Post on 28-Feb-2020

IT-Security-Symposium 2019: IT Security in Focus

Apex One: The New Complete Solution for Endpoint Protection

Özgür Isik – Channel Presales Engineer

© 2019 Trend Micro Inc.

Agenda
• Architecture of Apex One and Apex One as a Service
• Security modules & services
  – iProducts
  – Endpoint Detection & Response functionality
  – Managed Detection and Response
• Migration and upgrade
  – Hybrid operation
• Q&A


Apex One as a Service
• Introduction to the topic


Trend Micro Apex One™
“One” is part of the product name, not the version number.

Apex = the highest point of a shape [best view, everything in sight]


How do I start with a trial license?
Register a trial: https://www.trendmicro.com/product_trials/service/index/us/165

Flow: ❶ Trial form → ❷ Trial confirmation → ❸ Provision → ❹ Provision completed


Trial license
• Validity: 30 days
• The trial includes:
  – Apex Central as a Service
  – Apex One as a Service
    • Data Loss Prevention
    • Endpoint Application Control
    • Vulnerability Protection
  – Apex One for Mac
  – Endpoint Sensor
  – Sandbox as a Service


Starting with an SPE/SPC license

Flow: ❶ CLP console → ❷ Select Apex One as a Service → ❸ Click Open Console → ❹ Provision → ❺ Provision completed


Starting with an SPE/SPC license

Starts the rollout of the service for the customer.


License contents with SPE/SPC
• Apex Central as a Service
• Apex One as a Service
  – Data Loss Prevention
  – Endpoint Application Control
  – Vulnerability Protection
• Apex One for Mac
• Add-on:
  – Endpoint Sensor
  – Sandbox as a Service


Apex One as a Service
• Architecture


• West Europe, Amsterdam (primary)
• North Europe, Dublin (backup)
• Central US, Iowa (primary)
• East US 2, Virginia (backup)

1. European data center for European customers
2. US data center for the rest of the world


Management of the solution
• Two servers are provisioned
  – Apex Central
  – Apex One
• A maximum of 4 databases
  – Apex Central
  – Apex One
  – Endpoint Sensor
  – Apex One (Mac)


Agent Platform Support
Platform support (agents), compared across OfficeScan XG, OfficeScan XG SP1 and Apex One:
• Windows XP (5.1)
• Windows 7 (6.1)
• Windows 8 (6.2)
• Windows 8.1 (6.3)
• Windows 10 (10.0)
• Windows Server 2003 (5.2)
• Windows Server 2008 (6.0)
• Windows Server 2008 R2 (6.1)
• Windows Server 2012 (6.2)
• Windows Server 2012 R2 (6.3)
• Windows Server 2016 R2 (10)
• Windows Server 2019


Apex One (on premise)

Optional: Edge Relay – management of external clients
  – Policy
  – SO handling
  – Updates
  – Logs & status

Optional: Smart Protection Server standalone
  – Web reputation
  – File reputation


Modules & new features


Protection layers: Entry point → Pre-execution → Runtime → Exit point


Entry Point
Threats: malicious site, OS vulnerability exploit, browser exploit, malicious USB

• Web Reputation: blocks connections at kernel level (not only in web browsers)
• Virtual Patching: blocks new exploits with the industry’s most timely vulnerability research
• Browser Exploit Protection: detects exploits based on script inspection & site behavior
• Device Control: blocks unknown removable media devices on Windows and Mac OS

Trend Micro ZDI detected 66% of all vulnerabilities in 2017. This powers unmatched timeliness for virtual patches.


Pre-execution
Threats: file-based threat (e.g. EXE, DLL, Office document w/ macros), on disk and in memory

• Packer Detection: identifies packed malware in memory as it unpacks, prior to execution
• Application Control: blocks execution of anything that isn’t on the (easily manageable) white list
• Variant Protection: detects mutations of malicious samples by recognizing known fragments of malware code
• File-based Signature: detects known-bad files (with 3 billion detections globally in 1H/2018)
• Predictive Machine Learning: scores the file against a cloud-based or local/offline model to detect previously unknown threats


Run-time
Threats: anything executing (EXE, DLL, PowerShell, document behavior inside MS Office, etc.), in memory

• Runtime Machine Learning: scores real-time behavior against a cloud model to detect previously unknown threats
• IOA Behavioral Analysis: detects behavior that matches known indicators of attack (IOA), including ransomware encryption behaviors and script launching
• In-memory runtime analysis: malicious script detection, malicious code injection, runtime un-pack detection


Exit Point
Threats: command and control server, data exfiltration, lateral movement

• Web Reputation: blocks connections at kernel level (not only in web browsers)
• Host Intrusion Prevention: detects and blocks lateral movement behavior
• Data Exfiltration Detection (DLP): detects and blocks sensitive data leaving the endpoint
• Device Control: blocks unknown removable media devices


Automated Response
• Isolation
• Quarantine
• Process kill
• Execution block
• Damage rollback
• API capabilities
• Rapid response protection updates to other endpoints/products (manual)


iProducts in detail


Integrated Vulnerability Protection


Definition of terms (window analogy)
• Burglar-proof glass vs. normal glass, contrary to your knowledge → vulnerability / weakness, zero day
• Exploit
• Payload


Definition of terms
• Vulnerability or weakness
  – Susceptibility to attacks due to flaws in the programming, logic, etc.
• Exploit
  – A method of breaking into the system by taking advantage of a vulnerability
• Payload
  – The malicious code that the attack pushes into the system


Advantage: deployment is effortless and carries no risk


Integrated Application Control


Application control
• User- and device-based rules
• Allow & block
• Lockdown


Best practice
• Start with a Block (Assessment) criterion
  – E.g., select all categories in the Certified Safe Software List
• Assign the policy to Apex One™ Security Agents
• Review the Application Control violation detections manually
  – The widget provides an easy-to-filter entry point
• Refine the criteria and approve recognized software
  – Unselect the categories from the Certified Safe Software List
  – Create Allow criteria to exempt software from screening


What is defined, and how?
• Certified Safe Software List (from Trend Micro)
• File paths
• Certificates
• Hash values
• Gray Software List (from Trend Micro)
• Suspicious Object List (generated by your systems, such as Sandbox or EDR)


Building rules
• Be careful when defining rules!
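The assessment-then-refine workflow of the preceding slides, and the warning about rule definition, as an added example in Python. This is not Trend Micro code and does not model the product's policy engine: it is a small allow-list evaluator with an assessment (log-only) mode, allow criteria by hash, certificate signer, path and safe-software category, and a check for allow-by-path rules rooted in user-writable directories. The events, policies, signer names, categories and directory list are all constructed for the example.

```python
"""Application-control allow-list evaluator with an assessment mode.

Added example, not Trend Micro code. It mirrors the workflow on the
slides: start with a block criterion in assessment (log-only) mode, review
the violations, then refine with allow criteria by hash, certificate
signer, path and vendor safe-software category. All names, lists and
execution events are constructed for the example.
"""
from dataclasses import dataclass, field
from typing import Optional

# Directories an ordinary user can write to; allow-by-path rules rooted here
# let any dropped binary through (constructed list, Windows paths).
USER_WRITABLE_ROOTS = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")


@dataclass
class ExecEvent:
    path: str
    sha1: str
    signer: Optional[str] = None      # subject of the code-signing certificate
    category: str = "unknown"         # category from the vendor safe-software list


@dataclass
class Policy:
    mode: str = "assessment"          # "assessment" logs only, "lockdown" blocks
    allow_hashes: set = field(default_factory=set)
    allow_signers: set = field(default_factory=set)
    allow_paths: set = field(default_factory=set)
    safe_categories: set = field(default_factory=set)
    suspicious_hashes: set = field(default_factory=set)   # from sandbox/EDR


def _norm(path: str) -> str:
    return path.lower().replace("/", "\\")


def allow_reason(policy: Policy, ev: ExecEvent) -> Optional[str]:
    """Name of the first allow criterion that matches, or None."""
    if ev.sha1 in policy.suspicious_hashes:
        return None                   # suspicious objects are never allowed
    if ev.sha1 in policy.allow_hashes:
        return "hash"
    if ev.signer and ev.signer in policy.allow_signers:
        return "certificate"
    if any(_norm(ev.path).startswith(_norm(p)) for p in policy.allow_paths):
        return "path"
    if ev.category in policy.safe_categories:
        return "safe-software-list"
    return None


def evaluate(policy: Policy, ev: ExecEvent) -> tuple:
    """Return ("allow"|"log"|"block", reason) for one execution attempt."""
    reason = allow_reason(policy, ev)
    if reason:
        return ("allow", reason)
    if policy.mode == "assessment":
        return ("log", "no allow criterion matched (assessment only)")
    return ("block", "no allow criterion matched")


def review_violations(policy: Policy, events: list) -> list:
    """Assessment review: events that lockdown would block under this policy."""
    return [ev for ev in events if evaluate(policy, ev)[0] != "allow"]


def risky_allow_paths(policy: Policy) -> list:
    """Allow-by-path rules under user-writable roots; these defeat the control."""
    return sorted(p for p in policy.allow_paths
                  if _norm(p).startswith(USER_WRITABLE_ROOTS))


# Constructed execution events and policies.
EVENTS = [
    ExecEvent("C:\\Program Files\\Vendor\\tool.exe", "a" * 40,
              signer="CN=Vendor Inc", category="utility"),
    ExecEvent("C:\\Users\\alice\\AppData\\Local\\Temp\\dropper.exe", "b" * 40),
    ExecEvent("C:\\Windows\\System32\\notepad.exe", "c" * 40,
              signer="CN=Microsoft Windows", category="os"),
]
ASSESSMENT = Policy(mode="assessment", safe_categories={"os", "utility"})
LOCKDOWN = Policy(mode="lockdown", safe_categories={"os"},
                  allow_signers={"CN=Vendor Inc"}, suspicious_hashes={"b" * 40})
TOO_BROAD = Policy(mode="lockdown", allow_paths={"C:\\Users\\"})

if __name__ == "__main__":
    for ev in review_violations(ASSESSMENT, EVENTS):
        print("would block:", ev.path)
    print("risky path rules:", risky_allow_paths(TOO_BROAD))
```

The order of the checks matters: a hash on the suspicious-object list is refused before any allow criterion is consulted, so a broad allow rule cannot override sandbox or EDR verdicts. `TOO_BROAD` shows what the slide's warning is about: an allow-by-path rule on a user-writable directory lets the constructed dropper through in lockdown mode, which `risky_allow_paths` flags during review.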


Integrated Endpoint Sensor (EDR)
• What is the added value?


POST DETECTION

“How did this happen?”

“Who else has been affected?”

“How do I respond?”


Apex Central™ Management Console
• Single console/workflow
• Seamless integration of EDR investigation and automated detection/response
• Select any detection to investigate


Who else is affected?
• Endpoint protection shows a detection (in this case there was one)
• But were more users impacted before it was “known”?
• Select Analyze Impact to sweep for more


Impact Assessment
• Impact assessment found five more undetected instances
• Root Cause Analysis begins for all detected users
• Users can be isolated at any time


Root Cause Analysis Results


Response Options


PRE DETECTION

“Am I protected?”

“What if…”


Multiple Ways to Hunt for Attacks:
• User Defined Suspicious Objects (UDSO) from Deep Discovery – supports SHA-1, IP, domain


Sources of Intelligence to Hunt with:
• User Defined Suspicious Objects (UDSO)
• OpenIOC (Indicator of Compromise) or STIX from a threat feed
• Customized criteria:
  – Host (host name and IP address are included)
  – Filename, path, and SHA-1 hash value
  – User account
  – Windows auto-run registry
  – Command lines


Preliminary Assessment:
• Initial assessment based on single or multiple search items
• Results with threat intelligence and prevalence
• Generate Root Cause Analysis for further investigation

Root Cause Analysis:
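The hunt described on the "Sources of Intelligence" slide and the preliminary assessment with prevalence, as an added example in Python. It is not Trend Micro code and does not use any Endpoint Sensor API: it converts indicators from a UDSO-style list (SHA-1, IP, domain), from STIX 2 indicator patterns (only single equality comparisons, a subset of the pattern grammar) and from custom criteria (host, file name, user, command line, autorun key) into field/value pairs, matches them against endpoint telemetry records and reports on how many hosts each indicator was seen. The telemetry records, indicator values and the mapping of STIX object paths to telemetry fields are constructed for the example.

```python
"""Hunting endpoint telemetry with externally sourced indicators.

Added example, not Trend Micro code. UDSO entries, STIX equality patterns
and custom criteria become (field, value) pairs that are matched against
constructed telemetry records; prevalence is the share of hosts on which an
indicator was observed.
"""
import re
from collections import defaultdict

# One STIX 2 equality comparison, e.g. [domain-name:value = 'x.example'].
# Only this subset of the pattern grammar is handled (assumption).
_STIX_EQ = re.compile(r"\[\s*([\w\-]+):([\w\.'\-]+)\s*=\s*'([^']*)'\s*\]")

# Mapping of STIX object paths onto the telemetry fields below (assumption).
_STIX_FIELDS = {
    ("file", "hashes.'SHA-1'"): "sha1",
    ("file", "name"): "filename",
    ("ipv4-addr", "value"): "dest_ip",
    ("domain-name", "value"): "dest_domain",
    ("process", "command_line"): "cmdline",
    ("windows-registry-key", "key"): "autorun_key",
    ("user-account", "account_login"): "user",
}


def stix_to_criterion(pattern: str) -> tuple:
    """Translate one STIX equality pattern into a (field, value) criterion."""
    m = _STIX_EQ.fullmatch(pattern.strip())
    if not m:
        raise ValueError(f"unsupported pattern: {pattern}")
    obj, path, value = m.groups()
    if (obj, path) not in _STIX_FIELDS:
        raise ValueError(f"unmapped object path: {obj}:{path}")
    return (_STIX_FIELDS[(obj, path)], value)


def udso_to_criteria(entries: list) -> list:
    """UDSO entries are (type, value) with type sha1, ip or domain."""
    kinds = {"sha1": "sha1", "ip": "dest_ip", "domain": "dest_domain"}
    return [(kinds[t], v) for t, v in entries]


def _field(ev: dict, field: str) -> str:
    if field == "filename":                      # derived from the full path
        return ev.get("path", "").rsplit("\\", 1)[-1]
    return str(ev.get(field, ""))


def hunt(criteria: list, events: list) -> dict:
    """Map each criterion that was observed to the sorted list of hosts."""
    hits = defaultdict(set)
    for ev in events:
        for field, value in criteria:
            if _field(ev, field).lower() == value.lower():
                hits[(field, value)].add(ev["host"])
    return {k: sorted(v) for k, v in hits.items()}


def prevalence(hits: dict, total_hosts: int) -> dict:
    """Share of the fleet on which each observed indicator was seen."""
    return {k: round(len(h) / total_hosts, 2) for k, h in hits.items()}


# Constructed telemetry: one process/network record per host.
TELEMETRY = [
    {"host": "ws-01", "user": "alice", "sha1": "1" * 40,
     "path": "C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe",
     "cmdline": "update.exe -s", "dest_ip": "203.0.113.7",
     "dest_domain": "cdn.example.invalid",
     "autorun_key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run"},
    {"host": "ws-02", "user": "carol", "sha1": "1" * 40,
     "path": "C:\\Users\\carol\\Downloads\\update.exe", "cmdline": "update.exe -s",
     "dest_ip": "", "dest_domain": "cdn.example.invalid", "autorun_key": ""},
    {"host": "ws-03", "user": "bob", "sha1": "2" * 40,
     "path": "C:\\Windows\\System32\\notepad.exe", "cmdline": "notepad.exe",
     "dest_ip": "", "dest_domain": "", "autorun_key": ""},
    {"host": "srv-01", "user": "svc", "sha1": "3" * 40,
     "path": "C:\\Program Files\\App\\app.exe", "cmdline": "app.exe",
     "dest_ip": "203.0.113.7", "dest_domain": "", "autorun_key": ""},
]

# Constructed indicator sources.
UDSO = [("sha1", "1" * 40), ("ip", "203.0.113.7")]
STIX_PATTERNS = ["[domain-name:value = 'cdn.example.invalid']",
                 "[file:name = 'update.exe']"]
CUSTOM = [("cmdline", "update.exe -s"), ("host", "srv-01")]


def run_hunt() -> tuple:
    """Combine all sources, sweep the telemetry, return (hits, prevalence)."""
    criteria = (udso_to_criteria(UDSO)
                + [stix_to_criterion(p) for p in STIX_PATTERNS] + CUSTOM)
    hits = hunt(criteria, TELEMETRY)
    return hits, prevalence(hits, len({ev["host"] for ev in TELEMETRY}))


if __name__ == "__main__":
    hits, prev = run_hunt()
    for key, hosts in hits.items():
        print(key, hosts, prev[key])
```

Matching is case-insensitive on purpose: host names, domains and Windows paths are reported in mixed case by different sensors. In the constructed data the SHA-1 from the UDSO list is seen on two of four hosts (prevalence 0.5), while the contacted IP also appears on a server with a different binary, the kind of result that the slides say feeds a Root Cause Analysis.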

Managed Detection and Response


Managed Detection and Response

SENSORS
• Apex One™ with integrated Endpoint Sensor
• Deep Discovery Inspector
• Deep Security

SERVICE PLATFORM
• Expert rules
• Threat intelligence
• Machine learning

TREND MICRO ANALYSTS

RESPONSE
• Delivered to management console
• Automated security updates


MDR infrastructure
• US SOC: Dallas, Texas, USA
• EU SOC: Cork, Ireland
• APAC SOC: Manila, Philippines
• US MDR node: Oregon, USA
• EU MDR node: Frankfurt, Germany


Migration and Upgrade


Migrating settings: https://success.trendmicro.com/solution/1118375-migrating-on-prem-officescan-xg-sp1-or-higher-to-officescan-as-a-service


Migrate to SaaS – Without Control Manager
Components: OfficeScan XG Server, OfficeScan XG Agent → Apex One SaaS Agent, Apex Central SaaS

1. Sign up for Apex One SaaS
2. Export your policies and import them into Apex One SaaS
3. Move your agents to Apex One SaaS
4. Decommission the OfficeScan XG Server


Migrate to SaaS – Retiring Control Manager
Components: OfficeScan XG Server, Control Manager Server, OfficeScan XG Agent → Apex One SaaS Agent, Apex Central SaaS

1. Sign up for Apex One SaaS
2. Export policies and import them into Apex One SaaS
3. Move your agents to Apex One SaaS
4. Decommission the OfficeScan XG and Control Manager Servers

On-premise Control Manager is needed for Connected Threat Defense with other Trend Micro software, hardware or services.


Migrate to SaaS – Keeping Control Manager
Components: OfficeScan XG Server, Control Manager Server (in-place upgrade to Apex Central), OfficeScan XG Agent → Apex One SaaS Agent, Apex One SaaS

1. Sign up for Apex One SaaS
2. Connect Apex One SaaS to the on-premise Control Manager
3. Move your agents to Apex One SaaS
4. Decommission the OfficeScan XG Server

On-premise Control Manager is needed for Connected Threat Defense with other Trend Micro software, hardware or services.


On-Premise Upgrades


On-Premise Upgrades – In Place
Components: OfficeScan Server (on-premise) → Apex One Server (on-premise); Control Manager (on-premise) → Apex Central (on-premise); Apex One Agent

1. Upgrade to Apex Central Server
2. Upgrade to Apex One Server
3. The agent will automatically upgrade*

It’s always recommended to take backups before performing upgrades.

*Unless disabled in the configuration. You can use this to slowly roll out agent updates.


On-Premise Upgrades – New Server
Components: OfficeScan XG Server, OfficeScan XG Agent → Apex One Agent, Apex One Server (on-premise)

1. Install Apex One Server
2. Export your policies and import them into Apex One
3. Move your agents to the new server
4. Decommission the OfficeScan XG Server


TMVP already in place? No problem
Components: Apex One Agent, Endpoint Sensor Agent, Vulnerability Protection Agent; Apex One SaaS; Endpoint Sensor Server; Vulnerability Protection Server

• Enable the feature in the policies
• The existing Vulnerability Protection Agent is automatically uninstalled.
