IT-Security-Symposium 2019: IT Security in Focus
The new complete solution for endpoint protection
Özgür Isik – Channel Presales Engineer, Apex One
Agenda
• Architecture of Apex One and Apex One as a Service
• Security modules & services
  – iProducts
  – Endpoint Detection & Response functionality
  – Managed Detection and Response
• Migration and upgrade
  – Hybrid operation
• Q&A
© 2019 Trend Micro Inc.
Apex = the highest point of a shape [best view, everything in sight]
Trend Micro Apex One™: "One" is part of the product name, not the version.
How do I start with a trial license?
Register a trial: https://www.trendmicro.com/product_trials/service/index/us/165
Provisioning flow, steps ❶ to ❹: trial form, provisioning, confirmation, completed.
Trial license
• Validity: 30 days
• The trial includes:
  – Apex Central as a Service
  – Apex One as a Service
    • Data Loss Prevention
    • Endpoint Application Control
    • Vulnerability Protection
  – Apex One for Mac
  – Endpoint Sensor
  – Sandbox as a Service
Starting with an SPE/SPC license
❶ Open the CLP console → ❷ select Apex One as a Service → ❸ click Provision → ❹ provision flow completed → ❺ open the console
Starting with an SPE/SPC license: this starts the rollout of the service for the customer.
License content with SPE/SPC
• Apex Central as a Service
• Apex One as a Service
  – Data Loss Prevention
  – Endpoint Application Control
  – Vulnerability Protection
• Apex One for Mac
• Add-on:
  – Endpoint Sensor
  – Sandbox as a Service
Architecture: Apex One as a Service
Data centers
• Western Europe, Amsterdam (primary); Northern Europe, Dublin (backup)
• Central US, Iowa (primary); East US-2, Virginia (backup)
1. European data center for European customers
2. US data center for the rest of the world
Management of the solution
• Two servers are provisioned
  – Apex Central
  – Apex One
• At most four databases
  – Apex Central
  – Apex One
  – Endpoint Sensor
  – Apex One (Mac)
Agent platform support (the original table has columns for OfficeScan XG, XG SP1 and Apex One; the per-column support marks did not survive transcription)
• Windows XP (5.1), Windows 7 (6.1), Windows 8 (6.2), Windows 8.1 (6.3), Windows 10 (10.0)
• Windows Server 2003 (5.2), Windows Server 2008 (6.0), Windows Server 2008 R2 (6.1), Windows Server 2012 (6.2), Windows Server 2012 R2 (6.3), Windows Server 2016 R2 (10), Windows Server 2019
Apex One (on premise)
• Optional: Edge Relay – management of external clients (policy, SO handling, updates, logs & status)
• Optional: Smart Protection Server standalone – web reputation, file reputation
Modules & new features
Protection stages: Entry point → Pre-execution → Runtime → Exit point
Entry point
• Malicious site → Web Reputation: blocks connections at kernel level (not only in web browsers)
• OS vulnerability exploit → Virtual Patching (!): blocks new exploits with the industry's most timely vulnerability research. Trend Micro ZDI detected 66% of all vulnerabilities in 2017; this powers unmatched timeliness for virtual patches.
• Browser exploit → Browser Exploit Protection: detects exploits based on script inspection & site behavior
• Malicious USB → Device Control (!): blocks unknown removable media devices on Windows and Mac OS
Pre-execution
• In memory → Packer Detection: identifies packed malware in memory as it unpacks, prior to execution
• On disk → Predictive Machine Learning (!): scores the file against a cloud-based or local/offline model to detect previously unknown threats
• On disk → Application Control (!): blocks execution of anything that isn't on the (easily manageable) white list
• File-based threat (e.g. EXE, DLL, Office document w/ macros) → Variant Protection: detects mutations of malicious samples by recognizing known fragments of malware code
• File-based threat → File-based Signature: detects known-bad files (with 3 billion detections globally in 1H/2018)
Runtime
• Anything executing (EXE, DLL, PowerShell, document behavior inside MS Office, etc.) → Runtime Machine Learning: scores real-time behavior against a cloud model to detect previously unknown threats
• IOA Behavioral Analysis (!): detects behavior that matches known indicators of attack (IOA), including ransomware encryption behaviors and script launching
• In memory → In-memory runtime analysis (!): malicious script detection, malicious code injection, runtime un-pack detection
Exit point
• Command and control server → Web Reputation: blocks connections at kernel level (not only in web browsers)
• Lateral movement → Host Intrusion Prevention (!): detects and blocks lateral movement behavior
• Data exfiltration → Data Exfiltration Detection / DLP (!): detects and blocks sensitive data leaving the endpoint
• Data exfiltration → Device Control (!): blocks unknown removable media devices
Automated response
• Isolation
• Quarantine
• Process kill
• Execution block
• Damage rollback
• API capabilities
• Rapid response protection updates to other endpoints/products (*manual)
iProducts in detail
Integrated Vulnerability Protection
Definitions, illustrated with a glass analogy: normal glass, burglar-proof glass, and burglar-proof glass "contrary to what you know" (zero day); vulnerability, exploit, payload.
Definitions
• Vulnerability: susceptibility to attack due to flaws in programming, logic, etc.
• Exploit: a method of breaking into the system by abusing a vulnerability
• Payload: the malicious code that the attack pushes into the system
Positive: commissioning is effortless & carries no risk.
Integrated Application Control
Application control
• User- and device-based rules
• Allow & Block
• Lockdown
Best practice
• Start with a Block (Assessment) criterion, e.g. select all categories in the Certified Safe Software list
• Assign the policy to Apex One™ Security Agents
• Review the Application Control violation detections manually; the widget provides an easy-to-filter entry point
• Refine criteria and approve recognized software
  – Unselect the categories from the Certified Safe Software List
  – Create Allow criteria to exempt from screening
What is defined, and how?
• Certified Safe Software List (from Trend Micro)
• File paths
• Certificates
• Hash values
• Gray Software List (from Trend Micro)
• Suspicious Object List (generated by your own systems, such as Sandbox or EDR)
Building rules
• Be careful when defining rules!
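The assessment-then-lockdown workflow above, as an added Python example that is not Trend Micro's code and does not use the Apex One API: it models allow criteria of the three kinds the slide names (file paths, certificates, hash values), runs constructed execution events through an assessment mode that only records violations and a lockdown mode that blocks, and shows the refine step of approving a reviewed program by certificate or by hash. All names (ExecEvent, AllowCriteria, evaluate, violation_report, and so on) and the sample events are assumptions made for the example.

```python
import hashlib
from collections import Counter
from dataclasses import dataclass, field
from typing import Optional

# Hypothetical model of an execution event reported by an endpoint agent (constructed for this example).
@dataclass
class ExecEvent:
    host: str
    user: str
    path: str
    content: bytes          # file bytes; an agent would hash the real file on disk
    signer: Optional[str]   # publisher of a valid code-signing certificate, None if unsigned

# Allow criteria of the three kinds the slide lists: file paths, certificates, hash values.
@dataclass
class AllowCriteria:
    path_prefixes: set = field(default_factory=set)
    certificates: set = field(default_factory=set)
    sha256_hashes: set = field(default_factory=set)

def file_hash(content: bytes) -> str:
    return hashlib.sha256(content).hexdigest()

def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1]

def match_allow(event: ExecEvent, criteria: AllowCriteria) -> Optional[str]:
    """Return the criterion type that permits this event, or None.
    Hash and certificate identify the binary itself and are checked first;
    a path prefix only says where the file lives, so it is the weakest match."""
    if file_hash(event.content) in criteria.sha256_hashes:
        return "hash"
    if event.signer is not None and event.signer in criteria.certificates:
        return "certificate"
    if any(event.path.lower().startswith(p.lower()) for p in criteria.path_prefixes):
        return "path"
    return None

def evaluate(event: ExecEvent, criteria: AllowCriteria, mode: str):
    """mode 'assessment' only records violations; mode 'lockdown' blocks anything not allowed."""
    hit = match_allow(event, criteria)
    if hit is not None:
        return ("allow", hit)
    if mode == "assessment":
        return ("violation_logged", "not covered by allow criteria")
    return ("block", "lockdown: not covered by allow criteria")

def violation_report(events, criteria: AllowCriteria, mode: str = "assessment") -> Counter:
    """Review step: group non-allowed executions by (file name, signer) so each program is reviewed once."""
    report = Counter()
    for e in events:
        decision, _ = evaluate(e, criteria, mode)
        if decision != "allow":
            report[(basename(e.path), e.signer or "<unsigned>")] += 1
    return report

def approve_certificate(criteria: AllowCriteria, signer: str) -> None:
    """Refine step: approve every binary signed by a reviewed publisher."""
    criteria.certificates.add(signer)

def approve_by_hash(criteria: AllowCriteria, event: ExecEvent) -> None:
    """Refine step: approve exactly this binary, wherever it is stored."""
    criteria.sha256_hashes.add(file_hash(event.content))

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    ExecEvent("pc-01", "alice", "C:\\Windows\\System32\\notepad.exe", b"notepad-bytes", "Microsoft Windows"),
    ExecEvent("pc-01", "alice", "C:\\Users\\alice\\Downloads\\tool.exe", b"tool-bytes", None),
    ExecEvent("pc-02", "bob", "C:\\Users\\bob\\Downloads\\tool.exe", b"tool-bytes", None),
    ExecEvent("pc-02", "bob", "C:\\Program Files\\Vendor\\app.exe", b"app-bytes", "Vendor GmbH"),
]

def base_criteria() -> AllowCriteria:
    """Starting point for the assessment: trust the OS directory and the OS vendor's signature."""
    return AllowCriteria(
        path_prefixes={"C:\\Windows\\System32\\"},  # only safe while that directory is not user-writable
        certificates={"Microsoft Windows"},
    )

if __name__ == "__main__":
    criteria = base_criteria()
    for (name, signer), count in violation_report(SAMPLE_EVENTS, criteria).items():
        print(f"review: {name} signed by {signer}, seen {count} time(s)")
    approve_certificate(criteria, "Vendor GmbH")      # reviewed and recognized as legitimate
    for e in SAMPLE_EVENTS:
        print(e.host, basename(e.path), evaluate(e, criteria, "lockdown"))
```

Path prefixes are the loosest criterion because anything copied into an allowed directory inherits the permission, which is why the example prefers hash and certificate matches and why the slide's warning about rule definition matters: a single over-broad path or publisher rule silently turns lockdown back into allow-everything for that location.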
Integrated Endpoint Sensor (EDR)
• What is the added value?
POST DETECTION: "How did this happen?" "Who else has been affected?" "How do I respond?"
Apex Central™ Management Console
• Single console/workflow
• Seamless integration of EDR investigation and automated detection/response
• Select any detection to investigate
Who else is affected?
• Endpoint protection shows a detection (in this case there was one)
• But were more users impacted before it was "known"?
• Select Analyze Impact to sweep for more
Impact assessment
• Impact assessment found five more undetected instances
• Root Cause Analysis begins for all detected users
• Users can be isolated at any time
Root Cause Analysis results
Response options
PRE DETECTION: "Am I protected?" "What if…"
Multiple ways to hunt for attacks:
• User Defined Suspicious Objects (UDSO) from Deep Discovery; supports SHA-1, IP, domain
Sources of intelligence to hunt with:
• User Defined Suspicious Objects (UDSO)
• OpenIOC (Indicator of Compromise) or STIX from a threat feed
• Customized criteria:
  – Host (host name and IP address are included)
  – Filename, path, and SHA-1 hash value
  – User account
  – Windows auto-run registry
  – Command lines
Preliminary assessment:
• Initial assessment based on single or multiple search items
• Results with threat intelligence and prevalence
• Generate Root Cause Analysis for further investigation
Root Cause Analysis
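The hunting criteria listed above and the prevalence figure of the preliminary assessment, as an added Python example that is not Trend Micro's code and does not call the Endpoint Sensor API: it sweeps constructed endpoint telemetry for indicators of each kind the slides name (SHA-1, IP and domain as a UDSO list would supply them; host, filename/path, user account, auto-run registry entry and command line as customized criteria) and reports, per indicator, on how many hosts it was seen. The event fields, the indicator table, and the sample hashes (SHA-1 of constructed byte strings) are assumptions made for the example.

```python
import hashlib
from collections import defaultdict
from dataclasses import dataclass

# Hypothetical per-process telemetry record as an endpoint sensor might store it (constructed).
@dataclass(frozen=True)
class EndpointEvent:
    host: str
    ip: str
    user: str
    path: str          # full path of the executed file
    sha1: str          # SHA-1 of that file (the hash type the UDSO list supports)
    cmdline: str
    autorun: str       # Windows auto-run registry value that launched it, "" if none
    dst_domain: str    # domain the process contacted, "" if none

def sha1_of(data: bytes) -> str:
    return hashlib.sha1(data).hexdigest()

# Constructed sample hashes: SHA-1 of plain byte strings, not of any real file.
BAD_SHA1 = sha1_of(b"constructed sample: dropper")
GOOD_SHA1 = sha1_of(b"constructed sample: benign tool")
RUN_KEY = "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\"

# Constructed sample telemetry for four hosts.
EVENTS = [
    EndpointEvent("pc-01", "10.0.0.11", "alice", "C:\\Users\\alice\\AppData\\Roaming\\svc.exe", BAD_SHA1,
                  "svc.exe -k", RUN_KEY + "svc", "update.example.invalid"),
    EndpointEvent("pc-02", "10.0.0.12", "bob", "C:\\Users\\bob\\Downloads\\svc.exe", BAD_SHA1,
                  "svc.exe", "", ""),
    EndpointEvent("pc-03", "10.0.0.13", "carol", "C:\\Tools\\helper.exe", GOOD_SHA1,
                  "helper.exe --sync", "", "update.example.invalid"),
    EndpointEvent("pc-04", "10.0.0.14", "dave", "C:\\Tools\\helper.exe", GOOD_SHA1,
                  "helper.exe --sync", "", "cdn.example.invalid"),
]

# One matcher per criterion kind. Exact match for identifiers, substring match for
# registry values and command lines, which analysts normally search by fragment.
MATCHERS = {
    "sha1":     lambda e, v: e.sha1.lower() == v.lower(),
    "ip":       lambda e, v: e.ip == v,
    "domain":   lambda e, v: e.dst_domain.lower() == v.lower(),
    "host":     lambda e, v: e.host.lower() == v.lower() or e.ip == v,   # host name or IP address
    "filename": lambda e, v: e.path.rsplit("\\", 1)[-1].lower() == v.lower(),
    "path":     lambda e, v: e.path.lower() == v.lower(),
    "user":     lambda e, v: e.user.lower() == v.lower(),
    "autorun":  lambda e, v: v.lower() in e.autorun.lower(),
    "cmdline":  lambda e, v: v.lower() in e.cmdline.lower(),
}

# Constructed indicator set: what a UDSO list or an OpenIOC/STIX feed plus custom criteria would supply.
INDICATORS = {
    "sha1": {BAD_SHA1},
    "domain": {"update.example.invalid"},
    "filename": {"svc.exe"},
    "autorun": {"\\Run\\svc"},
    "cmdline": {"svc.exe -k"},
}

def sweep(events, indicators):
    """Return {(kind, value): set of host names} for every indicator that matched at least once."""
    hits = defaultdict(set)
    for e in events:
        for kind, values in indicators.items():
            for v in values:
                if MATCHERS[kind](e, v):
                    hits[(kind, v)].add(e.host)
    return dict(hits)

def prevalence(hits):
    """Distinct hosts per matched indicator: the 'prevalence' figure of the preliminary assessment."""
    return {k: len(h) for k, h in hits.items()}

def affected_hosts(hits):
    """Union of all hosts with at least one hit, the starting set for a root cause analysis."""
    return set().union(*hits.values()) if hits else set()

if __name__ == "__main__":
    hits = sweep(EVENTS, INDICATORS)
    for (kind, value), count in sorted(prevalence(hits).items()):
        print(f"{kind}={value}: seen on {count} host(s)")
    print("affected hosts:", sorted(affected_hosts(hits)))
```

Prevalence is what separates a targeted finding from background noise: an indicator seen on two of four hosts (the hash and the domain here) is worth a root cause analysis on both, while a hit from a generic command-line fragment on one host should be checked against the other columns before it is treated as a compromise.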
Managed Detection and Response
• Sensors: Apex One™ with integrated Endpoint Sensor, Deep Discovery Inspector, Deep Security
• Service platform: threat intelligence, expert rules, machine learning, Trend Micro analysts
• Response: delivered to the integrated management console; automated security updates
MDR infrastructure
• EU SOC: Cork, Ireland
• EU MDR node: Frankfurt, Germany
• US SOC: Dallas, Texas, USA
• US MDR node: Oregon, USA
• APAC SOC: Manila, Philippines
Migration and upgrade
Migrating settings: https://success.trendmicro.com/solution/1118375-migrating-on-prem-officescan-xg-sp1-or-higher-to-officescan-as-a-service
Migrate to SaaS – without Control Manager
1. Sign up for Apex One SaaS (Apex One SaaS + Apex Central SaaS)
2. Export your policies from the OfficeScan XG server and import them into Apex One SaaS
3. Move your agents to Apex One SaaS (OfficeScan XG Agent → Apex One SaaS Agent)
4. Decommission the OfficeScan XG server
Migrate to SaaS – retiring Control Manager
1. Sign up for Apex One SaaS (Apex One SaaS + Apex Central SaaS)
2. Export policies from the Control Manager server and import them into Apex One SaaS
3. Move your agents to Apex One SaaS (OfficeScan XG Agent → Apex One SaaS Agent)
4. Decommission the OfficeScan XG and Control Manager servers
Note: an on-premise Control Manager is needed for Connected Threat Defense with other Trend Micro software, hardware or services.
Migrate to SaaS – keeping Control Manager
1. Sign up for Apex One SaaS
2. Connect Apex One SaaS to the on-premise Control Manager server (in-place upgrade to Apex Central)
3. Move your agents to Apex One SaaS (OfficeScan XG Agent → Apex One SaaS Agent)
4. Decommission the OfficeScan XG server
Note: an on-premise Control Manager is needed for Connected Threat Defense with other Trend Micro software, hardware or services.
On-premise upgrades
On-premise upgrades – in place
1. Upgrade the on-premise Control Manager server to Apex Central
2. Upgrade the on-premise OfficeScan server to Apex One server
3. The agent will automatically upgrade to the Apex One agent*
It's always recommended to take backups before performing upgrades.
*Unless disabled in the configuration. You can use this to slowly roll out agent updates.
On-premise upgrades – new server
1. Install the on-premise Apex One server
2. Export your policies from the OfficeScan XG server and import them into Apex One
3. Move your agents to the new server (OfficeScan XG Agent → Apex One Agent)
4. Decommission the OfficeScan XG server
TMVP already present? No problem.
• Apex One SaaS: enable the feature in the policies
• Components shown: Apex One Agent, Endpoint Sensor Agent and Endpoint Sensor Server, Vulnerability Protection Agent and Vulnerability Protection Server
• The existing Vulnerability Protection agent is automatically uninstalled.