting those unknown threats. For more information, see Predictive Machine Learning and Detect emerging threats using Predictive Machine Learning This feature is supported with Deep Security Agent 10.2 or Deep Security Virtual Appliance 10.2 (or later).
- Application control - new platform support: Application control, which was introduced in Deep Security 10.0, is now supported on Windows and additional Linux platforms. For details, see Supported features by platform.This feature is supported with Deep Security Agent 10.1 (or later).
- Application control - global block by hash: Application control has been enhanced with a new "block by hash" feature that enables administrators to submit known bad hash values to Deep Security for Application Control blacklist enforcement. The control will now recognize a new "global rule set" that includes a list of hash values to be blocked. This rule set takes precedence over any other rules from existing shared or local rule sets, and will be enforced by every Deep Security Agent enabled with Application Control. This feature provides a simple way for users to block unwanted or bad software from running at a global system-wide level. The design allows the workflow to be fully automated, with APIs for creating the global rule set, adding and deleting hash values. For more information, see Reset application control after too much software change. This feature is supported with Deep Security Agent 10.2 (or later).
- Application control - trusted updater: Application control creates a software change event log whenever new executable files are detected on protected systems. Sometimes these changes are generated as part of the normal operation of trusted software. For example, when Windows self-initiates a component update, hundreds of new executable files may be installed. Application control will now auto-authorize many file changes that are created by well-known Windows processes and not create corresponding change log events for them. Removing the "noise" associated with expected software changes provides you with clearer visibility into changes that may need your attention. This feature is supported with Deep Security Agent 10.2 (or later).
- Application control - security event aggregation: Application control now includes event aggregation logic that will reduce the volume of logs when the same event occurs repeatedly. This removal of redundant entries makes it easier to see important application events. This feature is supported with Deep Security Agent 10.2 (or later).
- Fail open option: The Deep Security network driver for intrusion prevention and firewall controls was designed for "fail closed" behavior, which puts the Deep Security Agent into a block state when maximum threshold limits are exceeded. This design objective ensures that protected computers are not exposed if the security service is subjected to a denial of service attack. In this release, you can choose to change this behavior and allow traffic in certain failure scenarios. For more information, see "Failure response" in Network engine settings. This feature is supported with Deep Security Agent 10.2 (or later).
- Tipping Point Equivalent Rule ID Mapping: Many customers are benefiting from both Tipping Point network security and Deep Security host security. To make it easier for you to know which Deep Security intrusion prevention rule maps to an equivalent Tipping Point rule, the Intrusion Prevention Rules table can now display a "Tipping Point ID" column that will show the equivalent Tipping Point rule if it exists. For more information, see Configure intrusion prevention rules.
- Identity provider support via SAML 2.0: When Deep Security is deployed and configured to work with your identity provider, there is no longer a need to manage administrative users directly in Deep Security. In addition, you can leverage features of your IdP, such as password strength and change enforcement, one-time password (OTP), and two-factor or multi-factor authentication (2FA/MFA) when signing in to Deep Security using SAML. Supported identity providers include Active Directory Federation Services (ADFS), Okta, PingOne, and Shibboleth. For more information, see Implement SAML single sign-on.
- Single deployment script for Windows and Linux: Deep Security Manager now provides a single curl deployment script for both Windows and Linux agents and enables you to add a proxy setting. For more information, see Use TLS 1.2 with Deep Security.
- New support for Microsoft Windows Server 2016: Deep Security Manager is supported on Windows Server 2016. (Deep Security Agent was already supported on Microsoft Windows Server 2016.)
- New support for Microsoft SQL 2016: Deep Security supports the use of Microsoft SQL 2016 for its database. It also supports Microsoft SQL Server 2016 Express in certain limited deployments. For details, see Microsoft SQL Server Express considerations.
- Support for Amazon RDS PostgreSQL Multi-AZ deployments: Customers who use Deep Security AMI from AWS Marketplace or implement software installations to AWS may use RDS PostgreSQL as the Deep Security Manager database. Amazon RDS provides high availability and failover support for database instances using Multi-AZ deployments. For more information, see https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Concepts.MultiAZ.html.
- PostgreSQL support: Deep Security supports the use of PostgreSQL as a low-cost database option. This option is supported only with new installations of Deep Security 11.0 or upgrades of Deep Security 10.1 or later that used PostgreSQL as the Deep Security database. For more information, see
Prepare a database for Deep Security Manager on AWS.
- PostgreSQL multi-tenant support: The initial introduction of PostgreSQL support in Deep Security 10.1 was limited to single-tenant deployments. In version 10.2 or later, Deep Security supports multi-tenant deployments with PostgreSQL. For more information, see
Prepare a database for Deep Security Manager on AWSand Set up a multi-tenant environment.
- SQL Server Express support: Deep Security supports the use of SQL Server Express in certain limited deployments. For details, see Microsoft SQL Server Express considerations.
- Docker enhancements: Deep Security 10.1 continued to build on the feature set introduced in Deep Security 10.0. Enhancements include container information for anti-malware events. This feature is supported with Deep Security Agent 10.1 (or later).
- News feed: The news feed feature enables you to stay up-to-date on product related topics. For more information, see How do I get news about Deep Security?
- Computers page enhancements: Changes to the Computers page in the Deep Security Manager provide a more intuitive experience and improved page responsiveness.
- Zero impact network driver install: Agent upgrades no longer cause a brief server network disconnect. This allows non-disruptive upgrades on production networks. This feature is supported with Deep Security Agent 10.1 (or later).
- Time-boxed anti-malware scans: You can now specify a timeout value for scheduled malware scans. (Go to Administration > Scheduled Tasks and add or edit a Scan Computers for Malware scheduled task.) The timeout option is available for daily, weekly, monthly, and once-only scans. When a scheduled malware scan is running and the timeout limit has been reached, any tasks that are currently running or pending will be canceled. Combined with a start time setting, scans can now be time-boxed so they can run exclusively during non-impacting hours. This feature is supported with Deep Security Agent 9.6 or Deep Security Virtual Appliance 10.0 (or later).
- Real-time anti-malware scans for Oracle Linux: Real-time anti-malware scanning is now supported on Oracle Linux 6 (64-bit) and Oracle Linux 7 (64-bit). This feature is supported with Deep Security Agent 10.0 (or later).