CTD integration with Apex Central - Deep Discovery Inspector 5.7

Summary

Trend Micro Apex Central (On-Premise) and Deep Discovery Director (DDD) are centralized management platforms that can configure and monitor multiple instances of Trend Micro products or Deep Discovery products. The integration between Deep Discovery products and Apex Central or DDD is the key to completing the protection provided by the Connected Threat Defense (CTD) Strategy.

This makes it the best choice to combat potential targeted attacks.

For Apex Central, use On-Premise version. Apex Central SaaS version does not support CTD integration with DDI.

Several products can be integrated in CTD, but this article focuses on following 3 scenarios:

Scenario 1 - CTD integration with Apex Central
In this scenario, DDI integrates with Apex Central, and then Virtual Analyzer-detected Suspicious Object (VASO) will be synchronized to Apex Central. This VASO will be deployed to the endpoints through an Office Scan Server or the Apex One server. It will also be deployed to the other DDI or DDEI products.

Apex Central acts as the Central Suspicious Object Server.

With regards to the User-defined Suspicious Object (UDSO) defined in Apex Central, it will also be deployed to Endpoints, or other DDI or DDEI products.

Deep Discovery Analyzer (DDAN) won't synchronize UDSO from Apex Central.
Scenario 2 - CTD integration with DDD
In this scenario, DDI integrates with DDD, and then Virtual Analyzer-detected Suspicious Object (VASO) will be synchronized to DDD. From DDD, they will be deployed to the other DDI, or DDEI products.

DDD acts as the Central Suspicious Object Server.

With regards to the User-defined Suspicious Object (UDSO) defined in DDD, other products such as DDI, DDAN or DDEI will synchronize them from DDD.
Scenario 3 - CTD integration with Apex Central and DDD
In this scenario, DDI integrates with DDD and then DDD interacts with Apex Central. Virtual Analyzer-detected Suspicious Object (VASO) will be synced to the Apex Central Server through DDD. The Suspicious Objects will be deployed to the endpoints, and it will also be deployed to the other DDI or DDEI products.

DDD acts as the Central SO Server for Deep Discovery products.

This article will show you how to configure DDI for Scenario 1.

For information about how to configure DDI for Scenario 2 and Scenario 3, refer to the KB article: Configuring Deep Discovery Inspector (DDI) 5.7 to integrate Connected Threat Defense (CTD) with Deep Discovery Director (DDD).

Details

Recommendation

Connected Threat Defense (CTD) is a layered security approach that gives you a better way to quickly protect, detect, and respond to new threats while simultaneously improving visibility and streamlining investigation. CTD allows you to block unknown malware or URLs on the endpoints or servers by using Suspicious Objects obtained from other Deep Discovery family products. Enabling CTD helps organization combat potential threats at an early stage.

Suspicious Objects are essential part for CTD. Look at what kinds of Suspicious Objects there are before configuration.

Deep Discovery Suspicious Objects are defined with 4 data types:

IP
URL
Domain
SHA1 (SHA1 hash of a file object)

According to the actors who generate Suspicious Objects, Suspicious Objects can be categorized into 2 groups:

User-defined Suspicious Object (UDSO)

User-defined Suspicious Objects are defined by users via management console, pushed from TAXII clients, or downloaded from external threat feeds.
Virtual-Analyzer-detected Suspicious Object (VASO)

Suspicious Objects collected from Virtual Analyzer detection during run-time sandbox simulation.

CTD product capability

With regards to what kind of integrated features are available, refer to the KB article: Connected Threat Defense (CTD) product support capabilities of Control Manager (TMCM) / Apex Central 2019.

System Requirements

Make sure that the versions of the products you use are supported by CTD. Please refer to the product's Administrator's Guide.

Configuration For Scenario 1

If you use DDAN as an external virtual analyzer, register DDAN to Apex Central.
1. On the Apex Central web console, go to Administration > Managed Servers > Server Registration. then Click Add.
2. The Add Server screen appears. Provide the necessary DDAN information on each field. Note to select DDAN on the Product: field. After that, click Save.
3. DDAN will be listed on the Server Registration Page.
Check API key on the Apex Central.
1. On the Apex Central web console, go to Threat Intel > Distribution Settings.
2. On the Managed Products tab, make sure that Send suspicious objects to managed products is enabled, and record the Service URL and API key.
Register DDI to the Apex Central
1. On the DDI web console, go to Administration > Integrated Products/Services > Apex Central.
2. On Connection Settings, provide the necessary Apex Central information on each field.
  
  Under the Suspicious Object Synchronization section, enable Synchronize suspicious objects with Apex Central, and type the API key of the Apex Central Server you recorded in the previous step.
3. Click Test Connection to check the connection status between DDI and Apex Central. If it was successful, click Register.
After this operation, DDI will synchronize suspicious objects from Apex Central only.
Check that DDI was registered to the Apex Central successfully.
On the Apex Central web console, go to Administration > Managed Servers > Server Registration. DDI should be listed on this page.
Integrate other products such as Apex One or DDEI with Apex Central. Refer to the product's Administrator Guide for details.
Using the Apex Central web console, administrators can configure scan actions.

For the detailed instructions on how to configure the scan actions on Apex Central, refer to the Apex Central Administrator's Guide.