volume and vectors 090416
Volume & Vectors: a radical shift in the digital threat landscape
Triple challenge to IT security
• Changing IT
  BEFORE: 80%+ of daily info available inside the enterprise
  NOW: 80%+ of daily info comes from outside the enterprise
• Changing cybercrime
  BEFORE: vandalism, simple fraud, opportunistic data theft
  NOW: high-tech organized crime for huge profits
• Changing protection
  BEFORE: latest threat info deployed to each computer
  NOW: computers query a cloud database about suspected threats
The consequences: disappearing network boundaries, an overwhelming volume of threats, and cloud-client protection networks.
Threats now mostly from the Internet
[Figure: sources of threats (worms, spyware, botnets, viruses) reaching the target PC: Internet 92%, removable media 8%]
Top threat infection vectors (how threats arrive on PCs)
1. Visits to malicious websites (42%)
2. Downloaded by other malware (34%)
3. E-mail attachments & links (9%)
4. Transfers from removable disks (8%)
5. Other (mostly via Internet) (7%)
source: Trend Micro
Delivering today’s malware to the unprotected user
[Figure: malware (worms, spyware, botnets, viruses) reaching the user via Internet websites, file transfers, e-mail spam with links & attachments, and removable media]
Traditional AV: anti-malware at the gateway / endpoint
“There is a desperate need for new standards for today’s anti-virus products. The dominant paradigm, scanning directories of files, is focused on old and known threats, and reveals little about product efficacy in the wild.”
Williamson & Gorelik (2007)
[Figure: the same delivery paths (websites, file transfers, e-mail links & attachments, removable media) carrying threats to the target, with AV at the gateway / endpoint]
Traditional AV overwhelmed by the volume of new threats
[Figure: the same delivery paths, with traditional AV at the gateway / endpoint facing > 2000 new threats per hour]
AV protection networks have multiple layers of protection
Consider two layers:
Infection Layer: blocking the transfer & execution of malware on target computers; inspection based on file content (code, hash)
Exposure Layer: blocking access to/from sources capable of delivering malware; inspection based on source (URL, domain)
Web threats come from labeled sources
[Figure: web reputation, e-mail reputation and file reputation placed in front of the delivery paths (websites, file transfers, e-mail, removable media) to the target]
Block threats based on their sources, content & behavior
In addition to examining files for malicious content & behavior:
• Web reputation services identify and block bad web sites & URLs
• E-mail reputation services identify and block spam by sender IP address
• Correlation between layers enhances threat identification
Trend Micro Smart Protection Network
Deployed throughout Trend Micro products
[Figure: Smart Protection Network in the cloud, queried by products at every tier (Software as a Service, Gateway, Desktop & Server, Collaboration/Storage, Security Management, Threat Management (Network), Remote/Off Network) for incoming and outgoing threats via the Internet. Products shown: InterScan™ Messaging Hosted Security, InterScan™ Web Security, InterScan™ Messaging Security, ServerProtect™, OfficeScan™, ScanMail™, IM Security for OCS Solution, SharePoint Portal, Firewall/UTM, IPS/IDS, Threat Management]
Smart Protection Network – Email Reputation
[Figure: the same deployment diagram, with e-mail reputation (sender IP) queries marked]
Smart Protection Network – Web Reputation
[Figure: the same deployment diagram, with web reputation (URL) queries marked]
Smart Protection Network – File Reputation
[Figure: the same deployment diagram, with file reputation (file) queries marked and a file caching server in the path]
Threats use the Internet after the initial infection
[Figure: many mechanisms for initial malware infection; infected machines then download their own malware piece parts from URLs such as http://trafficconverter.biz/4, http://www.maxmind.com/, http://www.getmyip.org, http://getmyip.co.uk, http://checkip.dyndns.org]
Web reputation services block downloads by malware
[Figure: the same diagram, with web reputation placed in front of those downloads]
It’s all interconnected in the cybercrime economy
[Figure: starting from a known malicious domain (worms, spyware, botnets, viruses), a WHOIS lookup gives the registrar’s e-mail, which leads to more suspicious domains]
Powerful leverage through correlation among layers
[Figure: correlation engine architecture. A Log Pool is fed by a Live Feed and by Feedback (from end-point with ID); Scheduled Jobs and an Event Trigger drive Content Retrieve (a Sniffer retrieves the content if the relevant content is not found in content storage); an Analyzer (Email / Web / File; IP / Domain) with Clustering produces Critical / Warning (paired) summary results and reputation results; Black-list / White-list entries feed FRS, WRS and ERS (file, web and e-mail reputation services) and an Alert Service; operation stages: Validation & Solution Creation, Solution Distribution, Solution Adoption]
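The two-layer model (infection layer on file content, exposure layer on source) and the cross-layer correlation with the WHOIS e-mail pivot from the slides above, reduced to a runnable toy in Python. This is an added example, not Trend Micro code: the reputation tables, the WHOIS records, the domain names and the sample file bytes are all constructed, and the registrant e-mail is used as the pivot key.

```python
import hashlib
from urllib.parse import urlparse

# Constructed cloud-side tables; a real client would query these over the network.
BAD_DOMAINS = {"evil.example"}                                 # exposure layer: sources
BAD_HASHES = {hashlib.sha256(b"dropper-sample").hexdigest()}   # infection layer: content
WHOIS_REGISTRANT = {                                           # constructed WHOIS records
    "evil.example": "reg@mail.example",
    "newbad.example": "reg@mail.example",
    "evil2.example": "reg@mail.example",
    "shop.example": "owner@other.example",
}

def domain_of(url):
    return (urlparse(url).hostname or "").lower()

def exposure_verdict(url):
    """Exposure layer: judge the source (domain) before any bytes are fetched."""
    return "block" if domain_of(url) in BAD_DOMAINS else "allow"

def infection_verdict(data):
    """Infection layer: judge the content (hash) once the file has arrived."""
    return "block" if hashlib.sha256(data).hexdigest() in BAD_HASHES else "allow"

def pivot_registrant(domain):
    """WHOIS pivot: other domains sharing this domain's registrant e-mail address."""
    mail = WHOIS_REGISTRANT.get(domain)
    return {d for d, m in WHOIS_REGISTRANT.items() if mail and m == mail and d != domain}

def correlate(url, data):
    """Cross-layer correlation: a file the infection layer blocked labels its source and
    the source's registrant siblings as bad for the exposure layer. Returns new bad domains."""
    newly = set()
    src = domain_of(url)
    if src and infection_verdict(data) == "block":
        for d in {src} | pivot_registrant(src):
            if d not in BAD_DOMAINS:
                BAD_DOMAINS.add(d)
                newly.add(d)
    return newly

def check_download(url, data):
    """Client path: cheap source lookup first; content lookup only if the source passes."""
    if exposure_verdict(url) == "block":
        return "blocked-at-exposure"
    if infection_verdict(data) == "block":
        correlate(url, data)
        return "blocked-at-infection"
    return "allowed"
```

After one blocked download from a previously unknown domain, sibling domains under the same registrant are blocked at the exposure layer without any of their files ever being fetched.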
… resolve obscured network boundaries
… sort out confusing information transactions
… clarify disguised website identities
… and track cyber-criminal operations
Today’s malware is big business
The Cybercrime Economy*
• payout per adware install: $0.02 - $0.30
• basic malware package: $1,000 - $2,000
• exploit kit rental: $1 per hr
• undetected info-seeking trojan: $80
• distributed denial of service attack: $100 per day
• 10,000 compromised PCs (zombies): $1,000
• 1 million freshly harvested e-mails: $8 & up
• stolen bank account credentials: $50 & up
• credit card + validation info: $1 to $2
• personal ID & their pet’s name: $10
* prices may vary – find your local cybervandal-turned-entrepreneur
Botnets viewed from the cyber-criminal side
[Figure: botnet lifecycle. Infection vectors: spyware/trojan downloader, web drive-by downloader, e-mail spam, port scan for vulnerabilities. Host infection: malicious URL, malware writer, wait for instructions, get updates from command & control, fool the AV. Zombie management: bot herder, IRC/DNS, botnet command & controller. Malicious activities: spam & phishing, DDoS, data leakage, adware/clickware, recruitment. Criminals]
Smart Protection Network blocks at each link in a botnet
[Figure: the same botnet lifecycle diagram, with a “Break” marked at each link]
Let’s remove the fear of exchanging digital information ...
… and return to where websites are what they appear
Smart Protection Network: by the numbers
5 billion queries handled daily
1.2 terabytes of data processed daily
1,000 dedicated content security experts at TrendLabs
24/7 multiple data centers operating around the world
50 million new IP addresses / URLs processed daily
250 million malware samples processed each year
Smart Protection Network
less complexity, more protection