First Look Trend Micro Deep Discovery Inspector

By looking for correlations in attack patterns, Trend Micro's Deep Discovery Inspector is able to protect networks against customised attacks and new threats.

IT needs to understand that threats are changing: if you're using materials and defences based on plans from four years ago, you're behind the times and unprotected.

Figure: The web interface shows the origins of attacks, giving insight into how they unfold.

The Inspector is an out-of-band discovery tool. It takes a network feed from a mirror (SPAN) port on a switch and examines the traffic for patterns matching suspicious behaviour. Trend Micro identifies this listen-only inspection of all network traffic as a key feature of the system, since it avoids the latency and load that in-line products and endpoint security agents impose on the devices they protect. The flip side of that design is that a listen-only appliance detects and reports but cannot itself block traffic, so containment has to happen elsewhere; it also means the mirror port must not be oversubscribed, because packets dropped by the switch are never seen by the appliance.

The appliance has seven 1Gbps network ports plus a dedicated management port. That is considerable throughput for such a complex device, but larger networks may need several appliances for complete coverage, placed in different parts of the network. Multiple devices can be managed together with Trend Micro's management products, and their results aggregated using the Trend Micro Deep Discovery Advisor.

The appliance itself is well stocked with standard components, including redundant power supplies, USB, a serial port for management and dual VGA outputs for a monitor. There is space for up to six hard drives; the unit ships with two 500GB 7200rpm SATA drives and 8GB of RAM. A small LCD screen on the front displays the device's current IP address and gives access to a limited set of configuration options.

The appliance is available on a range of hardware, so the Inspector can be used in anything from small networks through to very large corporate backbones. This also gives growing networks an option: they can add devices as they grow, without over-covering the network or having to dispose of smaller units.

The Inspector performs threat discovery and analysis in three layers: initial network-level detection, sandbox simulation, and finally cross-correlation focused on latent and evasive attacks. Together these reflect Trend Micro's methodology of identifying suspicious activity first and then homing in to gather more information as needed.

The detection layer analyses network traffic for malicious behaviour. Pattern matching is performed against a researched set of threats that Trend Micro maintains through its Smart Protection Network. This is a continuously updated pattern set, much like a traditional anti-virus product's, except that the patterns are designed for the network level rather than the endpoint. That allows attacks that are spreading to be discovered on the wire, rather than relying on endpoint protection products to pick them up. In a homogeneous endpoint environment, if one endpoint fails to stop a threat it can propagate quickly, because every device is protected by the same program and configuration. At the network layer, fast-moving threats are often easier to spot, even when they are zero-day attacks. Ultimately the combination of endpoint security and network-level detection is the robust option.

The next layer is sandbox simulation and correlation. Here a sandbox is used to perform forensic analysis on identified threats; it reduces false positives and provides more detail on each threat, including customer-specific threat profiles. Sandboxing is a critical task in zero-day analysis, because unknown malware cannot easily be understood without running it. The usual caveat applies: malware that checks for a virtualised environment may behave differently in the sandbox than on a real endpoint, so a clean sandbox run is evidence, not proof.

Finally there is the cross-correlation layer, focusing on discovery of latent and evasive attacks such as Advanced Persistent Threats (APTs) and other persistent malicious behaviour. This analysis looks for long-term malicious trends indicative of the patient monitoring and attacking used by APTs. The appliance also performs threat tracking, including analysing specific threats in more detail.

The Inspector can perform per-device risk assessment through its Watch List feature, which raises the level of monitoring for selected devices. If a device has been behaving unusually, for example, the Inspector can monitor it more closely with a higher degree of analysis. More sensitive areas of the network can likewise be analysed at a higher priority than the rest.

Figure: This attack visualisation shows how an attack is linked across several locations.
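To make the network-level and cross-correlation layers concrete, here is an added Python example. It is not Trend Micro code and does not describe the Inspector's internals; it applies the two ideas to a constructed flow log of the kind a listen-only sensor would build from a mirror port. The first pass matches flows against a hand-written indicator set (standing in for a vendor-maintained pattern feed); the second looks across the whole window for hosts whose connections to one destination recur at near-constant intervals, the long-term regularity of a beaconing implant that no signature knows about yet, and a watch list lowers the evidence bar for hosts marked for closer monitoring. Every IP address, domain, threshold and flow record below is made up for the example.

```python
"""Passive analysis of a mirrored-traffic flow log (added example, not vendor code).

Layer 1: pattern matching against a hypothetical indicator set.
Layer 3: cross-correlation over the whole window for near-periodic connection
series, with a watch list that makes the check more sensitive for chosen hosts.
"""
from collections import defaultdict
from statistics import mean, pstdev
from typing import Dict, FrozenSet, List, Optional, Tuple

# Flow record: (epoch seconds, source IP, destination IP, destination port,
# first bytes seen on the connection). All values are constructed.
Flow = Tuple[int, str, str, int, str]

SAMPLE_FLOWS: List[Flow] = [
    # 10.0.0.5 checks in with one host every ~5 min with little jitter: a beacon.
    (0,    "10.0.0.5", "203.0.113.9",   443, ""),
    (301,  "10.0.0.5", "203.0.113.9",   443, ""),
    (599,  "10.0.0.5", "203.0.113.9",   443, ""),
    (902,  "10.0.0.5", "203.0.113.9",   443, ""),
    (1198, "10.0.0.5", "203.0.113.9",   443, ""),
    (1503, "10.0.0.5", "203.0.113.9",   443, ""),
    (1799, "10.0.0.5", "203.0.113.9",   443, ""),
    # 10.0.0.7 browses irregularly; one request names a listed domain.
    (10,   "10.0.0.7", "198.51.100.20", 80, "GET / HTTP/1.1\r\nHost: news.example"),
    (15,   "10.0.0.7", "198.51.100.20", 80, "GET /a.css HTTP/1.1\r\nHost: news.example"),
    (200,  "10.0.0.7", "198.51.100.20", 80, ""),
    (205,  "10.0.0.7", "198.51.100.20", 80, ""),
    (900,  "10.0.0.7", "198.51.100.20", 80, ""),
    (1002, "10.0.0.7", "198.51.100.20", 80, ""),
    (1800, "10.0.0.7", "198.51.100.20", 80, ""),
    (1250, "10.0.0.7", "198.51.100.21", 80, "GET /u.bin HTTP/1.1\r\nHost: update.bad-example.test"),
    # 10.0.0.8 checks in every ~10 min with heavier jitter, only five times so far.
    (0,    "10.0.0.8", "203.0.113.44", 8443, ""),
    (650,  "10.0.0.8", "203.0.113.44", 8443, ""),
    (1150, "10.0.0.8", "203.0.113.44", 8443, ""),
    (1870, "10.0.0.8", "203.0.113.44", 8443, ""),
    (2390, "10.0.0.8", "203.0.113.44", 8443, ""),
]

# Hypothetical indicators standing in for a vendor-maintained pattern feed.
INDICATORS: Dict[str, str] = {
    "bad-example.test": "hypothetical C2 domain",
    "198.51.100.99": "hypothetical known-bad IP",
}


def match_indicators(flows: List[Flow]) -> List[dict]:
    """Layer 1: flag any flow whose destination or payload matches an indicator."""
    hits = []
    for ts, src, dst, port, snippet in flows:
        for pattern, label in INDICATORS.items():
            if pattern == dst or pattern in snippet:
                hits.append({"ts": ts, "src": src, "dst": dst, "port": port,
                             "pattern": pattern, "label": label})
    return hits


def interval_regularity(stamps: List[int]) -> Tuple[int, Optional[float]]:
    """Return (gap count, coefficient of variation of the gaps between connections).

    A CV near 0 means the connections recur on a fixed schedule. None means there
    are too few gaps to judge, or the gaps are degenerate (all zero).
    """
    ordered = sorted(stamps)
    gaps = [b - a for a, b in zip(ordered, ordered[1:])]
    if len(gaps) < 2:
        return len(gaps), None
    m = mean(gaps)
    if m <= 0:
        return len(gaps), None
    return len(gaps), pstdev(gaps) / m


def beaconing_hosts(flows: List[Flow], watch_list: FrozenSet[str] = frozenset(),
                    min_conns: int = 6, max_cv: float = 0.15,
                    watch_min_conns: int = 4, watch_max_cv: float = 0.35) -> List[dict]:
    """Layer 3: per (src, dst, port), report near-periodic connection series.

    Watch-listed sources are judged on fewer connections and a looser CV; this is
    the 'monitor this device more closely' behaviour expressed as thresholds.
    """
    by_pair = defaultdict(list)
    for ts, src, dst, port, _ in flows:
        by_pair[(src, dst, port)].append(ts)
    findings = []
    for (src, dst, port), stamps in by_pair.items():
        watched = src in watch_list
        need = watch_min_conns if watched else min_conns
        limit = watch_max_cv if watched else max_cv
        if len(stamps) < need:
            continue
        n_gaps, cv = interval_regularity(stamps)
        if cv is None or cv > limit:
            continue
        findings.append({"src": src, "dst": dst, "port": port, "connections": len(stamps),
                         "mean_interval_s": round((max(stamps) - min(stamps)) / n_gaps),
                         "cv": round(cv, 3), "watched": watched})
    return findings


def analyse(flows: List[Flow], watch_list: FrozenSet[str] = frozenset()) -> dict:
    """Run both layers and return the combined report."""
    return {"indicator_hits": match_indicators(flows),
            "beacons": beaconing_hosts(flows, watch_list)}


if __name__ == "__main__":
    report = analyse(SAMPLE_FLOWS, watch_list=frozenset({"10.0.0.8"}))
    for h in report["indicator_hits"]:
        print(f"[indicator] {h['src']} -> {h['dst']}:{h['port']} matched {h['pattern']} ({h['label']})")
    for b in report["beacons"]:
        tag = " (watch list)" if b["watched"] else ""
        print(f"[beacon] {b['src']} -> {b['dst']}:{b['port']} every ~{b['mean_interval_s']}s, cv={b['cv']}{tag}")
```

On the sample data the indicator pass catches only 10.0.0.7's request to the listed domain, while the correlation pass catches 10.0.0.5, whose destination appears in no indicator at all. 10.0.0.8 has too few connections and too much jitter for the default thresholds and is reported only once it is on the watch list, which is the point of that feature: more analysis spent on a host someone already has reason to distrust. The thresholds are illustrative; in practice they are tuned per network, and regular traffic such as NTP or software-update polling needs to be excluded before this check is useful.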

The Inspector can show which devices are the most attacked, giving useful reporting on key weaknesses in a network. The Inspector's main role is to collect data and perform analysis; another product in the line, the Deep Discovery Advisor, is responsible for in-depth reporting. That said, the Inspector contains a number of reporting tools, including integration with Threat Connect, a service providing more intelligence on attacks through Trend Micro's intelligence portal. The information gathered there includes strategies to contain the malware as well as remediation advice specific to the threats discovered, and it links to signature updates for endpoint protection. The threat console also provides a number of tools for visualising threats and attack behaviours. Another visualisation tool, GeoTrack, maps the source of malicious communication, but it is naturally limited to the address of the host that actually connected, which may be a compromised relay or proxy rather than the attacker's true origin.

Enterprise-level management of the device is available, and all important events can be reported to a nominated SIEM. The device is relatively easy to configure, with a text-based menu available directly on the appliance as well as over SSH and the serial port. The text menu has some quirks, such as no number-lock support and a relatively short time-out, which can be annoying if the administrator is reviewing documents during set-up. The web-based interface, by contrast, is well laid out and intuitive. A number of widgets display graphs of infections and exploits, allowing a quick read of the health of the network, and others graph the geographic location of incoming attacks. Overall this gives an excellent interface for the overall status of the network.

This does not mean the reports lack detail: comprehensive details of attacks are available, and the reporting tools include both manager-level summary reports and low-level technical information.

As mentioned earlier, monitoring can be focused on a particular computer or network segment if, for example, there is a higher risk of infection there. The aim of the Trend Micro Deep Discovery Inspector is data collation and attack analysis; in-depth analysis of the attacks is left to the Advisor application. Overall, the system provides an intuitive and easy-to-understand way to set up and run a sandboxing system. The three-layer approach offers good coverage for detecting infections. The device aggregates a substantial amount of information, and the reporting options allow a quick understanding of the health of the network. The amount of reported information is substantial, providing both the at-a-glance view and the detail needed to manage security. There is an impressive array of visualisations and reporting information available in many forms.

Figure: Attacks can come from anywhere.

Figure: Inline attack recording allows an attack to be analysed after it happens, even if evidence is removed as part of the attack.