- WFBS provides automatic threat protection for small-medium businesses through its client-server architecture and integration with the Smart Protection Network.
- Key features include centralized management, web/email reputation filtering, behavior monitoring, and location-aware security policies.
- Version 6 additions include simplified dashboard, USB threat protection, variable scanning, and enhanced quarantine tool.
- Service Pack 3 is the last update for version 6 and includes SMTP authentication, UNC path exclusions, and tools to reset passwords and recreate databases.
7. Some definitions
- Virus – Autonomous, malicious code that infects the boot sector or files but cannot spread itself to another computer. Spreads manually via floppy disks, later by email or web download.
- Worm – Autonomous, malicious code that spreads across the network via email or via network vulnerabilities.
- Trojan – Malicious code that poses as legitimate code to get the user to execute it.
- Remote Access Trojan – Malicious code which poses as legitimate code to gain access, then permits the operator to gain remote control of the victim’s computer.
- Bot Clients/Zombies – Malicious code which permits a victim’s computer to be controlled by an agent. The agent makes it easy for the operator (called a bot herder) to manage and operate tens or hundreds of thousands of clients.
- Army of Darkness – Collectively, all of the zombies controlled by bot herders.
9. Crimeware is Driving Malware (Copyright 2008 - Trend Micro Inc., 04/27/08)
11. Today’s Infection Chain (diagram; labels only): Infection Vector; Malware Writer; Criminals; Spyware/Trojan Downloader; Web Drive By; Downloader; Email Spam; Port Scan; Vulnerabilities; Spam & Phishing; Dedicated Denial of Service; Data Leakage; Adware/Clickware; Recruitment Activities; Wait for Instructions; Get Updates from Command & Control; Fool the AV; Host Management; Host Infection; HTTP; IRC; DNS; Bot Herder; Botnet; Command & Controller.
42. Next generation architecture – Threat Protection Databases
- Past: small pattern DB; slowly updating patterns (< 50 per day)
- Today: large pattern DB; rapidly updating patterns (> 50,000/day); some dynamic reputation
- Next generation: full dynamic reputation; small cache plus mobile pattern DB; multi-threat correlation
45. Smart Protection Network Correlation (diagram): a compromised web site, one click on a link, fake news by email, TROJ_CHOST.E, a fake video – a lot can happen in a minute. Reputation services shown: Email Reputation, Web Reputation, File Reputation.
52. Standard vs. Advanced (Protection Edition)
- WFBS Standard: small and medium businesses with Microsoft desktops, laptops, and file servers.
- WFBS Advanced: small and medium businesses with Microsoft desktops, laptops, file servers, and SMTP / Exchange mail servers or Small Business Servers, who also want extra in-the-cloud protection from spam using IMHS.
Control Manager 3.5 2006 Trend Micro Incorporated
This portion of today’s training will focus on Worry Free Business Security. We’ll highlight some of the new features of version 6, which was just released last June. Worry Free Business Security is made up of different parts: the Security Server, the Security Dashboard, the Client/Server Security Agents, and the Messaging Security Agent. We’ll talk about the different ways to deploy and install these parts, both the Security Server and the CSA. To get a better understanding of each component, we’ll perform an installation. First we’ll install the Security Server, and then install a CSA client that we can use as an example in our discussion. We’ll go over the major features of WFBS, and point out some of the Best Practices or settings that we recommend. We’ll go over a lot of the common tasks and questions you might face when you’re out in the field using WFBS.
Zero-day Exploits Malware writers
It is web threats that are increasing most rapidly. Just a few years ago, the prevalent threats arrived in the form of email: users would unknowingly click on malicious attachments and execute a virus on their system. Now phishing attempts are more common. People click on links in emails and download malware that opens a backdoor on the user’s PC so that a bot can be installed. Nowadays, web threats are the most common.
Traditionally, hackers created malware for notoriety. They wanted the press to write about how well their code propagated and infected. Many of the threats weren’t written with malicious intent, but solely to see how good their code was. Today cybercrime is driving the creation of malware, mainly because of the amount of money being made from it. Organized crime and regional cybergangs are turning this into an industry with an underground economy worth billions of dollars.
The operation was launched in May 2009 after FBI agents in Omaha, Nebraska, began investigating a computer fraud case that involved 46 unauthorized payments made to different bank accounts across the country. This type of fraud is the trademark of the Zeus network. In a typical Zeus theft, the criminals hack into the victim's online bank account and then move money out using the banking system's automated clearing house (ACH) money transfer system. "The cyber thieves targeted small- to medium-sized companies, and individuals, infecting their computers using a version of the Zeus Botnet," the FBI said Friday in a press release. "The malware captured passwords, account numbers, and other data used to log into online banking accounts." According to the FBI, the scammers tried to steal $220 million in total, and actually managed to move $70 million offshore from the U.S. There were about 390 victims in the U.S., the FBI said.
1. Safer—Stops more threats from the web
   - Blocks increasing web threats and spam before they reach the business
   - URL filtering keeps employees safer and helps productivity by blocking risky or inappropriate websites
2. Smarter—Scans faster, provides more effective protection, with less impact on computers
   - Powered by the Trend Micro™ Smart Protection Network™, hosted technologies provide more effective protection with no maintenance or configuration needed
   - Using file reputation, Smart Scan stores detection technologies centrally, resulting in quicker updates and minimizing impact to PCs
3. Simpler—Easy-to-use, all-in-one solution protects small businesses
   - Single solution protects business assets and customer information from web threats and more
   - Easily manage security with an improved web-based “traffic light” console, or choose to manage via Microsoft Windows Essential Server consoles
Trend Micro is already ahead of the competition today; we will move further ahead over the next few months.
- Past – little malware, not strongly financially motivated, slowly changing pattern files
- Today – most vendors still running with a pattern file architecture
  - Networks becoming overloaded
  - Machines slow to boot due to the need to load pattern files into memory from disk
  - Too much PC memory being consumed
- Next generation – Trend Micro has already been building out and investing in this infrastructure for more than 3 years now
  - Email reputation, web reputation, file reputation in the cloud
  - Trend Micro has had ER and WR operational for several years
  - FR infrastructure is already in place, with End-Point functionality being beta tested for the past 6 months and commercially available solutions this Spring
  - Cloud rapidly updated with new information
  - End-Points will hold a small cached database of recent patterns (recent apps, for instance) to reduce network traffic/latency
  - Store of critical and recent patterns for offline protection
Trend Micro’s approach is to use the power of the cloud. [Click to bring up Threat Collection] Trend Micro has a unique position in the security industry – having millions of sensors globally distributed feeding threat information back to our large network of threat collection systems. [Click to bring up ER, WR & FR] Global Multi-Threat Detection Network: Trend Micro maintains the world’s largest, most reliable email, file and web reputation databases, with over a billion dynamically rated websites, files and spam sources used to block malicious emails, files and web threats. By combining messaging, file and web security, businesses get the benefit of integrated threat intelligence across all three threat vectors. And these reputation services are based on in-the-cloud technologies, not static on-site updates, allowing users to always have access to the latest protection instantly, without having to wait for a signature update. [Click to start arrows spinning] How Correlation Works: Cybercriminals often use multiple threat vectors to propagate and manage their attacks. The Smart Protection Network correlates all three reputation databases, allowing us to source, analyze and provide protection against multiple components of an attack. Trend Micro is unique in owning all the security technology used in this collaboration process, allowing us to effectively integrate feedback from our own anti-spam, anti-malware, webcrawlers, honeypots and other technologies. [Click to bring up lower half] Smart Protection Network is already working to protect customers from data theft and infection today with our endpoint, messaging and gateway products. Whether a user is on or off the network, they are protected immediately from new threats. We also secure some of our Alliance Partner products, and finally we support easy management of all of our solutions. The result is real-time protection against the largest possible number of threats in the fastest possible time.
Today we process over 5B requests through our 5 Global data centers daily.
One of Trend Micro’s unique advantages is that we own all of the threat protection available with the Smart Protection Network and our ability to correlate all threat information we receive. Let me explain how this works. [Click to bring up TrendLabs image] TrendLabs is host to over 1000 researchers and automated systems that analyze all the different threat information we receive. [Click 3x to bring up the 3 reputation images] The solutions to these threats are added to our multiple reputation databases. [Click to bring up rotating arrows] All of the threat information is correlated together, since most threats today have multiple components that make up an entire threat. Let me give you an example of how this correlation works. [Click to bring up email message] Many threats first start out as a spam message from a botnet controlled by a cybercriminal. [Click to send email message to Email Reputation] Trend Micro’s first line of defense is to check our Email Reputation database to determine if this email is coming from a spam source and, if so, we will block it. But we don’t stop there. [Click to bring up embedded links] The email, you may have noticed, had some embedded links. Most spam today uses embedded links to entice the user into clicking. [Click to show URLs] [Click to send links to Web Reputation database] We extract those embedded links and check them against our Web Reputation database to see if they are malicious or not. But we don’t just stop there. If we have not seen these links before, we automatically start a web crawling process that analyzes every new URL we see. [Click to bring up file image] From this process we are able to source many new files that are downloaded from these web pages. [Click to send file image to File Reputation database] Any time we detect a new file we check it against our File Reputation database to determine if it is malicious or not.
If we have not seen a file before, TrendLabs will analyze it to determine if it is good or bad and add it to our whitelist or blacklist (virus pattern). [Click to show Trojan image] In this example you’ll see we detected a Trojan. [Click to bring up notepad image] You’ll see that in analyzing this Trojan file we are able to find new IPs and domains that the cybercriminal will be using in their attack. [Click to send image to web reputation] We extract this threat information and add it to our Web Reputation database to block any new attempts to access these IPs and domains that we know are malicious. [Click to bring up red circle] So as you can see, through our analysis of each threat we can provide protection for all aspects of a threat, from email to web to file, and add protection for our customers using any of our solutions that support the Smart Protection Network. In today’s threat landscape, the attack process does not take long. Even one minute of being unprotected can compromise security and infect the user. [Click to start build process] Users today can be infected by a number of methods. One click on a link in an email, falling for a phishing email, clicking on a legitimate site that’s been compromised or even clicking on a video link can provide an avenue for cybercriminals to steal data. But with Trend Micro Smart Protection Network and our correlation process we’re able to identify and analyze all components of an attack and provide immediate protection to our customers wherever they connect. It’s security made smarter.
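A simplified model of the correlation loop these notes walk through (sender against email reputation, extracted links against web reputation, crawled files against file reputation, with what analysis finds fed back into the web database), written here as an added example and not Trend Micro's own code. The databases, the crawler and the analysis results are constructed stand-ins.

```python
import re
from dataclasses import dataclass, field

URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)(?:/\S*)?")
@dataclass
class Reputation:                                 # the three databases in the notes
    email: set = field(default_factory=set)       # known spam sender domains
    web: set = field(default_factory=set)         # known malicious domains / IPs
    files_bad: set = field(default_factory=set)   # blacklist (virus pattern)
    files_good: set = field(default_factory=set)  # whitelist

def correlate(msg, rep, crawl, analyze):
    """Check one message against email -> web -> file reputation and feed what
    analysis finds back into the web database. crawl(domain) stands in for the
    crawler (file hash or None); analyze(hash) for TrendLabs ((bad, domains))."""
    findings = []
    sender_domain = msg["from"].rsplit("@", 1)[-1].lower()
    if sender_domain in rep.email:                # first line of defense
        findings.append(("email", sender_domain, "block"))
    for domain in {d.lower() for d in URL_RE.findall(msg["body"])}:
        if domain in rep.web:                     # link already known bad
            findings.append(("web", domain, "block"))
            continue
        fh = crawl(domain)                        # unseen link: crawl it
        if fh is None or fh in rep.files_good:
            findings.append(("web", domain, "allow"))
            continue
        if fh not in rep.files_bad:               # unseen file: analyze it
            malicious, extra = analyze(fh)
            if not malicious:
                rep.files_good.add(fh)
                findings.append(("file", fh, "allow"))
                continue
            rep.files_bad.add(fh)
            rep.web.update(extra)                 # C2 domains/IPs found in the sample
        rep.web.add(domain)                       # page serving malware is now blocked
        findings.append(("file", fh, "block"))
    return findings

# Constructed sample data: what the crawler "downloads" and what analysis "finds".
SAMPLES, LAB = {"landing.example": "aa11"}, {"aa11": (True, {"c2.example", "198.51.100.7"})}

def demo():
    rep = Reputation(email={"spam-source.example"})
    analyze = lambda h: LAB.get(h, (False, set()))
    m1 = {"from": "news@spam-source.example", "body": "Watch: http://landing.example/video.exe"}
    first = correlate(m1, rep, SAMPLES.get, analyze)
    m2 = {"from": "a@b.example", "body": "see http://c2.example/x"}
    second = correlate(m2, rep, SAMPLES.get, analyze)
    return first, second, rep
```

The second message in `demo()` is blocked on its link alone, because the C2 domain extracted while analyzing the first message's download has already been fed back into the web database.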
- Transaction Protector – Browser plug-in tool that protects users against malicious hijacking activities when doing online transactions.
- Wireless Protection – Wi-Fi Advisor plug-in protects against Evil Twin attacks and wireless access points being hacked maliciously. It provides security-level settings to support different encryption modes for on-corporate or off-corporate Wi-Fi users.
- TrendProtect – When users browse the Web, the plug-in warns users about potentially malicious and phishing Web sites.
- Instant Messaging (IM) Protection – Provides outbound content filtering protection and restriction of sensitive corporate data, in the form of words or phrases, being sent out through chat sessions.
- Plug-in Manager – Facilitates the installation, deployment, and management of plug-in programs that enhance performance, add new features, and improve security.
- POP3 Anti-Spam Protection – Filters spam emails for POP3 clients. This feature comes in the form of a client toolbar plug-in and is compatible with the Outlook client.
- Worry-Free Remote Manager 1.6 – 5.1: Integrated install link for Worry-Free Remote Manager Agent 1.6, for multi-site management.
The difference with the Advanced version of WFBS is that it comes with messaging protection. There is a messaging agent that protects the Exchange server, and a license to implement InterScan Messaging Hosted Security (IMHS) Standard version. IMHS Standard is a hosted messaging solution that will scan your inbound emails before they reach your network. This is done by redirecting your MX Record so that all email will first be intercepted by IMHS, scanned for viruses and spam, before they are forwarded to your network.
[HIGHLIGHT WF SOLUTIONS AND WHAT THEY PROTECT]
- Security Settings Import/Export – Allows administrators to export settings for desktops and servers and then later import them for new desktops and servers. This feature helps automate and migrate network security settings between subnets on the LAN.
- USB Device Control – A function of WFBS’s Behavior Monitoring feature, USB Device Control protects against malware that could potentially auto-install from a R/W USB device. Autorun files are intercepted and blocked, and a popup warns the user that the autorun has been denied. Users can choose to continue or prevent the install.
- Streamlined Dashboard – WFBS 6.0’s Dashboard is now streamlined, for simpler oversight and management. Threat, System, and License Status panels can now be expanded or contracted, and a View Mode lets you filter the Live Status view by the type of status displayed. Administrators can also customize email notifications for the various types of Threat Events.
- Improved Quarantine Tool – Easier display and recovery of quarantined files. CSA backs up encrypted files into a CSA folder before the quarantined file is sent to the Security Server. The VSEncrypt tool provides a GUI mode to restore the encrypted files to their original file paths.
- Integrated Install for WFRM 2.1 – Integrated install is provided for the Worry-Free Remote Manager Agent 2.1, for multi-site reseller management of WFBS and IMHS customers.