First Look: Trend Micro Deep Discovery Inspector

By looking for correlations in attack patterns, Trend Micro's Deep Discovery Inspector has the ability to protect networks against customised attacks and new threats.

The impressive web interface shows the origins of attacks, giving insight into how they unfold.

The Inspector is an offline discovery tool, taking a network feed from a mirror port on a switch, and examining traffic for patterns matching suspicious behaviour. Trend Micro identifies this “listen-only inspection of all network traffic” as a key feature of its system as it reduces strain on devices, which can occur with in-line products and end-point security programs.

It features seven 1Gbps network ports and an extra port solely for management. This gives a considerable amount of throughput for such a complex device, but larger networks may need to consider several devices for more complete coverage, including separating the devices into different parts of the network. Multiple devices can be connected when combined with Trend Micro's management products, and results can be aggregated using the Trend Micro Deep Discovery Advisor.

The appliance itself is well stocked with standard components, including redundant power supplies, USB, a serial port for management and dual VGA ports for a monitor. There is space for up to six hard drives, and it ships with two 500GB SATA drives running at 7200rpm. In addition, the device comes with 8GB of RAM. A small LCD screen on the front displays the current IP address of the device, as well as providing access to a limited number of configuration options.

The appliance is available on a wide range of hardware, allowing the Inspector to be used in anything from small networks through to very large corporate network backbones. This also provides an option for growing networks, which can connect more devices as they grow without over-covering the network or needing to dispose of smaller devices.

The Inspector focuses on three layers of analysis to perform threat discovery and analysis. The three layers are initial network-level detection, sandbox simulation and finally cross-correlation focusing on latent and evasive attacks. Together, this reflects Trend Micro's methodology: identifying suspicious activity and then homing in to discover more information as needed.

The detection component initially analyses network traffic looking for malicious behaviour. Pattern matching is performed against a researched set of threats maintained by Trend Micro through the Smart Protection Network. This is a continuously updated set of patterns, much like a traditional anti-virus product; however, the patterns are designed for network-level rather than end-point-level security. This allows attacks that are spreading to be discovered instead of simply relying on endpoint protection products to pick them up. In OEM environments, if one endpoint fails to stop a threat, it can often propagate quickly, as all devices are protected using the same program and configuration.

This attack visualisation shows how an attack is linked across several locations.

In contrast, at the network layer these fast-moving threats are often easier to discover, even if they are zero-day attacks. Ultimately, a combination of the two, end-point security and network-level detection, provides a robust option.

The next layer of analysis is sandbox simulation and correlation. At this level, a sandbox simulation is used to perform forensic analysis on identified threats. This level is used to reduce false positives, as well as providing more detail on the threats, including customer-centric threat profiles. Sandboxing is a critical task in zero-day analysis, as unknown malware cannot be easily understood without running it.

Finally, there is the cross-correlation layer, focusing on the discovery of latent and evasive attacks, such as Advanced Persistent Threats (APTs) and other persistent malicious behaviour. This form of analysis looks for long-term malicious trends, indicative of the more passive monitoring and attacking used by APTs. The appliance also performs threat tracking, including being able to analyse specific threats in more detail.

The Inspector has the ability to perform per-device risk assessments through its "Watch List" feature, increasing the level of monitoring for some devices. This can be used if, for example, a device has been acting strangely; the Inspector can monitor this device more closely, with a higher degree of analysis. Additionally, more sensitive areas of the network can be analysed at a higher priority level than other parts.

The Inspector can show which devices are the most attacked, providing useful reporting on key weaknesses in a network.

The Inspector's main role is to collect data and perform analysis, with another product in the line, the Trend Micro Advisor, responsible for in-depth reporting. That said, the Inspector contains a number of reporting tools, including integration with Threat Connect, a service providing more intelligence on attacks through Trend Micro's intelligence portal. The information gathered through it includes strategies to contain the malware, as well as remediation advice specific to any threats discovered. This also links with signature updates for the threats, for end-point protection. In addition, the threat console provides a number of tools for visualising threats and attack behaviours. Another visualisation tool, GeoTrack, identifies the origins of malicious communication, but is naturally limited to the attacking computer rather than the true origin of the attack. Enterprise-level management of the device is available, and all important events can be reported to a nominated SIEM.

The amount of reported information is substantial, providing both "at a glance" information and the detailed information needed to manage security.

The device is relatively easy to configure, with a text-based menu option available directly on the device as well as SSH and serial port options. The text-based menu has some quirks, like lacking a number lock and a relatively short time-out period, which can be annoying if the administrator is reviewing documents during the set-up phase. That said, its web-based interface is well laid out and intuitive.

There are a number of widgets that display graphs of infections and exploits, allowing for a quick assessment of the health of a network. In addition, there are other widgets for graphing the geographic location of incoming attacks. Overall, this gives a great interface for showing the overall status of the network. This doesn't mean that details are lacking from the reports: comprehensive details of attacks are available, and the reporting tools contain both manager-level summary reports and low-level technical information.

There is an impressive array of visualisations and reporting information available in many forms.

As mentioned earlier, this can be focused on a particular computer or network segment if, for example, there is a higher risk of infection in these areas. The aim of the Trend Micro Deep Discovery Inspector is data collation and attack analysis; in-depth analysis of the attacks is left to the Advisor application.

Overall, this system provides an intuitive and easy-to-understand method for setting up and running a sandboxing system. The three-layered approach offers good coverage for detecting infections. The device aggregates a substantial amount of information, and the reporting options allow for a quick understanding of the health of the network.

Attacks can come from anywhere. Inline attack recording allows for the analysis of attacks after they happen, even if evidence is removed as part of the attack.

Stories by Robert Layton