I tweeted about a vROPS Adapter that is available. To my knowledge, Trend Micro is the first Security vendor to release an adapter for collecting Security Events into vROPS. I have the Adapter installed in my lab and thought I would give some use cases on how I was using the Adapter to display security events. First, a quick overview of the adapter.

Overview

The Adapter is supported on Deep Security version 9.0 SP1 and 9.5. You also need vROPS 5.8.x. On the Deep Security side you can have integration with vCenter and thus have the Adapter pull in all the Virtual Machines in your Environment, and also physical machines. Stats about Security Events are collected every 5 minutes. The Adapter collects stats on the following modules:

  • Anti-Malware
  • Web Reputation
  • Firewall
  • IPS
  • Log Inspection
  • Integrity Monitoring
  • Total Event Count

Use Case 1 : Performance Impact of Security Events

The first use case is to look at the impact on a VM's performance if there are a lot of security events. Security events can be Anti-Malware inside the VM, Web Reputation, or any of the above modules. In my use case I have a SQL server that was working at about 10%. As seen below there was an initial spike in CPU Demand, but this was not due to Security Events. 3 hours later there was another spike, and this can clearly be seen to be due to Security Events (Firewall Events).

[Screenshot: DSM-SQL]

Use Case 2 : Heat Map to display which Computers have Security Events 

If you have a large VDI Deployment, say 1000-2000 VMs, and you want to quickly see which VMs have Malware on them, or even any security events collected by Deep Security Manager, the Heat Map is for you. For this Heat Map I set the configuration to display all the VMs in my lab and show Total Events with Range 1-13. Thus 1 = Green and 13 = Red. As you can see there is a "red" VM and some "brown" ones.

[Screenshot: DSM-VDI]

If I click on the "Red" VM I am then shown a Metric Graph for each of the modules (using Interactions in the Dashboard). Thus a Metric Graph for Total Events, Malware, Web Rep, etc. From here I can see which Security Module is being exploited.

[Screenshot: DSM-Events]

Use Case 3 : TopN of all VM's and Security Events

This is a very useful dashboard. It will show you the TopN VMs for each Security Module, so you can quickly see, for each Module, the top exploited VM.

[Screenshot: DSM-TopN]

Use Case 4 : Creating Application Groups for Security Events 

How about only looking at your DMZ VMs for Security Events, or any other application? vROPS has the ability to create custom application groups and tiers. I created a custom Application called HR Application with 4 tiers:

  • HR Workstations
  • HR Database Servers
  • HR Application Servers
  • HR Mail Servers

Below is the Heat Map that I have created showing only this application and all Security Related Events:

[Screenshot: DSM-DR-App]

As we can see there are some workstations that have reached the threshold and are showing red.
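To make the dashboard logic behind use cases 1 to 4 concrete, here is an added Python example that is not part of the post or of the Trend Micro adapter: it takes one constructed 5-minute collection of per-module event counts, computes the Total Event Count, places each VM on the heat map's 1-13 scale, ranks the TopN VMs per module, restricts the heat map to the HR Application tiers, and flags which CPU Demand spikes coincide with security events. The VM names, tier assignments, counts and CPU series are all made up for the illustration.

```python
# Deep Security modules the adapter reports per VM (from the post).
MODULES = ("Anti-Malware", "Web Reputation", "Firewall", "IPS",
           "Log Inspection", "Integrity Monitoring")

# Constructed sample: one 5-minute collection keyed by VM name.
# Each VM carries an assumed application tier and its per-module counts.
SAMPLE = {
    "hr-ws-01":   ("HR Workstations",        {"Anti-Malware": 9, "Web Reputation": 4}),
    "hr-ws-02":   ("HR Workstations",        {"Firewall": 2}),
    "hr-db-01":   ("HR Database Servers",    {"Firewall": 11, "IPS": 3}),
    "hr-app-01":  ("HR Application Servers", {"Log Inspection": 1}),
    "dmz-web-01": ("DMZ",                    {"IPS": 20, "Firewall": 5}),
}

HR_TIERS = {"HR Workstations", "HR Database Servers",
            "HR Application Servers", "HR Mail Servers"}


def total_events(counts):
    """Total Event Count metric: the sum over the six modules (unknown keys ignored)."""
    return sum(counts.get(m, 0) for m in MODULES)


def heat_value(total, low=1, high=13):
    """Position on the heat map's 1..13 range (1 = green, 13 = red).
    Totals outside the range are clamped so one outlier does not stretch the scale."""
    return max(low, min(high, total))


def top_n(sample, module, n=3):
    """Use case 3: TopN VMs for one module, highest count first, ties broken by name.
    VMs with no events for that module are left out."""
    ranked = sorted(sample.items(),
                    key=lambda kv: (-kv[1][1].get(module, 0), kv[0]))
    return [(vm, counts.get(module, 0))
            for vm, (_tier, counts) in ranked[:n] if counts.get(module, 0) > 0]


def application_heat_map(sample, tiers):
    """Use case 4: heat map restricted to an application group -> {vm: heat_value}."""
    return {vm: heat_value(total_events(counts))
            for vm, (tier, counts) in sample.items() if tier in tiers}


def spikes_explained_by_events(cpu_demand, events, cpu_threshold, event_threshold=1):
    """Use case 1: for each 5-minute interval where CPU Demand crosses cpu_threshold,
    report whether Deep Security saw events in the same interval (True) or not (False)."""
    return [(i, events[i] >= event_threshold)
            for i, cpu in enumerate(cpu_demand) if cpu >= cpu_threshold]
```

With the constructed CPU series `[10, 45, 12, 11, 50, 10]` and event series `[0, 0, 0, 0, 30, 2]`, the first spike is reported as unexplained and the second as coinciding with events, mirroring the SQL server observation above.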

Conclusion

Trend Micro Deep Security was the first product to integrate Agentless protection into ESXi. Trend Micro is also the first Vendor to use an Adapter for vROPS to collect Security Related Events into vROPS, to be able to overlay Security Events over VM Performance, and to create meaningful vROPS Dashboards that display Security related information. I think that with a bit of creativity this Adapter can be put to really good use in any environment that is using VMware and Deep Security.
