Trend Micro Vision One

Trend Micro Vision One Mikhail Kondrashin [email protected]

Transcript of Trend Micro Vision One

Page 1: Trend Micro Vision One

Trend Micro Vision One

Mikhail Kondrashin, [email protected]

Page 2: Trend Micro Vision One

Today, the SOC gets siloed insight into endpoints (EDR)… …limited visibility to threats affecting cloud workloads, …a separate siloed view into network events, …and little visibility into email traffic and mailboxes.

(Diagram labels: Branch Office, Security Analyst)

Page 3: Trend Micro Vision One

Generating incomplete, noisy SIEM alerts without any context.

Page 4: Trend Micro Vision One

Attacks don’t stay in silos! Security teams need to piece together what happened.

Page 5: Trend Micro Vision One

© 2021 Trend Micro Inc.

XDR breaks down the silos and instead of noise, tells a story.

Page 6: Trend Micro Vision One

Organizations with XDR…

• Are better protected: suffered half as many successful attacks over the last 12 months
• Detect quicker: 2.2X more likely to detect a data breach / successful attack in a few days or less
• Respond completely: 60% less likely to report that attack re-propagation has been an issue

Source: The XDR Payoff: Better Security Posture, ESG Research, Sep 2020

Page 7: Trend Micro Vision One

See more. Respond Faster.

Page 8: Trend Micro Vision One

Legend: Raw Activity, Known Bad, Suspicious Activity

Extended Detection & Response (XDR):

1. Raw activity telemetry & detection alerts
2. Filtered activity via machine learning, data stacking, and expert rules
3. Correlated detections
4. High Quality Alert: automated response, or manual review/response; alerts to XDR console and/or SIEM

Page 9: Trend Micro Vision One

Carbanak & FIN7: tradecraft and operational flows in two simulated breaches

• Top 3 for visibility & telemetry
• 100% of Linux attacks detected
• Highly enriched telemetry for better investigations

Data Source: MITRE, 2021

(Chart: Visibility vs. Telemetry, 80–100%, for SentinelOne, Palo Alto Networks, Trend Micro, Symantec, CrowdStrike, Microsoft, McAfee)

A complete attack story with visibility and telemetry

Trend Micro is Top 3 for visibility and telemetry across 29 vendors

Organizations want high confidence detection without alert fatigue.

Page 10: Trend Micro Vision One

(Chart repeated from page 9: Visibility vs. Telemetry for the same seven vendors.)

Page 11: Trend Micro Vision One

Each Layer Adds Value

Correlates data from more security controls than typical EDR solutions to tell a more complete story.

Endpoint – most attacks involve users’ devices
• Find threats hidden amongst endpoint telemetry
• What happened within the endpoint? How did it propagate?

Email – 94% of malware
• API integration for inside view
• Who else received this email or a similar threat?
• Are there compromised accounts sending internal phishing emails?

Cloud/Workloads/Containers – critical to business operations
• What happened within the workload?

Network – sees EDR blind spots (unmanaged; legacy, IoT, IIoT)
• How is a threat communicating?
• How is the attacker moving across the organization?

Page 12: Trend Micro Vision One

Let’s see it!

https://www.youtube.com/watch?v=qyIPJ-BaSHg

https://www.youtube.com/watch?v=odGDYzQbe80

Page 13: Trend Micro Vision One


Managed XDR MDR service

Page 14: Trend Micro Vision One

Managed XDR: MDR Service by Trend Experts

• Expert Threat Hunting: cutting-edge techniques with verification and enrichment by threat experts
• 24x7 Monitoring & Detection: continuous monitoring and routine sweeping of endpoint, server, network, and email
• Rapid Investigation and Mitigation: detailed response plan and remote actions through Trend Micro products

Page 15: Trend Micro Vision One

What it Means for the Customer

Events generated by Trend Micro products (which are not actionable but needed for compliance / visibility when investigating)

Standard managed service: distills and prioritizes 50 high severity events which require further investigation by the customer’s Level II/III security analyst

Advanced managed service: Trend Micro security experts investigate each of the 50 events. Through manual and automated means, they were able to run 242 investigations and declared one incident. For that security incident, the service provides threat response and a detailed remediation plan and incident report.

Page 16: Trend Micro Vision One


Zero Trust Secure Access

Page 17: Trend Micro Vision One

Multiple Aspects for Precise Access Control

Identity: User, Device, App

Context: Schedule, Geolocation, Device posture (Browser version, Firewall status, Anti-malware status)

Risk: Account compromise, Vulnerability detection, Anomaly detection, Cloud app activity, XDR detection, Threat detection

Page 18: Trend Micro Vision One

Zero Trust Secure Access

How Private Access Works

1. Connector Registration
2. Tunnel Registration
3. User Authentication
4. External IdP Authentication
5. Access rule deployment
6. Authorized APP list
7. Agent outgoing connection
8. Connector outgoing connection
9. Cloud Stitched virtual connection

(Diagram labels: Replay Points, Vision One – Zero Trust, Relay Service, Controller, Zero Trust Secure Access Cloud)

Page 19: Trend Micro Vision One


Why Trend Micro Vision One?

Page 20: Trend Micro Vision One

How is it different from other approaches?

Capability | Trend Micro XDR | Vendor-to-Vendor partnership | SOAR / SIEM
Sharing of IOCs between layers for sweeping | Yes | Yes | Yes
Correlated detection of low confidence events across layers | Yes | No | Partial
Deep understanding of all data generated by layers | Yes | No | No
Integrated investigations in one console | Yes | No | Partial
Integrated response actions across layers | Yes | No | Yes

Page 21: Trend Micro Vision One


Customers Experience with XDR

“The way XDR allows me to drill down is amazing. It literally paints a picture in front of you.”

“It is easier for my team to explain the attack and go through the sequence of events; we aren’t breaking things down in all the different tools; it’s like reading a book. Easier to digest.”

“ROI is huge.”

Page 22: Trend Micro Vision One

ESG Economic Validation Report: Analyzing the Economic Benefits of Trend Micro Vision One

“I estimate it would be 5x to 6x more expensive if we tried to use our own employees and less effective at the same time.” ― Cybersecurity Administrator, local government agency re: Trend Managed XDR service

“Our overall product spend has gone down almost 50% when you look at all of the products that Trend Micro has replaced.” ― CISO, hospitality industry

ESG created an economic model: organizations save 63% when comparing ad-hoc systems with Trend Micro Vision One.

https://resources.trendmicro.com/ESG-Economic-Validation-Report.html

Page 23: Trend Micro Vision One

The Power of XDR: Company with 1000 devices in a 24-hr period

• Raw logs processed by the engine: 137 M
• Logs identified as valuable to analyze: 40 M
• Detection logs (similar to what is typically sent to a SIEM): 95 K
• Filter hits (1st round of analytics identifying suspicious activity): 33 K
• XDR detection model hits – high confidence workbenches (includes multiple alerts correlated to a single detection & view): 3

What would it mean to you to go from searching through 95k detection logs in 24 hours to investigating 3 high confidence alerts?

Page 24: Trend Micro Vision One


Correlation is critical, but not possible without XDR

Source: The XDR Payoff: Better Security Posture, ESG Research, Sep 2020

Page 25: Trend Micro Vision One


A Leader in the Forrester Wave™

“Trend Micro delivers XDR functionality that can be impactful today.” – The Forrester Wave™: Enterprise Detection and Response, Q1 2020

Page 26: Trend Micro Vision One

A Leader in 4 Key XDR Building Blocks: Cloud, Endpoint, Email, Detection & Response

The Forrester Wave™: Enterprise Detection and Response, Q1 2020

The Forrester Wave™: Endpoint Security Suites, Q2 2021

The Forrester Wave™: Enterprise Email Security, Q2 2021

The Forrester Wave™: Cloud Workload Security, Q4 2019

“The Forrester Wave™ is copyrighted by Forrester Research, Inc. Forrester and Forrester Wave are trademarks of Forrester Research, Inc. The Forrester Wave is a graphical representation of Forrester's call on a market and is plotted using a detailed spreadsheet with exposed scores, weightings, and comments. Forrester does not endorse any vendor, product, or service depicted in the Forrester Wave. Information is based on best available resources. Opinions reflect judgment at the time and are subject to change.”

Page 27: Trend Micro Vision One

Why Trend Micro Vision One?

1. Purpose-built solution with deep integration into native sensors
2. Trend Micro Threat Research powered threat analytics and automatic IoC sweeping
3. Distinctive data sources
   • Email – visibility + response by integrating at the application layer
   • Cloud – breadth and timeliness of Linux support (CentOS, Red Hat, Oracle, CloudLinux, SUSE, Amazon, Debian, Ubuntu)
4. Additional Risk Insights: Trend Micro discovered over half the disclosed vulnerabilities in 2019

Page 28: Trend Micro Vision One

See more. Respond Faster.

Page 29: Trend Micro Vision One


Thank you!

Page 30: Trend Micro Vision One

Q&A

Mikhail Kondrashin, [email protected]

Page 31: Trend Micro Vision One


How is XDR different from SIEM? EDR?

Page 32: Trend Micro Vision One

SIEM (Security Information and Event Management): security alerts (but not all events)

Email opened → Phishing Word doc opened → PowerShell launched → Command & Control check-in → AWS Credentials Accessed → New container created → Lateral movement to container

Page 33: Trend Micro Vision One

SIEM (Security Information and Event Management)

EDR (Endpoint Detection & Response): collecting all endpoint activity, not just alerts

Email opened → Phishing Word doc opened → PowerShell launched → Command & Control check-in → AWS Credentials Accessed → New container created → Lateral movement to container

Page 34: Trend Micro Vision One

SIEM (Security Information and Event Management)

XDR (with cloud data lake collecting all activity): fewer, higher-fidelity alerts that tell a story

Email opened → Phishing Word doc opened → PowerShell launched → Command & Control check-in → AWS Credentials Compromised → New container created → Lateral movement to container
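The three views from the last slides as an added example (not Trend Micro code): the same constructed event chain, with assumed entity names and confidence scores, seen as a SIEM alert feed, as endpoint-only EDR telemetry, and as one XDR story stitched across email, endpoint and cloud by the entities the events share.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class Event:
    ts: datetime
    layer: str           # "email", "endpoint" or "cloud" (assumed layer names)
    action: str
    entities: frozenset  # identifiers the event touches: user, host, credential, container
    score: int           # per-event confidence, low on its own (assumed values)

T0 = datetime(2021, 6, 1, 9, 0)
EVENTS = [  # constructed sample telemetry following the slide's chain, not real data
    Event(T0, "email", "Email opened", frozenset({"user:alice", "msg:1001"}), 1),
    Event(T0 + timedelta(minutes=1), "endpoint", "Phishing Word doc opened", frozenset({"user:alice", "host:WS-17"}), 2),
    Event(T0 + timedelta(minutes=2), "endpoint", "PowerShell launched", frozenset({"host:WS-17"}), 3),
    Event(T0 + timedelta(minutes=3), "endpoint", "Command & Control check-in", frozenset({"host:WS-17"}), 5),
    Event(T0 + timedelta(minutes=5), "endpoint", "PowerShell launched", frozenset({"host:WS-02"}), 3),  # unrelated noise
    Event(T0 + timedelta(minutes=10), "endpoint", "AWS credentials accessed", frozenset({"host:WS-17", "cred:aws-key-1"}), 3),
    Event(T0 + timedelta(minutes=12), "cloud", "New container created", frozenset({"cred:aws-key-1", "container:c-42"}), 2),
    Event(T0 + timedelta(minutes=14), "cloud", "Lateral movement to container", frozenset({"container:c-42", "host:WS-17"}), 4),
]

def siem_view(events, min_score=5):
    """SIEM: only events that already qualify as alerts; the rest never arrive."""
    return [e.action for e in events if e.score >= min_score]

def edr_view(events):
    """EDR: every endpoint event, alert or not, but nothing from email or cloud."""
    return [e.action for e in sorted(events, key=lambda e: e.ts) if e.layer == "endpoint"]

def correlate(events, window=timedelta(hours=1), threshold=10):
    """Chain events that share an entity (transitively) within the window and
    keep only chains whose summed score crosses the threshold."""
    chains = []  # each chain: {"events": [...], "entities": set()}
    for ev in sorted(events, key=lambda e: e.ts):
        chain = next((c for c in chains if ev.entities & c["entities"]
                      and ev.ts - c["events"][-1].ts <= window), None)
        if chain is None:
            chain = {"events": [], "entities": set()}
            chains.append(chain)
        chain["events"].append(ev)
        chain["entities"] |= ev.entities
    return [c for c in chains if sum(e.score for e in c["events"]) >= threshold]

def xdr_view(events):
    """XDR: one story per correlated chain, spanning email, endpoint and cloud."""
    return [[e.action for e in c["events"]] for c in correlate(events)]
```

The lone PowerShell launch on WS-02 never reaches the threshold, so it stays noise rather than becoming a second alert.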

Page 35: Trend Micro Vision One

Splunk Add-on – Connector pulls Trend Micro XDR logs and writes them into the Splunk database

Splunk pulls detection alerts from Trend Micro Vision One as detections occur.

Page 36: Trend Micro Vision One

Splunk add-on UI

Click this zone and you get into the log view. Click Open XDR Console to access a Workbench.

Page 37: Trend Micro Vision One

Splunk Log View with Workbench Data

The affected entities will help the Splunk analyst to correlate XDR alerts with other Splunk data.

Page 38: Trend Micro Vision One

Click on a Trend alert within the Splunk console and go directly to the associated workbench in Trend Micro Vision One for further visibility, investigation and response.

Triage alerts from Splunk, and examine further within XDR workbench

Page 39: Trend Micro Vision One

Complementary Value:

• Fits in within existing SIEM workflow
• Receive correlated, high-fidelity alerts
• Helps with triaging and narrowing down to the events that need attention and escalating
• Enables analysts to be more efficient

https://automation.trendmicro.com/xdr/home

Page 40: Trend Micro Vision One


Additional information on each XDR layer

Page 41: Trend Micro Vision One

Why add XDR to your Endpoints?

Most attacks cross endpoints during their lifecycle.

Detect: Security analytics finds threats hidden amongst endpoint telemetry. IOC sweeping.
Investigate: What happened within the endpoint? How did it propagate? What tactics/techniques are used?
Respond: Isolate, stop process, delete/restore files.

Activity Data: Processes, Executed Commands, Network Connections, Files Created/Accessed, Registry Modifications

Going further with other XDR layers: Where did the threat originate? Where else is this threat in my network, workloads, email?

Page 42: Trend Micro Vision One

Why Extend XDR to Email?

Detect: Are there compromised accounts sending internal phishing emails? IOC sweeping of mailboxes.
Investigate: Who else received this email / threat?
Respond: Quarantine email, delete email.

Activity Data: Message Metadata (external + internal email), Attachment Metadata, External Links, User Activity (i.e. logins)

Malware Infection Source: 94% Email (Source: Verizon Data Breach Investigations Report, May 2019)

Page 43: Trend Micro Vision One

Why XDR for Cloud/Server Workloads?

SIEM alert shown on the slide – Log Inspection Alert: Possible attack on the SSH Server (or version gathering). Source: 3.211.84.114

Alerts don’t tell the whole story. This is likely one step of many… What’s the bigger picture? Was the attacker successful?

Detect: high-fidelity detections correlated from different security controls and activities to tell a whole story. IOC sweeping.
Investigate: Full visibility of activities helps answer: What happened within the workload? How did it propagate?

Activity Data: User Account Activity, Processes, Executed Commands, Network Connections, Files Created/Accessed, Registry Modifications

Page 44: Trend Micro Vision One

Cloud One – Workload Security: Sensing, Investigation & Response

Workloads – broader detection

Environments: Virtual, Data Center, Containers, Cloud

Platforms: Telemetry Data → Analysis → XDR / Managed XDR

Telemetry Data:
• Host activities: Process, File, Network, User Account, Container
• Application level logs
• OS Platform System/Audit event logs
• Windows service logs (PowerShell service / Remote Desktop / Terminal Service)
• Web Server / FTP / Database / Mail server logs
• Security Events / Anomalies / Changes
• Newly installed software / changes
• Application components changes
• Indicators of attack (IOAs)
• Known attack footprints

Page 45: Trend Micro Vision One

Detecting Container Platform Attacks

• Auto-detect Docker and Kubernetes
• Detect SW changes – upgrades, downgrades, removal
• Monitor binaries for attribute changes
• Monitor running processes – dockerd, etcd, kubelet, kube-apiserver, etc.
• Detect changes to critical files – config, certs, keys, yaml files, etc.
• Monitor for changes to iptables rules – protect against unauthorized port changes
• Detect changes to permissions in key directories
• Inspect key events – e.g. errors from forbidden actions

(Diagram: Docker and Kubernetes – Application Container (e.g. NGINX), Docker Engine, Operating System, Deep Security Agent; Kubernetes – Application Container (e.g. Webapp), Application Container (e.g. MySQL))
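The critical-file and permission checks from the list above, as an added example that is not Deep Security code: a snapshot/compare pass that records permission bits, owner and content hash for assumed file types, flags content changes, mode or owner changes, and private keys left readable by group or other, and runs here against a constructed temp directory rather than real platform paths.

```python
import hashlib
import stat
import tempfile
from pathlib import Path

# File types the slide calls critical (config, certs, keys, yaml); the suffix list is assumed
CRITICAL_SUFFIXES = (".yaml", ".yml", ".json", ".conf", ".crt", ".pem", ".key")

def snapshot(roots):
    """Record (permission bits, owner uid, sha256) for every critical file under roots."""
    state = {}
    for root in roots:
        for p in Path(root).rglob("*"):
            if p.is_file() and p.suffix in CRITICAL_SUFFIXES:
                st = p.stat()
                digest = hashlib.sha256(p.read_bytes()).hexdigest()
                state[str(p)] = (stat.S_IMODE(st.st_mode), st.st_uid, digest)
    return state

def compare(baseline, current):
    """Return (path, finding) pairs; a group/world-readable key is flagged even if unchanged."""
    findings = []
    for path in sorted(set(baseline) | set(current)):
        old, new = baseline.get(path), current.get(path)
        if old is None:
            findings.append((path, "added"))
        elif new is None:
            findings.append((path, "removed"))
        else:
            if old[2] != new[2]:
                findings.append((path, "content changed"))
            if old[0] != new[0]:
                findings.append((path, f"mode {old[0]:o} -> {new[0]:o}"))
            if old[1] != new[1]:
                findings.append((path, "owner changed"))
        if new and path.endswith(".key") and new[0] & (stat.S_IRGRP | stat.S_IROTH):
            findings.append((path, "private key readable by group/other"))
    return findings

def demo():
    """Constructed scenario in a temp dir: baseline a manifest and a key, then tamper with both."""
    d = Path(tempfile.mkdtemp())
    manifest, key = d / "kube-apiserver.yaml", d / "apiserver.key"
    manifest.write_text("apiVersion: v1\nkind: Pod\n")
    key.write_text("constructed placeholder, not a real key\n")
    key.chmod(0o600)
    baseline = snapshot([d])
    manifest.write_text("apiVersion: v1\nkind: Pod\n# tampered\n")  # content change
    key.chmod(0o644)  # permission loosened: should be flagged twice
    return compare(baseline, snapshot([d]))
```

On a real host the roots passed to snapshot would be the platform's own directories (assumed, for example, /etc/kubernetes and /etc/docker), with the baseline stored outside the monitored filesystem.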

Page 46: Trend Micro Vision One

Why Extend XDR to your Network?

Detect: See across the network including EDR blind spots. Analytics discover complex threats. IOC sweeping.
Investigate: How is a threat communicating? How is the attacker moving across the organization?
Respond: Where do I need to focus? Which systems/devices are under attack?

Activity Data: Traffic Flow, Perimeter and Lateral Connections, Suspicious Traffic Behaviors

(Diagram labels: IoT, IIoT, Legacy, Managed Devices, Unmanaged, EDR blind spots, EDR)