Threats beyond Imagination - Cutting the Juggernaut (PowerPoint PPT Presentation)

Slides: 53
Provided by: irenecgans
Transcript and Presenter's Notes

1
Threats beyond Imagination - Cutting the
Juggernaut
  • Goh Chee Hoh
  • Managing Director
  • Asia South Region
  • May, 2005

Vu Quoc Thanh, CEO, MISOFT
2
Agenda
  • Security Evolution: challenges of unpredictable
    threats
  • Digital Operation Continuity: strategy and
    solution
  • The Technology Winning Path: roadmap
  • The Pioneer: Trend Micro profile overview

3
The Problem
Malware Growth
  • Malware: more than just viruses and worms
  • New threats detected daily
  • New vulnerabilities (mobile, IM, images, etc.)
  • Variants stay active for years

4
Malware / Threat Tree
5
BOT Versus Worm
  • BOTs do not spread uncontrollably like worms;
    worms spread faster
  • BOTs are programs that can be covertly installed
    on systems
  • Usually idle until called upon to perform a
    particular function
  • Hackers, or the BOT Master, have remote control
    over systems installed with BOTs, through an
    intermediary
  • The BOT Master has a motive: malicious intent
    with profitable gain

6
BOT Net
  • A botnet is a network of systems installed with
    BOTs, remotely controlled by a BOT Master
  • Can consist of several thousand systems
  • The combined bandwidth of 1000 home PCs with an
    average upstream of 128 kbit/s can offer more than
    100 Mbit/s, higher than the Internet connection of
    most organizations
  • Can be used for DDoS attacks, spamming, spreading
    BOTs, and phishing

7
Do we have BOT inside?
  • During the Blaster and Sasser worm outbreaks,
    there were BOTs using the same exploits. Zotob is
    a newer BOT example.
  • Customers didn't realize they had BOT infections,
    because BOT Masters tell their BOTs to go quiet
    after a while
  • Corporations only cleaned their worm-infected
    systems and ignored BOT-infected systems
  • Many corporations may have been harboring BOTs
    for a couple of years
  • BOTs get exploit upgrades for later
    vulnerabilities: a new method to infect vulnerable
    systems!

8
Review
  • File viruses: projected decline.
  • Worms: remain stable at 150 per month.
  • Spam: projected increase.
  • Phishing: 14,000-15,000 per month with projected
    increase.
    • Spear phishing: projected increase.
  • PhishWare: remains stable at 500-700 per month.
  • GrayWare: 1500-1600 per month with projected
    increase.
  • Bots: 250-300 per month with potential for
    increase.
  • Mobile threats: 15 per quarter with projected
    increase.

9
Reported Infections and Growth Projections
Reported infections: 9.5 million in Q1, 12.1
million in Q2, and 29.5 million in Q3. 70
percent of all infections occurred in North
America.
(Chart: reported infections per quarter with projected growth.)
10
The Problem
Malware Growth
Infection count in Asia is rising; Asia is facing a
significant threat of cyber attack.
Source: Trend Micro, Inc.
11
The Problem
Malware Impact
Global Attacks Cost Billions Each Year
12
Mobile Threats 2004-2005
(Timeline chart; dates shown: 20 Jun 04, 17 Jul 04, 5 Aug 04,
12 Aug 04, 21 Nov 04, 29 Dec 04, 1 Feb, 7 Mar, 8 Mar, 18 Mar,
4 Apr, 6 Apr, 15 Apr, 4 Jul, 8 Jul, 19 Jul, 21 Sep, 2 Oct.)
Threats named: Cabir, Skulls, Qdial, Locknut (Gavno), Dampig,
Drever, Mabir, Comwar, Fontal, Hobbes, Skudoo, Doomed, Boottoon,
Vlasco, Cardblk, Cardtrp, Camdesk, Win CE DUTS, Win CE BRADOR
Platforms: Symbian OS (Nokia, etc.), Windows CE (HP, etc.)
13
IT SECURITY TRENDS FOR 2006 (Information Risk
Management Plc, London)
  • No. 1 new threat in 2006: crossover viruses
  • Crossover viruses are a product of the mobile
    age.
  • Operating systems such as Symbian are extremely
    powerful, and this can be leveraged to write a
    virus (or act as a means of storing code) that is
    capable of transferring from a PDA or mobile
    phone to a laptop or PC, or in the opposite
    direction.
  • Given the lack of anti-virus software on the vast
    majority of mobile devices, this would appear to
    be a bigger threat.
  • The first crossover virus was detected in
    September 2005. Cardtrp spreads via Bluetooth
    and MMS (Multimedia Messaging Service). If the
    phone has a memory card, it copies a Windows
    virus known as Wukill onto the card. When the
    card is inserted into a PC, the virus appears as
    a legitimate file icon. Once opened, the code
    installs a backdoor and begins to collect
    passwords to send out.
  • Cardtrp was fairly simple by modern virus
    standards. Many anti-virus vendors considered it
    a proof-of-concept exercise. We must expect a
    much more sophisticated level throughout 2006.

14
Spear Phishing Corporate Attacks
15
Social Engineering and Phishing
  • How about this email from "Citibank" asking the
    recipient to provide personal information?

16
Spam can kill businesses
17
4th Generation Network Virus
  • Network virus characteristics:
  • Uses MS OS vulnerabilities to attack
  • Spreads very fast
  • No need for users to perform any action: users
    are attacked without doing anything

(Diagram: worm outbreaks CodeRed, NIMDA, SQLP, MSBLAST, NACHI
and SASSER arriving from the Internet against an enterprise's
existing defences: firewall, VPN, DoS protection, intrusion
detection, security management, vulnerability assessment (VA)
and existing AV products.)
The time from patch availability to outbreak
diminishes (patch MS03-026: Jul 16, 2003).
Security threats of network viruses: combined and
automatic attacking behaviours; a broadened range
of potentially infected devices (POS, ATM, kiosks,
etc.): special end-point devices are infected by
just linking to the Internet.
18
Network Virus case study
19
The Pain
Medical Devices
ATM
20
The Pain
  • New ATMs are moving to Microsoft Windows, but
    Windows is a popular platform for virus authors.
  • Microsoft issued 77 patches for Windows OS in
    2003
    • 42 of them are for Windows XP.
    • 7 of them resulted from network virus
      vulnerabilities.
  • Supposedly isolated ATM networks have been
    exposed to network virus attacks
    • 1/2003 Slammer (SQL database attack)
      • Bank of America: 13,000 ATMs shut down because
        of the attack.
      • Canadian Imperial Bank of Commerce (CIBC) also
        impacted.
    • 8/2003 Nachi worm (Welchia)
      • Infected two unnamed ATM banking networks

Network worms can inhibit business and stop
transactions.
21
Agenda
  • Security Evolution: challenges of unpredictable
    threats
  • Digital Operation Continuity: strategy and
    solution
  • The Technology Winning Path: roadmap
  • The Pioneer: Trend Micro profile overview

22
The Strategy
AV security cannot be achieved alone, so you
shouldn't be left alone
  • Understand the principles
    • Outbreaks are a series of stages, so address
      them that way
    • Protecting the perimeter is insufficient
  • Must protect where information is flowing, at
    all network layers:
    • Gateway
    • Servers
    • Applications (e.g. email, messaging)
    • Remote sites
    • Wireless/mobile devices (e.g. laptops, PDAs,
      cellphones)

23
The Strategy
  • Change the focus
    • From prevention only (firewall, IPS) to Threat
      Lifecycle Management
    • Requires timely updates: more than just a virus
      pattern update; information updates and
      solution suggestions
  • Change the approach
    • Secure network information flow
    • Solution must be dynamic
    • Approach must address the Outbreak Management
      Lifecycle

(Diagram: Outbreak Management Lifecycle: Vulnerability
Prevention, Outbreak Prevention, Virus Response, Assessment
and Restoration.)
24
The Strategy
Trend Micro Enterprise Protection Strategy
Outbreak Management
Application Layer
Network Layer
25
The Value of EPS
Cost and Effort EPS can save
26
Architectural Evolution - From the Server to
the Network Access Point
(Diagram: the Outbreak Management Lifecycle (Outbreak
Prevention, Virus Response, Assessment and Restoration,
Vulnerability Prevention) is managed and coordinated through
outbreak security actions, policy management and reporting in
TMCM (Control Manager, Web/MMC console). Trend Micro components
are placed along the path Internet/ISP, firewall/VPN, WAN
router, L3 switches, web site, e-mail servers and file servers:
NVW appliances on the L3 switches, ISVW, IMSS, SPS, NRS, IWSS,
SMEX, SP (ServerProtect), OfficeScan and PC-cillin. Threats
shown: mass-mailer worms, spam, network worms, spyware,
trojans.)
27
Trend Micro Neatsuite bundles
28
Comprehensive Antivirus and Content Security
29
Trend Micro Control Manager 3.0
  • Centralized Management (Web-based)
  • Supports 3000 managed servers on Windows, UNIX
    and Linux
  • Log collection and reporting
  • Service update and delivery platform
  • Outbreak Prevention Service
  • Damage Cleanup Service
  • Vulnerability Assessment Service
  • Centralized Management and configuration for
    Network Viruswall 1200
  • Cascaded Console for greater scalability

30
OfficeScan Corporate Edition v7.0
  • Comprehensive security solution designed for
    the corporate desktop environment.
  • Robust protection against the multiple types
    of threats that target corporate desktop users
  • Powerful web-based management console to
    coordinate effective security policies and deploy
    them rapidly
  • Accepts and implements Outbreak Policies and
    Damage Cleanup Templates from Control Manager
  • Supports security policy enforcement via Cisco
    NAC

31
InterScan Messaging Security Suite
  • Comprehensive messaging security at the
    Enterprise and ISP gateway.
  • Virus scanning for SMTP / POP-3
  • Special mass-mailing virus handling
  • Policy-based management enforces corporate email
    policies
  • Integrated Anti-spam database and Content
    Filtering
  • Implements Outbreak Policies for email virus
    outbreaks
  • Supports Heuristic Spam Prevention Solution

32
InterScan Web Security Suite
  • HTTP/FTP/ICAP 1.0 antivirus scanning
  • Web site (URL) filtering (optional)
    • Controls access to unproductive sites (raises
      employee productivity)
    • Controls access to restricted sites (reduces
      legal liabilities)
    • Allows use of pre-approved and/or customizable
      lists of sites
  • Manages Internet usage
    • Displays employee patterns of web usage
    • Alerts administrators to unusual activity based
      on historical and current Web usage
    • Allows administrators to implement individual
      surfing quotas

33
ScanMail for Microsoft Exchange
  • Server-based e-mail virus protection
  • Administrator controls and monitors virus
    activities
  • Transparent virus scanning at the server mailbox
  • Stops viruses, malicious code, sensitive content
    and spam in email and shared folders before they
    can reach desktops and spread
  • Emergency Attachment Blocking for outbreak
    situations like Sircam, Nimda, Netsky,
    Bagle, etc.
  • Alerts sender, recipients and administrator when
    a virus is found
  • Microsoft certified for new Exchange Virus Scan
    API (Microsoft Exchange 2003)

34
ScanMail eManager Content Filtering
  • eManager Plug-in for ScanMail for Exchange
  • Content Filter: allows the administrator to
    filter out offensive and inappropriate email
    before it enters the Exchange Server
  • Anti-Spam: filters out spam or unsolicited junk
    email coming to the Exchange server
  • Improves mail server efficiency and ensures that
    only valid messages are received by the end user
  • Frees up valuable disk space on the server

35
ServerProtect
  • ServerProtect efficiently safeguards
    multiple servers, domains and NAS from virus
    attacks with next-generation antivirus software
    that can be installed and managed from a single
    secure console.
  • Network OS supported: NT, Win2000, Novell
    NetWare, Linux, Win2003
  • Network Attached Storage supported platforms:
    EMC, Network Appliance

36
Spam Prevention Solution
  • Heuristic Spam filtering engine
  • 90 95 Accuracy with 1/80,000 false positive
    rate
  • Automatic updates for Heuristic engine from
    Trends Active Update servers
  • Integrated with IMSS 5.5 for ease of
    implementation
  • Increases Spam catch rate over just fingerprint
    matching
  • IMSS Policy- based framework allows highly
    granular Spam sensitivity settings

37
Anti-Spam Building Blocks
(Diagram: anti-spam building blocks. Content: heuristic and
signature filters estimate the probability of a message being
good or bad and decide on quarantine (spam caught today).
Reputation of mail servers ("Who are you?"). Authorization and
authentication of end users ("Are you good?"): SPF, Domain
Keys, DKIM, CSV (spam caught in future).)
38
Email Reputation Flow
  • IP reputation clears out the obvious spam
  • Sender authorization confirms the sender's
    domain
  • Domain reputation applies knowledge to the
    sender
    • Can decide to block, filter or pass
  • Content filtering removes the gray/questionable
    messages
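
The staged flow above, as an added worked example (not code from the slides or from any Trend Micro product): each stage either decides the message or hands it to the next, so the expensive content scan only runs on what reputation and authorization could not settle. The blocklist, the SPF-style authorized-sender table, the reputation scores, the spam phrases and the sample messages are all constructed for the example and use reserved documentation address ranges.

```python
"""Staged e-mail reputation flow (added example):
IP reputation -> sender authorization -> domain reputation -> content filter.
All tables and messages below are constructed sample data."""
from dataclasses import dataclass
from enum import Enum
import ipaddress


class Verdict(Enum):
    BLOCK = "block"    # reject at the gateway
    FILTER = "filter"  # deliver to quarantine for review
    PASS = "pass"      # deliver normally


# Constructed data: documentation ranges (RFC 5737), not real senders.
IP_BLOCKLIST = [ipaddress.ip_network("203.0.113.0/24")]
# SPF-style authorization: networks allowed to send mail for a domain.
AUTHORIZED_SENDERS = {
    "example.com": [ipaddress.ip_network("198.51.100.0/24")],
    "bulk-mailer.example": [ipaddress.ip_network("192.0.2.0/24")],
}
# Domain reputation in [0, 1]; unknown domains have no entry.
DOMAIN_REPUTATION = {"example.com": 0.9, "bulk-mailer.example": 0.4}
SPAM_PHRASES = ("free money", "act now", "verify your account")


@dataclass
class Message:
    source_ip: str
    mail_from_domain: str
    body: str


def ip_reputation(source_ip: str) -> bool:
    """Stage 1: True when the connecting IP is on the blocklist."""
    ip = ipaddress.ip_address(source_ip)
    return any(ip in net for net in IP_BLOCKLIST)


def sender_authorization(source_ip: str, domain: str) -> str:
    """Stage 2: 'pass', 'fail', or 'none' when the domain publishes no policy."""
    nets = AUTHORIZED_SENDERS.get(domain)
    if nets is None:
        return "none"
    ip = ipaddress.ip_address(source_ip)
    return "pass" if any(ip in net for net in nets) else "fail"


def domain_reputation(domain: str, auth: str) -> Verdict:
    """Stage 3: apply stored reputation only to an authenticated domain;
    anything unknown is deferred (FILTER) to the content stage."""
    score = DOMAIN_REPUTATION.get(domain)
    if auth != "pass" or score is None:
        return Verdict.FILTER
    if score >= 0.8:
        return Verdict.PASS
    if score < 0.2:
        return Verdict.BLOCK
    return Verdict.FILTER


def content_filter(body: str) -> int:
    """Stage 4: number of spam phrases found in the body."""
    text = body.lower()
    return sum(text.count(phrase) for phrase in SPAM_PHRASES)


def classify(msg: Message) -> tuple:
    """Run the stages in order; returns (verdict, name of deciding stage)."""
    if ip_reputation(msg.source_ip):
        return Verdict.BLOCK, "ip_reputation"
    auth = sender_authorization(msg.source_ip, msg.mail_from_domain)
    if auth == "fail":
        # Domain publishes a policy and this IP is not in it: spoofed sender.
        return Verdict.BLOCK, "sender_authorization"
    verdict = domain_reputation(msg.mail_from_domain, auth)
    if verdict is not Verdict.FILTER:
        return verdict, "domain_reputation"
    hits = content_filter(msg.body)
    return (Verdict.FILTER if hits else Verdict.PASS), "content_filter"


# Constructed sample messages.
SAMPLE_MESSAGES = [
    Message("203.0.113.5", "example.com", "hello"),
    Message("198.51.100.7", "example.com", "quarterly report attached"),
    Message("192.0.2.9", "example.com", "hello"),
    Message("192.0.2.9", "bulk-mailer.example", "Act now for free money"),
    Message("192.0.2.9", "unknown.example", "meeting tomorrow at ten"),
]

if __name__ == "__main__":
    for m in SAMPLE_MESSAGES:
        verdict, stage = classify(m)
        print(f"{m.source_ip:14} {m.mail_from_domain:20} -> {verdict.value:6} ({stage})")
```

The order matters for cost and for safety: a blocklisted IP is rejected before any policy lookup, a spoofed authenticated domain is rejected before its good reputation can be applied, and only messages the reputation stages cannot settle reach the content filter.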

39
Architectural Evolution
(Diagram: architectural evolution from past to future, mapped
against the OSI layers (Application, Presentation, Session,
Transport, Network, Data link, Physical). The traditional
antivirus domain covers analysis, expertise and policy creation
at the upper layers; the collaborative domain adds rapid
response and policy enforcement; the traditional networking
domain covers infrastructure, traffic analysis/management and
transaction at the lower layers. Customer value grows from
past to future.)
40
Network VirusWall against worm outbreaks and
network attacks
  • In August 2005 the ZOTOB worm attacked by
    exploiting Microsoft's MS05-039 security
    vulnerability (only 5 days after that
    vulnerability had been publicly announced).
  • UTStarcom was one of the many companies attacked
    by Zotob (UTStarcom is a leading company
    specializing in IP networking and
    telecommunications solutions). UTStarcom's
    systems must operate online 24x7.
  • When ZOTOB attacked UTStarcom's network in
    China, it quickly spread, consuming bandwidth
    and bringing the systems down.
  • The admin team also quickly identified the
    vulnerability and the devices that had been
    attacked, but could not isolate them to install
    the patch for the vulnerability.

41
THE BEHAVIOURS OF ZOTOB
42
UTStarcom deployed Trend Micro Network VirusWall
at 40 sites in China
43
Trend Micro Network VirusWall Family
Network VirusWall 1200
  • Interface: 10/100 Base-T Ethernet
  • Ports: 2
  • Inline segments per unit: 1
  • Redundancy: fail open
  • Performance: 180 Mbps / 256 users
  • Trend Micro software: Control Manager 3.0,
    Outbreak Prevention Services, Damage Cleanup
    Services
Network VirusWall 2500
  • Interface: 10/100/1000 Gigabit Ethernet, copper
    plus fiber (Q104)
  • Ports: 5 plus fiber card
  • Inline segments per unit: 4
  • Redundancy: fail open, redundant ports, and
    high-availability pair deployment
  • Performance: 1.2 Gbps / 4096 users
  • Trend Micro software: Control Manager 3.0,
    Outbreak Prevention Services, Damage Cleanup
    Services
44
Outbreak Response
  • UTStarcom quickly updated the Trend Micro
    Network VirusWall appliances and used the
    Control Manager system to centrally manage the
    Network VirusWall appliances, configuring and
    carrying out countermeasures against ZOTOB
  • Deploy automatic updates to all Network VirusWall
    appliances network-wide every five minutes,
    rather than once a day
  • Run Trend Micro Vulnerability Assessment to scan
    the entire network and identify vulnerable
    network segments and PCs without the MS05-039
    Service Pack installed
  • Quarantine PCs without MS05-039 and block them
    from accessing the Internet
  • UTStarcom then patched the system's
    vulnerabilities (installing Microsoft's MS05-039
    patch) and used Trend Micro Damage Cleanup
    Services (a component of Trend Micro Network
    VirusWall) to scan and clean the machines
    infected with ZOTOB, along with the debris it
    left behind in the system. Result: the system
    was secured.

45
Agenda
  • Security Evolution: challenges of unpredictable
    threats
  • Digital Operation Continuity: strategy and
    solution
  • The Technology Winning Path: roadmap
  • The Pioneer: Trend Micro profile overview

46
Our Approach: The Whole Threat Lifecycle
Management
(Diagram: a cycle of Plan (Antivirus Consultation Service),
Review (Antivirus Review/Audit Service), Deploy (Antivirus
Deployment Service), Monitor and Respond (Outbreak Prevention,
Damage Cleanup), built around Knowledge and Expertise.)
47
Where does the Value come from?
In the short term, the benefit is reflected in the
number of virus outbreaks, user downtime and
damage severity.
  • The benefit is the product of reduced outbreaks,
    range of impact and downtime
  • If each dimension is reduced by 30%, total damage
    will reduce by 65% (0.7 x 0.7 x 0.7 is about 0.34
    of the baseline)

(Chart: baseline damage versus damage after adopting ESO,
across the three dimensions No. of Outbreaks, Range of Impact
and Average Downtime.)
48
Long-Term Value Proposition
In the long term, the benefit comes from the
improvement of overall company security.
  • When the client's organizational awareness,
    reaction process and security environment are
    improved through adopting ESC, the benefit will
    be reflected in an accelerating decrease of the
    damage caused by malware

(Illustrative chart: total damage over time for clients
without any protection, clients using AV products, and clients
using products and ESC.)
49
The Building Blocks
(Diagram: building blocks. Customer side: security
infrastructure, organizational security awareness/behaviour,
customer service experience. Trend Micro, Trend Micro partner
and provider side: products, consulting service, service
packaging, service mechanism (24 x 7 monitoring and service,
online real-time monitoring mechanism, technical account
manager, premium support program, monitoring service
offerings; today: AV Silver Service), Trend Micro security
expertise and knowledge.)
50
Agenda
  • Security Evolution: challenges of unpredictable
    threats
  • Digital Operation Continuity: strategy and
    solution
  • The Technology Winning Path: roadmap
  • The Pioneer: Trend Micro profile overview

51
Corporate Fact Sheet
  • Trend Micro Incorporated
  • Address: Shinjuku MAYNDS Tower 27F, 2-1-1 Yoyogi,
    Shibuya-ku, Tokyo 151-0053, Japan
  • Founded: 1989, CA, US
  • Founder: Steve Chang, honored with the Innovator
    of the Year award at the 2004 Asia Business
    Leader Awards (ABLA)
  • Capital: 7,396 million yen (as of Dec. 2003)
  • Traded: Tokyo Stock Exchange (4704), NASDAQ
    (TMIC)
  • Business nature: antivirus and content security
    software and services
  • Number of employees: 2,496 (as of Dec. 2004)
  • 2004 revenue: 62.5 billion yen (Year 2004), an
    increase of 29% from Year 2003
  • Q1/2005 revenue: 17.3 billion yen, an increase
    of 27% from Q1/2004
  • Market value: 620 billion yen (as of Jan 25, 2005)
52
Trend Micro's Leadership in the server-based market
Trend Micro has been the global leader in 3
market segments: Internet Gateway, Mail Server,
and File Server-based Virus Protection.
  • #1 in the Internet gateway antivirus market for
    the fifth consecutive year
  • #1 in the mail server antivirus market for four
    years
  • #1 in the file server antivirus market
  • "Trend Micro has for several years now proven
    themselves to be a substantial player in the
    antivirus market, having created a niche at the
    gateway and servers that are now a requirement
    for other vendors."
    Brian Burke, Senior Research Analyst, IDC

Based on results in IDC Market Analysis:
Worldwide Antivirus 2004-2008 Forecast and 2003
Competitive Shares (August 2004)
53
The Growing Trend
(Chart: revenue growth in million yen, with bars labelled
US$208m, US$241m, US$364m, US$454m and US$587.4m.)
54
Era of Focus Created Continuous Growth
55
TREND MICRO ADVANTAGE
TrendLabs: Delivering the Value of EPS, the
Benefits of Protection
  • ISO 9001:2000 Certification
  • COPC-2000 Standards Certification
  • BS7799 Certification
  • Support-Center Practices (SCP) Certification
  • Service Excellence Award: Accenture and
    Commonwealth Magazine
  • Frost and Sullivan Customer Development Award
  • Best Helpdesk of the Year: Japan Institute of
    Office Automation
  • Helpdesk Institute Team Excellence Award
  • Contact Center Awards 2004 Gold Prize

Mini TrendLab?
57
Thank you! For more information, please visit/contact:
www.trendmicro.com
goh_chee_hoh_at_trendmicro.com
Misoft Vietnam Distributor: www.misoft.com.vn, 844-9331613