IT-Security-Symposium 2019: IT Security in Focus
The new complete solution for endpoint protection: Apex One
Özgür Isik – Channel Presales Engineer
© 2019 Trend Micro Inc.

Agenda
• Architecture of Apex One and Apex One as a Service
• Security modules & services
– iProducts
– Endpoint Detection & Response functionality
– Managed Detection and Response
• Migration and upgrade
– Hybrid operation
• Q&A

Apex One as a Service
• Introduction to the topic

Trend Micro Apex One™
Apex = the highest point of a shape [best view, everything in sight]
“One” is part of the product name, not the version number

How do I start with a trial licence?
Register a trial: https://www.trendmicro.com/product_trials/service/index/us/165
❶ Trial form
❷ Trial confirmation
❸ Provision flow
❹ Provision completed

Trial licence
• Validity: 30 days
• The trial consists of:
– Apex Central as a Service
– Apex One as a Service
  • Data Loss Prevention
  • Endpoint Application Control
  • Vulnerability Protection
– Apex One for Mac
– Endpoint Sensor
– Sandbox as a Service

Starting with an SPE/SPC licence
❶ CLP console
❷ Select Apex One as a Service
❸ Click Open Console
❹ Provision flow
❺ Provision completed

Starting with an SPE/SPC licence
Starts the rollout of the service for the customer

Licence content with SPE/SPC
• Apex Central as a Service
• Apex One as a Service
– Data Loss Prevention
– Endpoint Application Control
– Vulnerability Protection
• Apex One for Mac
• Add-on:
– Endpoint Sensor
– Sandbox as a Service

Apex One as a Service
• Architecture

West Europe, Amsterdam (primary) – North Europe, Dublin (backup)
Central US, Iowa (primary) – East US-2, Virginia (backup)
1. European data center for European customers
2. US data center for the rest of the world

Management of the solution
• Two servers are provisioned
– Apex Central
– Apex One
• A maximum of 4 databases
– Apex Central
– Apex One
– Endpoint Sensor
– Apex One (Mac)

Agent Platform Support
Platform support (agents): XG | XG SP1 | Apex One
Windows XP (5.1)
Windows 7 (6.1)
Windows 8 (6.2)
Windows 8.1 (6.3)
Windows 10 (10.0)
Windows Server 2003 (5.2)
Windows Server 2008 (6.0)
Windows Server 2008 R2 (6.1)
Windows Server 2012 (6.2)
Windows Server 2012 R2 (6.3)
Windows Server 2016 R2 (10)
Windows Server 2019

Apex One (on premise)
Optional: Edge Relay – management of external clients
- Policy
- SO (suspicious object) handling
- Updates
- Logs & status
Optional: Smart Protection Server standalone
- Web reputation
- File reputation

Modules & new features

Entry point → Pre-execution → Runtime → Exit point

Entry Point
Threats: malicious site, OS vulnerability exploit, browser exploit, malicious USB
Web Reputation: blocks connections at kernel level (not only in web browsers)
Virtual Patching: blocks new exploits with the industry’s most timely vulnerability research
Browser Exploit Protection: detects exploits based on script inspection & site behavior
Device Control: blocks unknown removable media devices on Windows and Mac OS
Trend Micro ZDI detected 66% of all vulnerabilities in 2017. This powers unmatched timeliness for virtual patches.

Pre-execution
File-based threat, e.g. EXE, DLL, Office document w/ macros
On disk:
Application Control: blocks execution of anything that isn’t on the (easily manageable) white list
Variant Protection: detects mutations of malicious samples by recognizing known fragments of malware code
File-based Signature: detects known-bad files (with 3 billion detections globally in 1H/2018)
Predictive Machine Learning: scores the file against a cloud-based or local/offline model to detect previously unknown threats
In memory:
Packer Detection: identifies packed malware in memory as it unpacks, prior to execution

Run-time
Anything executing: EXE, DLL, PowerShell, document behavior inside MS Office, etc.
Runtime Machine Learning: scores real-time behavior against a cloud model to detect previously unknown threats
IOA Behavioral Analysis: detects behavior that matches known indicators of attack (IOA), including ransomware encryption behaviors and script launching
In memory:
In-memory runtime analysis: malicious script detection, malicious code injection, runtime un-pack detection
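As an added illustration of what an IOA rule looks like in practice (this is example code written for this transcript, not Trend Micro code and not the product's detection logic), the two behaviours the slide names, ransomware-style encryption and script launching, are expressed as simple rules over constructed process and file telemetry. The telemetry schema, the thresholds, the process-name sets and the sample events are all assumptions; the first rule is written as a general sliding-window counter rather than for one fixed burst.

```python
"""Toy IOA (indicator of attack) behavioural detector, added for illustration.

Two rules modelled on the examples named on the slide:
  1. ransomware-like encryption behaviour: one process rewriting many files to
     a new extension within a short time window;
  2. script launching: an Office document process spawning a script host.
The telemetry schema, thresholds and sample events below are assumptions.
"""
from collections import defaultdict
from typing import Dict, List

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"powershell.exe", "wscript.exe", "cscript.exe", "cmd.exe", "mshta.exe"}


def detect_mass_rename(events: List[Dict], threshold: int = 20, window: float = 10.0) -> List[Dict]:
    """Alert when one process renames >= threshold files to a different extension
    within `window` seconds (the crude shape of an encryption run)."""
    stamps_by_proc: Dict[tuple, List[float]] = defaultdict(list)
    for ev in events:
        if ev["type"] != "file_rename":
            continue
        old_ext = ev["old_path"].rsplit(".", 1)[-1].lower()
        new_ext = ev["new_path"].rsplit(".", 1)[-1].lower()
        if old_ext == new_ext:  # plain rename, not an extension change
            continue
        stamps_by_proc[(ev["host"], ev["pid"], ev["image"].lower())].append(ev["ts"])

    alerts = []
    for (host, pid, image), stamps in stamps_by_proc.items():
        stamps.sort()
        start = 0
        for end in range(len(stamps)):
            # slide the window start forward until it spans <= window seconds
            while stamps[end] - stamps[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                alerts.append({"rule": "ransomware_encryption_behaviour", "host": host,
                               "pid": pid, "image": image, "renames": len(stamps)})
                break
    return alerts


def detect_office_script_launch(events: List[Dict]) -> List[Dict]:
    """Alert when an Office application spawns a script interpreter."""
    alerts = []
    for ev in events:
        if ev["type"] != "process_create":
            continue
        if ev["parent_image"].lower() in OFFICE_APPS and ev["image"].lower() in SCRIPT_HOSTS:
            alerts.append({"rule": "office_script_launch", "host": ev["host"],
                           "parent": ev["parent_image"], "image": ev["image"],
                           "cmdline": ev["cmdline"]})
    return alerts


def sample_events() -> List[Dict]:
    """Constructed telemetry: one encryption-like burst, one benign rename job,
    one Office -> PowerShell launch and one benign interactive PowerShell."""
    events = []
    for i in range(25):  # 25 extension changes in under 5 seconds
        events.append({"type": "file_rename", "host": "WS-010", "pid": 4242, "image": "locker.exe",
                       "ts": 100.0 + i * 0.2,
                       "old_path": f"C:\\Users\\alice\\Documents\\report{i}.docx",
                       "new_path": f"C:\\Users\\alice\\Documents\\report{i}.locked"})
    for i in range(3):  # a backup tool changing three extensions: below threshold
        events.append({"type": "file_rename", "host": "WS-010", "pid": 77, "image": "backup.exe",
                       "ts": 200.0 + i, "old_path": f"D:\\bak\\db{i}.tmp",
                       "new_path": f"D:\\bak\\db{i}.bak"})
    events.append({"type": "process_create", "host": "WS-011", "parent_image": "WINWORD.EXE",
                   "image": "powershell.exe", "cmdline": "powershell.exe -File macro.ps1"})
    events.append({"type": "process_create", "host": "WS-012", "parent_image": "explorer.exe",
                   "image": "powershell.exe", "cmdline": "powershell.exe"})
    return events


def run_all(events: List[Dict]) -> List[Dict]:
    """Run both rules over the same event stream."""
    return detect_mass_rename(events) + detect_office_script_launch(events)


if __name__ == "__main__":
    for alert in run_all(sample_events()):
        print(alert)
```

The threshold and window are the knobs a real product tunes per environment; lowering them catches slower encryption but also flags legitimate bulk-rename jobs, which is why the sample includes a three-file backup run that stays below the default threshold.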

Exit Point
Threats: command and control server, data exfiltration, lateral movement
Web Reputation: blocks connections at kernel level (not only in web browsers)
Host Intrusion Prevention: detects and blocks lateral movement behavior
Data Exfiltration Detection: DLP detects and blocks sensitive data leaving the endpoint
Device Control: blocks unknown removable media devices

Automated Response
Isolation, quarantine, process kill, execution block, damage rollback, API capabilities, rapid response protection updates to other endpoints/products*
*manual

iProducts in detail

Integrated Vulnerability Protection

Definition of terms (analogy)
Burglar-proof glass | Burglar-proof glass
Normal glass, contrary to what you believe → Vulnerability / weakness, Zero day
Exploit
Payload

Definition of terms
• Vulnerability or weakness
– Susceptibility to attacks due to flaws in programming, logic, etc.
• Exploit
– A method of breaking into the system by taking advantage of a vulnerability
• Payload
– The malicious code that the attack pushes into the system

Positive: deployment is effortless & there is no risk

Integrated Application Control

Application control
• User- and device-based rules
• Allow & block
• Lockdown

Best Practice
• Start with a Block (Assessment) criterion
– E.g., select all categories in the Certified Safe Software List
• Assign the policy to Apex One™ Security Agents
• Review the Application Control violation detections manually
– The widget provides an easy-to-filter entry point
• Refine criteria and approve recognized software
– Unselect the categories from the Certified Safe Software List
– Create Allow criteria to exempt from screening

What is defined, and how?
• Certified Safe Software List (from Trend Micro)
• File paths
• Certificates
• Hash values
• Gray Software List (from Trend Micro)
• Suspicious Object List (generated by your systems, such as Sandbox or EDR)

Building rules
• Take care when defining rules!
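To make the best-practice sequence and the criteria types concrete, here is an added example (written for this transcript, not Trend Micro code and not how the product stores its policies) of a small policy evaluator: it understands path, certificate and hash criteria, a stand-in Certified Safe Software List and Suspicious Object List, and the difference between an assessment policy that only records violations and a lockdown policy that blocks everything not explicitly allowed. All hashes, paths, signer names and list contents are constructed placeholders.

```python
"""Toy application-control policy evaluator, added for illustration.

Models the criteria types from the slides (file path, certificate/signer,
hash value), the Certified Safe Software List and the Suspicious Object List,
and the two ways a policy runs: Assessment (violations are only recorded) and
Lockdown (anything not explicitly allowed is blocked). All lists, hashes,
paths and signer names below are constructed placeholders.
"""
from dataclasses import dataclass, field
from fnmatch import fnmatch
from typing import Dict, List, Optional, Set

# Constructed stand-ins for vendor-maintained lists (category -> SHA-1 set).
CERTIFIED_SAFE: Dict[str, Set[str]] = {
    "office_suite": {"aaaa1111" * 5},
    "browsers": {"bbbb2222" * 5},
}
# Constructed stand-in for objects flagged by a sandbox or EDR.
SUSPICIOUS_OBJECTS: Set[str] = {"dddd4444" * 5}


@dataclass
class Executable:
    path: str
    sha1: str
    signer: Optional[str] = None  # certificate subject if the file is signed


@dataclass
class Policy:
    mode: str  # "assessment" or "lockdown"
    safe_categories: List[str] = field(default_factory=list)  # CSSL categories to trust
    allow_hashes: Set[str] = field(default_factory=set)
    allow_signers: Set[str] = field(default_factory=set)
    allow_paths: List[str] = field(default_factory=list)  # glob patterns


@dataclass
class Verdict:
    action: str  # "allow", "block" or "log"
    reason: str


def evaluate(policy: Policy, exe: Executable) -> Verdict:
    """Decide what the agent does with one executable under the policy."""
    # Block criteria win regardless of mode.
    if exe.sha1 in SUSPICIOUS_OBJECTS:
        return Verdict("block", "suspicious object list")
    # Allow criteria, most specific first.
    if exe.sha1 in policy.allow_hashes:
        return Verdict("allow", "hash allow criterion")
    for category in policy.safe_categories:
        if exe.sha1 in CERTIFIED_SAFE.get(category, set()):
            return Verdict("allow", f"certified safe software: {category}")
    if exe.signer and exe.signer in policy.allow_signers:
        return Verdict("allow", "certificate allow criterion")
    for pattern in policy.allow_paths:
        if fnmatch(exe.path.lower(), pattern.lower()):
            return Verdict("allow", f"path allow criterion: {pattern}")
    # Unrecognized software: assessment records a violation, lockdown blocks.
    if policy.mode == "assessment":
        return Verdict("log", "unrecognized software (violation recorded)")
    return Verdict("block", "not on the allow list (lockdown)")


def assess(policy: Policy, inventory: List[Executable]) -> Dict[str, List[str]]:
    """Group an inventory by verdict; the 'log' bucket is the violation list the
    best practice says to review before refining the criteria."""
    buckets: Dict[str, List[str]] = {"allow": [], "block": [], "log": []}
    for exe in inventory:
        buckets[evaluate(policy, exe).action].append(exe.path)
    return buckets


# Constructed endpoint inventory.
INVENTORY = [
    Executable(r"C:\Program Files\Office\word.exe", "aaaa1111" * 5, "Office Vendor"),
    Executable(r"C:\Users\bob\Downloads\tool.exe", "cccc3333" * 5),
    Executable(r"C:\Users\bob\Downloads\dropper.exe", "dddd4444" * 5),
    Executable(r"C:\Program Files\LOB\lob.exe", "eeee5555" * 5, "LOB Software Inc"),
]

# Step 1 of the best practice: an assessment policy trusting the CSSL categories.
ASSESSMENT = Policy("assessment", safe_categories=["office_suite", "browsers"])
# Step 3: after reviewing the violations, approve the line-of-business
# application by its signer and switch to lockdown.
LOCKDOWN = Policy("lockdown", safe_categories=["office_suite", "browsers"],
                  allow_signers={"LOB Software Inc"})

if __name__ == "__main__":
    print("assessment:", assess(ASSESSMENT, INVENTORY))
    print("lockdown:  ", assess(LOCKDOWN, INVENTORY))
```

The order of the checks is the design point: block criteria (the Suspicious Object List) are consulted before any allow criterion, and the broad path pattern is consulted last, so a permissive path rule can never override a hash or signer decision. That ordering is also why the slide's warning about rule definition matters: a path criterion such as a whole user profile directory would silently allow everything dropped there.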

Integrated Endpoint Sensor (EDR)
• What is the added value?

POST DETECTION
“How did this happen?”
“Who else has been affected?”
“How do I respond?”

Apex Central™ Management Console
• Single console/workflow
• Seamless integration of EDR investigation and automated detection/response
• Select any detection to investigate

Who else is affected?
• Endpoint protection shows a detection (in this case there was one)
• But were more users impacted before it was “known”?
• Select Analyze Impact to sweep for more

Impact Assessment
• Impact assessment found five more undetected instances
• Root Cause Analysis begins for all detected users
• Users can be isolated at any time

Root Cause Analysis Results

Response Options

PRE DETECTION
“Am I protected?”
“What if…”

Multiple Ways to Hunt for Attacks:
• User Defined Suspicious Objects (UDSO) from Deep Discovery
– Supports SHA-1, IP, Domain

Sources of Intelligence to Hunt with:
• User Defined Suspicious Objects (UDSO)
• OpenIOC (Indicator of Compromise) or STIX from a threat feed
• Customized criteria:
– Host (host name and IP address are included)
– Filename, path, and SHA-1 hash value
– User account
– Windows auto-run registry
– Command lines

Preliminary Assessment:
• Initial assessment based on single or multiple search items
• Results with threat intelligence and prevalence
• Generate Root Cause Analysis for further investigation

Root Cause Analysis:
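The sweep that "Analyze Impact" and the preliminary assessment describe, as an added example written for this transcript (not Trend Micro code and not the Endpoint Sensor's query engine): hunting criteria of the kinds listed on the earlier slide (UDSO SHA-1, IP and domain; customized host, filename, user account, auto-run registry and command-line criteria) are matched against endpoint telemetry, and every hit is reported with its prevalence, i.e. the number of distinct hosts. The record schema, the criteria and the telemetry are constructed placeholders (RFC 5737 test addresses, .invalid domains, made-up hashes).

```python
"""Toy impact-assessment sweep, added for illustration.

Takes hunting criteria of the kinds listed on the slides (UDSO: SHA-1, IP,
domain; customized criteria: host, filename/path, user account, Windows
auto-run registry entry, command line) and sweeps them across endpoint
telemetry, reporting every hit with its prevalence (distinct hosts). The record
schema, the criteria and the telemetry are constructed placeholders.
"""
from collections import defaultdict
from typing import Dict, Iterable, List

H_DROPPER = "1111aaaa" * 5  # placeholder SHA-1, not a real indicator

# Constructed telemetry: RFC 5737 test addresses and .invalid domains only.
TELEMETRY: List[Dict] = [
    {"host": "WS-001", "user": "alice", "sha1": H_DROPPER,
     "path": r"C:\Users\alice\AppData\Local\Temp\update.exe", "cmdline": "update.exe /silent",
     "dst_ip": "203.0.113.10", "dst_domain": "cdn.example.invalid",
     "autorun": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater"},
    {"host": "WS-002", "user": "bob", "sha1": H_DROPPER,
     "path": r"C:\Users\bob\Downloads\invoice.exe", "cmdline": "invoice.exe",
     "dst_ip": "203.0.113.10", "dst_domain": "cdn.example.invalid", "autorun": None},
    {"host": "WS-003", "user": "carol", "sha1": "2222bbbb" * 5,
     "path": r"C:\Program Files\Tool\tool.exe", "cmdline": "tool.exe --check",
     "dst_ip": "198.51.100.5", "dst_domain": "vendor.example.invalid", "autorun": None},
    {"host": "WS-004", "user": "dave", "sha1": "3333cccc" * 5,
     "path": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -enc QQBBAEEAQQA=", "dst_ip": "203.0.113.10",
     "dst_domain": "cdn.example.invalid", "autorun": None},
]

# Constructed hunting criteria, one set per criterion kind.
CRITERIA: Dict[str, Iterable[str]] = {
    "sha1": {H_DROPPER},
    "ip": {"203.0.113.10"},
    "domain": {"cdn.example.invalid"},
    "filename": {"invoice.exe"},
    "autorun": {r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater"},
    "cmdline": {"-enc"},  # substring match on the command line
    "host": set(),
    "user": set(),
}


def match_record(rec: Dict, criteria: Dict[str, Iterable[str]]) -> List[str]:
    """Return a label for every criterion this telemetry record satisfies."""
    hits: List[str] = []

    def exact(field_name: str, kind: str) -> None:
        value = rec.get(field_name)
        wanted = {v.lower() for v in criteria.get(kind, ())}
        if value and value.lower() in wanted:
            hits.append(f"{kind}:{value.lower()}")

    exact("sha1", "sha1")
    exact("dst_ip", "ip")
    exact("dst_domain", "domain")
    exact("host", "host")
    exact("user", "user")
    exact("autorun", "autorun")
    # filename criteria match the basename of the executable path
    basename = (rec.get("path") or "").replace("/", "\\").rsplit("\\", 1)[-1].lower()
    if basename in {v.lower() for v in criteria.get("filename", ())}:
        hits.append(f"filename:{basename}")
    # command-line criteria are case-insensitive substrings
    cmdline = (rec.get("cmdline") or "").lower()
    for needle in criteria.get("cmdline", ()):
        if needle.lower() in cmdline:
            hits.append(f"cmdline:{needle}")
    return hits


def sweep(telemetry: List[Dict], criteria: Dict[str, Iterable[str]]) -> Dict[str, Dict]:
    """Sweep all records; per hit report the hosts, prevalence and record count."""
    hosts: Dict[str, set] = defaultdict(set)
    records: Dict[str, int] = defaultdict(int)
    for rec in telemetry:
        for hit in match_record(rec, criteria):
            hosts[hit].add(rec["host"])
            records[hit] += 1
    return {hit: {"hosts": sorted(h), "prevalence": len(h), "records": records[hit]}
            for hit, h in hosts.items()}


def affected_hosts(result: Dict[str, Dict]) -> List[str]:
    """Union of every host that matched any criterion: the impact list."""
    return sorted({h for entry in result.values() for h in entry["hosts"]})


if __name__ == "__main__":
    res = sweep(TELEMETRY, CRITERIA)
    for hit, info in res.items():
        print(f"{hit}: prevalence={info['prevalence']} hosts={info['hosts']}")
    print("affected:", affected_hosts(res))
```

Prevalence is what turns a single detection into an impact assessment: in the constructed data the hash is seen on two hosts, but the shared destination IP is seen on three, so a sweep on the network indicator widens the affected set beyond what the file hash alone would find, which is the situation the "five more undetected instances" slide describes.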

Managed Detection and Response
SENSORS
• Apex One™ with integrated Endpoint Sensor
• Deep Discovery Inspector
• Deep Security
SERVICE PLATFORM
• Expert rules
• Threat intelligence
• Machine learning
TREND MICRO ANALYSTS
RESPONSE
• Delivered to management console
• Automated security updates

MDR infrastructure
• US SOC: Dallas, Texas, USA
• EU SOC: Cork, Ireland
• APAC SOC: Manila, Philippines
• US MDR node: Oregon, USA
• EU MDR node: Frankfurt, Germany

Migration and upgrade

Migrating settings: https://success.trendmicro.com/solution/1118375-migrating-on-prem-officescan-xg-sp1-or-higher-to-officescan-as-a-service

Migrate to SaaS – Without Control Manager
(OfficeScan XG Server with OfficeScan XG Agents → Apex One SaaS with Apex One SaaS Agents, managed from Apex Central SaaS)
1. Sign up for Apex One SaaS
2. Export your policies and import them into Apex One SaaS
3. Move your agents to Apex One SaaS
4. Decommission the OfficeScan XG Server

Migrate to SaaS – Retiring Control Manager
(OfficeScan XG Server and Control Manager Server with OfficeScan XG Agents → Apex One SaaS with Apex One SaaS Agents, managed from Apex Central SaaS)
1. Sign up for Apex One SaaS
2. Export policies and import them into Apex One SaaS
3. Move your agents to Apex One SaaS
4. Decommission the OfficeScan XG and Control Manager Servers
On-premise Control Manager needed for Connected Threat Defense with other Trend Micro software, hardware or services.

Migrate to SaaS – Keeping Control Manager
(OfficeScan XG Server with OfficeScan XG Agents → Apex One SaaS with Apex One SaaS Agents; Control Manager Server → in-place upgrade to Apex Central)
1. Sign up for Apex One SaaS
2. Connect Apex One SaaS to the on-premise Control Manager
3. Move your agents to Apex One SaaS
4. Decommission the OfficeScan XG Server
On-premise Control Manager needed for Connected Threat Defense with other Trend Micro software, hardware or services.

On-Premise Upgrades

On-Premise Upgrades – In Place
(OfficeScan Server on-premise → Apex One Server on-premise; Control Manager on-premise → Apex Central on-premise; agents → Apex One Agent)
1. Upgrade to Apex Central Server
2. Upgrade to Apex One Server
3. The agent will automatically upgrade*
It’s always recommended to take backups before performing upgrades.
*Unless disabled in the configuration. You can use this to slowly roll out agent updates.

On-Premise Upgrades – New Server
(OfficeScan XG Server with OfficeScan XG Agents → new Apex One Server on-premise with Apex One Agents)
1. Install Apex One Server
2. Export your policies and import them into Apex One
3. Move your agents to the new server
4. Decommission the OfficeScan XG Server

TMVP already in place? No problem
(Apex One Agent, Endpoint Sensor Agent, Vulnerability Protection Agent → Apex One SaaS; Endpoint Sensor Server; Vulnerability Protection Server)
Enable the feature in policies.
The existing Vulnerability Protection Agent is automatically uninstalled.