As enterprises seek to deploy container security, Trend Micro strengthens DevOps chops

August 8 2019
by Fernando Montenegro


One of the key themes we notice in the security industry is the 'innovator's dilemma': how to balance resources between sustaining existing products while building new ones. This is particularly visible in the arena of securing newer cloud workloads, where older methodologies and tools are not a good fit. With that in mind, Trend Micro recently announced improvements to its Hybrid Cloud Security portfolio. The company now puts forth Deep Security Smart Check for image scanning to complement Deep Security Agents for container, orchestrator and host runtime protection and application protection for serverless compute.
The 451 Take

The reality for most organizations engaged in modernizing their environments to support cloud is that the environment will be hybrid and likely multi-cloud. This means supporting everything from virtual machines to containers and serverless compute. As enterprises turn to their security vendors, few can support a wide variety of environments. Trend Micro has long had a strong offering for cloud workload security with Deep Security and has recently added more capabilities to both Deep Security its Smart Check image scanning component. This makes the company a credible alternative to offer that 'full stack' support, but it is far from alone in doing this. Competition looms large in the form of a Palo Alto Networks strengthened by acquiring Twistlock and PureSec earlier this year. As it seeks to increase the awareness for its build pipeline and runtime protection offers, Trend Micro should continue to deliver on its proposed roadmap and ensure that its market messaging is attuned to both security and cloud buyers.


Trend Micro is one of the key vendors in the security industry, having been founded 31 years ago and grown to roughly 6,600 employees worldwide. The company is based in Japan, where it trades publicly, but has significant presence worldwide. Founder Eva Chen is the current CEO. Trend Micro has emphasized it seeks a sustainable path to growth, including regularly paying dividends. The company claims significant presence in enterprise, midmarket and SMB, and highlighted it currently serves nine of the top 10 Fortune Global 500 companies. Trend Micro's capabilities on hybrid cloud security grew from its 2009 acquisition of Third Brigade. The company made a further acquisition in late 2017 as it picked up application security specialist Immunio.


Trend Micro's Hybrid Security offerings fall within what 451 Research considers to be the cloud security market. We further divide this market into cloud access security brokers (CASB), cloud workload protection, cloud infrastructure security and cloud-native security. Trend Micro's current offering is aligned to cloud workload protection – providing security for server-based workloads running in modern cloud environments and legacy datacenters – as well as cloud-native security – providing security for containers, build pipeline, orchestration, serverless compute and similar technologies. Both the cloud workload protection and cloud-native security markets are affected by broader technology trends such as DevOps, which affects both technical choices and organizational structures within target customers. On the technology front, customers demand more support for automation and integration for security tooling. Organizationally, there is a greater push for aligning security responsibilities and operations to service teams, meaning that the role for the traditional security team changes toward becoming more an enabling and verification function.


Trend Micro sees an opportunity to support organizations in a complex, multi-environment, hybrid-cloud world. In this scenario, there is a need to secure both virtual machine-based deployments, which the company aims to support with Deep Security, and container-based deployments, which use a combination of SmartCheck and Deep Security. The company's container security strategy is anchored on three key principles: build secure (security when building container images), ship fast (integration with automation and CI/CD pipelines) and run anywhere (supporting multiple runtime environments). According to the company, it can approach both security and cloud/DevOps personas. Security teams will be familiar with the company and its initiatives such as Zero Day Initiative – focused on security research – while cloud/DevOps teams may appreciate the integration and automation support the company is making available. Trend Micro is aggressively pursuing new logos as well as upselling within its existing client base, across all geographies. According to the company, the offering has been well received in multiple markets. Trend Micro is also leveraging its presence on cloud marketplaces – AWS Marketplace and Azure Marketplace – as a channel for Deep Security. Moving forward, Trend Micro is expecting to provide tighter integration with Kubernetes via admission control, add support for Google Cloud and, importantly, add support for serverless compute.


The two components for Trend Micro's container/Kubernetes security offering are Deep Security and Deep Security Smart Check. Deep Security is its well-known agent-based offering for cloud workload protection, now enhanced to understand and interact with Docker and Kubernetes primitives on each host. Smart Check is the new component, which offers build-time image scanning and security. The two key use cases Trend Micro puts forward are securing the creation of container images during the build phase, then protecting container instances at runtime. The threats it aims to protect against include vulnerabilities in code, malware embedded in sources, misuse of credentials or licenses and compliance violations, as well as active attacks against the container runtime environment. The company sees that customers want to do this in a way that is agnostic about the underlying infrastructure, leverages built-in security primitives in Kubernetes whenever possible and is done in such a way that supports automation of workflows. The Deep Security agent is used for runtime protection and can be managed from an on-premises deployment or from SaaS. Trend Micro will soon release a version of the Deep Security Agent to run as a privileged container application via a Helm chart. Smart Check itself is containerized and requires a running Kubernetes cluster. It has a microservices architecture and connects to build platforms such as Jenkins and a variety of registries. Smart Check can also be deployed with its own registry so that deployments can be scanned prior to being available on a more public registry. Trend Micro offers an 'API first' approach that is agnostic to the underlying runtime environment and can further support integration with other security components in a customer's architecture. Smart Check implements build-time security features such as image scanning at build time – limiting the potential dissemination of vulnerabilities to a registry – and period registry scanning. Smart Check leverages a proprietary scan logic that can scan for some applications from source install, not just package management, and supports YARA rules built by Trend Micro's security researchers (customers can also create their own custom YARA rules to support their unique use cases). Smart Check also supports OpenSCAP for compliance validation. The key threats it seeks are software vulnerabilities, embedded malware and misused credentials, and compliance validation. The runtime protection features cover the underlying host, the container/orchestration platform itself and the container-based workloads. Deep Security implements features such as anti-malware, web reputation filtering, firewalling, intrusion prevention, integrity monitoring and log inspection. For container workloads, the key runtime features are malware protection and intrusion prevention. Trend Micro indicated it will soon add admission control functionality to better integrate Deep Security and Smart Check. Trend Micro announced it should soon release an Application Protection feature – based on its acquisition of Immunio in 2017 – to offer runtime protection such as OWASP Top 10 and others. This will complement and integrate with Deep Security and Smart Check, offering protection for environments such as managed container execution (AWS Fargate, Azure Container Instances and Google Cloud Run) and functions as a service (AWS Lambda, Azure Functions, Google Functions).


Trend Micro's traditional competition in the security space – particularly endpoint – consists of Symantec, McAfee and others including but not limited to Sophos and Kaspersky Lab. Many of these vendors are also either supporting or starting to support container security use cases in their endpoint suites or specialized cloud workload offerings. Trend Micro's broader support of Kubernetes and upcoming serverless security is, for the time being, a differentiator. At present, Trend Micro's offering is more comparable to those coming from vendors such as Aqua Security, StackRox, SysDig, Alcide, NeuVector, Aporeto, Tigera and Lacework. These vendors have, in some cases, support for more advanced use cases, but Trend Micro can look to leverage its enterprise selling experience, broader product portfolio and threat research teams. With its recent acquisitions of Twistlock and PureSec, however, Palo Alto Networks emerges as a key competitor for both container security and serverless security opportunities, with the added heft of a broad network security portfolio and support for cloud infrastructure security posture management. SWOT Analysis SWOT Analysis



Between Deep Security, Deep Security SmartCheck and Immunio, Trend Micro covers a broad swath of use cases for supporting enterprises as they update their security tooling for cloud workloads, be they based on virtual machines or containers, and serverless.

The integration of Deep Security with Kubernetes does not yet use constructs such as namespaces to fine-tune security policies, nor does it currently benefit from integration with service meshes such as Istio, Linkerd or AWS's AppMesh. The broader hybrid cloud story also lacks posture management offerings.



With most enterprises looking at digital transformation and the rethinking or fine-tuning of their technology stacks, many will favorably consider vendors with security offerings that cover a broad range of use cases.

Larger vendors than Trend Micro have either recently acquired or are developing key capabilities in the container security space, meaning that competition will not stand still. At the other end of the spectrum, customers may choose built-in functions in container platforms/services.