www.cloudsec.com | #CLOUDSEC

클라우드환경에서능동적다중벡터공격대응

Chris Jang

Trend Micro Korea

chris_jang@trendmicro.co.kr

#CLOUDSEC

Agenda

1. Multi-vector Attack

2. Multi-vector Attack Response

3. Connected Threat Defense

4. Advanced Threat Appliance

5. Active Response against Multi-vector Attack

#CLOUDSEC

Multi-vector Attack

“Attack vectors are or used to get into computer

systems, usually for nefarious purposes. They take advantage of known

weak spots to gain entry. Many attack vectors take advantage

of the human element in the system, because that’s often

the weakest link”

공격벡터(Attack Vector)

routes methods

#CLOUDSEC

Multi-vector Attack

Targeted Malware Mobile App. Social networking

Invalid Policy

Botnet

Network threats

Unpatched S/W

Insider attack Organized cyber crime Hactivism

#CLOUDSEC

Multi-vector Attack

Pyramid of Pain – David Bianco

Tactics, Techniques, and Procedures

#CLOUDSEC

Multi-vector Attack Response

파일의뢰(패턴생성의뢰)

Sandboxing

• Suspicious files• Suspicious network behavior• Suspicious IP, URLs, Domains

Timeline

AV Vendors

패턴 업데이트검증/치료/격리??

위협정보관리??

위협차단/제거완료??

차단의뢰룰생성/룰적용

FW/ IPS

• 실시간위협대응??• 위협정보가시성확보??• 위협라이프사이클관리?

#CLOUDSEC

Connected Threat Defense

Deep DiscoveryInspector

Deep Discovery Analyzer

Deep Discovery Email Inspector

TMES

SPS

OfficeScanDeep Security

・File・IP・URL

Suspicious Object(SO)

SO

SO

SO

SO

Sandbox 분석 요청 Control Manager(TMCM)

Sandbox 분석 요청

탐지/분석 관리 대응

#CLOUDSEC

Connected Threat Defense

- DDI

Suspicious Object 리스트 및 TMCM 연결 설정

#CLOUDSEC

Connected Threat Defense

- DDAN

Suspicious Object 리스트

#CLOUDSEC

Connected Threat Defense

- DDEI

Suspicious Object 에 대한 설정 및 관리

#CLOUDSEC

Connected Threat Defense

- DDEI

Suspicious Object 에 대한 리스트 관리

#CLOUDSEC

Connected Threat Defense

– Deep Security

Suspicious Object 관리 및 DDAN 샌드박스 분석 요청

#CLOUDSEC

Connected Threat Defense

- TMCM

Suspicious Object 확인 (IP/URL/Domain/File)

#CLOUDSEC

Connected Threat Defense

- TMCM

Suspicious Object 에 대한 샌드박스 분석 결과 확인

#CLOUDSEC

Advanced Threat Appliance

Management System Deep DiscoveryInspector / ATA

TippingPoint NGFW

TippingPoint IPS

DDI의위협정보연동을이용한실시간위협차단

Control Manager(TMCM)

• Suspicious files• Suspicious network behavior• Suspicious IP, URLs, Domains

#CLOUDSEC

Advanced Threat Appliance

#CLOUDSEC

Advanced Threat Appliance

#CLOUDSEC

Active Response against

Multi-vector Attack

실시간 치료/삭제/격리

Detection/Analysis

• Suspicious files• Suspicious network behavior• Suspicious IP, URLs, Domains

실시간 룰생성/룰적용실시간 차단

FW/ IPS 실시간위협통합대응!!!위협정보에대한가시성확보!!!위협정보라이프사이클관리!!!

위협정보라이프사이클통합관리

Endpoints

#CLOUDSEC

Active Response against

Multi-vector Attack

Total Visibility for Threat Life CycleTotal Visibility

Chris Jang

Trend Micro Korea