Threats beyond Imagination - Cutting the Juggernaut
Goh Chee Hoh, Managing Director, Asia South Region, May 2005
Vu Quoc Thanh, CEO, MISOFT
Agenda
• Security Evolution: Challenges on unpredictable threat
• Digital Operation Continuity: Strategy and Solution
• The Technology: Winning Path RoadMap
• The Pioneer: Trend Micro Profile Overview
The Problem: Malware’s Growth
• Malware – More Than Just Viruses and Worms
• New threats detected daily
• New vulnerabilities (Mobile, IM, images, etc.)
• Variants active for years
BOT Versus Worm
• BOTs do not spread uncontrollably like worms; worms spread faster
• BOTs are programs that can be covertly installed on systems
• Usually idle until called upon to perform a particular function
• Hackers, or the “BOT Master”, have remote control over systems installed with BOTs, through an intermediary
• The BOT Master has a motive: malicious intent with profitable gain
BOTNet
• A Botnet is a network of systems installed with BOTs, remotely controlled by a BOT Master
• Can consist of several thousand systems
• The combined bandwidth of 1000 home PCs with an average upstream of 128 KBit/s can offer more than 100 MBit/s: higher than the Internet connection of most organizations
• Can be used for DDoS attacks, spamming, spreading BOTs, phishing
Do we have BOT inside?
• During the Blaster and Sasser worm outbreaks, there were BOTs using the same exploits. Zotob is a newer BOT example.
• Customers didn’t realize they had BOT infections, because BOT Masters tell their BOTs to go quiet after a while
• Corporations only cleaned their worm-infected systems and ignored BOT-infected systems
• Many corporations may have been harboring BOTs for a couple of years
• BOTs get “exploit upgrades” for later vulnerabilities: a new method to infect vulnerable systems!
Review
• File Viruses: Projected Decline
• Worms: Remain Stable at 150 per month
• Spam: Projected Increase
• Phishing: 14,000-15,000 per month with Projected Increase
  - Spear Phishing: Projected Increase
• PhishWare: Remain Stable at 500-700 per month
• GrayWare: 1500-1600 per month with Projected Increase
• Bots: 250-300 per month with Potential for Increase
• Mobile Threats: 15 per quarter with Projected Increase
Reported Infections and Growth Projections
Reported Infections: 9.5 Million in Q1, 12.1 Million in Q2, and 29.5 Million in Q3. 70 percent of all infections occurred in North America. (Chart: reported infections by quarter with projected growth.)
The Problem: Malware’s Growth
The infection count in Asia is rising; Asia is facing a significant threat from cyber attack. (Chart.) Source: Trend Micro, Inc.
The Problem: Malware’s Impact
Global Attacks Cost Billions Each Year
Mobile Threats 2004-2005
(Timeline figure running from 20 June 2004 into July 2005; the individual dates on the slide cannot be matched to names from the extracted text. Legend: Symbian OS (Nokia, etc.) and Windows CE (HP, etc.).)
Threats shown: Cabir, Skulls, Mabir, Cardtrp, Doomed, Comwar, Cardblk, Vlasco, Fontal, Boottoon, Dampig, Qdial, Hobbes, Skudoo, Locknut (Gavno), Drever, Camdesk, Win CE DUTS, Win CE BRADOR
IT Security Trends for 2006 (Information Risk Management Plc, London)
No. 1 new threat in 2006: Crossover Viruses
• Crossover viruses are a product of the mobile age.
• Operating systems such as Symbian are extremely powerful, and this can be leveraged to write a virus (or a means of storing code) that is capable of transferring between a PDA or mobile phone and a laptop or PC, or in the opposite direction.
• Given the lack of anti-virus software on the vast majority of mobile devices, this would appear to be a bigger threat.
• The first crossover virus was detected in September 2005. ‘Cardtrp’ spreads via Bluetooth and MMS (Multimedia Messaging Service). If the phone has a memory card it sends a copy of a Windows virus known as ‘Wukill’ onto the card. When the card is inserted into a PC the virus appears as a legitimate file icon. Once opened, the code installs a backdoor and begins to collect passwords to send out.
• Cardtrp was fairly simple by modern virus standards. Many anti-virus vendors considered it a proof-of-concept exercise. We should expect to see a much more sophisticated level throughout 2006.
Social Engineering and “Phishing”
• How about this email from Citibank asking the recipient to provide personal information?
4th Generation: Network Virus
The time from patch availability to outbreak diminishes:
• NIMDA: patch MS00-078 (Oct 17, 2000), outbreak Sep 18, 2001: 336 days
• SQLP: patch MS02-039 (Jul 24, 2002), outbreak Jan 25, 2003: 185 days
• MSBLAST: patch MS03-026 (Jul 16, 2003), outbreak Aug 11, 2003: 26 days
• SASSER: patch MS04-011 (Apr 13, 2004), outbreak May 1, 2004: 17 days
Network Virus’s Characteristics:
• Uses MS OS vulnerabilities to attack
• Spreads very fast
• No need for users to perform any action; users are simply attacked
Internet Security Threats of Network Viruses:
• Combined and automatic attacking behaviors
• A broader range of potentially infected devices
• POS, ATM, kiosks, etc.: special end-point devices are infected just by being linked to the Internet
(Diagram: CodeRed, NIMDA, SQLP, MSBLAST, NACHI and SASSER plotted against the existing defenses: Enterprise VA, Security Mgt, Intrusion Detection, Fire Wall, DoS Protection, existing AV products, VPN.)
The Pain…
(Images: medical devices, ATM)
The Pain
• New ATMs are moving to Microsoft™ Windows, but Windows is a popular platform for virus authors.
  • Microsoft issued 77 patches for the Windows OS in 2003
  • 42 of them are for Windows XP
  • 7 of them resulted from network virus vulnerabilities
• Supposedly isolated ATM networks have been exposed to network virus attacks
  • 1/2003: Slammer (SQL database attack)
    • Bank of America – 13,000 ATMs shut down because of the attack
    • Canadian Imperial Bank of Commerce (CIBC) also impacted
  • 8/2003: Nachi worm (“Welchia”)
    • Infected two “unnamed” ATM banking networks
Network worms can inhibit business and stop transactions.
Agenda
• Security Evolution: Challenges on unpredictable threat
• Digital Operation Continuity: Strategy and Solution
• The Technology: Winning Path RoadMap
• The Pioneer: Trend Micro Profile Overview
The Strategy
AV security cannot be achieved alone, so you shouldn’t be left alone…
• Understand the principles:
  • Outbreaks are a series of stages – so address them that way
  • Protecting the perimeter is insufficient
  • Must protect where information is flowing
• All network layers:
  • Gateway
  • Servers
  • Applications (e.g. email, messaging)
  • Remote sites
  • Wireless/mobile devices (e.g. laptops, PDAs, cellphones)
The Strategy
• Change the focus:
  • From Prevention only (firewall, IPS) to Threat Lifecycle Management
  • Requires timely updates
    • More than just a “virus pattern update”
    • Information update and solution suggestions
• Change the approach:
  • Secure network information flow
  • Solution must be dynamic
  • Approach must address the Outbreak Management Lifecycle (cycle diagram: Vulnerability Prevention, Outbreak Prevention, Virus Response, Assessment and Restoration)
The Strategy: Trend Micro Enterprise Protection Strategy
(Diagram: Outbreak Management spanning the Application Layer and the Network Layer.)
The Value of EPS
(Chart of cost and effort over the outbreak timeline, from OPS released and policy deployed, through pattern released and pattern deployed, to cleanup, showing the cost and effort EPS can save.)
Architectural Evolution - From the Server to the Network Access Point
(Diagram of the outbreak lifecycle: Vulnerability Prevention, Outbreak Prevention, Virus Response, Assessment and Restoration, with TMCM (Web/MMC) managing and coordinating outbreak security actions, policy management and reporting.)
Threats shown: mass mailer worms, spam, network worms, spyware, Trojans.
Components shown: OfficeScan and PC-cillin on the desktop; SMEX and SP on the eMail and File servers; NVW appliances at the L3 switches; IMSS, SPS, NRS, ISVW and IWSS at the Internet/ISP edge alongside the firewall, VPN, web site and WAN router.
Trend Micro Control Manager™ 3.0
• Centralized Management (Web-based)
• Supports 3000+ managed servers on Windows, UNIX and Linux
• Log collection and reporting
• Service update and delivery platform:
  • Outbreak Prevention Service
  • Damage Cleanup Service
  • Vulnerability Assessment Service
• Centralized Management and configuration for Network VirusWall 1200
• Cascaded Console for greater scalability
OfficeScan Corporate Edition v7.0
Comprehensive security solution designed for the corporate desktop environment.
• Robust security protection against the multiple types of threats facing corporate desktop users
• Powerful web-based management console to coordinate effective security policies and deploy them rapidly
• Accepts and implements Outbreak Policies and Damage Cleanup Templates from Control Manager
• Supports security policy enforcement via Cisco NAC
InterScan Messaging Security Suite
• Comprehensive messaging security at the Enterprise and ISP gateway
• Virus scanning for SMTP / POP-3
• Special mass-mailing virus handling
• Policy-based management enforces corporate email policies
• Integrated Anti-spam database and Content Filtering
• Implements Outbreak Policies for email virus outbreaks
• Supports Heuristic Spam Prevention Solution
InterScan Web Security Suite
• HTTP/FTP/ICAP 1.0 Antivirus scanning
• Web site (URL) filtering (optional)
  • Controls access to unproductive sites (raises employee productivity)
  • Controls access to restricted sites (reduces legal liabilities)
  • Allows use of a pre-approved and/or customizable list of sites
• Manage internet usage
  • Displays employee patterns of web usage
  • Alerts administrators of unusual activity based on historical & current Web usage
  • Allows administrators to implement individual surfing quotas
ScanMail for Microsoft Exchange
• Server-based e-mail virus protection
• Administrator controls and monitors virus activities
• Transparent virus scanning at the server mailbox
• Stops viruses, malicious code, sensitive content and spam in email and shared folders, before they can reach the desktop and spread
• Emergency Attachment Blocking for outbreak situations like Sircam, Nimda, Netsky, Bagle, etc.
• Alerts sender, recipients and administrator when a virus is found
• Microsoft certified for the new Exchange Virus Scan API (Microsoft Exchange 2003)
ServerProtect
ServerProtect efficiently safeguards multiple servers, domains and NAS from virus attack with next-generation antivirus software that can be installed and managed from a single secure console.
• Network OS supported: NT, Win2000, Novell Netware, Linux, Win2003
• Network Attached Storage platforms supported: EMC, Network Appliance
Spam Prevention Solution
• Heuristic Spam filtering engine
• 90 – 95% accuracy with a 1/80,000 false positive rate
• Automatic updates for the Heuristic engine from Trend’s Active Update servers
• Integrated with IMSS 5.5 for ease of implementation
• Increases the Spam catch rate over fingerprint matching alone
• IMSS policy-based framework allows highly granular Spam sensitivity settings
Architectural Evolution
(Diagram: the OSI layers, Application, Presentation, Session, Transport, Network, Data link and Physical, mapped across the Traditional Antivirus Domain, the Collaborative Domain and the Traditional Networking Domain, with Customer Value shown from Past to Future: Analysis Expertise, Policy Creation, Rapid Response, Infrastructure, Policy Enforcement, Traffic Analysis/Mgmt., Transaction.)
Network VirusWall against worm outbreaks and network attacks
In August 2005 the ZOTOB worm attacked by exploiting Microsoft’s MS05-039 security vulnerability (only 5 days after this vulnerability had been publicly disclosed). UTStarcom was one of the many companies attacked by Zotob (UTStarcom is a leading company specializing in IP networking and telecommunications solutions). UTStarcom’s systems are required to be online 24x7. When ZOTOB hit UTStarcom’s network in China, it quickly spread, consuming bandwidth and bringing the system down. The admin team quickly identified the vulnerability and the devices that had been attacked, but could not isolate them to install the patch closing the hole.
UTStarcom had deployed Trend Micro Network VirusWall at 40 sites in China
Outbreak Response
UTStarcom quickly updated its Trend Micro Network VirusWall appliances and used the Control Manager™ system, which centrally manages the Network VirusWall appliances, to configure and carry out the countermeasures against ZOTOB:
• Deploy Automatic Updates to all Network VirusWall appliances network-wide every five minutes, rather than once a day
• Run Trend Micro™ Vulnerability Assessment to scan the entire network and identify vulnerable network segments and PCs without the MS05-039 Service Pack installed
• Quarantine PCs without MS05-039 and block them from accessing the Internet
UTStarcom then patched the system’s vulnerabilities (installing Microsoft’s MS05-039 patch) and used Trend Micro Damage Cleanup Services (a component of Trend Micro Network VirusWall) to scan and clean the machines infected by ZOTOB, along with the leftovers it had dropped on the system.
=> Result: the system was secured.
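The response sequence on this slide (assess which hosts lack the bulletin, quarantine them from the Internet, patch, then clean up) as an added worked example in Python. This is example code written for this page, not UTStarcom's procedure and not Trend Micro's Vulnerability Assessment or Damage Cleanup Services; the scan-report format, host names, segment names and the detection name are constructed for illustration. It also carries the point from the "Do we have BOT inside?" slide: the cleanup scope is every host that was exploitable during the outbreak, not only those where the worm was detected, because a bot installed through the same hole may have gone quiet.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import FrozenSet, Optional

# The bulletin Zotob exploited, as stated on the slides.
REQUIRED_PATCH = "MS05-039"

# Constructed sample: one line per host, in the shape a vulnerability-assessment
# sweep might report (host, network segment, installed bulletins, detection or "-").
# Host and segment names are invented for this example.
SCAN_REPORT = """\
pc-01  cn-office-1  MS05-027,MS05-039  -
pc-02  cn-office-1  MS05-027           WORM_ZOTOB.A
pc-03  cn-office-2  -                  -
pc-04  cn-office-2  MS05-039           WORM_ZOTOB.A
srv-01 cn-dc        MS05-039           -
"""


@dataclass(frozen=True)
class Host:
    name: str
    segment: str
    patches: FrozenSet[str]
    detection: Optional[str]


def parse_report(text: str):
    """Turn the scan report into Host records; '-' means nothing installed / nothing detected."""
    hosts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        name, segment, patches, detection = line.split()
        installed = frozenset(p for p in patches.split(",") if p != "-")
        hosts.append(Host(name, segment, installed, None if detection == "-" else detection))
    return hosts


def is_vulnerable(host: Host, required: str = REQUIRED_PATCH) -> bool:
    """A host stays exposed to the worm while the exploited bulletin is missing."""
    return required not in host.patches


def triage(hosts, required: str = REQUIRED_PATCH):
    """Return the three action lists of the response plan, in the order they are applied:
    quarantine (block from the Internet), patch, cleanup."""
    quarantine = sorted(h.name for h in hosts if is_vulnerable(h, required))
    patch = list(quarantine)  # the same hosts: installing the bulletin is what earns release
    # Cleanup scope is wider than detections alone. A host that was exploitable during the
    # outbreak may carry a bot that has gone quiet, so every vulnerable host is scanned, not
    # only those where the worm signature fired.
    cleanup = sorted(h.name for h in hosts if is_vulnerable(h, required) or h.detection)
    return quarantine, patch, cleanup


def segments_at_risk(hosts, required: str = REQUIRED_PATCH):
    """Count unpatched hosts per network segment, to decide where to isolate first."""
    counts = defaultdict(int)
    for h in hosts:
        if is_vulnerable(h, required):
            counts[h.segment] += 1
    return dict(counts)


def apply_patch(host: Host, bulletin: str = REQUIRED_PATCH) -> Host:
    """Record that a bulletin was installed (Host is immutable, so return a new record)."""
    return Host(host.name, host.segment, host.patches | {bulletin}, host.detection)


def may_release(host: Host, cleaned, required: str = REQUIRED_PATCH) -> bool:
    """A quarantined host returns to the network only once it is both patched and cleaned."""
    return not is_vulnerable(host, required) and host.name in cleaned


if __name__ == "__main__":
    hosts = parse_report(SCAN_REPORT)
    quarantine, patch, cleanup = triage(hosts)
    print("quarantine:", quarantine)              # ['pc-02', 'pc-03']
    print("cleanup:", cleanup)                    # ['pc-02', 'pc-03', 'pc-04']
    print("segments:", segments_at_risk(hosts))   # {'cn-office-1': 1, 'cn-office-2': 1}
```

A host leaves quarantine only when may_release confirms both conditions; patching alone is not enough. Note that pc-04 in the sample is already patched and so is never quarantined under the slide's rule, but its detection still puts it in the cleanup list.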
Agenda
• Security Evolution: Challenges on unpredictable threat
• Digital Operation Continuity: Strategy and Solution
• The Technology: Winning Path RoadMap
• The Pioneer: Trend Micro Profile Overview
Our Approach: The Whole Threat Lifecycle Management
(Cycle diagram with Knowledge and Expertise at the centre:)
• Plan: Antivirus Consultation Service
• Review: Antivirus Review & Audit Service
• Deploy: Antivirus Deployment Service
• Monitor
• Respond: Outbreak Prevention & Damage Cleanup
Where does the Value come from?
In the short term, the benefit shows in the number of virus outbreaks, user downtime and damage severity.
• The benefit is the product of reduced outbreaks, range of impact and downtime
• If each dimension is reduced by 30%, total damage will be reduced by 65%
(Chart: Baseline Damage versus Damage after adopting ESO, along the axes No. of Outbreaks, Range of Impact and Average Downtime.)
Long-Term Value Proposition
In the long term, the benefit comes from the improvement of overall company security.
• When the client organization’s awareness, reaction process and security environment are improved through adopting ESC, the benefit will show as an accelerating decrease in the damage caused by malware
(Illustrative chart of Total Damage over Time: damage for clients without any protection, for clients using AV products, and for clients using products and ESC.)
The Building Blocks
(Diagram of the service structure: Security Infrastructure and Organizational Security Awareness/Behavior on the Customer side; Trend Micro Security Expertise, Customer Service Experience and Knowledge on the provider side; Service Offerings of Products, Consulting Service, Monitoring Service and Premium Support Program; a Service Mechanism with an online real-time monitoring mechanism, 24 x 7 monitoring and service and a Technical Account Manager; Service packaging through Trend Micro Partner and Trend Micro Provider. Today: AV Silver Service.)
Agenda
• Security Evolution: Challenges on unpredictable threat
• Digital Operation Continuity: Strategy and Solution
• The Technology: Winning Path RoadMap
• The Pioneer: Trend Micro Profile Overview
Corporate Fact Sheet: Trend Micro Incorporated
Address: Shinjyuku MAYNDS Tower 27F, 2-1-1 Yoyogi, Shibuya-ku, Tokyo 151-0053, Japan
Founded: 1989, CA, US
Founder: Steve Chang, honored with the “Innovator of the Year” award at the 2004 Asia Business Leader Awards (ABLA)
Capital: 7,396 million yen (as of Dec. 2003)
Traded: Tokyo Stock Exchange (4704), NASDAQ (TMIC)
Business Nature: Antivirus and content security software and services
Number of Employees: 2,496 (as of Dec. 2004)
2004 Revenue: 62.5 billion yen, an increase of 29% from 2003
Q1/2005 Revenue: 17.3 billion yen, an increase of 27% from Q1/2004
Market Value: 620 billion yen (as of Jan 25, 2005)
Trend Micro’s Leadership in the server-based market
Trend Micro has been the global leader* in 3 market segments: Internet Gateway, Mail Server, and File Server-based Virus Protection.
• #1 in the Internet gateway antivirus market for the fifth consecutive year
• #1 in the mail server antivirus market for four years
• #1 in the file server antivirus market
“Trend Micro has for several years now proven themselves to be a substantial player in the antivirus market, having created a niche at the gateway and servers that are now a requirement for other vendors.” – Brian Burke, Senior Research Analyst, IDC
*Based on results in IDC Market Analysis: Worldwide Antivirus 2004-2008 Forecast and 2003 Competitive Shares (August 2004)
The Growing Trend
(Revenue chart in million yen with US dollar equivalents: US$208m, US$241m, US$364m, US$454m, US$587.4m; the years are not recoverable from the extracted slide.)