Advanced Threat Defense Certification Testing Report. Trend Micro Incorporated Trend Micro Deep Discovery Inspector

Similar documents
Advanced Threat Defense Certification Testing Report. Symantec Corporation Symantec Advanced Threat Protection

Fortinet, Inc. Advanced Threat Protection Solution

Defending Against Known & Unknown Threats

TREND MICRO SMART PROTECTION SUITES

TREND MICRO SMART PROTECTION SUITES

ICSA Labs Network Firewall Certification Testing Report Corporate Criteria Version 4.2. Huawei Technologies. USG Series/Eudemon-N Series

EU GENERAL DATA PROTECTION: TIME TO ACT. Laurent Vanderschrick Channel Manager Belgium & Luxembourg Stefaan Van Hoornick Technical Manager BeNeLux

trend micro smart Protection suites

What to Look for When Evaluating Next-Generation Firewalls

THE EFFECTIVE APPROACH TO CYBER SECURITY VALIDATION BREACH & ATTACK SIMULATION

CAS Quick Deployment Guide January 2018

Measuring cloud-based anti-malware protection for Office 365 user accounts

This course incorporates a variety of hands-on lab exercises allowing participants to put the lesson content into action.

Commercial Product Matrix

Correlation and Phishing

Gladiator Incident Alert

Building Resilience in a Digital Enterprise

MRG Effitas 360 Degree Assessment & Certification Q1 2018

Consumerization. Copyright 2014 Trend Micro Inc. IT Work Load

Technical Brochure F-SECURE THREAT SHIELD

Network Security Protection Alternatives for the Cloud

DRIDEX s New Tricks Lead to Global Spam Outbreak

Imperva Incapsula Website Security

Trend Micro. Apex One as a Service / Apex One. Best Practice Guide for Malware Protection. 1 Best Practice Guide Apex One as a Service / Apex Central

The Reigning King of IP Camera Botnets and its Challengers

Copyright 2011 Trend Micro Inc.

Investor Overview 2018

Moving Beyond Prevention: Proactive Security with Integrity Monitoring

Isla Web Malware Isolation and Network Sandbox Solutions Security Technology Comparison and Integration Guide

1.0 High Availability (HA) Firewall Module Lab Report. Elitecore Technologies Ltd. Cyberoam CR50i Version build 25.

Verizon Software Defined Perimeter (SDP).

MRG Effitas 360 Degree Assessment & Certification Q4 2017

Eliminating the Blind Spot: Rapidly Detect and Respond to the Advanced and Evasive Threat

Trend Micro Deep Discovery Training Advanced Threat Detection 2.0 for Certified. Professionals Course Description

Trend Micro and IBM Security QRadar SIEM

MRG Effitas 360 Degree Assessment & Certification Q MRG Effitas 360 Assessment & Certification Programme Q2 2017

Security and Compliance Powered by the Cloud. Ben Friedman / Strategic Accounts Director /

FIREWALL BEST PRACTICES TO BLOCK

Trend Micro Deep Discovery Training for Certified Professionals

Live Attack Visualization and Analysis. What does a Malware attack look like?

Strategies for a Successful Security and Digital Transformation

Maximum Security with Minimum Impact : Going Beyond Next Gen

Combating APTs with the Custom Defense Solution. Hans Liljedahl Peter Szendröi

Defending Against Unkown Automation is the Key. Rajesh Kumar Juniper Networks

SYMANTEC ENTERPRISE SECURITY. Symantec Internet Security Threat Report September 2005 Power and Energy Industry Data Sheet

Trend Micro Deep Discovery Training for Certified Professionals

MRG Effitas 360 Assessment & Certification Programme Q4 2015

County of El Paso Purchasing Department 800 E. Overland Room 300 El Paso, Texas (915) / Fax: (915)

Incident Response Agility: Leverage the Past and Present into the Future

deep (i) the most advanced solution for managed security services

McAfee Advanced Threat Defense

The SANS Institute Top 20 Critical Security Controls. Compliance Guide

Identity-Based Cyber Defense. March 2017

Enhancing the Cybersecurity of Federal Information and Assets through CSIP

TRUE SECURITY-AS-A-SERVICE

SE Labs Test Plan for Q Endpoint Protection : Enterprise, Small Business, and Consumer

How NSFOCUS Protected the G20 Summit. Guy Rosefelt on the Strategy, Staff and Tools Needed to Ensure Cybersecurity

IPS with isensor sees, identifies and blocks more malicious traffic than other IPS solutions

SO YOU THINK YOU ARE PROTECTED? THINK AGAIN! NEXT GENERATION ENDPOINT SECURITY

SMASHING THE TOP 7 VIRTUALIZATION SECURITY MYTHS

Fighting Spam, Phishing and Malware With Recurrent Pattern Detection

Easy Activation Effortless web-based administration that can be activated in as little as one business day - no integration or migration necessary.

Wayward Wi-Fi. How Rogue Hotspots Can Hijack Your Data and Put Your Mobile Devices at Risk

Security

Android Backdoor GhostCtrl can Silently Record Your Audio, Video, and More

Transforming Security from Defense in Depth to Comprehensive Security Assurance

How to Identify Advanced Persistent, Targeted Malware Threats with Multidimensional Analysis

Security Gap Analysis: Aggregrated Results

Sourcefire Solutions Overview Security for the Real World. SEE everything in your environment. LEARN by applying security intelligence to data

PEOPLE CENTRIC SECURITY THE NEW

KASPERSKY FRAUD PREVENTION FOR ENDPOINTS

TRIPWIRE VULNERABILITY RISK METRICS CONNECTING SECURITY TO THE BUSINESS

ATTIVO NETWORKS THREATDEFEND INTEGRATION WITH MCAFEE SOLUTIONS

BREACH DETECTION SYSTEMS COMPARATIVE ANALYSIS

Kaspersky Cloud Security for Hybrid Cloud. Diego Magni Presales Manager Kaspersky Lab Italia

Securing Dynamic Data Centers. Muhammad Wajahat Rajab, Pre-Sales Consultant Trend Micro, Pakistan &

SECURING DEVICES IN THE INTERNET OF THINGS

SOLUTION OVERVIEW. Enterprise-grade security management solution providing visibility, management and reporting across all OSes.

SOLUTION BRIEF. Enabling and Securing Digital Business in API Economy. Protect APIs Serving Business Critical Applications

Securing the Modern Data Center with Trend Micro Deep Security

Kaspersky Security Network

INTRODUCTION. We would like to thank HelpSystems for supporting this unique research. We hope you will enjoy the report.

Proofpoint, Inc.

Symantec Ransomware Protection

with Advanced Protection

Perimeter Defenses T R U E N E T W O R K S E C U R I T Y DEPENDS ON MORE THAN

Why Machine Learning is More Likely to Cure Cancer Than to Stop Malware WHITE PAPER

Comodo IT and Security Manager Software Version 5.4

Data Sheet: Endpoint Security Symantec Multi-tier Protection Trusted protection for endpoints and messaging environments

CISCO NETWORKS BORDERLESS Cisco Systems, Inc. All rights reserved. 1

Insider Threat Detection Including review of 2017 SolarWinds Federal Cybersecurity Survey

THE IMPACT OF SECURITY ON APPLICATION DEVELOPMENT. August prevoty.com. August 2015

Key Technologies for Security Operations. Copyright 2014 EMC Corporation. All rights reserved.

MOBILE SECURITY 2017 SPOTLIGHT REPORT. Information Security PRESENTED BY. Group Partner

Trend Micro Deep Discovery for Education. Identify and mitigate APTs and other security issues before they corrupt databases or steal sensitive data

Comodo Unknown File Hunter Software Version 5.0

Presenter Jakob Drescher. Industry. Measures used to protect assets against computer threats. Covers both intentional and unintentional attacks.

The Bots Are Coming The Bots Are Coming Scott Taylor Director, Solutions Engineering

Cisco Advanced Malware Protection against WannaCry

Threat Landscape vs Threat Management. Thomas Ludvik Næss Country Manager

Transcription:

Advanced Threat Defense Certification Testing Report Trend Micro Deep Discovery Inspector ICSA Labs Advanced Threat Defense July 12, 2016 Prepared by ICSA Labs 1000 Bent Creek Blvd., Suite 200 Mechanicsburg, PA 17050 www.icsalabs.com ATD-TRENDMIC-2016-0712-02

ICSA Labs Advanced Threat Defense Report-at-a-Glance Executive Summary Trend Micro Deep Discovery Inspector During 34 consecutive days of testing during the second quarter of 2016, ICSA Labs tested the detection capabilities of the Trend Micro Deep Discovery Inspector with a mix of over 650 test runs. The mix was primarily composed of new and little-known malicious threats i.e., recently harvested threats not detected by traditional security products. Periodically, ICSA Labs launched innocuous applications and activities to additionally test the Deep Discovery Inspector in terms of false positives. Throughout testing ICSA Labs observed product logs to ensure not only that the Deep Discovery Inspector indicated the existence of a malicious threat but also that logged threats were distinguishable from other logged traffic and events. The Deep Discovery Inspector passed, having met all criteria requirements. As seen in Figure 1 below, the Deep Discovery Inspector did remarkably well during this test cycle - detecting previously unknown threats while having few false positives. Figures 2 and 3 below further break down the Deep Discovery Inspector s detection effectiveness and false positives. www.trendmicro.com Test Length 34 days Malicious Samples 436 Innocuous Apps 227 Test Runs 663 % Detected 99.5% % False Positives 4.4% Fig. 1 High Detection Effectiveness & Few False Positives ICSA Labs Advanced Threat Defense Certified Test Period: Q2 2016 Certified Since: 12 / 2015 Fig. 2 Detected 434 of 436 New & Little-Known Malicious Samples Fig. 3 Few Alerts on Innocuous Applications ATD-TRENDMIC-2016-0712-02 Page 1 of 8

Introduction This is Trend Micro s third ICSA Labs Advanced Threat Defense Certification testing report for Deep Discovery Inspector. ICSA Labs Advanced Threat Defense (ATD) testing is aimed at vendor solutions designed to detect new threats that other traditional security products miss. Thus the focus is on how effectively vendor ATD solutions detect these unknown and little-known threats. The remainder of the report presents a more detailed look at how Trend Micro Deep Discovery Inspector performed during this cycle of ICSA Labs Advanced Threat Defense Certification testing. To better understand what the results mean, this report documents not just the testing results themselves but the threat vectors and sample sources that ICSA Labs employed for this cycle of ATD testing against Deep Discovery Inspector. Threat Vectors The current set of threat vectors used in ICSA Labs ATD Certification Testing map directly to many of the top threat vectors that lead to enterprise cybersecurity breaches as reported in the Verizon Data Breach Investigation Report (DBIR). That is, the tested malicious threat vectors are among the most common ones leading to breaches in both the most recent DBIR as well as historically. Figure 4 depicts the most common threat vectors in the DBIR over time while Figure 5 illustrates those threat vectors that were most common in the 2015 DBIR. 0 1000 2000 3000 4000 Direct Install Email Attachment Web Download Web Drive-By Email Link Download by Malware Network Propagation Remote Injection Removable Media Other 869 588 551 453 230 138 72 16 13 3706 Fig. 4 DBIR Threat Vectors All Time 0 200 400 600 800 1000 Direct Install Email Link Email Attachment Web Drive-By Download by Malware Web Download Remote Injection Network Propagation Removable Media Other 49 31 17 6 4 2 167 410 334 795 Fig. 5 DBIR Threat Vectors 2015 ATD-TRENDMIC-2016-0712-02 Page 2 of 8

Figures 4 and 5 above indicate that there is much overlap between current and historic threat vectors. ICSA Labs ATD testing includes the threat vector that is by far the most prevalent, Direct Install. In addition, the testing currently includes the threat vectors labeled Web Download, Web Drive-By, and Download by Malware. The malicious threats themselves that are used in testing target weaknesses in end-user Windows desktop machines. While some threats are generically applicable to servers as well, test cases target services and software typically found on desktop machines in enterprises. The threats often involve: a. Local execution or loading of a malicious executable or data file (covering means by which an attacker has access or a user is tricked into doing so), or b. Exploitation of a client-side vulnerability in the OS, web browser, or other commonly installed application subject to malicious data files being loaded without intentional user action, or c. There may also be attacks involving remotely-accessible components of such machines. Note that in most threat detection related test cases, a file of some sort is involved. Throughout this report such a file is referred to as a sample. ATD Solution Tested ICSA Labs tested Trend Micro s Deep Discovery Inspector. The Deep Discovery Inspector is a single-component advanced threat defense solution. The version tested is described in more detail below. Deep Discovery Inspector v3.82.1133 Deep Discovery Inspector is a network appliance. Its specialized detection engines and custom sandboxes identify and analyze malware, command-and-control (C&C) communications, and evasive attacker activities. In-depth threat intelligence enables a rapid response and is shared automatically with your other Trend and third-party security products to create a real-time custom defense against your attackers. For more information about the Trend Micro Deep Discovery Inspector, please visit: www.trendmicro.ca/en-ca/enterprise/security-risk-management/deep-discovery/index.html Test Cycle Information This report reflects the results of one test cycle at ICSA Labs. Test cycle duration ranges from three to five weeks. To be eligible for certification, vendor solutions must be tested for at least 3 consecutive weeks. For vendors, like Trend Micro, that has registered for ICSA Labs Advanced Threat Defense (ATD) testing, ICSA Labs tests their ATD solutions as many as four times during a twelve-month contract term. Each quarterly test is performed using the latest, new and little-known malicious threats. During each test cycle ICSA Labs subjects ATD solutions to hundreds of test runs comprised of a mix of new threats, little-known threats and innocuous applications and activities sent one after another continuously. Below in Figure 6 is information about the test cycle from which this findings report is based: Start Date April 22, 2016 Days of Continuous Testing 34 End Date May 29, 2016 Test Runs 663 Fig. 6 Information On This Test Cycle ATD-TRENDMIC-2016-0712-02 Page 3 of 8

Prior ATD Reports Following the thirty-four days of continuous advanced threat defense testing during the 2 nd quarter 2016 test cycle, the Trend Micro Deep Discovery Inspector retained ICSA Labs Advanced Threat Defense (ATD) Certification. Successful completion of this test cycle marks Trend Micro s third consecutive quarter having met the ICSA Labs ATD certification testing criteria. This and all earlier Trend Micro Deep Discovery Inspector certification testing reports can be found on the ICSA Labs web site at: https://www.icsalabs.com/product/deep-discovery-inspector Source of Samples A number of sample sources feed ICSA Labs ATD testing. One source is the spam ICSA Labs collects. The labs spam honeypots receive approximately 250,000-300,000 spam email messages/day. For ICSA Labs ATD testing, the team harvests attachments in that spam, making use of the ones that are malicious. Another sample source is from malicious URLs. Some of these come from the spam mentioned above. From feeds like this ICSA Labs filters and checks the URLs to see if there is a malicious file on the other end of that URL -- either as a direct file link or a series of steps (e.g. a drive-by attack with a multi-stage download process) leading to it. If so, ICSA Labs collects the sample for potential use in testing. ICSA Labs additionally uses other tools and techniques to create unique malicious files as an attacker or penetration tester might do. In some cases these are trojanized versions of clean executables. In other cases they may be original executables that are malicious. Still another source of samples is the samples themselves. Any dropped files resulting from running another malicious sample are also evaluated and potentially used in testing. Finally and importantly to test for false positives ICSA Labs also launches legitimate executables. Running innocuous applications helps ensure that vendor solutions aren t just identifying everything as malicious. Regarding The Samples From This Test Cycle Samples harvested for use in ATD testing are often unmodified and used as is. That is the case if ICSA Labs determines that the sample is new enough and/or not being detected by traditional security products. In many cases malicious samples require modification before they can avoid detection by traditional security products. ATD-TRENDMIC-2016-0712-02 Page 4 of 8

Of the 436 malicious samples, Figure 7 shows that there were many more original samples used and far fewer samples that required some kind of modification before use in testing. As there were many more unmodified samples, Figure 8 reveals the source of the 405 malicious samples used in testing that were both unmodified and non-dropped (i.e., not left behind by other malware). Fig. 7 Malicious Samples Original vs. Modified Fig. 8 Unmodified/Non-Dropped Sample Sources Detection Effectiveness To meet the criteria requirements and attain (or retain) certification through ICSA Labs testing, advanced threat defense solutions must be at least 75% effective at detecting new malicious threats. As shown in Figure 9 the Deep Discovery Inspector detected 99.5% of the threats it encountered during testing, considerably better than the percentage required for certification. Fig. 9 Deep Discovery Inspector s Detection Effectiveness A second plot depicting the detection effectiveness of the Deep Discovery Inspector appears in Figure 10. For Trend Micro s solution the chart sheds light on whether or not their Deep Discovery Inspector did better or worse the newer the malicious sample. Trend Micro s Deep Discovery Inspector detected over 98.4% of threats one hour old or less. It detected 100% of the threats it faced that were between two and twenty-four hours old. ATD-TRENDMIC-2016-0712-02 Page 5 of 8

Fig. 10 Detection Effectiveness by Age of Threat (Threats < 24 Hours Old) A final effectiveness-related plot to consider for Trend Micro Deep Discovery Inspector during this test cycle is Figure 11 below. Plotted below is each of the 34 days during the test cycle along with how effective the Deep Discovery Inspector was on each of those days. With the exception of two days during the test cycle, the Deep Discovery Inspector was always 100% effective. For those two days it was better than 94% effective. Fig. 11 Detected & Missed Threats by Day of Test Cycle ATD-TRENDMIC-2016-0712-02 Page 6 of 8

Significance of the Test & Results Readers of certification testing reports often wonder what the testing and results really mean. They ask, In what way is this report significant? The four statements below sum up what this ICSA Labs Advanced Threat Defense Certification Testing report should indicate to the reader: 1. ICSA Labs tested the Trend Micro Deep Discovery Inspector using the primary threat vectors leading to enterprise breaches according to Verizon s Data Breach Investigations Report (DBIR). 2. ICSA Labs tests with malicious threats that other security products typically miss. 3. The Trend Micro Deep Discovery Inspector demonstrated superb threat detection effectiveness against over 430 new and little-known threats. 4. The Deep Discovery Inspector had few false positives. ATD-TRENDMIC-2016-0712-02 Page 7 of 8

Authority Report Date: July 12, 2016 This report is issued by the authority of the Managing Director, ICSA Labs. Tests are done under normal operating conditions. ICSA Labs The goal of ICSA Labs is to significantly increase user and enterprise trust in information security products and solutions. For more than 20 years, ICSA Labs, an independent division of Verizon Business, has been providing credible, independent, 3rd party security product testing and certification for many of the world s top security product developers and service providers. Enterprises worldwide rely on ICSA Labs to set and apply objective testing and certification criteria for measuring product compliance and performance. ICSA Labs 1000 Bent Creek Blvd., Suite 200 Mechanicsburg, PA 17050, a global leader in security software, strives to make the world safe for exchanging digital information. Our innovative solutions for consumers, businesses and governments provide layered content security to protect information on mobile devices, endpoints, gateways, servers and the cloud. All of our solutions are powered by cloud-based global threat intelligence, the Trend Micro Smart Protection Network, and are supported by over 1,200 threat experts around the globe. For more information, visit www.trendmicro.com. USA Headquarters 225 E. John Carpenter Freeway, Suite 1500 Irving, Texas 75062 U.S.A. ATD-TRENDMIC-2016-0712-02 Page 8 of 8

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback