The document discusses advanced persistent threats and how traditional security methods are insufficient for dealing with them. It introduces Trend Micro's Deep Discovery and custom defense solutions, which use specialized threat detection, deep analysis, threat intelligence, and adaptive security updates to detect and block targeted attacks. This is done by monitoring networks for malicious content and communications, analyzing behaviors, and gaining insights to rapidly respond to and remediate threats.
Countering the Advanced Persistent Threat Challenge with Deep Discovery (Trend Micro)
Targeted attacks and advanced persistent threats (APTs) are becoming the new norm of cyber security threats, encompassing organized, focused efforts that are custom-created to penetrate enterprises and government agencies for valuable data, trade secrets, and access to internal systems. We explore the anatomy of targeted attacks: the inner workings of the APT lifecycle, along with an in-depth overview of the Trend Micro Deep Discovery advanced threat protection solution, and how it enables enterprise IT to adopt a custom defense strategy that modernizes its risk management program to defend against targeted attacks.
The Custom Defense Against Targeted Attacks (Trend Micro)
Advanced persistent threats (APTs) and targeted attacks have a proven ability to penetrate standard security defenses and remain undetected for months while siphoning valuable data or carrying out destructive actions. We review the challenges faced by information security leaders, their options for dealing with attackers, and how a Custom Defense approach deploys a comprehensive Detect, Analyze, Adapt, Respond lifecycle that enhances current security investments while providing new weapons to fight back against their attackers.
The variety and complexity of cyber attacks is increasing. The attackers have a strong economic and political motivation thus leading to organized and targeted attacks. We have concluded that intrusions are inevitable, and have focused on strategies to work through the attack while limiting the losses. Our approach, called Self Cleansing Intrusion Tolerance (SCIT), leads to the next generation of secure servers. SCIT shifts the focus from intrusion avoidance to reducing the losses resulting from an intrusion. This additional layer of defense is justified, because the current reactive approaches cannot keep up with the rapidly increasing new threats.
In the cloud, data is not tied to one server or even one group of servers, and it can be accessed from multiple devices simultaneously. To protect data, therefore, security solutions must shift from defense of a fixed perimeter towards an approach that protects the data as it travels from physical to virtual to cloud environments.
In the post-PC era, Trend Micro envisions a smart, data-centric security framework that advances the capabilities of our cloud-based Smart Protection Network™, adds smarter threat protection that correlates local threat intelligence; smarter data protection that follows and protects your data; and unified security management that increases visibility into data access and potential attacks.
This presentation was given at the Information Security Executive Summit on 28th / 29th February 2012
Advanced Persistent Threats (Shining the Light on the Industries' Best Kept S... (Security B-Sides)
The following lecture will cover very advanced techniques and tradecraft of subversive multi-vector threats (SMTs) and advanced persistent threats (APTs) by two of the world's leading experts in this specific field. It is important to understand that APTs have a long history and, though typically not talked about unless you are dealing with Governments, the Defense Industrial Base (DIB), research organizations and global financials, are all too real. The techniques and tradecraft associated with them are so mature and diverse that they literally go undetected. Today’s Internet is far more complex, dynamic and diverse than ever before. Because of this fast-paced evolution within the threat landscape, these types of attacks (as we predicted in a recent lecture at ToorCon in October 2009 in San Diego, Ca) have swiftly become mainstream. The telemetry of the attack surface knows no bounds and includes any mediums necessary for completing their operational charter and missions. In most instances, these attacks are sponsored by nation state and sub-national entities, either politically or economically motivated. During our discussion, we will address the history and psychology of these cyber actors as it relates to APTs, while advancing into an in-depth discussion on SMTs, crypto-virology, asymmetric forms of information gathering, recent use cases and next generation countermeasures for detecting and defending against these types of attacks. Lastly, as we predicted last fall on the rise of APTs into the mainstream, we will also leave you with yet another prediction of what to expect in the coming year.
Attacks are evolving and so must the response – but how? This presentation explores how you get beyond the APT hype and strike a sensible balance between security expenditure and commercial risk. We explain what you need to keep doing, what’s new and what’s no longer effective.
Secure Your Virtualized Environment. Protection from Advanced Persistent Thre... (Acrodex)
Trend Micro Deep Security
#1 Security Platform for Virtualization and the cloud
Trend Micro Deep Discovery
Combating Advanced Persistent Threats (APTs)
Trend Micro Mobile Security
Manage and control your mobile devices (BYOD)
Peter Wood has worked as an ethical hacker for the past 20 years, with clients in sectors as diverse as banking, insurance, retail and manufacturing. He will describe how advanced persistent threats operate from a security intelligence perspective, based on published case studies and analysis. He will highlight APT entry points and exploitation techniques and suggest practical prevention and detection strategies.
Gainful Information Security is an information security and systems development firm established in Harare, Zimbabwe in 2007 to partner with African private and public sectors for a secure, efficient and cost-effective information lifecycle.
IBM Security Strategy Intelligence, Integration and Expertise
by Marc van Zadelhoff, VP, WW Strategy and Product Management and Joe Ruthven IBM MEA Security Leader
2. Traditional Security is Insufficient
• Advanced Persistent Threats
• Empowered Employees
• Elastic Perimeter
Trend Micro evaluations find over 90% of enterprise networks contain active malware!
Copyright 2012 Trend Micro Inc.
4. Custom Attacks
• Today’s most dangerous attacks are those targeted directly and specifically at an organization: its people, its systems, its vulnerabilities, its data.
10/9/2012 Confidential | Copyright 2012 Trend Micro Inc. 4
5. Deep Discovery & The Custom Defense
Advanced Threat Protection: Network Threat Detection (Deep Discovery)
6. APT Activity
Specialized Threat Detection Across the Attack Sequence
Malicious Content
• Emails containing embedded document exploits
• Drive-by downloads
• Zero-day and known malware
Suspect Communication
• C&C communication for any type of malware & bots
• Backdoor activity by attacker
Attack Behavior
• Malware activity: propagation, downloading, spamming . . .
• Attacker activity: scan, brute force, tool downloads
• Data exfiltration communication
7. Switch of mental approach
• Terrorist Paradox
  – We have to win all the time to defend
  – They only have to get it right once to win
• Advanced Threats
  – Many steps have to execute in turn to steal my data
  – I only need to spot one step to thwart them
8. Deep Discovery & The Custom Defense
Advanced Threat Protection: Network Threat Detection (Deep Discovery); Attack Analysis & Intelligence
9. Automated Analysis
Diagram elements (labelled Bandwidth): Live Cloud Lookup, Advanced Heuristics, Threat Intelligence, Sandbox Analysis, Focused Manual Investigation
Output to SIEM
10. Deep Discovery Advisor
Threat Intelligence Center
• In-Depth Contextual Analysis including simulation results, asset profiles and additional security events
• Integrated Threat Connect Intelligence included in analysis results
• Enhanced Threat Investigation and Visualization capabilities
• Highly Customizable Dashboard, Reports & Alerts
• Centralized Visibility and Reporting across Deep Discovery Inspector units
Threat Connect Intelligence
11. Deep Discovery & The Custom Defense
Advanced Threat Protection: Network Threat Detection (Deep Discovery); Attack Analysis & Intelligence; Adaptive Security Updates; Containment & Remediation
12. The Custom Defense
• Specialized Threat Detection at network and protection points
• Deep analysis based on custom sandboxing and relevant global intel
• Custom security blacklists & signatures block further attack
• Context-relevant views & intel guide rapid remediation response
13. The Custom Defense In Action
Advanced Email Protection: InterScan Messaging Security or ScanMail (Anti-spam, Anti-phishing, Web Reputation, Anti-malware, Advanced Threat Detection)
Deep Discovery Advisor: Threat Analyzer, Threat Intelligence Center, Security Update Server
• Blocking of targeted spear phishing emails and document exploits via custom sandboxing
• Central analysis of detections
• Automated updates of malicious quarantine IP/Domains
• Search & Destroy function
14. So what does that look like in context?
Diagram: Outer Perimeter; Inner Perimeters around each Valuable Server; Endpoints
15. Deep Discovery
Out of band network data feed of all network traffic
Simulate, Analyze, Correlate
• Detect Malicious Content and Communication
• Identify Attack Behaviour & Reduce False Positives
Visibility – Real-time Dashboards
Insight – Risk-based Analysis
Action – Remediation Intelligence
16. Deep Security
Inner Perimeter for valuable assets
Deep Security modules: Deep Packet Inspection, Firewall, Anti-Virus, Log Inspection, Integrity Monitoring, protecting VMs on the hypervisor
Traditional Security works against Traditional Threats. It’s not designed to cope with Targeted attacks. Partly because they are unique and so harder to spot. Partly because changes in how we are using IT, such as cloud and mobile, make the perimeter less effective than it used to be.
But… Don’t throw the baby out with the bath water! Spotting a targeted attack on your network is like finding a needle in a haystack. The way to do it isn’t to start with the biggest haystack possible and throw in lots of pins that look very like needles to confuse the situation. It’s all about filtering. Eliminate standard threats as close to source as you can to make it easier to spot the really clever stuff.
Deep Discovery specialized threat detection focuses on 3 key areas to discover attacks during every phase of activity:
Malicious Content (steps 2,3): Deep Discovery detects zero-day and advanced malware – including document exploits and drive-by downloads – used during the initial compromise or later C&C downloads.
Suspect Communications (step 3): Deep Discovery detects the C&C communications used by modern malware, as well as backdoor manipulations by remote attackers.
Attack Behavior (steps 4,5,6): Deep Discovery detects both malware and hacker network behaviors that indicate propagation, scanning, irregular activity, and suspect data access and transmission.
Today you hear of products that find malware by sandboxing executables or detecting some botnet traffic, but only Deep Discovery identifies the malicious content, communications and behaviors of malware and human attacker activity across all phases of the attack cycle.
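The two ideas in these notes and on slide 7 (filter commodity threats first so the targeted attack is easier to spot; an attacker must complete every step, so detecting any one step is enough) as an added example, not Trend Micro's code. The event categories follow slide 6, the step numbers follow the notes above, and all events and detection rates are constructed.

```python
# Added example (not Trend Micro's code): a minimal kill-chain correlator.
# Slide 7: the attacker must complete every step of the chain, so a defender
# who detects any single step wins. Speaker notes: drop commodity threats
# first so the targeted attack is easier to spot. All data is constructed.
from collections import defaultdict
from math import prod

# The three detection areas on slide 6, mapped to the attack steps that the
# speaker notes assign to each area.
PHASES = {
    "malicious_content": {2, 3},      # document exploits, drive-by downloads
    "suspect_communication": {3},     # C&C traffic, backdoor activity
    "attack_behavior": {4, 5, 6},     # scanning, brute force, exfiltration
}

# Constructed events: (host, category, detail). "known" marks commodity
# malware that standard signatures already handle (the haystack).
SAMPLE_EVENTS = [
    ("wks-17", "known", "EICAR test file blocked by AV"),
    ("wks-17", "malicious_content", "DOC with embedded exploit via email"),
    ("wks-17", "suspect_communication", "beacon to unknown host every 60s"),
    ("wks-42", "known", "adware bundle blocked"),
    ("srv-db", "attack_behavior", "brute force against DB login from wks-17"),
]


def filter_commodity(events):
    """Eliminate events already covered by standard defenses."""
    return [e for e in events if e[1] != "known"]


def steps_seen_per_host(events):
    """Map each host to the set of attack steps its events correspond to."""
    seen = defaultdict(set)
    for host, category, _detail in events:
        seen[host] |= PHASES.get(category, set())
    return dict(seen)


def flagged_hosts(events):
    """A host is flagged as soon as any single step of the chain is seen."""
    per_host = steps_seen_per_host(events)
    return sorted(host for host, steps in per_host.items() if steps)


def chance_attack_goes_unnoticed(detect_rates):
    """Slide 7 in numbers: the attacker needs every step to pass undetected,
    so the odds of running the whole chain silently multiply across steps."""
    return prod(1.0 - d for d in detect_rates)
```

With a modest 30% detection rate at each of six steps, the attacker's chance of completing the chain without tripping a single detection is 0.7^6, roughly 12%.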
We need a switch of mental approach
Centralized management of all deployed Deep Discovery units provides consolidated threat management and enhanced analysis and reporting in a single console:
• Centralized Visibility and Reporting over multiple instances of Deep Discovery
• Enhanced Threat Investigation and Visualization capabilities
• Highly Customizable Dashboard, Reports & Alerts
• Context-based Risk Assessment by enriching events with location and asset severity information