Volume & Vectors: a radical shift in the digital threat landscape
Triple challenge to IT security
  Changing IT
    BEFORE: 80%+ of daily info available inside the enterprise
    NOW: 80%+ of daily info comes from outside the enterprise
    Result: disappearing network boundaries
  Changing cybercrime
    BEFORE: vandalism, simple fraud, opportunistic data theft
    NOW: high-tech organized crime for huge profits
    Result: overwhelming volume of threats
  Changing protection
    BEFORE: latest threat info deployed to each computer
    NOW: computers query a cloud database about suspected threats
    Result: cloud-client protection networks
Threats now mostly from the Internet
  [Figure: worms, spyware, botnets and viruses reaching the target; 92% arrive via the Internet, 8% via removable media]
  Top threat infection vectors (how threats arrive on PCs):
    Visits to malicious websites (42%)
    Downloaded by other malware (34%)
    E-mail attachments & links (9%)
    Transfers from removable disks (8%)
    Other (mostly via Internet) (7%)
  source: Trend Micro
Delivering today’s malware to the unprotected user
  [Figure: worms, spyware, botnets and viruses reach the user from the Internet via websites, file transfers, e-mail spam (links & attachments) and removable media]
Traditional AV anti-malware at the gateway / endpoint
  [Figure: the same delivery paths (websites, file transfers, e-mail spam links & attachments, removable media), with AV placed at the gateway / endpoint in front of the target]
  “There is a desperate need for new standards for today’s anti-virus products. The dominant paradigm, scanning directories of files, is focused on old and known threats, and reveals little about product efficacy in the wild.” Williamson & Gorelik (2007)
Traditional AV overwhelmed by the volume of new threats
  [Figure: the same delivery paths, with AV at the gateway / endpoint facing a flood of threats]
  > 2000 new threats per hour
Web threats come from labeled sources
  AV protection networks have multiple layers of protection. Consider two layers:
    Infection Layer: blocking the transfer & execution of malware on target computers; inspection based on file content (code, hash)
    Exposure Layer: blocking access to/from sources capable of delivering malware; inspection based on source (URL, domain)
  [Figure: the same delivery paths, with the Exposure Layer in front of the Infection Layer]
Trend Micro Smart Protection Network
  Block threats based on their sources, content & behavior. In addition to examining files for malicious content & behavior:
    Web reputation services identify and block bad web sites & URLs
    E-mail reputation services identify and block spam by sender IP address
    Correlation between layers enhances threat identification
  [Figure: web reputation, e-mail reputation and file reputation services in front of the target]
Deployed throughout Trend Micro products
  [Figure: deployment diagram. Deployment points: Software as a Service, Gateway, Desktop & Server, Collaboration/Storage, Security Management, Threat Management (Network), Remote/Off Network, covering incoming and outgoing threats. Products shown: InterScan™ Messaging Hosted Security, InterScan™ Web Security, InterScan™ Messaging Security, ServerProtect™, OfficeScan™, ScanMail™, IM Security for OCS, SharePoint Portal solution, Firewall/UTM, IPS/IDS, Threat Management.]
  Smart Protection Network – Email Reputation: the marked products query the network with the sender IP address.
  Smart Protection Network – Web Reputation: the marked products query the network with the URL.
  Smart Protection Network – File Reputation: the marked products query the network about files, via a File Caching Server.
Threats use the Internet after the initial infection
  There are many mechanisms for the initial malware infection; afterwards, infected machines download their own malware piece parts from sites such as:
    http://trafficconverter.biz/4
    http://www.maxmind.com/
    http://www.getmyip.org
    http://getmyip.co.uk
    http://checkip.dyndns.org
Web reputation services block downloads by malware
  [Figure: the same post-infection downloads, stopped by Web Reputation]
It’s all interconnected in the cybercrime economy
  [Figure: starting from a known malicious domain, a WHOIS lookup reveals the registrar’s e-mail address, which leads to more suspicious domains being found; worms, spyware, botnets and viruses share this infrastructure]
Powerful leverage through correlation among layers
  [Figure: Correlation Engine. Inputs: Log Pool, Live Feed, Feedback (from end-point with ID), Scheduled Jobs and Event Trigger. Content Retrieve / Sniffer retrieves the content if the related content is not found in content storage. Analyzer covers Email, Web, File, IP and Domain, with Clustering. Operation: Validation & Solution Creation, Solution Distribution, Solution Adoption, feeding FRS / WRS / ERS (the file, web and e-mail reputation services) and the Black-list / White-list. Alert Service outputs: Critical Warning (paired), Summary Result, Reputation Result.]
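The two-layer model (exposure layer judging the source, infection layer judging the content) and the cross-layer correlation described here can be shown in a few lines. The following is an added example, not Trend Micro code and not a description of the Smart Protection Network's internals: the domain and hash reputation sets, the `ProtectionNetwork` class, and the download events are all constructed for illustration. It shows why correlation matters: once the infection layer catches a known-bad file from a previously unknown source, that source is promoted to the exposure-layer blocklist, so an already infected host fetching its next "piece part" from the same place is stopped before any content is transferred.

```python
"""Two-layer reputation filter with cross-layer correlation (added example)."""
import hashlib
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Constructed sample data, not real threat intelligence.
MALWARE_SAMPLE = b"CONSTRUCTED-MALWARE-PAYLOAD-0001"
KNOWN_BAD_HASHES = {hashlib.sha256(MALWARE_SAMPLE).hexdigest()}
KNOWN_BAD_DOMAINS = {"bad-source.example"}


@dataclass
class Verdict:
    action: str   # "allow" or "block"
    layer: str    # layer that decided: "exposure", "infection" or "none"
    reason: str


@dataclass
class ProtectionNetwork:
    """Hypothetical protection network holding the two reputation sets."""
    bad_domains: set = field(default_factory=set)
    bad_hashes: set = field(default_factory=set)
    correlated: list = field(default_factory=list)   # domains promoted by correlation

    @staticmethod
    def _host(url: str) -> str:
        return (urlparse(url).hostname or "").lower()

    def exposure_check(self, url: str) -> bool:
        """Exposure layer: judge the source (domain) before any content is fetched."""
        return self._host(url) in self.bad_domains

    def infection_check(self, payload: bytes) -> bool:
        """Infection layer: judge the content (SHA-256 hash) of what arrived."""
        return hashlib.sha256(payload).hexdigest() in self.bad_hashes

    def evaluate(self, url: str, payload: bytes) -> Verdict:
        host = self._host(url)
        if self.exposure_check(url):
            return Verdict("block", "exposure", f"{host} is on the domain blocklist")
        if self.infection_check(payload):
            # Correlation between layers: a source that delivered a known-bad file
            # becomes a bad source, so its next delivery is stopped at the exposure
            # layer without fetching or hashing anything.
            if host and host not in self.bad_domains:
                self.bad_domains.add(host)
                self.correlated.append(host)
            return Verdict("block", "infection", "file hash matches a known malware sample")
        return Verdict("allow", "none", "no reputation hit on source or content")


# Constructed download events: (url, payload bytes). Event 3 models an already
# infected host fetching its next piece part from the same, previously unknown source.
EVENTS = [
    ("http://bad-source.example/update.bin", b"never fetched, blocked on source alone"),
    ("http://unknown-cdn.example/stage2.bin", MALWARE_SAMPLE),
    ("http://unknown-cdn.example/stage3.bin", b"CONSTRUCTED-NEVER-SEEN-BEFORE-PAYLOAD"),
    ("http://clean.example/tool.zip", b"CONSTRUCTED-BENIGN-PAYLOAD"),
]


def run_demo() -> tuple[ProtectionNetwork, list[Verdict]]:
    """Run the constructed events through both layers and return network state and verdicts."""
    net = ProtectionNetwork(set(KNOWN_BAD_DOMAINS), set(KNOWN_BAD_HASHES))
    verdicts = [net.evaluate(url, payload) for url, payload in EVENTS]
    return net, verdicts


if __name__ == "__main__":
    net, verdicts = run_demo()
    for (url, _), v in zip(EVENTS, verdicts):
        print(f"{v.action:5} [{v.layer:9}] {url}: {v.reason}")
    print("domains added by correlation:", net.correlated)
```

Note the cost asymmetry the example makes visible: the exposure layer needs only the URL, while the infection layer needs the full payload and a hash, so every source that correlation promotes saves a transfer and a scan on the next attempt. A real feed would also expire entries and carry confidence scores; the example keeps plain sets so the control flow stays readable.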
Smart Protection Network helps …
  … resolve obscured network boundaries
  … sort out confusing information transactions
  … clarify disguised website identities
  … and track cyber-criminal operations
Today’s malware is big business
  The Cybercrime Economy*
    payout per adware install              $0.02 - $0.30
    basic malware package                  $1,000 - $2,000
    exploit kit rental                     $1 per hr
    undetected info-seeking trojan         $80
    distributed denial of service attack   $100 per day
    10,000 compromised PCs (zombies)       $1,000
    1 million freshly harvested e-mails    $8 & up
    stolen bank account credentials        $50 & up
    credit card + validation info          $1 to $2
    personal ID & their pet’s name         $10
  * prices may vary – find your local cybervandal-turned-entrepreneur
Botnets viewed from the cyber-criminal side
  [Figure: botnet lifecycle. Criminals: Malware Writer, Bot Herder, Botnet Command & Controller (IRC, DNS). Infection vectors: Spyware/Trojan Downloader, Web Drive-By Downloader, Email Spam, Port Scan, Vulnerabilities, Malicious URL. Host infection: Fool the AV, Wait for Instructions, Get Updates from Command & Control; Zombie Management. Recruitment and Malicious Activities: Spam & Phishing, DDoS, Data Leakage, Adware/Clickware.]
Smart Protection Network blocks at each link in a botnet
  [Figure: the same lifecycle, with a “Break” marked at each of the five links: infection vector, host infection, command & control, zombie management, and recruitment / malicious activities]
Let’s remove the fear of exchanging digital information ...
… and return to where websites are what they appear to be
Smart Protection Network: by the numbers
  5 billion queries handled daily
  1.2 terabyte of data processed daily
  1,000 dedicated content security experts at TrendLabs
  24/7 multiple data centers operating around the world
  50 million new IP addresses / URLs processed daily
  250 million malware samples processed each year
Smart Protection Network: less complexity, more protection

Volume And Vectors 090416