Posted on 06-Jul-2020


Protecting Your Endpoints and Datacenter

Stop bad people, allow good people, and deal with the tiny bit of grey

Techniques: Anti-Malware, Blacklisting, Content Filtering, Encryption, Whitelisting, Application Control

Dealing with Just Black Is Not Working

• Zero day: 118
• Discovered vulnerabilities: over 1,000 in 2017
• New ransomware variants: 27 monthly average
• Ransomware as a service is getting popular

Dealing with Just White Is Not Working

• Good apps gone bad
• Insider threats
• Stolen credentials
• Business email compromise
• …and that little bit of grey!

• Average cost of a breach: $4,000,000
• 53% of attacks discovered externally
• 99 days before targeted attacks are detected

Fifty Shades of Grey

• Fileless malware
• Pre-disclosed and unpatched vulnerabilities
• Attacks using native scripts

© 2019 Trend Micro Inc.

• Cloud and virtualization
• Consumerization (devices, WFH, apps…)
• Complex networks


All of our solutions are powered by XGen™ security, which leverages a cross-generational blend of threat-defense techniques.


XGen techniques: Application Control, Behavioral Analysis, Response & Containment, Intrusion Prevention, Machine Learning, Sandbox Analysis, Integrity Monitoring, Anti-Malware & Content Filtering

SMART: Maximizes protection


OPTIMIZED: Minimizes IT impact


Deployment options: SaaS, CSP, software, appliance, MSP


CONNECTED: Speeds time to protect, detect and respond


New Trends in Endpoint Protection


Smart: The Right Technique at the Right Time

Techniques: Web & File Reputation, Exploit Prevention, Application Control, Variant Protection, Pre-execution Machine Learning, Behavioral Analysis, Runtime Machine Learning, Custom Sandbox Analysis, Investigation & Response

Outcome: safe files allowed, malicious files blocked

Legend: known good data, known bad data, unknown data

Noise cancellation


Endpoint Detection and Response (EDR)

1. Endpoint data recording

• Network, event, process, files, commands, operations, etc.
• Tons of telemetry data points
• Stored on endpoints or in a server, or a hybrid approach

2. Investigation of data and responding

• Sweep (search) for Indicators of Compromise to understand the impact of detections
• Hunt for Indicators of Attack based on behavior rules or threat intelligence, either automatically (detection) or manually
• Find the root cause of a detection and remediate/prevent/investigate again


Powerful Investigative Capabilities (EDR)

Investigation: IOC sweeping (server-side metadata sweep), patient-zero identification / root cause analysis, IOA behavior hunting/detection

New: APIs for query/automation, MDR service support (Win/Mac), modern UX with prioritized guidance, unknown-file guidance


POST DETECTION

“How did this happen?”

“Who else has been affected?”

“How do I respond?”


Apex Central™ Management Console

• Single console/workflow

• Seamless integration of EDR investigation and automated detection/response

• Select any detection to investigate


Determine what other users may have been impacted

• Endpoint protection shows detection (in this case there was one)

• But were more users impacted before it was “known”?

• Select Analyze Impact to sweep for more


Impact Assessment

• Impact assessment found five more undetected instances

• Root Cause Analysis begins for all detected users

• Users can be isolated at any time (without firewalls)


Root Cause Analysis Results

• Simplified or full graphical “kill chain” diagram (can also be tabular)

• Enhanced with Trend intelligence and guidance


Response Options

• Selecting an object provides more details
• Options for termination, creating a detection pattern, or further investigation


PRE DETECTION

“Am I protected?”

“What if…”


Multiple Ways to Hunt for Attacks:

• User Defined Suspicious Objects (UDSO) from Deep Discovery


Sources of Intelligence to Hunt with:

• User Defined Suspicious Objects (UDSO)
• OpenIOC (Indicator of Compromise) or STIX from a threat feed
• Customized criteria:
  • Host (host name and IP address are included)
  • Filename, path, and SHA-1 hash value
  • User account
  • Windows auto-run registry
  • Command lines
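The two EDR steps above (record telemetry, then sweep it for indicators and assess impact) and the hunt criteria just listed, worked through as an added example. This is illustrative code written for this page, not Trend Micro's product code or API; the telemetry records, the indicator values and the SHA-1 are all constructed for the example.

```python
"""Server-side IOC sweep over constructed endpoint telemetry.

Added example; not Trend Micro code. It follows the EDR workflow on the
slides: telemetry recorded per endpoint is swept for indicators of compromise
using the listed hunt criteria (host, filename/path, SHA-1, user account,
autorun registry key, command line), so instances never flagged by a
detection pattern surface next to the one that was.
"""
import hashlib
import re

# SHA-1 of a constructed file body, standing in for a hash taken from a detection.
KNOWN_BAD_SHA1 = hashlib.sha1(b"constructed dropper body").hexdigest()

# Constructed telemetry, shaped like what an endpoint sensor would record.
TELEMETRY = [
    {"host": "WS-001", "user": "alice", "kind": "process",      # the original detection
     "path": r"C:\Users\alice\AppData\Roaming\update.exe",
     "sha1": KNOWN_BAD_SHA1, "cmdline": "update.exe --silent"},
    {"host": "WS-002", "user": "bob", "kind": "process",        # benign
     "path": r"C:\Windows\System32\notepad.exe",
     "sha1": "b" * 40, "cmdline": "notepad.exe report.txt"},
    {"host": "WS-003", "user": "carol", "kind": "process",      # same name, new hash
     "path": r"C:\Users\carol\AppData\Local\Temp\UPDATE.EXE",
     "sha1": "c" * 40, "cmdline": "UPDATE.EXE --silent"},
    {"host": "WS-004", "user": "dave", "kind": "registry",      # persistence only
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "value": r"C:\Users\dave\AppData\Roaming\update.exe"},
    {"host": "WS-005", "user": "erin", "kind": "process",       # script-based, no file IOC
     "path": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "sha1": "d" * 40, "cmdline": "powershell.exe -nop -w hidden -enc AAAA"},
    {"host": "WS-007", "user": "grace", "kind": "process",      # host named by intel
     "path": r"C:\Windows\explorer.exe", "sha1": "e" * 40, "cmdline": "explorer.exe"},
]

# Hunt criteria: literal sets for exact-match fields (lower-cased), compiled
# patterns for command lines. All values are constructed for the example.
IOCS = {
    "host": {"ws-007"},
    "user": {"mallory"},
    "sha1": {KNOWN_BAD_SHA1},
    "filename": {"update.exe"},
    "autorun": {r"hkcu\software\microsoft\windows\currentversion\run\updater"},
    "cmdline": [re.compile(r"powershell(\.exe)?\s.*-enc(odedcommand)?\s", re.I)],
}


def _basename(path):
    """Last path component, lower-cased, for either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def sweep(records, iocs):
    """Return one hit per (record, indicator) for every record matching an IOC."""
    hits = []
    for rec in records:
        matched = []
        if rec["host"].lower() in iocs["host"]:
            matched.append(("host", rec["host"]))
        if rec.get("user", "").lower() in iocs["user"]:
            matched.append(("user", rec["user"]))
        if rec.get("sha1", "").lower() in iocs["sha1"]:
            matched.append(("sha1", rec["sha1"]))
        for field in ("path", "value"):            # executables and autorun targets
            if _basename(rec.get(field, "")) in iocs["filename"]:
                matched.append(("filename", rec[field]))
        if rec.get("key", "").lower() in iocs["autorun"]:
            matched.append(("autorun", rec["key"]))
        for pattern in iocs["cmdline"]:
            if pattern.search(rec.get("cmdline", "")):
                matched.append(("cmdline", rec["cmdline"]))
        for indicator, value in matched:
            hits.append({"host": rec["host"], "user": rec.get("user"),
                         "indicator": indicator, "value": value})
    return hits


def impact_assessment(hits, already_detected):
    """Split impacted hosts into the known detection(s) and newly surfaced ones."""
    impacted = sorted({h["host"] for h in hits})
    return {
        "impacted_hosts": impacted,
        "new_hosts": [h for h in impacted if h not in already_detected],
        "by_indicator": sorted({(h["indicator"], h["host"]) for h in hits}),
    }


if __name__ == "__main__":
    result = impact_assessment(sweep(TELEMETRY, IOCS), already_detected={"WS-001"})
    print("impacted:", result["impacted_hosts"])
    print("undetected before sweep:", result["new_hosts"])
    for indicator, host in result["by_indicator"]:
        print(f"  {host}: matched on {indicator}")
```

The filename criterion catches the renamed-hash variant on WS-003 and the autorun target on WS-004 that a hash-only check misses, and the command-line pattern catches the file-less case on WS-005; only the hash IOC is specific enough to be an exact match, so in practice the broader criteria are what make the sweep useful for impact assessment.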


Preliminary Assessment:

• Initial assessment based on single or multiple search items
• Results with threat intelligence and prevalence
• Generate Root Cause Analysis for further investigation

Root Cause Analysis:


POST DETECTION: “How did this happen?” “Who else has been affected?” “How do I respond?”

PRE DETECTION: “Am I protected?” “What if…”


Managed Detection and Response

SENSORS
• Apex One™ with integrated Endpoint Sensor
• Deep Discovery Inspector
• Deep Security

SERVICE PLATFORM
• Trend Micro analysts
• Expert rules
• Threat intelligence
• Machine learning

RESPONSE
• Delivered to management console
• Automated security updates


Datacenter Protection


Hybrid Cloud Security Solution

• Network Security (stop network attacks, shield vulnerable applications & servers): Firewall, Vulnerability Scanning, Intrusion Prevention
• Malware Prevention (stop malware & targeted attacks): Anti-Malware, Sandbox Analysis, Behavioral Analysis & Machine Learning (2H/17)
• System Security (lock down systems & detect suspicious activity): Application Control, Integrity Monitoring, Log Inspection


New Technologies…


Detecting Credential Phishing with Computer Vision (patent pending)


Email Account Takeover Attacks


Credential Phishing Sites Look Convincing

• Fake URL, sometimes with a valid SSL certificate, sometimes within a legitimate domain
• Favicon is identical or similar to the real website
• Login form looks similar to the real website
• Displays the user’s email address in the form


Detecting Credential Phishing Attacks with Computer Vision + AI

▪ After pre-filtering, computer vision image analysis and machine learning analyze branded elements, the login form, and other site content
▪ Combined with site reputation elements and OCR to recognize fake sites while reducing false positives

URL reputation check: CAS blocked 2.8M additional malicious URLs in 2017

Computer vision + AI: real-time detection of fake credential sites


AI-based Business Email Compromise (BEC) Detection

Behavior: routing behavior, cousin domain, high-profile user similarity, …

Intention: financial impact, urgency, …

Behavior + intention analysis. New: authorship analysis (Writing Style DNA)
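The behavior and intention signals named above, combined into one explainable score, as an added example. This is illustrative code written for this page, not Trend Micro's detector; the protected domain, the high-profile user directory, the cue word lists, the weights and the sample messages are all constructed, and a production system would tune these against real mail flow.

```python
"""Explainable BEC scoring from behavior and intention signals.

Added example; not Trend Micro's detector. It scores one inbound message on
the signals named on the slide: a cousin (lookalike) sender domain, a display
name resembling a high-profile user whose address the sender does not own,
and intention cues (financial impact, urgency). Directory, cue lists and
thresholds are constructed for the example.
"""
import unicodedata
from difflib import SequenceMatcher
from email.utils import parseaddr

PROTECTED_DOMAINS = {"example.com"}                                   # constructed
HIGH_PROFILE = {"eva.lang@example.com": "Eva Lang",                   # constructed
                "max.ortiz@example.com": "Max Ortiz"}
URGENCY_CUES = ("urgent", "asap", "immediately", "right away", "today", "before end of day")
FINANCIAL_CUES = ("wire", "transfer", "invoice", "payment", "gift card", "bank details")

# Digits and symbols commonly used as letter stand-ins in lookalike domains.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "@": "a", "$": "s"})


def normalize_domain(domain):
    """Fold accents, case and homoglyph digits so lookalikes compare equal."""
    folded = unicodedata.normalize("NFKD", domain).encode("ascii", "ignore").decode()
    return folded.lower().translate(HOMOGLYPHS)


def cousin_domain(sender_domain, protected=PROTECTED_DOMAINS, min_ratio=0.85):
    """Return the protected domain a sender domain imitates, or None."""
    sender = sender_domain.lower()
    if sender in protected or any(sender.endswith("." + p) for p in protected):
        return None                       # the genuine domain or one of its subdomains
    norm = normalize_domain(sender)
    for good in protected:
        if norm == good:
            return good                   # homoglyph / accent substitution
        if norm.startswith(good + ".") or norm.startswith(good + "-"):
            return good                   # protected name used as a prefix
        if SequenceMatcher(None, norm, good).ratio() >= min_ratio:
            return good                   # typosquat or transposition
    return None


def impersonated_user(display_name, sender_addr, directory=HIGH_PROFILE, min_ratio=0.9):
    """High-profile user whose name the display name mimics, unless the address is theirs."""
    shown = display_name.strip().lower()
    if not shown:
        return None
    for addr, name in directory.items():
        if SequenceMatcher(None, shown, name.lower()).ratio() >= min_ratio \
                and sender_addr.lower() != addr:
            return name
    return None


def intention_cues(text, cues):
    """Cue phrases present in the text (each counted once)."""
    low = text.lower()
    return [c for c in cues if c in low]


def score_message(raw_from, subject, body):
    """Combine behavior and intention signals into a score and verdict."""
    display, addr = parseaddr(raw_from)
    domain = addr.rsplit("@", 1)[-1] if "@" in addr else ""
    text = subject + " " + body
    signals = {
        "cousin_domain": cousin_domain(domain),
        "impersonated_user": impersonated_user(display, addr),
        "urgency": intention_cues(text, URGENCY_CUES),
        "financial": intention_cues(text, FINANCIAL_CUES),
    }
    # Behavior signals weigh most; intention cues are capped so that a legitimate
    # invoice does not score as an attack on vocabulary alone.
    score = ((3 if signals["cousin_domain"] else 0) + (3 if signals["impersonated_user"] else 0)
             + min(len(signals["urgency"]), 2) + min(len(signals["financial"]), 2))
    verdict = "quarantine" if score >= 5 else "warn" if score >= 3 else "deliver"
    return {"score": score, "verdict": verdict, "signals": signals}


# Constructed sample messages.
IMPOSTER = ('"Eva Lang" <eva.lang@examp1e.com>', "Urgent request",
            "Max, I need a wire transfer processed today. Please send confirmation right away.")
VENDOR = ("Accounts Payable <billing@vendor-example.net>", "Invoice 4471",
          "Please find invoice 4471 attached; payment is due in 30 days.")
LEGIT = ('"Eva Lang" <eva.lang@example.com>', "Team lunch", "Shall we do Friday? Eva")

if __name__ == "__main__":
    for label, msg in (("imposter", IMPOSTER), ("vendor", VENDOR), ("legit", LEGIT)):
        print(label, score_message(*msg))
```

The cousin-domain check returns which protected domain is being imitated, and the score keeps every contributing signal, so a warning shown to the recipient or an analyst can say why the message was held rather than only that it was.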


What Is Writing Style DNA?

• Everyone has a unique style of writing when viewed across hundreds of emails
• Writing Style DNA detects email forgeries by comparing to a trained AI model of a user’s writing style

Three Enron execs with different styles


Simplified Graphical Representation of Training the AI Model


Workflow of Writing Style DNA

1. An imposter sends email to “Max” impersonating “Eva” (the impersonated user, an exec). The message received by “Max”:

   Max,
   How are you doing? There is something that I need your assistance with, let me know if you are less busy so I can give you the details
   Regards, Eva

2. Trend Micro Cloud App Security / ScanMail: the message doesn’t match the AI model of “Eva’s” Writing Style DNA.

3. Warning to the recipient “Max”; confirmation requested from “Eva”.
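The workflow above, worked through as an added example with a deliberately simple stand-in for the trained model. This is illustrative code written for this page, not Trend Micro's Writing Style DNA; the per-user profile here is a character 3-gram frequency vector (a standard stylometric feature) compared by cosine similarity, the decision threshold is calibrated by leave-one-out on the user's own mail, and the "Eva" corpus is constructed and far smaller than the hundreds of emails the slide says a real model needs.

```python
"""Authorship check standing in for a Writing Style DNA model.

Added example; not Trend Micro's Writing Style DNA. A per-user profile is built
from that user's past emails as normalized character 3-gram frequencies, and a
new message claiming to be from the user is compared to it by cosine similarity.
The threshold comes from leave-one-out over the user's own corpus. The corpus
and the test messages are constructed for the example.
"""
import math
from collections import Counter


def char_ngrams(text, n=3):
    """Character n-gram counts over lower-cased text with whitespace collapsed.
    Punctuation is kept: greeting and sign-off habits carry style."""
    cleaned = " ".join(text.lower().split())
    return Counter(cleaned[i:i + n] for i in range(len(cleaned) - n + 1))


def profile(messages, n=3):
    """Unit-length n-gram frequency vector over all of a user's messages."""
    total = Counter()
    for m in messages:
        total.update(char_ngrams(m, n))
    norm = math.sqrt(sum(v * v for v in total.values()))
    if norm == 0:
        raise ValueError("empty corpus")
    return {k: v / norm for k, v in total.items()}


def similarity(model, text, n=3):
    """Cosine similarity between a unit profile and one message."""
    grams = char_ngrams(text, n)
    norm = math.sqrt(sum(v * v for v in grams.values()))
    if norm == 0:
        return 0.0
    return sum(model.get(k, 0.0) * v for k, v in grams.items()) / norm


def calibrate_threshold(messages, margin=0.8, n=3):
    """Leave-one-out: the lowest similarity of a genuine message to a profile built
    from the others, scaled down by a margin so genuine mail is not flagged."""
    if len(messages) < 2:
        raise ValueError("need at least two messages to calibrate")
    lows = []
    for i, m in enumerate(messages):
        rest = messages[:i] + messages[i + 1:]
        lows.append(similarity(profile(rest, n), m, n))
    return margin * min(lows)


class WritingStyleModel:
    """Per-user profile plus a threshold calibrated on that user's own mail."""

    def __init__(self, user, messages, n=3, margin=0.8):
        self.user, self.n = user, n
        self.model = profile(messages, n)
        self.threshold = calibrate_threshold(messages, margin, n)

    def check(self, text):
        """Does a message claiming to be from this user match their profile?"""
        sim = similarity(self.model, text, self.n)
        return {"user": self.user, "similarity": round(sim, 3),
                "threshold": round(self.threshold, 3), "matches": sim >= self.threshold}


# Constructed past emails from "Eva"; a real model trains on hundreds.
EVA_EMAILS = [
    "Hi Max, can you send me the Q3 report before Thursday's meeting? Cheers, Eva",
    "Hi Max, thanks for the report. A couple of comments are in the attached. Cheers, Eva",
    "Hi Max, the meeting moved to 10am. Can you update the report deck? Cheers, Eva",
    "Hi Max, quick one: are the Q3 numbers in the report final? Cheers, Eva",
    "Hi Max, thanks, looks good. See you at the meeting. Cheers, Eva",
]
GENUINE = "Hi Max, can you send the updated report before the meeting? Cheers, Eva"
# The imposter's message from the slide.
IMPOSTER = ("Max, How are you doing? There is something that I need your assistance "
            "with, let me know if you are less busy so I can give you the details Regards, Eva")

if __name__ == "__main__":
    model = WritingStyleModel("Eva", EVA_EMAILS)
    print("genuine :", model.check(GENUINE))
    print("imposter:", model.check(IMPOSTER))
```

A mismatch is a reason to warn the recipient and ask the real user to confirm, as in step 3 of the workflow, not to discard the message: with a corpus this small the threshold is coarse, and a genuine but unusually worded email can score low too.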


Writing Style DNA demo


Thank You!
