Filip Demianiuk, Technical Channel Manager EEUR
Trend Micro, Cisco Expo, Kiev
Layered WEB and MESSAGING security
Copyright 2007 - Trend Micro Inc.
AGENDA
• Trend Micro Company Overview
• Threat Landscape
• Web Security
• Messaging Security
• Cisco / Linksys Alliance
Trend Micro Company Overview
Copyright 2007 - Trend Micro Inc. 6/18/2008
Company Overview
Founded: United States, 1988
Headquarters: Tokyo, Japan
Employees: 3,600+
Market: Internet Content Security
2007 Revenue: US $848 Million
CEO: Eva Chen
• Operations in more than 50 countries; 9 global R&D centers
• Tokyo Stock Exchange (4704)
Internet Content Security Market
Delivered as services, appliances and software, across four segments:
• Network Security: Firewall/VPN, UTM, NAC, Behavior Monitoring
• Email Security: Email Antivirus, Anti-Spam, Email Reputation, Email Server, Encryption, Compliance/Archiving
• Web Security: URL Filtering, Web Reputation, Web Gateway Antivirus
• Endpoint Security: Client Antivirus, Client Firewall, Client Anti-Spyware, Zero-Day Protection, Encryption, NAC, Data Leak Prevention
Some of these components are delivered through partners.
Strategic Partners We're Working With Today to Deliver More Value to Customers
Partner categories: Technology, Consulting, Services, Platform, Strategic Partner
Trend Micro Foundation: TrendLabs
• More than 1,000 threat research, service, and support experts at 10 locations
• 24/7 operations
• Real-time alerts for new threats
TrendLabs helps provide a worldwide platform for delivering timely threat intelligence, service, and support anytime, anywhere.
Protection requires more than a product... It requires service: timely and expert service.
Locations: TrendLabs HQ, Philippines; Lake Forest, USA; New Jersey, USA; Mexico; Paris, France; Bavaria, Germany; Cork, Ireland; Tokyo, Japan; Taiwan, ROC; Shanghai, China.
Threat Landscape
Threat Environment Evolution to Crimeware
Chart (complexity rising over time): Vulnerabilities, Worm/Outbreaks -> Spam, Mass Mailers -> Spyware -> Intelligent Botnets -> Web Threats -> Crimeware
Characteristics of today's web threats and crimeware:
• Multi-Vector
• Multi-Component
• Web Polymorphic
• Rapid Variants
• Single Instance
• Single Target
• Regional Attacks
• Silent, Hidden
• Hard to Clean
• Botnet Enabled
• Information Stealing
Who is behind this?
BEFORE: male between 14 and 34 years old; computer "geek"; no girlfriend; need of fame.
NOW: professional cyber-criminal; need of money.
• Creating and renting huge botnets made of zombie computers
• Stealing private and company data
• Acquiring classified information for ransom
• Fraudulent profits from advertisements
Underground Economy
Sample data from research on the underground digital economy in 2007
Asset | Going rate
Pay-out for each unique adware installation | 30 cents in the United States, 20 cents in Canada, 10 cents in the UK, 2 cents elsewhere
Malware package, basic version | $1,000 – $2,000
Malware package with add-on services | Varying prices starting at $20
Exploit kit rental – 1 hour | $0.99 to $1
Exploit kit rental – 2.5 hours | $1.60 to $2
Exploit kit rental – 5 hours | $4, may vary
Undetected copy of a certain information-stealing Trojan | $80, may vary
Distributed Denial of Service attack | $100 per day
10,000 compromised PCs | $1,000
Stolen bank account credentials | Varying prices starting at $50
1 million freshly-harvested emails (unverified) | $8 up, depending on quality
Web threats are any threat that uses the Web to do bad and unwanted things. They:
• Use the Internet to perform malicious activities
• Arrive, propagate, deliver payload, and entrench themselves via the Internet
• Employ blended threats, or combinations of malicious programs and techniques that work together to infect PCs
• Are installed on a PC without the user's explicit knowledge or permission and aim to clandestinely carry out their activities
Chart: Web Threats, Total Growth Since 2005 (log scale, 10 to 1000). Quarterly values from Q1 2005 to Q1 2007: 39%, 84%, 138%, 201%, 263%, 328%, 399%, 468%, 540%.
Malware for profit is driving Web threats.
What is a Web Threat?
• A Web threat uses the Internet to perform cybercrime
• Possible components of a Web threat include:
  – Internet infection vector (Web, email, vulnerabilities, etc.)
  – Host infection via malicious program(s)
  – Updates* and possible propagation via the Internet
  – Hidden payload delivered without the user's knowledge or permission
*Updates MUST occur for a threat to be considered a Web threat
Web Threats are real! The Italian Job
Over 2,000 Italian sites infiltrated! IFRAME inserted!
How does it work?
Who's behind it?
Compromised ISP subnets owned by ARUBA.IT (and Vortech)
  IP Location: Italy
  Resolve Host: *.in-addr.arpa. 10799 IN PTR webx90.aruba.it.
  Blacklist Status: Clear
  Whois Record: OrgName: RIPE Network Coordination Centre; OrgID: RIPE; Address: P.O. Box 10096, 1001EB Amsterdam, NL
IFRAME redirector from compromised site --> HostFresh, HK
  IP Location: Hong Kong, Hostfresh
  Blacklist Status: Clear
  Whois Record: person: Piu Lo; nic-hdl: PL466-AP; e-mail: [email protected]; address: No. 500, Post Office, Tuen Mun, N.T., Hong Kong; phone: +852-35979788; fax-no: +852-24522539; country: HK
Other malware downloaded from various sites
Control and monitoring server --> FastServers, Chicago, IL
  IP Location: United States, Chicago, Fastservers Inc
  Resolve Host: TRUMAN.DNSPATHING.COM.
  Blacklist Status: Clear
  Whois Record: OrgName: FastServers, Inc.; OrgID: FASTS-1; Address: 175 W. Jackson Blvd, Suite 1770, Chicago, IL 60604, US
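The attack chain above starts with a hidden IFRAME injected into legitimate pages that silently pulls a redirector from another host. The following detector, added here as an example and not part of the original presentation or of any Trend Micro product, scans a page for IFRAMEs that are both hidden (0x0, 1x1 or display:none) and load content from a host outside the page's own domain. The sample page, its hostnames and the 203.0.113.10 address (RFC 5737 documentation range) are constructed for the demonstration; a visible third-party embed and a same-site tracking pixel are included to show what is not flagged.

```python
"""Flag hidden, off-site IFRAMEs of the kind injected into the compromised Italian sites.

Added example, not code from the slides. The sample page and the 203.0.113.10
redirector address are constructed (RFC 5737 documentation range).
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse


class IframeCollector(HTMLParser):
    """Collect the attribute dictionary of every <iframe> start tag in a page."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":  # HTMLParser lower-cases tag and attribute names
            self.iframes.append({name: (value or "") for name, value in attrs})


def _pixels(value):
    """Parse a width/height attribute such as '0', '1px' or '100%' into an int, or None."""
    match = re.match(r"\s*(\d+)", value)
    return int(match.group(1)) if match else None


def _is_offsite(src, page_host):
    """True when src resolves to a host that is neither the page host nor a subdomain of it."""
    host = urlparse(src).hostname
    if not host or not page_host:
        return False
    return host != page_host and not host.endswith("." + page_host)


def suspicious_iframes(html, page_url):
    """Return the iframes that are both hidden and load content from another host.

    A visible third-party frame (an ad, a video embed) is normal; a 0x0 or
    display:none frame pointing off-site is the redirector pattern from the
    Italian Job case and is reported together with the reasons that fired.
    """
    page_host = urlparse(page_url).hostname
    collector = IframeCollector()
    collector.feed(html)
    findings = []
    for frame in collector.iframes:
        src = frame.get("src", "")
        reasons = []
        width, height = _pixels(frame.get("width", "")), _pixels(frame.get("height", ""))
        if (width is not None and width <= 1) or (height is not None and height <= 1):
            reasons.append("zero-size")
        style = frame.get("style", "").replace(" ", "").lower()
        if "display:none" in style or "visibility:hidden" in style:
            reasons.append("hidden-by-style")
        if reasons and _is_offsite(src, page_host):
            # An IP-literal src is an extra signal: no domain to build reputation on.
            if re.fullmatch(r"\d+(\.\d+){3}", urlparse(src).hostname or ""):
                reasons.append("raw-ip-src")
            findings.append({"src": src, "reasons": reasons})
    return findings


# Constructed sample: a legitimate page with a visible embed, a same-site tracking
# pixel, and two injected frames (one 0x0 to a raw IP, one hidden by CSS).
SAMPLE_PAGE = """
<html><body>
<h1>Benvenuti</h1>
<iframe src="http://video.partner.example/embed/42" width="480" height="360"></iframe>
<iframe src="http://203.0.113.10/in.cgi?3" width=0 height=0 frameborder=0></iframe>
<iframe src="http://stats.www.example.it/c.html" width="1" height="1"></iframe>
<div style="display:none"><iframe src="http://cnt.example.net/x.php" style="display: none"></iframe></div>
</body></html>
"""

if __name__ == "__main__":
    for hit in suspicious_iframes(SAMPLE_PAGE, "http://www.example.it/index.html"):
        print(hit["src"], ", ".join(hit["reasons"]))
```

Run against a crawl of your own sites after a suspected mass compromise; the two conditions together (hidden and off-site) keep the noise from ads and embeds down, while the same-site 1x1 pixel is deliberately left alone because the page does not describe that as part of the attack.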
Web Threats
Nothing is cheap during
With the exception of malware using the VML vulnerability! Utilizing the vulnerability, it downloads a ZLOB variant!
The Major Threat Vectors are Business Critical
Diagram: Internet -> gateway (MTA, Proxy, DNS; port 25 and port 80) -> internal mail server, servers, applications and storage -> end points, including off-network end points.
EXTERNAL THREATS: Viruses & Worms, Spyware & Adware, Spam & Phishing
INTERNAL THREATS: Information Leaks, Compliance, Vulnerabilities
Multi-Layered Web Protection
What can you learn from a URL?
• Domain name
• Registrar
• Name servers
• History
Trend Micro Web Reputation Service
Web Reputation = Domain Security Rating + URL Filtering + Spam Correlation
Inputs: Email Reputation Database, Domain Behaviour Database, URL Filtering Security Rating, fed by the Trend Global DNS Network (zone files, DNS) with 3 billion hits/day and 99.999% availability.
Example lookup in the diagram: http://www.cisco.com/
Total Web Reputation Data Feeds
• URL Category Database: restricts employee access to web sites
• Security Rating: crawls web sites to check for malware and utilizes malware analysis
• IP Location Check: correlates IP location with URL
• Anti-Phishing Database: known and suspected phishing URLs
• Domain Behaviour: provides analysis of ALL top level domains (TLDs)
• Email Reputation Service: looks at our RBL database to enable event correlation between spam and web threats
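The slides list the signals (domain name, registrar, name servers, history; URL category, phishing list, IP location, domain behaviour, spam correlation) but not how they combine into a verdict. The scorer below is an added example of one way to fuse such feeds; it is not Trend Micro's algorithm and carries none of its data. Every feed is a constructed stand-in (domains use the reserved .example TLD, 203.0.113.10 is from the RFC 5737 documentation range, registrar names are invented), and the weights, the 30-day "young domain" cutoff and the warn/block thresholds are assumptions chosen for illustration.

```python
"""Combine URL reputation feeds of the kinds the slides list into a single verdict.

Added example, not Trend Micro's scoring logic. All feeds below are constructed
stand-ins; weights and thresholds are assumptions.
"""
from datetime import date
from urllib.parse import urlparse

# Anti-phishing database: known and suspected phishing URLs (constructed).
PHISHING_URLS = {"http://203.0.113.10/in.cgi?3"}
# Email reputation correlation: domains seen advertised in spam (constructed).
SPAM_ADVERTISED_DOMAINS = {"cheap-meds.example"}
# URL category database (constructed).
URL_CATEGORY = {"www.known-good.example": "Business", "cheap-meds.example": "Spam"}
# Domain behaviour feed: what whois/DNS history tells you about a domain (constructed).
DOMAIN_RECORD = {
    "www.known-good.example": {
        "registered": date(1999, 3, 2), "registrar": "Registrar A (constructed)",
        "ns_country": "US", "host_country": "US",
    },
    "freshly-registered.example": {
        "registered": date(2007, 6, 13), "registrar": "Registrar B (constructed)",
        "ns_country": "NL", "host_country": "US",
    },
    "cheap-meds.example": {
        "registered": date(2004, 1, 20), "registrar": "Registrar B (constructed)",
        "ns_country": "US", "host_country": "US",
    },
}

WEIGHTS = {  # assumed weights; tune against your own false-positive budget
    "young_domain": 40, "geo_mismatch": 15, "bad_category": 50,
    "unrated": 10, "spam_correlated": 30, "no_record": 30,
}
YOUNG_DOMAIN_DAYS = 30          # assumption: anything younger is treated as untrusted
TODAY = date(2007, 6, 18)       # constructed reference date matching the deck


def rate_url(url, today=TODAY):
    """Return (score 0-100, verdict, reasons); verdict is allow, warn or block."""
    host = urlparse(url).hostname or ""
    if url in PHISHING_URLS:                      # exact hit beats every other signal
        return 100, "block", ["listed in anti-phishing database"]

    score, reasons = 0, []
    record = DOMAIN_RECORD.get(host)
    if record is None:                            # IP literal or never-seen host
        score += WEIGHTS["no_record"]
        reasons.append("no domain record (IP literal or unknown host)")
    else:
        age_days = (today - record["registered"]).days
        if age_days < YOUNG_DOMAIN_DAYS:
            score += WEIGHTS["young_domain"]
            reasons.append(f"domain registered {age_days} days ago via {record['registrar']}")
        if record["ns_country"] != record["host_country"]:   # IP location vs. URL correlation
            score += WEIGHTS["geo_mismatch"]
            reasons.append(f"name servers in {record['ns_country']}, host in {record['host_country']}")

    category = URL_CATEGORY.get(host, "Unrated")
    if category in ("Spam", "Malware", "Phishing"):
        score += WEIGHTS["bad_category"]
        reasons.append(f"URL category {category}")
    elif category == "Unrated":
        score += WEIGHTS["unrated"]
        reasons.append("no URL category yet")

    if host in SPAM_ADVERTISED_DOMAINS:           # spam/web-threat correlation
        score += WEIGHTS["spam_correlated"]
        reasons.append("domain advertised in recent spam")

    score = min(score, 100)
    verdict = "block" if score >= 70 else "warn" if score >= 40 else "allow"
    return score, verdict, reasons


if __name__ == "__main__":
    for u in ("http://www.known-good.example/", "http://freshly-registered.example/login",
              "http://cheap-meds.example/buy", "http://203.0.113.10/in.cgi?3",
              "http://203.0.113.10/other.html"):
        print(u, rate_url(u))
```

The point of the layering is that no single feed has to be right: a five-day-old domain with name servers on another continent and no category is only "warn" on its own, but the same domain showing up in spam would push it to "block".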
Trend Micro Web Threat Protection
Diagram: threats from the Internet reach the Gateway over HTTP and SMTP and continue to the Endpoint, including off-network endpoints. Every layer is backed by the Web Threat Protection backend (Reputation, Anti-Spyware, Antivirus, Anti-Spam, Anti-Phishing, Inappropriate Content; TrendLabs and the Malware Knowledge Database; Email Reputation), with tools and reports in Trend Micro Control Manager.
Multi-Layered Messaging Security
The Spam Problem is Increasing
• Spam: At least 90% of all email is spam [1]
  – Has increased fivefold in the last couple of years [2]
  – Estimated cost of spam in 2007 is $100bn [3]
  – About 40% of spam is image spam [4]
• Zombies: Approximately 16-25% of computers are zombies [5]
  – Computers that are infected with bot code
  – Hijacked for the hacker's use
• Botnets: Networks of zombies send about 80% of spam [6]
  – Harvest address information, launch DDoS attacks, send spam, bot code, and blended threats
  – Optimize distribution based on bandwidth, location, and other attributes
  – Steal the resources of the infected computers and hide the email sender
Sources: [1], [4], [6] TrendLabs, 3/07. [2] Ferris Research, "The Global Economic Impact of Spam, 2005", February 2005 (other statistics). [3] Ferris Research, "The Cost of Spam, 2007", 4/07. [5] Weber, Tim, "Criminals 'May Overwhelm the Web'", BBC News, 25 January 2007.
Stop Spam Before it Reaches You
Trend Micro manages the Email Reputation databases.
Blocks spam at the network's edge, improving the security of the gateway and infrastructure.
Trend Micro Anti-Spam Technologies
1. Email Reputation – First Line of Defense
  – Global and dynamic reputation services
  – Blocks up to 80% before entering the network, including zombies
2. IP Profiler – Customer-Specific Protection
  – Customer-specific reputation services based on company email traffic
  – Firewall against DHA and bounced email attacks
3. Anti-Spam Composite Engine – Guards Inbox
  – Stops any remaining spam before it enters the inbox
  – Integrates anti-spam technologies, including image spam detection
Reputation Services – Administrative Console
Industry-leading insight and control:
• Global spam update
• Spam reports
• Spam volume for 100 top ISPs
• Block lists by country or ISP using easy drop-down menus
IP Profiler: Customer-Specific Reputation Services
Covers spam, viruses, DHA attacks and bounced mail.
Customers set thresholds:
• Duration monitored
• Percentage of email threat
• Total mails for a relevant sample
• Triggering actions: what happens when these thresholds are met (block temporarily or block permanently)
Provides customer-specific reputation services by blocking IP addresses that exceed set thresholds; it also keeps threats completely off the network.
IP Profiler Management
• Manage currently monitored IP addresses
• Display logs: total spam emails, total malicious attempts, total connections, percentage of malicious attempts in the overall number of connections
• Select IP addresses and permanently or temporarily block them
• Create global white/black lists for IPs/domains; these apply to both NRS and IP Profiler
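The two IP Profiler slides describe thresholds (duration monitored, percentage of threat, total mails for a relevant sample, triggering action) without showing the evaluation. The code below is an added example of that evaluation, not the product's implementation: it walks a constructed connection log (addresses from the RFC 5737 documentation ranges) and applies one assumed threshold each for spam, directory harvest attacks and bounces. The minimum-sample rule keeps a source with two spam messages from being blocked on a 100% rate, and the window rule keeps a DHA source from diluting its recent behaviour with old legitimate traffic.

```python
"""Customer-specific IP profiling with per-threshold actions, as in the IP Profiler slides.

Added example, not the product's code. The connection log is constructed
(RFC 5737 documentation addresses); the windows, sample sizes, percentages
and actions are assumed threshold settings of the kind the customer configures.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Threshold:
    name: str
    window_minutes: int      # duration monitored
    min_sample: int          # total events needed for a relevant sample
    percent: float           # percentage of the sample that must be hostile
    action: str              # what happens when the threshold is met
    hostile: frozenset       # event kinds counted as hostile
    population: frozenset    # event kinds that make up the sample


THRESHOLDS = (  # assumed settings
    Threshold("spam", 60, 10, 50.0, "block_temporary",
              frozenset({"spam"}), frozenset({"spam", "clean"})),
    # Directory harvest attack: almost every RCPT TO names a non-existent user.
    Threshold("dha", 30, 20, 80.0, "block_permanent",
              frozenset({"rcpt_unknown"}), frozenset({"rcpt_unknown", "rcpt_ok"})),
    Threshold("bounce", 60, 10, 70.0, "block_temporary",
              frozenset({"bounce"}), frozenset({"bounce", "clean", "spam"})),
)


def profile(events, now, thresholds=THRESHOLDS):
    """events: iterable of (timestamp, source_ip, kind).

    Returns {ip: [(threshold_name, action, hostile_count, sample_size), ...]}
    for every source that crossed at least one threshold inside its window.
    """
    per_ip = defaultdict(list)
    for ts, ip, kind in events:
        per_ip[ip].append((ts, kind))
    decisions = defaultdict(list)
    for ip, history in per_ip.items():
        for t in thresholds:
            since = now - timedelta(minutes=t.window_minutes)
            sample = [kind for ts, kind in history if since <= ts <= now and kind in t.population]
            hostile = sum(1 for kind in sample if kind in t.hostile)
            if len(sample) >= t.min_sample and 100.0 * hostile / len(sample) >= t.percent:
                decisions[ip].append((t.name, t.action, hostile, len(sample)))
    return dict(decisions)


NOW = datetime(2007, 6, 18, 12, 0, 0)  # constructed reference time


def sample_events():
    """Constructed log: a spammer, a DHA source, a busy legitimate relay, and a tiny sample."""
    ev = []
    # 198.51.100.7: 10 spam + 2 clean in the last hour -> 83% spam on a sample of 12
    ev += [(NOW - timedelta(minutes=i), "198.51.100.7", "spam" if i <= 10 else "clean")
           for i in range(1, 13)]
    # 203.0.113.55: 24 unknown recipients + 1 valid in the last 25 minutes (96%), plus
    # 50 valid RCPTs two hours ago that fall outside the 30-minute DHA window
    ev += [(NOW - timedelta(minutes=i), "203.0.113.55", "rcpt_unknown" if i <= 24 else "rcpt_ok")
           for i in range(1, 26)]
    ev += [(NOW - timedelta(minutes=120 + i), "203.0.113.55", "rcpt_ok") for i in range(50)]
    # 192.0.2.10: legitimate relay, 30 clean messages and a single bounce
    ev += [(NOW - timedelta(minutes=i), "192.0.2.10", "clean") for i in range(1, 31)]
    ev.append((NOW - timedelta(minutes=5), "192.0.2.10", "bounce"))
    # 198.51.100.99: 2 spam, 0 clean -> 100%, but below the minimum sample of 10
    ev += [(NOW - timedelta(minutes=i), "198.51.100.99", "spam") for i in (3, 7)]
    return ev


if __name__ == "__main__":
    for ip, actions in sorted(profile(sample_events(), NOW).items()):
        for name, action, hostile, total in actions:
            print(f"{ip:15} {name:6} {action:15} {hostile}/{total}")
```

In a real deployment the event kinds come from the MTA's own verdicts (RBL hit, content-engine score, unknown recipient, bounce) and the decisions feed the temporary or permanent block list the management slide describes.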
Trend Micro Anti-Spam Engine
The Trend Micro anti-spam composite engine uses a "cocktail" approach to block both spam and phishing emails:
– Statistical Analysis
– Advanced Heuristics
– Signature Filtering
– Whitelists/Blacklists
– Detection for Multiple Languages
– Patent-Pending Image Spam Detection Technology
Industry proven technology: an install base of over 25 million seats over the past four years.
Image Spam Detection
• Conveys the spam message through an image, not text in the body of the email
• Approx. 40% of all spam [1]
• Image spam is 10x larger than a typical text email [1]
Source [1]: Osterman Research, Image Spam and New Threats Summit Webinar, conducted on 10 January 2007.
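The composite-engine slide lists the layers (whitelists, signatures, heuristics, statistics, image spam detection) and the image-spam slide gives the tell-tale shape of image spam (the pitch lives in a picture, almost no body text, a message an order of magnitude larger than text spam). The classifier below is an added example that wires those layers together and is not Trend Micro's engine; the five messages, the whitelist, the signature list, the token weights and the score thresholds are all constructed for the demonstration. The image-spam check uses exactly the two properties the slide names: image present with little visible text, and image bytes dwarfing the text.

```python
"""Composite 'cocktail' spam engine with an image-spam heuristic.

Added example illustrating the layered engine and the image-spam check from
the slides; it is not Trend Micro's engine. Messages, whitelist, signature
list, token weights and thresholds are constructed for the demonstration.
"""
import email.utils
import hashlib
import re
from email.message import EmailMessage

SENDER_WHITELIST = {"accounts@partner.example"}
TOKEN_WEIGHTS = {"replica": 3, "viagra": 4, "v1agra": 5, "free": 1, "click": 1,
                 "invoice": -2, "meeting": -2, "regards": -1}


def fingerprint(text):
    """Hash of the case/whitespace-normalized body, so re-spacing a campaign does not evade it."""
    return hashlib.sha1(re.sub(r"\s+", " ", text.lower()).strip().encode()).hexdigest()


KNOWN_SPAM_BODIES = ["Dear friend, you have been selected to receive a Rolex replica at 90% off. Click here now!"]
SPAM_SIGNATURES = {fingerprint(body) for body in KNOWN_SPAM_BODIES}


def extract_text(msg):
    """Concatenate all text/plain parts of a (possibly multipart) message."""
    return "\n".join(p.get_content() for p in msg.walk() if p.get_content_type() == "text/plain")


def heuristic_score(subject, text):
    score, reasons = 0, []
    if subject and subject == subject.upper() and any(c.isalpha() for c in subject):
        score, reasons = score + 15, reasons + ["all-caps subject"]
    blob = subject + " " + text
    if re.search(r"!{2,}", blob):
        score, reasons = score + 10, reasons + ["repeated exclamation marks"]
    if re.search(r"\b[a-z]+\d[a-z]+\b", blob.lower()):   # v1agra-style digit substitution
        score, reasons = score + 15, reasons + ["digit-for-letter obfuscation"]
    return score, reasons


def statistical_score(subject, text):
    """Toy token model: positive weights for spam tokens, negative for business tokens."""
    tokens = re.findall(r"[a-z0-9]+", (subject + " " + text).lower())
    return sum(TOKEN_WEIGHTS.get(t, 0) for t in tokens)


def image_spam_score(msg, text):
    """Image spam carries its pitch in a picture: image present, almost no text, image bytes >> text."""
    images = [p for p in msg.walk() if p.get_content_maintype() == "image"]
    if not images:
        return 0, []
    image_bytes = sum(len(p.get_payload(decode=True)) for p in images)
    visible = len(text.strip())
    if visible < 50 and image_bytes > 10 * max(visible, 1):
        return 60, [f"{len(images)} image(s), {image_bytes} image bytes vs {visible} chars of text"]
    return 0, []


def classify(msg):
    """Return (score, verdict, reasons); verdict is deliver, suspect or spam."""
    sender = email.utils.parseaddr(msg.get("From", ""))[1].lower()
    if sender in SENDER_WHITELIST:                       # whitelist short-circuits everything
        return 0, "deliver", ["sender whitelisted"]
    subject, text = msg.get("Subject", ""), extract_text(msg)
    if fingerprint(text) in SPAM_SIGNATURES:             # signature filtering
        return 100, "spam", ["matches known spam signature"]
    h_score, reasons = heuristic_score(subject, text)
    s_score = statistical_score(subject, text)
    i_score, i_reasons = image_spam_score(msg, text)
    score = max(0, h_score + s_score + i_score)
    reasons += ([f"token statistics {s_score:+d}"] if s_score else []) + i_reasons
    verdict = "spam" if score >= 50 else "suspect" if score >= 25 else "deliver"
    return score, verdict, reasons


def build(sender, subject, text, image=None):
    """Build a constructed test message, optionally with a GIF attachment."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["Subject"] = subject
    msg.set_content(text)
    if image is not None:
        msg.add_attachment(image, maintype="image", subtype="gif", filename="pic.gif")
    return msg


def sample_messages():
    """Constructed corpus: one message per engine layer plus a legitimate mail carrying a logo."""
    return {
        "whitelisted": build("accounts@partner.example", "FREE MONEY!!!", "Even this subject is delivered."),
        "signature": build("x@bulk.example", "Special offer", KNOWN_SPAM_BODIES[0]),
        "text_spam": build("y@bulk.example", "BUY V1AGRA NOW!!!",
                           "Free replica watches, click here!! v1agra 50% off"),
        "image_spam": build("z@bulk.example", "Hot stock pick", "See attached", b"GIF89a" + bytes(600)),
        "ham": build("bob@customer.example", "Invoice for June meeting",
                     "Hi, please find the invoice for the June meeting attached. Regards, Bob",
                     b"GIF89a" + bytes(200)),
    }


if __name__ == "__main__":
    for name, msg in sample_messages().items():
        print(name, classify(msg))
```

The "ham" message also carries an image, which is why the image check needs both conditions: a logo next to a normal amount of text scores nothing, while a 600-byte picture next to "See attached" scores the full image-spam weight on its own.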
Data Privacy and Protection
Enforce Content Compliance
• Minimize legal liability
• Comply with regulations (SOX, HIPAA, ...)
• Support internal messaging standards
• Prevent data leakage
• Antivirus stops any malware sent by email that could potentially damage or corrupt data.
• Anti-phishing helps to prevent the theft of confidential information.
• Anti-spyware stops the potentially more targeted attacks sent by email which attempt to steal corporate data.
• Flexible content filtering enables the efficient inspection of messages to ensure that data does not improperly leave the organization.
Cisco / Linksys Alliance
Complementary Security Strategies
Innovative, complementary marriage of solutions to deliver world-class threat prevention:
Cisco Systems' Self-Defending Network (market leader in network security solutions)
+ Trend Micro's Enterprise Protection Strategy (market leader in comprehensive content security)
Copyright 2007 - Trend Micro Inc. September 2007
Trend Micro / Cisco All-in-One Gateway Solution for Internet-Related Threats
Threats addressed: Viruses, Spam, Spyware, Web Threats, Phishing, Content, Data Leakage
Diagram layers: In-the-Cloud Security Services (Email Reputation, URL Filtering) -> Gateway Platform -> Automated Desktop Cleanup (DCS cleans malware) -> Centralized Management
Solution Benefits: automatic, centrally managed, integrated, multilayered security
Technical overview of the solution: DCS integration with CSC-SSM
Components in the diagram: Cisco ISR, Cisco ASA 5500 with CSC-SSM, Cisco Catalyst 6500, DCS Server, infected PC
1. Infected PC tries to visit phishing site
2. CSC detects and stops access to phishing site
3. CSC-SSM triggers DCS cleanup
4. DCS cleans infected machine using cleanup template
5. DCS sends cleanup result back to CSC-SSM
Solution
• Stops Internet attacks at the perimeter
• Secures email from threats
• Blocks transmission to phishing sites
• Scans for viruses in web mail
• Protects against loss of confidential information
• Automatically cleans endpoint of malware
Technical Overview of the Solution: Centralized Management and Reporting with TMCM
• Manages Trend Micro security infrastructure, gateway to desktop
  – Manages multiple DCS servers
  – Manages multiple CSC-SSM modules
  – Generates detailed reports
Diagram: Cisco ISR, Cisco ASA 5500 with CSC-SSM, Cisco Catalyst 6500, the PC & server network and several DCS Servers, all managed by TMCM-E.
How ProtectLink Gateway works
• Trend Micro ProtectLink Gateway
  – Protects email and Web traffic at the gateway: spam and URL filtering with Web Reputation
  – Hosted: in the cloud, even before your gateway, no software or hardware to deploy
Thank You
Filip Demianiuk, Technical Channel Manager
[email protected]
+48 509 310 990
www.securecloud.com
www.trendsecure.com
JSCB "Ukrsotsbank", Cisco Expo, Kiev
Experience of deploying Trend Micro solutions
Anti-virus protection requirements
• Virus scanning of all information flows on the local network;
• Multi-level protection:
  – workstation protection;
  – server protection (file, application, database, terminal servers);
  – corporate mail system protection (viruses, spam, phishing);
  – Internet access point protection;
  – network-level protection (firewall);
• Automatic update system for signatures and the anti-virus engine;
• Ability to roll back updates;
• Mechanisms for rapid response to threats;
• Centralized management;
• Centralized reporting and access to logs;
• Management of remote users and offices.
Features
• Simple installation and subsequent management from a single console;
• Protection at every point of entry and against all types of threats;
• Common centralized management of all Trend Micro solutions through a single web console;
• No licensing of additional software required;
• Additional unique services included in the price of the solution: damage cleanup (DCS) and web reputation (web-threat protection);
• Transparent management of the client update process;
• Small client update size;
• Pre-testing of updates for compatibility with the OS and third-party applications;
• Delegation of authority and separation of roles;
• 70% discount on license renewal;
• Free migration to new products;
• New functionality delivered in updates is also free.
Example implementation of complete anti-virus protection
Diagram: Internet; servers and users; DMZ; remote office and mobile users.
Users: OfficeScan Corporate
Servers: ServerProtect Win/Linux, ScanMail Lotus/Exchange
Internet: InterScan Web SS, InterScan Messaging SS
Management: Control Manager (with cascading)
Thank you for your attention