Volume & Vectors: a radical shift in the digital threat landscape

Upload: anthony-arrott

Post on 18-May-2015

Page 1: Volume And Vectors 090416

Volume & Vectors

a radical shift in the digital threat landscape

Page 2: Volume And Vectors 090416

Triple challenge to IT security

• Changing IT. BEFORE: 80%+ of daily info available inside the enterprise. NOW: 80%+ of daily info comes from outside the enterprise.

• Changing cybercrime. BEFORE: vandalism, simple fraud, opportunistic data theft. NOW: high tech organized crime for huge profits.

• Changing protection. BEFORE: latest threat info deployed to each computer. NOW: computers query a cloud database about suspected threats.

disappearing network boundaries

overwhelming volume of threat

cloud-client protection networks

Page 6: Volume And Vectors 090416

Threats now mostly from the Internet

[Figure: threats (worms, spyware, botnets, viruses) reaching the target: 92% via the Internet, 8% via removable media]

Top threat infection vectors (how threats arrive on PCs)

1. Visits to malicious websites (42%)

2. Downloaded by other malware (34%)

3. E-mail attachments & links (9%)

4. Transfers from removable disks (8%)

5. Other (mostly via Internet) (7%)

source: Trend Micro

Page 7: Volume And Vectors 090416

Delivering today’s malware to the unprotected user

[Figure: delivery paths from the Internet (websites, file transfers, e-mail spam with links & attachments) and from removable media, carrying worms, spyware, botnets and viruses to the user]

Page 8: Volume And Vectors 090416

[Figure: the same delivery diagram, with threats arriving at the target via file transfers, e-mail links & attachments, websites and removable media, and AV placed in front of the target]

“There is a desperate need for new standards for today’s anti-virus products. The dominant paradigm, scanning directories of files, is focused on old and known threats, and reveals little about product efficacy in the wild.”

Williamson & Gorelik (2007)

Traditional AV: anti-malware at the gateway / endpoint

Page 9: Volume And Vectors 090416

[Figure: the same delivery diagram; the AV at the target faces > 2000 new threats per hour]

Traditional AV: overwhelmed by the volume of new threats

Page 10: Volume And Vectors 090416

[Figure: the same delivery diagram]

AV protection networks have multiple layers of protection

Consider two layers:

Infection Layer: blocking the transfer & execution of malware on target computers; inspection based on file content (code, hash)

Exposure Layer: blocking access to/from sources capable of delivering malware; inspection based on source (url, domain)

Web threats come from labeled sources

Page 11: Volume And Vectors 090416

[Figure: the same delivery diagram with Web Reputation, Email Reputation and File Reputation services placed on the delivery paths]

Block threats based on their sources, content & behavior

In addition to examining files for malicious content & behavior:

• Web reputation services identify and block bad web sites & URLs

• E-mail reputation services identify and block spam by sender IP address

• Correlation between layers enhances threat identification

Trend Micro Smart Protection Network
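As an added example (not from the presentation and not Trend Micro's product code), the two-layer model and the cross-layer correlation described above as a small Python check: the exposure layer looks up the source (domain, sender IP), the infection layer looks up the file hash, and a source that delivers known-bad content is marked suspect so later unknown files from it are flagged rather than allowed. All reputation lists and events are constructed.

```python
"""Two-layer reputation check with cross-layer correlation (constructed toy model)."""
import hashlib
from urllib.parse import urlsplit

# Constructed reputation lists; a real protection network would query a cloud service.
BAD_DOMAINS = {"malicious.example"}                                            # exposure layer
BAD_FILE_HASHES = {hashlib.sha256(b"constructed malware sample").hexdigest()}  # infection layer
BAD_SENDER_IPS = {"192.0.2.7"}                                                # e-mail reputation (TEST-NET-1)


def domain_of(url: str) -> str:
    """Hostname part of a URL, lower-cased, or '' if it cannot be parsed."""
    return (urlsplit(url).hostname or "").lower()


def verdict(event: dict, suspect_domains: set) -> str:
    """Classify one event as 'block', 'suspicious' or 'allow'.

    event keys (constructed): 'url' (where the content came from), 'content' (bytes),
    and optionally 'sender_ip' for content that arrived by e-mail.
    suspect_domains is shared across events and grows when correlation ties a
    clean-looking source to known-bad content (the 'more suspicious domains found' step).
    """
    dom = domain_of(event["url"])
    digest = hashlib.sha256(event["content"]).hexdigest()
    source_bad = dom in BAD_DOMAINS or event.get("sender_ip") in BAD_SENDER_IPS
    content_bad = digest in BAD_FILE_HASHES
    if content_bad and not source_bad:
        suspect_domains.add(dom)  # correlation: this source delivered known malware
    if source_bad or content_bad:
        return "block"
    if dom in suspect_domains:
        return "suspicious"  # unknown content from a source already tied to malware
    return "allow"


def run(events: list) -> tuple:
    """Process events in arrival order with one shared suspect set; returns (verdicts, suspects)."""
    suspects: set = set()
    return [verdict(e, suspects) for e in events], suspects


# Constructed sample events, in arrival order.
SAMPLE_EVENTS = [
    {"url": "http://malicious.example/x.exe", "content": b"anything"},
    {"url": "http://cdn.example/dl", "content": b"constructed malware sample"},
    {"url": "http://cdn.example/other", "content": b"unknown installer"},
    {"url": "http://news.example/a", "content": b"plain page"},
    {"url": "http://news.example/link", "content": b"plain page", "sender_ip": "192.0.2.7"},
]

if __name__ == "__main__":
    for ev, v in zip(SAMPLE_EVENTS, run(SAMPLE_EVENTS)[0]):
        print(f"{v:10} {ev['url']}")
```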


Page 12: Volume And Vectors 090416

Deployed throughout Trend Micro products

[Figure: Smart Protection Network deployment diagram. Zones: Incoming Threats, Outgoing Threats, Internet, Software as a Service, Gateway, Desktop & Server, Collaboration/Storage, Security Management, Threat Management (Network), Remote/Off Network. Products: InterScan™ Messaging Hosted Security, InterScan™ Web Security, InterScan™ Messaging Security, ServerProtect™, OfficeScan™, ScanMail™, IM Security for OCS Solution, SharePoint Portal, Firewall/UTM, IPS/IDS, Threat Management. Centre: Smart Protection Network]

Page 13: Volume And Vectors 090416

Smart Protection Network – Email Reputation

[Figure: the same deployment diagram with Email Reputation lookups marked (E) across the products]

Page 14: Volume And Vectors 090416

Smart Protection Network – Web Reputation

[Figure: the same deployment diagram with Web Reputation (URL) lookups marked (W) across the products]

Page 15: Volume And Vectors 090416

Smart Protection Network – File Reputation

[Figure: the same deployment diagram with File Reputation lookups marked (F) across the products, served through a File Caching Server]

Page 16: Volume And Vectors 090416

Threats use the Internet after the initial infection

[Figure: many mechanisms for initial malware infection; once infected, machines download their own malware piece parts. URLs contacted in the diagram: http://trafficconverter.biz/4, http://www.maxmind.com/, http://www.getmyip.org, http://getmyip.co.uk, http://checkip.dyndns.org]

Page 17: Volume And Vectors 090416

Web reputation services block downloads by malware

[Figure: the same diagram, with Web Reputation blocking the infected machine’s requests to those URLs]

Page 18: Volume And Vectors 090416

It’s all interconnected in the cybercrime economy

[Figure: starting from a known malicious domain, a WHOIS lookup gives the registrar’s e-mail, from which more suspicious domains are found]

Page 19: Volume And Vectors 090416

[Figure: correlation architecture. Components: Correlation Engine; Log Pool; Scheduled Jobs; Event Trigger; Content Retrieve; Sniffer (retrieve the content if relative content not found in content storage); Operation; Solution Distribution; Validation & Solution Creation; Solution Adoption; FRS, WRS, ERS; Black-list / White-list; Alert Service; Analyzer for Email, Web, File, IP and Domain; Relative content; Feedback (from end-point with ID); Live Feed; Clustering; Critical / Warning (paired) Summary; Result; Reputation Result]

Powerful leverage through correlation among layers

Page 20: Volume And Vectors 090416

… resolve obscured network boundaries


Page 21: Volume And Vectors 090416

… sort out confusing information transactions


Page 22: Volume And Vectors 090416

… clarify disguised website identities


Page 23: Volume And Vectors 090416

… and track cyber-criminal operations


Page 24: Volume And Vectors 090416

Today’s malware is big business

The Cybercrime Economy*

• payout per adware install: $0.02 - $0.30

• basic malware package: $1,000 - $2,000

• exploit kit rental: $1 per hr

• undetected info-seeking trojan: $80

• distributed denial of service attack: $100 per day

• 10,000 compromised PCs (zombies): $1,000

• 1 million freshly harvested e-mails: $8 & up

• stolen bank account credentials: $50 & up

• credit card + validation info: $1 to $2

• personal ID & their pet’s name: $10

* prices may vary – find your local cybervandal-turned-entrepreneur

Page 25: Volume And Vectors 090416

Botnets viewed from the cyber-criminal side

[Figure: botnet lifecycle. Infection vectors: spyware/trojan downloader, web drive-by downloader, e-mail spam, port scan / vulnerabilities, malicious URL. Host infection: malware writer; wait for instructions; get updates from command & control; fool the AV. Zombie management: bot herder, botnet, command & controller via IRC / DNS. Malicious activities: spam & phishing, DDoS, data leakage, adware/clickware, recruitment. Criminals.]

Page 26: Volume And Vectors 090416

Smart Protection Network blocks at each link in a botnet

[Figure: the same botnet lifecycle diagram with a "Break" marker at each link]

Page 27: Volume And Vectors 090416

Let’s remove the fear of exchanging digital information ...


Page 28: Volume And Vectors 090416

… and return to where websites are what they appear


Page 29: Volume And Vectors 090416

Smart Protection Network: by the numbers

5 billion queries handled daily

1.2 terabyte data processed daily

1,000 dedicated content security experts at TrendLabs

24/7 multiple data centers operating around the world

50 million new IP addresses / URLs processed daily

250 million malware samples processed each year

Page 30: Volume And Vectors 090416

Smart Protection Network

less complexity, more protection