Trend Micro Threat Management Solution
Solution Overview
Author: James Payongayong
Contacts: Jai Balasubramaniyan, Paris Trudeau & James Payongayong

Threat Discovery Appliance Hardware Overview
• Dell 2950
• 800 Mbps max throughput
• 10,000 max concurrent connections
• 2 monitoring ports
• 2 management ports
• 1 serial port
• Redundant power
Paramount Q1 2008 - 2
Trend Micro Threat Management Solution: Network Deployment

Overall Solution Deployment

Threat Discovery Appliance Deployment
The Threat Discovery Appliance's data port is connected to the mirror port of the core switch, which is configured to mirror the switch port that leads to the firewall.

Deployment
• Asymmetric route and multi-mirror port installation
• Support for multi-TDA installation
• Support for TAP installation
Trend Micro Confidential
Trend Micro Threat Management Solution: Threat Discovery Appliance Feature Overview

Threat Discovery Appliance Features
• New and known malware detection
• Disruptive application detection
• Multiprotocol threat detection
• Powered by SPN
• Out-of-band deployment

Threat detection engines
The Threat Discovery Appliance uses Network Content Inspection Technology to detect both known and zero-day threats.

How does TDA analyze network traffic?
• Assemble packets into one stream
• Extract embedded files and send them to the file scanning engines
• Extract embedded URLs and perform a WRS check
• Scan the traffic stream for exploits and network worms
• Perform single-session correlation on the traffic stream

Protocol Support
The Threat Discovery Appliance supports all known protocols used by malware, spanning over 80 protocols. TDA uses port-agnostic protocol detection to accurately identify protocols regardless of the port used.
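As an added example (not code from the deck or from Trend Micro), the following Python sketch walks the single-session pipeline above together with the port-agnostic protocol detection described here: it reassembles out-of-order TCP segments into one stream, identifies the protocol from payload content alone, extracts embedded URLs, checks them against a constructed block list standing in for the WRS lookup, and flags a protocol seen on an unexpected port. The signatures, expected ports, hostnames and sample segments are all constructed for the illustration.

```python
import re

# Constructed payload signatures (illustrative, not Trend Micro's rules).
SIGNATURES = [
    ("HTTP", re.compile(rb"^(GET|POST|HEAD|PUT) \S+ HTTP/1\.[01]\r\n")),
    ("SMTP", re.compile(rb"^(EHLO|HELO|MAIL FROM:)", re.I)),
    ("IRC", re.compile(rb"^(NICK|USER|JOIN|PRIVMSG) ", re.M)),
]
EXPECTED_PORTS = {"HTTP": {80, 8080}, "SMTP": {25, 587}, "IRC": {6667}}
URL_RE = re.compile(rb"https?://[\w.-]+(?:/[\w./?=&%-]*)?", re.I)
BAD_HOSTS = {b"dl.evil-example.test"}  # constructed stand-in for a WRS lookup

def reassemble(segments):
    """Order (offset, payload) segments, drop seen bytes; a gap raises."""
    stream = bytearray()
    for offset, data in sorted(segments):
        if offset > len(stream):
            raise ValueError(f"gap in stream at offset {len(stream)}")
        stream += data[len(stream) - offset:]  # skip retransmitted prefix
    return bytes(stream)

def identify_protocol(stream):
    """Classify from payload content alone; the port is never consulted."""
    for name, pattern in SIGNATURES:
        if pattern.search(stream[:512]):
            return name
    return "UNKNOWN"

def analyze_session(port, segments):
    """Reassemble, identify protocol, extract URLs, check reputation."""
    stream = reassemble(segments)
    proto = identify_protocol(stream)
    urls = URL_RE.findall(stream)
    findings = []
    if proto in EXPECTED_PORTS and port not in EXPECTED_PORTS[proto]:
        findings.append(f"{proto} seen on unexpected port {port}")
    for url in urls:
        host = url.split(b"//", 1)[1].split(b"/", 1)[0].lower()
        if host in BAD_HOSTS:
            findings.append(f"URL with bad reputation: {url.decode()}")
    return {"protocol": proto, "urls": [u.decode() for u in urls],
            "findings": findings}

# Constructed sample: IRC-style session on TCP port 80, segments captured
# out of order plus one full retransmission.
SAMPLE_SEGMENTS = [
    (33, b"JOIN #chan\r\nPRIVMSG #chan :get http://dl.evil-example.test/u.exe\r\n"),
    (0, b"NICK bot4721\r\nUSER bot 0 * :bot\r\n"),
    (0, b"NICK bot4721\r\nUSER bot 0 * :bot\r\n"),  # retransmission
]
```

Calling `analyze_session(80, SAMPLE_SEGMENTS)` reports both the IRC-on-port-80 mismatch and the bad-reputation URL; the same session on port 6667 reports only the URL.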
Disruptive Application Support
Besides detecting malicious activity, the Threat Discovery Appliance also detects disruptive applications from the following three major categories:

Trend Micro Threat Management Solution: Threat Management Services Feature Overview

Threat Management Services Features
• Advanced in-the-cloud correlation engine
• Collaboration with Trend Micro’s Smart Protection Network
• Threat analysis and reporting

Advanced Threat Correlation
• User receives IM with suspicious link
• User visits link and downloads suspicious file
• User begins sending out IM messages with same link
• Events correlated
TMS correlates these separate events to determine that the user has been infected with an IM worm!
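The correlation on this slide, written out as an added example (not Trend Micro's engine): constructed log events are grouped per host and matched against the four-step IM worm sequence in order, on the same link, within an assumed 30-minute window. Host names, the link and the event kinds are all constructed for the illustration.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class Event:
    ts: datetime
    host: str
    kind: str  # im_link_received, url_visited, file_download, im_link_sent
    url: str   # the link the event concerns

# The IM-worm sequence from the slide, in the order it must occur.
IM_WORM_SEQUENCE = ("im_link_received", "url_visited", "file_download", "im_link_sent")
WINDOW = timedelta(minutes=30)  # assumed: all steps within 30 minutes

def correlate_im_worm(events):
    """Return {host: link} for hosts showing the full sequence in order."""
    by_host = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):
        by_host[e.host].append(e)
    verdicts = {}
    for host, evs in by_host.items():
        for i, start in enumerate(evs):
            if start.kind != IM_WORM_SEQUENCE[0] or host in verdicts:
                continue
            step = 1
            for e in evs[i + 1:]:
                if e.ts - start.ts > WINDOW:
                    break  # later steps fall outside the window
                if e.kind == IM_WORM_SEQUENCE[step] and e.url == start.url:
                    step += 1
                    if step == len(IM_WORM_SEQUENCE):
                        verdicts[host] = start.url
                        break
    return verdicts

def at_minute(minute):
    return datetime(2009, 5, 27, 10, minute)

# Constructed log: ws-12 follows the whole pattern; ws-07 only receives and
# opens the link; ws-03 sends the link without ever receiving it.
LINK = "http://dl.evil-example.test/photo.exe"
SAMPLE_EVENTS = [
    Event(at_minute(0), "ws-12", "im_link_received", LINK),
    Event(at_minute(2), "ws-12", "url_visited", LINK),
    Event(at_minute(2), "ws-12", "file_download", LINK),
    Event(at_minute(9), "ws-12", "im_link_sent", LINK),
    Event(at_minute(1), "ws-07", "im_link_received", LINK),
    Event(at_minute(4), "ws-07", "url_visited", LINK),
    Event(at_minute(5), "ws-03", "im_link_sent", LINK),
]
```

`correlate_im_worm(SAMPLE_EVENTS)` flags only ws-12; a host that merely clicks a link, or that sends a link it never fetched, produces no verdict.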
Executive Report Details
• Business Risk Meters: risks associated with detected threats
• Affected Assets: groups & endpoints affected by threats
• Threat Statistics: malware types found in the network
• Infection Sources: sources of malware infection
• Trends: trending and comparison data
• Disruptive Applications: disruptive applications in the network

Daily Report
• IT Administrator focused
• List of high-risk clients
• List of incidents for that day in order of severity
• Detailed description of the threat that caused the incident
• Possible impact of the incident
• Recommended response for the incident
• Informational events such as disruptive application usage

Location of servers
• San Jose, USA
• Beijing, China
• Tokyo, Japan
• Taipei, Taiwan
• Philippines

What threat information is sent to the cloud?
Threat Discovery Appliance
• Threat log data
  • IP address, hostname, MAC
  • Threat detected
  • Details of the threat
  • Timestamp
• Disruptive application logs
  • IP address, hostname, MAC
  • Application detected
  • Timestamp
Secure transmission channels
• Rsync over SSH
• Rsync over HTTPS

Configuration
• Basic settings
  • TMSP registration
  • Registered Service
  • System time
  • Log upload period
  • Monitor network
• Case 1: only mirror up-link traffic
  • Need to mirror DNS/Proxy port traffic to TDA
  • Register DNS/Proxy IP in Registered Service
  • Register DNS/Proxy IP in the Detection Exclusion List
Guideline for a good TDS test (POC)
• Understand the TDS position and value
  • TDS plays a doctor-like role: through TDA analysis combined with SPN and Trend Micro professional services, TDS completes the incident analysis and provides the solution
• Show the TDS value during the POC process
  • Visible: TDA can find the known/suspicious threats
  • Precision: TDA precisely identifies the infection source and threat type
  • Solution: through SPN correlation analysis and Trend Micro professional services, provide a workable solution
• Keep the POC to a short period of time
  • TDS in 2 weeks

Ideal timeline of a TDS pilot
SE (POC owner):
• Communicate with the customer and feed back the POC status
• Decide the POC finish date
• Generate the POC report
• Use the lightening tool as the clean-up tool
• Apply for account/password
MOC:
• Create account/password
• Provide the daily report and suggestions
• Provide the weekly report and walk through it
• Provide the POC report material to the SE
Milestones on the timeline: D-Day, D+3, D+5, D+8, D+10
TDA receives traffic
If there are no high incidents in the 3-day report, enter the troubleshooting process
TDA Roadmap
Timeline 1Q2009 - 4Q2009: TDA 2.0, TDA 2.0 R7, TDA 2.5; TMSP 1.5, TMSP 2.0, TMSP 2.5
TDA Patch 4 (Q4 08)
• LeakProof 3.1 integration
• Fiber interface support
• Mitigation enhancements
• Outbreak Containment Service (OCS)
• Debug tool for traffic analysis
• User name resolution (Microsoft AD)
• Max 100K concurrent session support
TMSP 1.5 (Q4 08)
• Redesigned UI
• Smart Navigation System
• High Profile Malware Alert (OCS)
• New TLMS reports - SC version
• Customer Portal - SC version
• Abnormal endpoint status

TDA 2.5 feature description
• TDA 2.5 R1
  • Release date: May 27, 2009
  • Major features:
    • Outbreak Containment Services (disconnect network traffic for high-profile malware)
    • Send OCS events to TMSP in real-time mode (HTTPS)
    • Pop up the End User License Agreement during product activation
    • Provide the Setup Guide on the TDA web console
    • New PID (AC) for the service module
    • Increased concurrent session support
    • Threat detection improvement (threat rule 8 for SMB file path)
    • User account name resolution
    • Support for multiple monitored ports (TDA 2.5 supports up to 6 sniffer ports)
• TDA 2.5 R2 for Dell 2950
  • Release date: Aug 24, 2009
  • Major features:
    • HDD RAID1 support
    • Support for a total of 7 data/monitor ports and 1 management port
    • NIC card link status and monitor packet function on the web console
    • Double-byte input support in the UI (7 UI pages)
    • VLAN detection switch (enable/disable; by default the VLAN tag check is ignored)
    • SSH/web login auditing debug log
    • A switch (enable/disable) for hostname queries on host port 137 (enabled by default)
    • Monitor function and link status on the management port
    • Database corruption check and rebuild
    • TMSP HTTP authentication enhancement

TDA next-generation platform: Dell R710
• 9/7 release: TDA 2.5 R2 for the Dell R710 version
A Security Conundrum: Accuracy vs. Response
Must address known and unknown threats.
Trend Micro Focus: High Accuracy Response

Competitive Market Landscape
• Traditional AV (Web, email or endpoint AV): Symantec, McAfee, Microsoft
• IDS/IPS (external threats: DDoS, malformed packets): Cisco, Checkpoint, Juniper, McAfee, IBM ISS
• TDS: malware infection, info-stealing malware, disruptive applications
• SIEMS (Cisco MARS, ArcSight, Q1 Labs): no detection, only correlation; correlates data from other security devices (IDS, firewalls, ...)
Limitations of traditional AV and IDS/IPS:
• Lacks multiprotocol detection
• Cannot detect complex & zero-day threats
• No root cause analysis
• No threat management portal/reports
• Noisy with false alarms
• Need SIEMS for correlation
• Limited application fluency
How to Sell: Selling TMS against IDPS systems
TMS vs. IDPS