Changes to Deep Security feature releases in 2019

Deep Security feature releases (FR) are changing in 2019. This article highlights some of the key changes and what this means for you.

For more information, please review the Deep Security release strategy and life cycle policy.

Feature release timing, naming, and versions

  Prior feature releases (10.x, 11.x) New Deep Security 12 feature releases Notes
Timing Quarterly As features and fixes become available Initially, the interval between feature releases will be approximately 4 weeks, but that interval will become shorter.

There is no expectation that you can or will be able to upgrade to every feature release - select the ones you want and skip the ones you do not.
Naming
  • Deep Security 10 Feature Release 1
  • Deep Security 10 Feature Release 2
  • Deep Security 10 Feature Release 3
  • Deep Security 11 Feature Release 1
  • Deep Security 11 Feature Release 2
  • Deep Security 11 Feature Release 3
Deep Security 12 Feature Release (yyyy-mm-dd) Example: Deep Security 12 Feature Release (2019-07-01)
Versions 10.1, 10.2, 10.3, 11.1, 11.2, 11.3 12.5.xxx Deep Security Manager and Deep Security Agent feature release builds can be identified by the minor version (.5).

Simplified support policy

Content

The support policy for feature releases has been updated to ensure that customers using feature releases will never be put in a situation where, during the support experience, they are asked to move to a long-term support (LTS) release to access a fix. All bug and vulnerability fixes available for LTS releases will also be available to customers using the feature releases.

Policy details and a summary table can be found in the "Support services" section of the Deep Security release strategy and life cycle policy.

Duration

All feature release builds are fully supported for 18 months after their release date.

Where are fixes delivered?

Similar to the policy for LTS updates, any fixes required for feature releases will be delivered in the next feature release build.

Upgrades

Each feature release build supports upgrades from any feature release build released in the previous 18 months.

For example, an upgrade from Deep Security 12 Feature Releases (2019-07-01) to Deep Security 12 Feature Releases (2020-12-01) would be supported because there is only an 18-month gap between the releases. An upgrade from Deep Security 12 Feature Releases (2019-06-01) to Deep Security 12 Feature Releases (2021-01-01) would not be supported because there is a 19-month gap between releases.

Downgrades from the Deep Security 12 FR to Deep Security 12 LTS are not supported. If you upgrade to a feature release, the only supported paths back to an LTS release are to perform a fresh install or to wait until the next LTS release.

Should I use long-term support (LTS) releases or feature releases (FR)?

The following table highlights some key questions and considerations when deciding to use LTS or FR software.

Question Considerations for LTS releases Considerations for FRs
Do I want access to the latest features? LTS updates only include vulnerability and bug fixes. FR releases include new features, as well as vulnerability and bug fixes.
How frequently do I plan to upgrade?

LTS releases have 3 years of standard support and 4 years of extended support.

Upgrades are supported from the last two LTS releases (for example, 10.0 to 12 is supported, but 9.6 to 12 is not).

While we recommend updating software as frequently as possible to ensure you have access to the latest fixes and updates, the minimum requirement for LTS releases is that you upgrade at least every 2 years. This ensures that you are on a supported release and that you can directly upgrade to the latest LTS release.

FRs have 18 months of support

The best practice is to upgrade every 12 months to ensure you can always upgrade to the latest available FR.

What is my risk tolerance? LTS updates only include vulnerability and bug fixes, which removes the complexity associated with introducing new features.

FR releases include both vulnerability and bug fixes as well as new features.

New features are being introduced regularly, so if you need to take a new build to get a critical fix, that build may also include new features.

My risk tolerance is low on my production workloads, but I'd still like to try new features and work with Trend Micro to provide feedback on new features. Is there a way to do this? LTS releases only include vulnerability and bug fixes

You can use a Deep Security Manager FR release to support both LTS and FR agents, as long as the minimum manager version for all agents is met. Starting with the first Deep Security 12 feature release in 2019, the minimum manager version for any agent will be displayed as one of the properties of the agent on the software download page.

For example, you can use Deep Security Manager 12 FR with Deep Security 12 LTS agents on your production workloads and with Deep Security 12 FR agents in a development or staging environment.

Using Deep Security Manager 12 FR gives the flexibility to use both older LTS and Deep Security 12 FR agents.

Note: It is not possible to use FR agents with the LTS manager of the same release. For example, DS 12 FR agents are not supported for use with Deep Security Manager 12 LTS.

In summary, there are a number of factors that will influence the decision for each deployment. Here are some common use cases that may help you to determine which type of deployment is best for you:

  • If you don't need access to new features between LTS releases, have a lower risk tolerance, and don't want to upgrade software more than every 2 years, then using LTS releases is the best option.
  • If you want access to new features, can upgrade more frequently, and have a higher risk tolerance, you may be better suited with feature releases.
  • If you are somewhere in the middle, consider using Deep Security Manager feature releases with a mixture of LTS and FR agents.

What will be delivered in a feature release?

Our goal is to provide a complete lineup of software with each feature release; however, to better meet the needs of customers who require critical fixes and feature content, we may choose to release only a subset of components. For example, a feature release may include only Deep Security Manager, only Deep Security Agent, or only specific agent versions. The Deep Security Manager release notes provide details on what's included for any specific feature release.

Deep Security AWS Marketplace deployments

Beginning in the second half of 2019, Deep Security Manager 1-click upgrades for AWS Marketplace deployments will begin using Deep Security feature releases.

The Deep Security Agents used with AWS Marketplace will default to the latest long-term support (LTS) agents available at the time of release.

  • Starting with Deep Security 12 Feature Releases, fix content is now aligned between feature releases and long-term support releases. See the Deep Security release strategy and life cycle policy
  • Feature releases provide you with access to new features without the need to wait 12 months until the next LTS release.
  • Using feature releases for Deep Security Manager provides the ability for you to use any combination of LTS and FR agents, as long the minimum compatible manager version is met. For example, you can use LTS agents for your production deployment, while at the same time using FR agents to test new features on selected development or staging machines with the same Deep Security Manager. This flexibility is only available when using a feature release version of Deep Security Manager.

The recommended best practice upgrade cadence for Deep Security Manager in AWS Marketplace is to follow the 1-click recommendations (quarterly). If it is not possible to upgrade quarterly, then at least once per year is desirable. Once every 12 months ensures that you stay within the 18-month support period associated with Deep Security feature releases. It also ensures that if you raise a support case and it is necessary to move to the latest software release, you will be able to complete the upgrade in a single step.

Deep Security as a Service

Because Trend Micro is responsible for the Deep Security Manager used in Deep Security as a Service deployments, the only LTS vs. FR decision that you are required to make is whether to use LTS or FR agents.

Deep Security as a Service supports the use of both LTS and FR agents. You can choose to use all LTS agents, all FR agents, or a mixture of the two. For example, you could use LTS agents on production workloads and the latest FR agents to test features in a development or staging environment.

Beginning with the release of Deep Security 12 in June 2019, all deployment scripts and the upgrade on activation feature default to deploying only the latest LTS agent. To provide you with finer-grained control over which agents are used with deployment scripts and upgrade on activation, a feature called Agent Version Control will be introduced to allow you to choose "latest", "latest LTS", or a specific agent version for each platform. As of August 2019, this feature is in early engagement testing with a selected set of customers and will be made generally available in the second half of 2019.

Trend Micro updates Deep Security as a Service multiple times per week and it is always running the latest version of Deep Security Manager, so Deep Security as a Service customers can safely ignore the minimum manager version requirement for any agent.