Stopping Advanced Persistent Threats in Cloud and Data Centers
Frederik Van Roosendael, PSE Belgium Luxembourg
10/9/2015 Copyright 2013 Trend Micro Inc.

Agenda
- How threats evolved
- Transforming your data centers
- Building a custom defense
How Threats Evolved: classical protection is not enough
How threats evolved: in the past
- Viruses, Trojans, rootkits, worms, spyware, adware
- Developed to be used multiple times
- Delivered as a single instance (file, network packet)
- Goal: information gathering, infecting as many systems as possible, denial of service
How threats evolved: now, with advanced threats
- Combine different techniques
- Developed to be used only once
- Penetrate environments in different stages
- Toolkits widely available
- Services available with an SLA
- Goal: money
Today's reality: 99(?)% of malware infects fewer than 10 victims; 80(?)% of malware infects a single victim.
Basic attack stages
1. Intelligence Gathering: identify and research target individuals using public sources (LinkedIn, Facebook, etc.) and prepare a customized attack.
2. Point of Entry: the initial compromise is typically malware delivered via social engineering (email/IM or drive-by download). A backdoor is created and the network can now be infiltrated.
3. Command & Control (C&C) Communication: allows the attacker to instruct and control the compromised machines and malware used for all subsequent phases.
4. Lateral Movement: once inside the network, the attacker compromises additional machines to harvest credentials, escalate privilege levels and maintain persistent control.
5. Asset/Data Discovery: several techniques and tools are used to identify the noteworthy servers and the services that house the data of interest.
6. Data Exfiltration: once sensitive information is gathered, the data is funneled to an internal staging server where it is chunked, compressed and often encrypted for transmission to external locations.
APT and Targeted Attack Profile: what is mostly done today
- Sandbox analysis puts the focus on stage 2, Point of Entry
- Most solutions focus on stage 3, Command & Control (C&C) communication
- The focus is on the edge: building smart walls, shields, intruder intelligence
- Nobody can guarantee a 100% catch rate in a single layer

APT and Targeted Attack Profile: what is needed
- Look into every stage of the attack
- Build a custom defence at every layer
- Use a multi-layer, multi-technology approach
- Correlate every detection
- Minimize the impact
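The "look into every stage" and "correlate every detection" points above, and the later "prioritize your actions" point, are shown below as a worked example. This is added code, not part of the deck and not a Trend Micro product feature: the host names, the alert texts, the detection-layer names and the priority thresholds are all constructed for illustration. Alerts from several layers are grouped into incidents (hosts joined by a lateral-movement alert are merged), and each incident is ranked by how many of the six attack stages it covers rather than by raw alert count, so three noisy adware hits on one workstation rank below a quiet five-stage chain across two machines.

```python
"""Correlating detections across the six attack stages.

Added example, not from the deck or any Trend Micro product. Host names,
alert texts, layer names and the priority thresholds are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

STAGES = {
    1: "Intelligence Gathering",
    2: "Point of Entry",
    3: "Command & Control",
    4: "Lateral Movement",
    5: "Asset/Data Discovery",
    6: "Data Exfiltration",
}


@dataclass(frozen=True)
class Alert:
    host: str                      # host the detection layer reported on
    stage: int                     # attack stage the alert evidences (1..6)
    source: str                    # detection layer that raised it
    detail: str
    target: Optional[str] = None   # lateral-movement alerts: where the host moved to


# Constructed sample alerts. ws-017 is the entry point and moves to srv-fs-02,
# which then stages and exfiltrates data. ws-042 only has repeated adware hits.
SAMPLE_ALERTS = [
    Alert("ws-017", 2, "sandbox", "mail attachment dropped an unknown executable"),
    Alert("ws-017", 3, "dns", "beaconing to a newly registered domain"),
    Alert("ws-017", 4, "log-inspection", "admin logon from ws-017 to srv-fs-02", target="srv-fs-02"),
    Alert("srv-fs-02", 5, "file-audit", "bulk enumeration of the finance share"),
    Alert("srv-fs-02", 6, "proxy", "large outbound HTTPS upload to an unclassified host"),
    Alert("ws-042", 2, "anti-malware", "known adware family quarantined"),
    Alert("ws-042", 2, "anti-malware", "known adware family quarantined"),
    Alert("ws-042", 2, "anti-malware", "known adware family quarantined"),
]


def build_incidents(alerts):
    """Merge hosts linked by lateral-movement alerts into one incident.

    Returns a list of dicts: hosts, distinct stages seen, alert count, sources.
    """
    parent = {}  # union-find over host names

    def find(h):
        parent.setdefault(h, h)
        while parent[h] != h:
            parent[h] = parent[parent[h]]
            h = parent[h]
        return h

    for a in alerts:
        find(a.host)
        if a.target:
            parent[find(a.host)] = find(a.target)

    groups = defaultdict(list)
    for a in alerts:
        groups[find(a.host)].append(a)

    incidents = []
    for members in groups.values():
        hosts = {a.host for a in members} | {a.target for a in members if a.target}
        incidents.append({
            "hosts": sorted(hosts),
            "stages": sorted({a.stage for a in members}),
            "alerts": len(members),
            "sources": sorted({a.source for a in members}),
        })
    return incidents


def priority(incident):
    """Rank by breadth across the chain, not by alert volume (constructed thresholds)."""
    stages = incident["stages"]
    if 6 in stages or len(stages) >= 4:
        return "critical"   # exfiltration seen, or most of the chain observed
    if len(stages) >= 2:
        return "high"       # more than one stage: the attack is progressing
    return "low"            # a single stage, however noisy


def triage(alerts):
    """Return incidents sorted most urgent first, each tagged with a priority."""
    order = {"critical": 0, "high": 1, "low": 2}
    incidents = [dict(i, priority=priority(i)) for i in build_incidents(alerts)]
    return sorted(incidents, key=lambda i: (order[i["priority"]], -len(i["stages"])))


if __name__ == "__main__":
    for inc in triage(SAMPLE_ALERTS):
        names = ", ".join(STAGES[s] for s in inc["stages"])
        print(f'{inc["priority"]:8} hosts={inc["hosts"]} alerts={inc["alerts"]} stages: {names}')
```

Run as a script it prints the two incidents, the cross-host chain first. The point of the design is the ranking key: a console that sorts by alert count would put the adware workstation on top, while sorting by stage coverage surfaces the attack that is actually progressing through the chain.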
Transforming your data centers to become future proof
Your top 3 security concerns for your DC
- Provisioning: apply the right security the moment the VM is provisioned or spun up
- Management: easily manage all security incidents and requirements consistently across the data center and cloud
- Performance: minimize the bottlenecks created by traditional security capabilities
Server security platform (slide diagram)
- ADAPTIVE: intelligent, dynamic provisioning and policy enforcement
- CONTEXT: workload- and application-aware
- SOFTWARE: optimized for virtualization and cloud infrastructure
- PLATFORM: comprehensive capabilities across data center and cloud
Capabilities: Intrusion Prevention, Host Firewall, Integrity Monitoring, Anti-malware, Log Inspection, Data Encryption / Data Protection, Application Scanning
Minimize impact: one console for everything
- On-premise and in-the-cloud server security
- All platforms
- All detection/protection engines: anti-malware (AM), firewall (FW), web reputation (WR), IDS/IPS, integrity monitoring (IM), log inspection (LI)
- Integration for automation with VMware vCenter, vCloud Director, VMware NSX, Amazon, Azure, ...
- Protection at the hypervisor level (agentless) when using VMware ESX servers
Protect against vulnerabilities before you patch
- Reduce the risk of exposure to vulnerability exploits, especially as you scale
- Protect legacy OS and apps when no patch exists
- Save money by avoiding costly emergency patching; patch at your convenience
Timeline (slide diagram): Exposure (vulnerability disclosed or exploit available, until a patch is available), Soak (patch available, test, begin deployment, complete deployment), Patched. Virtually patch with Trend Micro Intrusion Prevention during the exposure and soak phases.

An automated approach to virtual patching
- Typical patch cycle without virtual patching: monthly security patching, 12 x patching per year
- Typical patch cycle with virtual patching: half-yearly full patching
Real customer case: 5 days after ShellShock went public, 766 attacks were blocked by Deep Security automated virtual patching on Sept 30th at a customer managing 100+ instances. Emergency patching?
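What "virtual patching" means in practice for the ShellShock case above is a host IPS rule that recognizes the exploit condition in the traffic before it reaches the unpatched component, so the server is shielded until the real bash patch is rolled out. The block below is an added example and is not Deep Security's rule or code; it is a constructed HTTP-layer filter. ShellShock (CVE-2014-6271) is triggered by an environment variable whose value starts with the function-definition marker "() {", and a CGI handler exports request headers into the environment, so the rule inspects every header value for that marker and blocks the request. The sample requests, header names and rule name are constructed.

```python
"""Vulnerability shielding in the style of a host IPS rule (added example).

Not Deep Security's rule or code. A constructed filter that blocks HTTP
requests carrying the ShellShock (CVE-2014-6271) function-definition marker
in any header, so an unpatched bash behind a CGI handler is shielded until
the real patch is deployed. The sample requests are constructed.
"""
import re
from dataclasses import dataclass

# A vulnerable bash imported a function from any environment variable whose
# value began with "() {". The rule anchors at the start of the header value
# and tolerates whitespace variants, so "(){" is flagged as well.
SHELLSHOCK_MARKER = re.compile(r"^\s*\(\s*\)\s*\{")


@dataclass
class Verdict:
    allowed: bool
    rule: str = ""
    header: str = ""


def inspect_request(headers):
    """Return a Verdict for one request's header map (header name -> value)."""
    for name, value in headers.items():
        if SHELLSHOCK_MARKER.search(value):
            return Verdict(False, "shellshock-cgi-header", name)
    return Verdict(True)


def parse_request(raw):
    """Minimal parser for a raw HTTP request head; returns (request_line, headers)."""
    lines = raw.split("\r\n")
    headers = {}
    for line in lines[1:]:
        if not line:          # blank line ends the header block
            break
        name, _, value = line.partition(":")
        headers[name.strip()] = value.strip()
    return lines[0], headers


# Constructed sample traffic: two benign requests, two probes carrying the marker.
SAMPLE_REQUESTS = [
    "GET /cgi-bin/status HTTP/1.1\r\nHost: www.example.test\r\nUser-Agent: Mozilla/5.0\r\n\r\n",
    "GET /cgi-bin/status HTTP/1.1\r\nHost: www.example.test\r\nUser-Agent: () { :; }; echo test\r\n\r\n",
    "GET /cgi-bin/status HTTP/1.1\r\nHost: www.example.test\r\nReferer:  (){:;}; echo test\r\n\r\n",
    # Marker-like text that does not start the value is not a bash trigger: allowed.
    "GET /cgi-bin/status HTTP/1.1\r\nHost: www.example.test\r\nX-Note: function() { return 1; }\r\n\r\n",
]


def shield(raw_requests):
    """Apply the rule to each raw request; return counts and the blocked hits."""
    stats = {"allowed": 0, "blocked": 0, "hits": []}
    for raw in raw_requests:
        request_line, headers = parse_request(raw)
        verdict = inspect_request(headers)
        if verdict.allowed:
            stats["allowed"] += 1
        else:
            stats["blocked"] += 1
            stats["hits"].append((request_line, verdict.header, verdict.rule))
    return stats


if __name__ == "__main__":
    result = shield(SAMPLE_REQUESTS)
    print(f'allowed={result["allowed"]} blocked={result["blocked"]}')
    for request_line, header, rule in result["hits"]:
        print(f"  blocked {request_line!r} on header {header} by rule {rule}")
```

The anchoring at the start of the value is what keeps the false-positive rate low: JavaScript-looking strings inside a header are common, but bash only ever parsed values that began with the marker. A real IPS rule would also cover the request line and body parameters that a CGI handler exports, which this example leaves out.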
External collaboration and consumerization risk: employees; partners and customers; remote workers; contractors and consultants
On-premise security (slide diagram): inbound email is inspected for zero-day malware by multiple security layers (APT protection gateway at the network boundary, Exchange, OWA, Outlook).

What happens with Office 365 (slide diagram): the included baseline security lacks controls to find hidden malware and zero-day threats. OWA and Outlook are reached outside the network boundary, so the on-premise APT protection has no opportunity to inspect the mail.
Scenario: an attacker sends a zero-day infected PDF to a remote employee's personal email. The employee uploads it to Office 365. Another employee sees the PDF and downloads it to their iPad, and this employee sends the PDF to a customer.
Trend Micro Cloud App Security
- Advanced threat detection: finds zero-day malware and hidden threats; sandbox malware analysis in the cloud
- DLP: 200+ customizable templates; discovery and visibility capabilities
- Direct API integration: no email re-routing, client changes, or web proxy
Copyright 2015 Trend Micro Inc.

Integrating Cloud App Security with Office 365
- Direct cloud-to-cloud integration via API
- No impact on Office 365 functionality
- 5 minute setup
(Diagram labels: API, MX record, Software, User settings)

Standalone or as part of the endpoint platform
- Standalone: an add-on to your Office 365 deployment
- As part of the EPP suite (Smart Protection for Endpoints, Smart Protection Complete): endpoint protection, web and other gateways, Cloud App Security, central visibility and management. A great reason to pick Trend for your overall endpoint protection platform.
Custom Defense: how to achieve security efficiency based on your needs?

What Gartner says: the Adaptive Security Architecture
Full lifecycle of threat defense (Gartner's four quadrants, for midsize and enterprise business, around a central Monitor & Control)
- PREVENT: proactively protect endpoints, servers and applications
- DETECT: detect advanced malware, behavior and communications invisible to standard defenses
- RESPOND: prioritize areas for containment and remediation, and adapt protection
- ANALYZE: analyze the risk and nature of the attack and attacker, and assess the impact of threats retrospectively

What techniques are used?
- PREVENT: signatures/blacklist, vulnerability shielding, app whitelisting, isolation
- DETECT: endpoint behavioral, sandbox behavioral, network anomaly
- RESPOND: real-time signature/rule updates, quarantine items, isolate endpoint
- ANALYZE: investigation/forensics
- Center: insight and control
All together (slide diagram)
- Inputs: signatures, detection rules, web/file/app/email reputations
- TM Deep Discovery (DD) Inspector / Analyzer (Custom Defense) and third-party, non-Trend Micro products such as HP ATA produce suspicious objects and indications of compromise (IOC)
- Control Manager distributes suspicious objects, control and updates, and IOC actions
- Enforcement: OfficeScan (block), Endpoint Sensor (IOC), InterScan Web (block), InterScan Messaging Security (block), ScanMail (block), Deep Security (block)
Prioritize your actions: Control Manager will highlight the critical threat detections that might result in a higher impact for the organization.
Visibility by user (screenshots)
Visibility by device (screenshot)
Visibility by event, across all users (screenshot)
Thank You!