Filip Demianiuk, Technical Channel Manager EEUR, Trend Micro. Cisco Expo, Kiev: Layered WEB and MESSAGING security (slide transcript)

  • Filip Demianiuk, Technical Channel Manager EEUR

    Trend Micro, Cisco Expo, Kiev

    Layered WEB and MESSAGING security

  • Copyright 2007 - Trend Micro Inc.

    AGENDA

    § Trend Micro Company Overview

    § Threat Landscape

    § Web Security

    § Messaging Security

    § Cisco / Linksys Alliance


  • Trend Micro Company Overview


    Company Overview

    Founded: United States in 1988
    Headquarters: Tokyo, Japan
    Employees: 3,600+
    Market: Internet Content Security
    2007 Revenue: US $848 Million
    CEO: Eva Chen

    • Operations in more than 50 countries; 9 global R&D centers
    • Tokyo Stock Exchange (4704)


    Internet Content Security Market

    (Diagram: Services, Appliances and Software across four areas of Internet Content Security; four items on the diagram are marked "Partner", i.e. delivered with a partner.)

    Network Security: Firewall/VPN, UTM, NAC
    Web Security: Behavior Monitoring, URL Filtering, Web Reputation, Web Gateway Antivirus
    Email Security: Email Antivirus, Anti-Spam, Email Reputation, Email Server, Encryption, Compliance/Archiving
    Endpoint Security: Client Antivirus, Client Firewall, Client Anti-Spyware, Zero-Day Protection, Encryption, NAC, Data Leak Prevention


    Strategic Partners We’re Working With Today to Deliver More Value to Customers

    (Diagram: partner categories Technology, Consulting, Services, Platform; Strategic Partner)


    Trend Micro Foundation: TrendLabs

    • More than 1,000 threat research, service, and support experts at 10 locations
    • 24/7 operations
    • Real-time alerts for new threats

    TrendLabs helps provide a worldwide platform for delivering timely threat intelligence, service, and support anytime, anywhere.

    Protection requires more than a product… It requires service: timely and expert service.

    Locations: Mexico; New Jersey, USA; Paris, France; Bavaria, Germany; Cork, Ireland; Tokyo, Japan; Taiwan, ROC; Shanghai, China; TrendLabs HQ, Philippines; Lake Forest, USA

  • Threat Landscape


    Threat Environment Evolution to Crimeware

    (Figure: threat complexity rising over time, from Vulnerabilities and Worm/Outbreaks, through Spam and Mass Mailers, Spyware and Intelligent Botnets, to Web Threats and Crimeware.)

    Characteristics listed on the figure:
    • Multi-Vector
    • Multi-Component
    • Web Polymorphic
    • Rapid Variants
    • Single Instance
    • Single Target
    • Regional Attacks
    • Silent, Hidden
    • Hard to Clean
    • Botnet Enabled
    • Information Stealing


    Who is behind this?

    BEFORE: male between 14 and 34 years old; computer „geek”; no girlfriend; need of fame.

    NOW: professional cyber-criminal; need of money:
    • Creating and renting huge botnets made of zombie computers
    • Stealing private and company data
    • Acquiring classified information for ransom
    • Fraudulent profits from advertisements


    Underground Economy

    Asset: Going rate
    • Pay-out for each unique adware installation: 30 cents in the United States, 20 cents in Canada, 10 cents in the UK, 2 cents elsewhere
    • Malware package, basic version: $1,000 – $2,000
    • Malware package with add-on services: varying prices starting at $20
    • Exploit kit rental, 1 hour: $0.99 to $1
    • Exploit kit rental, 2.5 hours: $1.60 to $2
    • Exploit kit rental, 5 hours: $4, may vary
    • Undetected copy of a certain information-stealing Trojan: $80, may vary
    • Distributed Denial of Service attack: $100 per day
    • 10,000 compromised PCs: $1,000
    • Stolen bank account credentials: varying prices starting at $50
    • 1 million freshly-harvested emails (unverified): $8 up, depending on quality

    Sample data from research on the underground digital economy in 2007


    Web threats are any threat that uses the Web to do bad and unwanted things. They:

    • Use the Internet to perform malicious activities
    • Arrive, propagate, deliver payload, and entrench themselves via the Internet
    • Employ blended threats, or combinations of malicious programs and techniques that work together to infect PCs
    • Are installed on a PC without the user’s explicit knowledge or permission and aim to clandestinely carry out their activities

    (Chart: Web Threats: Total Growth Since 2005, quarterly from Q1 2005 to Q1 2007 on a log scale; the cumulative growth figures marked on the chart are 39%, 84%, 138%, 201%, 263%, 328%, 399%, 468% and 540%.)

    Malware for Profit is driving Web Threats


    What is a Web Threat?

    • A Web threat uses the Internet to perform cybercrime
    • Possible components of a Web threat include
      – Internet infection vector (Web, Email, Vulnerabilities, etc.)
      – Host infection via malicious program(s)
      – Updates* and possible propagation via the Internet
      – Hidden payload delivered without user’s knowledge or permission

    *Updates MUST occur for a threat to be considered a Web threat


    Web Threats are real! The Italian Job


    Over 2000 Italian sites infiltrated! IFRAME inserted!
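    The IFRAME injection described on this slide can be spotted in the page source itself. The following is an added example, not code from the presentation or from Trend Micro: it parses a page with the Python standard library and flags iframes that are hidden or sized to nothing, point at a host other than the page's own, or point at a bare IP address. The sample page, its URL and the address 203.0.113.7 are constructed placeholders, not the hosts from the 2007 incident.

```python
"""Added example: flag iframes that look injected into a web page.
Not code from the presentation or from Trend Micro; the sample page, the
page URL and the address 203.0.113.7 are constructed placeholders."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse


class IframeCollector(HTMLParser):
    """Collect the attributes of every <iframe> start tag in the page."""
    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})


_STYLE_SIZE = re.compile(r"(?:width|height):(\d+)")
_BARE_IP = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def is_hidden(attrs):
    """True if the frame is invisible or at most 1px in either dimension."""
    style = attrs.get("style", "").replace(" ", "").lower()
    if "display:none" in style or "visibility:hidden" in style:
        return True
    for dim in ("width", "height"):
        value = attrs.get(dim, "").strip().lower().rstrip("px")
        if value.isdigit() and int(value) <= 1:
            return True
    return any(int(n) <= 1 for n in _STYLE_SIZE.findall(style))


def find_suspicious_iframes(html, page_url):
    """Return [(src, [reasons...])] for iframes worth a second look."""
    page_host = (urlparse(page_url).hostname or "").lower()
    collector = IframeCollector()
    collector.feed(html)
    findings = []
    for frame in collector.iframes:
        src = frame.get("src", "")
        host = (urlparse(src).hostname or "").lower()
        reasons = []
        if is_hidden(frame):
            reasons.append("hidden or zero-sized frame")
        if host and host != page_host and not host.endswith("." + page_host):
            reasons.append("src on third-party host " + host)
        if _BARE_IP.match(host):
            reasons.append("src is a bare IP address")
        if reasons:
            findings.append((src, reasons))
    return findings


# Constructed sample: one legitimate same-site banner frame and one injected,
# invisible frame pointing at an IP address (the pattern from the slides).
SAMPLE_PAGE = """<html><body>
<h1>Benvenuti</h1>
<iframe src="http://www.example-site.it/banner.html" width="468" height="60"></iframe>
<p>Contenuto della pagina</p>
<iframe src="http://203.0.113.7/in.cgi?3" width="0" height="0"
        style="display: none"></iframe>
</body></html>"""


def scan_sample():
    """Run the detector over the constructed page."""
    return find_suspicious_iframes(SAMPLE_PAGE, "http://www.example-site.it/index.html")
```

    On the sample page only the second frame is reported, with all three reasons. In practice the third-party check produces false positives for legitimate embeds (ad networks, video players), so the hidden-frame and bare-IP signals carry more weight than the host mismatch alone.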


    How it works?


    Who’s behind?

    Compromised ISP subnets owned by ARUBA.IT (and Vortech)
    IP Location: Italy
    Resolve Host: *.in-addr.arpa. 10799 IN PTR webx90.aruba.it.
    Blacklist Status: Clear
    Whois Record: OrgName: RIPE Network Coordination Centre; OrgID: RIPE; Address: P.O. Box 10096; City: Amsterdam; StateProv: (none); PostalCode: 1001EB; Country: NL

    IFRAME redirector from compromised site --> HostFresh, HK
    IP Location: Hong Kong, Hostfresh
    Blacklist Status: Clear
    Whois Record: person: Piu Lo; nic-hdl: PL466-AP; e-mail: [email protected]; address: No. 500, Post Office, Tuen Mun, N.T., Hong Kong; phone: +852-35979788; fax-no: +852-24522539; country: HK

    Other downloaded malware from various sites

    Control and monitoring server --> FastServers, Chicago, IL
    IP Location: United States, Chicago, Fastservers Inc
    Resolve Host: TRUMAN.DNSPATHING.COM.
    Blacklist Status: Clear
    Whois Record: OrgName: FastServers, Inc.; OrgID: FASTS-1; Address: 175 W. Jackson Blvd, Suite 1770; City: Chicago; StateProv: IL; PostalCode: 60604; Country: US


    Web Threats


    Nothing is cheap during

    With the exception of malware using the VML vulnerability! Utilizing the vulnerability it downloads a ZLOB variant!


    The Major Threat Vectors are Business Critical

    (Diagram: Internet, Mail Server, Servers/Applications, Storage, Proxy, MTA, DNS, End Point, Off Network.)

    INTERNAL THREATS: Information Leaks, Compliance, Vulnerabilities
    EXTERNAL THREATS: Viruses & Worms, Spyware & Adware, Spam & Phishing
    Entry points: Port 25 (mail), Port 80 (web), Off Network

  • Multi-Layered Web Protection


    What can you learn from a URL?

    Domain name

    Registrar

    Name Servers

    History


    Trend Micro Web Reputation Service

    Web Reputation = Domain Security Rating + URL Filtering + Spam Correlation

    (Diagram: a lookup for http://www.cisco.com/ goes to the Trend Global DNS Network, which consults the Email Reputation Database, the Domain Behaviour Database and URL Filtering / Security Rating data built from Internet zone files and DNS; 3 Billion Hits/Day, 99.999% Availability.)


    Total Web Reputation Data Feeds

    • URL Category Database: restricts employee access to web sites
    • Security Rating: crawls web sites to check for malware and utilizes malware analysis
    • IP Location Check: correlates IP location with URL
    • Anti-Phishing Database: known and suspected phishing URLs
    • Domain Behaviour: provides analysis of ALL top-level domains (TLDs)
    • Email Reputation Service: looks at our RBL database to enable event correlation between spam and web threats


    Trend Micro Web Threat Protection

    (Diagram: threats from the Internet reach the Gateway, the Endpoint and Off Network machines over HTTP and SMTP; each layer applies Reputation, Anti-Spyware, Antivirus, Anti-Spam, Anti-Phishing and Inappropriate Content controls. The Web Threat Protection Backend is TrendLabs and the Malware Knowledge Database plus Email Reputation. Tools and Reports: Trend Micro Control Manager.)

  • Multi-Layered Messaging Security


    The Spam Problem is Increasing

    • Spam: At least 90% of all email is spam [1]
      – Has increased fivefold in the last couple of years [2]
      – Estimated cost of spam in 2007 is $100bn [3]
      – About 40% of spam is image spam [4]
    • Zombies: Approximately 16-25% of computers are zombies [5]
      – Computers that are infected with bot code
      – Hijacked for the hacker’s use
    • Botnets: Networks of zombies send about 80% of spam [6]
      – Harvest address information, launch DDoS attacks, send spam, bot code, and blended threats
      – Optimize distribution based on bandwidth, location, and other attributes
      – Steal the resources of the infected computers and hide the email sender

    Sources: [1], [4], [6] TrendLabs, 3/07. [2] Ferris, The Global Economic Impact of Spam, 2005, February 2005 (other statistics). [3] Ferris Research, “The Cost of Spam, 2007”, 4/07. [5] Weber, Tim, “Criminals ‘May Overwhelm the Web’”, BBC News, 25 January 2007.


    Stop Spam Before it Reaches You

    Manages the Email Reputation Databases

    Blocks spam at the network’s edge, improving the security of the gateway and infrastructure.


    Trend Micro Anti-Spam Technologies

    1. Email Reputation: First Line of Defense
       – Global and dynamic reputation services
       – Blocks up to 80% before entering the network, including zombies
    2. IP Profiler: Customer-Specific Protection
       – Customer-specific reputation services based on company email traffic
       – Firewall against DHA and bounced email attacks
    3. Anti-Spam Composite Engine: Guards Inbox
       – Stops any remaining spam before it enters the inbox
       – Integrates anti-spam technologies, including image spam detection


    Reputation Services: Administrative Console

    Industry-leading insight and control
    • Global spam update
    • Spam reports
    • Spam volume for 100 top ISPs
    • Block lists by country or ISP using easy drop-down menus


    IP Profiler

    Customer-Specific Reputation Services against Spam, Virus, DHA Attacks, Bounced Mail

    Customers set thresholds:
    • Duration monitored
    • Percentage of email threat
    • Total mails for a relevant sample
    • Triggering actions: what happens when these thresholds are met (block temporarily or block permanently)

    Provides customer-specific reputation services by blocking IP addresses that exceed set thresholds, which also keeps threats completely off the network
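    The first two anti-spam layers above, the global Email Reputation lookup and the threshold-driven IP Profiler, as one added example in Python. This is not Trend Micro code and does not talk to Trend Micro's service. A DNSBL check is a DNS A query for the reversed IPv4 octets under the list's zone, with a 127.0.0.x answer meaning "listed"; the profiler keeps a sliding window of connection verdicts per source IP and applies the four thresholds the slide names (duration monitored, minimum sample, threat percentage, triggered action). The zone name dnsbl.example.net, the threshold values and the connection log are constructed placeholders, and each connection's verdict is assumed to come from a downstream scanner.

```python
"""Added example (not Trend Micro code) of the two reputation layers the
slides describe: a global DNSBL lookup as the first line of defence, and a
customer-specific IP profiler that blocks sources whose threat share crosses
a threshold over a monitored window.  The DNSBL zone, thresholds and log
lines are constructed placeholders."""
import ipaddress
from collections import defaultdict, deque

DNSBL_ZONE = "dnsbl.example.net"          # placeholder list zone


def dnsbl_query_name(ip, zone=DNSBL_ZONE):
    """DNSBL lookups are A queries for the reversed IPv4 octets under the
    list zone: 192.0.2.10 -> 10.2.0.192.dnsbl.example.net"""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def dnsbl_listed(answer_ips):
    """Lists answer with a 127.0.0.0/8 address when the IP is listed and
    NXDOMAIN (no A records) when it is not; pass the A records received."""
    listed_net = ipaddress.IPv4Network("127.0.0.0/8")
    return any(ipaddress.IPv4Address(a) in listed_net for a in answer_ips)


THREAT_VERDICTS = {"spam", "virus", "dha", "bounce"}   # what the profiler counts


class IPProfiler:
    """Per-source sliding-window counters with the thresholds the slide lists:
    duration monitored, minimum sample, threat percentage and the action."""

    def __init__(self, window, min_sample, threat_pct, temp_block, perm_pct):
        self.window = window              # seconds of history kept per IP
        self.min_sample = min_sample      # connections needed before judging
        self.threat_pct = threat_pct      # % threats that triggers a temporary block
        self.temp_block = temp_block      # seconds a temporary block lasts
        self.perm_pct = perm_pct          # % threats that triggers a permanent block
        self.events = defaultdict(deque)  # ip -> deque of (ts, is_threat)
        self.blocked = {}                 # ip -> expiry ts, or None if permanent

    def connection(self, ts, ip, verdict):
        """Feed one inbound SMTP connection and return the action taken."""
        if ip in self.blocked:
            expiry = self.blocked[ip]
            if expiry is None or ts < expiry:
                return "reject"           # refused at the edge, never scanned
            del self.blocked[ip]          # temporary block has expired
        history = self.events[ip]
        while history and history[0][0] < ts - self.window:
            history.popleft()             # forget events outside the window
        history.append((ts, verdict in THREAT_VERDICTS))
        if len(history) < self.min_sample:
            return "accept"               # not enough sample to judge
        pct = 100.0 * sum(1 for _, threat in history if threat) / len(history)
        if pct >= self.perm_pct:
            self.blocked[ip] = None
            return "block_perm"
        if pct >= self.threat_pct:
            self.blocked[ip] = ts + self.temp_block
            return "block_temp"
        return "accept"


# Constructed connection log: "<seconds> <source ip> <scanner verdict>"
SAMPLE_LOG = """\
0 198.51.100.5 spam
1 198.51.100.5 spam
2 198.51.100.5 clean
3 198.51.100.5 spam
4 198.51.100.5 spam
5 203.0.113.9 clean
6 203.0.113.9 clean
7 203.0.113.9 clean
8 198.51.100.5 spam
9 192.0.2.77 virus
10 192.0.2.77 virus
11 192.0.2.77 dha
12 192.0.2.77 virus
13 192.0.2.77 virus
14 192.0.2.77 clean
400 198.51.100.5 clean
"""


def run_sample(log=SAMPLE_LOG):
    """Replay the log: 60 s window, 5-connection sample, 60% temporary /
    90% permanent thresholds, 300 s temporary block."""
    profiler = IPProfiler(window=60, min_sample=5, threat_pct=60,
                          temp_block=300, perm_pct=90)
    actions = []
    for line in log.splitlines():
        ts, ip, verdict = line.split()
        actions.append(profiler.connection(int(ts), ip, verdict))
    return actions
```

    Replaying the log, 198.51.100.5 is accepted until its fifth connection completes the sample at 80% threats and earns a temporary block; its next connection at t=8 is rejected without being scanned, and at t=400 the block has expired and the old events have aged out of the window, so it is judged afresh. 192.0.2.77 reaches 100% threats and is blocked permanently. The minimum-sample threshold is what keeps a single bounced message from blocking a legitimate sender; the window is what lets a cleaned-up sender recover.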


    IP Profiler Management

    • Manage currently monitored IP addresses
    • Display logs:
      – Total spam emails
      – Total malicious attempts
      – Total connections
      – Percentage of malicious attempts in the overall number of connections
    • Select IP addresses and permanently or temporarily block them
    • Create global white/black lists for IPs/domains; these apply to both NRS and IP Profiler


    Trend Micro Anti-Spam Engine

    The Trend Micro anti-spam composite engine uses a “cocktail” approach to block both spam and phishing emails:
    – Statistical Analysis
    – Advanced Heuristics
    – Signature Filtering
    – Whitelists/Blacklists
    – Detection for Multiple Languages
    – Patent-Pending Image Spam Detection Technology

    Industry Proven Technology: install base of over 25 million seats over the past four years


    Image Spam Detection

    • Conveys the spam message through an image
    • Not text in the body of the email
    • Approx. 40% of all spam [1]
    • Image spam is 10x larger than a typical text email [1]

    [1] Source: Osterman Research. Image Spam and New Threats Summit Webinar. Conducted on 10 January 2007.
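    The two properties this slide names, the message carried as an image with no real body text and a message far larger than a text mail, are measurable from the MIME structure. The following is an added example, not Trend Micro's engine: it parses a message with the Python standard library, counts readable text characters and image parts, and applies a simple rule. The two messages, the sender addresses and the thresholds are constructed for the example.

```python
"""Added example (not Trend Micro's detection engine): image-spam heuristic
over constructed MIME messages.  Features the slide names: the content is an
image rather than body text, and the message is much larger than text mail."""
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser


def image_spam_features(raw_bytes):
    """Extract the features: readable body text length, number of image
    parts, bytes of image data and total message size."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_bytes)
    feats = {"size": len(raw_bytes), "text_chars": 0, "images": 0, "image_bytes": 0}
    for part in msg.walk():
        if part.is_multipart():
            continue                       # container; only leaves carry content
        ctype = part.get_content_type()
        if ctype.startswith("text/"):
            feats["text_chars"] += len(part.get_content().strip())
        elif ctype.startswith("image/"):
            feats["images"] += 1
            feats["image_bytes"] += len(part.get_payload(decode=True))
    return feats


def looks_like_image_spam(raw_bytes, max_text_chars=80):
    """Image spam: at least one image and (almost) no body text.
    The threshold is this example's own choice, not a product setting."""
    f = image_spam_features(raw_bytes)
    return f["images"] >= 1 and f["text_chars"] <= max_text_chars


def build_message(subject, text, image=None):
    """Constructed sample mail (not a captured message)."""
    m = EmailMessage()
    m["From"] = "sender@example.net"
    m["To"] = "user@example.com"
    m["Subject"] = subject
    m.set_content(text)
    if image is not None:
        m.add_attachment(image, maintype="image", subtype="gif", filename="promo.gif")
    return m.as_bytes()


HAM_TEXT = ("Hi all,\nthe agenda for next week is unchanged; please review the "
            "attached checklist and send comments by Friday.\nThanks, Anna\n") * 3

# Constructed samples: a "spam" whose whole pitch sits in a 4 KB image, and a
# normal text mail of the kind the slide compares it against.
SAMPLE_SPAM = build_message("your order", "see attached", b"GIF89a" + bytes(4000))
SAMPLE_HAM = build_message("Agenda", HAM_TEXT)
```

    Real image spam rotated image contents to defeat hashing, which is why the slide's engine pairs this structural signal with other methods; the structural rule alone would also flag a legitimate mail that is nothing but a photo, so it is a scoring input, not a verdict by itself.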


    Data Privacy and Protection

    Enforce Content Compliance
    • Minimize legal liability
    • Comply with regulations (SOX, HIPAA, …)
    • Support internal messaging standards
    • Prevent data leakage

    • Antivirus stops any malware sent by email that could potentially damage or corrupt data.
    • Anti-phishing helps to prevent the theft of confidential information.
    • Anti-spyware stops the potentially more targeted attacks sent by email which attempt to steal corporate data.
    • Flexible content filtering enables the efficient inspection of messages to ensure that data does not improperly leave the organization.

  • Cisco / Linksys Alliance


    Complementary Security Strategies

    Innovative, complementary marriage of solutions to deliver world-class threat prevention

    Cisco Systems’ Self-Defending Network: Market Leader in Network Security Solutions
    +
    Trend Micro’s Enterprise Protection Strategy: Market Leader in Comprehensive Content Security


    Trend Micro / Cisco All-in-One Gateway Solution for Internet-Related Threats

    Threats: Viruses, Spam, Spyware, Content, Web Threats, Data Leakage, Phishing

    (Diagram: In-the-Cloud Security Services (Email Reputation, URL Filtering) in front of the Gateway Platform; DCS cleans malware on the desktops (Automated Desktop Cleanup); Centralized Management.)

    Solution Benefits: Automatic, Centrally Managed, Integrated, Multilayered security


    Technical overview of the solution: DCS integration with CSC-SSM

    (Diagram: Infected PC, Cisco Catalyst 6500, Cisco ASA 5500 with CSC-SSM, Cisco ISR, DCS Server.)

    1. Infected PC tries to visit phishing site
    2. CSC detects and stops access to phishing site
    3. CSC-SSM triggers DCS cleanup
    4. DCS cleans infected machine using cleanup template
    5. DCS sends cleanup result back to CSC-SSM

    Solution
    ✓ Stops Internet attacks at the perimeter
    ✓ Secures email from threats
    ✓ Blocks transmission to phishing sites
    ✓ Scans for viruses in web mail
    ✓ Protects against loss of confidential information
    ✓ Automatically cleans endpoint of malware


    Technical Overview of the Solution: Centralized Management and Reporting with TMCM

    • Manages Trend Micro security infrastructure, gateway to desktop
      – Manages multiple DCS servers
      – Manages multiple CSC-SSM modules
      – Generates detailed reports

    (Diagram: TMCM-E managing several DCS Servers, the Cisco ASA 5500 CSC-SSM, Cisco ISR, Cisco Catalyst 6500 and the PC & Server Network.)


    How ProtectLink Gateway works
    • Trend Micro ProtectLink Gateway
      – ProtectLink Gateway: protects email and Web traffic at the gateway (spam and URL filtering with Web Reputation)
      – Hosted: In the Cloud | Even Before Your Gateway | No software or hardware to deploy


    Thank You

    Filip Demianiuk, Technical Channel Manager
    [email protected]
    +48 509 310 990
    www.securecloud.com
    www.trendsecure.com

  • АКБ «Укрсоцбанк» (JSCB Ukrsotsbank), Cisco Expo, Kiev

    Experience of implementing Trend Micro solutions


    Tasks of antivirus protection

    • Virus scanning of all information flows in the local network;
    • Organization of multi-layer protection:
      – protection of workstations;
      – protection of servers (file, application, database, terminal);
      – protection of the corporate email system (viruses, spam, phishing);
      – protection of the Internet access node;
      – protection at the network level (firewall);
    • Automatic update system for signatures and the antivirus engine;
    • Ability to roll back updates;
    • Mechanisms for rapid response to threats;
    • Centralized management;
    • Centralized reporting and access to logs;
    • Management of remote users and offices.


    Features

    • Simple installation and subsequent management from a single console;
    • Protection at every point of entry and against all types of threats;
    • Common centralized management of all Trend Micro solutions through a single web console;
    • No licensing of additional software required;
    • Additional unique services included in the solution price: damage cleanup (DCS) and web reputation (web-threat protection);
    • Transparent management of the client update process;
    • Small size of client updates;
    • Updates are checked in advance for compatibility with the OS and third-party applications;
    • Delegation of authority and separation of roles;
    • 70% discount on license renewal;
    • Free migration to new products;
    • New functionality delivered in updates is also free.


    Example of a complete antivirus protection deployment

    (Diagram: Internet, servers, users, DMZ, remote office, mobile users.)

    Users: OfficeScan Corporate
    Servers: ServerProtect Win/Linux, ScanMail Lotus/Exchange
    Internet: InterScan Web SS, InterScan Messaging SS
    Management: Control Manager (with cascading)


    Thank you for your attention