Trend Micro Augments Network-Based Malware Detection, Releases Threat Intelligence Tool
The latest version of Trend Micro’s Threat Management System (TMS) adds sandboxing technology to its set of network-based malware detection engines. Trend Micro has also introduced a threat intelligence product that correlates and analyzes log information from its endpoint and network security tools to improve threat detection and incident response.
June 14, 2011
TMS provides network-based detection to complement Trend’s endpoint products: OfficeScan, its flagship endpoint antimalware product, and DeepSecurity, which provides server-based host intrusion prevention. Contemporary malware has become increasingly difficult to detect at the endpoint because of technologies such as sophisticated obfuscation techniques, automated updating and the sheer volume of variants designed to frustrate signature-based detection. Trend says 90% of initial TMS customers found active malware on their networks, despite their other security measures.
Enterprises often fail to detect breaches for weeks, even months, according to Verizon Business in its Data Breach Investigations reports. Verizon also reports that some sort of malware is involved in almost every breach. This is not a new phenomenon. Verizon has been reporting similar findings from investigations going back to 2004.
The new product, Threat Intelligence Manager, brings the products together, correlating data from OfficeScan, DeepSecurity and TMS, to produce actionable security intelligence for rapid incident response. The Threat Intelligence Manager is a sort of focused Security Information and Event Management (SIEM) product, designed to work with Trend Micro log data to assess enterprise threat posture.
"That’s the right attitude today," says Jon Oltsik, principal analyst at Enterprise Strategy Group. "It says, 'We’ll do everything we can for prevention, but assume we’ll be attacked, so how do we detect, remediate quickly?'"

Threat Intelligence Manager provides detailed and flexible dashboarding and network threat visualization and impact tools. It provides reporting to complement reports from the individual products.
TMS comprises two appliances: the Threat Discovery Appliance, which sits offline and inspects inbound, outbound and internal network traffic; and the Threat Mitigator, which provides automated remediation, cleaning up infections on compromised endpoints. The Threat Discovery Appliance uses a combination of signature-, behavior- and reputation-based inspection of files and network behavior to identify malware and malware activity.
The new component, the Dynamic Threat Analysis System (DTAS), uses sandbox technology to perform malware analysis by allowing executables to run in a protected network environment. The analysis shows everything the malware does, such as changing registry keys and which servers it contacts. Enterprises can also submit their own malware samples for analysis and export information for auditing, law enforcement, and so on.
"You can execute code in network as a single proxy for thousands of users," says Oltsik. "You can’t track what every user is downloading and executing, nor the behavior of the machine after the execution. But the network can act as a proxy or broker for every user."
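The two ideas in the preceding paragraphs, a sandbox report that records what a sample does (registry keys changed, servers contacted) and a correlation layer that matches that against endpoint and network logs to find affected hosts, can be sketched in a few lines. The following is an added illustration, not Trend Micro's code and not the output format of TMS or Threat Intelligence Manager; the sandbox report, log lines, hostnames, and sample hash are all constructed placeholders, and the log format and field names are assumptions.

```python
"""Correlate sandbox-observed indicators with endpoint and network logs.

Added example (not vendor code). A dynamic-analysis report lists the registry
keys a sample modified and the servers it contacted; we search proxy and
endpoint logs for those indicators and rank the hosts that show them.
"""
import re

# Constructed sandbox report for a hypothetical sample (placeholder values,
# not real indicators).
SANDBOX_REPORT = {
    "sample_sha256": "PLACEHOLDER_SAMPLE_HASH",
    "registry_keys_modified": [
        r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\updater",
    ],
    "servers_contacted": ["c2.example.invalid", "203.0.113.10"],
}

# Constructed log lines in an assumed key=value format: proxy records from the
# network and registry-audit records from endpoints.
LOG_LINES = [
    "2011-06-14T10:01:02 proxy host=ws-017 dst=c2.example.invalid:443 action=allow",
    "2011-06-14T10:01:05 proxy host=ws-022 dst=www.example.com:443 action=allow",
    "2011-06-14T10:02:11 endpoint host=ws-017 event=reg_set "
    "key=HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\updater",
    "2011-06-14T10:03:40 proxy host=ws-031 dst=203.0.113.10:8080 action=allow",
    "2011-06-14T10:04:00 endpoint host=ws-022 event=reg_set key=HKCU\\Software\\Vendor\\Settings",
]

PROXY_RE = re.compile(r"proxy host=(\S+) dst=([^:\s]+)(?::\d+)?")
REG_RE = re.compile(r"endpoint host=(\S+) event=reg_set key=(\S+)")


def extract_indicators(report):
    """Reduce a sandbox report to case-folded sets of searchable indicators."""
    return {
        "servers": {s.lower() for s in report["servers_contacted"]},
        "keys": {k.lower() for k in report["registry_keys_modified"]},
    }


def correlate(report, log_lines):
    """Return {host: [indicator descriptions]} for every host whose logs
    contain an indicator taken from the sandbox report."""
    ind = extract_indicators(report)
    hits = {}
    for line in log_lines:
        m = PROXY_RE.search(line)
        if m and m.group(2).lower() in ind["servers"]:
            hits.setdefault(m.group(1), []).append(f"contacted {m.group(2)}")
            continue
        m = REG_RE.search(line)
        if m and m.group(2).lower() in ind["keys"]:
            hits.setdefault(m.group(1), []).append(f"modified {m.group(2)}")
    return hits


def prioritize(hits):
    """Order hosts by number of matched indicators (most first, then by name).
    A host that both reached the sample's server and carries its persistence
    key is a stronger signal than either observation alone."""
    return sorted(hits, key=lambda h: (-len(hits[h]), h))


if __name__ == "__main__":
    matches = correlate(SANDBOX_REPORT, LOG_LINES)
    for host in prioritize(matches):
        print(host, "->", "; ".join(matches[host]))
```

Running it lists ws-017 first (it both contacted the sample's server and has the persistence key) and ws-031 second (server contact only); ws-022 never appears because none of its activity matches. The same structure scales to a real deployment by swapping the constructed lists for a parser over the actual sandbox export and log feeds.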
TMS pricing starts at $20,000 for 1,000 users. Threat Intelligence Manager is $10.08 per user.