
Trend Micro Threat Management Solution

Solution Overview

Author: James Payongayong

Contacts: Jai Balasubramaniyan, Paris Trudeau & James Payongayong


Threat Discovery Appliance Hardware Overview

Dell 2950

800 Mbps Max Throughput

10,000 Max concurrent connections

2 Monitoring ports

2 Management ports

1 Serial port

Redundant power

Paramount Q1 2008 - 2



Trend Micro Threat Management Solution

Network Deployment


Overall Solution Deployment (the architecture diagram on this slide is not reproduced in the transcript)



Threat Discovery Appliance Deployment

The Threat Discovery Appliance's data (monitoring) port is connected to a mirror (SPAN) port on the core switch, and the switch is configured to mirror the port that faces the firewall. The appliance therefore receives a copy of all traffic crossing the perimeter link without sitting inline.



Deployment Options

Asymmetric routing and multiple mirror ports (the two directions of a flow may arrive on different monitoring ports)

Multiple TDA appliances in one network

Network TAP installation as an alternative to a switch mirror port

Trend Micro Confidential



Trend Micro Threat Management Solution

Threat Discovery Appliance Feature Overview


Threat Discovery Appliance Features

New and known malware detection

Disruptive application detection

Multiprotocol Threat detection

Powered by the Smart Protection Network (SPN)

Out-of-band deployment



Threat Detection Engines

The Threat Discovery Appliance uses Network Content Inspection technology to detect both known and zero-day threats.



How does TDA Analyze Network Traffic?

Assemble packets into one stream

Extract embedded files and send them to the file scanning engines

Extract embedded URLs and check them against Web Reputation Services (WRS)

Scan the traffic stream for exploits and network worms

Perform single-session correlation on the traffic stream



Protocol Support

The Threat Discovery Appliance inspects more than 80 protocols, covering the protocols known to be used by malware.

TDA identifies protocols by their content rather than by port number (port-agnostic protocol detection), so a protocol is recognized even when it runs on a non-standard port.
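The analysis steps listed on the previous slide (reassemble, extract URLs, reputation check, exploit scan) and the port-agnostic protocol detection described here can be exercised end to end in a few dozen lines. The script below is an added example written for this page, not code from the Threat Discovery Appliance or from Trend Micro; the protocol signatures, the local blocklist standing in for a WRS lookup, the two exploit rules and the sample sessions are all constructed for illustration, and file extraction/scanning is left out.

```python
import re
from dataclasses import dataclass, field


@dataclass
class Segment:
    """One captured TCP segment (constructed for this example)."""
    seq: int
    dst_port: int
    payload: bytes


@dataclass
class Verdict:
    protocol: str
    urls: list = field(default_factory=list)
    bad_urls: list = field(default_factory=list)
    signatures: list = field(default_factory=list)


def reassemble(segments):
    """Step 1: order the segments by sequence number and join them into one stream."""
    return b"".join(s.payload for s in sorted(segments, key=lambda s: s.seq))


# Step 2 (port-agnostic): the protocol is decided from the first bytes of the
# stream; dst_port is deliberately never consulted.
PROTOCOL_SIGNATURES = [
    ("HTTP", re.compile(rb"^(GET|POST|HEAD) \S+ HTTP/1\.[01]\r\n")),
    ("IRC", re.compile(rb"^(NICK|USER|JOIN|PRIVMSG) ")),
    ("SMTP", re.compile(rb"^(EHLO|HELO) ")),
]


def identify_protocol(stream):
    for name, pattern in PROTOCOL_SIGNATURES:
        if pattern.match(stream):
            return name
    return "unknown"


def port_based_guess(dst_port):
    """What a port-keyed classifier would say; kept only to show the contrast."""
    return {80: "HTTP", 25: "SMTP", 6667: "IRC"}.get(dst_port, "unknown")


# Step 3: pull embedded URLs out of the stream and check their hosts against a
# reputation source. A local set stands in for the WRS lookup here.
URL_RE = re.compile(rb"https?://[\w.-]+(?:/[\w./?=&%-]*)?")
WRS_BLOCKLIST = {"evil.example"}  # constructed, not a real indicator


def extract_urls(stream):
    return sorted({u.decode() for u in URL_RE.findall(stream)})


def wrs_check(urls):
    bad = []
    for u in urls:
        host = re.sub(r"^https?://", "", u).split("/")[0]
        if host in WRS_BLOCKLIST:
            bad.append(u)
    return bad


# Step 4: content rules for exploit / worm traffic (constructed stand-ins).
EXPLOIT_RULES = {
    "nop-sled": re.compile(rb"\x90{32,}"),
    "irc-bot-join": re.compile(rb"JOIN #[\w-]+ .*(ddos|botnet)", re.I),
}


def scan_exploits(stream):
    return [name for name, rx in EXPLOIT_RULES.items() if rx.search(stream)]


def analyze(segments):
    """Run steps 1-4 over one session and return a single verdict."""
    stream = reassemble(segments)
    urls = extract_urls(stream)
    return Verdict(protocol=identify_protocol(stream), urls=urls,
                   bad_urls=wrs_check(urls), signatures=scan_exploits(stream))


# Constructed sample sessions: HTTP on port 8443 delivered out of order, and
# IRC bot traffic hiding on port 80.
SAMPLE_HTTP_ON_8443 = [
    Segment(2, 8443, b"Host: evil.example\r\nReferer: http://evil.example/dl/loader.exe\r\n\r\n"),
    Segment(1, 8443, b"GET /update?u=http://good.example/x HTTP/1.1\r\n"),
]
SAMPLE_IRC_ON_80 = [
    Segment(1, 80, b"NICK bot-7f3a\r\nUSER bot 0 * :bot\r\nJOIN #cmd-chan botnet-key\r\n"),
]

if __name__ == "__main__":
    for session in (SAMPLE_HTTP_ON_8443, SAMPLE_IRC_ON_80):
        v = analyze(session)
        print(f"port {session[0].dst_port}: content says {v.protocol}, port table says "
              f"{port_based_guess(session[0].dst_port)}; bad URLs {v.bad_urls}; "
              f"rules {v.signatures}")
```

The point of `port_based_guess` is only the contrast: the HTTP session on 8443 and the IRC session on 80 are both mislabelled by port and correctly labelled by content, which is what "port agnostic" buys you when malware picks its own ports.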



Disruptive Application Support

Besides detecting malicious activity, the Threat Discovery Appliance also detects disruptive applications from three major categories (the categories were shown in a slide graphic that is not reproduced in this transcript).




Trend Micro Threat Management Solution

Threat Management Services Feature Overview


Threat Management Services Features

  • Advanced in-the-cloud correlation engine

  • Collaboration with Trend Micro’s Smart Protection Network

  • Threat Analysis and Reporting



Advanced Threat Correlation

  • User receives IM with suspicious link

  • User visits link and downloads suspicious file

  • User begins sending out IM messages with same link

  • Events correlated

TMS correlates these separate events to determine that the user has been infected with an IM worm!
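The chain on this slide can be written as a small correlation rule over per-host event timelines. The script below is an added example written for this page, not TMS code; the event names (IM_LINK_IN, DOWNLOAD, IM_LINK_OUT), the one-hour window, the threshold of two outbound messages, the host addresses and the URL are all constructed. It goes slightly beyond the slide by bounding the chain in time and by reporting the weaker case where the download happened but no propagation followed.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Event:
    """One TDA-style log event for a monitored endpoint (constructed format)."""
    ts: datetime
    host: str   # endpoint IP address
    kind: str   # IM_LINK_IN, DOWNLOAD or IM_LINK_OUT
    url: str    # the link or download URL the event refers to


def correlate(events, window=timedelta(hours=1), min_outbound=2):
    """Return {host: verdict} for hosts whose events match the IM-worm chain:
    a link is received, the same URL is then downloaded, and the same link is
    then sent out at least `min_outbound` times, all within `window` of the
    first message. A download without propagation is reported as suspicious."""
    by_host = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):
        by_host[e.host].append(e)

    verdicts = {}
    for host, evs in by_host.items():
        verdict = None
        for i, first in enumerate(evs):
            if first.kind != "IM_LINK_IN":
                continue
            deadline = first.ts + window
            downloaded, sent = False, 0
            for e in evs[i + 1:]:
                if e.url != first.url or e.ts > deadline:
                    continue
                if e.kind == "DOWNLOAD":
                    downloaded = True
                elif e.kind == "IM_LINK_OUT" and downloaded:
                    # outbound copies only count once the payload has been fetched
                    sent += 1
            if sent >= min_outbound:
                verdict = f"infected: IM worm propagating {first.url}"
                break
            if downloaded and verdict is None:
                verdict = f"suspicious: downloaded {first.url} from an IM link"
        if verdict:
            verdicts[host] = verdict
    return verdicts


# Constructed sample timeline; the URL is a placeholder, not a real indicator.
BASE = datetime(2008, 3, 3, 9, 0)
WORM_URL = "http://im-worm.example/photo.exe"


def _t(minutes):
    return BASE + timedelta(minutes=minutes)


SAMPLE_EVENTS = [
    # 10.1.1.5: received, downloaded, then sent the link on three times -> infected
    Event(_t(0), "10.1.1.5", "IM_LINK_IN", WORM_URL),
    Event(_t(2), "10.1.1.5", "DOWNLOAD", WORM_URL),
    Event(_t(5), "10.1.1.5", "IM_LINK_OUT", WORM_URL),
    Event(_t(6), "10.1.1.5", "IM_LINK_OUT", WORM_URL),
    Event(_t(7), "10.1.1.5", "IM_LINK_OUT", WORM_URL),
    # 10.1.1.6: received and downloaded, never propagated -> suspicious only
    Event(_t(1), "10.1.1.6", "IM_LINK_IN", WORM_URL),
    Event(_t(3), "10.1.1.6", "DOWNLOAD", WORM_URL),
    # 10.1.1.7: forwarded the link twice but never fetched it -> no verdict
    Event(_t(4), "10.1.1.7", "IM_LINK_IN", WORM_URL),
    Event(_t(8), "10.1.1.7", "IM_LINK_OUT", WORM_URL),
    Event(_t(9), "10.1.1.7", "IM_LINK_OUT", WORM_URL),
    # 10.1.1.8: full chain, but propagation starts 90 minutes later, outside the
    # default window, so only the download is reported
    Event(_t(0), "10.1.1.8", "IM_LINK_IN", WORM_URL),
    Event(_t(5), "10.1.1.8", "DOWNLOAD", WORM_URL),
    Event(_t(90), "10.1.1.8", "IM_LINK_OUT", WORM_URL),
    Event(_t(91), "10.1.1.8", "IM_LINK_OUT", WORM_URL),
]

if __name__ == "__main__":
    for host, verdict in sorted(correlate(SAMPLE_EVENTS).items()):
        print(host, verdict)
```

No single event here is a detection on its own; the verdict comes from the ordering and the shared URL across events of one host, which is the value the slide claims for correlation. The window and the outbound threshold are the knobs a practitioner would tune against false positives (a user legitimately forwarding a link) and slow-moving worms.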



Executive Report Details

Business Risk Meters: risks associated with detected threats

Affected Assets: groups and endpoints affected by threats

Threat Statistics: malware types found in the network

Infection Sources: sources of malware infection

Trends: trending and comparison data

Disruptive Applications: disruptive applications in the network


Daily Report

  • Aimed at IT administrators

  • List of high-risk clients

  • List of incidents for that day in order of severity

  • Detailed description of the threat that caused the incident

  • Possible impact of the incident

  • Recommended response for the incident

  • Informational events such as disruptive application usage



Location of servers

San Jose, USA

Beijing, China

Tokyo, Japan

Taipei, Taiwan

Philippines



What threat information is sent to the cloud?

Threat Discovery Appliance

  • Threat log data
    • IP address, hostname, MAC address
    • Threat detected
    • Details of the threat
    • Timestamp
  • Disruptive application logs
    • IP address, hostname, MAC address
    • Application detected
    • Timestamp

Secure transmission channels

  • rsync over SSH
  • rsync over HTTPS

Every upload carries endpoint identifiers (IP address, hostname, MAC address), so the log upload period and the handling of that data on the service side should be covered by the customer's data-handling review.



Configuration

  • Basic settings
    • TMSP registration
    • Registered services
    • System time
    • Log upload period
    • Monitored network

  • Case 1: only up-link traffic is mirrored
    • The internal DNS and proxy servers then appear as the source of every DNS lookup and web request, so client-side DNS/proxy traffic must also be mirrored to the TDA
    • Register the DNS/proxy server IPs under Registered Services
    • Add the DNS/proxy server IPs to the Detection Exclusion List, so the servers themselves are not reported as infected endpoints



Guidelines for a good TDS testing (POC)

  • Understand the TDS position and value
    • TDS plays the role of a doctor: through TDA analysis combined with SPN and Trend Micro professional services, TDS completes the incident analysis and provides the solution
  • Show the TDS value during the POC process
    • Visible: TDA can find known and suspicious threats
    • Precision: TDA precisely identifies the infection source and the threat type
    • Solution: SPN correlation analysis and Trend Micro professional services provide a workable solution
  • Keep the POC to a short period of time
    • TDS in 2 weeks


Ideal timeline of a TDS pilot

Roles

SE (POC owner): communicates with the customer and feeds back the POC status; decides the POC finish date; generates the POC report; uses the lightening tool as the clean-up tool; applies for the account/password

MOC: creates the account/password; provides the daily report and suggestions; provides the weekly report and walks through it; provides the POC report material to the SE

Milestones: D-Day, D+3, D+5, D+8, D+10 (the slide's assignment of tasks to days is a graphic not reproduced in this transcript)

D-Day: TDA receives traffic

D+3: if the three-day report shows no high-severity incidents, enter the troubleshooting process


TDA Roadmap

Timeline 1Q2009 through 4Q2009 with the releases TDA 2.0, TDA 2.0 R7, TDA 2.5, TMSP 1.5, TMSP 2.0 and TMSP 2.5 (the slide's placement of each release on the quarter axis is a graphic not reproduced in this transcript)

TDA roadmap items, starting from TDA Patch 4 (Q4 08):

  • LeakProof 3.1 integration
  • Fiber interface support
  • Mitigation enhancements
  • Outbreak Containment Service (OCS)
  • Debug tool for traffic analysis
  • User name resolution (Microsoft AD)
  • Max 100K concurrent session support

TMSP roadmap items, starting from TMSP 1.5 (Q4 08):

  • Redesigned UI
  • Smart Navigation System
  • High Profile Malware Alert (OCS)
  • New TLMS reports (SC version)
  • Customer portal (SC version)
  • Abnormal endpoint status


TDA 2.5 feature description

  • TDA 2.5 R1
    • Release date: May 27, 2009
    • Major features:
      • Outbreak Containment Services (disconnects network traffic for high-profile malware)
      • Sends OCS events to TMSP in real time (HTTPS)
      • End User License Agreement pop-up during product activation
      • Setup Guide on the TDA web console
      • New PID (AC) for the service module
      • Increased concurrent session support
      • Threat detection improvement (threat rule 8 for SMB file paths)
      • User account name resolution
      • Multiple monitored ports (TDA 2.5 supports up to 6 sniffer ports)

  • TDA 2.5 R2 for Dell 2950
    • Release date: Aug 24, 2009
    • Major features:
      • HDD RAID1 support
      • 7 data/monitor ports and 1 management port in total
      • NIC link status and packet monitor function on the web console
      • Double-byte character support for UI input (7 UI pages)
      • VLAN detection switch (enable/disable; by default the VLAN tag check is ignored)
      • Audit debug log for SSH and web console logins
      • Switch (enable/disable) for the NetBIOS hostname query to port 137 on the monitored host (enabled by default); this query is traffic the appliance sends itself, not passive monitoring
      • Monitor function and link status on the management port
      • Database corruption check and rebuild
      • TMSP HTTP authentication enhancement


TDA next generation platform: Dell R710

  • 9/7 release of TDA 2.5 R2 for the Dell R710 version


TDA/TDVA 2.5 R1 performance/sizing guide (the sizing table is a slide graphic not reproduced in this transcript)


A Security Conundrum: Accuracy vs. Response

Must address known and unknown threats

Trend Micro focus: high accuracy response


Competitive Market Landscape

Traditional AV (web, email or endpoint AV): Symantec, McAfee, Microsoft

IDS/IPS, focused on external threats (DDoS, malformed packets): Cisco, Checkpoint, Juniper, McAfee, IBM ISS

TDS, focused on:
  • Malware infection
  • Info-stealing malware
  • Disruptive applications

Limitations the slide attributes to the traditional AV and IDS/IPS categories:
  • Lacks multiprotocol detection
  • Cannot detect complex and zero-day threats
  • No root cause analysis
  • No threat management portal/reports
  • Noisy with false alarms
  • Needs a SIEM for correlation
  • Limited application fluency

SIEMs (Cisco MARS, ArcSight, Q1 Labs):
  • No detection, only correlation
  • Correlate data from other security devices (IDS, firewalls, ...)


How to Sell: Selling TMS against IDPS systems


TMS vs. IDPS (the comparison table on this slide is not reproduced in the transcript)


Competitive Advantages


Trend Micro Threat Management Solution

Q & A

