Trend Micro - Your journey to the cloud, where are you?
1. TREND MICRO: SECURING YOUR JOURNEY TO THE CLOUD
www.trendmicro.com
Copyright 2011 Trend Micro Inc.
11/02/12
2. The Journey to Cloud
Nick Black, Trend Micro
3. Unique Set of Security Challenges in the Cloud Era
The Four Pillars of the Cloud Revolution:
• Cloud Infrastructure: physical, virtual, cloud
• Cloud Application: hybrid cloud management
• Cloud Data: cloud data protection
• Consumerization: mobile device and mobility management
Cross-cutting labels on the slide: infrastructure, cyber attacks
4. Consumerization of IT
“Consumerization will be the most significant trend affecting IT during the next 10 years” (Gartner)
• Popular new consumer technology spreads into business organizations
• IT and consumer electronics converge as the same devices are used for work and play
• Power shifts from corporate IT and enterprise vendors (IBM, HP) to end users and innovative consumer vendors (Apple, Google)
5. Consumerization: why now?
• Affordable products and services
• Simple, intuitive, easy to use
• Pervasive fast network connectivity
• Abundance of content and applications
6. 30K Android Malware
http://blog.trendmicro.com/how-big-will-the-android-malware-threat-be-in-2012/
• 10K: middle of 2012
• 100K: end of 2012
7. Traditional Security
Three headings on the slide: Advanced Persistent Threats | Empowered Employees | Elastic Perimeter
Trend Micro evaluations find that over 90% of enterprise networks contain active malware.
8. Integrated Security Across Platforms
Inside-out security: smart, context-aware security spanning endpoints and datacenters
• Self-secured workload
• Local threat intelligence
Inside-out data security (data protection):
• When: timeline aware
• Who: identity aware
• Where: location aware
• What: content aware
• User-defined access policies
• Encryption
All network-connected data must be able to defend itself from attacks.
9. Cloud Security
Cloud models: who has control?
Servers → Virtualization & Private Cloud → Public Cloud IaaS → Public Cloud PaaS → Public Cloud SaaS
(control moves from the end user/enterprise toward the service provider as you move right)
Who is responsible for security?
• With IaaS the customer is responsible for VM-level security: the guest OS, the applications and the data running on it
• With PaaS or SaaS the service provider is responsible for most of the stack; the customer still owns its identities, its data, its configuration of the service and the endpoints that connect to it
10. Journey to the Cloud
Where is your data?
Deployment options shown on the slide: physical desktops & servers, server virtualization, desktop virtualization, private cloud, hybrid cloud, public cloud, BYOPC, mobile
Jurisdiction considerations shown: Safe Harbour, USA Patriot Act
13. APTs: The Challenges
Sophisticated social engineering
1. People are the weakest link
2. Spear phishing
3. Employee training
Stealthy behavior
1. Low profile: may be dormant for months
2. Leverages employee credentials and privileges
3. Noise from network IDS/IPS technology
Zero-day vulnerabilities
1. Patch management
2. Thousands of endpoints
3. Servers in datacenters can’t be patched right away
14. Deep Discovery: APT Hunter
Specialized threat detection across the attack sequence
Malicious content:
• Emails containing embedded document exploits
• Drive-by downloads
• Zero-day and known malware
Suspect communication:
• C&C communication for any type of malware and bots
• Backdoor activity by attacker
Attack behavior:
• Malware activity: propagation, downloading, spamming . . .
• Attacker activity: scan, brute force, service exploitation . . .
• Data exfiltration communication
Network Inspection Platform components: Threat Detection, Virtual Analyzer, Watch List, Threat Connect, SIEM Connect
Network visibility, analysis and control: visualization, analysis, alarms, reporting
15. GLOBAL SENSORNET
(via agents, community, customers, threat researchers and more)
Collected: URLs, files, threat actors, vulnerabilities, mobile apps, domains, IP addresses, network traffic, exploit kits
16. GLOBAL THREAT INTELLIGENCE
Foundational reputation services: email reputation, web reputation (expanded), file reputation (expanded)
Added technologies: vulnerabilities/exploits, mobile app reputation, network traffic rules, whitelisting
17. Virtualization and Cloud Security
One security model
VMware virtualization (security virtual appliance alongside the VMs):
• Agentless security
• Layered server security
• Encryption for vSphere
Private cloud (security virtual appliance alongside the VMs):
• Agentless security
• Layered server security
• Encryption for vCloud
• Compliance support (FIM, encryption, etc.)
Public cloud:
• Agent-based security
• Layered server security
• Encryption for leading cloud providers
• Compliance support (FIM, encryption, etc.)
Server security console: shared policy profile, virtual patching
Encryption console: shared policy profile, key ownership
18. Why is Trend Micro an Expert?
Trend Micro is No. 1 in server, virtualization and cloud security
• #1 in cloud security (source: 2012 Technavio, Global Cloud Security Software Market)
• #1 in server security (source: IDC, 2011, Worldwide Endpoint Security Revenue Share by Vendor, 2010)
• #1 in virtualization security (source: 2011 Technavio, Global Virtualization Security Management Solutions)
19. TREND MICRO: SECURING YOUR JOURNEY TO THE CLOUD
www.trendmicro.com
Editor's Notes
The IT landscape is changing drastically. We live in a far more tech-savvy world than ever before, and now that “consumerization” is recognized throughout the industry and enterprise employees are opting to use their own devices, applications and data plans, it is clear that this is not a passing trend: enterprises must quickly transform how they conduct business as well as how they protect their endpoints and secure data. Consumerization is blurring the lines between corporate and personal IT, as social networking applications such as Facebook, YouTube and Twitter are now part of everyone’s everyday lives. We are now living among a generation of people who have never known a world without the Internet, or without immediate connectivity and access. Businesses will have to make real adjustments to attract this new wave of talent, and that means offering more choices than the traditional standard-issue laptop. These tech-savvy users read their email, both private and business, on smartphones and mobile devices, access the corporate CRM on tablets, and store corporate data on their non-PC laptops. In a recent survey conducted by Trend Micro, almost 45% of the surveyed consumers said they expect to use their private smartphone for work too. As Gartner puts it, consumerization will be “the single most influential trend affecting the technology sector for the next ten years”. If there is any doubt that the trend is real, consider the sales figures: in the fourth quarter of 2010, for the first time ever, smartphones outsold traditional computers, and the trend is projected to continue through 2011. While a record 92 million computers shipped in the fourth quarter of 2010, smartphones reached nearly 101 million shipments over the same period.
It is an exciting but challenging time in IT. The emergence of consumerization has reached a tipping point, a point of no return, as the result of three key factors:
1. Affordability: as new technology becomes more affordable it is adopted by more of the masses, putting smart devices in the hands of virtually everyone today.
2. Ease of use: because these devices are so easy to use, they are used in mass fashion by the current workforce as well as by the emerging Millennial Generation, for whom this technology is second nature.
3. Availability of online content: the easy exchange and accessibility of data via apps and social media blurs the lines between work and personal life.
Convergence: taking a more expansive view of the IT landscape, we see a vast shift in how IT must operate, the result of three further factors converging at once: 1. consumerization; 2. the arrival of the extremely tech-savvy Millennial Generation in the workforce; 3. the vast proliferation of cloud technology. So, while consumerization changes how IT approaches business practices, an enormous IT revolution is under way. The entire game is changing before our eyes.
Moving at customer speed: technology has increased the speed at which customers do business. For example, mobile phones existed for years before Apple introduced the iPhone, but by making it so simple Apple raised the bar for other technology companies while making the technology accessible and affordable to the general public. Social psychology is at play as well: consumers today are often driven by “gadget envy” or the “cool factor”, and gadgets like iPads and Droids are seen as items people “can’t live without”.
This is having an impact on the IT landscape unlike anything since the desktop revolution of the early 1980s. Businesses must quickly transform how they conduct their operations as well as how they protect their endpoints and secure themselves and their data in light of this radical change. Some facts about consumerization: smartphones are now outselling traditional computers, and this trend is projected to continue through 2011. Recent estimates put computer shipments at a record 92 million in the fourth quarter of 2010, yet smartphones achieved nearly 101 million shipments over the same period. Gartner was recently quoted as saying that consumerization will be “the single most influential trend affecting the technology sector in the coming decade”. Consumerization is here to stay, so how can IT embrace it for business advantage?
With Advanced Persistent Threats and targeted attacks, cybercriminals have clearly proven their ability to evade conventional security defenses, remain undetected for extended periods, and exfiltrate corporate data and intellectual property. Traditional security defenses are not equipped to detect these attacks: they are either blind to the clues or bury the telltale events among thousands of routine daily log entries. The seriousness of this gap is compounded by technology trends such as consumerization and cloud computing, which further open the network to attack by weakening the value of perimeter security.
NGFWs typically take a more application-centric approach to traffic classification, but they do not detect or block the new breed of advanced attacks such as zero-day, targeted or advanced persistent threat (APT) attacks. At their core, NGFW anti-malware technologies rely on traditional antivirus and IPS signatures, reputation analysis, and URL blacklists. These approaches are reactive and have proven incapable of stopping advanced threats. NGFW vendors have tacitly conceded this point and are now augmenting their products with cloud-based analysis of binaries and DLLs and “rapid” hourly updates of the firewall signature set. Fundamentally, that cloud-based analysis does not provide advanced malware protection:
• It does not stop web page attacks: NGFW cloud-based analysis does not analyze the document formats (PDFs, Microsoft Office documents, image formats) used to exploit application vulnerabilities.
• It does not stop email-based attacks: NGFW cloud-based analysis does not analyze emails, so it cannot stop spear phishing, a primary mechanism used in targeted APT attacks.
IPS vendors claim that their solutions can prevent unknown, or zero-day, attacks. In reality, these claims have not proven to be true.
These claims are based on the shift from IDS detection of an individual attack based on an exploit signature to IPS detection of a class of attacks based on a vulnerability signature. This basic improvement provided the basis for vendors' zero-day protection claims, specifically that attacks against a particular vulnerability would be stopped whether a known or unknown exploit was being used. The critical part IPS vendors fail to mention is that this unknown exploit prevention is based on having a rich understanding of the vulnerability universe. In other words, IPS vendors have moved the network signature problem from one of having to know about all exploits to that of having to know about all vulnerabilities. The challenge is that vendors must account for both the exponentially increasing number of known vulnerabilities, as well as all the unknown vulnerabilities in today's threat landscape. It simply proves to be impossible given how IPS technology was originally designed. So today, we find that the most severe and successful attacks against organizations are those that exploit unknown vulnerabilities. It is only after these attacks eventually become public, thus prompting a vulnerability disclosure, that IPS vendors are able to reactively update their products to look for exploits targeting these previously unknown vulnerabilities. The other major limitation of IPS offerings is that these systems were originally built to detect and analyze network services-based attacks on the OS and server applications, rather than the client-side application attacks that dominate the landscape today. The everyday client applications being used by consumers and business users, such as browsers, PDF readers and Flash plug-ins, are the number one target for attackers. 
The ability for attackers to encapsulate and obfuscate these application-based attacks within layer upon layer of application and network protocols makes it nearly impossible for IPS systems to find the needle in the haystack. Not to mention, even if they could identify these attacks, it is only for attacks against known vulnerabilities, while most attacks target the unknown. Gartner identifies IPS failings: Network IPS has not made major advances for more than three years, and attacks are taking advantage of that. Although signature quality and accuracy have improved, network IPS is mostly based on detecting and blocking attacks that exploit known vulnerabilities, using deep inspection of the traffic stream. Network intrusion prevention products must add advanced threat detection and blocking capabilities to address the changing threats (see "Network Security Monitoring Tools for 'Lean Forward' Security Programs"). If existing network intrusion prevention vendors do not make these changes, … enterprise customers will focus on other security solutions to deal with the new threat environment.
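The distinction drawn above between an exploit signature (one known payload) and a vulnerability signature (the condition that triggers the flaw), and the limit both share against a flaw nobody has modelled, as an added example. This is not Trend Micro code nor any NGFW or IPS product's logic: the vulnerable service, its 64-byte `name` limit, the request samples and the two checker functions are all constructed for illustration.

```python
"""Exploit signature vs vulnerability signature (constructed example)."""
from __future__ import annotations

import re
from urllib.parse import parse_qs, urlsplit

# Assumed flaw: a hypothetical GET /profile handler copies the 'name'
# parameter into a 64-byte buffer, so anything longer overflows it.
MAX_NAME = 64

# Exploit signature: the raw bytes of one published exploit payload
# (64 'A's followed by a NOP sled). It knows nothing about the flaw.
EXPLOIT_SIG = re.compile(rb"name=A{64}\x90\x90")


def exploit_signature_match(request: bytes) -> bool:
    """Byte-pattern match on the wire, the classic IDS approach."""
    return EXPLOIT_SIG.search(request) is not None


def vulnerability_signature_match(request: bytes) -> bool:
    """Decode the request the way the target would (URL decoding included)
    and test the triggering condition, so any payload for this flaw matches."""
    try:
        method, target, _ = request.split(b"\r\n", 1)[0].split(b" ", 2)
    except ValueError:
        return False
    if method != b"GET":
        return False
    query = urlsplit(target.decode("latin-1")).query
    for value in parse_qs(query, keep_blank_values=True).get("name", []):
        # UTF-8 length is the assumed byte count the handler sees
        if len(value.encode("utf-8")) > MAX_NAME:
            return True
    return False


def http_get(target: bytes) -> bytes:
    return b"GET " + target + b" HTTP/1.1\r\nHost: app.example\r\n\r\n"


# Constructed traffic samples
CONSTRUCTED_REQUESTS = {
    "benign": http_get(b"/profile?name=alice"),
    # the exact payload the exploit signature was written from
    "known_exploit": http_get(b"/profile?name=" + b"A" * 64 + b"\x90\x90\xcc\xcc"),
    # same flaw, different filler byte, percent-encoded: unknown exploit
    "encoded_variant": http_get(b"/profile?name=" + b"%42" * 80),
    # an attack on a flaw neither signature set models (assumed injection)
    "unmodelled_flaw": http_get(b"/search?q=%27+OR+1%3D1--"),
}


def evaluate(requests: dict[str, bytes] | None = None) -> dict[str, tuple[bool, bool]]:
    """Return label -> (exploit signature hit, vulnerability signature hit)."""
    requests = CONSTRUCTED_REQUESTS if requests is None else requests
    return {
        label: (exploit_signature_match(r), vulnerability_signature_match(r))
        for label, r in requests.items()
    }


if __name__ == "__main__":
    for label, hits in evaluate().items():
        print(f"{label:16s} exploit_sig={hits[0]!s:5s} vuln_sig={hits[1]}")
```

The percent-encoded variant slips past the byte pattern but not the condition check, because the checker decodes the parameter the same way the target does; that is the "class of attacks" coverage the text credits to vulnerability signatures. The last request exercises a flaw that was never modelled, and both checkers stay silent, which is the gap the text describes: the vulnerability-signature approach only moves the requirement from knowing every exploit to knowing every vulnerability.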
Following and protecting the data outside of traditional perimeters turns security “inside-out” and shifts the focus from defense inside a perimeter to smart, context-aware data protection. Security solutions must evolve towards an integrated approach that follows the data from physical to virtual to cloud environments, whether the data is in data centers or on endpoints. We have to go to the core and protect the data and the workload itself, wherever it is stored or processed. To achieve this data-centric protection we need local threat intelligence that is context aware. This context is determined by the four W’s, and security must allow businesses to control data access around these four elements. When is the data being accessed? The time of access can be an indicator of threat behavior if it falls outside the normal usage window. Who is accessing the information? This is critical to ensuring only authorized data use. Where is the data being accessed from? This should be another element controlled by the business. And what is being accessed? Businesses can limit the types of data that are accessed. Security should allow businesses to set user-defined data access policies around these four elements. One example is encryption: policy-based key management can limit the issuance of decryption keys based on when the data can be accessed, who can access it, where it can be retrieved from, and what type of data can be used. If the criteria are not met, the data cannot be decrypted and remains secure. All network-connected data must be able to defend itself from attacks. “4W”-aware security engines can correlate these criteria to detect access behavior that is inconsistent with the acceptable data access behavior of the particular company, providing protection against Advanced Persistent Threats.
Together, outside-in and inside-out protection provide holistic security whether the data is inside the network perimeter or being accessed from external sources. [Note: inside-out security is our Smart Protection Network 2.0. Many of the 4Ws are part of our products today, and more of this data-centric security will be implemented in our products moving forward.]
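The policy-based key release described in the two notes above (a decryption key is issued only when the when/who/where/what criteria are all met, and repeated mismatches are treated as a behavioral signal), as an added example. It is not Smart Protection Network or Deep Security code: the `KeyPolicy`, `KeyManager` and `AccessRequest` names, the 10.0.0.0/8 corporate range, the 08:00-18:00 window, the data classifications and the in-memory key store are all assumptions made for the demonstration.

```python
"""4W-aware key release: when / who / where / what (constructed example)."""
from __future__ import annotations

import secrets
from dataclasses import dataclass
from datetime import datetime, time
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class AccessRequest:
    who: str          # authenticated identity
    where: str        # source IP address of the request
    when: datetime    # time of the request
    what: str         # classification of the data object
    data_id: str      # which encrypted object is being opened


@dataclass(frozen=True)
class KeyPolicy:
    allowed_identities: frozenset[str]
    allowed_networks: tuple            # ip_network objects
    window: tuple[time, time]          # (start, end) within one day
    allowed_classes: frozenset[str]


class KeyManager:
    """Holds per-object data-encryption keys and releases them only when
    every one of the four criteria is satisfied. Denials are counted per
    identity so that a run of out-of-policy requests can be flagged."""

    def __init__(self, policy: KeyPolicy, max_denials: int = 3) -> None:
        self.policy = policy
        self.max_denials = max_denials
        self._keys: dict[str, bytes] = {}       # assumed in-memory key store
        self._denials: dict[str, int] = {}
        self.flagged: set[str] = set()

    def register(self, data_id: str) -> bytes:
        key = secrets.token_bytes(32)
        self._keys[data_id] = key
        return key

    def _first_failed_criterion(self, req: AccessRequest) -> str | None:
        p = self.policy
        if req.who not in p.allowed_identities:
            return "who"
        if not any(ip_address(req.where) in net for net in p.allowed_networks):
            return "where"
        start, end = p.window
        if not (start <= req.when.time() < end):
            return "when"
        if req.what not in p.allowed_classes:
            return "what"
        return None

    def request_key(self, req: AccessRequest) -> tuple[bool, str, bytes | None]:
        """Return (granted, reason, key). The key is only ever returned on grant."""
        if req.data_id not in self._keys:
            return False, "unknown data", None
        reason = self._first_failed_criterion(req)
        if reason is None:
            return True, "granted", self._keys[req.data_id]
        count = self._denials.get(req.who, 0) + 1
        self._denials[req.who] = count
        if count >= self.max_denials:
            self.flagged.add(req.who)      # behavior inconsistent with policy
        return False, reason, None


def demo() -> tuple[bytes, dict[str, tuple[bool, str, bytes | None]], set[str]]:
    policy = KeyPolicy(
        allowed_identities=frozenset({"alice"}),
        allowed_networks=(ip_network("10.0.0.0/8"),),
        window=(time(8, 0), time(18, 0)),
        allowed_classes=frozenset({"internal"}),
    )
    km = KeyManager(policy, max_denials=3)
    key = km.register("report-1")
    base = dict(who="alice", where="10.1.2.3", when=datetime(2012, 2, 11, 10, 0),
                what="internal", data_id="report-1")
    cases = {
        "in_policy":   AccessRequest(**base),
        "after_hours": AccessRequest(**{**base, "when": datetime(2012, 2, 11, 2, 30)}),
        "off_network": AccessRequest(**{**base, "where": "203.0.113.5"}),
        "wrong_user":  AccessRequest(**{**base, "who": "mallory"}),
        "wrong_class": AccessRequest(**{**base, "what": "restricted"}),
    }
    results = {name: km.request_key(r) for name, r in cases.items()}
    return key, results, set(km.flagged)


if __name__ == "__main__":
    _, results, flagged = demo()
    for name, (granted, reason, _) in results.items():
        print(f"{name:12s} granted={granted!s:5s} reason={reason}")
    print("flagged identities:", flagged)
```

Only the in-policy request receives the key; the other four are each refused on a different W. Because alice is denied three times in a row, she ends up in the flagged set, which is the kind of cross-criteria correlation the note attributes to "4W"-aware engines. Anything production-grade would also bind the key to the requesting device, log every decision and rotate the per-object keys, none of which this sketch does.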
When planning to deploy your data to the cloud, you must assess your security requirements and select a cloud model that will meet your business needs and objectives. Visibility and control decrease as you move from on-site virtualization and private cloud environments to public cloud models. With a private cloud you control your assets, but with a public cloud the service provider controls the underlying infrastructure and ultimately controls access to your IT assets, which raises particular security concerns. The degree to which you control and are responsible for security in the public cloud varies by model. With an Infrastructure as a Service cloud, the provider is responsible for securing the underlying hardware, but businesses are expected to secure their virtual infrastructure and the applications and data built on top of it. With Software as a Service and Platform as a Service clouds, the provider is responsible for most of the security. However, businesses should not assume that providers offer sufficient security and should ask about the types of protection provided. In addition, you need to secure the endpoints that connect to the service to ensure that the cloud service does not compromise endpoint resources and data. [Interactive Opportunity: tie this into the customer’s cloud computing plans. Note that here you will be covering private clouds and IaaS public clouds, which pertain to their X projects, but not their SaaS and PaaS projects, as the security for those is mainly in the hands of their service providers.] For this presentation, when discussing the public cloud we will focus on Infrastructure as a Service, because businesses are responsible for most of the security, including protecting their virtual infrastructure and the applications and data built on top of it.
[Interactive Opportunity: if the customer mentioned particular security concerns for cloud environments (e.g. when discussed on slide 19), tie these into the threat discussions on slides 21-23.]
[Interactive Opportunity: Ask the customer where they have deployed their applications and data (e.g., which of the slide categories they have implemented). Right now, you can keep it at a higher level—have they started virtualizing? Are they using cloud computing? You’ll ask more details later in the presentation. Use the responses to customize the rest of this presentation—comment on security for their current deployments and how the right security can help them implement additional platforms sooner.] The order in which these elements are deployed and to what degree will vary depending on business needs and resources.
Deep Discovery provides continuous network-wide monitoring and visibility, using specialized detection engines and correlation rules to discover threats that have evaded traditional standard network, perimeter and endpoint security. It plays a key role in enabling an effective Continuous Monitoring program as defined by NIST as “maintaining ongoing awareness of information security, vulnerabilities, and threats to support organizational risk management decisions.” Deep Discovery provides continuous visibility into network and asset security posture by detecting and identifying threats invisible to standard security defenses, and providing the in-depth analysis and actionable intelligence needed to assess and respond to attacks. Deep Discovery’s proven approach provides the best detection with the fewest false positives, and the most expansive coverage by identifying malicious content, communications, and behavior across every stage of the attack sequence. Through detection and in-depth analysis of both advanced malware and evasive attacker behavior, Deep Discovery provides enterprises and governmental organizations with a new level of visibility and intelligence to combat APTs and targeted attacks across the evolving computing environment. Both technologies allow for the seamless sharing of threat intelligence to other standard Security Information and Event Management (SIEM) tools as well as CyberScope through standard syslog and Common Event Format (CEF) protocols. 
Deep Discovery specialized threat detection focuses on three key areas to discover attacks during every phase of activity:
Malicious content (steps 2, 3): Deep Discovery detects zero-day and advanced malware, including document exploits and drive-by downloads, used during the initial compromise or later C&C downloads.
Suspect communications (step 3): Deep Discovery detects the C&C communications used by modern malware, as well as backdoor manipulations by remote attackers.
Attack behavior (steps 4, 5, 6): Deep Discovery detects both malware and hacker network behaviors that indicate propagation, scanning, irregular activity, and suspect data access and transmission.
Today you hear of products that find malware by sandboxing executables or detecting some botnet traffic, but only Deep Discovery identifies the malicious content, communications and behaviors of malware and human attacker activity across all phases of the attack cycle.
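The three detection areas above, correlated per host so that evidence from more than one stage escalates to an alert, as an added example; this is not Deep Discovery code and does not reproduce its engines or rules. The content stage is taken as an input sandbox verdict, while the communication stage (regularly spaced connections to one external destination) and the behavior stage (an internal port sweep and a large outbound transfer) are computed from flow records. The 10.0.0.0/8 corporate range, the thresholds, the flows and the verdicts are all constructed.

```python
"""Per-host correlation of content, communication and behavior indicators
(constructed example)."""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from statistics import mean, pstdev

INTERNAL = ip_network("10.0.0.0/8")   # assumed corporate address range


@dataclass(frozen=True)
class Flow:
    ts: int            # seconds since start of capture
    src: str
    dst: str
    dport: int
    bytes_out: int     # bytes sent by src


def is_internal(ip: str) -> bool:
    return ip_address(ip) in INTERNAL


def detect_beacons(flows, min_count: int = 4, max_jitter: float = 0.2) -> set:
    """Communication stage: an internal host contacting one external
    destination at near-constant intervals (C&C check-ins)."""
    times = defaultdict(list)
    for f in flows:
        if is_internal(f.src) and not is_internal(f.dst):
            times[(f.src, f.dst, f.dport)].append(f.ts)
    hits = set()
    for key, ts in times.items():
        if len(ts) < min_count:
            continue
        ts.sort()
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        if mean(gaps) > 0 and pstdev(gaps) / mean(gaps) <= max_jitter:
            hits.add(key)
    return hits


def detect_scans(flows, min_targets: int = 10) -> set[str]:
    """Behavior stage: one host touching many internal hosts on one port."""
    targets = defaultdict(set)
    for f in flows:
        if is_internal(f.src) and is_internal(f.dst):
            targets[(f.src, f.dport)].add(f.dst)
    return {src for (src, _), t in targets.items() if len(t) >= min_targets}


def detect_exfil(flows, threshold: int = 50_000_000) -> set[str]:
    """Behavior stage: outbound volume to external hosts above a threshold."""
    out = defaultdict(int)
    for f in flows:
        if is_internal(f.src) and not is_internal(f.dst):
            out[f.src] += f.bytes_out
    return {src for src, b in out.items() if b >= threshold}


def correlate(sandbox_verdicts, flows) -> dict[str, tuple[frozenset, str]]:
    """Return host -> (stages observed, 'alert' or 'watch'). Two or more
    distinct stages on the same host escalate to an alert."""
    stages = defaultdict(set)
    for host, verdict in sandbox_verdicts:      # content stage, from the sandbox
        if verdict == "malicious":
            stages[host].add("content")
    for src, _, _ in detect_beacons(flows):
        stages[src].add("communication")
    for src in detect_scans(flows) | detect_exfil(flows):
        stages[src].add("behavior")
    return {h: (frozenset(s), "alert" if len(s) >= 2 else "watch")
            for h, s in stages.items()}


def constructed_events():
    verdicts = [("10.0.0.5", "malicious"), ("10.0.0.9", "clean")]
    flows = []
    for ts in (0, 305, 598, 902, 1199, 1501):            # beacon every ~300 s
        flows.append(Flow(ts, "10.0.0.5", "198.51.100.7", 443, 700))
    for i in range(1, 16):                                # SMB sweep of 10.0.1.0/24
        flows.append(Flow(2000 + i, "10.0.0.5", f"10.0.1.{i}", 445, 200))
    flows.append(Flow(3000, "10.0.0.5", "203.0.113.9", 443, 80_000_000))  # 80 MB out
    for ts, dst in ((10, "93.184.216.34"), (40, "198.51.100.7"), (700, "93.184.216.34")):
        flows.append(Flow(ts, "10.0.0.9", dst, 443, 15_000))   # ordinary browsing
    return verdicts, flows


def run_demo() -> dict[str, tuple[frozenset, str]]:
    return correlate(*constructed_events())


if __name__ == "__main__":
    for host, (stages, verdict) in run_demo().items():
        print(host, verdict, sorted(stages))
```

Host 10.0.0.5 shows all three stages and is alerted; 10.0.0.9 touches the same external address once but never crosses any threshold, so it does not appear at all. The jitter ratio (standard deviation of the gaps over their mean) is what separates a scheduled beacon from human browsing, and the scan and exfiltration thresholds are the knobs a practitioner would tune to their own baseline.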
To identify new threats, you must first start out by collecting threats. In today’s threat landscape, criminals are everywhere and they launch attacks against users in every region of the globe. They also use many means to hide themselves from security researchers to ensure their threats remain undetected. This requires a vendor to have an extensive network to gather the threat intelligence needed to keep up with the increasing volume of threats. Also, the variety of threats is increasing as criminals launch their attacks against specific individuals or organizations who use a variety of computing devices, operating systems and languages. Since 2008, Trend Micro has been building a global sensornet that allows us to collect the increasing volume and variety of threats being propagated today. We look in more places today than ever before as cybercriminals use exploits, C&C communications, DNS changers, mobile apps, and many more tools and techniques to infect and steal data. Our global sensornet now obtains over a billion new threat samples daily, including 7 million new files and we process over 6 Terabytes of data daily to ensure our customers are protected from the threats affecting them.
Parts of the Smart Protection Network have been around since 2005, and our foundational protection comprised email reputation, web reputation and file reputation. Because of the new threat landscape dominated by consumerization and cyber-attacks, we have expanded and enhanced the Smart Protection Network with the following technologies:
Mobile App Reputation: analyzes and rates Android apps for maliciousness, privacy, and resource utilization including battery life. Being integrated within mobile solutions; consumers have a battery optimizer app available today; sold to Android app stores and Android mobile providers. Ensures customers are protected from malicious apps and can use apps that do not compromise their privacy or consume too many device resources.
Vulnerabilities/Exploits: delivers protection against exploits found to be targeting known vulnerabilities within the operating systems and applications used in customer environments. Patching takes time; blocking exploits before a patch is available minimizes the risk of infection and narrows the window the criminals take advantage of. Smart rules often let us block zero-hour exploitation of a vulnerability.
Whitelisting: in-the-cloud whitelist database of known-good files, used to quickly identify false positives and to eliminate the need to analyze known-good files and applications. Used within data centers and within products like Titanium and Deep Security.
Network Traffic Rules: identifies the reputation of network traffic within a corporate environment to spot malicious traffic used by criminals. Currently within Deep Discovery.
Enhanced Web Reputation: we have advanced how we apply web reputation to keep pace with new types of criminal attacks that can come and go very quickly, or try to stay hidden.
1st-generation web reputation: centralized downloading; download the content and test it. 2nd-generation web reputation requires multiple components working in collaboration, since one is not enough: Smart Feedback (feedback from real-world sensors), sandboxing/emulation (threat intelligence from live analysis of web pages), and cybercriminal monitoring/detective work (TrendLabs threat researchers investigate the tools and techniques of cybercriminals).
Enhanced File Reputation: we continually enhance file reputation to improve malware detection. Smart Feedback lets Trend Micro use community feedback on files from millions of users to identify pertinent information such as the prevalence of a file, geo-location, age, first seen, last seen and other data that helps determine the likelihood that a file is malicious. Used in conjunction with our in-the-cloud whitelisting, this ensures few false positives occur. This technology is used today in our backend infrastructure and is making its way into our solutions. These expansions and enhancements now allow us to block 200 million threats daily for our customers, including 50M URLs and 80M malicious files, and we now receive almost 1.5B checks against our whitelist to ensure we have minimized false positives. But what does all this mean for our customers?
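The whitelist-first file reputation flow described above (a known-good hash short-circuits analysis; otherwise prevalence and age from community feedback drive the verdict), as an added example. It is not Smart Protection Network code and the rating thresholds are made up: the `FileReputation` and `Sighting` names, the cut-offs (3 or fewer endpoints within two days is suspicious, 1000 or more endpoints over 30 days is likely good) and the sample telemetry are all constructed.

```python
"""File reputation from prevalence and age, with a whitelist short-circuit
(constructed example)."""
from __future__ import annotations

import hashlib
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Sighting:
    sha256: str        # hash reported by an endpoint
    endpoint: str      # reporting endpoint (prevalence is counted per endpoint)
    seen_at: datetime


class FileReputation:
    def __init__(self, whitelist: set[str]) -> None:
        self.whitelist = whitelist                      # known-good hashes
        self.sightings: dict[str, list[Sighting]] = defaultdict(list)

    def feedback(self, s: Sighting) -> None:
        """Community feedback: one endpoint reporting one file."""
        self.sightings[s.sha256].append(s)

    def rate(self, sha256: str, now: datetime) -> str:
        if sha256 in self.whitelist:        # no analysis needed, no false positive
            return "known-good"
        seen = self.sightings.get(sha256, [])
        if not seen:
            return "unknown"
        prevalence = len({s.endpoint for s in seen})
        age = now - min(s.seen_at for s in seen)        # time since first seen
        # Assumed thresholds: rare and brand new is what targeted droppers look like;
        # widespread and old is what legitimate software looks like.
        if prevalence <= 3 and age < timedelta(days=2):
            return "suspicious"
        if prevalence >= 1000 and age > timedelta(days=30):
            return "likely-good"
        return "unknown"


def sha256_of(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def demo() -> dict[str, str]:
    now = datetime(2012, 2, 11, 12, 0)
    good = sha256_of(b"constructed known-good installer")
    common = sha256_of(b"constructed widely deployed tool")
    rare = sha256_of(b"constructed dropper seen on two hosts")
    never = sha256_of(b"constructed file nobody has reported")
    rep = FileReputation(whitelist={good})
    for i in range(1500):                                # 1500 endpoints, ~3 months old
        rep.feedback(Sighting(common, f"host-{i}", now - timedelta(days=90 + i % 10)))
    rep.feedback(Sighting(rare, "host-7", now - timedelta(hours=1)))
    rep.feedback(Sighting(rare, "host-42", now - timedelta(minutes=20)))
    return {name: rep.rate(h, now)
            for name, h in (("good", good), ("common", common), ("rare", rare), ("never", never))}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:7s} -> {verdict}")
```

The whitelist check comes first so that a legitimate file is never sent to analysis, which is where false positives would otherwise come from; the prevalence and first-seen data then let the rater treat a file reported by two endpoints an hour ago very differently from one running on 1500 hosts for three months, without ever inspecting the file's contents.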
[Interactive Opportunity: tie in their current business goals and/or IT projects in the example where possible. For example, when saying they start with virtualization, tie in the business reasons why they did this. Same for private and public cloud: “Then you turn to using the public cloud for X project.” And if they are not using VMware, adjust the story to cover their virtualization platform and the applicable agent-based approach.] Let’s take a look at how this one security model can protect you as your data center evolves, using a VMware environment as an example. Maybe you start by using this security to protect your physical machines. Then you introduce VMware virtual machines into your data center: the dedicated security virtual appliance provides agentless security options and layered protection, and encryption secures your data in your vSphere environment. Then you decide to offer a private cloud with automated provisioning of resources. The same virtualization security extends into your private cloud with agentless security and layered protection, and encryption protects vCloud environments, helping to ensure compliance while using the cloud. At some point you may need additional scalability, perhaps for development and testing or for extra capacity at peak times. Instead of building out your own infrastructure, you decide to leverage the public cloud. Now you no longer have sole use of the hypervisor, so agentless security is not an option and you deploy the agent-based options instead. These give you the same layered security as the agentless options in your virtual data center and private cloud. The encryption supports your service provider’s environment and helps you achieve compliance while using the public cloud.
[click] And your server security and encryption solutions both provide integrated management across all of these deployments—virtual data center, private cloud, public cloud, and hybrid cloud, allowing you to create a shared policy profile across these deployments. Ultimately you receive better security with simplified management.
Why should you listen to Trend Micro as an expert in virtualization and cloud security? We have been very successful in our approach to server security, achieving #1 in cloud security, #1 in virtualization security, and #1 in server security. [Citation details: IDC: 23.7% Trend Micro market share. Technavio virtualization: 13% Trend Micro market share. Technavio cloud: 13–17% Trend Micro market share. Q&A. Q: Technavio isn’t well known. Why are we promoting our standing in their research? A: It’s true, they are not well known. Larger research houses like Gartner/Dataquest and IDC are often slow to recognize new markets like these, let alone size them, so more “boutique” market research firms often provide the early indicators for these emerging markets. Their research is still valid and can be respected.]