Microtrend Deep Security Check File Upload for Virus Before Inserting

By Suresh Kanniappan, Solutions Architect – AWS
By Tejas Sheth, Cloud Security Architect – Trend Micro

Cloud security is the highest priority at Amazon Web Services (AWS). With this in mind, AWS works closely with industry-leading partners such as Trend Micro to build security solutions for customers.

In this post, we share a malware scanning solution jointly built by Trend Micro and AWS that detects and automates the response to malware payloads uploaded to Amazon Simple Storage Service (Amazon S3). The solution uses Trend Micro threat intelligence capabilities and AWS Security Hub.

Trend Micro is an AWS ISV Partner with the Security Competency that delivers cloud-native security to automatically protect and scale across AWS, container, and hybrid environments.

Customers run various types of workloads on AWS that utilize Amazon S3, which is a highly scalable and durable object storage service for storing and processing sensitive data.

Malware protection of the data uploaded to S3 through an application is normally done through generic file type validation, but this is not an effective protection mechanism. Businesses need to scan the content written to S3 for malicious files and malware.

When dealing with malware, scanning isn't the only problem; the bigger challenge is detecting malware quickly and acting on it. Malware finding alerts from Trend Micro can be integrated with AWS Security Hub for centralized event management and corrective actions, such as isolating the content and blocking the offending IP address and user agent.

Trend Micro Cloud One

Trend Micro Cloud One is a security services platform for cloud builders that enables AWS customers to secure cloud workloads with clarity and simplicity. It's purpose-built security for cloud-native applications.

Trend Micro Cloud One uncovers indicators of compromise (IoCs) and indicators of attack (IoAs). It can detect cloud workload and container platform attacks with detailed root cause analysis.

The platform also integrates with various developer tools such as continuous integration/continuous delivery (CI/CD) pipelines, developer IDEs, and code repositories to give developers faster feedback and mitigate risk at an early stage of development.

For technical details, see the Trend Micro Cloud One documentation.

Figure 1 – Trend Micro Cloud One security services.

Cloud One File Storage Security is one of the security services in Trend Micro Cloud One. Cloud-native application architectures incorporate cloud file/object storage services into their workflow, creating a new attack vector where they are vulnerable to malicious files.

File Storage Security protects the workflow using serverless event-driven scanning, such as malware scanning, integration into your custom workflows, and broad cloud storage platform support.

How it Works

Cloud One File Storage Security looks for obfuscated or polymorphic variants of malware through fragments of previously seen malware and detection algorithms. It blocks known bad files using Trend Micro anti-malware signatures for all types of malware, including viruses, Trojans, spyware, and more. Irrespective of file size, Cloud One File Storage Security supports files of various types including .BIN, .EXE, .JPEG, .MP4, .PDF, .TXT, .ZIP, and more.

Cloud One File Storage Security with AWS integration has four components:

  • Storage stack
  • Scanner stack
  • Post-scan action
  • Import findings to AWS Security Hub

Figure 2 – Malware Scanning Solution with AWS.

Storage Stack

When a user or application writes or uploads files to the staging S3 bucket, the Bucket Listener Lambda function is triggered to gather the object details and send the pre-signed URL link for that object. The pre-signed URL is passed to the Amazon Simple Queue Service (Amazon SQS) Scanner Queue in the Scanner stack.

Scanner Stack

The Scanner Lambda code retrieves the object pre-signed URL message from SQS Scanner Queue, finds the files in S3 using the pre-signed URL location, performs scanning on the file, generates file identification data, and sends it to the Trend Micro Global Smart Protection Server in the cloud.

The Trend Micro Global Smart Protection Network scans the file identification data (and not the file). The scan results are sent back to the Scanner Lambda function.

The Scanner Lambda function publishes the scan results to the SNS ScanResult topic and sends the scan results to the File Storage Security console.

Post-Scan Action

The possible post-scan actions include:

  • Notify the user about the malware detection.
  • Quarantine the malware-infected objects.
  • Delete the malware-infected objects permanently.
  • Create a delete object reference from the database (such as Amazon DynamoDB) for batch deletion.

This post specifically covers quarantining the malware-infected objects, which is the 2nd post-scan action.

The SNS ScanResult topic notifies the custom post-scan Lambda function of new scan results. The custom post-scan Lambda analyzes the scan results and either moves the file to the production bucket if it's clean, or moves it to the quarantine bucket if malware content is detected.

Import the Findings to AWS Security Hub

The SNS ScanResult topic notifies the Security Hub Import Lambda function of new scan results; the function collects the details of the S3 objects, the malware, and more. It then imports the findings into AWS Security Hub using a standard format called the AWS Security Finding Format (ASFF).

The security and operations teams can use AWS Security Hub to analyze the malware findings and take remedial actions.
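As an added example (not code from this post or from Trend Micro), the following Python sketch of a custom post-scan Lambda combines the two steps just described: it reads a scan result delivered by the SNS ScanResult topic, moves the object to the production or quarantine bucket, and imports an ASFF finding into Security Hub with BatchImportFindings. The scan-result message layout, bucket names, account ID, GeneratorId and Types values are assumptions; the real File Storage Security message format is documented by Trend Micro.

```python
import json
import time

# Constructed scan-result message (the real File Storage Security payload differs; field names assumed).
SAMPLE_MESSAGE = ('{"file_url": "s3://staging-bucket-example/uploads/sample-malware.txt", '
                  '"scanning_result": {"Findings": [{"malware": "Eicar_test_file"}]}}')

def parse_scan_result(message_body):
    """Return (bucket, key, malware_names) from one scan-result message."""
    msg = json.loads(message_body)
    bucket, key = msg["file_url"][len("s3://"):].split("/", 1)
    return bucket, key, [f["malware"] for f in msg["scanning_result"].get("Findings", [])]

def route_object(s3, bucket, key, malware, production, quarantine):
    """Post-scan action: copy to production (clean) or quarantine (infected), then delete from staging."""
    dest = quarantine if malware else production
    s3.copy_object(Bucket=dest, Key=key, CopySource={"Bucket": bucket, "Key": key})
    s3.delete_object(Bucket=bucket, Key=key)
    return dest

def build_asff_finding(account_id, region, bucket, key, malware):
    """Build one AWS Security Finding Format (ASFF) record with the required fields."""
    now = time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime())
    arn = f"arn:aws:s3:::{bucket}/{key}"
    return {
        "SchemaVersion": "2018-10-08", "Id": f"{arn}/malware", "AwsAccountId": account_id,
        "ProductArn": f"arn:aws:securityhub:{region}:{account_id}:product/{account_id}/default",
        "GeneratorId": "file-storage-security-post-scan",  # assumed generator name
        "Types": ["Unusual Behaviors/Data/Malware"],  # assumed ASFF type path
        "CreatedAt": now, "UpdatedAt": now, "Severity": {"Label": "HIGH"},
        "Title": f"Malware detected in s3://{bucket}/{key}",
        "Description": "File Storage Security detected: " + ", ".join(malware),
        "Resources": [{"Type": "AwsS3Object", "Id": arn}],
    }

def handler(event, context, s3=None, securityhub=None, account_id="123456789012",
            region="us-east-1", production="prod-example", quarantine="quarantine-example"):
    """Lambda entry point for SNS events; clients are injectable so tests run offline."""
    if s3 is None or securityhub is None:
        import boto3  # lazy import: the module loads without boto3 installed
        s3, securityhub = s3 or boto3.client("s3"), securityhub or boto3.client("securityhub")
    findings = []
    for record in event["Records"]:
        bucket, key, malware = parse_scan_result(record["Sns"]["Message"])
        route_object(s3, bucket, key, malware, production, quarantine)
        if malware:
            findings.append(build_asff_finding(account_id, region, bucket, key, malware))
    if findings:  # clean files produce no Security Hub finding
        securityhub.batch_import_findings(Findings=findings)
    return len(findings)
```

The Lambda's execution role needs s3:GetObject/PutObject/DeleteObject on the three buckets and securityhub:BatchImportFindings, and the ProductArn must match the default product ARN format shown in Step 3.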

Prerequisites for the Malware Scanning Solution

For this walkthrough, you should be familiar with the following AWS services:

  • AWS Security Hub
  • AWS Serverless Application Model (SAM)
  • Amazon S3
  • AWS Identity and Access Management (IAM)
  • AWS Lambda
  • Amazon Simple Queue Service (SQS)
  • Amazon Simple Notification Service (SNS)
  • AWS CloudFormation

You should also have the following before deploying the malware scanning solution:

  • AWS account
  • Enable AWS Security Hub. Refer to the AWS Security Hub user guide to Enable AWS Security Hub
  • You need three S3 buckets:
    • Staging bucket
    • Production bucket
    • Quarantine bucket
  • IAM user permissions to deploy a CloudFormation stack:
    • Permission to deploy an AWS Lambda function
    • Permission to configure an IAM role for the Lambda function
    • Permission to configure an SNS subscription
  • Trend Micro Cloud One Subscription
    • Create a Cloud One account
    • Subscribe for a 30-day trial version

Walkthrough

You need to complete the following steps to enable the S3 malware scanning solution:

  1. Enable Trend Micro Cloud One File Storage Security
  2. Enable post-scan actions
  3. Push malware findings to AWS Security Hub
  4. Validation

Step 1: Enable Trend Micro Cloud One File Storage Security

To enable Trend Micro Cloud One File Storage Security, follow the instructions in the Trend Micro user guide to Enable File Storage Security and Configure ARNs – File Storage Security.

Step 2: Enable Post-Scan Actions

To enable post-scan actions, follow the instructions in the Trend Micro GitHub portal.

Step 3: Push Malware Findings to AWS Security Hub

To push malware findings to AWS Security Hub, the serverless plugin needs to be deployed and configured with the SNS topic created by the Scanner Stack as part of enabling File Storage Security (Step 1).

Complete the following steps to deploy the serverless plugin to integrate AWS Security Hub with Trend Micro File Storage Security:

  1. Deploy the serverless plugin by logging in to AWS using the link AWS Serverless Application Repository.
    Figure 3 – Cloud One File Storage Security Serverless Plugin for AWS Security Hub.

  2. In Application settings, enter your AWS Account ID and AWS Security Hub ARN as follows:
    • AWSACCOUNTNO: <Provide your AWS Account ID>
    • AWSSecurityHubARN: arn:aws:securityhub:<REGION>:<AWSACCOUNTNO>:product/<AWSACCOUNTNO>/default

    Figure 4 – Cloud One Serverless Plugin for AWS Security Hub – application settings.

  3. Copy the ScanResultTopicARN from the scanner CloudFormation stack output (from Step 1).
    Figure 5 – Cloud One File Storage Security deployment output from step 1.

  4. Enter the ScanResultTopicARN for the serverless application parameter, acknowledge that the application creates a custom IAM role, and select Deploy.
    Figure 6 – Cloud One Serverless Plugin for AWS Security Hub – Application Settings.

  5. To verify that deployment of the serverless plugin was successful, check that the Status field shows Create complete.
    Figure 7 – Cloud One Serverless Plugin for AWS Security Hub – Deployment Status.

Step 4: Validation

To test your malware scanning solution deployment, you need to generate a malware detection using the EICAR test file.

  1. To create the EICAR file:
    1. Temporarily disable the virus scanner on your laptop or server. Otherwise, it will detect the EICAR file and delete it.
    2. Create a sample-malware.txt file and paste the following sample malicious content.

    Important: The preceding string creates a standard anti-malware test sample that doesn't harm the system. Because anti-malware on your testing laptop is off, we strongly recommend performing this test in an isolated environment.

  2. Add the EICAR file to your staging S3 bucket:
    1. In the AWS console, go to Services > S3 and find the staging S3 bucket to scan.
    2. Select Upload and upload the sample-malware.txt file. File Storage Security scans the file and detects malware.
  3. Examine the quarantine bucket and check that the malicious sample file has moved from the staging bucket to the quarantine bucket.
    Figure 8 – Malware-infected object moved to quarantine S3 bucket.

  4. You can see the scan results on the AWS Security Hub findings page.
    Figure 9 – Malware-infected Objects Finding in AWS Security Hub.

  5. After testing is complete, re-enable your virus scanner.

Cleaning Up

To avoid incurring future charges, delete the resources by deleting the stack from the CloudFormation console and disabling AWS Security Hub.

Summary

In this post, we described how to detect, quarantine, and manage malware-infected objects in Amazon S3 using Trend Micro Cloud One File Storage Security and AWS Security Hub. We hope this helps you integrate AWS Security Hub with Trend Micro File Storage Security and manage malware findings through AWS Security Hub.

For deployment support, please reach out to Trend Micro for further help validating File Storage Security.



Trend Micro – AWS Partner Spotlight

Trend Micro is an AWS Competency Partner that helps you build secure, ship fast, and run anywhere with security-as-code, continuous automation, and tools designed to secure applications across your evolving hybrid environment.

Contact Trend Micro | Partner Overview | AWS Marketplace

*Already worked with Trend Micro? Rate the Partner

*To review an AWS Partner, you must be a customer that has worked with them directly on a project.

Source: https://aws.amazon.com/blogs/apn/amazon-s3-malware-scanning-using-trend-micro-cloud-one-and-aws-security-hub/