Trend Micro Threat Management Solution
Solution Overview
Author: James Payongayong
Contacts: Jai Balasubramaniyan, Paris Trudeau & James Payongayong
Threat Discovery Appliance Hardware Overview
Paramount Q1 2008 - 2
Hardware Overview
Dell 2950
800 Mbps Max Throughput
2 Monitoring ports
2 Management ports
10,000 Max concurrent connections
1 Serial port
Redundant power
Trend Micro Threat Management Solution
Network Deployment
Overall Solution Deployment
Threat Discovery Appliance Deployment
The Threat Discovery Appliance's data port is connected to a mirror port on the core switch, which mirrors the switch port that connects to the firewall.
Deployment
Trend Micro Confidential
Support TAP Installation
Support multi-TDA installation
Asymmetric route and multi-mirror port installation
Trend Micro Threat Management Solution
Threat Discovery Appliance Feature Overview
Threat Discovery Appliance Features
New and known malware detection
Disruptive application detection
Multiprotocol Threat detection
Powered by SPN
Out-of-band deployment
Threat detection engines
The Threat Discovery Appliance uses Network Content Inspection Technology to detect both known and zero-day threats
How does TDA Analyze Network Traffic?
Assemble packets into one stream
Extract embedded files and send to file scanning engines
Extract embedded URLs and perform WRS check
Scan the traffic stream for exploits and network worms
Perform single-session correlation on the traffic stream
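The five steps above describe one per-session inspection pipeline. The following is an added example, not Trend Micro code, that walks a constructed HTTP session through all five steps in miniature: out-of-order and duplicated TCP segments are reassembled into one stream, the body is either handed to a file-scanning stand-in (hash lookup) or mined for URLs that are checked against a reputation stand-in, the whole stream is matched against a pattern rule, and the per-engine findings are correlated into a single session verdict. BAD_HOSTS, KNOWN_BAD_SHA256, STREAM_RULES, the sample sessions and all engine stubs are constructed for the example; the real engines and the Web Reputation Service are not modelled.

```python
"""Added example (not Trend Micro code): a toy per-session inspection pipeline.
Reassemble -> extract files -> extract URLs -> scan stream -> correlate, with
every engine replaced by an offline stand-in so the example runs anywhere."""
import hashlib
import re
from urllib.parse import urlparse

# Constructed stand-ins for the reputation and pattern databases.
BAD_HOSTS = {"bad.example.invalid"}
STREAM_RULES = {"constructed-test-rule": rb"CONSTRUCTED-TEST-PATTERN"}
SAMPLE_BINARY = b"MZ" + b"\x00" * 14 + b"CONSTRUCTED-TEST-PATTERN"  # fake download
KNOWN_BAD_SHA256 = {hashlib.sha256(SAMPLE_BINARY).hexdigest()}


def reassemble(segments):
    """Step 1: order (seq, payload) segments of one TCP direction into a stream.
    Retransmissions and overlaps are trimmed; a gap raises instead of being guessed."""
    stream = bytearray()
    expected = None
    for seq, payload in sorted(segments, key=lambda s: s[0]):
        if expected is None:
            expected = seq
        if seq + len(payload) <= expected:      # full retransmission: drop it
            continue
        if seq > expected:
            raise ValueError(f"missing data at seq {expected}")
        stream += payload[expected - seq:]       # skip the overlapping prefix
        expected = seq + len(payload)
    return bytes(stream)


def parse_http_response(stream):
    """Split a reassembled HTTP response into (status line, headers, body)."""
    head, _, body = stream.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    headers = {}
    for line in lines[1:]:
        k, _, v = line.partition(b":")
        headers[k.strip().lower().decode()] = v.strip().decode()
    return lines[0].decode(), headers, body


def scan_file(data):
    """Step 2 stand-in for the file scanning engines: a hash lookup only."""
    digest = hashlib.sha256(data).hexdigest()
    return {"sha256": digest, "malicious": digest in KNOWN_BAD_SHA256}


URL_RE = re.compile(rb"https?://[^\s\"'<>]+")


def check_url_reputation(url):
    """Step 3 stand-in for the Web Reputation Service: a hostname lookup."""
    host = urlparse(url).hostname or ""
    return "malicious" if host in BAD_HOSTS else "unrated"


def inspect_session(segments):
    """Steps 1-5 for one session; returns the session verdict."""
    stream = reassemble(segments)
    _, headers, body = parse_http_response(stream)
    findings = []
    if headers.get("content-type", "").startswith("text/"):
        for url in URL_RE.findall(body):                # step 3: embedded URLs
            if check_url_reputation(url.decode()) == "malicious":
                findings.append(("bad_url", url.decode()))
    elif body:                                           # step 2: embedded file
        verdict = scan_file(body)
        if verdict["malicious"]:
            findings.append(("bad_file", verdict["sha256"]))
    for name, pattern in STREAM_RULES.items():           # step 4: stream rules
        if re.search(pattern, stream):
            findings.append(("stream_rule", name))
    # Step 5: correlate within the session. Two independent engines agreeing
    # is a stronger signal than either alone.
    kinds = {kind for kind, _ in findings}
    severity = "high" if len(kinds) >= 2 else ("medium" if findings else "none")
    return {"severity": severity, "findings": findings}


# Constructed sample sessions; segments deliberately out of order / duplicated.
HTML = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
        b"<a href=\"http://bad.example.invalid/x.exe\">click</a> "
        b"<a href=\"http://ok.example.invalid/\">home</a>")
SESSION_HTML = [(1, HTML[:20]), (41, HTML[40:]), (21, HTML[20:45]), (1, HTML[:20])]
BIN = (b"HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\n\r\n"
       + SAMPLE_BINARY)
SESSION_BIN = [(100, BIN[:30]), (130, BIN[30:])]

if __name__ == "__main__":
    print(inspect_session(SESSION_HTML))   # one bad URL -> medium
    print(inspect_session(SESSION_BIN))    # bad file + stream rule -> high
```

The reassembly step refuses to guess across gaps, which is the conservative choice for a sensor: a verdict built on a stream with missing bytes can be wrong in either direction. The severity rule is the simplest form of single-session correlation, raising confidence only when independent engines agree.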
Protocol Support
The Threat Discovery Appliance supports all known protocols used by malware, spanning over 80 protocols. TDA uses port-agnostic protocol detection to accurately identify protocols regardless of the port used.
Disruptive Application Support
Besides detecting malicious activity, the Threat Discovery Appliance also detects disruptive applications from the following three major categories -
Trend Micro Threat Management Solution
Threat Management Services Feature Overview
Threat Management Services Features
Advanced in-the-cloud correlation engine
Collaboration with Trend Micro’s Smart Protection Network
Threat Analysis and Reporting
Advanced Threat Correlation
User receives IM with suspicious link
User visits link and downloads suspicious file
User begins sending out IM messages with same link
TMS correlates these separate events to determine that the user has been infected with an IM worm!
Events correlated
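The scenario above is a correlation rule: three events that are individually low-severity become a high-severity incident only when they occur for the same host and the same link, in order, within a short window. The following is an added example, not Trend Micro code, that implements that rule over a constructed event log; the event types, the 30-minute window, the fan-out threshold of two outbound messages and the sample hosts are all assumptions made for the example.

```python
"""Added example (not Trend Micro code): the IM-worm correlation rule from the
slide, applied to a constructed per-session event log."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real telemetry). The types mirror the three
# observations on the slide: link received, link visited/downloaded, link re-sent.
SAMPLE_EVENTS = [
    {"ts": "2008-01-14T09:00:05", "host": "10.0.0.21", "type": "im_link_received",
     "url": "http://example.invalid/pic.exe"},
    {"ts": "2008-01-14T09:01:10", "host": "10.0.0.21", "type": "url_visit",
     "url": "http://example.invalid/pic.exe"},
    {"ts": "2008-01-14T09:01:12", "host": "10.0.0.21", "type": "file_download",
     "url": "http://example.invalid/pic.exe", "sha256": "constructed-placeholder"},
    {"ts": "2008-01-14T09:03:00", "host": "10.0.0.21", "type": "im_link_sent",
     "url": "http://example.invalid/pic.exe", "peer": "bob"},
    {"ts": "2008-01-14T09:03:02", "host": "10.0.0.21", "type": "im_link_sent",
     "url": "http://example.invalid/pic.exe", "peer": "carol"},
    # Received the link but never visited it: no incident.
    {"ts": "2008-01-14T09:00:06", "host": "10.0.0.22", "type": "im_link_received",
     "url": "http://example.invalid/pic.exe"},
    # Sends a link it never received: ordinary chatter, no incident.
    {"ts": "2008-01-14T09:05:00", "host": "10.0.0.23", "type": "im_link_sent",
     "url": "http://example.invalid/news.html", "peer": "dave"},
]

WINDOW_MINUTES = 30  # assumed correlation window
MIN_FANOUT = 2       # assumed: outbound IMs carrying the same link


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def correlate_im_worm(events, window_minutes=WINDOW_MINUTES, min_fanout=MIN_FANOUT):
    """Return one incident per (host, url) whose events match, in order,
    receive -> visit/download -> re-send, all inside the window.

    Each event alone is low severity; the ordered chain is what raises it."""
    window = timedelta(minutes=window_minutes)
    by_key = defaultdict(list)
    for ev in sorted(events, key=_ts):
        by_key[(ev["host"], ev["url"])].append(ev)

    incidents = []
    for (host, url), evs in by_key.items():
        received = [e for e in evs if e["type"] == "im_link_received"]
        if not received:
            continue
        t0 = _ts(received[0])
        in_window = [e for e in evs if t0 <= _ts(e) <= t0 + window]
        visited = [e for e in in_window if e["type"] in ("url_visit", "file_download")]
        if not visited:
            continue
        t_visit = _ts(visited[0])
        resent = [e for e in in_window
                  if e["type"] == "im_link_sent" and _ts(e) > t_visit]
        if len(resent) < min_fanout:
            continue
        incidents.append({
            "host": host,
            "url": url,
            "verdict": "IM worm infection (correlated)",
            "severity": "high",
            "events": [received[0]] + visited + resent,
            "recommended_response": "isolate the host, retrieve the downloaded "
                                    "file for analysis, block the URL",
        })
    return incidents


if __name__ == "__main__":
    for inc in correlate_im_worm(SAMPLE_EVENTS):
        print(inc["host"], inc["verdict"], len(inc["events"]), "events")
```

The ordering constraint (re-sends counted only after the visit) and the fan-out threshold are what keep the rule quiet: a host that merely forwards a link once, or that receives one and ignores it, never produces an incident, while the infected host's full event chain is kept on the incident for the report.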
Business Risk Meters
Risks associated with detected threats
Affected Assets
Threat Statistics
Infection Sources
Trends
Disruptive Applications
Executive Report Details
Groups & Endpoints affected by threats
Malware types found in the network
Sources of malware infection
Trending and comparison data
Disruptive Applications in the network
Daily Report
IT Administrator focused
List of high-risk clients
List of incidents for that day in order of severity
Detailed description of the threat that caused the incident
Possible impact of the incident
Recommended response for the incident
Informational events such as disruptive application usage
Location of servers
Tokyo, Japan
Taipei, Taiwan
San Jose, USA
Beijing, China
Philippines
What threat information is sent to the cloud?
Threat log data
• IP address, hostname, MAC
• Threat detected
• Details of the threat
• Timestamp
Disruptive application logs
• IP address, hostname, MAC
• Application detected
• Timestamp
Threat Discovery Appliance
Rsync over SSH
Rsync over HTTPS
Secure Transmission Channels
Configuration
• Case 1: only mirror up-link traffic
  • Need to mirror DNS/Proxy port traffic to TDA
  • Register the DNS/Proxy IP in Registered Service
  • Register the DNS/Proxy IP in the Detection Exclusion List
• Basic settings
  • TMSP registration
  • Registered Service
  • System time
  • Log upload period
  • Monitor network
Guidelines for a good TDS test (POC)
• Understand the TDS position and value: TDS plays the role of a doctor. Through TDA analysis combined with SPN and Trend Micro professional service, TDS can complete the incident analysis and provide the solution.
• Need to show TDS value during the POC process:
  – Visible: TDA can find known/suspicious threats
  – Precision: TDA precisely identifies the infection source and threat type
  – Solution: through SPN correlation analysis and Trend Micro professionals, provide a workable solution
• Control the POC to a short period of time: TDS in 2 weeks.
Ideal timeline of a TDS pilot
Milestones: D-Day, D+3, D+5, D+8, D+10
TDA receives traffic
Roles: MOC, SE
• Apply for account/PWD
• Create account/PWD
• Provide the daily report and suggestion
• Provide the weekly report and do the weekly report description
• Use the lightening tool as the cleanup tool
• Provide the POC report material to SE
• Decide the POC finish date
• POC owner: communicate with the customer and feed back the POC status
• Generate the POC report
• If there are no high incidents in the 3-day report, enter the troubleshooting process
TDA Roadmap
Quarters: 1Q2009, 2Q2009, 3Q2009, 4Q2009
Releases on the timeline: TDA 2.0, TMSP 1.5, TDA 2.0 R7, TMSP 2.0
TDA Patch 4 (Q4 08)
► LeakProof 3.1 Integration
► Fiber Interface Support
► Mitigation enhancements
TMSP 1.5 (Q4 08)
► Redesigned UI
► Smart Navigation System
TDA 2.5
► Outbreak Containment Service (OCS)
► Debug tool for traffic analysis
► User Name Resolution (Microsoft AD)
► Max 100K Concurrent Session Support
TMSP 2.5
► High Profile Malware Alert (OCS)
► New TLMS Reports - SC version
► Customer Portal - SC version
► Abnormal endpoint Status
TDA 2.5 feature description
TDA 2.5 R1
Release date: May 27, 2009
Major features:
• Outbreak Containment Services (disconnect network traffic for high-profile malware)
• Send OCS events to TMSP in real-time mode (HTTPS)
• Pop up the End User License Agreement during product activation
• Provide the Setup Guide on the TDA web console
• New PID (AC) for the service module
• Enlarged concurrent session support
• Threat detection improvement (threat rule 8 for SMB file path)
• User account name resolution
• Support for multiple monitored ports (TDA 2.5 supports up to 6 sniffer ports)

TDA 2.5 R2 for Dell 2950
Release date: Aug 24, 2009
Major features:
• HDD RAID1 support
• Support for a total of 7 data/monitor ports and 1 management port
• NIC card link status and packet monitoring function on the web console
• Double-byte input support in the UI (7 UI pages)
• VLAN detection switch (enable/disable; by default the VLAN tag check is ignored)
• SSH/Web login auditing debug log
• A switch (enable/disable) for hostname queries on host port 137 (enabled by default)
• Monitoring function and link status on the management port
• Database corruption check and rebuild
• TMSP HTTP authentication enhancement
TDA next generation platform: Dell R710

Spec                 PE 2950 III (current)     PE R710 (future)                   PE R710es (future)
Chipset              Greencreek                Intel                              Intel
Processor            Harperton                 Intel LV                           Intel
Socket               2S                        2S                                 2S
Memory               8 x FBD                   18 x DDR3                          18 x DDR3
DIMM capacity        512MB, 1, 2, 4 GB         1, 2, 4, 8 GB                      1, 2, 4 GB
Slots                3 PCIe or PCI-X           2 PCIe x8 + 2 PCIe x4 G2,          2 PCIe x8 + 2 PCIe x4 G2,
                                               or 1 x16 + 2 x4 G2                 or 1 x16 + 2 x4 G2
HDD                  6x3.5" or 8x2.5"          6x3.5" or 8x2.5"                   8x2.5"
Power supply         Hot plug, redundant       Hot plug, redundant                Hot plug, redundant
LOM                  2 x TOE                   4 x TOE                            4 x TOE
Diagnostic           LCD                       LCD                                LCD
Management           BMC + DRAC 5              iDRAC + AMEA                       iDRAC + AMEA
Persistent storage   Yes, unmanaged            Yes, managed                       Yes, managed
Security             TPM 1.2                   TPM 1.2                            TPM 1.2
Power budget         750 W                     857 W                              598 W

Note: 9/7 release of TDA 2.5 R2 for the Dell R710 version.
TDA/TDVA 2.5 R1 performance/sizing guide

Platform   Throughput (Mbps)   Concurrent connections   Transaction rate   CPU usage                    Memory usage   Detects virus?
TDA        92                  90,000                   ~200               cpu0 < 30%, the rest < 10%   60%            Yes
TDVA       86                  17,500 (*)               ~136               cpu0 < 75%, the rest < 10%   55%            Yes

Platform   Throughput (Mbps)   Concurrent connections   Transaction rate   CPU usage                    Memory usage   Detects virus?
Baseline   672                 10,000                   ~600               -                            -              -
TDA        672                 10,000                   ~600               cpu0 < 70%, the rest < 30%   13%            Yes
TDVA       300                 10,000                   ~281               cpu0 < 50%, the rest < 20%   25%            Yes
Performance report
A Security Conundrum: Accuracy vs. Response
Must address known and unknown threats
Trend Micro Focus: High Accuracy Response
112/04/21 28
Competitive Market Landscape
TDS
• Malware infection
• Info-stealing malware
• Disruptive applications

IDS/IPS (Cisco, Checkpoint, Juniper, McAfee, IBM ISS)
• External threats (DDoS, malformed packets)
• Noisy with false alarms
• Need SIEMs for correlation
• Limited application fluency

SIEMs (Cisco MARS, ArcSight, Q1 Labs)
• No detection, only correlation
• Correlates data from other security devices (IDS, firewalls ..)

Traditional AV (Symantec, McAfee, Microsoft)
• Web, email or endpoint AV
• Lacks multiprotocol detection
• Cannot detect complex & zero-day threats
• No root cause analysis
• No threat management portal/reports
Intrusion detection / prevention systems vs. Trend Micro Threat Management Solution

• IDS/IPS: focused on external threats: malformed packets, protocol violations, buffer overflow, DDoS (perimeter or datacenter threats)
• TMS: focused on internal threats: malware infection, information leaks, disruptive applications (internal network)

• IDS/IPS: noisy with false alarms. 1. Signature based 2. High rate of false alarms 3. Most signatures harmless in isolation.
• TMS: quiet, accurate and actionable. 1. Correlation & root cause analysis 2. Incident analysis review 3. Actionable remediation plan.

• IDS/IPS: misses complex threat vectors. 1. Packet level scan 2. Limited correlation 3. SIMS required for correlation
• TMS: detects complex malware threats. 1. Application & file level scan 2. Advanced heuristics & correlation 3. No SIMS required.

• IDS/IPS: high management costs. 1. Require professional expertise 2. SIMS required for correlation
• TMS: low management cost. 1. Accurate report with remediation solution 2. Register with SPN for correlation
How to Sell: Selling TMS against IDPS systems
TMS vs. IDPS
IDS/IPS
• Position: external attacks; hacker behavior
• Detection: signature based; packet level scan; worms; DDoS/DoS; policy violation: P2P/IM
• Management cost: high: requires expertise; difficult process tuning; high false alarms; requires SIMS for further correlation

TMS
• Position: internal security discovery; malicious behavior
• Detection: anomaly behavior based; application & file level scan, Web Reputation and SPN; worms; virus; policy violation; information-stealing malware detection
• Management cost: low: actionable remediation suggestion; accurate report content; registered with SPN for further correlation analysis
Competitive Advantages
Products compared: McAfee IntruShield, Arbor Networks PeakFlow X, Symantec SIM, Trend Micro Total Discovery
Features compared:
• Non-disruptive deployment
• Real-time analysis
• Known signatures: 3000 / 120,000+
• Correlation
• Network attacks detection
• Policy violation detection
• Information leakage protection
• File-based malware detection
• Automatic threat remediation*
Trend Micro Threat Management Solution
Q & A