© 2005 Trend Micro. All rights reserved. How to Prevent and Manage Unknown Security Threat Ralph Liu Nov. 17 , 2005
Page 1

© 2005 Trend Micro. All rights reserved.

How to Prevent and Manage

Unknown Security Threat

Ralph Liu

Nov. 17, 2005

Page 2

Agenda

Evolution of New Security Threat

Current Enterprise Situation

How We Can Prevent and Manage It

Page 3

The Trend of Network Security Threats

• ICSA: in 2004 malware attacks grew 50% and business losses grew 25%.

• APWG (Anti-Phishing Working Group): phishing through IM (Instant Messaging) has been seen more frequently.

• FTC (U.S. Federal Trade Commission): Internet fraud and identity theft grew 15% in 2004.

• SurfControl: 90% of corporations do have network security policies, but nearly 50% of them set no rules on the use of Instant Messaging.

Page 4

Malicious Codes hit the record high in Q3/2005

[Chart: Total Detections per quarter, Q1 to Q3, 2004 compared with 2005; y-axis 0 to 5000]

Malicious code detections hit a record high in Q3 2005, which means the threat keeps growing.

Page 5

Top 3 Malware: Worm, Spyware and Backdoor

[Chart: Quarterly Malware Detections, Q1 to Q3, by category: Backdoors, Worms, Trojans, TSPY, Scripts, Macros, Others; y-axis 0 to 1800]

• Spyware has become the mainstream since Q2 2005.

• According to IDC (2004), spyware is present on 67% of computers.

Page 6

Less Time for Enterprise to Cope with Attack

Virus name | Microsoft patch release date | Outbreak date | Gap between patch release and outbreak

Worm_Zotob (Zotob; a bot belonging to a botnet) | MS05-039, 08/09/2005 | 08/13/2005 | 4 days

Worm_Sasser (Sasser) | MS04-011, 04/13/2004 | 05/01/2004 | 18 days

Worm_Blaster (Blaster) | MS03-026, 07/16/2003 | 08/11/2003 | 26 days

Worm_Slammer (Slammer) | MS02-039, 07/24/2002 | 01/25/2003 | 185 days

Worm_Nimda (Nimda) | MS00-078, 10/17/2000 | 09/18/2001 | 336 days
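The point of this table is that the window between a patch release and the outbreak that exploits it has been shrinking, so an organisation's patch-deployment SLA has to be measured against it. The following is an added example (not code from the deck or from Trend Micro) that takes the five rows above, recomputes the windows from the dates, and checks which historical outbreaks an assumed SLA of N days would have failed to get ahead of.

```python
from datetime import datetime

# Rows from the table above: (worm, bulletin, patch release, outbreak),
# with mm/dd/yyyy dates exactly as the slide gives them.
HISTORY = [
    ("Worm_Zotob",   "MS05-039", "08/09/2005", "08/13/2005"),
    ("Worm_Sasser",  "MS04-011", "04/13/2004", "05/01/2004"),
    ("Worm_Blaster", "MS03-026", "07/16/2003", "08/11/2003"),
    ("Worm_Slammer", "MS02-039", "07/24/2002", "01/25/2003"),
    ("Worm_Nimda",   "MS00-078", "10/17/2000", "09/18/2001"),
]


def parse_us_date(text):
    """Parse an mm/dd/yyyy string into a date."""
    return datetime.strptime(text, "%m/%d/%Y").date()


def exposure_windows(history=HISTORY):
    """Days between patch release and outbreak for each worm."""
    return {
        worm: (parse_us_date(outbreak) - parse_us_date(release)).days
        for worm, _bulletin, release, outbreak in history
    }


def outbreaks_beating_sla(sla_days, history=HISTORY):
    """Worms whose outbreak arrived on or before the day an organisation that
    takes exactly `sla_days` (an assumed SLA) to deploy a patch would have
    finished patching: those are the outbreaks the SLA does not protect against."""
    return sorted(
        worm for worm, days in exposure_windows(history).items() if days <= sla_days
    )


def windows_in_release_order(history=HISTORY):
    """(worm, window) pairs ordered by patch-release date, to expose the trend."""
    rows = sorted(history, key=lambda row: parse_us_date(row[2]))
    return [
        (worm, (parse_us_date(outbreak) - parse_us_date(release)).days)
        for worm, _bulletin, release, outbreak in rows
    ]


if __name__ == "__main__":
    for worm, days in windows_in_release_order():
        print(f"{worm:14s} {days:4d} days")
    print("A 30-day patch SLA would have been too slow for:", outbreaks_beating_sla(30))
```

Run as a script it prints the windows from Nimda (336 days) down to Zotob (4 days); `outbreaks_beating_sla(30)` shows that a monthly patch cycle, still common in 2005, would have left hosts exposed to Blaster, Sasser and Zotob.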

Page 7

What is the problem?

[Chart: Top Threats to Enterprise Security. Source: IDC’s Enterprise Security Survey, 2005]

[Chart: Top Security Technologies Deployed. Source: IDC’s Enterprise Security Survey, 2005]

GAP!

Page 8

Next Enterprise Crisis

According to a survey by the U.S. Yankee Group of over six hundred corporations in North America and Western Europe, in 2004 50% of security threats came from inside the corporation, a rate 20% higher than in 2003.

“To corporations, the origin of security threats has shifted from external to internal,” stated the Yankee Group.

Page 9

Agenda

Evolution of New Security Threat

Current Enterprise Situation

How We Can Prevent and Manage It

Page 10

Current Enterprise Situation

So far, no security vendor can answer the following questions, which are what enterprise customers really care about:

• What is my return on investment for AV? (ROI)

• How can I measure the success of AV management? (KPI)

• Where did these viruses come from? Why do I get re-infected again and again? (Root Cause Analysis)

• I got a suspicious file and it became an outbreak. How do I discover it when it first arrives in my network? (Early Warning / Prevention)

The Answer Is Up In The Air

Page 11

Agenda

Evolution of New Security Threat

Current External Situation

How We Can Prevent and Manage It

Page 12

Antivirus Capability Assessment

Antivirus practice is evaluated based on a framework consisting of technology, process/policy and organization components.

Framework components: Technology; Process & Policy; Organization

Assessment items:

• Monitoring / Detecting

• Device Tracking

• Antivirus Software

• Organization Compliance

• Accountability & Capability

• Employee Awareness

• Response and Recovery Procedure

• Pattern Deployment

• Vulnerability Management

• Account Management

• Application / Network Access Policy

• Network Partition for Antivirus

Page 13

Expert Service Offering Conceptual Flow

Trend Micro Expert Service is an iterative process that continuously improves customers’ antivirus security.

Stages of the cycle: Diagnose → Plan → Enable → Monitor → Review

Activities in the cycle:

• Survey overall security landscape

• Collect user behavior

• Gather system status

• Define KPI

• Set up target

• Create action plan

• Improve human behavior

• Refine security policy

• Improve system configuration

• Provide early prevention capability

• Enable response capability

• Understand security performance

Page 14

ESO Value Proposition

• Organization Awareness: awareness is improved through overall security analysis, periodic health review and antivirus drills.

• Process Enforcement: processes are enforced to reduce the damage, through reaction procedures and security training.

• Response Enablement: effective response to attacks through infection warning notification, timely pattern release and cleanup tool delivery.

• Security Environment: the security of the IT environment is improved through vulnerability scanning and optimal product configuration; clients are protected in real time by 24 by 7 central monitoring.

Business Continuity

ESO Core Value

The ultimate value of ESO is to help our customers secure business continuity through improving organization awareness, process enforcement, response enablement and security environment.

Page 15

[Diagram: China MSO Center, China AV Consultant and Customers, linked by report and alert, service, and data collection flows]

To Build Up A Robust Defense Line with Security Vendor

Page 16

Introduction of Monitoring Services

Monitoring Service Offering (MSO) is Trend Micro’s new service offering, providing 7x24 real-time monitoring, virus prevention and damage cleanup.

Service elements: Central Dashboard; 7x24 on-duty monitoring; Customized Suggestion; Proactive Cleanup; Urgency Notification; Standard Response Process; Report Generation

In the MSO center, we have a central dashboard and 24x7 Trend Micro professionals to monitor the virus outbreak situation.

When we detect signs of a virus attack, we will notify you through various channels, including email, SMS and phone.

We will also provide you with response procedures and customized suggestions for actions to prevent virus attacks or outbreaks.

We can also execute automatic cleanup procedures on your command.

We provide monitoring data and analysis reports so that you can further improve overall antivirus protection.

Page 17

In normal times as well as during virus attacks, our monitoring center takes a series of actions to help customers control the damage and provides real-time updates.

What Security Vendor Should Deliver

1. Real-time Alert Service: provide a real-time alert service based on the customer’s status.

2. Antivirus Analysis Report: help the enterprise understand the AV result periodically.

3. Solution Delivery: deliver specific solutions to customers.

4. Customer Portal: customers can check the real-time outbreak status from the monitoring portal.
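The real-time alert service described on pages 16 and 17 rests on one detection decision: when do scattered antivirus detections amount to "signs of a virus attack" that justify an email, an SMS, or a phone call? The following is an added example (not code from the deck or from Trend Micro) of such a rule: it parses a constructed detection log, counts distinct hosts reporting the same malware name inside a sliding 10-minute window, and maps the peak count onto the three notification channels the slide lists. The log format, the thresholds and the malware names are all assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample detection log (not from the slide). One line per detection,
# in an assumed key=value format; the fourth line is deliberately malformed.
SAMPLE_LOG = """\
2005-08-13 09:00:05 host=PC-0101 malware=WORM_SAMPLE.A action=quarantine
2005-08-13 09:01:40 host=PC-0102 malware=WORM_SAMPLE.A action=quarantine
2005-08-13 09:02:10 host=PC-0101 malware=WORM_SAMPLE.A action=quarantine
this line is not a detection record and must be skipped
2005-08-13 09:03:55 host=PC-0107 malware=WORM_SAMPLE.A action=clean
2005-08-13 09:05:30 host=PC-0110 malware=WORM_SAMPLE.A action=quarantine
2005-08-13 09:06:02 host=PC-0115 malware=WORM_SAMPLE.A action=quarantine
2005-08-13 09:30:00 host=PC-0200 malware=ADW_SAMPLE.B action=clean
2005-08-13 09:40:00 host=PC-0201 malware=ADW_SAMPLE.B action=clean
"""

LINE_RE = re.compile(r"^(\S+ \S+) host=(\S+) malware=(\S+) action=(\S+)$")

# Assumed escalation ladder: distinct hosts within the window -> channel.
# Checked from the highest threshold down, so the strongest channel wins.
THRESHOLDS = [(5, "phone"), (3, "sms"), (2, "email")]


def parse_log(text):
    """Turn log lines into (timestamp, host, malware, action) tuples,
    skipping lines that do not match so one bad record cannot stop the monitor."""
    events = []
    for line in text.splitlines():
        match = LINE_RE.match(line.strip())
        if not match:
            continue
        ts, host, malware, action = match.groups()
        events.append((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), host, malware, action))
    return events


def outbreak_alerts(events, window=timedelta(minutes=10)):
    """Sliding-window rule: for each malware name, find the largest number of
    distinct hosts reporting it within `window`, and return
    {malware: (peak_distinct_hosts, channel)} for names that cross a threshold.
    Repeat detections on the same host count once, so a single machine that
    keeps re-detecting does not look like an outbreak."""
    by_malware = defaultdict(list)
    for ts, host, malware, _action in sorted(events):
        by_malware[malware].append((ts, host))

    alerts = {}
    for malware, hits in by_malware.items():
        peak, start = 0, 0
        for end in range(len(hits)):
            # Drop hits that fall outside the window ending at hits[end];
            # a hit exactly `window` old is still inside it.
            while hits[end][0] - hits[start][0] > window:
                start += 1
            peak = max(peak, len({host for _, host in hits[start:end + 1]}))
        for needed, channel in THRESHOLDS:
            if peak >= needed:
                alerts[malware] = (peak, channel)
                break
    return alerts


if __name__ == "__main__":
    for name, (count, channel) in outbreak_alerts(parse_log(SAMPLE_LOG)).items():
        print(f"{name}: {count} distinct hosts in 10 min -> notify by {channel}")
```

On the sample log the worm reaches five distinct hosts within six minutes and escalates straight to a phone call, while the adware sits on two hosts exactly ten minutes apart and only earns an email; the boundary case is deliberate, since an off-by-one in the window comparison would silently drop the second alert.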

Page 18

People / Technology / Process

• TV internet access

• Access for some → Access for all

• WAP mobile phones

• Hardware/Software: Virus Scan, Anti-Spam, Anti-Spyware, IDS/IDP/VPN

• Network management

• Remote Scan & management

• Early warning

• OPP/CPR/OPR, DCS

• Solution Delivery

• CRM

• Reporting

• AV console

• Diagnosis and Proposal

• Assessment Review

• Security report and advice

• Onsite support

• Solution deployment

The nature of Services Business

Page 19

Sample Case: Real-Time Alert Service

Page 20

Sample Case: Antivirus Analysis Report

(1) Please refer to Appendix 3 for the detailed definition.

Metrics shown (2005.6 – 2005.8):

• Average Outdated Spyware Pattern Ratio (1)

• Average Outdated Virus Pattern Ratio for Servers (1)

• Average Outdated Network Virus Pattern Ratio (1)

• Average Outdated Virus Pattern Ratio for SPNT (1)

• Average Outdated Virus Pattern Ratio for OSCE (1)

[Charts: Monthly Average of Outdated Pattern Ratio After 12 Hours of Deployment, one chart each for SPNT, OSCE, Product Server, Network Virus and Spyware patterns; x-axis 2005.6, 2005.7, 2005.8; each month split into Low / Medium / High. Data labels as extracted, in chart order: 51%, 49%; 0%, 18%, 52%; 7%, 33%; 0%, 0%, 0%, 0%; 0%, 0%, 4%]

• This page shows the average outdated virus pattern ratios for the last three months; this data gives a better understanding of how the latest virus patterns are distributed internally. Unsuccessful upgrades may be due to problems with the products themselves, or to client machines being offline. Please check this issue carefully.
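The "outdated pattern ratio after 12 hours of deployment" is the KPI this sample report is built on, and the bullet above names the trap in computing it: a client that is offline cannot have received the pattern, so lumping offline clients in with outdated ones hides whether the update mechanism itself is failing. The following is an added example (not code from the deck or from Trend Micro, and not its Appendix 3 definition) that computes the ratio from a constructed inventory snapshot, reports online and offline clients separately, and bands the result as Low / Medium / High using assumed thresholds.

```python
from datetime import datetime, timedelta

# Constructed inventory snapshot (not from the slide): per client, the pattern
# version it last reported and when it last checked in with the AV console.
LATEST_PATTERN = "2.812.00"                 # assumed version format: major.minor.build
RELEASE_TIME = datetime(2005, 8, 1, 6, 0)   # when LATEST_PATTERN was published
SNAPSHOT = [
    ("PC-01", "2.812.00", datetime(2005, 8, 1, 17, 30)),  # updated
    ("PC-02", "2.812.00", datetime(2005, 8, 1, 17, 45)),  # updated
    ("PC-03", "2.811.00", datetime(2005, 8, 1, 17, 50)),  # online, still outdated
    ("PC-04", "2.809.00", datetime(2005, 7, 28, 9, 0)),   # offline since before the release
    ("PC-05", "2.811.00", datetime(2005, 8, 1, 17, 55)),  # online, still outdated
]

# Assumed banding thresholds for the example (lower bound of each band).
BANDS = [(0.30, "High"), (0.10, "Medium"), (0.0, "Low")]


def version_key(version):
    """Numeric tuple so that '2.812.00' > '2.811.00' compares as intended."""
    return tuple(int(part) for part in version.split("."))


def band_for(ratio):
    for floor, label in BANDS:
        if ratio >= floor:
            return label
    return "Low"


def outdated_pattern_ratio(snapshot, latest, release_time,
                           grace=timedelta(hours=12), offline_after=timedelta(hours=24)):
    """Measure, `grace` after the release, which clients still run a pattern
    older than `latest`. A client counts as online if it checked in within
    `offline_after` of the measurement time; offline clients are reported
    separately, and `ratio_all` shows how much counting them as outdated
    would inflate the figure."""
    measure_at = release_time + grace
    online, outdated_online, offline = [], [], []
    for client, version, last_seen in snapshot:
        if last_seen > measure_at:
            continue  # a check-in after the measurement point is not part of this sample
        if measure_at - last_seen > offline_after:
            offline.append(client)
            continue
        online.append(client)
        if version_key(version) < version_key(latest):
            outdated_online.append(client)
    ratio_online = len(outdated_online) / len(online) if online else 0.0
    total = len(online) + len(offline)
    ratio_all = (len(outdated_online) + len(offline)) / total if total else 0.0
    return {
        "measured_at": measure_at,
        "online": len(online),
        "offline": len(offline),
        "outdated_online": outdated_online,
        "ratio_online": ratio_online,
        "ratio_all": ratio_all,
        "band": band_for(ratio_online),
    }


if __name__ == "__main__":
    result = outdated_pattern_ratio(SNAPSHOT, LATEST_PATTERN, RELEASE_TIME)
    print(f"online {result['online']}, offline {result['offline']}, "
          f"outdated online {result['outdated_online']}")
    print(f"ratio (online only) {result['ratio_online']:.0%} -> {result['band']}; "
          f"ratio counting offline as outdated {result['ratio_all']:.0%}")
```

On the sample snapshot two of four online clients are still on the old pattern twelve hours after release (50%, High), which points at the update path itself; the one offline client pushes the naive figure to 60% but belongs in a separate "unreachable" list, which is the distinction the bullet above asks the reader to check.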

Page 21

Providing Solution Instead of Providing Products

Then the questions customers really care about may have answers:

• What is my return on investment for AV? (ROI)

• How can I measure the success of AV management? (KPI)

• Where did these viruses come from? Why do I get re-infected again and again? (Root Cause Analysis)

• I got a suspicious file and it became an outbreak. How do I discover it when it first arrives in my network? (Early Warning / Prevention)

To Solve the Security Issues from the Management Aspect