Trend Micro: Deep Discovery

The Trend Micro Deep Discovery platform for protection against threats allows to detect, analyze and neutralize the modern hidden directed attacks in real time.

The solution Deep Discovery is unrolled in the form of separate components or the full-fledged platform of information security. The Deep Discovery platform which is the cornerstone of the solution Trend Micro Network Defense allows to integrate the existing security infrastructure into an end-to-end adaptable system which will protect the organization from the directed attacks.

2018

Certification of Analyzer, Inspector and Email Inspector in Belarus

The company Trend Micro announced on November 7, 2018 passing of certification in the republic Belarus of five products of the company at once — Deep Security Trend Micro Deep Discovery Analyzer 6.1, Deep Discovery Inspector 5.1, Deep Discovery Email Inspector 3.1, 11.0 and Enterprise Security for Endpoint Light.

Results of the tests which are carried out by ITTAS LLC laboratory confirmed compliance of Trend Micro Deep Discovery Analyzer to 6.1 requirements of regulations of TP 2013/027/BY. Deep Discovery Analyzer are a part of the Advanced Threat Protection complex which creates the special isolated environment (so-called "sandbox") for the analysis and detection of the target attacks and protection of endpoints, web gateways and networks of the companies using web reputation and the behavioural analysis. In a program work progress all suspicious objects and the URL addresses go for manual analysis or in the automatic mode to help with detection and protection against programs racketeers and the malware, including also so-called "zero day attacks". The product can be used as the independent solution or in a complex with other software of Deep Discovery.

Certification provides wide use of software of Trend Micro in public authorities and other structures where there is a requirement for application of strictly certified products — Roman Chernenky, the area manager of Trend Micro in Ukraine, Belarus and Moldova noted. — Trend Micro understands importance of this aspect for our clients and does everything possible to provide compliance of products of the company to requirements of the existing technical regulations.

Features and Components

Features of Deep Discovery for August, 2018:

• High rates of detection thanks to specialized modules and the configured isolated environment
• The profound analysis with comparison of local and global data on threats
• Rapid response using expanded means of the analysis of incidents on end devices and the general data on signs of cracking or infection

As of August, 2018 the solution includes the following components:

• Deep Discovery Inspector
• Deep Discovery Email Inspector
• Deep Discovery Endpoint Sensor
• Deep Discovery Analyzer

Deep Discovery Inspector

Deep Discovery Inspector is the network solution providing full control of traffic and allowing to detect all manifestations of the directed attacks. Deep Discovery Inspector traces traffic on all network ports for more than 100 protocols thanks to what the greatest possible degree of protection is guaranteed.

Specialized modules of detection and the configured isolated environments allow to reveal and analyze malware, data exchange sessions with the command centers and also the hidden actions of malefactors which are not fixed by standard security protections. The profound analysis of threats helps to react quickly to a situation, and data retrieveds are automatically transferred to other protective programs that allows to create the customized system of protection against malefactors functioning in real time.

Main Features

• End-to-end system of network security
  • Traffic is traced on all ports for more than 100 protocols that allows to detect the attacks in any point of network.

• Detection of malware, communication sessions with the command centers and also actions of malefactors
  • Using specialized modules of detection, rules of correlation and the configured isolated environment it is possible to estimate all aspects of the directed attack (and not just malware).

• The configured isolated environments
  • For detection of the attacks directed to the organization virtual images, in accuracy corresponding to configurations of manual operating systems are used.

• The global warning system about threats
  • Trend Micro Smart Protection Network is used by detection systems and the Threat Connect portal for the analysis of the attacks.

• Broad spectrum of the protected systems
  • Detection of the attacks in OS Windows Mac OS X Android, Linux and other systems.

• Simplicity and flexibility thanks to one solution
  • Infrastructure of security becomes simpler thanks to single solution which is expected different scales of application and is unrolled in a hardware or virtual configuration.

• Optimization of the existing systems of protection
  • Provides data exchange about signs of cracking and infection and also automatic update of the products Trend Micro and other producers for protection against the further attacks.

Deep Discovery Email Inspector

Deep Discovery Email Inspector is the solution for protection of e-mail on the basis of advanced technologies of detection of the threats and creation of the isolated environment capable to reveal and block target e-mails with the phishing contents which are harbingers of the majority of the directed attacks. It reduces risk of the attacks, adding the transparent level of additional checks at which are detected harmful content, investments and URL links which are not revealed by standard solutions for protection of e-mail.

Email Inspector functions in network, interacting with existing solutions for protection of mail gateways and servers. This product can work in the MTA modes (blocking) and BCC (only tracking), and for its use it is not necessary to make changes in policy or the control circuit existing solutions.

Main Features

• Analysis of mail investments
  • Investments in e-mail messages are checked using different modules of detection and the isolated environment. Among the analyzed investments — different executable files Windows, documents Microsoft Office, PDF- and ZIP files, web content and various archives.

• Detection of vulnerabilities in documents
  • Specialized technologies of detection and the analysis allow to find malware and vulnerabilities in standard office documents in the isolated environments.

• The configured isolated environments
  • For creation of the isolated environment and data analysis models, in accuracy corresponding to program configurations of manual operating systems are used.

• The analysis of the enclosed URL addresses
  • Monitoring of links in e-mail messages is performed using means of check of reputation, the analysis of contents and the isolated environment.

• Verification of passwords
  • Different heuristic methods and a key word offered by the client are applied to an unblocking of the password-protected files and archives.

• Flexibility of management and deployment
  • Detailed politicians of check and message handling of e-mail allow to protect any environment.

• Integration and data exchange

Information on the detected threats (communication channels with the command centers, other signs of cracking and infection) is transferred to other solutions for security.

Deep Discovery Endpoint Sensor

Deep Discovery Endpoint Sensor is means for monitoring of security on end devices taking into account a context. It fixes actions at the level of a system and makes detailed reports using which analysts of threats can quickly estimate character and scale of the attack. The analytical data on the attacks received using Deep Discovery and other signs of cracking and infection allow to compare data of monitoring of end devices for detection of penetrations and determination of all context and the course of the attack.

Separate parameters, the OpenIOC and YARA files or information on threats obtained from other products Trend Micro can be applied to the analysis. They can be caused from the special console or the manager Control Manager.

Main Features

• Registration of events on end devices
  • The Endpoint Sensor system uses the client, undemanding to resources, who fixes important actions on end devices and data exchange events at the kernel level. It monitors these incidents in a context and dynamics that allows to create the detailed history available to analysts in real time.

• Different search options
  • On end devices it is possible to control certain sessions of data exchange, specific malware, transactions with the register and accounts, the started processes and other parameters.

• Different levels of contextual analysis and results
  • On interactive panels of monitoring it is possible to control dynamics of incidents in the mode of the isolated environment, dispersion of events on time on different end devices, detailing of results and also to export analysis results.

• Search and the analysis in a standalone mode and using the manager Trend Micro
  • Search queries can be executed using the Endpoint Sensor console or the manager Control Manager, using data on signs of cracking and infection and also information on events from other products.

• Locally, far off and in a cloud environment
  • Endpoint Sensor creates detailed reports about incidents at the level of a system on all servers, workstations and notebooks based on Windows OS, irrespective of their arrangement.

Deep Discovery Analyzer

Deep Discovery Analyzer is a server for data analysis in the configured isolated environment. It increases degree of protection against the directed attacks, provided with the products Trend Micro and solutions of other suppliers. Deep Discovery Analyzer is integrated with the solutions Trend Micro for protection of e-mail and work on the Internet at once. This product also allows to expand or centralize the processes of the analysis in the isolated environment implemented in other solutions Deep Discovery.

Besides, it supports API of web services for integration with any products and also function of manual sending data on threats. The configured isolated environments created using this solution in accuracy correspond to program configurations of target computers that helps to reveal threats and reduces number of false detection.

Main Features

• Scalable services of the isolated environment
  • Performance is optimized due to use of a scalable solution which services e-mail, network, end devices and any other sources of harmful samples. Technologies of a clustering of the high level of availability provide scalability and reliability.

• The configured isolated environments
  • Settings of the isolated environment during the modeling and the analysis in accuracy correspond to program system configuration of the client that provides optimal indicators of detection and the small number of false operations. Scanning is performed on the basis of the rules IOC or YARA.

• Analysis of various files and URL addresses
  • The solution analyzes different executable files of Windows, the documents Microsoft Office, the PDF files, web content and compressed files using several modules of detection and the configured isolated environment.

• Detection of vulnerabilities in documents
  • The solution reveals malware and vulnerabilities which often occur in office documents of widespread formats, using for this purpose specialized sensors and the isolated environment.

• Analysis of the URL addresses
  • A system executes scanning of pages and the analysis of the URL addresses set by the user or entered automatically using Web API in the isolated environment.

• Detailed reporting
  • Complete analysis results, including detailed data on actions of harmful samples and data exchange with the command centers, are provided to the user through a centralized system of dashboards and the reporting.

• Integration with the products Trend Micro
  • Easy integration with the solution Deep Discovery and the products Trend Micro for protection of e-mail and work on the Internet is supported.

• API of web services and sending data manually
  • The solution accepts models of threats from any system of security or the authorized researcher of threats. Setup of priorities for the data sent manually is possible.

• Integration into the Network Defense system
  • New data on the detected signs of threats and penetration are automatically transferred to other solutions Trend Micro and third-party products for security.

2014: Description of Deep Discovery

As of April, 2014, Deep Discovery is the specialized system of network protection.

Description

The solution has unique opportunities for detection and identification of the hidden threats, the deep analysis and obtaining operational data which are necessary for protection of the organization against the attack:

• Decrease in a risk degree and reduction of damage from difficult permanent threats
• Protection against modern threats
• Increased security and control of network
• Counteraction to the attacks using the full-function adaptable system of protection

Deep Discovery is a principal component of the solution Trend Micro for the configured protection which is capable not only to reveal and analyze modern permanent threats, but also to adapt quickly and also to react quickly to such attacks. Deep Discovery carries out monitoring of all network using the configured isolated environment and relevant operational data that allows to reveal the attacks at early stages, quickly to localize them and as appropriate to update a security system for increase in level of protection in the subsequent phases of the attack. The solution belongs to the class Anti-APT – sensors of the purposeful attacks – and is involved by increasing number of the state and private organizations caring for safety of data and efficiency of IT infrastructure.

The checked technique used in the solution Deep Discovery guarantees the most effective detection at the minimum quantity of false operations and also the widest scope of threats thanks to detection of harmful contents, transactions of data exchange and other malicious actions at each stage of the attack. Thanks to the useful Deep Discovery functions, such as detection and detailed analysis of malware and the hidden actions of malefactors, commercial enterprises and public institutions obtain more information for fight against difficult permanent threats and the directed attacks in continuously evolving computer environments.

• Tracking of harmful contents, actions and suspicious transactions of data exchange in conditions, characteristic of your IT environment.
• Use of the methods of detection developed especially for your configuration of nodes.
• Formation of individual updates for security systems of the protected objects based on the detailed analysis of threats.
• Providing relevant information for rapid response.

Structure of the solution

Deep Discovery consists of two components:

• Deep Discovery Inspector checks network traffic, reveals difficult threats, carries out the analysis in real time and issues data in a report form.
• Deep Discovery Advisor combines analytic functions which allow to make the open scalable analysis of threats in the isolated environment, to receive data on security events on all network and to create files of export of updates for a security system.

Specific Features

Unlike the solutions protecting a certain vulnerable area (for example, e-mail), Deep Discovery provides control of all network, provides necessary data and supports the control functions necessary for effective counteraction to modern permanent threats and the directed attacks. A system allows to integrate all infrastructure of security and to receive a unique adaptable end-to-end system of protection. This customized system of protection detects and identifies the hidden threats in real time, supports functions of the deep analysis and provides the relevant operational data necessary for data protection, network and users.

Modules of detection and technology of the isolated Deep Discovery environment provide detection of modern malware, data exchange sessions with the command server and also actions of the malefactors directed to any device in networks including devices on platforms Android, Mac and Windows.

Deep Discovery works based on the global platform of data analysis about threats of Trend Micro Smart Protection Network which is used in the international investigations by the Interpol. Having detected the attack, a system provides you degrees of danger and response, these, necessary for operational assessment.

Deep Discovery is the single platform controlling Internet traffic, e-mail and practically any channels of data exchange in network. The typical Deep Discovery system which can be unrolled flexibly on the basis of hardware or virtual devices provides security blanket at the price approximately twice smaller, than at competitive (at the same time less effective) solutions.

Characteristics

Deep Discovery Inspector

• Model 1000: hardware device of 1 Gbps
• Model 500: hardware device of 500 Mbps
• Model VM: program structure of VMware

Deep Discovery Advisor hardware device

• Integrates in a cluster from 5 copies