Trend Micro Vision One
TRANSCRIPT
Trend Micro Vision One, Mikhail [email protected]
Today, the SOC gets siloed insight into endpoints (EDR)…
…limited visibility to threats affecting cloud workloads,
…a separate siloed view into network events,
…and little visibility into email traffic and mailboxes.
Generating incomplete, noisy SIEM alerts without any context.
Attacks don’t stay in silos! Security teams need to piece together what happened.
© 2021 Trend Micro Inc.
XDR breaks down the silos and, instead of noise, tells a story.
Organizations with XDR…
• Suffered half as many successful attacks over the last 12 months
• 2.2X more likely to detect a data breach / successful attack in a few days or less
• 60% less likely to report that attack re-propagation has been an issue
Are better protected. Detect quicker. Respond completely.
Source: The XDR Payoff: Better Security Posture, ESG Research, Sep 2020
See more. Respond faster.
Legend: Raw Activity; Known Bad; Suspicious Activity
Raw activity telemetry & detection alerts
Filtered activity via machine learning, data stacking, and expert rules
Correlated detections
High Quality Alert
Manual review/response; Automated response
Extended Detection & Response (XDR)
Alerts to XDR console and/or SIEM
Carbanak & FIN7: Tradecraft and operational flows in two simulated breaches
✓ Top 3 for visibility & telemetry
✓ 100% of Linux attacks detected
✓ Highly enriched telemetry for better investigations
Data Source: MITRE, 2021
[Chart: Visibility vs. Telemetry, 80% to 100%, for SentinelOne, Palo Alto Networks, Trend Micro, Symantec, CrowdStrike, Microsoft, McAfee]
A complete attack story with visibility and telemetry
Trend Micro is Top 3 for visibility and telemetry across 29 vendors
Organizations want high confidence detection without alert fatigue:
Each Layer Adds Value
• Correlates data from more security controls than typical EDR solutions to tell a more complete story.
Cloud/Workloads/Containers - critical to business operations
• What happened within the workload?
Email - 94% of malware
• Who else received this email or a similar threat?
• API integration for inside view
• Are there compromised accounts sending internal phishing emails?
Network - sees EDR blind spots (unmanaged, legacy, IoT, IIoT)
• How is the attacker moving across the organization?
• How is a threat communicating?
Endpoint – most attacks involve users' devices
• Find threats hidden amongst endpoint telemetry
• What happened within the endpoint? How did it propagate?
Let’s see it!
https://www.youtube.com/watch?v=qyIPJ-BaSHg
https://www.youtube.com/watch?v=odGDYzQbe80
Managed XDR MDR service
Managed XDR: MDR Service by Trend Experts
Expert Threat Hunting: Cutting-edge techniques with verification and enrichment by threat experts
24x7 Monitoring & Detection: Continuous monitoring and routine sweeping of endpoint, server, network, and email
Rapid Investigation and Mitigation: Detailed response plan and remote actions through Trend Micro products
What it Means for the Customer
Events generated by Trend Micro products (which are not actionable but are needed for compliance / visibility when investigating)
Standard managed service: distills and prioritizes 50 high severity events which require further investigation by the customer’s Level II/III security analyst
Advanced managed service: Trend Micro security experts investigate each of the 50 events. Through manual and automated means, they were able to run 242 investigations and declared one incident. For that security incident, the service provides threat response and a detailed remediation plan and incident report.
Zero Trust Secure Access
Multiple Aspects for Precise Access Control
Identity: • User • Device • App
Context: • Schedule • Geolocation • Device posture • Browser version • Firewall status • Anti-malware status
Risk: • Account compromise • Vulnerability detection • Anomaly detection • Cloud app activity • XDR detection • Threat detection
Zero Trust Secure Access
How Private Access Works (components: Controller, Relay Points, Relay Service, Zero Trust Secure Access Cloud, Vision One – Zero Trust)
1 Connector Registration
2 Tunnel Registration
3 User Authentication
4 External IdP Authentication
5 Access rule deployment
6 Authorized APP list
7 Agent outgoing connection
8 Connector outgoing connection
9 Cloud Stitched virtual connection
Why Trend Micro Vision One?
How is it different from other approaches?

Capability                                                    | Trend Micro XDR | Vendor-to-Vendor partnership | SOAR / SIEM
Sharing of IOCs between layers for sweeping                   | Yes             | Yes                          | Yes
Correlated detection of low confidence events across layers   | Yes             | No                           | Partial
Deep understanding of all data generated by layers            | Yes             | No                           | No
Integrated investigations in one console                      | Yes             | No                           | Partial
Integrated response actions across layers                     | Yes             | No                           | Yes
Customers Experience with XDR
“The way XDR allows me to drill down is amazing. It literally paints a picture in front of you.”
“It is easier for my team to explain the attack and go through the sequence of events; we aren’t breaking things down in all the different tools; it’s like reading a book. Easier to digest.”
“ROI is huge.”
ESG Economic Validation Report: Analyzing the Economic Benefits of Trend Micro Vision One
“I estimate it would be 5x to 6x more expensive if we tried to use our own employees and less effective at the same time.” ― Cybersecurity Administrator, local government agency, re: Trend Managed XDR service
“Our overall product spend has gone down almost 50% when you look at all of the products that Trend Micro has replaced.” ― CISO, hospitality industry
ESG created an economic model: organizations save 63% when comparing ad-hoc systems with Trend Micro Vision One.
https://resources.trendmicro.com/ESG-Economic-Validation-Report.html
The Power of XDR: Company with 1000 devices in a 24-hr period
137 M  Raw logs processed by the engine
40 M   Logs identified as valuable to analyze
95 K   Detection logs (similar to what is typically sent to a SIEM)
33 K   Filter hits (1st round of analytics identifying suspicious activity)
3      XDR detection model hits – high confidence workbenches (includes multiple alerts correlated to a single detection & view)
What would it mean to you to go from searching through 95K detection logs in 24 hours to investigating 3 high confidence alerts?
Correlation is critical, but not possible without XDR
Source: The XDR Payoff: Better Security Posture, ESG Research, Sep 2020
A Leader in the Forrester Wave™
“Trend Micro delivers XDR functionality that can be impactful today.” – The Forrester Wave™: Enterprise Detection and Response, Q1 2020
A Leader in 4 Key XDR Building Blocks: Cloud, Endpoint, Email, Detection & Response
The Forrester Wave™: Enterprise Detection and Response, Q1 2020
The Forrester Wave™: Endpoint Security Suites, Q2 2021
The Forrester Wave™: Enterprise Email Security, Q2 2021
The Forrester Wave™: Cloud Workload Security, Q4 2019
“The Forrester Wave™ is copyrighted by Forrester Research, Inc. Forrester and Forrester Wave are trademarks of Forrester Research, Inc. The Forrester Wave is a graphical representation of Forrester's call on a market and is plotted using a detailed spreadsheet with exposed scores, weightings, and comments. Forrester does not endorse any vendor, product, or service depicted in the Forrester Wave. Information is based on best available resources. Opinions reflect judgment at the time and are subject to change.”
Why Trend Micro Vision One?
1 Purpose-built solution with deep integration into native sensors
2 Trend Micro Threat Research powered threat analytics and automatic IoC sweeping
3 Distinctive data sources
  Email - visibility + response by integrating at the application layer
  Cloud - breadth and timeliness of Linux support (CentOS, Red Hat, Oracle, CloudLinux, SUSE, Amazon, Debian, Ubuntu)
4 Additional Risk Insights
  Trend Micro discovered over half the disclosed vulnerabilities in 2019
See more. Respond faster.
Thank you!
Q&A: Mikhail [email protected]
How is XDR different from SIEM? EDR?
SIEM (Security Information and Event Management): security alerts (but not all events)
Attack chain: Email opened → Phishing Word doc opened → PowerShell launched → Command & Control check-in → AWS credentials accessed → New container created → Lateral movement to container

EDR (Endpoint Detection & Response): collecting all endpoint activity, not just alerts (alongside the SIEM)
Attack chain: Email opened → Phishing Word doc opened → PowerShell launched → Command & Control check-in → AWS credentials accessed → New container created → Lateral movement to container

XDR (with cloud data lake collecting all activity): fewer, higher-fidelity alerts that tell a story (alongside the SIEM)
Attack chain: Email opened → Phishing Word doc opened → PowerShell launched → Command & Control check-in → AWS credentials compromised → New container created → Lateral movement to container
Splunk Add-on – Connector pulls Trend Micro XDR logs and writes them into the Splunk database.
Splunk pulls detection alerts from Trend Micro Vision One as detections occur.
Splunk add-on UI: click this zone to get into the log view; click "Open XDR Console" to access a Workbench.
Splunk Log View with Workbench Data: the affected entities will help the Splunk analyst correlate XDR alerts with other Splunk data.
Click on a Trend alert within the Splunk console and go directly to the associated workbench in Trend Micro Vision One for further visibility, investigation and response.
Triage alerts from Splunk, and examine further within the XDR workbench.
Complementary Value:
• Fits within the existing SIEM workflow
• Receive correlated, high-fidelity alerts
• Helps with triaging and narrowing down to the events that need attention and escalating
• Enables analysts to be more efficient
https://automation.trendmicro.com/xdr/home
Additional information on each XDR layer
Why add XDR to your Endpoints
Most attacks cross endpoints during their lifecycle
Detect: Security analytics finds threats hidden amongst endpoint telemetry. IOC sweeping.
Investigate: What happened within the endpoint? How did it propagate? What tactics/techniques are used?
Respond: Isolate, stop process, delete/restore files
Activity Data: • Processes • Executed Commands • Network Connections • Files Created/Accessed • Registry Modifications
Going further with other XDR layers: • Where did the threat originate? • Where else is this threat in my network, workloads, email?
Why Extend XDR to Email?
Detect: Are there compromised accounts sending internal phishing emails? IOC sweeping of mailboxes.
Investigate: Who else received this email / threat?
Respond: Quarantine email, delete email
Activity Data: • Message Metadata (external + internal email) • Attachment Metadata • External Links • User Activity (i.e. logins)
Malware Infection Source: 94% Email (Source: Verizon Data Breach Investigations Report, May 2019)
Why XDR for Cloud/Server Workloads
SIEM example – Log Inspection Alert: Possible attack on the SSH Server (or version gathering). Source: 3.211.84.114
Alerts don’t tell the whole story: this is likely one step of many… What’s the bigger picture? Was the attacker successful?
Detect: high-fidelity detections correlated from different security controls and activities to tell a whole story. IOC sweeping.
Investigate: Full visibility of activities helps answer: What happened within the workload? How did it propagate?
Activity Data: • User Account Activity • Processes • Executed Commands • Network Connections • Files Created/Accessed • Registry Modifications
Cloud One – Workload Security: Sensing, Investigation & Response
Workloads - Broader detection
Environments: Virtual, Data Center, Containers, Cloud
Platforms
Telemetry Data → Analysis (XDR, Managed XDR)
Host activities: Process, File, Network, User Account, Container
Application level logs
OS Platform System/Audit event logs
Windows service logs (PowerShell service/Remote desktop/Terminal Service)
Web Server/FTP/Database/Mail server logs
Security Events/Anomalies/Changes
Newly installed software/changes
Application components changes
Indicators of attack (IOAs)
Known attack footprints
Detecting Container Platform Attacks
• Auto-detect Docker and Kubernetes
• Detect SW changes – upgrades, downgrades, removal
• Monitor binaries for attribute changes
• Monitor running processes – dockerd, etcd, kubelet, kube-apiserver, etc.
• Detect changes to critical files – config, certs, keys, yaml files, etc.
• Monitor for changes to iptables rules – protect against unauthorized port changes
• Detect changes to permissions in key directories
• Inspect key events – e.g. errors from forbidden actions
[Diagram: Docker and Kubernetes – Operating System with Deep Security Agent; Docker Engine; Kubernetes; application containers (e.g. NGINX, Webapp, MySQL)]
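As an added illustration (not Trend Micro's or the Deep Security agent's own code), here is a minimal snapshot-diff in Python covering three of the checks listed above: content/attribute changes to critical Kubernetes files, missing platform daemons, and iptables rule drift. All paths, file contents and rules are constructed sample values.

```python
import hashlib

REQUIRED_PROCESSES = {"dockerd", "etcd", "kubelet", "kube-apiserver"}
SENSITIVE_SUFFIXES = (".key", ".crt", ".conf")

def fingerprint(content: str, mode: str, owner: str = "root") -> tuple:
    """Stand-in for hashing a real file: (sha256, mode, owner). Contents here are constructed."""
    return (hashlib.sha256(content.encode()).hexdigest(), mode, owner)

# Constructed baseline snapshot of critical Kubernetes files (hypothetical contents).
BASELINE = {
    "/etc/kubernetes/admin.conf": fingerprint("admin-kubeconfig", "0600"),
    "/etc/kubernetes/pki/apiserver.key": fingerprint("apiserver-key-material", "0600"),
    "/etc/kubernetes/manifests/kube-apiserver.yaml": fingerprint("apiserver-manifest", "0644"),
    "/usr/bin/kubelet": fingerprint("kubelet-binary", "0755"),
}
# Constructed later snapshot: key permissions loosened, manifest edited, kubelet replaced, new manifest added.
CURRENT = {
    "/etc/kubernetes/admin.conf": fingerprint("admin-kubeconfig", "0600"),
    "/etc/kubernetes/pki/apiserver.key": fingerprint("apiserver-key-material", "0644"),
    "/etc/kubernetes/manifests/kube-apiserver.yaml": fingerprint("apiserver-manifest-edited", "0644"),
    "/usr/bin/kubelet": fingerprint("unexpected-binary", "0755"),
    "/etc/kubernetes/manifests/extra.yaml": fingerprint("unexpected-pod-manifest", "0644"),
}

def diff_files(baseline: dict, current: dict) -> list:
    """Compare two snapshots; return (severity, path, reason) for content, attribute, add and remove events."""
    findings = []
    for path, (digest, mode, owner) in current.items():
        if path not in baseline:
            findings.append(("medium", path, "new file in critical directory"))
            continue
        b_digest, b_mode, b_owner = baseline[path]
        if digest != b_digest:
            findings.append(("high", path, "content changed"))
        if (mode, owner) != (b_mode, b_owner):
            sev = "high" if path.endswith(SENSITIVE_SUFFIXES) else "medium"
            findings.append((sev, path, f"attributes changed {b_mode}/{b_owner} -> {mode}/{owner}"))
    for path in baseline.keys() - current.keys():
        findings.append(("high", path, "critical file removed"))
    return findings

def missing_processes(running: list) -> list:
    """Required platform daemons absent from the observed process list."""
    return sorted(REQUIRED_PROCESSES - set(running))

def iptables_changes(baseline_rules: list, current_rules: list) -> dict:
    """Rules added or removed relative to the baseline (e.g. an unauthorized port opened)."""
    return {"added": sorted(set(current_rules) - set(baseline_rules)),
            "removed": sorted(set(baseline_rules) - set(current_rules))}
```

In a real deployment the snapshots would be built by hashing and stat-ing the files on the host and the rules read from `iptables-save`; the severity split keeps key/cert/config permission changes above ordinary manifest edits.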
Why Extend XDR to your Network?
Detect: See across the network including EDR blind spots. Analytics discover complex threats. IOC sweeping.
Investigate: How is a threat communicating? How is the attacker moving across the organization?
Respond: Where do I need to focus? Which systems/devices are under attack?
Coverage: Managed devices (EDR) and EDR blind spots – unmanaged, legacy, IoT, IIoT
Activity Data: • Traffic Flow • Perimeter and Lateral Connections • Suspicious Traffic Behaviors