smart protection network

Smart Protection Network

Kelvin Liu

AVP, Core Tech Development

Copyright 2008 - Trend Micro Inc.

Malware ismultiplying

Malware issophisticated

Malware is profit driven

SpamSpyware

Botnets

Complexity

Worms

Web

Evolving Threat Landscape

Malware is getting increasingly dangerousand harder to detect.

http://images.google.com/imgres?imgurl=http://gladstone.uoregon.edu/~schamp/passport.jpg&imgrefurl=http://gladstone.uoregon.edu/~schamp/&h=744&w=520&sz=449&tbnid=sL0QfQAf2XMJ:&tbnh=139&tbnw=97&start=8&prev=/images?q=passport+picture&hl=en&lr=&sa=N

http://images.google.com/imgres?imgurl=http://www.davidgagne.net/images/me/passport.gif&imgrefurl=http://www.davidgagne.net/archives/cat_images.shtml&h=330&w=490&sz=136&tbnid=0cVlhKL7AYkJ:&tbnh=85&tbnw=126&start=13&prev=/images?q=passport+picture&hl=en&lr=&sa=N

http://www.software4advisors.com/demo2/demo/img/accounts.gif


Internal -

Confidential

Example : Conficker / Downadup

InternetUser receive

a spam mailUser open the

mail then

automatically

download a file

The file register

itself as a

system service Monitor the Internet

browser’s address bar

Block access to

certain websites

Connect to various

websites, download

other malicious files

Copyright 2009 - Trend Micro Inc.Feb 2009Internal -

Confidential

Smart Protection Network against Conficker

Incident

Trigger

Email

Reputation

Web

Reputation

File

Reputation

Monitor

Many clients’ processes are dropping

similar filenames in a short time

Many clients access or modify the

same system file in a short time

Many clients accessed similar/same

registry keys in a short time

Community Intelligence


Correlate to figure

out where the threat

come from & where

it would connect to

File Score From Connect to

Crypt.NS.Gen X 129.24.11.3/aexjiire/ Euwl.tsst.com:88/e34jg/

Dropper.Gen X Ndj.sexadult.com/ssr/ee 112.42.5.112:80/

Nqe.exe V www.xyz.com www.abc.com

Conflicker_D X qd.wqwwor.com/om nadasm0.info:80/bugsy

Conflicker_D X Fdjhg.wopqfe.com 7f7fewf.cn:80/sina/

Correlation

Customer

Feedback Log

Immediate

Protection


Incident

Trigger

Email

Reputation

Web

Reputation

File

Reputation

Monitor

Correlation

Feb 2009


Domain / Name Server

/ IP / Register’s Email

Correlation

to build up a Spider

Network

Threat Intelligence

Correlation

Immediate

Protection


Email

Reputation

Web

Reputation

File

Reputation

Incident

Trigger

Monitor

Correlation

Feb 2009


Domain / Name Server

/ IP / Register’s Email

Correlation

to build up a Spider

Network

Threat Intelligence

Correlation

Immediate

Protection


What & How Trend Micro use Cloud Computing

Feb 2009Internal -

Confidential

OS

Server Farm


Tracking System Hadoop ( HBASE / Meta Data )

Virtualization

Hadoop (HDFS)Message Routing framework

MapReduceClustering ClawerAnalyzer

Monitor Incident Trigger Correlation

HTTP DNS FTP

Operating system

Infrastructure

Data Archive

Data Processing

Correlation

Copyright 2009 - Trend Micro Inc.Feb 2009Internal -

Confidential

Why Smart Protection Network

Time to Protect

Less Complexity

Threat Intelligence

Reduce Cost

Immediate Protection

Early Warning

Lightweight Clients

Less Memory Usage

Reduce Downtime Costs

Reduce Hardware Costs

Threat Lifecycle

Management

Thank You

業務專線 : (02) 2378-2666

smart protection network

Education