Trend Micro Threat Discovery Suites

Copyright 2008 - Trend Micro Inc.

Date posted: 28-Dec-2015


Agenda

Threat & Business Risks

TDA Benefits

Threat Discovery Technology

CN sharing

Q&A


Threat and Business Risks


Enterprise Content Security Landscape: Key IT Concerns

Threat Landscape Changed:

• Profit driven
• Sophisticated
• Multiplying

Business Operation Changed:

• More branches
• More mobile workforce

Technology revolution: more infection channels, like USB, 3G, Wi-Fi and Wi-Fly connections.

Why is there a gap?

[Figure: the threat categories Spam, Spyware, Botnets, Worms and Web shown against "Enterprise Mobile Device Market Penetration Over Time" (2000-2010, % penetration, Mobile Population vs. Anchored Desktop; source: The 451 Group and Infolock), with pen drives, portable hard drives and 3G as the new channels.]

DOWNAD/Conficker General Behavior


Uncountable Variants…


Network traffic generated after infection with DOWNAD/Conficker

Conclusion: a more proactive/early detection mechanism and a non-intrusive deployment design are required to discover these emerging (new) threats.

Monitoring Access: Internal Network


Does an employee visit harmful websites? Does anyone receive malicious mail? Does an employee bring an infected USB drive into the company? Does an employee use P2P to download malware?

Where is the high-risk client? How do I solve it? Overall, how do I improve my security protection?

Why can't you tell me earlier? What is the risk, and what is the risk level?

Controllable Risk Management

Goal of the New Age of Anti-Malware

Key issues that need to be addressed:

• Near real-time threat analysis system.
• Deep analysis of threat incidents.
• Professional recommendations.

Ultimate goal:

• Am I secure?
• What is the risk of those threat incidents?
• How do I solve those threat incidents?


Requirements of the New Age of Anti-Malware

Filtering and analysis; locating the infection source, plus malware analysis.

• Out-of-band deployment.
• Supports decoding of 84 protocols, with layer 2-7 analysis.
• Built-in malware behavior intelligence and advanced threat analysis engine.
• Integrates with the Secure Cloud platform.
• Identifies known/unknown threats through advanced correlation analysis.
• Precisely locates infected endpoints.
• Daily incident handling report / weekly management report.
• Root-cause analysis.
• Malware incident handling SOP.
• Professional support powered by Trend Micro Threat Response Center.

Stages: incident analysis & correlation; locate infected endpoint & infection source; threat analysis, reporting and recommendations.


Threat Discovery Suites - Value Proposition

• Trend Micro Threat Management Solution is the industry's most comprehensive malware detection and mitigation system at the network layer.

• TDA looks at network traffic and detects: new and known malware (including information-stealing malware), web threats, botnets, infected endpoints and disruptive applications.

The TDS ROI: Intelligent Threat Protection

[Figure: TDS lowers overall threat exposure.]

Threat Discovery Technology


Threat Discovery Suites Key Components

Threat Discovery Suite key features:

• New and known malware detection
• Disruptive application detection
• Multi-protocol malware detection
• Powered by SPN (SPN service)
• Out-of-band deployment

Finds threats in your network.

[Figure: Threat Response Center and Secure Cloud integration. Cloud services: ActiveUpdate, DNS-IP Reputation, Phishing Filter, App Reputation, HTTP-URL Reputation. Data path: switch -> port mirror -> Threat Discovery Appliance -> correlation -> Threat Analysis Report. New generation of anti-malware solution: service and support, professional recommendations.]

THREAT ENGINES


The threat engines decode HTTP, SMTP, IRC, P2P and 80+ other protocols to detect zero-day attacks, information-stealing malware and botnets.

TDA analyzes 80+ protocols, including:

• DNS
• DCE-RPC
• Telnet
• RDP
• SSH
• HTTP
• AIM
• IRC
• FTP
• TFTP
• SMB
• SMTP
• Gmail
• BitTorrent
• MSN
• ICQ
• Google Talk
• Slingbox
• iTunes
• Windows Media
• eMule
• eDonkey

Downloader: incident cases that can be detected by TDA

• Request for download / access: access to a malicious URL; use of a bad user-agent to connect to a malicious website.
• Downloader: download of a known virus; suspicious files transferred; executable files with suspicious extensions.

Example: downloader type of unknown malware. In the figure (Downloader A, Downloader B, Downloader C, Malicious Code D), each of Downloader A / B / C shows the two behaviors "download request" and "download", and both can be detected.

Bot-net: example cases that can be detected by TDA (※3)

• DNS query: DNS query for a known IRC command and control server.
• Bot C&C server communications: communication established with a known bot C&C server; IRC protocol on a non-standard port; IRC bot command detected.
• Others (※3): spam email; attempts to log on to systems (logon failures); brute-force attack; access to a malicious URL.

Example: unknown type of bot-net (figure: Bot A, DNS server, C&C server, proxy server on port 8080, server, malicious web site).

※3 Bot activities are extremely varied. Here we only introduce examples of typical activities and detections.

Worm: incident cases that can be detected by TDA

• Files attached in email: suspicious packed file; suspicious files transferred; the email subject matches those used by known malware.
• File sharing: brute-force attack via the SMB protocol; suspicious packed file; suspicious files transferred; executable files with suspicious extensions.
• Others: transfer of a packed file over an IM application; through application / system vulnerabilities.

Example: unknown worm type of threat (figure: Worm A, server).

※4 Worm activity is very diverse. Here we have just introduced examples of typical activities and detections.
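As an added example (not Trend Micro's code nor TDA's actual rules), the following Python correlates decoded per-client events into the Downloader, Bot-net and Worm cases described in the three sections above; the event layout, indicator lists, thresholds and sample traffic are constructed assumptions.

```python
"""Per-endpoint correlation of the Downloader, Bot-net and Worm cases above.
Added illustration, not Trend Micro / TDA code: event layout, indicator
lists, thresholds and sample traffic are assumptions constructed here."""
from collections import defaultdict

# Constructed indicator lists (placeholders, not real IoCs).
MALICIOUS_URLS = {"http://bad.example/dl.php"}
KNOWN_CC_DOMAINS = {"irc-cc.example"}
SUSPICIOUS_EXT = (".exe", ".scr", ".pif")
IRC_STANDARD_PORTS = {6667, 6697}

# One decoded event as a mirror-port sensor would record it:
# (client_ip, protocol, detail, server_port).  Constructed sample traffic.
EVENTS = [
    ("10.0.0.5", "HTTP", "GET http://bad.example/dl.php", 80),   # download request
    ("10.0.0.5", "HTTP", "FILE update.exe", 80),                  # download
    ("10.0.0.7", "DNS", "QUERY irc-cc.example", 53),              # known C&C lookup
    ("10.0.0.7", "IRC", "PRIVMSG #bots :.dl", 8080),              # IRC on odd port
    ("10.0.0.12", "HTTP", "GET http://intranet.example/", 80),    # benign
    ("10.0.0.12", "HTTP", "FILE report.pdf", 80),                 # benign
] + [("10.0.0.9", "SMB", "LOGON_FAIL administrator", 445)] * 6 + [
    ("10.0.0.9", "SMB", "FILE scardsvr32.exe", 445),              # executable over SMB
]


def is_exe_transfer(detail):
    """True for a file-transfer event whose name has a suspicious extension."""
    return detail.startswith("FILE ") and detail.lower().endswith(SUSPICIOUS_EXT)


def correlate(events, smb_fail_threshold=5):
    """Group events by client and apply the three case rules; returns
    {client_ip: {case, ...}} only for clients with at least one finding."""
    per_host = defaultdict(list)
    for ip, proto, detail, port in events:
        per_host[ip].append((proto, detail, port))

    findings = defaultdict(set)
    for ip, evs in per_host.items():
        # Downloader: malicious URL access followed by an executable download
        # (both behaviours are required, as in the Downloader A/B/C figure).
        bad_url = any(p == "HTTP" and d.split()[-1] in MALICIOUS_URLS
                      for p, d, _ in evs)
        exe_http = any(p == "HTTP" and is_exe_transfer(d) for p, d, _ in evs)
        if bad_url and exe_http:
            findings[ip].add("downloader")
        # Bot-net: DNS query for a known C&C, or IRC on a non-standard port.
        cc_dns = any(p == "DNS" and d.split()[-1] in KNOWN_CC_DOMAINS
                     for p, d, _ in evs)
        odd_irc = any(p == "IRC" and port not in IRC_STANDARD_PORTS
                      for p, _, port in evs)
        if cc_dns or odd_irc:
            findings[ip].add("bot-net")
        # Worm: SMB logon brute force plus an executable pushed over SMB.
        smb_fails = sum(1 for p, d, _ in evs
                        if p == "SMB" and d.startswith("LOGON_FAIL"))
        exe_smb = any(p == "SMB" and is_exe_transfer(d) for p, d, _ in evs)
        if smb_fails >= smb_fail_threshold and exe_smb:
            findings[ip].add("worm")
    return dict(findings)
```

Raising smb_fail_threshold above the number of observed failures drops the worm finding while the other two clients keep theirs, which is the kind of tuning a real appliance exposes per rule.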


TDS Deliverables - Report


Daily Administrative Report

Interactive drilldown reporting for navigating through the info of every single incident

Granular view with comprehensible threat intelligence and incident root cause

Actionable remediation recommendations tailored to your environment

(Image © AirTight 2007)

Business Risk Meters: risks associated with detected threats (affected assets, threat statistics, infection sources, trends, disruptive applications).

Executive Report:

• Groups & endpoints affected by threats
• Malware types found in the network
• Where is malware coming from?
• Trending and comparison data
• Disruptive applications in the network


TDS Value


Value 1 - Visibility

Customer's pain: How to rapidly understand the overall security situation?

TDS: TDA acts like a "magnifier" to find out known/suspicious threats.


XXX company report


Value 2 - Identify the threat type and infected client

Customer's pain: How to rapidly locate the high-risk client and the threat type?

TDS: TDA can filter network traffic of 80+ protocols and combine the behavior analysis engine/VSAPI with SPN 2.0 to identify the threat type and the infected client.


XXX company report


Value 3 - Identify disruptive application usage

Customer's pain: How to rapidly know about disruptive application usage?

TDS: TDA identifies P2P/MSN/streaming media usage.


XXX company report


Value 4 - Remedial Suggestion

Customer's pain: How to solve the threat and improve the protection?

TDS: The TDS report provides suggestions and protection methods; TM provides professional service.


XXX Company report


XXX company feedback after TDS

1. Visible: Can see through all threats (all threats and hidden risks at a glance).
2. Precise: Finds the infected client precisely (precise positioning; reliably locates the infection source).
3. Detailed information: Detailed information and a workable solution (detailed data analysis; security policy formulated according to specific needs).
4. High efficiency: The professional service team provides fast response (professional service team, efficient threat handling).


CN Status


Global 83 TDS assessment status - by industry

Industry               Assess-  Row             Total infected  IRC   Network  Generic  Info-    Malware    Malicious
                       ments                    endpoints       bots  worms    malware  stealer  downloads  URL access
Education              12       Total           3488            956   112      2240     813      12044      3536163
                                Average         291             80    9        187      68       1004       294680
                                Infection rate  -               75%   50%      83%      75%      92%        100%
Financial              7        Total           178             27    5        141      12       395        190362
                                Average         25              4     1        20       2        56         27195
                                Infection rate  -               86%   14%      57%      14%      57%        86%
Healthcare             5        Total           509             54    115      355      173      593        143918
                                Average         102             11    23       71       35       119        28784
                                Infection rate  -               80%   100%     100%     100%     100%       100%
Manufacturing          27       Total           1581            281   116      1092     258      39149      2615080
                                Average         59              10    4        40       10       1450       96855
                                Infection rate  -               74%   52%      85%      48%      70%        93%
Professional services  2        Total           17              4     10       3        0        182        20381
                                Average         9               2     5        2        0        91         10191
                                Infection rate  -               50%   50%      50%      0%       100%       100%
Public sector          23       Total           1997            330   866      591      333      4104       494116
                                Average         87              14    38       26       14       178        21483
                                Infection rate  -               83%   39%      91%      65%      83%        91%
Retail                 6        Total           52              5     0        25       35       76         200421
                                Average         9               1     0        4        6        13         33404
                                Infection rate  -               50%   0%       83%      50%      83%        83%
Telecom                1        Total           9               5     4        0        0        3          101
                                Average         9               5     4        0        0        3          101
                                Infection rate  -               100%  100%     0%       0%       100%       100%

2009 Q2 status update: selling status

Region   Pay customers  Units  Completed  On going  Quit  Total
CN-EC    3              3      22         37        4     69
CN-NC    4              4      19         10        2     35
CN-SC    -              -      8          44        1     53
CN-FSI   3              8      2          -         1     5
Total    10             15     50         91        7     162

* On going: still in POC, or agreed to POC.

2009 H1 status update: Industry

CN HT Security case sharing - Order with 3 TDA machines and PSP upselling

Business Background

• Customer profile:
- SH HT Security is one of the top 10 securities companies in China, with 55 branches and 126 transaction counters nationwide.
- HT's IT environment includes the securities transaction network, the OA network and the data center.
- HT suffers internal outbreaks caused by malware threats.

• Customer consideration:
- HT is concerned about system application downtime and network performance drops, which would impact its customer transactions.

Solution

• Trend Micro™ TDA
• Trend Micro™ PSP

• Outstanding points:
- Multiple TDA deployments discover malware threats and achieve more holistic coverage
- The TDA out-of-band implementation does not impact the customer's daily business operation
- PSP and SLO provide a malware remediation solution immediately

Benefits Delivered

• Highlights:
- TDA discovered the root cause of HT's internal outbreak caused by WORM_DOWNAD, and TM threat experts helped HT mitigate WORM_DOWNAD effectively
- HT had actually evaluated the TDA solution in Q4 2008 and had put the TDA budget in 2H 2009.
- Due to the business continuity concern, HT decided to move the TM TDA purchase ahead to Q2

CN Min-Sheng Life Insurance case sharing - Upsell IWSA5000 by using TDS

Business Background

• Customer profile:
- Symantec installed-base account. Established in 2002, with HQ located in BJ, Min-Sheng Life Insurance is one of six nationwide insurance companies.

• Customer consideration:
- Min-Sheng suffered a lot of threats over HTTP and FTP, like Trojans, spyware, phishing and malicious code.

Solution

• TDA as an assessment tool to identify web threats in the customer environment
• The TDA POC report shows >80% of threats come from the web
• The customer was impressed by the data and willing to implement IWSA5000 for evaluation
• IWSA delivered good results in web protection capability

• Outstanding points:
- IWSA5000 can reduce internal malware infections from the web by 86.7%
- Both TDA and IWSA identify mail as the 2nd infection channel
- IMSA will be the 2nd-phase evaluation

Benefits Delivered

• Highlights:
- During the TDA POC period, TDA discovered a total of 8,382 security events in 5 working days.
- The 86.7% malware reduction rate was proven by TDA before and after IWSA deployment
- The total IWSA5000 selling cycle from TDA POC to PO placement was only 1 month

Case Sharing 1: Government

• Pain point: Worm_Downad virus outbreak
- USB drive brought into the internal network
- Attacks targeting MS04-011_LSASS_EXPLOIT
- Password dictionary
- Sharing protocol
- After intruding into servers on the internal network, starts an HTTP server
- Sends large volumes of packets

• Security objective (security expectations):
- Quickly solve the current problem
- Finish the incident report
- Don't tell me after the virus outbreak; early recommendations are needed
- Keep the network stable

TDA actively finds out the threat

Event | Description | Count

1. Source clients spreading the virus detected | The top 5 clients (150.20.152.198, 150.20.129.121, 150.20.176.240, 150.20.177.82, 150.20.130.189) account for 91% of the suspicious traffic and propagate to other clients via SMB. The method is the network worm MS04-011_LSASS_EXPLOIT, plus a possible NOP sled attack. | 1910

2. Clients downloading EXE files internally over HTTP | 150.20.8.6 | 306

3. Known worm WORM_Downap infection | 150.20.132.166, 150.20.132.148, 150.20.195.118, 150.20.75.8 and 150.20.130.189 are infected and spread Worm_Downap to 150.20.14.25, 150.20.9.248 and 150.20.8.96 via SMB; virus file scardsvr32.exe | 8

4. Clients with adware / spyware installed | | 4

Total | | 2228

1. Visible: 5 major computers cause 91% of the threat traffic. 2. Precise: Identify the 5 infection sources and the threat type. 3. Solution: Worm_Down.AD solution proposal.

Hospital Background

1. Description:
① Divided into 2 network segments: the OA network and the medical network

2. Hospital IT pain points:
① IT is a low-power role. It cannot manage all PCs, but needs to overcome all threat events
② Every department can buy medical machines that come with PCs. These PCs mostly cannot have an AV solution installed
③ Doctors are a mighty role in the hospital. Doctors like to bring their own computers into the OA/medical network, and IT cannot manage this
④ In some hospitals the OA/medical networks belong to different IT departments

TDA value for hospital IT

TDA provides information: including the threat type and the infected client. Because not all PCs are managed by IT, IT needs TDA to see through all threat events in order to overcome threat incidents.

TDS provides the solution: TDA provides the solution and the infected client information, so IT can handle the incident easily.

TDA as a mechanism: In the hospital environment IT is a weak role, but it needs to take responsibility for all threats. TDA lets IT handle all threat incidents fast and effectively and achieve the fast-response objective.

Hospital Request

Request:
① Ensure the hospital business systems can operate normally
② Avoid virus outbreaks and keep the network stable
③ Detect virus outbreaks
④ Precisely find the infected client and solve the threat

Solution:
• TDA can detect known / suspicious threats
• TDA can precisely find the infected client
• The TDA report can provide solutions and protection advice

Result:

Test customer – Taiwan X Dong Hospital

• 10th floor, doctors' floor (10.80.235.0/24), VLAN101-103, VLAN 107
- Time: 2008/8/22 to 2008/10/21
- 10.80.235.X belongs to the doctors' lounge segment
• Total 1000 user seats
• AV: Symantec clients
• 42782 events detected in total (8/23-10/21).

Attempts to log on to hosts by password guessing:
• Hosts with failed logon attempts against them: 10.80.0.103, 10.80.0.162, 10.80.0.50, 10.80.0.51
• Workstations attempting to log on:
- 10.80.235.81 failed to log on to 10.80.0.103 44118 times. This computer received many virus emails from an external mailbox (ms14.hinet.net)
- 10.80.235.193 failed to log on to 10.80.0.162 1332 times.
- 10.80.235.16 failed to log on to 10.80.0.162 1080 times.

Known viruses:
• Mal_Otorun5: 10.80.235.114, 10.80.235.233, 10.80.130.165
• WORM_SQLP1434.A, attacked hosts: 10.80.0.107, 10.80.0.21, 10.80.0.27, 10.80.0.82, 10.80.1.32, 10.80.194.207, 10.80.2.21, 10.80.33.10
• KAVO family: 10.80.130.144, 10.80.138.133, 10.80.194.140, 10.80.142.82, 10.80.142.211, 10.80.142.212, 10.80.200.139, 10.80.204.138, 10.80.225.154, 172.16.10.89, 10.80.235.41, 10.80.235.55, 10.80.235.56, 10.80.235.82

Doctor's computer

Test customer – Taiwan X Guang Hospital

• Whole hospital network
- Time: 2008/9/26-2009/5/7
• Total 1,000 user seats
• AV: Trend Micro OfficeScan 8.0, NVWE2500, IWSA
• 2932 events detected in total.
• Situation: hard to identify the infection source

Test customer – Taiwan X Guang Hospital

TDS analyzed events           TDA detected  TDA detected - known virus
Malware infection             1885
Download of known malware                   379
Information-stealing malware  332
Unregistered DNS server       287
IRC bot                       59
Total                         2563          379

Test customer – Taiwan X Min General Hospital

• Whole hospital network
- Time: 2009/2/19-2009/5/7
• Total 4,000 user seats
• AV: Trend Micro OfficeScan 7.3 / 8.0, NVWE2500
• 1382 events detected in total.
• Situation: virus outbreak, medical system slowdown

Test customer – Taiwan X Min General Hospital

TMS analyzed events            TDA detected  TDA detected - known virus
Information-stealing malware   404
Download of known malware                    387
Malware infection              372
Received virus mail                          63
IRC bot (DNS query)            62
IRC bot                        56
Received suspected virus mail  38
Total                          932           450

Test customer – Jiangyin X Min Hospital

• Time: 2008/10/24~2008/11/20
• Test product: TDA
• AV product: Trend Micro OfficeScan and ServerProtect (趋势科技防毒墙网络版, 防毒墙服务器版)
• User seats: 600
• 10,605 events detected in total, of which IRC Bot events account for 65%

Suspicious threat behavior                                                                 Total
Monitored client has a malware that is communicating to an external party.                 8442
Monitored client is propagating malware.                                                   1527
Monitored client is using a tunneling software to bypass internet usage restrictions.      232
Hacking attempt.                                                                           182
Monitored client is attempting to access a service using a default account.                179
Monitored client is hosting an unauthorized service that presents a security risk.         37
Monitored client is sending out suspicious email.                                          5
Monitored client is connecting to an unauthorized service that presents a security risk.   1
Total                                                                                      10605

Test customer – Jiangyin X Min Hospital

The 65% of IRC Bot events were all generated by 192.192.180.86, which connects to the Proxima.ircgalaxy.pl server and downloads Virut-family viruses.

Known viruses: there are virus infections inside the organization, mainly PE_LOOKED.AC-O, PE_LOOKED.AC, PE_FUJACKS.BE-O,

Top 5 infection source IPs   Count  Top 5 infected IPs   Count
192.192.182.32               270    192.192.182.209      330
192.192.182.193              221    192.192.182.238      242
192.192.182.36               192    192.192.182.137      215
192.192.182.164              178    192.192.182.182      183
192.192.182.204              134    192.192.182.69       116

Backup slides

Target Environment

Remote offices (manufacturing / finance / government): detect new & known malware coming from your remote / branch offices into the corporate network.

Mobile devices (insurance / high-tech / law firms): detect new & known malware introduced by mobile devices into your corporate network.

Unprotected devices (manufacturing / production): detect malware coming from devices that cannot run AV (production servers, IP phones) or segments which do not have endpoint AV.

Business Value Proposition: cost of data loss if left undetected over time

[Figure: cost of information leakage & data loss versus time, marking "threat discovered", "time to protection", "damage & loss stopped / contained", and the cost & effort Trend Micro saves.]

• Early identification of malware activities and data loss:
1. Significantly reduces the capital / operating expenses for damage containment
2. Improves company-wide security posture

• The cost of a sensitive data breach will increase 20% per year over the next two years…

• TJ Maxx case study: data loss undetected for 18 months; 45.7 million card accounts stolen; estimated liabilities > 4.5 billion USD.