Trend Micro Threat Management Solution - PowerPoint PPT Presentation

Presentation Transcript
Trend Micro Threat Management Solution

Solution Overview

Author: James Payongayong

Contacts: Jai Balasubramaniyan, Paris Trudeau & James Payongayong

Threat Discovery Appliance Hardware Overview

Hardware Overview

Dell 2950

800 Mbps Max Throughput

10,000 Max concurrent connections

2 Monitoring ports

2 Management ports

1 Serial port

Redundant power

Paramount Q1 2008 - 2

Trend Micro Threat Management Solution

Network Deployment

Overall Solution Deployment

Threat Discovery Appliance Deployment

The Threat Discovery Appliance's data port is connected to a mirror port on the core switch, which mirrors the traffic of the port facing the firewall.

Asymmetric route and multi-mirror port installation

Support multi-TDA installation

Support TAP Installation

Trend Micro Confidential

Trend Micro Threat Management Solution

Threat Discovery Appliance Feature Overview

Threat Discovery Appliance Features

New and known malware detection

Disruptive application detection

Multiprotocol Threat detection

Powered by SPN

Out-of-band deployment

Threat detection engines

The Threat Discovery Appliance uses Network Content Inspection Technology to detect both known and zero-day threats.

How does TDA Analyze Network Traffic?

Assemble packets into one stream

Extract embedded files and send to file scanning engines

Extract embedded URLs and perform WRS check

Scan the traffic stream for exploits and network worms

Perform single-session correlation on the traffic stream

Protocol Support

The Threat Discovery Appliance supports all known protocols used by malware, spanning over 80 protocols.

TDA uses port-agnostic protocol detection to accurately identify protocols regardless of the port used.

Disruptive Application Support

Besides detecting malicious activity, the Threat Discovery Appliance also detects disruptive applications from the following three major categories:

Trend Micro Threat Management Solution

Threat Management Services Feature Overview

Threat Management Services Features

  • Advanced in-the-cloud correlation engine

  • Collaboration with Trend Micro’s Smart Protection Network

  • Threat Analysis and Reporting

Advanced Threat Correlation

  • User receives IM with suspicious link

  • User visits link and downloads suspicious file

  • User begins sending out IM messages with same link

  • Events correlated

TMS correlates these separate events to determine that the user has been infected with an IM worm!
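The chain above (link received, file downloaded, same link sent onward) is a single-host, ordered-sequence correlation: none of the three events is conclusive alone, but together on one endpoint they indicate an IM worm and also name the infection source. The following is an added example of such a correlator written for this page; it is not Trend Micro's code. The event names, the `ts|host|event|link|peer` log layout, the sample log lines and the one-hour window are all assumptions made for the example.

```python
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Maximum spread between the first and last event of one chain (assumed value).
WINDOW = timedelta(hours=1)


@dataclass
class Event:
    ts: datetime
    host: str    # monitored endpoint (IP address as seen in the threat log)
    event: str   # "im_link_received" | "file_download" | "im_link_sent"
    link: str    # URL carried in the IM, or fetched by the download
    peer: str    # IM counterparty: sender for received, recipient for sent


@dataclass
class Incident:
    host: str
    link: str
    infection_source: str         # IM peer that delivered the link first
    first_seen: datetime
    last_seen: datetime
    recipients: list = field(default_factory=list)


def parse_line(line: str) -> Event:
    """Parse one constructed 'ts|host|event|link|peer' log line (assumed format)."""
    ts, host, event, link, peer = line.strip().split("|")
    return Event(datetime.fromisoformat(ts), host, event, link, peer)


def correlate(events):
    """Single-host correlation: raise an Incident for every (host, link) whose
    events complete receive -> download -> send, in that order, within WINDOW.
    A host that only receives the link, or only forwards it without ever
    downloading it, does not complete the chain and raises nothing."""
    chains = defaultdict(list)
    for ev in sorted(events, key=lambda e: e.ts):
        chains[(ev.host, ev.link)].append(ev)

    incidents = []
    for (host, link), evs in chains.items():
        received = next((e for e in evs if e.event == "im_link_received"), None)
        if received is None:
            continue
        download = next((e for e in evs if e.event == "file_download"
                         and e.ts >= received.ts), None)
        if download is None:
            continue
        # Only sends that happen after the download and inside the window count
        # as propagation; a much later send is not attributed to this chain.
        sent = [e for e in evs if e.event == "im_link_sent"
                and e.ts >= download.ts and e.ts - received.ts <= WINDOW]
        if not sent:
            continue
        incidents.append(Incident(host, link, received.peer, received.ts,
                                  sent[-1].ts, [e.peer for e in sent]))
    return incidents


# Constructed sample log (not real TDA output).  Host 10.0.0.5 completes the
# chain; 10.0.0.9 only downloads; 10.0.0.12 forwards without downloading; the
# late send from 10.0.0.5 falls outside WINDOW and is not attributed.
SAMPLE_LOG = """\
2008-03-10T09:00:00|10.0.0.5|im_link_received|http://example.invalid/pic.exe|alice
2008-03-10T09:05:00|10.0.0.5|file_download|http://example.invalid/pic.exe|
2008-03-10T09:10:00|10.0.0.5|im_link_sent|http://example.invalid/pic.exe|bob
2008-03-10T09:12:00|10.0.0.5|im_link_sent|http://example.invalid/pic.exe|carol
2008-03-10T12:30:00|10.0.0.5|im_link_sent|http://example.invalid/pic.exe|dave
2008-03-10T09:20:00|10.0.0.9|im_link_received|http://example.invalid/pic.exe|bob
2008-03-10T09:21:00|10.0.0.9|file_download|http://example.invalid/pic.exe|
2008-03-10T09:30:00|10.0.0.12|im_link_received|http://example.invalid/pic.exe|carol
2008-03-10T09:31:00|10.0.0.12|im_link_sent|http://example.invalid/pic.exe|erin
"""


def run_sample():
    """Correlate the constructed sample log and return the incidents found."""
    return correlate(parse_line(l) for l in SAMPLE_LOG.splitlines() if l)


if __name__ == "__main__":
    for inc in run_sample():
        print(f"{inc.host}: IM worm chain via {inc.link}, source {inc.infection_source}, "
              f"spread to {', '.join(inc.recipients)} "
              f"({inc.first_seen:%H:%M}-{inc.last_seen:%H:%M})")
```

Run as a script it reports one incident for 10.0.0.5 with alice as the source and bob and carol as recipients. The two hosts that only complete part of the chain stay silent, which is the point of correlating rather than alerting on each event: a received link or a single download is noise on its own, and ordering plus the time window keeps an unrelated later send from being folded into the same incident.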

Executive Report Details

Business Risk Meters

Affected Assets

Threat Statistics

Malware types found in the network

Groups & Endpoints affected by threats

Risks associated with detected threats

Infection Sources


Disruptive Applications

Disruptive Applications in the network

Sources of malware infection

Trending and comparison data

Daily Report

  • IT Administrator focused

  • List of high-risk clients

  • List of incidents for that day in order of severity

  • Detailed description of the threat that caused the incident

  • Possible impact of the incident

  • Recommended response for the incident

  • Informational events such as disruptive application usage

Location of servers

San Jose, USA

Beijing, China

Tokyo, Japan

Taipei, Taiwan


What threat information is sent to the cloud?

Threat Discovery Appliance

  • Threat log data

    • IP address, hostname, MAC

    • Threat detected

    • Details of the threat

    • Timestamp

  • Disruptive application logs

    • IP address, hostname, MAC

    • Application detected

    • Timestamp

Secure Transmission Channels

Rsync over SSH

Rsync over HTTPS

  • Basic settings

    • TMSP registration

    • Registered service

    • System time

    • Log upload period

    • Monitored network

  • Case 1: only mirror up-link traffic

    • Need to mirror DNS/Proxy port traffic to TDA

    • Register DNS/Proxy IP in Registered service

    • Register DNS/Proxy IP in Detection Exclusion List

Guideline of a good TDS testing (POC)

  • Understand the TDS position and value

    • TDS plays a doctor's role: through TDA analysis combined with SPN and TM professional services, TDS completes the incident analysis and provides the solution

  • Need to show TDS value in the POC process

    • Visible: TDA can find known/suspicious threats

    • Precision: TDA precisely identifies the infection source and threat type

    • Solution: through SPN correlation analysis and TM professional services, provide a workable solution

  • Control the POC within a short period of time.

    • TDS in 2 weeks.

Ideal timeline of TDS pilot

POC Owner: communicate with the customer and feed back the POC status

Decide the POC finish date

Generate the POC report

Use the lightening tool as the cleaning tool

Apply for account/PWD

Create account/PWD

Provide the daily report and suggestions

Provide the weekly report and present the weekly report

Provide the POC report material to the SE

If there are no high-severity incidents in the 3-day report, enter the troubleshooting process

TDA receives traffic

TDA roadmap

Roadmap chart (figure not preserved; labels only): TDA 2.5, TDA 2.0 R7, TMSP 2.5, TDA 2.0, TMSP 2.0, TMSP 1.5

TDA Patch 4 (Q4 08)

  • LeakProof 3.1 Integration

  • Fiber Interface Support

  • Mitigation enhancements

  • Outbreak Containment Service (OCS)

  • Debug tool for traffic analysis

  • User Name Resolution (Microsoft AD)

  • Max 100K Concurrent Session Support

TMSP 1.5 (Q4 08)

  • Redesigned UI

  • Smart Navigation System

  • High Profile Malware Alert (OCS)

  • New TLMS Reports - SC version

  • Customer Portal - SC version

  • Abnormal endpoint status

TDA 2.5 feature description

  • TDA 2.5 R1:

    • Release date: May 27, 2009

    • Major Features:

      • Outbreak Containment Services (disconnect network traffic for high-profile malware)

      • Send OCS events to TMSP in real time (HTTPS)

      • Pop up End User License Agreement during product activation

      • Provide the Setup Guide on the TDA web console

      • New PID (AC) for service module

      • Increased concurrent session support

      • Threat detection improvement (Threat rule 8 for SMB file path)

      • User account name resolution

      • Support multiple monitored ports (TDA 2.5 can support up to 6 sniffer ports)

  • TDA 2.5 R2 for Dell 2950

    • Release date: Aug 24, 2009

    • Major Features:

      • HDD RAID1 support

      • Support a total of 7 data/monitor ports and 1 management port

      • Show NIC link status and packet monitor function on the web console

      • Support double-byte UI input (7 UI pages)

      • VLAN detection switch (enable/disable; default ignores VLAN tag check)

      • SSH/Web login auditing debug log

      • Provide a switch (enable/disable) for hostname queries on host port 137 (enabled by default)

      • Support monitor function and link status on the management port

      • Database corruption check and rebuild

      • TMSP HTTP authentication enhancement

TDA next generation platform - Dell R710

  • 9/7 release of TDA 2.5 R2 for the Dell R710

A Security Conundrum: Accuracy vs. Response

Must address known and unknown threats

Trend Micro Focus: High Accuracy Response

Competitive Market Landscape

External threats (DDOS, malformed packets)

Web, Email or Endpoint AV

  • Malware Infection

  • Info stealing malware

  • Disruptive applications

  • Lacks multiprotocol detection

  • Cannot detect complex & zero-day threats

  • No Root Cause Analysis

  • No Threat Mgmt Portal/Reports

  • Noisy with False Alarms

  • Need SIEM for correlation

  • Limited Application Fluency

Cisco, Checkpoint, Juniper,

Symantec, McAfee,

  • No detection, only correlation

  • Correlates data from other security devices (IDS, Firewalls ..)

Cisco MARS, ArcSight, Q1 Labs

How to Sell: Selling TMS against IDPS systems

TMS vs IDPS

Trend Micro Threat Management Solution

Q & A