IT-Security Symposium 2018, 24.10.2018 in Stuttgart. Workshop, Trend Micro: "Schatz, wir müssen reden" (Honey, we need to talk). Why security solutions have to be chatty: advantages of a Connected Threat Defense strategy.
Honey, we need to talk! Why security solutions have to chat with each other. Timo Wege, Technical Consultant, Channel SE
Trend Micro: 30 years focused on security software. Headquartered in Japan, listed on the Tokyo Stock Exchange (Nikkei index). 45 of the top 50 companies worldwide are Trend Micro customers. Over 6,000 employees in more than 50 countries. 500,000 enterprise customers and 250+ million protected endpoints, across consumers, small businesses, mid-sized companies and large enterprises.
Product & Security Strategy
Trend Micro
Protection mechanisms that communicate with each other: better, faster protection.
PROTECT: assessment of potential vulnerabilities and proactive protection of endpoints, servers and applications.
DETECT: detection of advanced malware, behaviours and communication that standard security mechanisms do not catch.
RESPOND: rapid response through exchange of threat data and delivery of security updates in real time. Central visibility across the whole environment, plus analysis and assessment of the impact of threats.
Protection techniques in the stack: High-Fidelity Machine Learning, Sandbox Analysis, Antimalware, Antispyware, Personal Firewall, Web Reputation, Host-based IPS, Data Loss Prevention, File Reputation, Behavioral Analysis, Whitelisting Check, Data Encryption, Variant Protection, Exploit Prevention, Census Check, Application Control, Investigation & Forensics (EDR).
How unknown files are handled (legend: known benign files, known malicious files, unknown files). Known benign files are allowed and known malicious files are removed; unknown files pass through successive cross-checks: Web & File Reputation, Exploit Prevention, Application Control, Variant Protection, Pre-execution Machine Learning, Behavioral Analysis and Runtime Machine Learning. Files judged benign are allowed, files judged malicious are removed.
Multi-layered protection, mapped to the stages of an attack:
Arrival (network, email, USB), entry point controls: virtual patching, browser exploit protection, device control, web reputation.
To disk, pre-execution controls: predictive ML, application control, variant protection, file-level signature.
Execution, run-time controls: run-time ML, IOA behavioral analysis, exploit protection.
Noise cancellation across all stages: census (prevalence/maturity) and whitelist check, so rare or new files get more scrutiny and known-good files less.
C&C, lateral movement, exfiltration: web reputation with host IPS, DLP protection, rollback.
Phases of a targeted attack:
1. Information / reconnaissance: the attacker collects information.
2. Point of entry: creating and delivering the attack code.
3. C&C communication: backdoor / connection to the outside.
4. Lateral movement: extending the attack inside the network.
5. Data discovery: collecting data.
6. Data exfiltration: action on objective.
Connected Threat Defense: Deep Discovery
Trend Micro Deep Discovery. Email Inspector: blocks targeted email attacks that could lead to an incident. Inspector: detects and analyses targeted attacks (advanced malware / APT) across your entire network. Analyzer: improves the threat detection of your existing security investments.
Reference Architecture
Endpoint Sensor Demo
Scenario: Control Manager-based investigation of recently detected C&C communications.
1. C&C detection information from Deep Discovery is imported into the Endpoint Sensor investigation app in the Control Manager console.
2. The investigation finds 3 at-risk endpoints.
3. Deeper investigation of the US-HARRRYCRANE case.
4. Optional: OfficeScan and other Trend Micro product logs are also consulted to look for additional suspicious activities.
5. Optional: security policies are updated to reflect the new intelligence.
6. Containment and remediation of all infected endpoints can proceed.
Demo walkthrough (screenshots, 10/22/2018):
1. Start an investigation from Deep Discovery C&C alerts.
2. Select DNS records.
3. Import C&C domain names.
4. Search Endpoint Sensor endpoints for evidence.
5. Results indicate there are 3 at-risk hosts.
6. Drill down on the at-risk hosts.
7. Zoom in on the compromise trail.
8. Switch to the tabular view for details.
9. View additional security threat activities of Harry detected by other Trend Micro products.
10. Review and fortify the security posture.
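The investigation above (import network-side C&C indicators, search endpoint telemetry for contacts, drill down on the at-risk hosts) boils down to indicator matching with a timeline per host. The following is an added example, not Trend Micro code and not the Endpoint Sensor or Deep Discovery data format: the CSV alert export, the endpoint event schema and the host names are all constructed for this example. It also covers an edge case the slides only imply: a beacon to a subdomain of a listed C&C domain must match, a lookalike that merely ends in the same characters must not.

```python
import csv
import io
from collections import defaultdict
from typing import Optional

# Constructed C&C alert export. The column layout is an assumption for this
# example, not the real Deep Discovery export format.
CNC_ALERTS_CSV = """detected_at,indicator_type,indicator,severity
2018-10-22T09:14:03Z,domain,update-check.example-bad.net,high
2018-10-22T09:20:41Z,domain,cdn.telemetry-sync.example,medium
2018-10-22T10:02:17Z,ip,203.0.113.45,high
"""

# Constructed endpoint telemetry (process starts, DNS queries, outbound
# connections). Field names and host names are assumptions for this example.
ENDPOINT_EVENTS = [
    {"ts": "2018-10-22T09:13:50Z", "host": "WS-ALPHA", "proc": "winword.exe",
     "kind": "process", "detail": "powershell.exe -nop -w hidden -enc (base64 payload)"},
    {"ts": "2018-10-22T09:14:03Z", "host": "WS-ALPHA", "proc": "powershell.exe",
     "kind": "dns", "detail": "update-check.example-bad.net"},
    {"ts": "2018-10-22T09:20:41Z", "host": "WS-BETA", "proc": "svchost.exe",
     "kind": "dns", "detail": "a1.cdn.telemetry-sync.example."},      # subdomain, trailing dot
    {"ts": "2018-10-22T10:02:17Z", "host": "WS-GAMMA", "proc": "rundll32.exe",
     "kind": "connect", "detail": "203.0.113.45:443"},
    {"ts": "2018-10-22T10:05:00Z", "host": "WS-DELTA", "proc": "chrome.exe",
     "kind": "dns", "detail": "update-check.example-bad.net.internal.corp"},  # not a subdomain
    {"ts": "2018-10-22T10:06:00Z", "host": "WS-DELTA", "proc": "chrome.exe",
     "kind": "connect", "detail": "203.0.113.46:443"},                       # different IP
]


def normalize_domain(name: str) -> str:
    """Lower-case and strip the trailing dot so 'Foo.Example.' equals 'foo.example'."""
    return name.strip().lower().rstrip(".")


def load_cnc_indicators(csv_text: str) -> dict:
    """Parse the alert export into {'domain': set(...), 'ip': set(...)}."""
    indicators = {"domain": set(), "ip": set()}
    for row in csv.DictReader(io.StringIO(csv_text)):
        kind = row["indicator_type"].strip().lower()
        value = row["indicator"].strip()
        if kind == "domain":
            indicators["domain"].add(normalize_domain(value))
        elif kind == "ip":
            indicators["ip"].add(value)
    return indicators


def domain_matches(query: str, cnc_domains: set) -> Optional[str]:
    """Return the C&C domain that `query` equals or is a subdomain of, else None.
    Matching only on label boundaries ('.' + domain) keeps 'evil-cdn.example'
    from matching 'cdn.example' and 'bad.net.internal.corp' from matching 'bad.net'."""
    q = normalize_domain(query)
    for d in cnc_domains:
        if q == d or q.endswith("." + d):
            return d
    return None


def find_at_risk_hosts(events: list, indicators: dict) -> dict:
    """Return {host: [events that hit a C&C indicator]}; hosts with no hit are absent."""
    hits = defaultdict(list)
    for ev in events:
        matched = None
        if ev["kind"] == "dns":
            matched = domain_matches(ev["detail"], indicators["domain"])
        elif ev["kind"] == "connect":
            ip = ev["detail"].rsplit(":", 1)[0]     # strip the port
            if ip in indicators["ip"]:
                matched = ip
        if matched:
            hits[ev["host"]].append({**ev, "indicator": matched})
    return dict(hits)


def compromise_trail(host: str, events: list, hits: dict) -> list:
    """All events of `host` in time order, each flagged whether it was a C&C hit,
    so the analyst can see what executed before the beacon (the drill-down view)."""
    hit_keys = {(h["ts"], h["detail"]) for h in hits.get(host, [])}
    trail = sorted((e for e in events if e["host"] == host), key=lambda e: e["ts"])
    return [{**e, "hit": (e["ts"], e["detail"]) in hit_keys} for e in trail]


def investigate(csv_text: str, events: list) -> dict:
    """Run the whole workflow: returns {host: trail} for every at-risk host."""
    hits = find_at_risk_hosts(events, load_cnc_indicators(csv_text))
    return {h: compromise_trail(h, events, hits) for h in sorted(hits)}


if __name__ == "__main__":
    for host, trail in investigate(CNC_ALERTS_CSV, ENDPOINT_EVENTS).items():
        print(f"AT RISK: {host}")
        for e in trail:
            flag = "<-- C&C" if e["hit"] else ""
            print(f"  {e['ts']} {e['kind']:8} {e['proc']:16} {e['detail']} {flag}")
```

Three hosts come out at risk (WS-ALPHA, WS-BETA, WS-GAMMA), matching the count in the demo; WS-DELTA stays clean because neither the lookalike domain nor the neighbouring IP is a listed indicator. In a real deployment the CSV and the event list would be replaced by the sensor's own export and query API, and the trail would be the starting point for step 4 of the scenario (correlating with other product logs).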
Connected Threat Defense
Connected Threat Defense: Better, Faster Protection. RESPOND, RAPID RESPONSE:
1. Malware infects an endpoint.
2. Deep Discovery detects the malware.
3. A real-time signature is pushed to the endpoints (logging or blocking).
4. Endpoint Sensor can investigate whether the threat has spread.
Connected Threat Defense: Better, Faster Protection. CENTRALIZED THREAT SHARING AND VISIBILITY (RESPOND). The custom sandbox verdict is distributed through Control Manager to every product family; the indicator types each product exchanges:
ENDPOINT PROTECTION: OfficeScan (URL, File, IP, Action); Endpoint Sensor (IOC, SHA, IP, Domain)
MAIL SECURITY: ScanMail for Exchange (SHA-1, Risk Level); InterScan Mail Security (SHA, Risk Level, IP, Domain)
WEB GATEWAY: InterScan Web Security (URL, File, IP, Action)
HYBRID CLOUD SECURITY: Deep Security (URL, File, Action)
INTRUSION PREVENTION: TippingPoint IPS (URL, File, IP, Domain)
CENTRAL: Control Manager (URL, File, IP, Domain, SHA), fed by the custom sandbox
Connected Threat Defense: Better, Faster Protection. THIRD PARTY SHARING (RESPOND): threat information from network detection and the custom sandbox can be shared with third-party applications such as SIEMs, firewalls, IPS and other applications via a Web API.
NEXT GEN FIREWALL: Check Point, Palo Alto Networks
SIEM: IBM QRadar, HP ArcSight, Splunk, AlienVault
NETWORK IPS: IBM, Blue Coat
Summary
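Sharing the indicator types from the matrix above (URL, IP, domain, SHA-1) with a third-party SIEM or firewall works best in a vendor-neutral format. The block below is an added example and not Trend Micro's Web API or its output format: it turns a constructed list of IOCs into a STIX 2.1 bundle using only the standard library, validating each value before it becomes a pattern so that a malformed hash or a lookalike domain does not silently become a dead rule on the consumer side. The IOC list, the source names and the namespace UUID are assumptions made for this example.

```python
import ipaddress
import json
import re
import uuid
from urllib.parse import urlparse

# Fixed namespace (arbitrary constant chosen for this example) so that re-exporting
# the same IOC yields the same indicator id and the SIEM can deduplicate.
NAMESPACE = uuid.UUID("4d6f1f2a-7c1b-4f6e-9a8d-2e5b3c7d9e01")
DOMAIN_RE = re.compile(r"^(?=.{1,253}$)([a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$")

# Constructed IOCs in the shape a product verdict would carry: type, value,
# risk level, first-seen timestamp and the product that produced it.
SAMPLE_IOCS = [
    {"ioc_type": "domain", "value": "Update-Check.Example-Bad.NET.", "risk_level": "high",
     "seen_at": "2018-10-22T09:14:03Z", "source": "Deep Discovery Inspector"},
    {"ioc_type": "ip", "value": "203.0.113.45", "risk_level": "high",
     "seen_at": "2018-10-22T10:02:17Z", "source": "Deep Discovery Inspector"},
    {"ioc_type": "sha1", "value": "DA39A3EE5E6B4B0D3255BFEF95601890AFD80709", "risk_level": "medium",
     "seen_at": "2018-10-22T10:30:00Z", "source": "Deep Discovery Analyzer"},
    {"ioc_type": "url", "value": "http://cdn.telemetry-sync.example/o'reilly.php", "risk_level": "medium",
     "seen_at": "2018-10-22T10:31:00Z", "source": "Deep Discovery Analyzer"},
]


def _esc(value: str) -> str:
    """STIX pattern string literals escape backslash and single quote with a backslash."""
    return value.replace("\\", "\\\\").replace("'", "\\'")


def stix_pattern(ioc_type: str, value: str) -> str:
    """Map one IOC to a STIX 2.1 comparison expression; raise ValueError on bad input."""
    t = ioc_type.lower()
    v = value.strip()
    if t == "domain":
        v = v.lower().rstrip(".")
        if not DOMAIN_RE.match(v):
            raise ValueError(f"not a valid domain name: {value!r}")
        return f"[domain-name:value = '{_esc(v)}']"
    if t == "ip":
        addr = ipaddress.ip_address(v)            # raises ValueError on garbage
        obj = "ipv4-addr" if addr.version == 4 else "ipv6-addr"
        return f"[{obj}:value = '{addr}']"
    if t in ("sha", "sha1", "sha-1"):
        v = v.lower()
        if not re.fullmatch(r"[0-9a-f]{40}", v):
            raise ValueError(f"not a SHA-1 hex digest: {value!r}")
        return f"[file:hashes.'SHA-1' = '{v}']"
    if t == "url":
        parts = urlparse(v)
        if parts.scheme not in ("http", "https") or not parts.netloc:
            raise ValueError(f"not an http(s) URL: {value!r}")
        return f"[url:value = '{_esc(v)}']"
    raise ValueError(f"unsupported IOC type {ioc_type!r}")


def indicator(ioc_type: str, value: str, risk_level: str, seen_at: str, source: str) -> dict:
    """Build one STIX 2.1 Indicator SDO with a deterministic id derived from the pattern."""
    pattern = stix_pattern(ioc_type, value)
    return {
        "type": "indicator",
        "spec_version": "2.1",
        "id": "indicator--" + str(uuid.uuid5(NAMESPACE, pattern)),
        "created": seen_at,
        "modified": seen_at,
        "name": f"{source}: {ioc_type} {value.strip()}",
        "indicator_types": ["malicious-activity"],
        "pattern": pattern,
        "pattern_type": "stix",
        "valid_from": seen_at,
        "labels": [f"risk-level:{risk_level}"],
    }


def build_bundle(iocs: list) -> dict:
    """Wrap the indicators in a STIX 2.1 Bundle ready to POST to a SIEM or TAXII server."""
    return {"type": "bundle", "id": "bundle--" + str(uuid.uuid4()),
            "objects": [indicator(**i) for i in iocs]}


if __name__ == "__main__":
    print(json.dumps(build_bundle(SAMPLE_IOCS), indent=2))
```

The validation step is where the value lies: the domain is normalised before it becomes a pattern (so the consumer's match is not defeated by case or a trailing dot), the SHA-1 is checked for length and hex alphabet, and the URL's single quote is escaped so the pattern remains parseable. Deterministic ids are a deliberate choice so that a nightly re-export updates rather than duplicates the objects downstream.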
Enterprise Security System overview (Internet edge to workloads):
Network Environments: TippingPoint Appliance, Next Generation IPS (vulnerability shielding, early zero-day protection, IP/DNS/URL reputation, deep packet inspection, SSL inspection, machine learning); Deep Discovery Appliance, Breach Detection (advanced threat & lateral movement detection, monitors over 100 protocols & all ports, custom sandbox analysis, multiple detection techniques, machine learning); Email Gateway.
User Environments: Smart Protection Suites software (anti-malware with behavioral analysis & machine learning, vulnerability protection, application control, content filtering, data loss prevention, endpoint encryption, web gateway, custom sandbox); MS Exchange and MS SharePoint.
Data Center & Cloud Environments: Deep Security (anti-malware with behavioral analysis & machine learning, firewall, software IPS, application control, integrity monitoring, log inspection) for physical, virtual & container workloads, public cloud workloads and storage area network (SAN).
Thank you! Timo Wege, TIMO_WEGE@TRENDMICRO.COM