Corp PPT Template - compressed

Transcript

Deep Discovery and TINBA
Ibrahim Eskiocak
[email protected]
Sales Engineer
2/21/2013
Confidential | Copyright 2012 Trend Micro Inc.
TINBA
Copyright 2011 Trend Micro Inc.
TINY BANKER
Deep Security 9
Next-Generation Data Center Security Solution
Available Aug 30, 2011
Copyright 2009 Trend Micro Inc.
Trend Micro Deep Security
System, Application and Data Security: 5 protection modules
• Deep Packet Inspection
  - IDS / IPS: Detects and blocks known and zero-day attacks that target vulnerabilities
  - Web Application Protection: Shields web application vulnerabilities
  - Application Control: Provides increased visibility into, or control over, applications accessing the network
• Firewall: Reduces attack surface. Prevents DoS & detects reconnaissance scans
• Anti-Virus: Detects and blocks malware (web threats, viruses & worms, Trojans)
• Log Inspection: Optimizes the identification of important security events buried in log entries
• Integrity Monitoring: Detects malicious and unauthorized changes to directories, files, registry keys…
Protection is delivered via Agent and/or Virtual Appliance
Trend Micro Deep Security
Provides security for all environments: Physical, Virtual, Cloud
Modules: Deep Packet Inspection (IDS / IPS, Web App. Protection, Virtual Patch, Application Control), Antivirus, Firewall, Integrity Monitoring, Log Inspection
Deep Security Integration with VMware APIs
Trend Micro Deep Security integrates with vCenter and with vCloud.
1. Security Virtual Machine – integrates with Intel TPM/TXT
2. VMsafe APIs – Agentless: Intrusion prevention, Firewall
3. vShield Endpoint – Agentless: Antivirus, Web reputation, Integrity monitoring
4. Agent-based – Log inspection: Security agent on individual VMs
• 5 years of collaboration and joint product innovation
• First and only agentless security platform
• First and only security that extends from datacenter to cloud
• Hypervisor Integrity Monitoring
Virtual Patching for the Entire IT Stack
Trend Micro Deep Security rules shield vulnerabilities in over 100 common server and desktop applications. Sample list of systems and applications protected:
Operating Systems: Windows (2000, XP, 2003, Vista, 2008, 7, 8), Sun Solaris (8, 9, 10), Red Hat EL (4, 5, 6), SuSE Linux (10, 11)
Database servers: Oracle, MySQL, Microsoft SQL Server, Ingres
Web app servers: Microsoft IIS, Apache, Apache Tomcat, Microsoft Sharepoint
Mail servers: Microsoft Exchange Server, Merak, IBM Lotus Domino, Mdaemon, Ipswitch IMail, MailEnable Professional
FTP servers: Ipswitch, War FTP Daemon, Allied Telesis
Backup servers: Computer Associates, Symantec, EMC
Storage mgt servers: Symantec, Veritas
DHCP servers: ISC DHCPD
Desktop applications: Microsoft (Office, Visual Studio, Visual Basic, Access, Visio, Publisher, Excel Viewer, Windows Media Player), Kodak Image Viewer, Adobe Acrobat Reader, Apple Quicktime, RealNetworks RealPlayer
Mail clients: Outlook Express, MS Outlook, Windows Vista Mail, IBM Lotus Notes, Ipswitch IMail Client
Web browsers: Internet Explorer, Mozilla Firefox
Anti-virus: Clam AV, CA, Symantec, Norton, Trend Micro, Microsoft
Other applications: Samba, IBM Websphere, IBM Lotus Domino Web Access, X.Org, X Font Server prior, Rsync, OpenSSL, Novell Client
Some Vulnerability Examples, 2012
• Windows: Microsoft Remote Desktop Protocol – Mar 2012
• Apache: Armageddon Botnet & Apache Killer Exploit – Mar 2012
• Windows: TrueType Font (Duqu-like vuln.) – May 2012
• Oracle: TNS Poison – no patch available – May 2012
• Windows: XML Core Services – no patch available – June 2012
Trend Micro Customers are Already Shielded
• As a member of the Microsoft Active Protections Program, Trend Micro received advance information about the vulnerability
• March 13, 2012 (same day the vulnerability is announced): Trend Micro releases Deep Security Update DSRU12-006
• Next day, Trend Micro releases Intrusion Defense Firewall (IDF) update 12007
• These updates provide immediate vulnerability shielding for Deep Security and OfficeScan customers
• Trend Micro customers can roll out the actual Windows patch during a regularly scheduled maintenance update
Trend Micro Customers are Already Shielded
The Power of Virtual Patching
• Better Protection for Zero-Day Attacks
• As a member of the Microsoft Active Protections Program, Trend Micro received advance information about the vulnerability
• ~2 hours after the advisory: update to protect
• Low False Positives
• No Reboot Needed
• Does Not Affect the Application or Operating System
• Easy to Manage and Deploy
After Virtual Patch applied
Agentless Protection with VMware
Security at the Hypervisor Level with Deep Security
Modules: Antivirus, Firewall, IDS/IPS, Virtual Patch, Application Control, Web Application Firewall, Integrity Monitoring
• Defend at a layer that is not visible from outside
• Increase the speed of servers and applications
• Add up to 3x more VMs
• Apply all security modules easily
New method with DS vs. old method
Agentless approach uses less ESX memory
[Chart: ESX memory use vs. # of Guest VMs (5 to 70) for Anti-Virus “B”, Anti-Virus “Y”, Anti-Virus “R” and Agentless Anti-Virus “T”]
Agentless approach uses less bandwidth
[Chart: bandwidth vs. Time (Seconds, 1 to 96) for Anti-Virus “B”, Anti-Virus “Y”, Anti-Virus “R” and Agentless Anti-Virus “T”]
Agentless Architecture = CAPEX + OPEX Savings
VM servers per host: Traditional AV 25; Agentless AV 75-100 (3-10X higher VDI VM consolidation ratios)
3-year Savings on 1000 VDI VMs = $539,600
Sources: Tolly Enterprises Test Report, Trend Micro Deep Security vs. McAfee and Symantec, February 2011; Saving estimate based on VMware ROI calculations
Platform Support
Windows 2000
Windows 2003 (32 & 64 bit)
Windows XP
Vista (32 & 64 bit)
Windows Server 2008 (32 & 64 bit)
Windows Server 2008 R2
Windows 7-8
HyperV (Guest VM)
Solaris 8, 9, 10 on SPARC
Solaris 10 on x86 (64 bit)
Red Hat 4, 5, 6 (32 & 64 bit)
SuSE 10, 11
Ubuntu
VMware ESX Server (guest OS)
VMware Server (host & guest OS)
XenServer (Guest VM)
HP-UX 11i (11.23 & 11.31) and AIX 5.3, 6.1: Integrity Monitoring & Log Inspection modules
Why should I use Deep Security?
• I can use it for my physical and virtual servers at the same time.
• I can also use it for Windows, Linux, Solaris and Unix.
• I can increase the performance of servers and applications.
• I can enable the security modules needed for server and application security without creating a slowdown. I have the advantage of a very lightweight agent.
• I can use it for the Corrective and Preventive Actions clause of ISO 27001.
• I can simplify Patch Management processes.
• I can use it to meet the PCI and ISO 27001 standards.
• I can use Virtual Patching in patch and system update processes.
• I can provide better protection with Antivirus, Web Security, IDS/IPS, Virtual Patching, Application Control, Application Firewall, Integrity Monitoring and Log Inspection.
• With Integrity Monitoring I can track unauthorized and unpermitted access on my servers.
• With Log Inspection I can receive alerts and notifications from the critical logs produced by the operating system and applications.
• With Log Inspection I can consolidate all logs in one place and convert them to a single format.
Why should I use Deep Security?
• In the VMware solution we use for virtualization, I can use the Antivirus, Web Security, IDS/IPS, Virtual Patching, Application Control, Application Firewall and Integrity Monitoring features agentlessly, at the hypervisor layer.
• I can integrate with VMware vCenter; newly created VMs are automatically protected at the hypervisor layer with predefined global rules, so protection is automated.
• I can reduce the daily operational workload of system administrators and provide central management.
• Thanks to the agentless solution, I can increase the number of virtual machines in the VMware Data Center by up to 3x.
• In the agentless architecture, I can defend my servers at a layer (the hypervisor) that is not visible from outside. A next-generation protection approach.
• I can gain a cost advantage with a single investment and a single solution.
• I can be safer with the effective protection provided by a next-generation security solution: integrated multi-module and coordinated approach, agentless protection features.
• I enjoy the advantages of using the product preferred and recommended by leading organizations globally and in Turkey.
Q&A
Deep Discovery and The Custom Defense
Deep Discovery Inspector
Advanced Threat Protection Across the Attack Sequence
Malicious Content, Suspect Communication, Attacker Behavior
APTs Most Commonly Start with a Spear Phishing Email with an Attachment
Some of the facts
• 43% – businesses whose end-user PCs definitely or almost certainly have undetected malware
• 60% – businesses that have found malware previously undetected by existing security
• 75% – businesses that already see APTs as a concern or of increasing concern
• 70% – found that malware had been targeted, and 20% had significant impact
• 35% – businesses that believe they have the technology to protect from APTs; 14% are evaluating technology
Survey conducted on 300 businesses in the UK, Germany and France (2,500-5,000 and 5,000+ employee organisations), Nov 2012
Analysts and Influencers Urge Action — Adoption of Specialized Threat Detection
• “Zero-Trust” security model
• Use of Network Analysis and Visibility Tools
• “Lean Forward” proactive security strategy
• Use of Network Threat Monitoring Tools
Government Agencies Worldwide
• Increasingly issuing alerts and guidance encouraging advanced monitoring
“We must assume we will be compromised and must have better detection capabilities in place that provide visibility as to when this type of breach occurs.”
— Neil MacDonald | VP & Gartner Fellow
Traditional Security Protection is Insufficient
APTs & Targeted Attacks – “The New Norm” (IDC)
Empowered Employees
Elastic Perimeter
Trend Micro Custom Defense
A complete lifecycle to combat the attacks that matter to you
• Detect: Specialized threat detection capability at network and protection points
• Analyze: Deep analysis uses custom sandboxing & relevant global intel to fully assess threats
• Adapt: Custom security blacklists & signatures block further attack at network, gateway, endpoints
• Respond: Attack profiles and network-wide event intelligence guide rapid containment & remediation
Deep Discovery
The Custom Defense In Action
Advanced Email Protection
InterScan Messaging Security or ScanMail: Anti-spam, Anti-phishing, Web Reputation, Anti-malware, quarantine
Deep Discovery Advisor: Threat Analyzer, Threat Intelligence Center, Security Update Server
• Blocking of targeted spear phishing emails and document exploits via custom sandboxing
• Advanced Threat Detection
• Central analysis of detections
• Automated updates of malicious IP/Domains
• Signature file updates
Deep Discovery – How It Works
Out of band feed of all network traffic → Detect (Detect Malicious Content & Communication) → Correlate (Identify Attack Behavior & Reduce False Positives) → Simulate, Watch List, GeoPlotting, Threat Connect → Alerts, Reports, Evidence Gathering
Visibility – Real-time Dashboards
Insight – Risk-based Analysis
Action – Remediation Intelligence
Deep Discovery: Key Technologies
Specialized Threat Detection Across the Attack Sequence
Malicious Content
• Deep content inspection across 100’s of protocols & applications
• Emails containing embedded document exploits
• Drive-by Downloads
• Zero-day and known malware
• Smart Protection Network reputation analysis and intelligence
Suspect Communication
• Custom sandbox simulation and analysis
• Communication & behavior fingerprinting
• C&C communication for any type of malware & bots
• Backdoor activity by attacker
• Multi-level rule-based event correlation
• And more… Driven by Trend Micro threat researchers and billions of daily events
Attack Behavior
• Malware activity: propagation, downloading, spamming . . .
• Attacker activity: scan, brute force, tool downloads . . .
• Data exfiltration communication
Threat Analyzer
Custom Sandbox Simulation & Analysis
• Tracking of malicious actions & events
• Detection of malicious destinations and connections to C&C servers
• Specific detection rules for Office, PDF and Flash docs
• General detection rules for all executables
• Exportable reports & PCAP files
Fully Customizable Attack Surface using standard VMware tools
- Operating system, Office version, Service Packs
- Browsers and standard applications
- Custom applications
Visibility, Analysis & Action
Real-Time Threat Console
Threat visibility and deep analysis at your fingertips
• Quick access widgets provide critical information at a glance
• In-depth analysis of attack characteristics, behavior & communication
• GeoTrack identifies the origins of malicious communication
Watch List
Focused monitoring of high severity threats and valuable assets
• Focused tracking of suspicious activity and events on designated hosts
• Hosts to be tracked determined via threat detection or customer selection
• Detailed event timeline tracks all attack activities involving target hosts
Threat Connect
The intelligence you need to understand & remediate an attack
• Direct access to Trend Micro intelligence for a specific attack or malware
• Containment and remediation recommendations
• Direction to available AV/other signature updates for this threat
Deep Discovery Advisor
Threat Intelligence Center
• In-Depth Contextual Analysis including simulation
results, asset profiles and additional security events
• Integrated Threat Connect Intelligence included in
analysis results
• Enhanced Threat Investigation and Visualization
capabilities
• Highly Customizable Dashboard, Reports & Alerts
• Centralized Visibility and Reporting across Deep
Discovery Inspector units
Real Time Threat Map
Sandbox Analysis Result
URL: http://mochibot.com/mochiSWF
File Type: Adobe Flash
Country: Germany
Infection Source IP: X.X.X.X
ISP: XXXXX
Risk: Data Loss, Spam Activity
Botnet Infection & IRC Server Usage Example
Most Affected Endpoint List
Thank you!
