Trend Micro XDR
Why is Detection and Response needed and across multiple layers?
What We Hear From Customers
Pain points: too long to detect; incomplete investigations; inadequate response; overloaded teams; alert overload; correlation difficulties; piecemeal investigation.

We hear a lot of pain points and challenges from our customers. The main ones are alert overload and how difficult it is to correlate the data coming from all of their different solutions. As a result they do piecemeal investigation: they may get an alert on the endpoint and investigate only that threat vector, without seeing how it spills over to the network side or what steps they could take to improve their security posture. It takes too long to detect threats, investigations are incomplete, they don't feel able to respond adequately, and their teams are overloaded.

NOTE TO SALES: We don't want to go into a customer and tell them what their problems are; we want to understand what their problems are. This slide is a good opportunity to ask probing questions so that you understand the pain points of the individual customer you are talking to and can tailor how you position Trend Micro and our solutions to them.

Too many alerts: 27% of IT professionals receive more than 1 million security alerts daily [1]. Too many siloed products: an average of 80 security vendors in an enterprise [2]. Each product has its own perspective, with no correlated or consolidated view of an entire chain of events. [1] Imperva, May 28, 2018.

We know the IT team is stressed by alert overload, with so many alerts being triggered in multiple places. It is hard to correlate all the various alerts you get and gain a complete, clear picture of everything happening on your endpoints and network. Our customers want more insight, and they need it to be as automatic as possible.
Endpoint Activity Recording
Endpoint Detection & Response (EDR): A Good First Step. Components: Endpoint Activity Recording (detections, telemetry, metadata); Automated Correlation & Detection; Threat Hunting (query for IOA); Root-cause Analysis; IOC Sweeping. Outcomes: Detect Threats, Contain Threats, Investigate Threats.

Endpoint detection and response has been a fantastic first step in the industry to help solve the problem of alert overload and under-resourced teams, which leads to threats getting into your organization and going undetected for nine months. Trend Micro has a full-featured and effective EDR solution that is integrated directly into our EPP solution.

Quick refresher on what EDR does: EDR records all the activity happening on your endpoint. It takes that data (detections, telemetry, information on the processes that are running, and metadata) and puts it into a database, then applies artificial intelligence and data analytics so that users can do things like automated correlation of alert activity and in-depth investigation. You can sweep for indicators of compromise throughout your organization: if you know of an IOC, you can look to see which other endpoints it is present on and respond accordingly. It allows threat hunting, and it allows root cause analysis to determine who patient zero was, how a threat spread through your organization, and what the impact was.

A main point here is that our EDR is not only about the three outcomes listed at the bottom. It absolutely delivers those, but it also performs many of these actions automatically: it correlates data from all of your endpoints so you can do more audits, and it provides automated detection that requires no human intervention. This lets you detect, contain and investigate threats much more effectively.
Endpoint Detection & Response (EDR) A Good First Step
Layers: Endpoints; Servers & Workloads. But it focuses only on endpoints.

So EDR has been a fantastic first step to solving this problem, but it focuses only on endpoints.
Can You Really See All Your Endpoints?
Layers: Endpoints; Servers & Workloads; IoT. There are many endpoints you may not have visibility of or manage.

In your organization, can you effectively see all your endpoints? There are so many endpoints, and some you just don't have visibility into or can't manage with endpoint protection and detection alone. These could be IoT devices such as printers in your environment, or rogue laptops or mobile devices that employees and contractors bring onto your network.
Can You Really See All Your Endpoints?
Layers: Endpoints; Servers & Workloads; IoT; Containers; Serverless. New cloud models are making protection different from traditional endpoints.

And think about new cloud models such as containers and serverless environments that make protection different from traditional endpoints and more difficult, and that EDR is just not doing a good job of addressing.
What if You Could See More?
Layers: Endpoints; Servers & Workloads; Email. Email is the #1 threat vector and vital to determine the scope and impact of a threat.

Nearly all endpoint threats come from email. You want to know: who else received this email? Is this threat in other mailboxes? Threats contained in mailboxes may not be visible yet on the endpoint.
What if You Could Detect Earlier?
Layers: Endpoints; Servers & Workloads; Network. Networks show anomalous behavior as threats spread.

The network is a great way to find targeted attacks as they spread laterally or communicate with Command and Control servers.
EDR is Necessary, but Not Enough
Layers: Endpoints; Servers & Workloads; Network; IoT; Containers; Serverless. Needed: detection and response beyond the endpoint.

EDR is a good first step, but what is really needed is detection and response across all of these areas.
Threats Avoid Detection Because Data is Collected & Analyzed in Silos
Today: Endpoints, IoT, Network, Servers, Cloud.

Customers often have security and visibility at each of these layers, but they are treated in silos, which often allows threats to avoid detection. For example, an endpoint might show PowerShell activity, which on its own is not indicative of an attack.
A+B+C=D: Correlation & Analytics Across Security Layers
Layers: Endpoints, IoT, Network, Servers, Cloud.

But if you can break down these silos across security layers and bring the data from all the layers together, so that you can correlate and apply analytics across layers, suddenly that benign endpoint PowerShell activity becomes important.
A+B+C=D: Correlation & Analytics Across Security Layers
Layers: Endpoints, IoT, Network, Servers, Cloud.

When you correlate the endpoint data with network data, you see unusual lateral spread from that endpoint to multiple other endpoints and servers. Beyond that, you also see that the servers are communicating with an IP address in a country they have never communicated with before, which could be indicative of command and control traffic. Correlating all of this data together, something that seemed benign at the endpoint layer alone becomes a high priority alert.

When you investigate, you can see where the threat came from. Email threats often don't impact endpoints until a user clicks on something in the email, so the reality is that an undetonated threat could be sitting in multiple inboxes. With the information you have obtained on the threat, you can now look for the email in all your inboxes, quarantine it, and stop it from impacting other endpoints, limiting the blast radius of the email.
High Priority, Actionable Alert With Context
Layers: Endpoints, IoT, Network, Servers, Cloud. Result: a high priority, actionable alert with context.

By correlating data across multiple layers you are able to detect more threats and have actionable alerts with more context.
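The A+B+C=D argument above, as an added worked example that is not Trend Micro code: three individually "grey" events (PowerShell on an endpoint, lateral SMB from that endpoint, a server reaching a never-seen country) are stitched into one incident by shared hosts and time, and only the combined chain is rated critical. The event schema, the 30-minute window and the sample telemetry are assumptions constructed for the illustration.

```python
from datetime import datetime, timedelta

# Constructed sample events (not real telemetry), one per security layer,
# already normalised to one shared schema. Each is a "grey" alert on its own.
EVENTS = [
    {"layer": "endpoint", "host": "ws-17", "time": "2020-03-02T09:01:00",
     "type": "powershell_exec", "detail": "encoded PowerShell spawned by Outlook"},
    {"layer": "network", "host": "ws-17", "time": "2020-03-02T09:04:00",
     "type": "lateral_smb", "targets": ["srv-01", "srv-02", "ws-22"],
     "detail": "new SMB sessions to multiple hosts"},
    {"layer": "server", "host": "srv-01", "time": "2020-03-02T09:09:00",
     "type": "outbound_new_geo", "detail": "first-ever connection to country ZZ"},
    {"layer": "endpoint", "host": "ws-40", "time": "2020-03-02T11:30:00",
     "type": "powershell_exec", "detail": "scheduled admin maintenance script"},
]

# Assumed correlation window: events on shared hosts this close in time are
# treated as one chain of activity.
WINDOW = timedelta(minutes=30)


def _ts(event):
    return datetime.fromisoformat(event["time"])


def correlate(events, window=WINDOW):
    """Stitch events into incidents. An event joins an incident when it falls
    within `window` of the incident's latest event and touches one of its hosts
    (its own host or, for lateral movement, any of its targets)."""
    incidents = []
    for ev in sorted(events, key=_ts):
        touched = {ev["host"], *ev.get("targets", [])}
        for inc in incidents:
            if _ts(ev) - inc["last"] <= window and touched & inc["hosts"]:
                inc["events"].append(ev)
                inc["hosts"] |= touched
                inc["last"] = _ts(ev)
                break
        else:
            incidents.append({"events": [ev], "hosts": touched, "last": _ts(ev)})
    return incidents


def priority(incident):
    """Score an incident by what the combined layers show, not by any single
    event: PowerShell + lateral spread + a server talking to a never-seen
    country is the chain described on the slide and is rated critical."""
    layers = {ev["layer"] for ev in incident["events"]}
    kinds = {ev["type"] for ev in incident["events"]}
    chain = {"powershell_exec", "lateral_smb", "outbound_new_geo"}
    if chain <= kinds and len(layers) >= 3:
        return "critical"
    if len(layers) >= 2:
        return "high"
    return "low"  # a single-layer grey alert stays low, as in the silo view


def summarize(events=EVENTS):
    """Return one line of context per incident: priority, layers, hosts."""
    return [
        {"priority": priority(inc),
         "layers": sorted({ev["layer"] for ev in inc["events"]}),
         "hosts": sorted(inc["hosts"])}
        for inc in correlate(events)
    ]


if __name__ == "__main__":
    for row in summarize():
        print(row)
```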
XDR delivers on the promise of centralized, connected visibility and investigation!
Trend Micro XDR delivers on the promise of centralized and connected visibility across all three of these solution areas.
Trend Micro XDR vision, 1H 2020
Trend Micro Managed XDR
Trend Micro XDR Vision: intelligent sensors send activity data and detections to the Trend Micro XDR Data Lake; Trend Micro XDR provides automated detection, sweeping, hunting and root-cause analysis; Trend Micro Managed XDR threat experts deliver detection reporting, sweeping, hunting, root cause analysis and a remediation plan (the diagram also carries the labels SIEM/SOAR and FUTURE).

Trend Micro offers threat protection products for Network, Email, Endpoint, and Server and Cloud Workloads. These products can also act as intelligent sensors. They can send detection data and activity to a secure data lake in the cloud. Activity data includes telemetry from endpoints and servers, metadata from email, and NetFlow for network data. The Trend Micro XDR platform uses this data for automatic detection, sweeping for IoCs, hunting for unknown threats, and root cause analysis when something is found.

Managed detection and response services help customers get the most out of their products. Trend Micro threat experts provide 24x7 monitoring, IoC sweeping, threat hunting, and investigation and response. [Note: MDR has been renamed to Managed XDR]

Protection products: Network: Deep Discovery, TippingPoint. Email: Cloud App Security. Endpoint: Apex One. Server/Cloud: Deep Security.
See What You’ve Been Missing Trend Micro XDR
The three main benefits of XDR are:
- AI & Expert Security Analytics: to detect more, sooner.
- Beyond the Endpoint: threats are not limited to endpoints, and neither should your detection and response be.
- Complete Visibility: one console, one alert schema, one investigation and coordinated response.
Detection & Response Beyond the Endpoint
Layers: Network, Endpoints, Traditional Servers, Cloud Workloads, Containers.

With more context, events that seem benign on their own suddenly become meaningful indicators of compromise, so you can detect threats earlier.
Native, Intelligent Sensors
The most effective AI and data analytics design requires a deep understanding of activity and detection data from sensors. The right AI and analytics techniques, for example: data stacking, machine learning. Native, intelligent sensors result in more effective analytics than can be achieved via APIs to a third-party product.

Although it is possible for detection and response tools to collect data from third parties, these tools will never have the deep understanding of the original vendor's data. Every vendor has its own definition of important and critical alerts and its own way of talking. Understanding how a detection method or rule works is key to making the most of the data it generates.

Analogy: if you travel to China you can use Google Translate to order a meal. But if you're an executive negotiating a multi-million dollar deal in China, you would make sure to bring a native Chinese speaker to understand the nuances of the language. Security is the same: analytic tools are more effective when they understand the nuances of the data.
Prevention is Still Important
Layers: Network, Endpoints, Traditional Servers, Cloud Workloads, Containers. The more threats you prevent, the fewer you need to investigate and respond to. "An ounce of prevention is worth more than a pound of detection."

The more threats you can prevent automatically, the lower the impact of a potential threat and the less time is needed to investigate and respond. Detection and response is needed to discover undetected stealthy threats, but it is always better to detect more up front. Trend Micro excels at threat prevention. Or, internationally, "a gram of prevention is worth more than a kilogram of detection."
Complete Visibility Detection & Activity Data from Your Environment
Detection and activity data from your environment feeds correlation (artificial intelligence, big data analytics, expert rules, Smart Protection Network), producing fewer, higher fidelity, actionable alerts; guided investigation; one console; one alert schema. Detection rules by our security experts target new, high priority threats in the wild.

Detection and activity data from your environment is correlated with threat intelligence from the Smart Protection Network. AI, big data analytics, and expert rules find hidden threats and parse logs down to the few events that matter. There is also a human element: Trend Micro threat experts write detection rules targeting current high-priority threats in the wild. One console serves detection and response across multiple layers; if a policy change is needed in a product, SSO lets you switch to that product's console with a seamless experience for the user. Instead of alert overload, you are presented with fewer alerts that are high fidelity, have context, and are actionable. Guided investigation playbooks simplify the process for your team.
Available now: Managed XDR services for all layers
Managed XDR detection and response services are available for endpoint, email, servers, cloud, and networks (formerly called MDR services).
Trend Micro Managed XDR Helps You Deal with Resource Challenges
Managed XDR, delivered by Trend incident response experts: 24x7 critical alerting and monitoring; root cause and impact analysis; incident prioritization and investigation; recommendations on remediation and preventative measures; incident reporting and executive reporting on security posture. Products: Network: Deep Discovery. Email: Cloud App Security. Endpoint: Apex One. Server / Cloud Workloads: Deep Security.

Lack detection and response skills and/or enough resources? Many customers want to do more with detection and response but lack the time and resources. Customers who have already built a SOC may only be staffed 8am-5pm, and to increase employee satisfaction and retention they use Trend Micro for night and weekend coverage. Other customers want to do regular IoC sweeping, but subscribing to threat feeds, validating IoCs, and formatting and de-duplicating data takes time. Managed XDR sweeps your environment on a regular basis and investigates any discovered events. You can start with one service, and as you add more you get more of the benefits of cross-layer detection and response.

Question that may be asked: What's the difference between XDR and Managed XDR? Analogy: your car is making a weird noise. XDR: we give you the tools to diagnose and fix the strange sound in your car. Managed XDR: we offer you a service to diagnose and fix the strange sound in your car.
Save Time and Resources with Managed XDR
Monthly report from a customer subscribing to the advanced Managed XDR services for endpoint and network. Events generated by Trend Micro products: 17K in total, including 1K high priority events and 16K events that are not actionable but are needed for compliance and visibility when investigating. Standard managed service: prioritizes 36 events that require further investigation. Advanced managed service: Trend Micro security experts investigate each of the 36 events to determine whether there is a security incident and provide a detailed response plan. (It will not be 0 incidents every month!)

This sample monthly report shows the value of the Managed XDR services. This is the executive summary for a customer with Trend endpoint security and network security (Deep Discovery Inspector). The top row shows the logs generated by the Trend products: 17K total and 1K high severity. The other 16K events are not actionable, but they are still needed for compliance and can be useful for cross-layer detection analytics and as context during investigations. Events are prioritized using automation and analytics (for example, a high severity malware detection that was fully cleaned does not need further investigation). In this case, the total events were distilled down to 36 events that need further investigation by a human. Subscribers to the Standard Managed XDR service would see these 36 events and continue the investigation with their own team. For subscribers to the Advanced Managed XDR service, Trend Micro security experts investigate each of the 36 events, determine whether a security incident occurred, and if so provide a step-by-step response plan of the actions needed to remediate.
Available now: XDR for endpoint and email
Start with XDR for Users
Diagram labels: (1) XDR Data Lake; XDR for Users, or Endpoint Sensor SaaS, XDR Edition (Apex Central); Endpoint: Apex One; Email: Cloud App Security; Network: Deep Discovery; Cloud Workloads: Deep Security. (2) Trend Micro Managed XDR threat experts deliver: detection reporting, sweeping, hunting, root cause analysis, remediation plan.

In addition to the Managed XDR services available for all layers, we have integrated email into our existing SaaS EDR solution. A new package is available that includes protection for endpoint and email along with integrated detection and response capabilities.
Trend Micro XDR for Users: Your Place to Start
Extending detection and response across Endpoints, Servers and Email. A complete SaaS offering providing: Single View, Single Console; consolidated Endpoint, Email and Server investigation capabilities; advanced Endpoint and Messaging Protection layers.

XDR for Users brings user context to the problem of EDR.
Quick, automated prevention Less impact, less investigations
Security entry point: Virtual Patching, Device Control, Web Reputation, Exploit Protection. Endpoint entry, pre-execution: Machine Learning, Application Control, Variant Protection, File-Based Signatures. Run-time: Machine Learning, Behavioral Analysis, In-Memory Detection. Time = milliseconds.

It is imperative for organizations to have a solid defense against threats hitting their systems. On the endpoint, having a solution that takes a cross-generational approach to endpoint protection is a huge advantage against newer advanced threats. But even with this number of protection layers and capabilities, there is no silver bullet when it comes to protecting against threats.
Consolidated Endpoint/Email Investigations
COMPROMISE: Most attacks start with a phishing email. One user opened the attachment. Admin PowerShell on a remote PC. Spreads to server.

Let's look at a typical advanced threat and how it would be mitigated by MDR. In this example the threat came in on a phishing email, which is usually the case. If a user clicks on the compromised attachment, it is not difficult for them to be compromised. Using PowerShell on the compromised PC, the attacker is able to move around the company network. What is notable here is that it doesn't take much to move beyond protected endpoints to hide: we have seen examples where malware hides in unprotected IoT devices such as print servers or point-of-sale devices.
XDR Example: Consolidated Investigations
COMPROMISE, DETECTION: Lateral movement detected between endpoint and server. Endpoint software detects privilege escalation, as well as how it came about, from where, and all the details.

There could be many detections in this particular case, but none of them considered critical. Lateral communications would be seen as the attacker moving through the network, but that is often a "grey" alert because it is not unusual for there to be east-west traffic. The endpoint software would likely provide some sort of "grey" alert such as privilege escalation. Taken on their own, these two alerts would not be considered critical, but when correlated together they paint a broader picture. Incidentally, beyond detection of alerts, the service also offers regular sweeping and hunting of customer environments for newly discovered IOCs or for indicators of attack.
XDR Example: Consolidated Investigations
COMPROMISE, DETECTION, ANALYSIS: Identify and correlate activity related to the specific threat. Determine risk and impact. Understand what else was downloaded. Determine what the target is. Who received the email, who forwarded it, who deleted it? What emails exist with the same attachment/IOA?

During the analysis phase a full picture of the attack is generated across the entire enterprise. You can analyze the attack to get the full impact analysis, including patient zero, the person who was first infected. A full root cause analysis is performed across all the vectors. Since this attack came from email, you want to know who else received it. It is important to note that as the analysis is performed, protection for discovered malware is immediate: identified threats are fed to the SPN so that all Trend security gets a rapid update.
XDR for Users: Endpoint +Email RCA Enrichment
Who else received this email? Is this malicious file in other mailboxes? 94% of malware incidents came from email (Verizon 2019).

According to the Verizon Data Breach Investigations Report published in 2019, 94% of malware incidents came from email. So almost every time there is malware on the endpoint you need to search through your email system. How do you do this today: do you have another tool, or do you ask your email admin to search for you? Now, when a Root Cause Analysis finds that an attack came from email, it automatically sweeps user mailboxes to tell you who else received the email and whether the same IoC exists in other mailboxes: ticking time bombs waiting for another user to click on them. This brings user context to the problem of EDR. EDR tools from other vendors cannot do this integration.
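The mailbox sweep that the analysis questions above describe (who received, forwarded or deleted the email, and which copies are still undetonated), as an added example that is not Trend Micro code and not the Cloud App Security API: the root-cause result, the mailbox inventory and the attachment hash are constructed sample values.

```python
import hashlib


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed: the attachment the endpoint root-cause analysis traced the
# infection to. The bytes and hash are sample values, not a real IoC.
BAD_ATTACHMENT = b"constructed sample attachment, not real malware"
RCA_RESULT = {
    "patient_zero": "alice@example.test",
    "source": "email",
    "attachment_sha256": sha256_hex(BAD_ATTACHMENT),
}

# Constructed mailbox inventory: one record per copy of a message, with the
# hashes of its attachments and what the recipient did with it.
MAILBOXES = [
    {"mailbox": "alice@example.test", "msg_id": "m1", "status": "opened",
     "attachments": [sha256_hex(BAD_ATTACHMENT)], "forwarded_to": []},
    {"mailbox": "bob@example.test", "msg_id": "m2", "status": "forwarded",
     "attachments": [sha256_hex(BAD_ATTACHMENT)],
     "forwarded_to": ["carol@example.test"]},
    {"mailbox": "carol@example.test", "msg_id": "m3", "status": "unread",
     "attachments": [sha256_hex(BAD_ATTACHMENT)], "forwarded_to": []},
    {"mailbox": "dave@example.test", "msg_id": "m4", "status": "deleted",
     "attachments": [sha256_hex(BAD_ATTACHMENT)], "forwarded_to": []},
    {"mailbox": "eve@example.test", "msg_id": "m5", "status": "unread",
     "attachments": [sha256_hex(b"harmless quarterly report")], "forwarded_to": []},
]


def sweep_mailboxes(rca, mailboxes):
    """Answer the analysis questions for an email-borne threat: who received
    it, who forwarded it, who deleted it, and which copies are still
    undetonated. Returns None when the RCA did not trace the threat to email."""
    if rca["source"] != "email":
        return None
    ioc = rca["attachment_sha256"]
    hits = [m for m in mailboxes if ioc in m["attachments"]]
    received = sorted({m["mailbox"] for m in hits})
    return {
        "received": received,
        "others": [r for r in received if r != rca["patient_zero"]],
        "forwarded": sorted(m["mailbox"] for m in hits if m["forwarded_to"]),
        "deleted": sorted(m["mailbox"] for m in hits if m["status"] == "deleted"),
        # Unopened copies are the "ticking time bombs" the notes describe.
        "undetonated": sorted(m["mailbox"] for m in hits if m["status"] == "unread"),
        # Response: every copy not already deleted is a quarantine target.
        "quarantine": [(m["mailbox"], m["msg_id"]) for m in hits if m["status"] != "deleted"],
    }


if __name__ == "__main__":
    for key, value in sweep_mailboxes(RCA_RESULT, MAILBOXES).items():
        print(f"{key}: {value}")
```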
XDR Example: Consolidated Investigations
COMPROMISE, DETECTION, ANALYSIS, RESPONSE: Generate a report for management on the event. Quarantine devices. Kill process. Quarantine email (via API). Automatically generate pattern and share.

During the response, Cloud App Security APIs can be used to quarantine or delete the suspicious emails. [This will be automated in the full XDR platform coming in 1H 2020.]
XDR Use Case: Consolidated Investigations
COMPROMISE, DETECTION, ANALYSIS, RESPONSE, POST INCIDENT: Prevent future incidents with IOCs shared with other layers. Send phishing awareness training to the user (via Phish Insight).

Since this was an incident, additional training can be sent to the user who clicked on the phishing email via Phish Insight, Trend Micro's free phishing simulation and user training tool.
XDR for Users: Endpoint + Email, Single View, Single Console
Bringing user context to the problem of EDR
Trend Micro XDR for Users
Extending detection and response across Endpoints, Servers and Email. Single View, Single Console. Consolidated Endpoint, Email and Server investigation capabilities. Advanced Endpoint and Messaging Protection Layers.