Protect Against the Known, the Unknown and “Known Unknown” Threats in Your Network Elisa Lippincott Trend Micro TippingPoint

Aug 24, 2020

Transcript
Page 1: Protect Against the Known, the Unknown and …...2015 Successful Exploit Traffic2 Top 10 Vulnerabilities 900+ CVEs 1 “Cyber Risk Report 2016.” Hewlett Packard Enterprise. February

Protect Against the Known, the Unknown and “Known Unknown” Threats in Your Network Elisa Lippincott

Trend Micro TippingPoint

Page 2:

Copyright 2016 Trend Micro Inc. 2

The Current Security Landscape

Page 3:

The Story Behind The Headlines…

The problem is exacerbated by a shortage of resources and security expertise

Your organization’s data, communications, intellectual property and other intangible assets can be monetized by unwanted third parties

Your organization will be exposed to strategic risks, financially material costs, and potential damage to its reputation

Criminals and adversaries engineer and execute attacks across an exploding attack surface that bypass traditional security controls

Page 4:

The Known Vulnerabilities are Still in Vogue

• 29% of all exploit samples discovered in 2015 still used the 2010 Stuxnet infection vector, the Windows shortcut (LNK) vulnerability CVE-2010-2568, which Microsoft has patched twice.

• All of the top 10 vulnerabilities exploited in 2015 were more than a year old.

• 48% of exploit samples targeted vulnerabilities that were five or more years old.

• In 2015 the top 10 vulnerabilities accounted for 85% of successful exploit traffic. The remaining 15% was spread across more than 900 CVEs, all of them actively exploited in the wild.

Top 10 Vulnerabilities Exploited in 2015 [1] (share of exploit samples)

  29%  CVE-2010-2568  Microsoft Windows
  13%  CVE-2012-6422  Samsung
   6%  CVE-2014-6332  Microsoft Windows
   5%  CVE-2010-0188  Adobe Reader/Acrobat
   5%  CVE-2009-3129  Microsoft Excel
   4%  CVE-2012-1723  Oracle Java
   4%  CVE-2010-1297  Adobe Flash Player
   4%  CVE-2012-0158  Microsoft Office (Windows Common Controls / MSCOMCTL ActiveX)
   3%  CVE-2010-3301  Linux
   2%  CVE-2014-0503  Adobe Flash Player
  24%  Others

2015 Successful Exploit Traffic [2]

  85%  Top 10 vulnerabilities
  15%  900+ other CVEs

[1] “Cyber Risk Report 2016.” Hewlett Packard Enterprise. February 2016.
[2] “2016 Data Breach Investigations Report.” Verizon. April 2016.

Page 5:

Next-Generation Intrusion Prevention System Requirements

Out-of-the-Box Protection

Recommended settings enabled out-of-the-box, backed by security intelligence from a respected research and development team

Centralized Management

Complete network security management with integrated security policy, visibility and responses

Real-Time Protection

In-line (“bump in the wire”) deployment with high throughput and low latency

Third Party Integration

Integration with complementary security solutions to enforce a “defense-in-depth” security approach

Page 6:

Breach Detection/Advanced Threat Protection Requirements

Detection Across All Network Traffic

Detect malware, command-and-control (C&C) traffic and attacker activity across 100+ protocols and all ports

Anti-evasion Techniques Against Several Methods

• Multi-language and keyboard emulation

• Mimics human interaction

• Prevents virtual device lookups
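What those three anti-evasion features have to defeat, as an added example that is not code from the slides or from any Trend Micro product: the checks below are the ones commodity malware commonly runs before it detonates (VM MAC prefixes, guest-additions device names, uptime, mouse and keyboard activity, keyboard layouts, an empty user profile). The two environment dictionaries are constructed for illustration, and the uptime and input-event thresholds are assumptions chosen for the example, not values from any product.

```python
"""Sandbox-evasion checks of the kind commodity malware runs before it
detonates, applied to constructed descriptions of an analysis VM.

Added example, not code from the slides or from any Trend Micro product.
The environment dicts are constructed for illustration; the thresholds
(uptime, interaction counts) are illustrative assumptions.
"""
from typing import Dict, List, Optional

# MAC address prefixes (OUIs) registered to VMware and VirtualBox
VM_MAC_OUIS = {"00:05:69", "00:0c:29", "00:1c:14", "00:50:56", "08:00:27"}
# Guest-additions device names a sample can try to open with CreateFile
VM_DEVICE_NAMES = {r"\\.\VBoxGuest", r"\\.\VBoxMiniRdrDN", r"\\.\vmci"}
MIN_UPTIME_S = 10 * 60      # assumption: analysis VMs are often freshly booted
MIN_INPUT_EVENTS = 20       # assumption: real users move the mouse and type


def evasion_hits(env: Dict, required_layout: Optional[int] = None) -> List[str]:
    """Return the names of the checks that would stop a sample running in env.

    env keys: mac (str), devices (list of str), uptime_s (int),
    mouse_events (int), key_events (int), keyboard_layouts (set of Windows
    LCIDs), recent_documents (list of str).
    required_layout: LCID a locale-targeted sample insists on (e.g. 0x0411,
    Japanese); None means the sample does not care about the layout.
    """
    hits = []
    if env["mac"][:8].lower() in VM_MAC_OUIS:
        hits.append("vm_mac_oui")
    if any(name in env["devices"] for name in VM_DEVICE_NAMES):
        hits.append("vm_device_present")
    if env["uptime_s"] < MIN_UPTIME_S:
        hits.append("fresh_boot")
    if env["mouse_events"] < MIN_INPUT_EVENTS or env["key_events"] < MIN_INPUT_EVENTS:
        hits.append("no_human_interaction")
    if required_layout is not None and required_layout not in env["keyboard_layouts"]:
        hits.append("target_keyboard_layout_missing")
    if len(env["recent_documents"]) < 3:
        hits.append("empty_user_profile")
    return hits


# Constructed: a default VMware guest with nobody at the console
BARE_SANDBOX = {
    "mac": "00:0c:29:3a:7f:10",
    "devices": [r"\\.\vmci"],
    "uptime_s": 45,
    "mouse_events": 0,
    "key_events": 0,
    "keyboard_layouts": {0x0409},           # en-US only
    "recent_documents": [],
}

# Constructed: the same VM after the anti-evasion measures on this slide
HARDENED_SANDBOX = {
    "mac": "3c:97:0e:1b:22:a4",             # non-VM OUI (constructed value)
    "devices": [],                          # virtual devices hidden from lookups
    "uptime_s": 3 * 24 * 3600,
    "mouse_events": 412,                    # emulated human interaction
    "key_events": 137,
    "keyboard_layouts": {0x0409, 0x0407, 0x0411},   # multi-language emulation
    "recent_documents": ["budget.xlsx", "offer.docx", "notes.txt", "deck.pptx"],
}

if __name__ == "__main__":
    print("bare    :", evasion_hits(BARE_SANDBOX, required_layout=0x0411))
    print("hardened:", evasion_hits(HARDENED_SANDBOX, required_layout=0x0411))
```

Every hit in the bare environment is a reason a sample would sleep, exit or behave benignly, which is what produces a clean sandbox verdict for a malicious file; the hardened dictionary is the set of properties the emulation has to present so that the same sample detonates and can be observed.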

Custom Sandboxing Analysis

Accurate detection of your attackers

Policy Management

Quarantine, deletion, forward-with-tag are configurable by detection severity. Sandbox analysis can be controlled by attachment type

Page 7:

The “Known Unknown”

Page 8:

Page 9:

Zero Day Initiative

• Largest vendor-agnostic player in the zero-day vulnerability marketplace

• Recognized by Frost & Sullivan as the leader in Vulnerability Research and Discovery since 2010

• Feeds directly into protection for Trend Micro customers

• 3,000+ registered external researchers

• $14M+ paid to researchers in return for vulnerability submissions

• #1 source for critical Microsoft and Adobe vulnerabilities

• 3,000+ vulnerabilities discovered and disclosed since inception

Page 10:

Business of Bugs

SECURITY RESEARCHERS and HACKERS have a multitude of options available to sell their BUGS

BLACK MARKET: Flaws are sold to the highest bidder and used to disrupt private or public individuals and groups.

GREY MARKET: Some legitimate companies operate in a legal grey zone within the zero-day market, selling exploits to governments and law enforcement agencies in countries across the world.

WHITE MARKET: Bug bounty programs, hacking contests and direct vendor communication provide opportunities for responsible disclosure.

Page 11:

Grey Market

Sell vulnerability to private broker

Implications: It is unclear where the flaw will end up and what it will be used for. Some grey market brokers have policies under which they will only sell to ethical and approved sources.

Examples of what can happen:

• Used to spy on private citizens suspected of crimes

• Used to shut down suspected terrorist operations

Page 12:

Lucrative business

Page 13:

Lucrative business

Page 14:

Option 1: Consultancy services

Page 15:

Option 2: Vulnerability brokers

Page 16:

Bullish marketplace

Page 17:

ZDI Impact on the Industry

• Killing Hacking Team Exploits

• Is the Grey Market Better at Exploitation?

• Killing VUPEN Exploits

Page 18:

ZDI Competitive Analysis and Customer Ecosystem Impact (1H2016)

[Bar chart: Microsoft Acknowledgements, 2014, 2015 and 2016, by research organization: Cisco Talos, FireEye, Fortinet, IBM, Intel Security, Kaspersky, Palo Alto Networks, Symantec, Tenable, Trend Micro, Vectra Networks, Venustech ADLAB, Zero Day Initiative]

[Bar chart: Adobe Acknowledgements, 2015 and 2016, by research organization: Cisco Talos, FireEye, Fortinet, Kaspersky Lab, McAfee, Palo Alto Networks, Tencent, Trend Micro, Vectra Networks, Venustech ADLAB, Zero Day Initiative]

[Bar chart: ICS-CERT Acknowledgements, 2015 and 2016, by research organization: Cisco Talos, IBM, Intel Security, IOActive, Kaspersky, Mandiant, Positive Technologies, Qualys, Tenable Network, Versa Networks, Zero Day Initiative]

Page 19:

Zero Day Initiative: Preemptive Protection for “Known Unknown” Vulnerabilities

[Timeline graphic: TippingPoint customers protected ahead of the patch; customers of other network security vendors at risk]

92 days: average zero-day filter coverage in 2015, measured from the date the Digital Vaccine (DV) filter shipped to the date of ZDI public disclosure.

Page 20:

Case Studies

Page 21:

Case Study – Stuxnet (2015)

• The 2010 vulnerability Stuxnet used to compromise SCADA systems (CVE-2010-2568, Windows shortcut/LNK handling) had not been fully fixed: the original patch could be bypassed

• The bypass was reported to the Zero Day Initiative and fixed by Microsoft in March 2015 as CVE-2015-0096

• A Digital Vaccine filter was available to customers almost two months before the new Stuxnet-related disclosure

Page 22:

Case Study – Heartbleed/OpenSSL

Heartbleed

• Vulnerability in OpenSSL, a library used by roughly two-thirds of the world’s web servers

• TippingPoint customers were protected on Day 1 via Digital Vaccine

• The “virtual patch” blocks the attack and the resulting theft of sensitive customer data

Second OpenSSL Vulnerability

• A second OpenSSL vulnerability, similar to Heartbleed, appeared

• It was reported to the Zero Day Initiative

• Digital Vaccine provided 43 days of coverage before the OpenSSL Project released a patch
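How a vulnerability-based “virtual patch” of the kind the Heartbleed case study describes can be expressed, as an added example (not TippingPoint’s Digital Vaccine code, whose filter logic is not on this page, and not from the OpenSSL project): the filter applies the same length check that the OpenSSL 1.0.1g fix added, so any heartbeat request claiming more payload than the record actually carries is dropped, whatever TLS version, payload bytes or exploit tool is used. That is the property the deck calls covering “all potential attack permutations” of a known vulnerability. All record bytes below are constructed for the example.

```python
"""Vulnerability-based filter for Heartbleed-style TLS heartbeat requests.

Added example, not code from the slides, from TippingPoint's Digital
Vaccine or from OpenSSL. It applies the condition the OpenSSL 1.0.1g fix
tests: the claimed payload_length plus the 16-byte minimum padding must fit
inside the TLS record that carries it (RFC 6520).
"""
import struct
from typing import List, Optional, Tuple

TLS_HEARTBEAT = 0x18      # TLS content type for heartbeat records
HB_REQUEST = 1            # HeartbeatMessageType: request
HB_MIN_PADDING = 16       # RFC 6520: padding must be at least 16 bytes


def parse_tls_record(data: bytes) -> Tuple[int, int, bytes]:
    """Split one TLS record into (content_type, version, body)."""
    if len(data) < 5:
        raise ValueError("truncated TLS record header")
    ctype, version, length = struct.unpack("!BHH", data[:5])
    body = data[5:5 + length]
    if len(body) != length:
        raise ValueError("record body shorter than declared length")
    return ctype, version, body


def heartbeat_verdict(record: bytes) -> str:
    """Classify one TLS record: 'ignore' (not a heartbeat), 'pass' or 'drop'.

    'drop' is returned when a heartbeat request claims a payload_length that
    cannot fit in the record; an unpatched server answers such a request with
    up to 64 KiB of its own memory.
    """
    ctype, _version, body = parse_tls_record(record)
    if ctype != TLS_HEARTBEAT:
        return "ignore"
    if len(body) < 3:
        return "drop"  # too short to hold type + payload_length
    hb_type, payload_len = struct.unpack("!BH", body[:3])
    if hb_type != HB_REQUEST:
        return "pass"  # responses are not the attack vector here
    # The OpenSSL 1.0.1g check: 1 + 2 + payload + 16 must fit in the record
    if 1 + 2 + payload_len + HB_MIN_PADDING > len(body):
        return "drop"
    return "pass"


def build_heartbeat(version: int, payload: bytes,
                    claimed_len: Optional[int] = None) -> bytes:
    """Construct a heartbeat request record (test input, constructed here).

    claimed_len lets the caller lie about the payload size the way an
    exploit does; a well-formed request leaves it at the real length.
    """
    if claimed_len is None:
        claimed_len = len(payload)
    body = struct.pack("!BH", HB_REQUEST, claimed_len) + payload + b"\x00" * HB_MIN_PADDING
    return struct.pack("!BHH", TLS_HEARTBEAT, version, len(body)) + body


def scan_stream(data: bytes) -> List[str]:
    """Walk back-to-back TLS records in a byte stream, one verdict per record."""
    verdicts = []
    offset = 0
    while offset < len(data):
        if len(data) - offset < 5:
            raise ValueError("truncated TLS record header")
        length = struct.unpack("!H", data[offset + 3:offset + 5])[0]
        verdicts.append(heartbeat_verdict(data[offset:offset + 5 + length]))
        offset += 5 + length
    return verdicts


# Constructed samples: the classic 8-byte probe (claims 0x4000 bytes, carries
# none) and a benign request from a conforming client.
PROBE = bytes.fromhex("18 03 02 00 03 01 40 00")
BENIGN = build_heartbeat(0x0301, b"hello")

if __name__ == "__main__":
    print("probe :", heartbeat_verdict(PROBE))    # drop
    print("benign:", heartbeat_verdict(BENIGN))   # pass
    print("stream:", scan_stream(BENIGN + PROBE))
```

The filter keys on the protocol condition that makes the server misbehave rather than on any byte pattern from a particular exploit, which is why one such rule keeps working when attackers change the TLS version, the claimed length or the tooling; a signature written against the original proof-of-concept bytes would not.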

Page 23:

Case Study – QuickTime for Windows

• The Zero Day Initiative reported two critical vulnerabilities in QuickTime for Windows

• The Department of Homeland Security (via US-CERT) issued a warning recommending that QuickTime for Windows be removed

• Apple advised that the product would no longer be supported on Windows and published removal instructions for users

• These advisories were released in accordance with the Zero Day Initiative’s disclosure policy for cases where a vendor does not issue a security patch for a disclosed vulnerability

• TippingPoint customers were protected for almost five months

Page 24:

Addressing the Known, Unknown and “Known Unknown” Vulnerabilities in Your Network

INLINE | LOW LATENCY | HIGH THROUGHPUT | NO FALSE POSITIVES

KNOWN: Real-time, accurate threat prevention for known vulnerabilities and all potential attack permutations

KNOWN UNKNOWN: Exclusive insight into undisclosed vulnerability data results in pre-emptive coverage between the discovery of a vulnerability and patch availability

UNKNOWN: Detect, analyze and respond to unknown malware and advanced threats across all network traffic, all ports and over 100 protocols

Page 26:

Thank You Elisa Lippincott ([email protected])

Twitter: @elisal