Trend Micro Cybersecurity Reference Architecture for Operational Technology
November 2017
Contents

Section 1: Executive Summary
Section 2: Real-world cyber attacks
Section 3: Reference Architecture
Section 3.1: OT Security Reference Architecture
Section 3.2: OT Security Domains
Section 3.3: OT Cybersecurity Controls
Section 4: Solutions
Section 4.1: Trend Micro IoT Security
Section 4.2: Trend Micro SafeLock
Section 4.3: Trend Micro Portable Security 2
Section 4.4: Trend Micro TippingPoint
Section 4.5: Trend Micro Deep Discovery Inspector
Section 4.6: Trend Micro Deep Security
Section 5: Summary

Figure 1: Cybersecurity Fence
Figure 2: ICS Security Reference Architecture
Figure 3: Trend Micro OT Cybersecurity Reference Architecture
Section 1: Executive Summary

There are two sides to the cybersecurity fence when addressing threats and other concerns. The first side is what we're most familiar with in corporate IT or Information Technology (IT): Internet access, email servers, Intranet content resources such as database applications, web content, FTP, remote access, etc., and most importantly, endpoints. Corporate IT security is usually facilitated by a layered protection that starts at the cloud, external to the enterprise, then moves into the corporate network starting at the gateway, proceeding further within to protect middleware resources. Deep within the corporate network are the users and their endpoint devices such as desktop PCs, laptops, and mobile devices.

Figure 1: Cybersecurity Fence

The other side of the cybersecurity fence is Operational Technology (OT). Typically, these are the industrial plants, auxiliary buildings, and remote installation units. Within these facilities are the industrial control systems (ICS), which are made up of supervisory control and data acquisition (SCADA) systems, distributed control systems (DCS) and other control system configurations such as programmable logic controllers (PLC) and remote terminal units (RTU) found in the industrial control sectors. ICS are typically found in industries such as retail, manufacturing, and utilities (electric, hydroelectric, and nuclear). SCADA systems are generally used to control assets distributed throughout a facility using centralized data acquisition and supervisory control. DCS are generally used to control production systems within a specifically localized area within the facility using supervisory and regulatory control. PLCs and RTUs are generally used to control specific applications or discrete functions within the facility and generally provide regulatory control. Typically, these ICSs had no connectivity, and the human machine interfaces (HMI), programmable logic controllers, and remote terminal units (RTU) were all connected by either serial, parallel or specialized interfaces.

Note: Industrial control system (ICS) is a general term that refers to several types of control systems, including supervisory control and data acquisition (SCADA) systems, distributed control systems (DCS), and other control system configurations such as programmable logic controllers (PLC) and remote terminal units (RTU), most often found in the industrial sectors and their critical infrastructures. An ICS consists of combinations of control components (e.g., electrical, mechanical, hydraulic, pneumatic) that act together to achieve an industrial objective (e.g., manufacturing, transportation of matter or generation of electricity).

Initially, ICS environments within OT had little resemblance to IT systems; ICS were isolated systems running proprietary control protocols using specialized hardware and software. Many ICS components were in physically secured areas and the components were not connected to IT networks or systems.
However, the need to lower cost and to have better performance and efficiency, along with widely available, low-cost network devices, hardware, and software applications, has led to the replacement of these proprietary ICS solutions. The Information Technology side of the cybersecurity fence was getting connected as network devices became more readily available and were less expensive and faster to implement. The OT side eventually decided that their facilities could further increase operational efficiencies by leveraging the same resources used by IT. These include solutions to promote corporate systems connectivity, such as remote access, along with using industry-standard computers, operating systems and network protocols.

As ICS adopts solutions used within IT, OT environments are starting to resemble their IT counterparts. This adoption supports new capabilities, but provides significantly less isolation from the outside world than predecessor ICS configurations, creating a greater need to secure these systems.

While security solutions have been designed and proven to deal with security issues in typical IT environments, special precautions must be taken when introducing these same solutions to ICS environments. In some cases, new security solutions are needed that are tailored to the ICS environment. ICS environments control attributes in the physical world, whereas an IT environment manages data. ICS have many characteristics that differ from traditional IT systems, including different risks and priorities. Some of these include significant risk to the health and safety of human lives, serious damage to the environment, and financial issues such as production losses and negative impact to a nation's economy. Security protections must be implemented in a way that maintains system integrity during normal operations as well as during times of a cyber-attack. Revolutionary changes to ICS environments have increased the possibility of cybersecurity vulnerabilities and incidents that were once of little concern.

After the first IBM PC compatible virus, the Brain boot sector virus, was released in January 1986, cybersecurity became a mandatory discipline within IT. However, it wasn't a mandatory discipline in OT environments, and OT relied on IT for their cybersecurity concerns. Now, however, cyber-attacks on OT are commonplace, and increasing every year.

An effective cybersecurity program for an ICS is a strategy known as layered protection, or "defense-in-depth," layering security control mechanisms such that the impact of a failure in any one layer is minimized throughout the ICS environment.

Section 2: Real-world cyber attacks

Cyber attackers have sent phishing emails to a number of industrial organizations in the Middle East, gained unauthorized access to a dam in upstate New York, leveraged BlackEnergy malware to cause a power outage and attack an airport in Ukraine, inflicted "massive" damage at a German steel mill by manipulating some of its ICS systems, and caused "some disruption" at an unnamed nuclear power plant. And in 2010, Stuxnet attacked the Iranian ICS network for controlling centrifuges.

All OT industrial organizations must now confront the possible threat of a digitally initiated cyber attack. To help defend against these bad actors, many enterprises have taken it upon themselves to protect their OT domains with less reliance on their IT domain counterparts.
No longer can security in the OT domain rely on security from the IT domain for its protection and isolation. It has already been shown that compromising the IT domain eventually leaks over to the OT domain. The first known successful cyber attack on a power grid occurred on December 23, 2015. Hackers compromised the Ukraine power grid and were able to successfully compromise information systems of three energy distribution companies and temporarily disrupt electricity supply to customers. Thirty substations were switched off and about 230,000 people were left without electricity for a period from 1 to 6 hours.

At the same time, consumers of two other energy distribution companies were also affected by a cyber attack, but at a smaller scale. The cyber attack was complex, beginning with a prior compromise of IT corporate networks using phishing emails with BlackEnergy malware. Lateral movement within the IT network found a system dedicated to accessing the OT domain. Failure to use 2-factor authentication allowed the hackers access to the ICS network system. They seized SCADA controls, remotely switched substations off, and disabled or destroyed IT infrastructure components (uninterruptible power supplies, modems, RTUs, commutators). The hackers also used the KillDisk malware to destroy files stored on servers and workstations and launched denial-of-service attacks on a call-center to deny consumers up-to-date information on the blackout. In total, up to 73 MWh of electricity was not supplied, or 0.015% of daily electricity consumption in Ukraine.

Section 3: Reference Architecture

Section 1 discussed that the OT realm is looking more and more like its IT counterpart, using the same hardware, operating systems, software and applications. Therefore, the OT realm will be subject to similar if not the same cybersecurity threats and incidents. While security solutions have been designed to deal with cybersecurity incidents in IT networks, precautions must be taken when introducing some of these same solutions into OT networks. In some cases, alternative security solutions must be applied to the OT networks.

It is beyond the scope of this document to discuss all of the cybersecurity recommendations and cybersecurity control mechanisms. There are published guidelines from the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), Department of Homeland Security (DHS), National Institute of Standards and Technology (NIST), and SANS.org that provide details and recommendations. An effective cybersecurity strategy for an ICS environment should apply layered protection/defense-in-depth, a technique of layering cybersecurity control mechanisms so that the impact of a compromise within a security domain is localized and minimized. The remainder of the document will focus on the ICS security architecture, security domains, and cybersecurity controls from the above-mentioned organizations and their generally recommended application.
Section 3.1: OT Security Reference Architecture

DHS, ICS-CERT, NIST, and SANS all have the same recommendation when designing and implementing a network architecture for an OT deployment: it is highly recommended to separate the OT network from the corporate IT network. The nature of network traffic on these two networks is different. Internet access, FTP, email, web, and remote access will typically be permitted on the corporate IT network but should not be allowed on the OT network. Rigorous change control procedures for network equipment, configuration, and software changes that may not be in place on the corporate IT network, however, are typical for OT networks. By having separate networks, security and performance problems on the corporate IT network should not be able to affect the OT network and vice-versa.
The aforementioned recognized institutions have all created an OT reference architecture specifically addressing the concerns for ICS networks, shown in Figure 2. This architecture indicates the general functional requirements typical for existing ICS networks (although actual implementations are highly variable). This example only attempts to identify notional topology concepts. Actual implementations of ICS segments may be hybrids that blur the lines between the DCS, SCADA, PLC, and RTU systems deployed.

Figure 2: ICS Security Reference Architecture

Practical considerations, such as cost-of-ownership and the resources required to install and maintain an OT network within the corporate IT infrastructure, often mean that a connection is required between the OT and corporate IT networks. This connection is a significant security risk and should be protected by boundary protection devices. The recommended boundary protection is a DMZ and firewall with additional cybersecurity control mechanisms, shown in Figure 2.

Note: A DMZ is a separate network segment that isolates the OT and IT network connections directly through a firewall.
Network isolation via segmentation and segregation addresses the requirement of further partitioning the ICS network deployment into discrete security domains. Operational risk analysis should be performed to determine the critical parts of each ICS environment and its operations. For example, a separate security domain could be structured for the HMI, SCADA/DCS, and instrumentation systems deployed, as in Figure 2. The basic requirement for segmentation and segregation is to minimize access to systems and resources across security domains in the event of a cybersecurity attack or incident.
Traditionally, network segmentation and segregation is implemented at the gateway between domains. Within the OT network, ICS environments often have multiple well-defined security domains, such as operational LANs, control LANs, and instrumentation LANs, for example. Gateways connect to non-OT and less trustworthy domains such as the Internet and the corporate LANs, shown in Figure 2.

When implementing network segmentation and segregation correctly, you are minimizing the method and level of access to sensitive information and system resources. This can be achieved by using a variety of technologies and security methods, the most common of which are listed below. This is only a subset of the full set of components available. See the documents from the aforementioned institutions for a more comprehensive list.

• Network traffic filtering, which can use a variety of technologies at various network layers to enforce security requirements and domains.
• Network layer filtering that restricts which systems are able to communicate with others on the network based on IP and routing information.
• State-based filtering that restricts which systems are able to communicate with others on the network based on their intended function or current state of operation.
• Port and/or protocol level filtering that restricts the number and type of services that each system can use to communicate with others on the network.
• Application filtering that commonly filters the content of communications between systems at the application layer. This includes application-level firewalls, proxies, and content-based filters.

Boundary protection security controls should include gateways, routers, firewalls, network-based malicious code analysis (sandboxing), virtualization systems, intrusion detection/prevention systems, and VPN encrypted tunnels, for example.
Section 3.2: OT Security Domains

From the security reference architecture, the basic recommendation is for four security domains within the ICS environments. As mentioned, this is only a recommendation and actual implementation depends on the physical nature of the plant or facility. Adding additional security domains and segmentation or segregation of the ICS environments with firewalls and DMZs will complicate the network design and increase the cost and management of too complex a network. The four domains:
1. Site Manufacturing Operations and Controls: General business operations in support of facility operations. Traditionally using the same security controls deployed within the corporate IT network.
2. Area Controls: HMI, SCADA, DCS
3. Basic Controls: PLC, RTU
4. Instrumentation: Sensors, actuators, meters, etc.
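The following is an added illustration, not code from the white paper or from any of the cited institutions: a default-deny policy between the corporate IT network, the DMZ, and the four OT security domains listed above, evaluated with three of the filtering types from Section 3.1 (network-layer filtering by subnet, port/protocol filtering, and state-based filtering on the destination domain's declared operating state). The subnets, ports, zone states and sample flows are all constructed for the example; the only real values are the well-known protocol ports noted in the comments.

```python
"""Added example (not part of the Trend Micro white paper): a default-deny
segmentation policy between the security domains of Sections 3.1 and 3.2,
evaluated with network-layer (subnet), port/protocol, and state-based
filtering. Subnets, ports, states and flows are constructed samples."""
import ipaddress
from dataclasses import dataclass

# Constructed addressing for each zone (assumed for this example only).
ZONES = {
    "corporate_it":    ipaddress.ip_network("10.0.0.0/16"),
    "dmz":             ipaddress.ip_network("172.16.0.0/24"),
    "site_operations": ipaddress.ip_network("192.168.10.0/24"),  # domain 1
    "area_controls":   ipaddress.ip_network("192.168.20.0/24"),  # domain 2: HMI/SCADA/DCS
    "basic_controls":  ipaddress.ip_network("192.168.30.0/24"),  # domain 3: PLC/RTU
    "instrumentation": ipaddress.ip_network("192.168.40.0/24"),  # domain 4: sensors/actuators
}


@dataclass(frozen=True)
class Rule:
    src: str           # source zone
    dst: str           # destination zone
    proto: str         # "tcp" or "udp"
    port: int          # destination port
    states: frozenset  # destination-zone states in which the flow is permitted


ALWAYS = frozenset({"normal", "maintenance"})

# Explicit allow rules; anything not matched is denied (default deny).
# Corporate IT reaches only the DMZ; the DMZ relays into site operations;
# each OT domain may only initiate one level down. TCP 502 is Modbus/TCP;
# TCP 44818 is EtherNet/IP explicit messaging (used here for PLC programming).
RULES = (
    Rule("corporate_it",    "dmz",             "tcp", 443,   ALWAYS),
    Rule("dmz",             "site_operations", "tcp", 443,   ALWAYS),
    Rule("site_operations", "area_controls",   "tcp", 502,   ALWAYS),
    Rule("area_controls",   "basic_controls",  "tcp", 502,   ALWAYS),
    # State-based rule: PLC programming from the engineering side is permitted
    # only while the basic-controls domain is in a declared maintenance window.
    Rule("site_operations", "basic_controls",  "tcp", 44818, frozenset({"maintenance"})),
)


def zone_of(ip: str):
    """Map an address to its security domain, or None if it is in no domain."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return None


def evaluate(src_ip, dst_ip, proto, port, zone_state=None):
    """Return (verdict, reason) for one flow; zone_state maps zone -> current state."""
    zone_state = zone_state or {}
    src_zone, dst_zone = zone_of(src_ip), zone_of(dst_ip)
    if src_zone is None or dst_zone is None:
        return "deny", "address outside every security domain"
    if src_zone == dst_zone:
        return "allow", f"intra-domain traffic within {src_zone}"
    for rule in RULES:
        if (rule.src, rule.dst, rule.proto, rule.port) == (src_zone, dst_zone, proto, port):
            state = zone_state.get(dst_zone, "normal")
            if state in rule.states:
                return "allow", f"{src_zone}->{dst_zone} {proto}/{port} permitted in state {state}"
            return "deny", f"{src_zone}->{dst_zone} {proto}/{port} not permitted while {dst_zone} is {state}"
    return "deny", f"no rule for {src_zone}->{dst_zone} {proto}/{port} (default deny)"


# Constructed sample flows: (src, dst, proto, dst_port).
SAMPLE_FLOWS = (
    ("10.0.5.23",    "172.16.0.10",  "tcp", 443),    # IT workstation to DMZ relay
    ("10.0.5.23",    "192.168.20.5", "tcp", 502),    # IT workstation straight to an HMI
    ("192.168.20.5", "192.168.30.7", "tcp", 502),    # HMI polling a PLC
    ("192.168.10.4", "192.168.30.7", "tcp", 44818),  # engineering station programming a PLC
    ("192.168.30.7", "192.168.20.5", "tcp", 502),    # PLC initiating a session upward
    ("203.0.113.9",  "192.168.40.2", "udp", 161),    # outside address to a sensor
)


def run_samples(zone_state=None):
    """Verdicts for SAMPLE_FLOWS under the given zone states."""
    return [evaluate(*flow, zone_state)[0] for flow in SAMPLE_FLOWS]


if __name__ == "__main__":
    for state in ({}, {"basic_controls": "maintenance"}):
        print(f"zone states: {state or 'all normal'}")
        for flow in SAMPLE_FLOWS:
            verdict, reason = evaluate(*flow, state)
            print(f"  {verdict:5} {flow[0]:>14} -> {flow[1]:<14} {flow[2]}/{flow[3]:<5} {reason}")
```

Run it and the same six flows are evaluated twice: with every domain in its normal state, the engineering station's programming session to the PLC is denied, and it is allowed only once the basic-controls domain is placed in maintenance. The IT workstation never reaches the HMI directly, and the PLC cannot open a session upward, because no rule exists for either direction and the policy is default deny.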
Section 3.3: OT Cybersecurity Controls

Section 3.1 discusses the hardware security control mechanisms. This section discusses the software and application security controls. Cybersecurity controls, including monitoring of sensors and logs, intrusion detection, antivirus, patch management, policy management software, and other cybersecurity control mechanisms, should be done on a real-time basis where feasible.

It is interesting to note that the aforementioned institutions' recommendation is that the antivirus product chosen for protecting systems in the ICS environment should not be the same as the antivirus product used within the corporate IT network. As a result, the institutions suggest implementing whitelisting instead of blacklisting software (typically antivirus software uses blacklisting technology); that is, grant access to the known good applications and services, rather than denying access to execute known bad entities. Typically, the set or sets of applications that run within ICS environments are essentially static and few, making whitelisting more practical and feasible to maintain. This will also improve an organization's capacity to analyze log files and maintenance activities.

For isolated or disconnected systems within the ICS environment, it is recommended to periodically run a real-time scan with external software. That is, software not installed on the systems within the ICS environments but rather used by attaching an external device via USB, CD/DVD, etc. with up-to-date software for the scanning operations. The resulting operations can be analyzed at a later date if malware is not detected immediately.

Section 4: Solutions

Figure 3: Trend Micro OT Cybersecurity Reference Architecture
The following describes Trend Micro's IoT cybersecurity software.

Section 4.1: Trend Micro IoT Security

The evolution of the Internet of Things (IoT) has made life a lot more convenient and productive for both consumers and businesses alike over the past few years. For example, with a smart camera, consumers can check the status of their children using their mobile devices while away from home and on business. But because security isn't always designed into these devices, the Internet of Things presents lots of security challenges for individuals, businesses, and security professionals alike.

The business environment, such as the automobile industry, faces an emerging challenge in the area of cybersecurity. For automobile original equipment manufacturers (OEMs), Tier 1 suppliers, car dealers, service providers, car owners and drivers, cyber attacks are now a reality that they have to grapple with.

In the era of the Internet of Things (IoT), more and more key device functions rely on software rather than hardware. This is also true with vehicles. Unfortunately, as vehicles become increasingly automated and connected with the outside world, they tend to face growing security threats. Vulnerabilities arise particularly when just-in-time manufacturing and a faster speed to market leave less time for product safety testing. These vulnerabilities might not be uncovered until millions of vehicles have been released, in which case the necessary patching procedure is all but certain to prove even more costly—not only to the affected carmaker's finances but also to its reputation. It's important, then, for security measures to be properly applied right from the outset of the car manufacturing process, starting in the design phase.

That is why it is important for device manufacturers to integrate security into the device itself, to ensure consumers and businesses are protected from these challenges the minute they install your IoT device. Because of these challenges, Trend Micro has developed a cybersecurity solution called Trend Micro Internet of Things (IoT) Security, consisting of File Integrity checking, Application Whitelisting, Hosted Intrusion Prevention Services (HIPS), Network Anomaly Scanning and Detection, System Vulnerability Scanning, and Virtual Patching.

Trend Micro IoT Security (TMIS) is built-in IoT security software that monitors, detects and protects IoT devices from potential risks, including data theft and ransomware attacks. This ensures firmware integrity and reduces the attack surface, which not only prevents harm to your IoT devices, but also minimizes device maintenance costs and protects your reputation.

Section 4.2: Trend Micro SafeLock

System Lockdown Software for Fixed-Function Devices
Trend Micro SafeLock for IoT™

Protect fixed-function devices such as industrial control systems and embedded devices, terminals in a closed system, and legacy OS terminals against malware infection and unauthorized use.

Don't give up on security software because of the impact on performance and the need to update. Trend Micro SafeLock for IoT™ prevents the execution of malware with lockdown.
Lockdown is a technique that limits a system to running only day-to-day operations while controlling system resources and access. Where most anti-virus software uses blacklisting to forbid known malware from running, SafeLock uses whitelisting to allow only known and approved processes to run. The set of applications that run in fixed-function devices is essentially static, making whitelisting practical and eliminating the need to regularly update a blacklist. SafeLock's approach has a limited impact on system performance and can improve an organization's capacity to analyze log files.
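To make the whitelisting-versus-blacklisting contrast of Section 3.3 and of the lockdown description above concrete, here is an added example; it is not SafeLock's code and not from the white paper. It identifies an executable by its SHA-256 digest, builds an allowlist once from the device's known-good binaries, and runs the same execution attempts through a default-allow blacklist and a default-deny allowlist. The binaries, the "known bad" entry and the execution attempts are constructed sample data.

```python
"""Added example (not part of the white paper and not SafeLock's code):
whitelisting (lockdown) versus blacklisting for a fixed-function device,
with SHA-256 digests as the identity of an executable. All binaries and
digests below are constructed samples."""
import hashlib


def sha256(content: bytes) -> str:
    return hashlib.sha256(content).hexdigest()


# Constructed image of a fixed-function device: the few binaries it ever runs.
APPROVED_BINARIES = {
    "hmi_runtime.exe":   b"HMI runtime v3.1 (constructed sample bytes)",
    "historian_svc.exe": b"historian service (constructed sample bytes)",
    "opc_bridge.exe":    b"OPC bridge (constructed sample bytes)",
}

# The allowlist is built once, at lockdown time, from the known-good set.
ALLOWLIST = {sha256(content) for content in APPROVED_BINARIES.values()}

# A blacklist only knows malware that has already been seen (constructed entry).
KNOWN_BAD = {sha256(b"old-malware-sample (constructed)")}


def blacklist_decision(content: bytes) -> str:
    """Conventional antivirus rule: block what is known bad, allow by default."""
    return "block" if sha256(content) in KNOWN_BAD else "allow"


def allowlist_decision(content: bytes, allowlist=ALLOWLIST) -> str:
    """Lockdown rule: run only what is on the allowlist, deny by default."""
    return "allow" if sha256(content) in allowlist else "block"


def approve(name: str, content: bytes, allowlist=ALLOWLIST) -> str:
    """Controlled change: a reviewed binary is added during a maintenance window."""
    digest = sha256(content)
    allowlist.add(digest)
    return digest


def compare(candidates):
    """Map each execution attempt to (blacklist verdict, allowlist verdict)."""
    return {name: (blacklist_decision(c), allowlist_decision(c))
            for name, c in candidates.items()}


def lockdown_events(candidates):
    """Only blocked executions need a log line, which keeps the log short to review."""
    return [f"BLOCKED {name} sha256={sha256(c)[:16]}..."
            for name, c in candidates.items() if allowlist_decision(c) == "block"]


# Constructed execution attempts on the device.
CANDIDATES = {
    "hmi_runtime.exe":            APPROVED_BINARIES["hmi_runtime.exe"],
    "hmi_runtime.exe (tampered)": APPROVED_BINARIES["hmi_runtime.exe"] + b"\x00patched",
    "known_malware.exe":          b"old-malware-sample (constructed)",
    "new_dropper.exe":            b"never-before-seen sample (constructed)",
}

if __name__ == "__main__":
    for name, (bl, al) in compare(CANDIDATES).items():
        print(f"{name:28} blacklist={bl:5} allowlist={al}")
    for line in lockdown_events(CANDIDATES):
        print(line)
```

The untouched HMI runtime passes both checks, the known sample is stopped by both, but the tampered runtime and the never-before-seen dropper are allowed by the blacklist and blocked by the allowlist, without any signature update. The allowlist grows only through the explicit approve step, which is where a maintenance-window change would be recorded.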
Trend Micro SafeLock for IoT can protect terminals reserved for critical control systems, embedded devices, and legacy OS terminals. Also, its easy user interface and cooperation with Trend Micro Portable Security enable rapid deployment and a high degree of operability.

Section 4.3: Trend Micro Portable Security 2

Malware Scanning and Cleanup Tool for Standalone PCs & Closed Systems; no Internet connection does not mean safe and secure.

The Internet is not the only way that malware can infect a PC. A Trend Micro survey of companies in Japan found that 20% of stand-alone computers and PCs in closed networks were infected with malware. Devices brought in from outside the system by users, as well as the use of USB flash drives, can infect stand-alone PCs and those in closed systems.

Organizational restrictions on installing software on these PCs mean that virus protection software either can't be installed at all or can't be updated to cover the latest generation of malware. Without access to the Internet, PCs that do have anti-virus software installed are difficult to scan with the latest malware pattern file.

Trend Micro Portable Security for IoT solves the problem.

The Portable Security for IoT hand-held tool plugs into a USB port to detect and eliminate malware, without the need to install software on the PC. The tool changes color to indicate whether or not it detects malware and whether it is eliminated or needs further intervention. For PCs on a network, Portable Security for IoT has a centralized management program that can manage malware pattern files and configurations. It can also compile the scan logs of the scanning tools in multiple locations in an integrated fashion. Moreover, the event log of the system lockdown security software "Trend Micro SafeLock" (separately charged) can be obtained with the Portable Security management program.
Section 4.4: Trend Micro TippingPoint

The threat landscape continues to evolve both in sophistication and in technology. This means a new security system that is both effective and flexible is needed due to the dynamic nature of the landscape—one that allows you to tailor your security to meet the needs of your network. Selecting a network security platform is a critical decision because it serves as the foundation for advanced network security capabilities now and in the future. And, given the backdrop of the changing threat landscape, the importance of network security continues to increase, making it a difficult task. Trend Micro TippingPoint Threat Protection System (TPS) is a network security platform powered by XGen™ security, a technology that offers comprehensive threat protection, shielding against vulnerabilities, blocking exploits and defending against known and zero-day attacks with high accuracy. It provides industry-leading coverage from advanced threats, malware, phishing, and other threat vectors with extreme flexibility and high performance. The TPS uses a combination of technologies, including deep packet inspection, threat reputation, and advanced malware analysis on a flow-by-flow basis, to detect and prevent attacks on the network. The TPS enables enterprises to take a proactive approach to security to provide comprehensive contextual awareness and deeper analysis of network traffic. This complete contextual awareness, combined with the threat intelligence from Digital Vaccine Labs (DVLabs), provides the visibility and agility necessary to keep pace with today's dynamic, evolving enterprise networks.
Section 4.5: Trend Micro Deep Discovery Inspector

Hackers often customize targeted attacks and advanced threats to evade your conventional security defenses and to remain hidden while stealing your corporate data, intellectual property, and communications, and sometimes to encrypt critical data until ransom demands are met. To detect targeted attacks and advanced threats, analysts and security experts agree that organizations should utilize advanced detection technology as part of an expanded strategy. Deep Discovery Inspector is a physical or virtual network appliance that monitors 360 degrees of your network to create complete visibility into all aspects of targeted attacks, advanced threats, and ransomware. By using specialized detection engines and custom sandbox analysis, Deep Discovery Inspector identifies advanced and unknown malware, ransomware, zero-day exploits, command and control (C&C) communications and evasive attacker activities that are invisible to standard security defenses. Detection is enhanced by monitoring all physical, virtual, north-south, and east-west traffic. This capability has earned Trend Micro the rank of most effective recommended breach detection system for two years running by NSS Labs.

Section 4.6: Trend Micro Deep Security

Virtualization and hybrid cloud computing can help your organization achieve significant savings in data center hardware costs, operational expenditures, and energy demands—while achieving improvements in quality of service and business agility. However, as data centers continue to transition from physical to virtual and now, increasingly, cloud environments, traditional security can slow down provisioning, become difficult to manage, and cause performance lag. As you scale your virtual environment and adopt software-defined networking, evolving your approach to security can reduce time, effort, and impact on CPU, network, and storage. Trend Micro's modern data center security is optimized to help you safely reap the full benefits of your virtualized or hybrid cloud environment. Our virtualization-aware security offers many advantages including performance preservation, increased VM densities, and accelerated ROI. Trend Micro™ Deep Security™ offers a complete set of security capabilities with the features you need to benefit from the efficiencies of virtualized environments and help meet compliance. This integrated solution protects physical, virtual, cloud, and hybrid environments.
Section 5: Summary

The purpose of this white paper is to present some of the challenges facing cybersecurity professionals managing and maintaining Operational Technology domains and the Industrial Control Systems and networks within these networks. By adhering to a reference architecture based on the ISA-95 reference model, the cybersecurity professional can deploy time-proven and appropriate cybersecurity solutions that are easy to deploy, manage, and maintain, and that can readily reach a level of security for any Operational Technology and Industrial Control System where security matters.