Protecting Your Endpoints and Datacenter

Page 1

Page 2

Stop Bad People, Allow Good People, Deal with a tiny bit of Grey

Techniques shown: Anti Malware, Blacklisting, Content Filtering, Encryption, Whitelisting, Application Control

Page 3

Dealing with Just Black is not working

Infographic callouts:

• Zero Day: 118

• Discovered Vulnerabilities: over 1000 in 2017

• New Ransomware Variants: monthly average 27

• Ransomware as a service is getting popular

Page 4

Dealing with Just White is not Working

• Good Apps gone bad

• Insider Threats

• Stolen Credentials

• Business Email Compromise

Page 5

…and that little bit of Grey!

Infographic callouts:

• Average cost of a breach: $4,000,000

• 53% of attacks discovered externally

• 99 days before targeted attacks are detected

Page 6

Fifty Shades of Grey

• Fileless malware

• Pre-disclosed and unpatched vulnerabilities

• Attacks using native scripts

Page 7

© 2019 Trend Micro Inc.

• Cloud and Virtualization

• Consumerization (Devices, WFH, Apps…)

• Complex Networks

Page 9

All of our solutions are powered by XGen™ security, which leverages a cross-generational blend of threat-defense techniques.

Page 10

SMART: Maximizes protection

• Application Control

• Behavioral Analysis

• Response & Containment

• Intrusion Prevention

• Machine Learning

• Sandbox Analysis

• Integrity Monitoring

• Anti-Malware & Content Filtering

Page 11

OPTIMIZED: Minimizes IT impact

• Application Control

• Behavioral Analysis

• Response & Containment

• Intrusion Prevention

• Machine Learning

• Sandbox Analysis

• Integrity Monitoring

• Anti-Malware & Content Filtering

Page 12

OPTIMIZED: Minimizes IT impact

Deployment options shown: SaaS, CSP, Software, Appliance Software, MSP

Page 13

CONNECTED: Speeds time to protect, detect and respond

Page 14

New Trends in Endpoint Protection

Page 15

Smart: The Right Technique At The Right Time

Techniques shown: Web & File Reputation, Exploit Prevention, Application Control, Variant Protection, Pre-execution Machine Learning, Behavioral Analysis, Runtime Machine Learning, Noise Cancellation, Custom Sandbox Analysis, Investigation & Response

Outcomes: Safe files allowed; Malicious files blocked

Legend: Known Good Data, Known Bad Data, Unknown Data

Page 16

Endpoint Detection and Response (EDR)

1. Endpoint Data Recording

• Network, event, process, files, commands, operations, etc.

• Tons of telemetry data points

• Stored on endpoints or in server, or a hybrid approach

2. Investigation of Data & Responding

• Sweep (search) for Indicators of Compromise to understand the impact of detections

• Hunt for Indicators of Attack based on behavior rules or threat intelligence. Automatic (detection) or manual

• Find the root cause of a detection and remediate/prevent/investigate again

Page 17

Powerful Investigative Capabilities (EDR)

Investigation:

• IOC Sweeping (server-side metadata sweep)

• Patient Zero ID / Root Cause Analysis

• IOA Behavior Hunting/Detection

NEW:

• APIs for query / automation

• MDR Service Support (Win/Mac)

• Modern UX w/ prioritized guidance

• Unknown file guidance

Page 18

POST DETECTION

“How did this happen?”

“Who else has been affected?”

“How do I respond?”

Page 19

Apex Central™ Management Console

• Single console/workflow

• Seamless integration of EDR investigation and automated detection/response

• Select any detection to investigate

Page 20

Determine what other users may have been impacted

• Endpoint protection shows detection (in this case there was one)

• But were more users impacted before it was “known”?

• Select Analyze Impact to sweep for more

Page 21

Impact Assessment

• Impact assessment found five more undetected instances

• Root Cause Analysis begins for all detected users

• Users can be isolated at any time (without firewalls)

Page 22

Root Cause Analysis Results

• Simplified or full graphical “kill chain” diagram (can also be tabular)

• Enhanced with Trend intelligence and guidance

Page 23

Response Options

• Selecting an object provides more details

• Options for termination, creating a detection pattern, or further investigation

Page 24

PRE DETECTION

“Am I protected?”

“What if…”

Page 25

Multiple Ways to Hunt for Attacks:

• User Defined Suspicious Objects (UDSO) from Deep Discovery

Page 26

Sources of Intelligence to Hunt with:

• User Defined Suspicious Objects (UDSO)

• OpenIOC (Indicator of Compromise) or STIX from threat feed

• Customized Criteria:

  • Host (host name and IP address are included)

  • Filename, path, and SHA-1 hash value

  • User account

  • Windows auto-run registry

  • Command lines
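As an added example (not code from the deck or from Trend Micro), a small Python sweep that matches the customized hunt criteria listed above (SHA-1 hash, Windows auto-run registry key, file path) against endpoint telemetry and reports which hosts are affected, the way an impact assessment would; every telemetry record, hash and registry key in it is constructed for the demonstration.

```python
"""Constructed IOC sweep over endpoint telemetry (example code, not Trend Micro's):
hunt criteria are host/IP, path/SHA-1, user, auto-run registry key and command
line; the sweep reports which recorded endpoints match (impact of a detection)."""
import hashlib
from collections import defaultdict

SAMPLE_SHA1 = hashlib.sha1(b"constructed-sample-binary").hexdigest()  # hypothetical bad file

# Constructed telemetry records, one per recorded process event.
TELEMETRY = [
    {"host": "ws-01", "ip": "10.0.0.11", "user": "alice", "sha1": SAMPLE_SHA1,
     "path": r"C:\Users\alice\AppData\Local\Temp\update.exe", "cmdline": "update.exe /silent",
     "autorun": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Updater"},
    {"host": "ws-02", "ip": "10.0.0.12", "user": "bob", "autorun": "",
     "sha1": hashlib.sha1(b"benign-notepad").hexdigest(),
     "path": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe notes.txt"},
    {"host": "ws-03", "ip": "10.0.0.13", "user": "carol", "sha1": SAMPLE_SHA1, "autorun": "",
     "path": r"C:\ProgramData\Update.EXE", "cmdline": "Update.EXE /silent"},  # same file, other path
    {"host": "srv-01", "ip": "10.0.0.50", "user": "svc_backup", "autorun": "",
     "sha1": hashlib.sha1(b"benign-cmd").hexdigest(),
     "path": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe /c dir"},
]

# Example criteria: file hash, persistence key (written with the long hive name on
# purpose) and a path fragment; results carry the matched kind so weak hits stand out.
EXAMPLE_IOCS = [
    ("sha1", SAMPLE_SHA1),
    ("autorun", r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Updater"),
    ("path", r"\update.exe"),
]

def normalize(kind, value):
    """Case-fold; expand registry hive names so HKLM == HKEY_LOCAL_MACHINE."""
    v = value.strip().lower()
    if kind == "autorun":
        v = v.replace("hkey_local_machine", "hklm").replace("hkey_current_user", "hkcu")
    return v

def sweep(iocs, telemetry=TELEMETRY):
    """Return {host: ['kind=value', ...]} for every record that hits an IOC."""
    hits = defaultdict(list)
    for rec in telemetry:
        for kind, pattern in iocs:
            observed, wanted = normalize(kind, rec[kind]), normalize(kind, pattern)
            # Hashes, hosts, IPs, users, registry keys: exact; paths, command lines: substring.
            matched = wanted in observed if kind in ("path", "cmdline") else observed == wanted
            if matched:
                hits[rec["host"]].append(f"{kind}={pattern}")
    return dict(hits)

def impact_summary(iocs, telemetry=TELEMETRY):
    """Impact assessment: affected hosts versus all hosts that reported telemetry."""
    hits = sweep(iocs, telemetry)
    return {"affected_hosts": sorted(hits), "total_hosts": len({r["host"] for r in telemetry})}
```

With the constructed data, the single detection on ws-01 turns into two affected hosts once the hash is swept, and the path-only hit on ws-03 is labelled as such so an analyst can weigh it against the stronger hash match.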

Page 27 to Page 29

Preliminary Assessment:

• Initial assessment based on single or multiple search items

• Results with threat intelligence and prevalence

• Generate Root Cause Analysis for further investigation

Page 30

Root Cause Analysis:

• Initial assessment based on single or multiple search items

• Results with threat intelligence and prevalence

• Generate Root Cause Analysis for further investigation

Page 31

POST DETECTION

“How did this happen?”

“Who else has been affected?”

“How do I respond?”

PRE DETECTION

“Am I protected?”

“What if…”

Page 32

Managed Detection and Response

SENSORS

• Apex One™ with integrated Endpoint Sensor

• Deep Discovery Inspector

• Deep Security

RESPONSE

• Delivered to management console

• Automated security updates

SERVICE PLATFORM: Trend Micro Analysts, Expert Rules, Threat Intelligence, Machine Learning

Page 33

Datacenter Protection

Page 34

Hybrid Cloud Security Solution

Network Security (Stop network attacks, shield vulnerable applications & servers)

• Firewall

• Vulnerability Scanning

• Intrusion Prevention

Malware Prevention (Stop malware & targeted attacks)

• Anti-Malware

• Sandbox Analysis

• Behavioral Analysis & Machine Learning (2H/17)

System Security (Lock down systems & detect suspicious activity)

• Application Control

• Integrity Monitoring

• Log Inspection

Page 35

New Technologies…

Page 36

Detecting Credential Phishing with Computer Vision

Patent pending

Page 37

Email Account Takeover Attacks

Page 38

Credential Phishing Sites Look Convincing

• Fake URL, sometimes showing a valid SSL certificate, sometimes within a legitimate domain

• Favicon is identical or similar to the real website

• Login form looks similar to the real website

• Displays user’s email address in form

Page 39

Detecting Credential Phishing Attacks with Computer Vision + AI

▪ After pre-filtering, computer vision image analysis and machine learning analyze branded elements, login form, other site content

▪ Combines with site reputation elements and OCR to recognize fake sites while reducing false positives

URL reputation check: CAS blocked 2.8M additional malicious URLs in 2017

Computer Vision + AI: real-time detection of fake credential sites

Page 40

AI based Business Email Compromise (BEC) Detection

Behavior + Intention analysis

• Behavior: Routing behavior, Cousin domain, High-profile user similarity, …

• Intention: Financial impact, Urgency, …

New! Authorship analysis: WRITING STYLE DNA

Page 41

What Is Writing Style DNA?

• Everyone has a unique style of writing when viewed across hundreds of emails

• Writing Style DNA detects email forgeries by comparing to a trained AI model of a user’s writing style

Three Enron execs with different styles

Page 42

Simplified Graphical Representation of Training the AI Model

Page 43

Workflow of Writing Style DNA

Imposter sends email to “Max” impersonating “Eva” (Impersonated User, exec). Recipient: “Max”.

Max,

How are you doing? There is something that I need your assistance with, let me know if you are less busy so I can give you the details

Regards,
Eva

Trend Micro Cloud App Security / ScanMail: doesn’t match AI model of “Eva’s” Writing Style DNA. Result: Warning; Confirmation.

Page 44

Writing Style DNA demo

Page 45

Thank You!