IT-Security-Symposium 2019 IT -Security im Fokus · Die neue Komplettlösung für den...

Die neue Komplettlösung für den EndpunktschutzÖzgür Isik – Channel Presales Engineer, ApexOne

IT-Security-Symposium 2019I T - S e c u r i t y i m F o k u s

Die neue Komplettlösung für den EndpunktschutzApexOne

Özgür Isik – Channel Presales Engineer

© 2019 Trend Micro Inc.3

Agenda• Architektur von Apex One und Apex One as a Service• Sicherheitsmodule & Services

– iProducts– Endpoint Detection & Response Funktionalitäten– Managed Detection and Response

• Migration und Upgrade– Hybrider Betrieb

• Q&A


Apex One as a Service• Einstieg in das Thema

Copyright 2019 Trend Micro Inc.5

Trend Micro Apex One™


Trend Micro Apex One™

Apex = der höchste Punkt

einer Form[Beste Aussicht,

alles im Blick]


Trend Micro Apex One™“One” ist Teil des Produktnamens und nicht die Version

Apex = der höchste Punkt

einer Form[Beste Aussicht,

alles im Blick]


Wie starte ich mit einer Testlizenz?Trial registrieren:https://www.trendmicro.com/product_trials/service/index/us/165

❹Provision Completed

❸Provision

Flow

❷Trial

Confirmation

❶Trial Form


Testlizenz• Gültigkeit: 30 Tage• Bestandteile des Trials sind:

– Apex Central as a Service– Apex One as a Service

• Data Loss Prevention• Endpoint Application Control• Vulnerability Protection

– Apex One for Mac– Endpoint Sensor– Sandbox as a Service


Start als mit SPE/SPC Lizenz

❺Provision Completed

❹Provision

Flow

❸ClickOpen

Console

❷select

Apex One as a

Service

❶CLP

console


Start mit SPE/SPC Lizenz

Startet den Rollout des Dienstesfür den Kunden


Lizenzinhalt bei SPE/SPC• Apex Central as a Service• Apex One as a Service

– Data Loss Prevention– Endpoint Application Control– Vulnerability Protection

• Apex One for Mac• Add-on:

– Endpoint Sensor– Sandbox as a Service


Apex One as a Service• Architektur


Westeuropa, Amsterdam (Primär)Central US, Iowa (Primär)

East US-2, Virginia (Backup)

Nordeuropa, Dublin (Backup)

1. Europäisches Datacenter für europäische Kunden2. US Datacenter für den Rest der Welt


Management der Lösung• Zwei Server werden provisioniert

– Apex Central– Apex One

• Maximal 4 Datenbanken– Apex Central– Apex One– Endpoint Sensor– Apex One (Mac)


Agent Platform SupportPlatform Support (Agents) XG XG SP1 Apex OneWindows XP (5.1)Windows 7 (6.1)Windows 8 (6.2)Windows 8.1 (6.3) Windows 10 (10.0)Windows Server 2003 (5.2)Windows Server 2008 (6.0)Windows Server 2008 R2 (6.1)Windows Server 2012 (6.2)Windows Server 2012 R2 (6.3) Windows Server 2016 R2 (10) Windows Server 2019


Apex One (on Premise)

Optional:Edge Relay- Verwaltung externer Clients

- Policy- SO Handling- Updates- Logs & Status

Optional:Smart Protection Server Standalone- Webreputation- Filereputation


Module & Neuerungen


Runtime Exit PointEntry point Pre-Execution


Malicious Site

OS Vulnerability Exploit

Browser Exploit

Malicious USB

Web ReputationBlocks connectionsat kernel level (not onlyin web browsers)

Virtual PatchingBlocks new exploits with industry’smost timely vulnerability research

Browser Exploit ProtectionDetects exploits based on scriptInspection & site behavior

Device ControlBlocks unknown removablemedia devices on Windows and Mac OS

Entry Point

Trend Micro ZDI detected 66% of all vulnerabilities in 2017. This powers unmatched timeliness for virtual patches.

!

!


Pre-execution

Packer DetectionIdentifies packed malware in memory as it unpacks, prior to execution

File-based Threate.g. EXE, DLL, OfficeDocument w/ macros

On Disk

Application ControlBlocks execution of anything that isn’t on the (easily manageable) white list

Variant ProtectionDetects mutations of malicious samples by recognizing known fragments of malware code

File-based SignatureDetects known-bad files (with 3 billion detections globally in 1H/2018)

Predictive Machine LearningScores the file against a cloud-based or local/offline model to detect previously unknown threats

In Memory

!

!


Run-timeRuntime Machine LearningScores real-time behavior against a cloud model to detect previously unknown threatsAnything Executing

EXE, DLL, PowerShell,Document behavior inside MS Office, etc. IOA Behavioral Analysis

Detects behavior that matches known indicators of attack (IOA), including ransomware encryption behaviors, script launching

In-memory runtime analysisMalicious script detection, malicious code injection, runtime un-pack detectionIn Memory

!

!


Command andControl Server

Data Exfiltration

LateralMovement

Web ReputationBlocks connections at kernel level

(not only in web browsers)

Host Intrusion PreventionDetects and blocks

of lateral movement behavior

Exit Point

Data Exfiltration DetectionDLP Detects and blocks sensitive

data leaving the endpoint

Device ControlBlocks unknown removable

media devices

!

!

!


IsolationQuarantineProcess killExecution blockDamage rollbackAPI capabilities Rapid response protection updates to other endpoints/products*

Automated Response

*manual


iProducts im Detail


Integrierte VulnerabilityProtection


Begriffsdefinition

Einbruchsicheres Glas Einbruchsicheres Glas

Normales Glas entgegen Ihres WissensVulnerability / SchwachstelleZero Day


Begriffsdefinition

Einbruchsicheres GlasEinbruchsicheres Glas

Normales Glas entgegen Ihres Wissens

Exploit

Vulnerability / SchwachstelleZero Day


Begriffsdefinition

Exploit

Vulnerability / SchwachstelleZero Day

Payload

Einbruchsicheres Glas Einbruchsicheres Glas

Normales Glas entgegen Ihres Wissens


Begriffsdefinition• Vulnerability oder Schwachstelle

– Anfälligkeit gegen Angriffe aufgrund von Mängeln in der Programmierung, Logik, etc.

• Exploit– Eine Methode, in das System einzubrechen, indem eine Schwachstelle

ausgenutzt wird

• Payload– Der Schadcode, der durch den Angriff in das System geschubst wird


Positiv: Inbetriebnahme spielend & kein Risiko


Integriertes ApplicationControl


Applikationskontrolle• User- und Device-basierende Regeln• Allow & Block• Lockdown


Best Practise

• Start with a Block (Assessment) criteria– E.g., Select all categories in Certified Safe Software list

• Assign policy to Apex OneTM Security Agents


Best Practise• Review with the Application Control violation detections manually

– Widget provides an easy-to-filter entry point


Best Practise• Refine criteria and approve recognized software

– Unselect the categories from Certificated Safe Software List– Create Allow Criteria to exempt from screening


Was und wie wird definiert?

• Certified Safe Software List (von Trend Micro)

• Dateipfade• Zertifikate• Hash Werte• Gray Software List (von Trend Micro)• Suspicious Object List (generiert

durch Ihre Systeme wie Sandbox oder EDR)


Regeln bauen

• Vorsicht bei der Regeldefinition!


Integrierter Endpoint Sensor (EDR)

• Was ist der mehrwert?


POST DETECTION

“How did this happen?”

“Who else has been affected?”

“How do I respond?”


Apex Central™ Management Console

• Single console/workflow • Seamless integration of EDR investigation and automated detection/response• Select any detection to investigate


Wer ist noch betroffen???

• Endpoint protection shows detection (in this case there was one)• But were more users impacted before it was “known”?• Select Analyze Impact to sweep for more


Impact Assessment

• Impact assessment found five more undetected instances• Root Cause Analysis begins for all detected users• Users can be isolated at any time


Root Cause Analysis Results


Response Options


PRE DETECTION

“Am I protected?”

“What if…”


Multiple Ways to Hunt for Attacks:

• User Defined Suspicious Objects (UDSO) from Deep Discovery

Supports SHA-1, IP, Domain


Sources of Intelligence to Hunt with:

• User Defined Suspicious Objects (UDSO)

• Open IOC (Indicator of Compromise) or STIXfrom threat feed.

• Customized Criteria:• Host (host name and IP

address are included)• Filename, path, and SHA-1

hash value• User account• Windows auto-run registry• Command lines


Preliminary Assessment:

• Initial assessment based on single multiple search items



• Results with threat intelligence and prevalence





• Generate Root Cause Analysis for further investigation



Root Cause Analysis:



• Generate Root Cause Analysis for further investigation

ManagedDetection and Response


SENSORS

• Apex One™ with integrated Endpoint Sensor

• Deep Discovery Inspector

• Deep Security

• Delivered to management console

• Automated security updates

RESPONSE

Managed Detection and Response

SERVICE PLATFORM

TREND MICRO ANALYSTS

Expert Rules

Threat Intelligence

Machine Learning


US SOCDallas, Texas, USA

EU SOCCork, Ireland

APAC SOCManila, Philippines

US MDR Node Oregon, USA

EU MDR NodeFrankfurt, Germany

MDR Infrastruktur


Migration und Upgrade


Einstellungen migrierenhttps://success.trendmicro.com/solution/1118375-migrating-on-prem-officescan-xg-sp1-or-higher-to-officescan-as-a-service


Migrate to SaaS – Without Control Manager

Sign up forApex One SaaS

12 Export your Policies and import them into Apex One SaaS

OfficeScan XG Server

OfficeScan XGAgent 3 Move your agents to

Apex One SaaS

Apex One SaaS Agent

4 Decommission the OfficeScan XG Server

Apex Central SaaS


Migrate to SaaS – Retiring Control Manager


1OfficeScan XG Server


Apex One SaaS

Apex One SaaS Agent

4 Decommission the OfficeScan XG and Control Manager Servers

Control ManagerServer

2 Export policies and import them into Apex One SaaS

On-premise Control Manager needed for Connected Threat Defense with other Trend Micro software, hardware or services.

Apex Central SaaS


Migrate to SaaS – Keeping Control Manager


1OfficeScan XG Server


Apex One SaaS

Apex One SaaS Agent


Control ManagerServer -> Inplace

Upgrade Apex Central

2 Connect Apex One SaaS to On-Premise Control Manager

On-premise Control Manager needed for Connected Threat Defense with other Trend Micro software, hardware or services.

Apex One SaaS


On-Premise Upgrades


On-Premise Upgrades – In Place

OfficeScan ServerOn-Premise

Control Manager On-Premise

Apex One ServerOn-Premise

Apex CentralOn-Premise

Apex One Agent

Upgrade to Apex Central Server1

It’s always recommended to take backups before performing upgrades.

Upgrade to Apex One Server2 The agent will automatically upgrade*3

*Unless disabled in the configurations. You can use this to slowly roll out agent updates.


On-Premise Upgrades – New Server

InstallApex One Server

12 Export your Policies and import them into Apex One

OfficeScan XG Server


the new server

Apex One Agent


Apex One ServerOn-Premise


TMVP bereits vorhanden? Kein Problem

Apex One AgentEndpoint Sensor AgentVulnerability Protection Agent

Apex OneSaaS

Endpoint Sensor Server

Vulnerability Protection Server

Enable the Feature in Policies

The existing Vulnerability Protection Agent is automatically uninstalled.

IT-Security-Symposium 2019 IT -Security im Fokus · Die neue Komplettlösung für den...

Documents

Transcript of IT-Security-Symposium 2019 IT -Security im Fokus · Die neue Komplettlösung für den...