© 2005 Trend Micro. All rights reserved.
How to Prevent and Manage Unknown Security Threats
Ralph Liu
Nov. 17, 2005
- Trend Micro Internal Confidential -
Agenda
Evolution of New Security Threat
Current Enterprise Situation
How We Can Prevent and Manage It
The Trend of Network Security Threats
• ICSA: in 2004, malware attacks grew 50% and business losses grew 25%.
• APWG (Anti-Phishing Working Group): phishing through IM (Instant Messaging) is being seen more frequently.
• FTC (U.S. Federal Trade Commission): Internet fraud and identity theft grew 15% in 2004.
• SurfControl: 90% of corporations do have network security policies, but nearly 50% of them set no rules governing the use of Instant Messaging.
Malicious Code Hit a Record High in Q3/2005
[Chart: Total Detections per quarter (Q1 to Q3), 2004 vs. 2005; y-axis 0 to 5000]
Malicious code detections hit a record high in Q3 2005, which means the threat keeps growing.
Top 3 Malware: Worm, Spyware and Backdoor
[Chart: Quarterly Malware Detections, Q1 to Q3; y-axis 0 to 1800; series: Backdoors, Worms, Trojans, TSPY, Scripts, Macros, Others]
• Spyware has been the mainstream threat since Q2 2005
• According to IDC (2004), spyware exists on 67% of computers
Less Time for Enterprises to Cope with Attacks

| Virus name | Microsoft patch | Patch release date | Outbreak date | Interval between patch release and outbreak |
| Worm_Zotob (贼头病毒; a bot / botnet worm) | MS05-039 | 08/09/2005 | 08/13/2005 | 4 days |
| Worm_Sasser (震荡波病毒) | MS04-011 | 04/13/2004 | 05/01/2004 | 18 days |
| Worm_Blaster (冲击波病毒) | MS03-026 | 07/16/2003 | 08/11/2003 | 26 days |
| Worm_Slammer (速客一号病毒) | MS02-039 | 07/24/2002 | 01/25/2003 | 185 days |
| Worm_Nimda (尼姆达病毒) | MS00-078 | 10/17/2000 | 09/18/2001 | 336 days |
What is the problem?
[Chart: Top Threats to Enterprise Security compared with Top Security Technologies Deployed. Source: IDC's Enterprise Security Survey, 2005]
GAP!
Next Enterprise Crisis
According to a 2004 survey by the U.S. Yankee Group of over six hundred corporations in North America and Western Europe, 50% of security threats came from inside the corporation, a rate 20% higher than in 2003.
"To corporations, the origin of security threats has shifted from external to internal," stated the Yankee Group.
Current Enterprise Situation
So far, no security vendor can answer the following questions that enterprise customers really care about:
• What is my return on investment for AV? (ROI)
• How can I measure the success of AV management? (KPI)
• Where did these viruses come from? Why do I get re-infected again and again? (Root Cause Analysis)
• I received a suspicious file and it became an outbreak. How can I discover it when it first arrives in my network? (Early Warning / Prevention)
The Answer Is Up In The Air
Antivirus Capability Assessment
Antivirus practice is evaluated based on a framework consisting of technology, process/policy and organization components.
Assessment areas (grouped under Technology, Process & Policy and Organization):
• Monitoring / Detecting
• Device Tracking
• Antivirus Software
• Pattern Deployment
• Vulnerability Management
• Network Partition for Antivirus
• Response and Recovery Procedure
• Account Management
• Application / Network Access Policy
• Organization Compliance
• Accountability & Capability
• Employee Awareness
Expert Service Offering Conceptual Flow
Trend Micro Expert Service is an iterative process to continuously improve customers' antivirus security.
[Diagram: a cycle of Diagnose, Plan, Enable, Monitor and Review]
• Survey the overall security landscape; collect user behavior; gather system status
• Define KPIs, set up targets, create an action plan
• Improve human behavior, refine security policy, improve system configuration
• Provide early prevention capability; enable response capability
• Understand security performance
ESO Value Proposition
• Organization Awareness: awareness is improved through overall security analysis, periodic health review and antivirus drills
• Process Enforcement: processes are enforced to reduce damage through reaction procedures and security training
• Response Enablement: effective response to attacks through infection warning notification and timely pattern release and cleanup tool delivery
• Security Environment: security of the IT environment is improved through vulnerability scanning, optimal product configuration, and real-time protection of clients by 24 by 7 central monitoring
ESO Core Value
The ultimate value of ESO is to help our customers secure business continuity through improving organization awareness, process enforcement, response enablement and security environment.
[Diagram: China MSO Center, China AV Consultant and Customers, linked by report and alert service and by data collection]
To Build Up a Robust Defense Line with the Security Vendor
Introduction of Monitoring Services
Monitoring Service Offering (MSO) is Trend Micro's new service offering, providing 7x24 real-time monitoring, virus prevention and damage cleanup.
Components: Central Dashboard; 7x24 on-duty monitoring; Customized Suggestions; Proactive Cleanup; Urgency Notification; Standard Response Process; Report Generation
In the MSO center, we have a central dashboard and 24x7 Trend Micro professionals to monitor the virus outbreak situation.
When we detect signs of a virus attack, we will notify you through various channels, including email, SMS and phone.
We will also provide you with response procedures and customized suggestions for actions to prevent virus attacks or outbreaks.
We can also execute automatic cleanup procedures on your command.
We provide monitoring data and analysis reports so that you can further improve overall antivirus protection.
In normal times and during virus attacks alike, our monitoring center takes a series of actions to help customers control the damage and provides real-time updates.
What Security Vendors Should Deliver
1. Real-time Alert Service: provide real-time alerts based on the customer's status
2. Antivirus Analysis Report: help the enterprise understand the AV result periodically
3. Solution Delivery: deliver specific solutions to customers
4. Customer Portal: customers can check the real-time outbreak status from the monitoring portal
The Nature of the Services Business
[Diagram organized along People, Technology and Process. Elements shown: TV internet access; WAP mobile phones; access for some vs. access for all; hardware/software virus scan; anti-spam; anti-spyware; IDS/IDP/VPN; network management; remote scan & management; early warning; OPP/CPR/OPR; DCS; solution delivery; CRM; reporting; AV console; diagnosis and proposal; assessment review; security report and advice; onsite support; solution deployment]
Sample Case: Real-Time Alert Service
Sample Case: Antivirus Analysis Report
[Charts, 2005.6 to 2005.8: Average Outdated Spyware Pattern Ratio (1); Average Outdated Virus Pattern Ratio for Servers (1); Average Outdated Network Virus Pattern Ratio (1); Average Outdated Virus Pattern Ratio for SPNT (1); Average Outdated Virus Pattern Ratio for OSCE (1)]
[Charts: Monthly Average of Outdated SPNT / OSCE / Product Server / Network Virus / Spyware Pattern Ratio After 12 Hours of Deployment, for 2005.6, 2005.7 and 2005.8, each broken down into Low, Medium and High]
1 Please refer to Appendix 3 for the detailed definition.
• This page shows the average outdated virus pattern ratios for the last three months. The data gives a better understanding of how widely the latest virus patterns are distributed internally. An unsuccessful upgrade may be due to problems with the products themselves, or to client machines being offline; please check this issue carefully.
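As an added illustration (not code from the Trend Micro deck), the following computes the outdated-pattern ratio described on this page from constructed endpoint check-in records, measured 12 hours after a pattern release, and separates the two causes the bullet names: an endpoint that checked in after the release but still runs the old pattern (upgrade failed) versus one not seen since the release (offline). The Endpoint fields, the Low/Medium/High thresholds and all sample values are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class Endpoint:
    name: str
    product: str         # "OSCE" or "SPNT" as named in the report; field layout is assumed
    pattern: int         # installed pattern version (constructed integers)
    last_seen: datetime  # last check-in with the management console

def outdated_ratio(endpoints, product, current_pattern, released_at, window_hours=12):
    """Share of one product's endpoints still below current_pattern, measured
    window_hours after release. Returns (ratio, offline_names, failed_names):
    'failed' checked in inside the window yet stayed old; 'offline' was not seen."""
    cutoff = released_at + timedelta(hours=window_hours)
    scoped = [e for e in endpoints if e.product == product]
    if not scoped:
        return 0.0, [], []
    offline, failed = [], []
    for e in scoped:
        if e.pattern >= current_pattern:
            continue
        # a check-in inside the window means the agent had a chance to fetch the pattern
        if released_at <= e.last_seen <= cutoff:
            failed.append(e.name)
        else:
            offline.append(e.name)
    ratio = (len(offline) + len(failed)) / len(scoped)
    return round(ratio, 4), sorted(offline), sorted(failed)

def risk_band(ratio):
    # Low / Medium / High bands as in the report charts; these thresholds are assumed
    if ratio < 0.10:
        return "Low"
    if ratio < 0.30:
        return "Medium"
    return "High"

# Constructed sample inventory: pattern 271 released on 2005-07-15 at 08:00
RELEASE = datetime(2005, 7, 15, 8, 0)
SAMPLE = [
    Endpoint("pc-01", "OSCE", 271, datetime(2005, 7, 15, 10, 0)),
    Endpoint("pc-02", "OSCE", 271, datetime(2005, 7, 15, 12, 0)),
    Endpoint("pc-03", "OSCE", 271, datetime(2005, 7, 15, 9, 0)),
    Endpoint("pc-04", "OSCE", 270, datetime(2005, 7, 15, 15, 0)),  # online, upgrade failed
    Endpoint("pc-05", "OSCE", 268, datetime(2005, 7, 14, 18, 0)),  # not seen since release
    Endpoint("srv-01", "SPNT", 271, datetime(2005, 7, 15, 11, 0)),
    Endpoint("srv-02", "SPNT", 271, datetime(2005, 7, 15, 13, 0)),
]
```

Calling outdated_ratio(SAMPLE, "OSCE", 271, RELEASE) gives a 40% ratio (High band) with pc-05 listed as offline and pc-04 as a failed upgrade, while SPNT reports 0%.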
Providing Solutions Instead of Providing Products
Then the questions customers really care about may have answers:
• What is my return on investment for AV? (ROI)
• How can I measure the success of AV management? (KPI)
• Where did these viruses come from? Why do I get re-infected again and again? (Root Cause Analysis)
• I received a suspicious file and it became an outbreak. How can I discover it when it first arrives in my network? (Early Warning / Prevention)
To Solve the Security Issues from the Management Aspect