Trend Micro Threat Management Solution Solution Overview Author: James Payongayong Contacts: Jai Balasubramaniyan, Paris Trudeau & James Payongayong


Trend Micro Threat Management Solution

Solution Overview

Author: James Payongayong

Contacts: Jai Balasubramaniyan, Paris Trudeau & James Payongayong


Threat Discovery Appliance Hardware Overview

Paramount Q1 2008 - 2

Hardware Overview

Dell 2950

800 Mbps Max Throughput

2 Monitoring ports

2 Management ports

10,000 Max concurrent connections

1 Serial port

Redundant power


Trend Micro Threat Management Solution

Network Deployment


Overall Solution Deployment



Threat Discovery Appliance Deployment


The Threat Discovery Appliance's data (monitoring) port is connected to a mirror (SPAN) port on the core switch, and the switch mirrors the port facing the firewall to it, so the appliance sees a copy of all traffic crossing the internal/external boundary. Because it works on a copy, the appliance is out-of-band: it observes but does not sit in the forwarding path.


Deployment

Trend Micro Confidential

Supports network TAP installation (in place of a switch mirror port)

Supports multi-TDA installation

Supports asymmetric routes and installation with multiple mirror ports


Trend Micro Threat Management Solution

Threat Discovery Appliance Feature Overview


Threat Discovery Appliance Features


New and known malware detection

Disruptive application detection

Multiprotocol Threat detection

Powered by the Smart Protection Network (SPN)

Out-of-band deployment


Threat detection engines


The Threat Discovery Appliance uses Network Content Inspection Technology to detect both known and zero-day threats


How does TDA Analyze Network Traffic?


Assemble packets into one stream

Extract embedded files and send to file scanning engines

Extract embedded URLs and perform WRS check

Scan the traffic stream for exploits and network worms

Perform single-session correlation on the traffic stream
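The five steps above, carried through in code. This is an added Python example, not TDA code or anything from Trend Micro: it reassembles out-of-order TCP segments of constructed HTTP sessions, sniffs an embedded file by its leading bytes rather than by Content-Type, pulls URLs out of the body and checks them against a constructed host list that stands in for the Web Reputation Service (WRS), runs one toy exploit rule (a NOP sled) over the whole stream, and folds the results into a single per-session severity. All hostnames, addresses, traffic and the exploit rule are constructed for the demo.

```python
import re
from collections import namedtuple
from urllib.parse import urlparse

Segment = namedtuple("Segment", "seq payload")   # one TCP segment (relative seq, bytes)

def reassemble(segments):
    """Step 1: rebuild one byte stream from out-of-order segments. Retransmissions
    are dropped, overlaps resolved in favour of bytes already copied, and a hole
    raises: scanning a stream with a gap would let a signature split across a
    lost segment pass unseen."""
    stream, expected = bytearray(), None
    for seg in sorted(segments, key=lambda s: s.seq):
        expected = seg.seq if expected is None else expected
        end = seg.seq + len(seg.payload)
        if end <= expected:
            continue                                   # nothing new in this segment
        if seg.seq > expected:
            raise ValueError(f"gap in stream at seq {expected}")
        stream += seg.payload[expected - seg.seq:]     # skip the overlapping prefix
        expected = end
    return bytes(stream)

def parse_http(message):
    """Split an HTTP/1.x message into (start line, lower-cased headers, body)."""
    head, _, body = message.partition(b"\r\n\r\n")
    lines = [l.decode("latin-1") for l in head.split(b"\r\n")]
    headers = {k.strip().lower(): v.strip() for k, _, v in (l.partition(":") for l in lines[1:])}
    return lines[0], headers, body

# Step 2: recognise embedded files by leading bytes, not by the server-chosen Content-Type.
FILE_MAGIC = {b"MZ": "pe", b"PK\x03\x04": "zip", b"%PDF": "pdf"}
# Step 3: URL extraction plus a constructed stand-in for the WRS reputation lookup.
URL_RE = re.compile(rb"https?://[A-Za-z0-9.\-]+(?::\d+)?(?:/[^\s\"'<>]*)?")
BAD_HOSTS = {"update.example-bad.test"}                # constructed, not real WRS data
# Step 4: one toy exploit rule (a NOP sled) to show where stream scanning happens.
EXPLOIT_RULES = {"nop-sled": re.compile(rb"\x90{16,}")}

def sniff_file(body):
    return next((kind for magic, kind in FILE_MAGIC.items() if body.startswith(magic)), None)

def extract_urls(data):
    return sorted({m.decode("latin-1") for m in URL_RE.findall(data)})

def wrs_check(url):
    return "malicious" if urlparse(url).hostname in BAD_HOSTS else "unrated"

def scan_exploits(data):
    return sorted(name for name, rule in EXPLOIT_RULES.items() if rule.search(data))

def correlate(f):
    """Step 5: single-session correlation. Weak signals on their own (an EXE
    download, a link to a bad host) are rated together to one severity."""
    if f["exploit_hits"] or (f["file_type"] == "pe" and f["reputation"] == "malicious"):
        return "high"
    if f["reputation"] == "malicious" or "malicious" in f["embedded_urls"].values():
        return "medium"
    return "low" if f["file_type"] else "none"

def analyze_session(request_segments, response_segments):
    request, response = reassemble(request_segments), reassemble(response_segments)
    req_line, req_headers, _ = parse_http(request)
    _, _, body = parse_http(response)
    url = f"http://{req_headers['host']}{req_line.split(' ')[1]}"
    findings = {
        "url": url,
        "reputation": wrs_check(url),
        "file_type": sniff_file(body),
        "embedded_urls": {u: wrs_check(u) for u in extract_urls(body)},
        "exploit_hits": scan_exploits(request + response),
    }
    findings["severity"] = correlate(findings)
    return findings

def split(data, *cuts):
    """Cut a message at byte offsets into Segments (constructed traffic)."""
    bounds = [0, *cuts, len(data)]
    return [Segment(a, data[a:b]) for a, b in zip(bounds, bounds[1:])]

def sample_sessions():
    """Three constructed HTTP sessions: a page linking to a bad host, an EXE served
    as text/plain from that host, and a request carrying a NOP sled. Responses are
    delivered last-segment-first with the first segment repeated, as a busy LAN might."""
    page_req = b"GET /index.html HTTP/1.1\r\nHost: www.example.org\r\n\r\n"
    page_resp = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
                 b'<a href="http://update.example-bad.test/dl.exe">update</a>'
                 b"<a href='http://www.example.org/about'>about</a>")
    exe_req = b"GET /dl.exe HTTP/1.1\r\nHost: update.example-bad.test\r\n\r\n"
    exe_resp = (b"HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\n\r\n"
                b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00PE\x00\x00")
    sled_req = (b"GET /cgi-bin/x HTTP/1.1\r\nHost: www.example.org\r\nUser-Agent: "
                + b"\x90" * 32 + b"\r\n\r\n")
    ok_resp = b"HTTP/1.1 404 Not Found\r\nContent-Length: 0\r\n\r\n"
    scramble = lambda segs: segs[::-1] + segs[:1]
    return {
        "page": (split(page_req, 10), scramble(split(page_resp, 30, 70))),
        "exe": (split(exe_req, 20), scramble(split(exe_resp, 25, 50))),
        "sled": (split(sled_req, 40), split(ok_resp, 10)),
    }

def analyze_samples():
    """Severity per sample session: page -> medium, exe -> high, sled -> high."""
    return {name: analyze_session(rq, rs)["severity"]
            for name, (rq, rs) in sample_sessions().items()}
```

The gap handling in reassemble is the part worth keeping even in a toy: a sensor that scans around a missing segment is exactly what segment-dropping evasion tools rely on, and the EXE session shows why file typing must come from content rather than from the Content-Type header the attacker's server sets.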


Protocol Support


The Threat Discovery Appliance decodes more than 80 protocols, covering the protocols known to be used by malware. Protocol identification is port-agnostic: TDA recognizes a protocol from the content of the traffic, not from the port number, so HTTP on a non-standard port or a chat protocol tunnelled over port 80 is still identified correctly.
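Port-agnostic identification as an added example (not TDA's protocol engine): five constructed client payloads are classified from their first bytes, and the result is compared with what the destination port alone would have suggested. The SSH-on-443 and IRC-on-80 flows are the cases a port-based view gets wrong; the addresses and payloads are constructed.

```python
# Constructed flows: (client IP, server port, first bytes the client sent).
FLOWS = [
    ("10.1.1.20", 8080, b"GET /update HTTP/1.1\r\nHost: cdn.example.org\r\n\r\n"),
    ("10.1.1.21", 443, b"SSH-2.0-OpenSSH_8.9\r\n"),
    ("10.1.1.22", 80, b"NICK w0rm1234\r\nUSER w0rm 0 * :w0rm\r\nJOIN #cmd\r\n"),
    ("10.1.1.23", 8443, b"\x16\x03\x01\x00\x05\x01\x00\x00\x01\x03"),
    ("10.1.1.24", 4444, b"\x00\x00\x00\x2f\xffSMBr\x00\x00\x00\x00"),
]

# What a port-based classifier (or a firewall rule) assumes.
PORT_TABLE = {22: "ssh", 80: "http", 443: "tls", 445: "smb", 6667: "irc"}
HTTP_METHODS = {b"GET", b"POST", b"HEAD", b"PUT", b"DELETE", b"OPTIONS", b"CONNECT"}


def by_port(port):
    return PORT_TABLE.get(port, "unknown")


def by_content(payload):
    """Identify the application protocol from the bytes on the wire."""
    first_line = payload.split(b"\r\n", 1)[0]
    if payload.startswith(b"SSH-"):                      # SSH version banner
        return "ssh"
    # TLS record header: type 0x16 (handshake), version 3.x, handshake type 1 (ClientHello)
    if len(payload) >= 6 and payload[0] == 0x16 and payload[1] == 0x03 and payload[5] == 0x01:
        return "tls"
    if first_line.split(b" ")[0] in HTTP_METHODS and first_line.endswith((b"HTTP/1.0", b"HTTP/1.1")):
        return "http"
    if first_line.startswith((b"NICK ", b"USER ")) and b"JOIN " in payload:   # IRC registration
        return "irc"
    if payload[4:8] in (b"\xffSMB", b"\xfeSMB"):        # SMB1/SMB2 behind a NetBIOS length prefix
        return "smb"
    return "unknown"


def classify(flows):
    """Per flow: both guesses, and whether a port-based view would have been wrong."""
    result = []
    for client, port, payload in flows:
        port_guess, content_guess = by_port(port), by_content(payload)
        result.append({"client": client, "port": port, "by_port": port_guess,
                       "by_content": content_guess,
                       "mismatch": port_guess != "unknown" and port_guess != content_guess})
    return result


def evasions(flows):
    """Flows where trusting the port would have mislabelled the traffic."""
    return [(f["client"], f["port"], f["by_content"]) for f in classify(flows) if f["mismatch"]]
```

A real engine keeps per-flow state and looks at both directions (a TLS ServerHello, an SMTP greeting), but the principle is the same: the port is a hint the endpoint chose, the payload is evidence.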


Disruptive Application Support


Besides detecting malicious activity, the Threat Discovery Appliance also detects disruptive applications from the following three major categories -


Trend Micro Threat Management Solution

Threat Management Services Feature Overview


Threat Management Services Features


Advanced in-the-cloud correlation engine

Collaboration with Trend Micro’s Smart Protection Network

Threat Analysis and Reporting


Advanced Threat Correlation


1. User receives an IM containing a suspicious link

2. User visits the link and downloads a suspicious file

3. User begins sending IM messages carrying the same link

Events correlated: TMS correlates these separate events to determine that the user has been infected with an IM worm. Any one of these events on its own (a link in a chat message, an executable download) is too common to act on; it is the completed sequence on one host that makes the verdict accurate and actionable.
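The IM-worm chain as an added correlation example (not TMS's engine): a constructed event log for four hosts is walked per host and per link through received, visited, downloaded and re-sent, and only the host that completes the chain gets the infection verdict; a host that merely received the link is reported as exposed, and one that downloaded but never propagated as a suspicious download. The time window (3600 s) and fan-out threshold (2 outbound messages) are assumptions chosen for the demo.

```python
from collections import defaultdict

# Constructed event log: (time in s, host IP, event type, link seen).
LINK = "http://img.example-bad.test/photo.scr"
EVENTS = [
    (100, "10.1.1.20", "im_received", LINK),
    (100, "10.1.1.21", "im_received", LINK),
    (100, "10.1.1.22", "im_received", LINK),
    (130, "10.1.1.20", "url_visited", LINK),
    (131, "10.1.1.20", "file_downloaded", LINK),
    (140, "10.1.1.22", "url_visited", LINK),
    (141, "10.1.1.22", "file_downloaded", LINK),
    (300, "10.1.1.20", "im_sent", LINK),
    (301, "10.1.1.20", "im_sent", LINK),
    (302, "10.1.1.20", "im_sent", LINK),
    (500, "10.1.1.30", "im_sent", "http://intranet.example.org/lunch"),   # ordinary chatter
]

RANK = {"exposed": 1, "downloaded payload": 2, "infected: IM worm": 3}


def correlate_im_worm(events, window=3600, min_fanout=2):
    """Per host and link, walk received -> visited -> downloaded -> re-sent.

    window and min_fanout are assumptions for this demo: the chain must close
    within `window` seconds of the first receipt, and at least `min_fanout`
    outbound messages with the same link are needed before propagation is claimed.
    Returns {host: (verdict, evidence)} for every host that received a link."""
    by_host = defaultdict(list)
    for ev in sorted(events):
        by_host[ev[1]].append(ev)

    verdicts = {}
    for host, evs in by_host.items():
        chains = defaultdict(lambda: {"received": None, "visited": None, "downloaded": None, "sent": []})
        for t, _, kind, link in evs:
            c = chains[link]
            if kind == "im_received" and c["received"] is None:
                c["received"] = t
            elif kind == "url_visited" and c["received"] is not None:
                c["visited"] = t
            elif kind == "file_downloaded" and c["visited"] is not None:
                c["downloaded"] = t
            elif kind == "im_sent" and c["downloaded"] is not None and t - c["received"] <= window:
                c["sent"].append(t)
        best = None
        for link, c in chains.items():
            if c["received"] is None:
                continue                     # link only sent, never received: not this pattern
            if len(c["sent"]) >= min_fanout:
                verdict = "infected: IM worm"
            elif c["downloaded"] is not None:
                verdict = "downloaded payload"
            else:
                verdict = "exposed"
            if best is None or RANK[verdict] > RANK[best[0]]:
                best = (verdict, {"link": link, "received": c["received"],
                                  "downloaded": c["downloaded"], "fanout": len(c["sent"])})
        if best:
            verdicts[host] = best
    return verdicts


def incidents(events):
    """Only the verdicts an analyst should act on, most severe first."""
    v = correlate_im_worm(events)
    return sorted(((h, verdict, ev) for h, (verdict, ev) in v.items() if RANK[verdict] >= 2),
                  key=lambda x: -RANK[x[1]])
```

The evidence dictionary carries the root cause (the link and when it arrived), which is what the daily report needs alongside the verdict: the responder wants to know which host to clean and which URL to block, not just that a rule fired.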


Executive Report Details

Business Risk Meters: risks associated with detected threats

Affected Assets: groups and endpoints affected by threats

Threat Statistics: malware types found in the network

Infection Sources: sources of malware infection

Trends: trending and comparison data

Disruptive Applications: disruptive applications in the network


Daily Report


IT Administrator focused

List of high-risk clients

List of incidents for that day in order of severity

Detailed description of the threat that caused the incident

Possible impact of the incident

Recommended response for the incident

Informational events such as disruptive application usage


Location of servers


Tokyo, Japan

Taipei, Taiwan

San Jose, USA

Beijing, China

Philippines


What threat information is sent to the cloud?


Threat log data
• IP address, hostname, MAC
• Threat detected
• Details of the threat
• Timestamp

Disruptive application logs
• IP address, hostname, MAC
• Application detected
• Timestamp

Secure transmission channels (Threat Discovery Appliance to the cloud)
• Rsync over SSH
• Rsync over HTTPS


Configuration


• Case 1: only the up-link traffic is mirrored. The internal client-to-proxy and client-to-DNS legs are then invisible, and the proxy and DNS server appear as the source of every outbound connection, so:
  • Mirror the DNS and proxy server ports to the TDA as well
  • Register the DNS and proxy IP addresses under Registered Services
  • Add the DNS and proxy IP addresses to the Detection Exclusion List

• Basic settings
  • TMSP registration
  • Registered Services
  • System time
  • Log upload period
  • Monitored network
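Why those three steps matter, shown as an added example that is not TDA's implementation or its configuration format. With only the uplink mirrored, every malicious download is seen with the proxy as its source and every lookup of a bad name with the DNS server as its source; registering the service IPs stops them being blamed, mirroring their ports makes the client leg visible, and the exclusion list stops the service-side copy of each flow from raising a second alert. The topology, addresses and flow records are constructed.

```python
# Constructed topology (assumption): clients reach the internet only through an
# explicit proxy 10.0.0.8:3128 and resolve names via the DNS server 10.0.0.53.
REGISTERED_SERVICES = {"10.0.0.8": "proxy", "10.0.0.53": "dns"}
BAD_HOSTS = {"dl.example-bad.test"}       # stand-in for a reputation verdict

# Flow records, each tagged with the mirror ("tap") it was captured on.
UPLINK_ONLY = [
    {"tap": "uplink", "src": "10.0.0.8", "dst": "203.0.113.9", "dport": 80, "host": "dl.example-bad.test"},
    {"tap": "uplink", "src": "10.0.0.53", "dst": "198.51.100.2", "dport": 53, "host": "dl.example-bad.test"},
]
# The same incident once the proxy and DNS server ports are mirrored too: the
# internal legs become visible, with the real client as source.
WITH_SERVICE_PORTS = UPLINK_ONLY + [
    {"tap": "proxy-port", "src": "10.1.1.20", "dst": "10.0.0.8", "dport": 3128, "host": "dl.example-bad.test"},
    {"tap": "dns-port", "src": "10.1.1.20", "dst": "10.0.0.53", "dport": 53, "host": "dl.example-bad.test"},
]


def attribute(flows, registered=(), excluded=()):
    """Attribute each contact with a bad host to an endpoint.

    registered: IPs known to be servers; traffic *from* them is not evidence
                that the server is infected, so look for the client leg instead.
    excluded:   IPs for which no detection is raised at all.
    Returns the endpoints blamed, how many service flows could not be mapped
    back to a client, and how many were suppressed by the exclusion list."""
    endpoints, unattributed, suppressed = set(), 0, 0
    for f in flows:
        if f["host"] not in BAD_HOSTS:
            continue
        if f["src"] in excluded:
            suppressed += 1
            continue
        if f["src"] not in registered:
            endpoints.add(f["src"])          # an endpoint talked to the bad host
            continue
        clients = {g["src"] for g in flows
                   if g["dst"] == f["src"] and g["host"] == f["host"] and g["src"] not in registered}
        if clients:
            endpoints |= clients
        else:
            unattributed += 1                # service leg only: the service port is not mirrored
    return {"endpoints": sorted(endpoints), "unattributed": unattributed, "suppressed": suppressed}


def scenarios():
    """The four configurations side by side."""
    svc = set(REGISTERED_SERVICES)
    return {
        "uplink, nothing registered": attribute(UPLINK_ONLY),
        "uplink, services registered": attribute(UPLINK_ONLY, registered=svc),
        "service ports mirrored, registered": attribute(WITH_SERVICE_PORTS, registered=svc),
        "mirrored, registered, excluded": attribute(WITH_SERVICE_PORTS, registered=svc, excluded=svc),
    }
```

The first scenario is the one a POC actually runs into: the proxy and the DNS server show up as the most infected hosts in the network, and the report is useless until the service IPs are registered and their ports mirrored.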


Guidelines for a good TDS test (POC)

Understand the position and value of TDS: TDS plays the role of a doctor. Through TDA analysis combined with SPN and Trend Micro professional services, TDS completes the incident analysis and provides the solution.

Show the value of TDS during the POC:
– Visible: TDA finds known and suspicious threats
– Precision: TDA precisely identifies the infection source and the threat type
– Solution: SPN correlation analysis and Trend Micro professionals provide a workable solution

Keep the POC to a short period: TDS in 2 weeks.


Ideal timeline of a TDS pilot

Milestones: D-Day, D+3, D+5, D+8, D+10

Roles: MOC and SE

– TDA receives traffic
– Apply for account/password
– Create account/password
– Provide the daily report and suggestions
– Provide the weekly report and walk the customer through it
– Use the lightening tool as the clean-up tool
– Provide the POC report material to the SE
– Decide the POC finish date
– POC owner: communicate with the customer and feed back the POC status
– Generate the POC report

If the 3-day report contains no high-severity incidents, enter the troubleshooting process.


TDA Roadmap

1Q2009 2Q2009 3Q2009 4Q2009

TDA track
► TDA Patch 4 (Q4 08)
► TDA 2.0
► TDA 2.0 R7: LeakProof 3.1 integration; fiber interface support; mitigation enhancements
► TDA 2.5: Outbreak Containment Service (OCS); debug tool for traffic analysis; user name resolution (Microsoft AD); max 100K concurrent session support

TMSP track
► TMSP 1.5 (Q4 08)
► TMSP 1.5
► TMSP 2.0: redesigned UI; Smart Navigation System
► TMSP 2.5: High Profile Malware Alert (OCS); new TLMS reports (SC version); customer portal (SC version); abnormal endpoint status


TDA 2.5 feature description

TDA 2.5 R1 (release date: May 27, 2009). Major features:
• Outbreak Containment Services (disconnects network traffic for high-profile malware)
• Sends OCS events to TMSP in real time (HTTPS)
• End User License Agreement pop-up during product activation
• Setup Guide on the TDA web console
• New PID (AC) for the service module
• Larger concurrent-session capacity
• Threat detection improvement (threat rule 8 for SMB file paths)
• User account name resolution
• Multiple monitored ports (TDA 2.5 supports up to 6 sniffer ports)

TDA 2.5 R2 for Dell 2950 (release date: Aug 24, 2009). Major features:
• HDD RAID 1 support
• 7 data/monitor ports plus 1 management port in total
• NIC link status and packet monitor function on the web console
• Double-byte character input on 7 UI pages
• VLAN detection switch (enable/disable; by default the VLAN tag check is ignored)
• SSH/web login auditing in the debug log
• Switch (enable/disable) for the NetBIOS hostname query to port 137 on detected hosts (enabled by default; note that this query makes the otherwise passive appliance send packets to monitored hosts)
• Monitor function and link status on the management port
• Database corruption check and rebuild
• TMSP HTTP authentication enhancement


TDA next generation platform: Dell R710

                     Current                  Future                                        Future
                     PE 2950 III              PE R710                                       PE R710es
Chipset              Greencreek               Intel                                         Intel
Processor            Harpertown               Intel LV                                      Intel
Socket               2S                       2S                                            2S
Memory               8 x FBD                  18 x DDR3                                     18 x DDR3
DIMM capacity        512 MB, 1, 2, 4 GB       1, 2, 4, 8 GB                                 1, 2, 4 GB
Slots                3 PCIe or PCI-X          2 PCIe x8 + 2 PCIe x4 G2, or 1 x16 + 2 x4 G2  2 PCIe x8 + 2 PCIe x4 G2, or 1 x16 + 2 x4 G2
HDD                  6 x 3.5" or 8 x 2.5"     6 x 3.5" or 8 x 2.5"                          8 x 2.5"
Power supply         Hot-plug redundant       Hot-plug redundant                            Hot-plug redundant
LOM                  2 x TOE                  4 x TOE                                       4 x TOE
Diagnostic           LCD                      LCD                                           LCD
Management           BMC + DRAC 5             iDRAC + AMEA                                  iDRAC + AMEA
Persistent storage   Yes, unmanaged           Yes, managed                                  Yes, managed
Security             TPM 1.2                  TPM 1.2                                       TPM 1.2
Power budget         750 W                    857 W                                         598 W

1. TDA 2.5 R2 for the Dell R710 was released on 9/7.


TDA/TDVA 2.5 R1 performance/sizing guide

Test 1
          Throughput (Mbps)   Concurrent connections   Transaction rate   CPU usage                    Memory usage   Detects virus?
TDA       92                  90,000                   ~200               cpu0 < 30%, the rest < 10%   60%            Yes
TDVA      86                  17,500 (*)               ~136               cpu0 < 75%, the rest < 10%   55%            Yes

Test 2
          Throughput (Mbps)   Concurrent connections   Transaction rate   CPU usage                    Memory usage   Detects virus?
Baseline  672                 10,000                   ~600
TDA       672                 10,000                   ~600               cpu0 < 70%, the rest < 30%   13%            Yes
TDVA      300                 10,000                   ~281               cpu0 < 50%, the rest < 20%   25%            Yes

Performance report



A Security Conundrum: Accuracy vs. Response

Must address known and unknown threats

Trend Micro Focus: High Accuracy Response


112/04/21 28

Competitive Market Landscape

TDS
• Malware infection
• Info-stealing malware
• Disruptive applications

IDS/IPS (Cisco, Checkpoint, Juniper, McAfee, IBM ISS): external threats (DDoS, malformed packets)
• Noisy with false alarms
• Needs a SIEM for correlation
• Limited application fluency

SIEM (Cisco MARS, ArcSight, Q1 Labs)
• No detection, only correlation
• Correlates data from other security devices (IDS, firewalls, ...)

Traditional AV (Symantec, McAfee, Microsoft): web, email or endpoint AV
• Lacks multiprotocol detection
• Cannot detect complex and zero-day threats
• No root cause analysis
• No threat management portal/reports



Intrusion detection / prevention systems vs. Trend Micro Threat Management Solution

IDS/IPS: focused on external threats (malformed packets, protocol violations, buffer overflows, DDoS; perimeter or datacenter threats)
TMS: focused on internal threats (malware infection, information leaks, disruptive applications; internal network)

IDS/IPS: noisy with false alarms
1. Signature based
2. High rate of false alarms
3. Most signatures are harmless in isolation
TMS: quiet, accurate and actionable
1. Correlation and root cause analysis
2. Incident analysis review
3. Actionable remediation plan

IDS/IPS: misses complex threat vectors
1. Packet-level scan
2. Limited correlation
3. SIM required for correlation
TMS: detects complex malware threats
1. Application- and file-level scan
2. Advanced heuristics and correlation
3. No SIM required

IDS/IPS: high management costs
1. Requires professional expertise
2. SIM required for correlation
TMS: low management cost
1. Accurate report with remediation solution
2. Registered with SPN for correlation

How to Sell: Selling TMS against IDPS systems



TMS vs. IDPS

IDS/IPS
• Position: external attacks; hacker behavior
• Detection: signature based; packet-level scan; worms; DDoS/DoS; policy violation (P2P/IM)
• Management cost: high. Requires expertise; difficult to tune; high false alarms; requires a SIM for further correlation

TMS
• Position: internal security discovery; malicious behavior
• Detection: anomaly/behavior based; application- and file-level scan, Web Reputation and SPN; worms; viruses; policy violations; information-stealing malware detection
• Management cost: low. Actionable remediation suggestions; accurate report content; registered with SPN for further correlation analysis



Competitive Advantages

Products compared: McAfee IntruShield, Arbor Networks PeakFlow X, Symantec SIM, Trend Micro Total Discovery

Features compared:
• Non-disruptive deployment
• Real-time analysis
• Known signatures (3000 vs. 120,000+)
• Correlation
• Network attack detection
• Policy violation detection
• Information leakage protection
• File-based malware detection
• Automatic threat remediation*


Trend Micro Threat Management Solution

Q & A