Volume And Vectors 090416
Slide 1. Volume & Vectors: a radical shift in the digital threat landscape

Slides 2-5. Triple challenge to IT security
  - Changing IT (disappearing network boundaries)
      - BEFORE: 80%+ of daily info available inside the enterprise
      - NOW: 80%+ of daily info comes from outside the enterprise
  - Changing cybercrime (overwhelming volume of threats)
      - BEFORE: vandalism, simple fraud, opportunistic data theft
      - NOW: high-tech organized crime for huge profits
  - Changing protection (cloud-client protection networks)
      - BEFORE: latest threat info deployed to each computer
      - NOW: computers query a cloud database about suspected threats
Slide 6. Threats now mostly from the Internet
  Diagram: the TARGET is reached from the INTERNET (92%) and from REMOVABLE MEDIA (8%); threat types shown: worms, spyware, botnets, viruses.
  - Top threat infection vectors (how threats arrive on PCs)
      - Visits to malicious websites (42%)
      - Downloaded by other malware (34%)
      - E-mail attachments & links (9%)
      - Transfers from removable disks (8%)
      - Other (mostly via Internet) (7%)
  source: Trend Micro
Slide 7. Delivering today’s malware to the unprotected user
  Diagram: WEBSITES, FILE TRANSFERS, E-MAIL (spam, links & attachments) and REMOVABLE MEDIA carry worms, spyware, botnets and viruses from the INTERNET to the user.
Slide 8. Traditional AV: anti-malware at the gateway / endpoint
  Diagram: the same delivery channels (websites, file transfers, e-mail, removable media) feed threats through AV at the gateway / endpoint to the TARGET.
  “There is a desperate need for new standards for today’s anti-virus products. The dominant paradigm, scanning directories of files, is focused on old and known threats, and reveals little about product efficacy in the wild.” Williamson & Gorelik (2007)
Slide 9. Traditional AV overwhelmed by the volume of new threats
  Diagram: the same delivery channels and gateway / endpoint AV, now facing > 2000 new threats per hour.
Slide 10. Web threats come from labeled sources
  - AV protection networks have multiple layers of protection
      - Consider two layers:
          - Infection Layer: blocking the transfer & execution of malware on target computers; inspection based on file content (code, hash)
          - Exposure Layer: blocking access to/from sources capable of delivering malware; inspection based on source (URL, domain)
Slide 11. Trend Micro Smart Protection Network
  - Block threats based on their sources, content & behavior
  - In addition to examining files for malicious content & behavior:
      - Web reputation services identify and block bad web sites & URLs
      - E-mail reputation services identify and block spam by sender IP address
      - Correlation between layers enhances threat identification
  Diagram: WEB REPUTATION, EMAIL REPUTATION and FILE REPUTATION layers sit between the delivery channels and the TARGET.
Slide 12. Deployed throughout Trend Micro products
  Diagram: the Smart Protection Network in the cloud serves products at every tier, with incoming and outgoing threats crossing the Internet in both directions:
  - Software as a Service: InterScan™ Messaging Hosted Security
  - Gateway: InterScan™ Web Security, InterScan™ Messaging Security
  - Desktop & Server (including Remote/Off Network): ServerProtect™, OfficeScan™
  - Collaboration/Storage: ScanMail™, IM Security for OCS, Solution for SharePoint Portal
  - Security Management / Threat Management (Network): Firewall/UTM, IPS/IDS, Threat Management

Slide 13. Smart Protection Network – Email Reputation
  Diagram: the same deployment; e-mail reputation queries (E) from the messaging products are answered by IP reputation in the Smart Protection Network.

Slide 14. Smart Protection Network – Web Reputation
  Diagram: the same deployment; web reputation queries (W) from every tier are answered by URL reputation in the Smart Protection Network.

Slide 15. Smart Protection Network – File Reputation
  Diagram: the same deployment; file reputation queries (F) pass through a File Caching Server to file reputation in the Smart Protection Network.
Slide 16. Threats use the Internet after the initial infection
  Diagram: many mechanisms for initial malware infection; afterwards, infected machines download their own malware piece parts. URLs shown:
  http://trafficconverter.biz/4
  http://www.maxmind.com/
  http://www.getmyip.org
  http://getmyip.co.uk
  http://checkip.dyndns.org

Slide 17. Web reputation services block downloads by malware
  Diagram: the same post-infection downloads, with WEB REPUTATION blocking them.
Slide 18. It’s all interconnected in the cybercrime economy
  Diagram: starting from a known malicious domain, a WHOIS lookup reveals the registrar’s e-mail, and from that more suspicious domains are found; threat types shown: worms, spyware, botnets, viruses.
Slide 19. Powerful leverage through correlation among layers
  Diagram of the Correlation Engine: Log Pool, Scheduled Jobs, Event Trigger; Content Retrieve / Sniffer (retrieve the content if the related content is not found in content storage); Operation, Solution Distribution, Validation & Solution Creation, Solution Adoption; FRS / WRS / ERS; Black-list / White-list; Alert Service; Analyzer (Email, Web, File, IP, Domain, related content); Feedback (from end-point with ID); Live Feed; Clustering; Critical Warning (paired); Summary Result; Reputation Result.
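To make the two-layer model of slides 10 and 11 and the WHOIS pivot of slide 18 concrete, here is a small added illustration (not Trend Micro's code; all domains, IPs, hashes and registrant e-mails are constructed). It checks an event against an exposure layer (domain, sender IP) before an infection layer (file hash), and shows how correlating WHOIS data lets a known-bad domain flag sibling domains the file layer would never see.

```python
# Added example (not Trend Micro code): a toy two-layer reputation check with
# cross-layer correlation. All sample data below is constructed.
from dataclasses import dataclass

# Exposure layer: known-bad sources (constructed).
BAD_DOMAINS = {"bad-dl.example"}
BAD_SENDER_IPS = {"203.0.113.7"}
# Infection layer: known-bad file content keyed by SHA-256 (constructed hash).
BAD_HASHES = {"0" * 64: "TROJ-DOWNLOADER-SAMPLE"}
# WHOIS registrant e-mail per domain (constructed): the pivot for correlation.
WHOIS_EMAIL = {
    "bad-dl.example": "reg@mail.example",
    "bad-dl2.example": "reg@mail.example",   # same registrant as a known-bad domain
    "shop.example": "owner@shop.example",
}

@dataclass
class Event:
    domain: str = ""
    sender_ip: str = ""
    sha256: str = ""

def correlated_bad_domains(seed_domains):
    """Pivot from known-bad domains through the registrant e-mail to siblings."""
    emails = {WHOIS_EMAIL[d] for d in seed_domains if d in WHOIS_EMAIL}
    return {d for d, e in WHOIS_EMAIL.items() if e in emails}

def classify(ev, bad_domains=None):
    """Return (verdict, layer). The exposure layer is checked first: it is
    cheaper and blocks the download before any file reaches the endpoint."""
    bad_domains = BAD_DOMAINS if bad_domains is None else bad_domains
    if ev.domain and ev.domain in bad_domains:
        return "block", "exposure:web-reputation"
    if ev.sender_ip and ev.sender_ip in BAD_SENDER_IPS:
        return "block", "exposure:email-reputation"
    if ev.sha256 and ev.sha256 in BAD_HASHES:
        return "block", "infection:file-reputation"
    return "allow", "none"

def run(events):
    """Classify events using the domain list expanded by WHOIS correlation."""
    expanded = BAD_DOMAINS | correlated_bad_domains(BAD_DOMAINS)
    return [classify(ev, expanded) for ev in events]

if __name__ == "__main__":
    sample = [Event(domain="bad-dl2.example"), Event(sha256="0" * 64),
              Event(sender_ip="203.0.113.7"), Event(domain="shop.example")]
    for ev, (verdict, layer) in zip(sample, run(sample)):
        print(ev, verdict, layer)
```

Without the correlation step, bad-dl2.example is allowed; with it, the sibling domain is blocked at the exposure layer.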
Slides 20-23.
  … resolve obscured network boundaries
  … sort out confusing information transactions
  … clarify disguised website identities
  … and track cyber-criminal operations
Slide 24. Today’s malware is big business
  - The Cybercrime Economy*
      - payout per adware install: $0.02 - $0.30
      - basic malware package: $1,000 - $2,000
      - exploit kit rental: $1 per hr
      - undetected info-seeking trojan: $80
      - distributed denial of service attack: $100 per day
      - 10,000 compromised PCs (zombies): $1,000
      - 1 million freshly harvested e-mails: $8 & up
      - stolen bank account credentials: $50 & up
      - credit card + validation info: $1 to $2
      - personal ID & their pet’s name: $10
  * prices may vary – find your local cybervandal-turned-entrepreneur
  Threat types shown: worms, spyware, botnets, viruses.
Slide 25. Botnets viewed from the cyber-criminal side
  Diagram: Malware Writer and Criminals -> Bot Herder -> Botnet Command & Controller (IRC, DNS). Infection vectors: Spyware/Trojan Downloader, Web Drive-By Downloader, Email Spam, Port Scan, Vulnerabilities, Malicious URL. Host infection: Fool the AV, Wait for Instructions, Get Updates from Command & Control, Zombie Management. Recruitment and malicious activities: Spam & Phishing, DDoS, Data Leakage, Adware/Clickware.

Slide 26. Smart Protection Network blocks at each link in a botnet
  Diagram: the same botnet lifecycle, with five "Break" points placed along the chain from infection vector through host infection and command & control to recruitment and malicious activities.
Slide 27. Let’s remove the fear of exchanging digital information ...

Slide 28. … and return to where websites are what they appear to be (O.K.)
Slide 29. Smart Protection Network: by the numbers
  - 5 billion queries handled daily
  - 1.2 terabyte data processed daily
  - 1,000 dedicated content security experts at TrendLabs
  - 24/7 multiple data centers operating around the world
  - 50 million new IP addresses / URLs processed daily
  - 250 million malware samples processed each year
Slide 30. Smart Protection Network: less complexity, more protection