Smart Protection Network

Kelvin Liu

AVP, Core Tech Development

Copyright 2008 - Trend Micro Inc.

Malware ismultiplying

Malware issophisticated

Malware is profit driven

SpamSpyware

Botnets

Complexity

Worms

Web

Evolving Threat Landscape

Malware is getting increasingly dangerousand harder to detect.

Copyright 2009 - Trend Micro Inc.

Internal - Confidential

Example : Conficker / Downadup

InternetUser receive a spam mail User open the mail

then automatically download a file

The file register itself as a

system service Monitor the Internet browser’s address bar

Block access to certain websites

Connect to various websites, download other malicious files

Copyright 2009 - Trend Micro Inc.Feb 2009Internal - Confidential

Smart Protection Network against Conficker

IncidentTrigger

Email Reputation

WebReputation

FileReputation

Monitor

Many clients’ processes are dropping similar filenames in a short time

Many clients access or modify the same system file in a short time

Many clients accessed similar/same registry keys in a short time

Community Intelligence

Smart Protection Network

Correlate to figure out where the threat come from & whereit would connect to

File Score From Connect to

Crypt.NS.Gen X 129.24.11.3/aexjiire/ Euwl.tsst.com:88/e34jg/

Dropper.Gen X Ndj.sexadult.com/ssr/ee 112.42.5.112:80/

Nqe.exe V www.xyz.com www.abc.com

Conflicker_D X qd.wqwwor.com/om nadasm0.info:80/bugsy

Conflicker_D X Fdjhg.wopqfe.com 7f7fewf.cn:80/sina/

Correlation

Customer Feedback Log

ImmediateProtection

Copyright 2009 - Trend Micro Inc.

IncidentTrigger

Email Reputation

WebReputation

FileReputation

Monitor

Correlation

Feb 2009

Smart Protection Network against Conficker

Domain / Name Server / IP / Register’s Email

Correlationto build up a Spider

Network

Threat Intelligence

Correlation

ImmediateProtection

Copyright 2009 - Trend Micro Inc.

Email Reputation

WebReputation

FileReputation

IncidentTrigger

Monitor

Correlation

Feb 2009

Smart Protection Network against Conficker

Domain / Name Server / IP / Register’s Email

Correlationto build up a Spider

Network

Threat Intelligence

Correlation

ImmediateProtection

Copyright 2009 - Trend Micro Inc.

What & How Trend Micro use Cloud Computing

Feb 2009Internal - Confidential

OS

Server Farm

Smart Protection Network

Tracking System Hadoop ( HBASE / Meta Data )

Virtualization

Hadoop (HDFS)Message Routing framework

MapReduceClustering ClawerAnalyzer

Monitor Incident Trigger Correlation

HTTP DNS FTP

User traffic logProactive sourcing Customer

Customer

Operating system

Infrastructure

Data Archive

Data Processing

Correlation

Copyright 2009 - Trend Micro Inc.Feb 2009Internal - Confidential

Why Smart Protection Network

Time to Protect

Less Complexity

Threat Intelligence

Reduce Cost

Immediate Protection

Early Warning

Lightweight Clients

Less Memory Usage

Reduce Downtime Costs

Reduce Hardware Costs

Threat Lifecycle Management

Copyright 2009 - Trend Micro Inc.

Thank You

業務專線 : (02) 2378-2666