Volume And Vectors 090416

Transcript
    • 1. Volume & Vectors: a radical shift in the digital threat landscape
    • 2. Triple challenge to IT security
      • Changing IT: disappearing network boundaries
        • BEFORE: 80%+ of daily info available inside the enterprise
        • NOW: 80%+ of daily info comes from outside the enterprise
      • Changing cybercrime: overwhelming volume of threats
        • BEFORE: vandalism, simple fraud, opportunistic data theft
        • NOW: high-tech organized crime for huge profits
      • Changing protection: cloud-client protection networks
        • BEFORE: latest threat info deployed to each computer
        • NOW: computers query a cloud database about suspected threats
    • 6. Threats now mostly from the Internet
      • Internet: 92% of infections; removable media: 8%
      • Top threat infection vectors (how threats arrive on PCs)
        • Visits to malicious websites (42%)
        • Downloaded by other malware (34%)
        • E-mail attachments & links (9%)
        • Transfers from removable disks (8%)
        • Other (mostly via Internet) (7%)
      source: Trend Micro
    • 7. Delivering today’s malware to the unprotected user: websites, file transfers, e-mail (spam with links & attachments) and removable media carry worms, spyware, botnets and viruses to the target
    • 8. Traditional AV: anti-malware at the gateway / endpoint
      “There is a desperate need for new standards for today’s anti-virus products. The dominant paradigm, scanning directories of files, is focused on old and known threats, and reveals little about product efficacy in the wild.” Williamson & Gorelik (2007)
    • 9. Traditional AV overwhelmed by the volume of new threats: > 2000 new threats per hour
    • 10. Web threats come from labeled sources
      • AV protection networks have multiple layers of protection. Consider two layers:
        • Infection Layer: blocking the transfer & execution of malware on target computers; inspection based on file content (code, hash)
        • Exposure Layer: blocking access to/from sources capable of delivering malware; inspection based on source (URL, domain)
    • 11. Trend Micro Smart Protection Network
      • Block threats based on their sources, content & behavior
      • In addition to examining files for malicious content & behavior (file reputation):
        • Web reputation services identify and block bad web sites & URLs
        • E-mail reputation services identify and block spam by sender IP address
        • Correlation between layers enhances threat identification
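The two layers of slides 10 and 11 and the correlation between them, as an added example that is not Trend Micro's code: the exposure layer matches a download's source domain (including parent domains) against a list, the infection layer matches the file's SHA-256 digest, and a known-bad digest seen from an unlisted source feeds that source back into the exposure layer. Every list entry and every event is constructed for illustration; only trafficconverter.biz is taken from the slides.

```python
"""Exposure layer + infection layer with cross-layer correlation.

Added example, not Trend Micro's code: a minimal model of the two
layers described on slides 10-11 (source reputation by domain/URL,
content reputation by file hash) and of the correlation between them.
Every list entry and every event below is constructed for illustration;
only trafficconverter.biz is taken from the slides.
"""
from urllib.parse import urlparse

# Constructed exposure-layer data: domains known to serve malware.
BAD_DOMAINS = {"trafficconverter.biz"}
# Constructed infection-layer data: SHA-256 digests of known malware.
BAD_HASHES = {"a" * 64}


def host_of(url):
    """Hostname of a URL, lower-cased; '' if the URL has none."""
    return (urlparse(url).hostname or "").lower()


def domain_listed(host, bad_domains=BAD_DOMAINS):
    """Exposure layer: true if the host or any parent domain is listed,
    so malware served from dl.<listed-domain> is still caught. The bare
    TLD is never checked."""
    labels = host.split(".")
    return any(".".join(labels[i:]) in bad_domains for i in range(len(labels) - 1))


def hash_listed(sha256, bad_hashes=BAD_HASHES):
    """Infection layer: true if the file's digest is a known malware digest."""
    return sha256.lower() in bad_hashes


def classify(event, bad_domains, bad_hashes):
    """Verdict for one download event {'url': ..., 'sha256': ...}.

    Correlation rules:
      * listed source            -> block before content is inspected
      * listed hash, new source  -> block, and feed the source back into
                                    the exposure layer (the next download
                                    from it is blocked at the source)
    Returns (verdict, reason).
    """
    host = host_of(event["url"])
    if domain_listed(host, bad_domains):
        return "block", "exposure layer: %s is a listed source" % host
    if hash_listed(event["sha256"], bad_hashes):
        bad_domains.add(host)  # feedback from infection layer to exposure layer
        return "block", "infection layer: known hash; %s added to listed sources" % host
    return "allow", "no match in either layer"


def run(events, bad_domains, bad_hashes):
    """Classify events in observation order; the lists are mutated by feedback."""
    return [classify(e, bad_domains, bad_hashes) for e in events]


# Constructed download events, in the order they are observed.
EVENTS = [
    {"url": "http://update.example-cdn.test/a.exe", "sha256": "a" * 64},  # known hash, new host
    {"url": "http://update.example-cdn.test/b.exe", "sha256": "b" * 64},  # unknown hash, same host
    {"url": "http://www.example.org/readme.txt",    "sha256": "c" * 64},  # clean
    {"url": "http://dl.trafficconverter.biz/4",     "sha256": "d" * 64},  # subdomain of listed domain
]

if __name__ == "__main__":
    for event, (verdict, reason) in zip(EVENTS, run(EVENTS, set(BAD_DOMAINS), set(BAD_HASHES))):
        print(verdict, event["url"], "-", reason)
```

Run in order, the second event is blocked by the exposure layer even though its hash is unknown, because the first event's known-bad hash put the host on the source list; that is the slide's point that source-based blocking stops content the file layer has never seen. The parent-domain match is what catches the fourth event; matching the full hostname only would let a fresh subdomain through.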
    • 12. Deployed throughout Trend Micro products (slides 12-15 show the same deployment diagram, with e-mail reputation, web reputation and file reputation each marked at the points where it applies)
      • Software as a Service: InterScan™ Messaging Hosted Security
      • Gateway: InterScan™ Web Security, InterScan™ Messaging Security
      • Desktop & Server: OfficeScan™, ServerProtect™
      • Collaboration/Storage: ScanMail™, IM Security for OCS, SharePoint Portal solution
      • Security Management
      • Threat Management (Network): Threat Management, Firewall/UTM, IPS/IDS
      • Remote/Off Network clients
      • Covers incoming and outgoing threats; file reputation queries go through a file caching server to the Smart Protection Network
    • 16. Threats use the Internet after the initial infection: many mechanisms for initial malware infection, after which infected machines download their own malware piece parts and contact sites such as http://trafficconverter.biz/4, http://www.maxmind.com/, http://www.getmyip.org, http://getmyip.co.uk, http://checkip.dyndns.org
    • 17. Web reputation services block downloads by malware: the same second-stage downloads, blocked by web reputation
    • 18. It’s all interconnected in the cybercrime economy: start from a known malicious domain, use WHOIS to learn the registrant’s e-mail address, and more suspicious domains registered with it are found
    • 19. Powerful leverage through correlation among layers
      • Correlation Engine: log pool, scheduled jobs, event trigger, content retrieve / sniffer (retrieve the content if the related content is not found in content storage), analyzer with live feed and clustering, alert service (critical / warning, paired), validation & solution creation, solution adoption, solution distribution, operation
      • Inputs: e-mail, web, file, IP, domain; reputation results from FRS (file), WRS (web) and ERS (e-mail); black-list / white-list; feedback from end-points (with ID)
      • Outputs: summary result, reputation result
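The pivot of slide 18 (known malicious domain, WHOIS, registrant e-mail, more suspicious domains), as an added example rather than Trend Micro's correlation engine: it expands a seed set through shared WHOIS attributes over a constructed, offline WHOIS table. Every domain, e-mail address and name server is invented except trafficconverter.biz, which the slides cite; the offline table stands in for live WHOIS lookups. It also shows the two checks a practitioner needs before trusting such a pivot: never pivot on a privacy-proxy address, and cap the fan-out of an attribute so a shared hoster does not link unrelated sites.

```python
"""WHOIS pivot: from one known malicious domain to related domains.

Added example, not Trend Micro's correlation engine: it models the
slide-18 step (known malicious domain -> WHOIS -> registrant e-mail ->
more suspicious domains) over a constructed, offline WHOIS table.
Every domain, e-mail address and name server below is invented, except
trafficconverter.biz, which the slides cite; an offline table stands in
for live WHOIS lookups.
"""
from collections import defaultdict

EMAIL, NS = 0, 1  # field positions in a WHOIS record

# Constructed WHOIS records: domain -> (registrant e-mail, name server).
WHOIS = {
    "trafficconverter.biz":    ("reg-77@example-mail.test",  "ns1.bulk-dns.test"),
    "pay-now-update.test":     ("reg-77@example-mail.test",  "ns1.bulk-dns.test"),
    "secure-login-check.test": ("reg-77@example-mail.test",  "ns9.other.test"),
    "shop.example":            ("owner@shop.example",        "ns1.bulk-dns.test"),
    "evil-cdn.test":           ("privacy@proxy-whois.test",  "ns1.bulk-dns.test"),
    "blog.example":            ("privacy@proxy-whois.test",  "ns2.big-registrar.test"),
    "news.example":            ("privacy@proxy-whois.test",  "ns2.big-registrar.test"),
}

# Constructed list of WHOIS privacy services: thousands of unrelated
# domains share such an address, so it must never be used as a pivot.
PRIVACY_PROXIES = {"privacy@proxy-whois.test"}


def index_by(whois, field):
    """Invert the table: attribute value -> set of domains carrying it."""
    index = defaultdict(set)
    for domain, record in whois.items():
        index[record[field]].add(domain)
    return index


def pivot(whois, seeds, field=EMAIL, max_fanout=10, max_hops=2, skip=PRIVACY_PROXIES):
    """Expand `seeds` through a shared WHOIS attribute.

    Returns {new_domain: attribute_that_linked_it}. An attribute is not
    pivoted on if it is in `skip` or is shared by more than `max_fanout`
    domains (a shared hoster or placeholder, not a common owner).
    `max_hops` bounds transitive expansion through newly found domains.
    """
    index = index_by(whois, field)
    found = {}
    frontier = set(seeds)
    for _ in range(max_hops):
        next_frontier = set()
        for domain in frontier:
            if domain not in whois:
                continue  # no WHOIS record to pivot from
            attr = whois[domain][field]
            if attr in skip or len(index[attr]) > max_fanout:
                continue
            for other in index[attr]:
                if other not in seeds and other not in found:
                    found[other] = attr
                    next_frontier.add(other)
        frontier = next_frontier
        if not frontier:
            break
    return found


if __name__ == "__main__":
    seeds = {"trafficconverter.biz"}
    print("by registrant e-mail:", pivot(WHOIS, seeds))
    print("by name server:      ", pivot(WHOIS, seeds, field=NS))
```

Pivoting on the registrant e-mail yields only the two domains sharing the seed's registrant. Pivoting on the name server also pulls in shop.example, which merely uses the same hoster, so a name-server link is weaker evidence and is better used to corroborate an e-mail link than to flag on its own. Starting from a privacy-protected domain yields nothing, which is the correct outcome: the proxy address is not an owner.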
    • 20. … resolve obscured network boundaries
    • 21. … sort out confusing information transactions
    • 22. … clarify disguised website identities
    • 23. … and track cyber-criminal operations
    • 24. Today’s malware is big business
      • The Cybercrime Economy*
        • payout per adware install: $0.02 - $0.30
        • basic malware package: $1,000 - $2,000
        • exploit kit rental: $1 per hour
        • undetected info-seeking trojan: $80
        • distributed denial of service attack: $100 per day
        • 10,000 compromised PCs (zombies): $1,000
        • 1 million freshly harvested e-mails: $8 & up
        • stolen bank account credentials: $50 & up
        • credit card + validation info: $1 to $2
        • personal ID & their pet’s name: $10
      * prices may vary – find your local cybervandal-turned-entrepreneur
    • 25. Botnets viewed from the cyber-criminal side
      • Criminals: malware writer, bot herder, botnet command & controller (reached over IRC and DNS)
      • Infection vectors: spyware/trojan downloader, web drive-by downloader, e-mail spam, port scan, vulnerabilities, malicious URL
      • Host infection: fool the AV, wait for instructions, get updates from command & control; zombie management by the bot herder
      • Malicious activities: spam & phishing, DDoS, data leakage, adware/clickware, recruitment
    • 26. Smart Protection Network blocks at each link in a botnet: the diagram marks a break at the infection vectors, the host infection, the command & control channel, the zombie management and the malicious activities
    • 27. Let’s remove the fear of exchanging digital information ...
    • 28. … and return to where websites are what they appear to be
    • 29. Smart Protection Network: by the numbers
      • 5 billion queries handled daily
      • 1.2 terabytes of data processed daily
      • 1,000 dedicated content security experts at TrendLabs
      • 24/7 multiple data centers operating around the world
      • 50 million new IP addresses / URLs processed daily
      • 250 million malware samples processed each year
    • 30. Smart Protection Network: less complexity, more protection