Trend Micro Deep Discovery and Custom Defence Protection from Targeted Attacks 23 May 2013 James Walker Snr. EMEA Product Marketing Manager
How threats have evolved! (Timeline slide: detection technology moved from Patterns to Reputation to Heuristics to Custom Defence, as the threat moved from general, high-volume, non-targeted malware to targeted attacks.)
RSA Sony Copyright 2012 Trend Micro Inc. 3
We see the tip of the Targeted Attack / APT iceberg. Attacks in the news are the visible part; most go unreported. Below the waterline: APTs, cyber espionage, targeted attacks, cyber threats. 90% of companies found previously unknown malware* (* Trend Micro study).
Analysts and Influencers Urge Action: Adoption of Advanced Threat Detection
"You need to know what's accessing the data, how the data's being used, and what's happening on your network." - John Kindervag, Principal Analyst Serving Security & Risk Professionals, Forrester Research, Inc.
"We must assume we will be compromised and must have better detection capabilities in place that provide visibility as to when this type of breach occurs." - Neil MacDonald, VP and Gartner Fellow, Gartner, Inc.
"Hardening existing security defenses... won't be enough to deal with the sophistication and perseverance of APTs." - Jon Oltsik, Senior Principal Analyst, Enterprise Strategy Group
How long do Targeted Attacks / APTs stay hidden? Most companies are breached in minutes, but the breach is not discovered for months. Average time from compromise to discovery: 210 days (source cited on the slide: Verizon Data Breach Investigations Report 2012).
Prevention is not the cure! Prevention solutions on their own will not protect you: criminals test their malware against current security software before starting an attack. You need visibility of when you are compromised so you can take action quickly: fast detection, actionable information, and a way to address the compromised machine. You can't fix what you don't know; make the unknown known.
The Custom Defence: a complete lifecycle to combat the attacks that matter to you
- Detect: specialized threat detection capability on the network and at protection points
- Analyze: deep local analysis with custom sandboxing and custom global intelligence to fully assess threats
- Adapt: custom security blacklists and signatures block further attack at network, gateway and endpoints
- Respond: attack profiles and network-wide event intelligence guide rapid containment and remediation
Targeted attack challenges this addresses:
- Visibility: what's really happening on my network?
- Detection: how do I identify what is evading my standard defenses?
- Risk assessment: what's dangerous, what's not, and who is behind this attack?
- Prevention: should I block this attack, and how?
- Remediation: how widespread is this attack and what actions should be taken?
The fully integrated approach to total anti-malware threat protection
Competition: traditional endpoint and gateway providers cover only generic malware; network and sandbox analysis vendors offer point, incomplete solutions.
Trend Micro:
- Generic malware (non-targeted, high volume, known): traditional anti-malware solutions - SPN, OfficeScan, SMEX, IMSVA, Deep Security, IWSVA, SMLD
- Targeted malware (new, unique, low volume, targeted, unknown): targeted attack solution - Deep Discovery
- Entire threat landscape: Trend Micro Custom Defence, a complete integrated solution with protection against both traditional and targeted threats
Deep Discovery: the custom detection, intelligence and response capabilities you need to deploy a Custom Defence against the APTs and targeted attacks that matter to you
- Deep Discovery Inspector (network scanning appliance): network traffic inspection, detection of malicious communication and malicious files, automated sandbox, real-time analysis and reporting
- Deep Discovery Advisor (sandbox appliance): high-capacity sandbox, centralised reporting and analysis, log and detection correlation across DDI Inspectors and other Trend solutions, adaptive protection against attack, integrates into other Trend Micro solutions
Outcomes: threat analysis, visibility, insight, control
The Custom Defense In Action: the future - adaptive protection for all Trend products
- Network: Deep Discovery Inspector
- Endpoint security: OfficeScan; server security: Deep Security
- Messaging security: SMEX / SMLD (mail server), IMSVA (gateway)
- Web security (gateway): IWSVA
- Deep Discovery Advisor (Threat Analyzer, Threat Intelligence Center, Security Update Server) feeds IP/domain blacklist updates and signature updates to the above; SIEM integration planned for 2H/2013
The Custom Defense In Action: advanced email protection
- InterScan Messaging Security or ScanMail: anti-spam, anti-phishing, web reputation, anti-malware, advanced threat detection, quarantine
- Deep Discovery Advisor (Threat Analyzer, Threat Intelligence Center, Security Update Server): blocking of targeted spear-phishing emails and document exploits via custom sandboxing, central analysis of detections, automated updates of malicious IPs/domains, signature file updates
APTs Most Commonly Start with a Spear Phishing Email with an Attachment
Deep Discovery Inspector: advanced threat protection across the attack sequence - malicious content, suspect communication, attacker behavior
Deep Discovery Advisor
- Threat Analyzer: in-depth threat simulation and analysis; custom sandbox execution environments; 24 sandboxes per unit; integration with Deep Discovery Inspector; open, automated and manual submission; supports clustering of up to 5 units for analysing up to 50,000 samples/day
- Threat Intelligence Center: in-depth analysis of incidents and events; risk-focused monitoring and investigation; Trend Micro and open security event collection; context-relevant actionable intelligence; Deep Discovery Inspector centralised reporting
- Security Update Server: IP/URL blacklist export; custom security signature updates (future)
Summary: custom scalable threat simulation, deep investigation and analysis, actionable intelligence and results
Deep Discovery Functionality Summary

Functionality                             Deep Discovery Inspector            Deep Discovery Advisor
Network Traffic Analysis                  Yes                                 No
File Sandboxing (number of sandboxes)     Yes (1)                             Yes (24)
Hardware Appliance Option                 Yes (500 Mbps / 1 Gbps)             Yes
Virtual Appliance Option                  Yes (100, 250, 500 Mbps, 1 Gbps)    No
Management / Analysis Interface           Yes                                 Yes
Threat Connect                            Yes                                 Yes
Threat Investigation Centre               No                                  Yes
Reporting / Analysis Consolidation        No                                  Yes
Integration with other Trend Solutions    No                                  Yes
Clustering                                No                                  Yes
Today's Attacks: Social, Sophisticated, Stealthy!
1. Attacker gathers intelligence about the organization and its individuals
2. Targets individual employees using social engineering
3. Establishes a command and control (C&C) server
4. Moves laterally across the network seeking data of interest
5. Extracts the data of interest ($$$$); can go undetected for months!
Where does Deep Discovery go on the network? Deep Discovery Inspector is deployed out of band on a port-mirroring (SPAN) port, so it sees traffic between endpoints, the email server and the web / attacker C&C without sitting inline; Deep Discovery Advisor and the management console sit alongside it.
1. Place on the ingress / egress point of the network
2. Place on other sensitive or target network segments
Why Deep Discovery vs the competition
- Detection: custom sandboxing; beyond Microsoft and sandboxing (mobile, Mac); beyond malware (attacker activity, C&C communications)
- Intelligence: Smart Protection Network and researchers; Threat Connect portal; local log file analysis
- TCO: single appliance; flexible form factors; competitive pricing
- Advanced protection: integration; custom security updates; forensics, containment, remediation
The Custom Defense weaves your security into a complete defense against your attackers: custom detection and intelligence - Detect, Analyze, Adapt, Respond
How to help justify budgets?
- Regulatory fines: EU Data Protection Directive today, and the new EU Data Protection Regulation
- Ability to remediate infections quickly, saving time and resources
- Cost of brand damage: loss of customers, reduced ability to sell to new customers
- Loss of intellectual property / loss of competitive advantage
- Reduce expenditure on pure prevention to gain better visibility and control
- Improved ability to work with other companies
- Decreased chance of blackmail / extortion
How to justify the budget? What's coming in 2014
- Presently: Directive 95/46/EC
- EU Data Protection Directive changes: updates expected in 2014 as a new Regulation; a Regulation means all EU countries have to enforce it as set out
- Details of the draft Regulation (over 3,000 amendments tabled):
  - Fines up to 2% of global turnover/revenue; the level of fine will depend on the steps taken to prevent the data leak (technologies and processes)
  - Forced disclosure of data breaches: 72-hour reporting, plus disclosure to individuals where the data leak may adversely affect their privacy
  - Ability for individuals to sue the organisation if their data is leaked as part of the breach
  - The Regulation extends beyond EU-based companies to any company holding and/or processing EU residents' data
  - Prison time for those responsible if found negligent
  - Mandatory Data Protection Officer (DPO)
Screenshot: one-click access to similar events across the network; thorough details on each event
Screenshot: one-click drill-down from the dashboard to view events per host
Screenshot: Virtual Analyzer (sandbox) results, with the ability to download the network activity capture and to analyze the behavior exhibited by suspicious network traffic by executing it in the Virtual Analyzer
Screenshot: additional monitoring and notification capabilities
Screenshot: Threat Connect information portal
Thank You. Questions?
Questions for the audience: Have you been targeted by an attack? Yes? Not sure, but would like to know? How would you know: data breach, forensic analysis, security audit, incident response alerts, custom threat defense, or a third party informing you? Why are you being targeted? What are they after? What can you do about it?
Deep Discovery enhances SIEM effectiveness: its specialized network threat detection supplies unique network intelligence (with verified incidents) that enhances the correlation capabilities of the SIEM; deep network visibility allows multi-dimensional attack profiling across multiple sources; this enables the SIEM to be the central console for enterprise-wide threat detection and management.
Requirements from the customer for a POC install
- Access to the server / switch room to deploy the appliance
- Access to a switch port that mirrors the desired traffic
- An IP address for the appliance
- A customer sandbox image of the common endpoint build: a VMware OVA image of the customer endpoint needs to be created within vCenter
- Network IP ranges and a list of services running on the network
Detailed requirements are in a separate document.
How Deep Discovery Works
Attack detection:
- Emails containing embedded document exploits
- Drive-by downloads
- Zero-day and known malware
- C&C communication for all malware: bots, downloaders, data stealers, worms, blended threats
- Backdoor activity by the attacker
Detection methods:
- Decode and decompress embedded files
- Custom sandbox simulation of suspicious files
- Browser exploit kit detection
- Malware scan (signature and heuristic)
- Destination analysis (URL, IP, domain, email, IRC channel, ...) via dynamic blacklisting and whitelisting
- Smart Protection Network reputation of all requested and embedded URLs
- Communication fingerprinting rules
- Malware activity: propagation, downloading, spamming, ...
- Attacker activity: scan, brute force, tool download, ...
- Data exfiltration
- Rule-based heuristic analysis
- Identification and analysis of usage of 100s of protocols and apps, including HTTP-based apps
- Behavior fingerprinting
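To make the network-side methods above concrete, the script below runs three of them over a constructed connection log: destination analysis against a blacklist, communication fingerprinting of C&C beaconing (a host contacting the same destination at near-constant intervals), and rule-based heuristics for the scan and brute-force attacker activity. This is an added example written for this page, not Deep Discovery code; the log format, the indicator list, the thresholds and every address in it are assumptions constructed for the illustration.

```python
"""Toy network-log triage: blacklist lookup, beacon fingerprinting and
scan / brute-force heuristics.  Added example, not product code."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample log.  Fields: timestamp(s) src dst dst_port result
LOG_TEXT = """\
# beacon every ~300 s to a suspicious host
0    10.0.0.5 203.0.113.9   443 ok
301  10.0.0.5 203.0.113.9   443 ok
599  10.0.0.5 203.0.113.9   443 ok
902  10.0.0.5 203.0.113.9   443 ok
1198 10.0.0.5 203.0.113.9   443 ok
1501 10.0.0.5 203.0.113.9   443 ok
# normal browsing from the same host, irregular timing
17   10.0.0.5 192.0.2.10    443 ok
412  10.0.0.5 192.0.2.10    443 ok
1333 10.0.0.5 192.0.2.10    443 ok
1390 10.0.0.5 192.0.2.10    443 ok
1402 10.0.0.5 192.0.2.10    443 ok
1477 10.0.0.5 192.0.2.10    443 ok
# single flow to a blacklisted destination
45   10.0.0.7 198.51.100.77 80  ok
# port scan: 11 ports on one host within 10 s
2000 10.0.0.9 10.0.0.20 21 ok
2001 10.0.0.9 10.0.0.20 22 ok
2002 10.0.0.9 10.0.0.20 23 fail
2003 10.0.0.9 10.0.0.20 25 ok
2004 10.0.0.9 10.0.0.20 80 ok
2005 10.0.0.9 10.0.0.20 110 fail
2006 10.0.0.9 10.0.0.20 135 ok
2007 10.0.0.9 10.0.0.20 139 ok
2008 10.0.0.9 10.0.0.20 443 ok
2009 10.0.0.9 10.0.0.20 445 ok
2010 10.0.0.9 10.0.0.20 3389 fail
# brute force: 8 failed SSH logins, then a success
2100 10.0.0.9 10.0.0.30 22 fail
2101 10.0.0.9 10.0.0.30 22 fail
2103 10.0.0.9 10.0.0.30 22 fail
2104 10.0.0.9 10.0.0.30 22 fail
2108 10.0.0.9 10.0.0.30 22 fail
2109 10.0.0.9 10.0.0.30 22 fail
2111 10.0.0.9 10.0.0.30 22 fail
2115 10.0.0.9 10.0.0.30 22 fail
2116 10.0.0.9 10.0.0.30 22 ok
"""

# Assumed indicator list; in practice this comes from a global/custom blacklist.
BLACKLIST = {"198.51.100.77"}


def parse_log(text):
    """Parse whitespace-separated records into dicts, sorted by time."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, port, result = line.split()
        records.append({"ts": int(ts), "src": src, "dst": dst,
                        "port": int(port), "result": result})
    return sorted(records, key=lambda r: r["ts"])


def blacklist_hits(records, blacklist=BLACKLIST):
    """Destination analysis: any flow to a known-bad IP is a hit."""
    return sorted({(r["src"], r["dst"]) for r in records if r["dst"] in blacklist})


def find_beacons(records, min_count=5, max_jitter=0.10):
    """Communication fingerprinting: flag (src, dst, port) tuples whose
    inter-connection gaps vary by at most max_jitter (stdev / mean).
    Returns {(src, dst, port): mean_interval_seconds}."""
    times = defaultdict(list)
    for r in records:                      # records are time-ordered
        times[(r["src"], r["dst"], r["port"])].append(r["ts"])
    beacons = {}
    for key, ts in times.items():
        if len(ts) < min_count:
            continue
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            beacons[key] = avg
    return beacons


def find_scans(records, min_ports=10, window=60):
    """Heuristic: one source touching >= min_ports distinct ports on one host
    within `window` seconds is a port scan.  Returns {(src, dst): port_count}."""
    hits = defaultdict(list)
    for r in records:
        hits[(r["src"], r["dst"])].append((r["ts"], r["port"]))
    scans = {}
    for key, events in hits.items():
        for start, _ in events:            # slide the window over each start time
            ports = {p for t, p in events if start <= t <= start + window}
            if len(ports) >= min_ports:
                scans[key] = max(scans.get(key, 0), len(ports))
    return scans


def find_brute_force(records, min_failures=5):
    """Heuristic: a run of >= min_failures failures to one service is password
    guessing; a success ending the run suggests the guess worked.
    Returns {(src, dst, port): (failure_count, success_after_failures)}."""
    streak, found = defaultdict(int), {}
    for r in records:
        key = (r["src"], r["dst"], r["port"])
        if r["result"] == "fail":
            streak[key] += 1
            if streak[key] >= min_failures:
                found[key] = (streak[key], False)
        else:
            if streak[key] >= min_failures:
                found[key] = (streak[key], True)
            streak[key] = 0
    return found


def triage(text):
    """Run all detectors over one log and return their findings by category."""
    records = parse_log(text)
    return {"blacklist": blacklist_hits(records),
            "beacons": find_beacons(records),
            "scans": find_scans(records),
            "brute_force": find_brute_force(records)}


if __name__ == "__main__":
    for category, findings in triage(LOG_TEXT).items():
        print(f"{category}: {findings}")
```

The beacon rule deliberately keys on timing rather than on a destination reputation, which is why the regular 300 s flow is flagged while the irregular browsing from the same host to 192.0.2.10 is not; the brute-force rule only reports the success that ends a failure run, since a success with no preceding failures is just a login.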
Deep Discovery Advisor Threat Intelligence Center
- In-depth contextual analysis including simulation results, asset profiles and additional security events
- Integrated Threat Connect intelligence included in analysis results
- Enhanced threat investigation and visualization capabilities
- Highly customizable dashboard, reports and alerts
- Centralized visibility and reporting across Deep Discovery Inspector units
Customer: Motel 6
Challenge: prevent infections, especially malicious code that can steal sensitive data and remain hidden for long periods of time.
Solution: Deep Discovery (with other Trend technologies).
Results: significant reduction in infection rates, with eye-opening discovery of malicious threats attempting to phone home; boosted confidence in protection of customer information and corporate reputation; alignment between company vision and the security vendor's direction.
"Deep Discovery is not just a step forward, it is a big leap forward. Deep Discovery gives us a line of defence against targeted attacks. We can now shut them down quickly." - ICT Manager, Motel 6
2013 Roadmap
- DDI 3.5 (preview Feb 2013 at RSA, GA April 2013): global/custom C&C blacklist adoption and adaptive sharing; multiple DDI management via TMCM; usability and reporting enhancements
- DDI 3.6 (Q3/Q4 2013): multiple sandbox form factors; role-based administration; web sandboxing; Common Criteria certification EAL 2; IPv6
- DDA 3.0 (preview Feb 2013 at RSA, GA April 2013): multiple custom sandbox images; central reporting for DDI
- DDA 3.2 (Q3/Q4 2013): additional OS sandbox support; enhanced log event analysis; and more