Copyright 2008 - Trend Micro Inc. Trend Micro Threat Discovery Suites (sales presentation).

Author: Jacob Morris


Slide 2: Agenda
- Threat and business risks
- TDA benefits
- Threat Discovery technology
- CN (China) case sharing
- Q&A

Slide 3: Threat and Business Risks (section divider)

Slide 4: Enterprise Content Security Landscape - Key IT Concerns
- The threat landscape has changed: threats are profit driven, sophisticated and multiplying (spam, spyware, botnets, worms, web threats).
- Business operations have changed: more branches, a more mobile workforce, and a technology revolution that adds infection channels such as USB (pen drives, portable hard drives), 3G and Wi-Fi connections.
- Why is there a gap between the two?
[Chart: enterprise mobile device market penetration over time, 2000 to 2010, 0-100%, anchored desktop vs. mobile population. Source: The 451 Group and Infolock.]

Slide 5: DOWNAD/Conficker general behavior (diagram)

Slide 6: Uncountable variants (DOWNAD/Conficker)

Slide 7: Network traffic generated after infection with DOWNAD/Conficker (capture)

Slide 8: Conclusion
Discovering these emerging (new) threats requires a more proactive, early-detection mechanism and a non-intrusive deployment design. Monitoring access point: the internal network.

Slide 9: Paramount, Q1 2008 - Controllable Risk Management
Questions customers ask:
- Did an employee visit a harmful website?
- Did someone receive a malicious mail?
- Did an employee bring an infected USB drive into the company?
- Is an employee using P2P and downloading malware?
- Where is the high-risk client?
- How do we fix it?
- Overall, how do I improve my security protection?
- Why could nobody tell me earlier?
- What is the risk, and what is its level?
Goal of the new generation of anti-malware: controllable risk management.
Key issues to address: a near real-time threat analysis system; deep analysis of threat incidents; professional recommendations.
Ultimate goal: answer "Am I secure? What is the risk of these threat incidents? How do I resolve them?"

Slide 10: Requirements of the New Age of Anti-Malware
Four capability areas: incident analysis and correlation; locating the infected endpoint and the infection source; threat analysis; reporting and recommendations. (The slide's Chinese labels: filtering analysis; locating the infection source; malware analysis.)
Requirements:
- Out-of-band deployment.
- Decoding of 84 protocols with layer 2-7 analysis.
- Built-in malware behavior intelligence and an advanced threat analysis engine.
- Integration with the Secure Cloud platform.
- Identification of known and unknown threats through advanced correlation analysis.
- Precise location of the infected endpoint.
- Daily incident handling report and weekly management report.
- Root-cause analysis.
- Malware incident handling SOP.
- Professional support powered by the Trend Micro Threat Response Center.

Slide 11: Threat Discovery Suites - Value Proposition
Trend Micro Threat Management Solution is the industry's most comprehensive malware detection and mitigation system at the network layer. TDA looks at network traffic and detects:
- New and known malware (including information-stealing malware)
- Web threats
- Botnets and infected endpoints
- Disruptive applications

Slide 12: The TDS ROI - intelligent threat protection; TDS lowers overall threat exposure (chart)

Slide 13: Threat Discovery Technology (section divider)

Slide 14: Threat Discovery Suite key components
The Threat Discovery Appliance (TDA), which finds threats in your network, plus the SPN (Smart Protection Network) service. Key features:
- New and known malware detection
- Disruptive application detection
- Multiprotocol malware detection
- Powered by SPN
- Out-of-band deployment

Slide 15: Threat Response Center and Secure Cloud integration (architecture diagram)
A switch port mirror feeds a copy of the traffic to the Threat Discovery Appliance, which correlates what it sees with Trend Micro cloud services: ActiveUpdate, DNS/IP reputation, phishing filter, application reputation and HTTP/URL reputation. The appliance produces the threat analysis report; service and support supply professional recommendations. Together these form the new generation of anti-malware solution.

Slide 16: Threat engines
Engine | Detects
VSAPI engine | Known malware
VSAPI xTrap engine | Possible virus / packed files
Network Content Inspection Engine | Malware activity
Network Virus Engine | Network-based threats
Web Reputation Services | Web threats

Slide 17: Protocol coverage
TDA analyzes 80+ protocols (HTTP, SMTP, IRC, P2P and others) to detect zero-day attacks, information-stealing malware and botnets. Protocols shown: DNS, DCE-RPC, Telnet, RDP, SSH, HTTP, AIM, IRC, FTP, TFTP, SMB, SMTP, Gmail, BitTorrent, MSN, ICQ, Google Talk, Slingbox, iTunes, Windows Media, eMule, eDonkey.

Slide 18: Downloader incident cases TDA can detect
Request for download / access:
- Access to a malicious URL.
- Connection to a malicious website using a bad (known-malicious) User-Agent.
Download:
- Download of a known virus.
- Suspicious files transferred.
- Executable files with suspicious extensions.
Figure: Downloader A, B and C (unknown downloader-type malware) each fetching Malicious Code D. Each downloader is detected on both behaviors, the download request and the download itself.

Slide 19: Botnet example cases TDA can detect (see note 3)
DNS query:
- DNS query for a known IRC command-and-control (C&C) server.
Bot C&C server communications:
- Connection established to a known bot C&C server.
- IRC protocol on a non-standard port.
- IRC bot command detected.
Others (note 3):
- Spam email.
- Attempts to log on to systems (logon failures); brute-force attack.
- Access to a malicious URL.
Figure: Bot A (unknown bot type) contacting a DNS server, a C&C server, a proxy server (port 8080) and a malicious website.
Note 3: bot activities are extremely varied; only typical activities and detections are introduced here.

Slide 20: Worm incident cases TDA can detect (see note 4)
Files attached in email:
- Suspicious packed file.
- Suspicious files transferred.
- Email subject matching those used by known malware.
File sharing:
- Brute-force attack over the SMB protocol.
- Suspicious packed file.
- Suspicious files transferred.
- Executable files with suspicious extensions.
Others:
- Packed file transferred over an IM application.
- Propagation through application / system vulnerabilities.
Figure: Worm A (unknown worm type) spreading to a server.
Note 4: worm activity is very diverse; only typical activities and detections are introduced here.
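The three slides above describe the downloader, botnet and worm detections as behaviors observed on mirrored traffic rather than as file signatures. To make that concrete, here is an added example that is not Trend Micro code and not part of the original deck: a small Python script that applies several of the listed rules (DNS query for a known C&C name, IRC on a non-standard port, an IRC bot command, a bad User-Agent, an executable download, an executable hidden under a non-executable extension, and SMB logon-failure brute force) to constructed event records, then reports which source hosts account for the bulk of the findings, the kind of "top 5 clients produce 91% of the suspicious traffic" and "workstation X failed to log on N times" summary that the government and hospital cases later in the deck present. The watch lists, the bot command vocabulary, the logon-failure threshold and every sample record are assumptions made for the example.

```python
"""Added example (not Trend Micro code): TDA-style behavioral detections over
constructed network event records. Reference data, thresholds and the sample
events are assumptions made for this example."""
import os
import re
from collections import Counter
from urllib.parse import urlparse

# Assumed reference data, standing in for the appliance's pattern/reputation feeds.
KNOWN_CNC_DOMAINS = {"irc.example-cnc.test"}           # assumed C&C watch list
STANDARD_IRC_PORTS = {6665, 6666, 6667, 6668, 6669, 7000}
BOT_COMMAND = re.compile(r"^PRIVMSG \S+ :?[.!](download|update|ddos|scan)\b")  # assumed vocabulary
BAD_USER_AGENTS = {"", "Mozilla/4.0 (compatible)"}     # assumed downloader User-Agents
EXECUTABLE_EXTS = {".exe", ".dll", ".scr", ".com"}
LOGON_FAIL_THRESHOLD = 20                             # assumed, per (source, target) pair


def _ev(src, dst, dport, proto, **fields):
    """Build one event record; fields beyond the 5-tuple depend on the protocol."""
    return dict(src=src, dst=dst, dport=dport, proto=proto, **fields)


# Constructed sample events (not captured traffic).
SAMPLE_EVENTS = (
    [
        _ev("10.0.0.5", "192.0.2.10", 53, "dns", qname="irc.example-cnc.test"),
        _ev("10.0.0.5", "192.0.2.20", 8080, "irc", payload="NICK b0t-0005"),
        _ev("10.0.0.5", "192.0.2.20", 8080, "irc",
            payload="PRIVMSG #c :.download http://198.51.100.7/u.exe"),
        _ev("10.0.0.5", "198.51.100.7", 80, "http", method="GET",
            url="http://198.51.100.7/u.exe", user_agent="", body_head=b"MZ\x90\x00"),
        _ev("10.0.0.9", "203.0.113.4", 80, "http", method="GET",
            url="http://203.0.113.4/holiday.jpg", user_agent="Mozilla/5.0",
            body_head=b"MZ\x90\x00"),
        _ev("10.0.0.9", "203.0.113.4", 80, "http", method="GET",
            url="http://203.0.113.4/index.html", user_agent="Mozilla/5.0",
            body_head=b"<htm"),
        _ev("10.0.0.11", "192.0.2.30", 6667, "irc", payload="PRIVMSG #chat :hello"),
    ]
    + [_ev("10.0.0.7", "10.0.0.1", 445, "smb", result="logon_fail", user="administrator")] * 25
    + [_ev("10.0.0.8", "10.0.0.1", 445, "smb", result="logon_fail", user="guest")] * 3
)


def detect(events):
    """Apply the rules to a list of event records.

    Returns a de-duplicated list of (source_ip, rule_name, detail) findings."""
    findings = []
    fail_counts = Counter()                       # (src, dst) -> failed SMB logons
    for e in events:
        src, dst, port, proto = e["src"], e["dst"], e["dport"], e["proto"]
        if proto == "dns" and e.get("qname") in KNOWN_CNC_DOMAINS:
            findings.append((src, "dns_known_cnc", e["qname"]))
        elif proto == "irc":
            if port not in STANDARD_IRC_PORTS:
                findings.append((src, "irc_nonstandard_port", f"{dst}:{port}"))
            if BOT_COMMAND.match(e.get("payload", "")):
                findings.append((src, "irc_bot_command", e["payload"]))
        elif proto == "smb" and e.get("result") == "logon_fail":
            fail_counts[(src, dst)] += 1          # judged in aggregate below
        elif proto == "http" and e.get("method") == "GET":
            ua = e.get("user_agent", "")
            if ua in BAD_USER_AGENTS:
                findings.append((src, "bad_user_agent", repr(ua)))
            ext = os.path.splitext(urlparse(e["url"]).path)[1].lower()
            is_pe = e.get("body_head", b"").startswith(b"MZ")   # DOS/PE magic
            if ext in EXECUTABLE_EXTS:
                findings.append((src, "executable_download", e["url"]))
            elif is_pe:                           # PE content behind a harmless-looking name
                findings.append((src, "disguised_executable", e["url"]))
    for (s, d), n in fail_counts.items():
        if n >= LOGON_FAIL_THRESHOLD:
            findings.append((s, "smb_brute_force", f"{n} failed logons against {d}"))
    seen, unique = set(), []
    for f in findings:                            # keep first occurrence, drop repeats
        if f not in seen:
            seen.add(f)
            unique.append(f)
    return unique


def source_concentration(findings, n=5):
    """Per-source finding counts for the top n sources and their share of all findings."""
    per_src = Counter(f[0] for f in findings)
    top = per_src.most_common(n)
    total = sum(per_src.values())
    share = sum(c for _, c in top) / total if total else 0.0
    return top, share


if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS)
    for src, rule, detail in found:
        print(f"{src:<10} {rule:<22} {detail}")
    top, share = source_concentration(found, n=5)
    print(f"top sources {top} account for {share:.0%} of findings")
```

Two design points carry over from the slides: the SMB rule is judged in aggregate (a single failed logon is normal, 25 against one host from one workstation is not), and the HTTP rules look at content (the MZ magic) rather than trusting the file name, which is what catches a downloader that fetches a PE file named like an image.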

Slide 21: TDS Deliverables - Report (section divider)

Slide 22: Daily administrative report
- Interactive drill-down reporting for navigating through the information on every single incident.
- Granular view with comprehensible threat intelligence and the incident's root cause.
- Actionable remediation recommendations tailored to your environment.

Slide 23: Executive report
- Business risk meters: risks associated with the detected threats.
- Affected assets: groups and endpoints affected by threats.
- Threat statistics: malware types found in the network.
- Infection sources: where the malware is coming from.
- Trends: trending and comparison data.
- Disruptive applications: disruptive applications in the network.

Slide 24: TDS Value (section divider)

Slide 25: Value 1 - Visibility
Customer's pain: how to rapidly understand the overall security situation?
TDS: TDA acts like a magnifier to find known and suspicious threats.

Slide 26: XXX company report (sample report screenshot)

Slide 27: Value 2 - Identify the threat type and the infected client
Customer's pain: how to rapidly locate the high-risk client and the threat type?
TDS: TDA filters network traffic for 80+ protocols and combines the behavior analysis engine and VSAPI with SPN 2.0 to identify the threat type and the infected client.

Slide 28: XXX company report (sample report screenshot)

Slide 29: Value 3 - Identify disruptive application usage
Customer's pain: how to rapidly know whether disruptive applications are in use?
TDS: TDA identifies P2P, MSN and streaming media usage.

Slide 30: XXX company report (sample report screenshot)

Slide 31: Value 4 - Remediation suggestions
Customer's pain: how to resolve the threat and improve protection?
TDS: the TDS report provides suggestions and protection methods, and Trend Micro provides professional services.

Slide 32: XXX company report (sample report screenshot)

Slide 33: XXX company feedback after TDS
1. Visible (看得见): can see every threat; all threats and hidden risks at a glance.
2. Precise (抓得准): finds the infected client precisely; accurately locates the infection source.
3. Detailed (分得细): detailed information and a workable solution; detailed data analysis, with security policy formulated to the specific need.
4. Highly efficient (效率高): the professional service team responds fast; efficient threat handling.

Slide 34: CN Status (section divider)

Slide 35: Global TDS assessment status by industry (83 assessments)
Columns in the source table: Industry | Total infected endpoints | IRC bots | Network worms | Generic malware | Info-stealer malware | Malware downloads | Malicious URL access. Each industry has a Total row, an Average (per assessment) row and an Infection rate row (share of assessments in which the category was found). The Total and Average cell values are run together in this extraction (for example Education's Total row reads "3488956112224081312044 353616 3") and cannot be separated reliably, so only the assessment counts and infection rates are reproduced:

Industry (assessments) | Infection rate: IRC bots / network worms / generic malware / info stealer / downloads / malicious URL access
Education (12) | 75% / 50% / 83% / 75% / 92% / 100%
Financial (7) | 86% / 14% / 57% / 14% / 57% / 86%
Healthcare (5) | only two values legible: 80%, 100%
Manufacturing (27) | 74% / 52% / 85% / 48% / 70% / 93%
Professional services (2) | only three values legible: 50%, 0%, 100%
Public sector (23) | 83% / 39% / 91% / 65% / 83% / 91%
Retail (6) | only five values legible: 50%, 0%, 83%, 50%, 83%
Telecom (1) | only three values legible: 100%, 0%, 100%

Slide 36: 2009 Q2 status update - selling status by region
Columns: Region | Paying customers | Units | Completed | Ongoing | Quit | Total. Regions: CN-EC, CN-NC, CN-SC, CN-FSI, plus a total row. The numeric cells are run together in this extraction (CN-EC "332237469", CN-NC "441910235", CN-SC "844153", CN-FSI "382 15", total "101550917162") and are left unsplit. Note: "ongoing" means still in POC or agreed to a POC.

Slide 37: 2009 H1 status update by industry (chart)

Slide 38: CN HT Security case sharing - order for 3 TDA appliances plus PSP upsell
Business background
- Customer profile: SH HT Security is one of the top 10 securities companies in China, with 55 branches and 126 transaction counters nationwide. HT's IT environment includes the securities transaction network, the OA network and the data center. HT suffered an internal outbreak caused by malware.
- Customer consideration: HT was concerned about application downtime and network performance drops that would affect customer transactions.
Solution
- Trend Micro TDA and Trend Micro PSP.
- Outstanding points: deploying multiple TDAs discovers malware threats with more holistic coverage; TDA's out-of-band implementation does not affect daily business operations; PSP and SLO provide a malware remediation solution immediately.
Benefits delivered
- TDA discovered the root cause of HT's internal outbreak, the worm.downad worm, and Trend Micro threat experts helped HT mitigate it effectively.
- HT had evaluated TDA in Q4 2008 and budgeted for it in 2H 2009; because of the business continuity concern, HT decided to move the TDA purchase ahead to Q2.

Slide 39: CN Min-Sheng Life Insurance case sharing - upsell of IWSA5000 using TDS
Business background
- Customer profile: a Symantec installed account. Established in 2002 and headquartered in Beijing, Min-Sheng Life Insurance is one of six nationwide insurance companies.
- Customer consideration: Min-Sheng suffered many threats over HTTP and FTP, including Trojans, spyware, phishing and malicious code.
Solution
- TDA was used as an assessment tool to identify web threats in the customer's environment; the TDA POC report showed that more than 80% of threats came from the web.
- The customer was impressed by the data and agreed to evaluate IWSA5000 (InterScan Web Security Appliance); IWSA performed well in web protection.
- Outstanding points: IWSA5000 reduced internal malware infection from the web by 86.7%; both TDA and IWSA identified mail as the second infection channel; IMSA will be the second-phase evaluation.
Benefits delivered
- During the TDA POC, TDA discovered a total of 8,382 security events in 5 working days.
- The 86.7% malware reduction rate was demonstrated by TDA measurements taken before and after IWSA deployment.
- The total IWSA5000 sales cycle, from TDA POC to PO placement, was only 1 month.

Slide 40: Case sharing 1 - Government
Pain point: a WORM_DOWNAD virus outbreak. The worm entered the internal network on a USB drive; attacked hosts with the MS04-011 LSASS exploit (MS04-011_LSASS_EXPLOIT), password dictionary attacks and the file-sharing (SMB) protocol; after compromising internal servers it started an HTTP server on them and sent out large volumes of packets.
Security objectives (安全期许):
- Solve the current problem fast.
- Complete the incident report.
- "Don't tell me after the virus outbreak": early recommendations are needed.
- Keep the network stable.

Slide 41: TDA actively finds the threat (report screenshot)

Slide 42: TDA actively finds the threat - event summary
Event description | Count
- Source clients of the spreading virus detected. The top 5 clients (150.20.152.198, 150.20.129.121, 150.20.176.240, 150.20.177.82, 150.20.130.189) account for 91% of the suspicious traffic and propagate to other clients over SMB, using the MS04-011_LSASS_EXPLOIT network worm attack and "Possible NOP sled" attacks. | 1910
- Client downloading EXE files internally over HTTP (150.20.8.6). | 306
- Known worm WORM_Downap infection (written so in the source; the case concerns WORM_DOWNAD): 150.20.132.166, 150.20.132.148, 150.20.195.118, 150.20.75.8 and 150.20.130.189 are infected and spread the worm to 150.20.14.25, 150.20.9.248 and 150.20.8.96 over SMB; virus file scardsvr32.exe. | 8
- Clients with adware / spyware installed. | 4
- Total | 2228
Takeaways:
1. Visible: 5 major computers cause 91% of the threat traffic.
2. Precise: the 5 infection sources and the threat type are identified.
3. Solution: WORM_DOWNAD solution proposal.

Slide 43: Hospital background (internal use only)
1. Description: two network segments, the OA network and the medical network.
2. Hospital IT pain points:
- IT is a low-power role: it cannot manage all PCs, but it must handle all threat events.
- Every department can buy medical equipment with embedded PCs; these PCs mostly cannot have an AV solution installed.
- Doctors are a powerful role in the hospital and like to bring their own computers into the OA/medical network; IT cannot manage this.
- In some hospitals, the OA and medical networks belong to different IT departments.

Slide 44: TDA value for hospital IT (internal use only)
- TDA provides information, including the threat type and the infected client. Because not all PCs are managed by IT, IT needs TDA to see all threat events in order to handle threat incidents.
- TDS provides the solution: TDA supplies the remediation and the infected client information, so IT can handle the incident easily.
- TDA as a mechanism: in the hospital environment IT is a weak role but carries responsibility for every threat. TDA lets IT handle every threat incident quickly and effectively and meet its fast-response objective.

Slide 45: Hospital request
Business objectives:
- Ensure the hospital's business systems operate normally.
- Avoid virus outbreaks and keep the network stable.
Request:
- Detect virus outbreaks.
- Precisely find the infected client and resolve the threat.
Solution (TDA) and result:
- TDA detects known and suspicious threats.
- TDA precisely finds the infected client.
- TDA reports provide remediation and protection advice.

Slide 46: Test customer - Taiwan X-Dong Hospital
- Scope: 10th floor, doctors' floor (10.80.235.0/24), VLAN101-103 and VLAN107; 10.80.235.x is the doctors' lounge segment.
- Period: 2008/8/22 to 2008/10/21.
- 1,000 user seats; AV: Symantec clients.
- 42,782 events detected in total.
Hosts targeted by failed logon attempts (8/23 to 10/21): 10.80.0.103, 10.80.0.162, 10.80.0.50, 10.80.0.51.
Workstations attempting logons by password guessing (doctors' computers):
- 10.80.235.81 failed to log on to 10.80.0.103 44,118 times; this computer also received many virus emails from an external mailbox (ms14.hinet.net).
- 10.80.235.193 failed to log on to 10.80.0.162 1,332 times.
- 10.80.235.16 failed to log on to 10.80.0.162 1,080 times.
Known viruses:
- Mal_Otorun5: 10.80.235.114, 10.80.235.233, 10.80.130.165.
- WORM_SQLP1434.A, attacked hosts: 10.80.0.107, 10.80.0.21, 10.80.0.27, 10.80.0.82, 10.80.1.32, 10.80.194.207, 10.80.2.21, 10.80.33.10.
- KAVO family: 10.80.130.144, 10.80.138.133, 10.80.194.140, 10.80.142.82, 10.80.142.211, 10.80.142.212, 10.80.200.139, 10.80.204.138, 10.80.225.154, 172.16.10.89, 10.80.235.41, 10.80.235.55, 10.80.235.56, 10.80.235.82.

Slide 47: Test customer - Taiwan X-Guang Hospital
- Scope: the whole hospital network; period 2008/9/26 to 2009/5/7.
- 1,000 user seats; AV: Trend Micro OfficeScan 8.0, NVWE2500, IWSA.
- 2,932 events detected in total.
- Situation: hard to identify the infection source.

Slide 48: Test customer - Taiwan X-Guang Hospital, TDS event analysis
Category | TDA detected | TDA detected - known virus
Malware infection | 1885 |
Download of known malware | | 379
Information-stealing malware | 332 |
Unregistered DNS server | 287 |
IRC bot | 59 |
Total | 2563 | 379

Slide 49: Test customer - Taiwan X-Min General Hospital
- Scope: the whole hospital network; period 2009/2/19 to 2009/5/7.
- 4,000 user seats; AV: Trend Micro OfficeScan 7.3 / 8.0, NVWE2500.
- 1,382 events detected in total.
- Situation: virus outbreak; the medical system slowed down.

Slide 50: Test customer - Taiwan X-Min General Hospital, TMS event analysis
Category | TDA detected | TDA detected - known virus
Information-stealing malware | 404 |
Download of known malware | | 387
Malware infection | 372 |
Virus emails received | | 63
IRC bot (DNS query) | 62 |
IRC bot | 56 |
Suspected virus emails received | 38 |
Total | 932 | 450

Slide 51: Test customer - Jiangyin X-Min Hospital (internal use only)
- Period: 2008/10/24 to 2008/11/20; product tested: TDA.
- AV products: Trend Micro OfficeScan (防毒墙网络版) and ServerProtect (防毒墙服务器版); 600 user seats.
- 10,605 events detected in total, of which IRC bot events account for 65%.
Suspicious threat behavior | Count
- Monitored client has malware that is communicating with an external party | 8442
- Monitored client is propagating malware | 1527
- Monitored client is using tunneling software to bypass internet usage restrictions | 232
- Hacking attempt | 182
- Monitored client is attempting to access a service using a default account | 179
- Monitored client is hosting an unauthorized service that presents a security risk | 37
- Monitored client is sending out suspicious email | 5
- Monitored client is connecting to an unauthorized service that presents a security risk | 1
- Total | 10605

Slide 52: Test customer - Jiangyin X-Min Hospital, continued (internal use only)
- 65% of the IRC bot events were generated by 192.192.180.86, which connected to the server Proxima.ircgalaxy.pl and downloaded Virut-family viruses.
- Known viruses are spreading inside the organization, mainly PE_LOOKED.AC-O, PE_LOOKED.AC and PE_FUJACKS.BE-O.
Top 5 infection source IPs (count) | Top 5 infected IPs (count)
192.192.182.32 (270) | 192.192.182.209 (330)
192.192.182.193 (221) | 192.192.182.238 (242)
192.192.182.36 (192) | 192.192.182.137 (215)
192.192.182.164 (178) | 192.192.182.182 (183)
192.192.182.204 (134) | 192.192.182.69 (116)

Slide 53: Backup slides (section divider)

Slide 54: Target environment
- Remote offices (manufacturing, finance, government): detect new and known malware coming from remote/branch offices into the corporate network.
- Mobile devices (insurance, high-tech, law firms): detect new and known malware introduced into the corporate network by mobile devices.
- Unprotected devices (manufacturing/production): detect malware coming from devices that cannot run AV (production servers, IP phones) or from segments without endpoint AV.

Slide 55: Cost of information leakage and data loss - business value proposition
[Chart: cost of data loss if left undetected over time; with early threat discovery the damage and loss are stopped or contained sooner (time to protection vs. cost and effort).]
Early identification of malware activity and data loss:
1. Significantly reduces the capital and operating expenses of damage containment.
2. Improves company-wide security posture.
The cost of a sensitive data breach is expected to increase 20% per year over the next two years.
TJX (T.J. Maxx) case study: data loss went undetected for 18 months; 45.7 million card accounts stolen; estimated liabilities greater than 4.5 billion USD.