Date posted: 28-Dec-2015
Copyright 2008 - Trend Micro Inc.
Agenda
Threat & Business Risks
TDA Benefits
Threat Discovery Technology
CN sharing
Q&A
Enterprise Content Security Landscape: Key IT Concerns
Threat Landscape Changed:
• Profit driven
• Sophisticated
• Multiplying
Business Operation Changed:
• More branches
• More mobile workforce
Technology revolution:
• More infection channels, such as USB, 3G, Wi-Fi and "Wi-fly" connections
Why is there a gap?
(Figure: threat categories spam, spyware, botnets, worms and web, each profit driven, sophisticated and multiplying)
(Chart: "Enterprise Mobile Device Market Penetration Over Time", % penetration from 2000 to 2010, mobile population vs. anchored desktop; source: The 451 Group and Infolock. Channels shown: pen drives, portable hard drives, 3G)
(Figure: network traffic generated after infection with Downad / Conficker)
Conclusion: a more proactive, early-detection mechanism with a non-intrusive deployment design is required to discover these emerging (new) threats.
Monitoring Access: Internal Network
• Does an employee visit harmful websites?
• Does an employee receive malicious mail?
• Does an employee bring an infected USB drive into the company?
• Does an employee use P2P to download malware?
• Where is the high-risk client? How do we solve it? Overall, how do we improve our security protection?
• Why can't you tell me earlier? What is the risk and the risk level?
Controllable Risk Management
Goal of New Agent of Anti-Malware
Key issues that need to be addressed:
• Near real-time threat analysis system.
• Deep analysis of threat incidents.
• Professional recommendations.
Ultimate goal:
• Am I secure?
• What is the risk of those threat incidents?
• How do we solve those threat incidents?
Requirements of a New Age of Anti-Malware
Filtering and analysis; locating the infection source and analysing malicious programs
• Out-of-band deployment.
• Supports decoding of 84 protocols with analysis across layers 2-7.
• Built-in intelligence on malware behaviour and an advanced threat analysis engine.
• Integrates with the Secure Cloud platform.
• Identifies known / unknown threats through advanced correlation analysis.
• Precisely locates infected endpoints.
• Daily incident handling report / weekly management report.
• Root-cause analysis.
• Malware incident handling SOP.
• Professional support powered by Trend Micro Threat Response Center.
(Diagram stages: incident analysis & correlation; locate infected end-point & infection source; threat analysis; reporting and recommendations)
Threat Discovery Suites - Value Proposition
• Trend Micro Threat Management Solution is the industry's most comprehensive malware detection and mitigation system at the network layer.
• TDA looks at network traffic and detects: new and known malware (including information-stealing malware), web threats, botnets, infected endpoints and disruptive applications.
The TDS ROI: Intelligent Threat Protection
TDS lowers overall threat exposure.
Threat Discovery Suites Key Components
Threat Discovery Suite - key features:
• New and known malware detection
• Disruptive application detection
• Multiprotocol malware detection
• Powered by SPN
• Out-of-band deployment
Finds threats in your network (backed by the SPN service).
Threat Response Center and Secure Cloud integration
(Diagram: the Threat Discovery Appliance receives traffic from a switch port mirror and correlates it with Secure Cloud services: ActiveUpdate, DNS-IP reputation, phishing filter, app reputation and HTTP-URL reputation. Outputs: threat analysis report, service and support, professional recommendations. Labelled "new generation of anti-malware solution".)
• TDA analyses 80+ protocols (HTTP, SMTP, IRC, P2P and 80+ other protocols) to detect zero-day attacks, information-stealing malware and botnets.
Decoded protocols include:
• DNS
• DCE-RPC
• Telnet
• RDP
• SSH
• HTTP
• AIM
• IRC
• FTP
• TFTP
• SMB
• SMTP
• Gmail
• BitTorrent
• MSN
• ICQ
• Google Talk
• Slingbox
• iTunes
• Windows Media
• eMule
• eDonkey
Downloader incident cases that can be detected by TDA
• Request for download / access: access to a malicious URL; use of a bad user-agent to connect to a malicious website.
• Download: download of a known virus; suspicious files transferred; executable files with suspicious extensions.
Example: downloader type of unknown malware (figure: Downloader A, Downloader B, Downloader C, Malicious Code D). In the figure on the right, Downloader A / B / C can each be detected by the two types of behaviour, "download request" and "download".
Bot-net example cases that can be detected by TDA (※3)
• DNS query: DNS query for a known IRC command-and-control server.
• Bot C&C server communication: communication established with a known bot C&C server; IRC protocol on a non-standard port; IRC bot command detected.
• Others (※3): spam email; attempts to log on to systems (logon failures) / brute-force attack; access to a malicious URL.
Example: unknown type of bot-net (figure: BOT A talking to a DNS server, a C&C server, a proxy server on port 8080, a server and a malicious web site).
※3 Bot activities are extremely varied; here we only introduce examples of typical activities and detections.
Worm incident cases that can be detected by TDA
• Files attached in email: suspiciously packed file; suspicious files transferred; email subject matches those used by known malware.
• File sharing: brute-force attack via the SMB protocol; suspiciously packed file; suspicious files transferred; executable files with suspicious extensions.
• Others: packed file transferred over an IM application; infection through application / system vulnerabilities.
Example: unknown worm type of threat (figure: Worm A and a server).
※4 Worm activity is very diverse; here we have just introduced examples of typical activities and detections.
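The downloader, bot-net and worm cases above are really a set of detection rules: a DNS query for a known C&C host, IRC on a non-standard port, repeated SMB logon failures, and executable downloads. As an added illustration that is not Trend Micro's code, the Python toy below runs those rules over constructed event records and then ranks the noisiest sources, the way the later case studies rank the top infection sources; the field names, the failure threshold and the C&C host name are assumptions.

```python
"""Toy detector for the TDA-style incident cases described above (added example)."""
from collections import Counter

# Assumed watch-list of known IRC C&C hostnames (constructed placeholder value).
KNOWN_CC_HOSTS = {"cc-placeholder.invalid"}
IRC_STANDARD_PORTS = {6667, 6697}        # assumption: anything else is "non-standard"
EXEC_EXTENSIONS = (".exe", ".scr", ".pif")
SMB_FAIL_THRESHOLD = 20                  # logon failures per src/dst pair before alerting


def detect(events, fail_threshold=SMB_FAIL_THRESHOLD):
    """Apply the rules to a list of event dicts; return (source host, rule) alerts."""
    alerts = []
    logon_fail = Counter()               # brute force is aggregated, not alerted per event
    for ev in events:
        src, proto = ev["src"], ev["proto"]
        if proto == "DNS" and ev["qname"].lower() in KNOWN_CC_HOSTS:
            alerts.append((src, "dns-query-known-cc"))
        elif proto == "IRC" and ev["dport"] not in IRC_STANDARD_PORTS:
            alerts.append((src, "irc-on-nonstandard-port"))
        elif proto == "SMB" and ev.get("result") == "logon_fail":
            logon_fail[(src, ev["dst"])] += 1
        elif proto == "HTTP" and ev.get("file", "").lower().endswith(EXEC_EXTENSIONS):
            alerts.append((src, "executable-download"))
    for (src, dst), n in logon_fail.items():
        if n >= fail_threshold:
            alerts.append((src, f"smb-brute-force->{dst}:{n}"))
    return alerts


def top_sources(alerts, n=5):
    """Rank source hosts by alert count with each host's share (%) of all alerts."""
    counts = Counter(src for src, _ in alerts)
    total = sum(counts.values()) or 1
    return [(src, c, round(100 * c / total)) for src, c in counts.most_common(n)]


# Constructed sample events using documentation address ranges, not a real capture.
SAMPLE_EVENTS = (
    [{"src": "10.0.0.5", "proto": "DNS", "qname": "cc-placeholder.invalid"},
     {"src": "10.0.0.5", "proto": "IRC", "dst": "198.51.100.9", "dport": 8080},
     {"src": "10.0.0.5", "proto": "IRC", "dst": "198.51.100.9", "dport": 6667},
     {"src": "10.0.0.9", "proto": "HTTP", "dst": "198.51.100.20", "file": "update.exe"},
     {"src": "10.0.0.9", "proto": "HTTP", "dst": "198.51.100.20", "file": "index.html"}]
    + [{"src": "10.0.0.7", "proto": "SMB", "dst": "10.0.0.1", "result": "logon_fail"}] * 25
    + [{"src": "10.0.0.8", "proto": "SMB", "dst": "10.0.0.1", "result": "logon_fail"}] * 3
)

if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS)
    for alert in found:
        print(alert)
    print(top_sources(found))
```

The 10.0.0.8 host stays below the threshold and produces no alert, which is the distinction between a handful of mistyped passwords and the tens of thousands of failures seen in the hospital case later on.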
Daily Administrative Report
Interactive drill-down reporting for navigating through the information on every single incident
Granular view with comprehensible threat intelligence and incident root cause
Actionable remediation recommendations tailored to your environment
Business Risk Meters: risks associated with detected threats.
Dashboard views: Affected Assets, Threat Statistics, Infection Sources, Trends, Disruptive Applications.
Executive Report:
• Groups & endpoints affected by threats
• Malware types found in the network
• Where is malware coming from?
• Trending and comparison data
• Disruptive applications in the network
Value 1 - Visibility
Customer's pain:
• How to rapidly understand the overall security situation?
TDS: TDA acts like a "magnifier" to find known / suspicious threats.
Value 2 - Identify the threat type and the infected client
Customer's pain:
• How to rapidly locate the high-risk client and the threat type?
TDS: TDA can filter network traffic across 80+ protocols and combine the behaviour analysis engine / VSAPI with SPN 2.0 to identify the threat type and the infected client.
Value 3 - Identify disruptive application usage
Customer's pain:
• How to rapidly know whether there is disruptive application usage?
TDS: TDA identifies P2P / MSN / streaming media usage.
Value 4 - Remedial suggestions
Customer's pain:
• How to solve the threat and improve the protection?
TDS:
• The TDS report provides suggestions and protection methods
• TM provides professional service
XXX company feedback after TDS
1. Visible: can see all threats (all threats and hidden risks at a glance)
2. Precise: finds the infected client precisely (precise positioning, reliably locates the infection source)
3. Detailed information: detailed information and a workable solution (detailed data analysis; security policy formulated according to specific needs)
4. High efficiency: the professional service team provides a fast response (professional service team, efficient threat handling)
Global 83 TDS assessment status - by industry
Industry | Total infected endpoints | IRC bots | Network worms | Generic malware | Infostealer | Malware downloads | Malicious URL access
Education (12 assessments) | 3488 | 956 | 112 | 2240 | 813 | 12044 | 3536163
  Average | 291 | 80 | 9 | 187 | 68 | 1004 | 294680
  Infection rate | - | 75% | 50% | 83% | 75% | 92% | 100%
Financial (7 assessments) | 178 | 27 | 5 | 141 | 12 | 395 | 190362
  Average | 25 | 4 | 1 | 20 | 2 | 56 | 27195
  Infection rate | - | 86% | 14% | 57% | 14% | 57% | 86%
Healthcare (5 assessments) | 509 | 54 | 115 | 355 | 173 | 593 | 143918
  Average | 102 | 11 | 23 | 71 | 35 | 119 | 28784
  Infection rate | - | 80% | 100% | 100% | 100% | 100% | 100%
Manufacturing (27 assessments) | 1581 | 281 | 116 | 1092 | 258 | 39149 | 2615080
  Average | 59 | 10 | 4 | 40 | 10 | 1450 | 96855
  Infection rate | - | 74% | 52% | 85% | 48% | 70% | 93%
Professional services (2 assessments) | 17 | 4 | 10 | 3 | 0 | 182 | 20381
  Average | 9 | 2 | 5 | 2 | 0 | 91 | 10191
  Infection rate | - | 50% | 50% | 50% | 0% | 100% | 100%
Public sector (23 assessments) | 1997 | 330 | 866 | 591 | 333 | 4104 | 494116
  Average | 87 | 14 | 38 | 26 | 14 | 178 | 21483
  Infection rate | - | 83% | 39% | 91% | 65% | 83% | 91%
Retail (6 assessments) | 52 | 5 | 0 | 25 | 35 | 76 | 200421
  Average | 9 | 1 | 0 | 4 | 6 | 13 | 33404
  Infection rate | - | 50% | 0% | 83% | 50% | 83% | 83%
Telecom (1 assessment) | 9 | 5 | 4 | 0 | 0 | 3 | 101
  Average | 9 | 5 | 4 | 0 | 0 | 3 | 101
  Infection rate | - | 100% | 100% | 0% | 0% | 100% | 100%
• 2009 Q2 status update: selling status
Columns: Region, Pay customers, Units, Completed, On-going, Quit, Total (values as given on the slide; some rows have blank cells)
CN-EC: 3 3 22 37 4 69
CN-NC: 4 4 19 10 2 35
CN-SC: 8 44 1 53
CN-FSI: 3 8 2 1 5
Total: 10 15 50 91 7 162
• * On-going: still in POC, plus agreed to POC
CN HT Security case sharing - order for 3 TDA machines and PSP up-selling
• Business Objectives
• Business Background
• Customer profile:
- SH HT Security is one of the top 10 securities companies in China, with 55 branches and 126 transaction counters nationwide.
- HT's IT environment includes the securities transaction network, the OA network and the data center.
- HT suffers internal outbreaks caused by malware threats.
• Customer consideration:
- HT is concerned about system / application downtime and the network performance drop that would impact its customer transactions.
• Solution
• Trend Micro™ TDA
• Trend Micro™ PSP
• Outstanding points:
- Multiple TDA deployments discover malware threats and achieve more holistic coverage
- The TDA out-of-band implementation does not impact the customer's daily business operation
- PSP and SLO provide a malware remediation solution immediately
• Benefits Delivered
• Highlights:
- TDA discovered the root cause of HT's internal outbreak, caused by worm.downad, and TM threat experts helped HT mitigate worm.downad effectively
- HT had already evaluated the TDA solution in Q4 2008 and had budgeted TDA for 2H 2009.
- Because of the business continuity concern, HT decided to move the TM TDA purchase forward to Q2
CN Min-Sheng Life Insurance case sharing - up-selling IWSA5000 by using TDS
• Business Objectives
• Business Background
• Customer profile:
- Symantec installation account. Established in 2002, with HQ in BJ, Min-Sheng Life Insurance is one of six nationwide insurance companies.
• Customer consideration:
- Min-Sheng suffered many threats over HTTP and FTP, such as Trojans, spyware, phishing and malicious code.
• Solution
• TDA as an assessment tool to identify web threats in the customer environment
• The TDA POC report shows that >80% of threats come from the web
• The customer was impressed by the data and willing to implement IWSA5000 for evaluation
• IWSA performed well in web protection capability
• Outstanding points:
- IWSA5000 can reduce internal malware infections from the web by 86.7%
- Both TDA and IWSA identify mail as the second infection channel
- IMSA will be the second-phase evaluation
• Benefits Delivered
• Highlights:
- During the TDA POC period, TDA discovered a total of 8,382 security events in 5 working days.
- The 86.7% malware reduction rate was proved by TDA before and after IWSA deployment
- The total IWSA5000 selling cycle from TDA POC to PO placement was only 1 month
Case Sharing 1: Government
• Pain point: Worm_Downad virus outbreak
- USB drives entering the internal network
- Attacks targeting MS04-011_LSASS_EXPLOIT
- Password dictionary
- File-sharing protocol
- After intruding into an internal server, the worm starts an HTTP server
- Large volumes of packets sent
• Security objectives:
- Solve the current problems quickly
- Finish the incident report
- Don't tell me after the virus outbreak; early recommendations are needed
- Keep the network stable
TDA actively finds the threats
Event | Description | Count
Source clients spreading the virus detected | The top 5 clients 150.20.152.198 / 150.20.129.121 / 150.20.176.240 / 150.20.177.82 / 150.20.130.189 account for 91% of the suspicious traffic, spreading to other clients via SMB. The method is the network worm MS04-011_LSASS_EXPLOIT, plus a possible NOP sled attack. | 1910
Client downloading EXE files internally over HTTP | 150.20.8.6 | 306
Known worm WORM_Downap infection | 150.20.132.166 / 150.20.132.148 / 150.20.195.118 / 150.20.75.8 / 150.20.130.189 are infected and spread Worm_Downap to 150.20.14.25 / 150.20.9.248 / 150.20.8.96 via SMB; virus file scardsvr32.exe | 8
Client has adware / spyware installed | | 4
Total | | 2228
1. Visible: 5 major computers cause 91% of the threat traffic
2. Precise: identify the 5 infection sources and the threat type
3. Solution: Worm_Down.AD solution proposal
Hospital Background
1. Description:
① Divided into 2 network segments: the OA network and the medical network
2. Hospital IT pain points:
① IT has little authority. It cannot manage all PCs, but still has to handle all threat events
② Every department can buy medical machines that come with a PC. These PCs mostly cannot have an AV solution installed
③ Doctors are a powerful role in the hospital. Doctors like to bring their own computers into the OA / medical network, and IT cannot manage this
④ In some hospitals the OA and medical networks belong to different IT departments
TDA value for hospital IT
• TDA provides information, including the threat type and the infected client: because not all PCs are managed by IT, IT needs TDA to see all threat events in order to handle threat incidents.
• TDS provides the solution: TDA supplies the solution and the infected-client information, so IT can handle the incident easily.
• TDA as a mechanism: in the hospital environment IT is a weak role but has to take responsibility for all threats. TDA lets IT handle all threat incidents quickly and effectively and achieve the fast-response objective.
Hospital Request
• Business Objectives
• Request
① Ensure the hospital business systems can operate normally
② Avoid virus outbreaks and keep the network stable
③ Detect virus outbreaks
④ Precisely find the infected client and solve the threat
• Solution: TDA
• TDA can detect known / suspicious threats
• TDA can precisely find the infected client
• TDA reports can provide solutions and protection advice
• Result
Test customer – Taiwan X East Hospital
• 10th floor, doctors' floor (10.80.235.0/24), VLAN 101-103, VLAN 107
- Period: 2008/8/22 to 2008/10/21
- 10.80.235.X is the doctors' lounge segment
• Total 1000 user seats
• AV: Symantec clients
• 42,782 events detected in total.
• 8/23-10/21: hosts that received failed logon attempts:
- 10.80.0.103, 10.80.0.162, 10.80.0.50, 10.80.0.51
• Workstations attempting the logons:
- 10.80.235.81 failed to log on to 10.80.0.103 44,118 times. This computer received many virus emails from an external mailbox (ms14.hinet.net)
- 10.80.235.193 failed to log on to 10.80.0.162 1,332 times
- 10.80.235.16 failed to log on to 10.80.0.162 1,080 times
• Mal_Otorun5: 10.80.235.114, 10.80.235.233, 10.80.130.165
• WORM_SQLP1434.A, attacked hosts: 10.80.0.107, 10.80.0.21, 10.80.0.27, 10.80.0.82, 10.80.1.32, 10.80.194.207, 10.80.2.21, 10.80.33.10
• KAVO family: 10.80.130.144, 10.80.138.133, 10.80.194.140, 10.80.142.82, 10.80.142.211, 10.80.142.212, 10.80.200.139, 10.80.204.138, 10.80.225.154, 172.16.10.89, 10.80.235.41, 10.80.235.55, 10.80.235.56, 10.80.235.82
(Categories on the slide: logon attempts by password guessing; known viruses; doctors' computers)
Test customer – Taiwan X Guang Hospital
• Entire hospital network
- Period: 2008/9/26-2009/5/7
• Total 1,000 user seats
• AV: Trend Micro OfficeScan 8.0, NVWE2500, IWSA
• 2,932 events detected in total.
• Situation: hard to identify the infection source
TDS analysed events | TDA detected | TDA detected - known virus
Malware infection | 1885 |
Download of known malware | | 379
Information-stealing malware | 332 |
Unregistered DNS server | 287 |
IRC bot | 59 |
Total | 2563 | 379
Test customer – Taiwan X Min General Hospital
• Entire hospital network
- Period: 2009/2/19-2009/5/7
• Total 4,000 user seats
• AV: Trend Micro OfficeScan 7.3 / 8.0, NVWE2500
• 1,382 events detected in total.
• Situation: virus outbreak, medical systems slowed down
TMS analysed events | TDA detected | TDA detected - known virus
Information-stealing malware | 404 |
Download of known malware | | 387
Malware infection | 372 |
Virus mail received | | 63
IRC bot (DNS query) | 62 |
IRC bot | 56 |
Suspected virus mail received | 38 |
Total | 932 | 450
Test customer – Jiangyin X Min Hospital
• Period: 2008/10/24~2008/11/20
• Product tested: TDA
• AV product: Trend Micro anti-virus, network edition and server edition
• User seats: 600
• 10,605 events detected in total, of which IRC bot events account for 65%
Suspicious threat behaviour | Total
Monitored client has a malware that is communicating to an external party. | 8442
Monitored client is propagating malware. | 1527
Monitored client is using a tunneling software to bypass internet usage restrictions. | 232
Hacking attempt. | 182
Monitored client is attempting to access a service using a default account. | 179
Monitored client is hosting an unauthorized service that presents a security risk. | 37
Monitored client is sending out suspicious email. | 5
Monitored client is connecting to an unauthorized service that presents a security risk. | 1
Total | 10605
Test customer – Jiangyin X Min Hospital
65% of the IRC bot events were generated by 192.192.180.86, which connects to the Proxima.ircgalaxy.pl server and downloads viruses of the Virut family. Known viruses: infections are spreading inside the organisation, mainly PE_LOOKED.AC-O, PE_LOOKED.AC, PE_FUJACKS.BE-O,
Top 5 infection source IPs | Count | Top 5 infected IPs | Count
192.192.182.32 | 270 | 192.192.182.209 | 330
192.192.182.193 | 221 | 192.192.182.238 | 242
192.192.182.36 | 192 | 192.192.182.137 | 215
192.192.182.164 | 178 | 192.192.182.182 | 183
192.192.182.204 | 134 | 192.192.182.69 | 116
Target Environment
• Remote offices (manufacturing / finance / government): detect new and known malware coming from your remote / branch offices into the corporate network.
• Mobile devices (insurance / high-tech / law firms): detect new and known malware introduced by mobile devices into your corporate network.
• Unprotected devices (manufacturing / production): detect malware coming from devices that cannot run AV (production servers, IP phones) or from segments that do not have endpoint AV.
Business Value Proposition: cost of data loss if left undetected over time
(Chart: cost of information leakage and data loss over time; threat discovered; time to protection; damage and loss stopped and contained; cost and effort Trend Micro saves)
• Early identification of malware activities and data loss:
1. Significantly reduces the capital / operating expenses for damage containment
2. Improves company-wide security posture
• The cost of a sensitive data breach will increase 20% per year over the next two years…
• TJMAX case study: data loss undetected for 18 months; 45.7 million card accounts stolen; estimated liabilities > 4.5 billion USD