2. Traditional Security is Insufficient
• Advanced Persistent Threats
• Empowered Employees
• Elastic Perimeter
Trend Micro evaluations find over 90% of enterprise networks contain active malicious malware!
Copyright 2012 Trend Micro Inc.
4. Custom Attacks
• Today’s most dangerous attacks are those targeted directly and specifically at an organization — its people, its systems, its vulnerabilities, its data.
10/9/2012 Confidential | Copyright 2012 Trend Micro Inc. 4
5. Deep Discovery & The Custom Defense
Advanced Threat Protection
• Network Threat Detection: Deep Discovery
6. APT Activity
Specialized Threat Detection Across the Attack Sequence
Malicious Content
• Emails containing embedded document exploits
• Drive-by Downloads
• Zero-day and known malware
Suspect Communication
• C&C communication for any type of malware & bots
• Backdoor activity by attacker
Attack Behavior
• Malware activity: propagation, downloading, spamming . . .
• Attacker activity: scan, brute force, tool downloads.
• Data exfiltration communication
7. Switch of mental approach
• Terrorist Paradox
– We have to win all the time to defend
– They only have to get it right once to win
• Advanced Threats
– Many steps have to execute in turn to steal my data
– I only need to spot one step to thwart them
8. Deep Discovery & The Custom Defense
Advanced Threat Protection
• Network Threat Detection: Deep Discovery
• Attack Analysis & Intelligence
9. Automated Analysis
Analysis funnel, from full bandwidth down to focused investigation:
• Bandwidth
• Live Cloud Lookup
• Advanced Heuristics
• Threat Intelligence
• Sandbox Analysis
• Focused Manual Investigation
• Output to SIEM
10. Deep Discovery Advisor
Threat Intelligence Center
• In-Depth Contextual Analysis including simulation results, asset profiles and additional security events
• Integrated Threat Connect Intelligence included in analysis results
• Enhanced Threat Investigation and Visualization capabilities
• Highly Customizable Dashboard, Reports & Alerts
• Centralized Visibility and Reporting across Deep Discovery Inspector units
Threat Connect Intelligence
11. Deep Discovery & The Custom Defense
Advanced Threat Protection
• Network Threat Detection: Deep Discovery
• Attack Analysis & Intelligence
• Adaptive Security Updates
• Containment & Remediation
12. The Custom Defense
• Specialized Threat Detection at network and protection points
• Deep analysis based on custom sandboxing and relevant global intel
• Custom security blacklists & signatures block further attack
• Context-relevant views & intel guide rapid remediation response
13. The Custom Defense In Action
Advanced Email Protection: InterScan Messaging Security or ScanMail
• Anti-spam
• Anti-phishing
• Web Reputation
• Anti-malware
• Advanced Threat Detection
Deep Discovery Advisor
• Threat Analyzer
• Threat Intelligence Center
• Security Update Server
• Blocking of targeted spear phishing emails and document exploits via custom sandboxing
• Central analysis of detections
• Automated updates of malicious quarantine IP/Domains
• Search & Destroy function
14. So what does that look like in context?
• Outer Perimeter
• Inner Perimeters
• Valuable Server
• Endpoint
15. Deep Discovery
Out of band network data feed of all network traffic
• Simulate, Analyze, Correlate
• Detect Malicious Content and Communication
• Identify Attack Behaviour & Reduce False Positives
Visibility – Real-time Dashboards
Insight – Risk-based Analysis
Action – Remediation Intelligence
16. DeepSecurity
Inner Perimeter for valuable assets
Security for VMs on the Hypervisor:
• Deep Packet Inspection
• Firewall
• Anti-Virus
• Log Inspection
• Integrity Monitoring
Traditional security works against traditional threats. It’s not designed to cope with targeted attacks: partly because they are unique and so harder to spot, and partly because changes in how we use IT, such as cloud and mobile, make the perimeter less effective than it used to be.
But… Don’t throw the baby out with the bath water! Spotting a targeted attack on your network is like finding a needle in a haystack. The way to do it isn’t to start with the biggest haystack possible and throw in lots of pins that look very like needles to confuse the situation. It’s all about filtering. Eliminate standard threats as close to source as you can to make it easier to spot the really clever stuff.
Deep Discovery specialized threat detection focuses on 3 key areas to discover attacks during every phase of activity.
Malicious Content (steps 2,3): Deep Discovery detects zero-day and advanced malware – including document exploits and drive-by downloads – used during the initial compromise or later C&C downloads.
Suspect Communications (step 3): Deep Discovery detects the C&C communications used by modern malware, as well as backdoor manipulations by remote attackers.
Attack Behavior (steps 4,5,6): Deep Discovery detects both malware and hacker network behaviors that indicate propagation, scanning, irregular activity, and suspect data access and transmission.
Today you hear of products that find malware by sandboxing executables or detecting some botnet traffic, but only Deep Discovery identifies the malicious content, communications and behaviors of malware and human attacker activity across all phases of the attack cycle.
We need a switch of mental approach
Centralized management of all deployed Deep Discovery units provides consolidated threat management and enhanced analysis and reporting in a single console.
• Centralized Visibility and Reporting over multiple instances of Deep Discovery
• Enhanced Threat Investigation and Visualization capabilities
• Highly Customizable Dashboard, Reports & Alerts
• Context-based Risk Assessment by enriching events with location and asset severity information
This one shows which bits link to what – need to keep either this one or the previous one but not both.
Can we get this one drawn into the same style as the rest of the deck please. It links to the section of slide 18 that I’ve copied off to the right of the slide. If we can show that linkage that would be great