First Look: Trend Micro Deep Discovery Inspector
- 23 September, 2013 09:15
The impressive web interface shows the origins of attacks, giving insight into the attacks.
The Inspector is an offline discovery tool, taking a network feed from a mirror port on a switch, and examining traffic for patterns matching suspicious behaviour. Trend Micro identifies this “listen-only inspection of all network traffic” as a key feature of its system as it reduces strain on devices, which can occur with in-line products and end-point security programs.
It features seven 1Gbps network ports and an extra port solely for management. This gives a considerable amount of throughput for such a complex device, but larger networks may need to consider several devices for more complete coverage, including separating the devices into different parts of the network. Multiple devices can be connected when combined with Trend Micro’s management products, and results can be aggregated using the Trend Micro Deep Discovery Advisor.
The appliance itself is well stocked with standard components, including a redundant power supply, USB, a serial port for management and dual VGA slots for a monitor. There is space for up to six hard drives; it ships with two 500GB SATA drives running at 7200rpm. In addition, the device comes with 8GB of RAM. A small LCD screen on the front displays the current IP address of the device, as well as providing access to a limited amount of configuration options.
The appliance is available for a wide set of hardware, allowing the Inspector to be used in anything from small networks through to very large corporate network backbones. This also provides an option for growing networks, which would be able to connect more devices as they grow without over-covering the network or needing to dispose of smaller devices.
The Inspector focuses on three layers of analysis to perform threat discovery and analysis. The three layers are initial network-level detection, sandbox simulation and finally a cross-correlation focusing on latent and evasive attacks. Together, this reflects Trend Micro's methodology: identifying suspicious activity and then homing in to discover more information as needed.
The detection component initially analyses network traffic looking for malicious behaviour. Pattern matching is performed against a researched set of threats maintained by Trend Micro through the Smart Protection Network. This is a continuously updated set of patterns, much like a traditional anti-virus product; however, the patterns are designed for network-level, rather than end-point-level, security. This allows attacks that are spreading to be discovered instead of simply relying on endpoint protection products to pick them up. In OEM environments, if one endpoint fails to stop a threat, it can often propagate quickly, as all devices are protected using the same program and configuration.
This attack visualisation shows how an attack is linked across several locations.
In contrast, at the network layer these fast-moving threats are often easier to discover, even if they are zero-day attacks. Ultimately, a combination of the two, end-point security and network-level detection, provides a robust option.
The next layer of analysis is sandbox simulation and correlation. At this level, a sandbox simulation is used to perform forensic analysis on identified threats. This level is used to reduce false positives, as well as providing more detail on the threats. These include customer-centric profiles of threats. Sandboxing is a critical task in zero-day analysis, as unknown malware cannot be easily understood without running it.
Finally, we have the cross-correlation layer, focusing on the discovery of latent and evasive attacks, such as Advanced Persistent Threats (APTs) and other persistent malicious behaviour. This form of analysis looks for long-term malicious trends, indicative of the more passive monitoring and attacking used by APTs. The appliance also performs threat tracking, including being able to analyse specific threats in more detail.
The Inspector has the ability to perform per-device risk assessments, through its “Watch List” feature, increasing the level of monitoring for some devices. This can be used if, for example, a device has been acting weirdly; the Inspector can monitor this device more closely, with a higher degree of analysis. Additionally, more sensitive areas of the network can be analysed with a higher priority level than other parts.
The Inspector can show which devices are the most attacked, providing useful reporting on key weaknesses in a network.
The Inspector's main role is to collect data and perform analysis, with another product in the line, the Trend Micro Advisor, responsible for in-depth reporting. That said, the Inspector contains a number of reporting tools, including integration with Threat Connect, a service providing more intelligence on attacks through Trend Micro’s intelligence portal. The information gathered through here includes strategies to contain the malware, as well as remediation advice specific to any threats discovered. This also links with signature updates for the threats, for end-point protection. In addition, the threat console provides a number of tools for visualising threats and attack behaviours. Another visualisation tool, GeoTrack, identifies the origins of malicious communication, but is naturally limited to the attacking computer and not the origin of the attack. Enterprise-level management of the device is available. All important events can be reported to a nominated SIEM.
The amount of reported information is quite substantial, and provides both the “at a glance” information and the detailed information needed to manage security.
The device is relatively easy to configure, with a text-based menu option available straight from the device as well as SSH and serial port options. The text-based menu has some quirks, like lacking a number lock and a relatively short time-out period, which can be annoying if the administrator is reviewing documents during the set-up phase. That said, its web-based interface is well laid out and intuitive.
There are a number of widgets that display graphs of infections and exploits, allowing for a quick analysis of the health of a network. In addition, there are other widgets for graphing the geographic location of incoming attacks. Overall, this gives a great interface for showing the overall status of the network. This doesn't mean that details are lacking from the reports; comprehensive details of attacks are available, and the reporting tools contain both manager level summary style reports and low level technical information.
There is an impressive array of visualisations and reporting information available in many forms.
As mentioned earlier, this can be focused on a particular computer or network if, for example, there is a higher risk of infection in these areas. The aim of the Trend Micro Deep Discovery Inspector is data collation and attack analysis; in-depth analysis of the attacks is left to the Advisor application.
Overall, this system provides an intuitive and easy-to-understand method for setting up and running a sandboxing system. The three-layered approach offers good coverage for testing infections. The device aggregates a substantial amount of information, and the reporting options allow for a quick understanding of the health of the network.
Attacks can come from anywhere. Inline attack recording allows for the analysis of attacks after they happen, even if evidence is removed as part of the attack.