Trend Micro and IBM Security QRadar SIEM
Ellen Knickle, PM QRadar Integrations
Robert Tavares, VP IBM Strategic Partnership
February 19, 2014
Agenda
1. Nature of the IBM Relationship with Trend Micro
2. Market Challenges and Opportunities
3. Overview of Trend Micro Deep Discovery
4. Value proposition to Customers vs. Competition
5. What products integrate with IBM Security QRadar SIEM
6. Future Roadmap for Trend Micro integrations
7. Contacts and Reference sources
8. Q&A
Trend Micro and IBM relationship
- Trend Micro was one of the early partners to join the SIPP program (Security Intelligence Partner Program) with Q1 Labs.
- Close working relationship with the Deep Discovery team: they notify us of future releases, have QRadar installed in their lab, and test the integrity of the integration when versions change = happy customers, fewer support calls.
- IBM OEMs the Trend Micro Core Protection product as part of IEM.
- Trend Micro SecureCloud is being used within IBM SmartCloud as the encryption solution.
Hackers have an Unfair Advantage!

Hackers                           | Defenders
----------------------------------|---------------------------
Easy access to weapons/expertise  | Resource constrained
Low barriers to entry             | Many points of defense
Focused objectives                | Competing demands
Low penalty for failure           | High penalty for failure
Attackers test and use every entry point & means
[Figure: attack-surface diagram. Labels: Mobile devices & PCs; Different OSs & Client Software; Hundreds of protocols (FTP, IRC, HTTP); Evolving / Morphing Attacks; Unknown Threats; Known Threats; Dozens of Ports (Port 1145, Port 2056).]
3/31/2014 Confidential Copyright 2013 Trend Micro Inc.
The Ideal Solution for Targeted Attacks
- Software & Devices: all devices, multiple OS, custom sandboxing and file types
- Attack Evolution: changes in C&C, ports, protocols, signatures and behaviour
- Communication Protocols: monitor over 80 protocols
- Unknown Threats: zero day & variations of known threats
- Known Threats: rapid identification
- Network Ports: monitor all ports
Trend Micro Deep Discovery
Comprehensive 360° view of targeted attacks, from a single appliance:
- Evolving Attacks: 24 customizable sandboxes
- Unknown Threats and Known Threats
- 80+ protocols
- All ports
Joint Value Proposition
Real-time Protection from Advanced Persistent Threats (APTs) & Targeted Attacks

Detect (Trend Micro Deep Discovery: Advanced Threat Management, Real-time Global Threat Intelligence)
- Detect APTs & targeted attacks that are otherwise invisible
- Characterize threats & risk factors
- Deliver actionable intelligence to IBM Security QRadar SIEM

Defend (IBM Security QRadar: Security Information & Event Mgt.)
- Assess threats further
- Correlate with other contextual data
- Remediate, contain and prevent threats and attacks with existing security systems
QRadar + Deep Discovery
Provides real-time answers to these critical questions:
- Are we being attacked? By whom?
- Is someone stealing our data? Who?
- How are they attacking/stealing?
- What is being attacked or targeted?
Customer Value for Deep Discovery QRadar integration
Web Threat Use Case: QRadar receives a web threat event from Deep Discovery. It is correlated with X-Force data to confirm a known bad URL, generating an offense. The security team can then update their blacklist policy.
Data Loss Threat Use Case: Deep Discovery alerts that there is suspicious behavior on a critical asset. When this event is followed by a behavioral rule firing on excessive network activity at 3:00 AM at corporate HQ over the past week, QRadar generates an offense. The SOC analyst sees the offense on her dashboard first thing the next morning and investigates.
Customer Value for Deep Discovery QRadar integration
- Deep Discovery logs are in LEEF format. The log source is auto-detected, reducing configuration effort for the customer.
- QRadar offers broad contextual data to trigger offenses, giving customers visibility into what's happening in real time, the tools to do forensic investigations, and the ability to rapidly see value.
Success Stories: QRadar + Deep Discovery
- Large South Korean bank: the combined solution was successfully used in March 2013 to detect a malicious downloader attached to emails, which would ultimately have rendered systems unusable.
- Large University Hospital in Canada: multiple sites and 8,000+ computers; using QRadar & Deep Discovery to help detect and respond to security incidents that would otherwise fly under the radar.
Security Spotlight: Advanced Persistent Threats - Complements ISS NIDS/NIPS
Value Proposition: Comprehensive defense against targeted and persistent threats. Helps IBM complete its product offering in providing end-to-end security against targeted and advanced persistent threats.
[Figure: architecture diagram. Components: Deep Discovery; ISS NIDS/NIPS; QRadar SIEM Console; IBM Endpoint Manager; endpoints: Desktop(s), Laptop(s), Mobile, Virtual/VDI.]
Trend Micro Product Overview: OfficeScan
OfficeScan is an endpoint security solution to safeguard file servers, desktops, laptops, virtualized desktops and mobile devices.
- Malware protection against viruses, trojans, worms, spyware and new variants
- Data Loss Prevention
Customer Value: Lower infection rates and management costs. Offers virtual patching for protection from zero-day threats.
This is the product that IBM OEMs as part of IBM Endpoint Protection.
Customer Value for OfficeScan QRadar integration
OfficeScan alerts QRadar of endpoints that have been exposed to malware and viruses.
Use Cases:
- When correlated with assets' security posture, based on vulnerability data and importance to the enterprise, QRadar helps customers prioritize which assets to patch and fix.
- By correlating OfficeScan events with flows, QRadar can detect botnet C&C activity.
Competitors do not have the same capability to use vulnerability management to help prioritize remediation. QRadar is unique in its visibility into Layer 7 flows to confirm the breadth of attacks.
IBM Security Solution
[Figure: IBM Endpoint Manager Core Protection; Trend Micro Deep Discovery Inspector.]
Trend Micro Product Overview: Control Manager
- Centrally manages threat and data policies
- Enterprise visibility of data protection policy violations
- Identifies botnet and targeted attack C&C communications
Customer Value: Simplifies administration, manages consistent policies, increases visibility across the enterprise, and improves compliance.
Customer Value for Control Manager QRadar integration
Control Manager sends QRadar events indicating when policies have been changed, when policy violations occur, and when malware threats and outbreaks occur.
Use Cases:
- Policy changes can be compared with reference sets of privileged users permitted to make changes, lowering the severity of the event to avoid false positives.
- An offense can be generated as a result of correlating Control Manager virus outbreak events with QFlows, enabling SOC analysts to determine the perpetrator and prevent it from spreading.
Don't discount the power of flows!
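An added example, not code from this deck, Trend Micro or IBM, that shows the two mechanics the Deep Discovery and Control Manager slides rely on: recognising LEEF 1.0 events (the format QRadar auto-detects) and applying the privileged-user reference-set check to policy-change events. The sample events, field values and the reference set are constructed for illustration; the product and event names in them are placeholders, not documented Trend Micro event IDs.

```python
# Added example (not Trend Micro or IBM code). Parses LEEF 1.0 events of the
# kind a DSM consumes, then applies the Control Manager use case: a policy
# change by a user in the privileged reference set is downgraded, any other
# event keeps its reported severity. All sample data below is constructed.

# LEEF 1.0 layout: LEEF:1.0|Vendor|Product|Version|EventID|k=v<TAB>k=v...
SAMPLE_EVENTS = [
    "LEEF:1.0|Trend Micro|Control Manager|6.0|policy_change|"
    "devTime=Feb 19 2014 09:12:00\tusrName=alice\tsev=7\tpolicy=DLP-Finance",
    "LEEF:1.0|Trend Micro|Control Manager|6.0|policy_change|"
    "devTime=Feb 19 2014 03:05:00\tusrName=mallory\tsev=7\tpolicy=DLP-Finance",
    "LEEF:1.0|Trend Micro|Deep Discovery|3.5|web_threat|"
    "devTime=Feb 19 2014 03:06:00\tsrc=10.0.0.5\tdst=203.0.113.9\tsev=9",
    "Feb 19 03:07:00 host sshd[12]: not a LEEF line",
]

PRIVILEGED_USERS = {"alice", "bob"}  # constructed reference set

def parse_leef(line):
    """Split the pipe-delimited header and the tab-delimited key=value
    extension. Returns None for anything that is not a LEEF 1.0 line."""
    parts = line.split("|", 5)
    if len(parts) != 6 or parts[0] != "LEEF:1.0":
        return None
    ev = {"vendor": parts[1], "product": parts[2],
          "version": parts[3], "event_id": parts[4]}
    for kv in parts[5].split("\t"):
        key, sep, val = kv.partition("=")
        if sep:
            ev[key] = val
    return ev

def effective_severity(ev):
    """Reference-set check: a policy change by a privileged user is expected
    and drops to severity 2; everything else keeps the product's value."""
    sev = int(ev.get("sev", 0))
    if (ev["event_id"] == "policy_change"
            and ev.get("usrName") in PRIVILEGED_USERS):
        return 2
    return sev

def triage(lines):
    """Return (event_id, actor, effective severity) for each LEEF line;
    non-LEEF lines are skipped rather than guessed at."""
    out = []
    for ev in filter(None, map(parse_leef, lines)):
        actor = ev.get("usrName") or ev.get("src", "?")
        out.append((ev["event_id"], actor, effective_severity(ev)))
    return out
```

Running `triage(SAMPLE_EVENTS)` keeps mallory's 03:05 policy change at severity 7 while alice's is lowered to 2, which is the false-positive reduction the slide describes.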
Trend Micro Integrations on the QRadar roadmap
Deep Discovery Analyzer: an open and scalable platform allowing sandbox analysis to be integrated with QRadar.
Use Cases:
- Block targeted spear phishing emails
- Block document exploits
Supports LEEF format.
Targeting a DSM release to align with Trend's release of Deep Discovery Analyzer, likely Q2.
Trend Micro Integrations with Deep Discovery Analyzer
InterScan Web Security and InterScan Messaging Security offer visibility and control of internet activity, stop email threats and protect enterprise data.
- DLP modules for each product
- Block URLs to malicious sites
- Stop advanced malware and phishing attacks
Customer Value: Comprehensive spam protection; increases productivity and reduces management effort and IT costs.
NOTE: QRadar has a DSM for InterScan VirusWall, an older version of these products, which IBM will continue to support.
Innovative Spear Phishing Protection
[Figure: mail-flow diagram. InterScan Messaging Security or ScanMail (Anti-spam, Anti-phishing, Web Reputation, Anti-malware, Advanced Threat Detection) -> Deep Discovery Analyzer (Threat Analyzer, Threat Intelligence Center, quarantine) -> Security Update Server. Blocking of targeted spear phishing emails and document exploits via custom sandboxing; central analysis of detections.]
What Trend Micro integrations are on the roadmap?
Deep Security provides physical, virtual and cloud server security against:
- Malware
- Web threats
- Malicious changes to files
- Intrusion Detection and Prevention
Trend has committed to support LEEF format by Q3 or Q4.
Why is format important for QRadar? Today, Deep Security logs are only in CEF format. CEF is an ArcSight/HP registered standard; IBM would need ArcSight permission and validation.
Next Steps & Contacts
Trend Micro Contacts:
- Jim Smith, Technical Specialist, Jim_Smith@trendmicro.com, 1-647-990-0546
- Richard Eve, IBM Trend Sales Manager - EMEA, Richard_Eve@trendmicro.com, 011 44 7500 835125
- Rory McCall, IBM/Trend Sales Manager - USA, Rory_McCall@trendmicro.com, 1-703-201-9209
- Robert Tavares, VP, IBM Strategic Partnership - APAC, LAR & CANADA, Robert_Tavares@trendmicro.com, 1-514-816-1548
Reference information
QRadar DSM Roadmap and Integrations Community:
https://w3-connections.ibm.com/communities/service/html/communityoverview?communityuuid=bfd16c11-a02f-4374-8a71-5a56909786c0
Integration Roadmap is posted on the Community: "QRadar Integration Roadmap in slide form.ppt"
Status of Integrations:
https://w3-connections.ibm.com/wikis/home?lang=enus#!/wiki/wa84ee4294cea_414d_9c00_8a48d644e739/page/integration%20and%20DSM%20talking%20points%20&%20elevator%20pitch
Solution Briefs on PartnerWorld:
https://www.ibm.com/developerworks/community/wikis/home?lang=en#!/wiki/w59a08f1a659b_439f_afee_5e08fab3030e/page/qradar%20solution%20briefs