Sign In with your
Trend Micro Account
Need Help?
Need More Help?

Create a technical support case if you need further support.

Configuring Deep Discovery Inspector (DDI) 5.7 to integrate Connected Threat Defense (CTD) with Deep Discovery Director (DDD)

    • Updated:
    • 7 Mar 2021
    • Product/Version:
    • Deep Discovery Inspector 5.7
    • Platform:
    • N/A
Summary

Trend Micro Apex Central (On-Premise) and Deep Discovery Director (DDD) are centralized management platforms that can configure and monitor multiple instances of Trend Micro products or Deep Discovery products. The integration between Deep Discovery products and Apex Central or DDD is the key to completing the protection provided by the Trend Micro Connected Threat Defense (CTD) Strategy.

This makes it the best choice to combat potential targeted attacks.

 
For Apex Central, use On-Premise version. Apex Central SaaS version does not support CTD integration with DDI.
 

Several products can be integrated in CTD, but this article focuses on following 3 scenarios:

  • Scenario 1 - CTD integration with Apex Central

    In this scenario, DDI integrates with Apex Central, and then Virtual Analyzer-detected Suspicious Object (VASO) will be synchronized to Apex Central. This VASO will be deployed to the endpoints through an Office Scan Server or the Apex One server. It will also be deployed to the other DDI or DDEI products.

    Apex Central acts as the Central Suspicious Object Server.

    Apex Central as the Central SO Server

    With regards to the User-defined Suspicious Object (UDSO) defined in Apex Central, it will also be deployed to Endpoints, or other DDI or DDEI products.

     
    Deep Discovery Analyzer (DDAN) won't synchronize UDSO from Apex Central.
     
  • Scenario 2 - CTD integration with Deep Discovery Director

    In this scenario, DDI integrates with DDD, and then Virtual Analyzer-detected Suspicious Object (VASO) will be synchronized to DDD. From DDD, they will be deployed to the other DDI, or DDEI products.

    DDD acts as the Central Suspicious Object Server.

    DDD as the Central SO Server

    With regards to the User-defined Suspicious Object (UDSO) defined in DDD, other products such as DDI, DDAN or DDEI will synchronize them from DDD.

  • Scenario 3 - CTD integration with Apex Central and Deep Discovery Director

    In this scenario, DDI integrates with DDD and then DDD interacts with Apex Central. Virtual Analyzer-detected Suspicious Object (VASO) will be synced to the Apex Central Server through DDD. The Suspicious Objects will be deployed to the endpoints, and it will also be deployed to the other DDI or DDEI products.

    DDD acts as the Central SO Server for DD products.

    DD as the Central SO Server for DD products

This article will show you how to configure DDI for Scenario and Scenario 3.

For information about how to configure DDI for Scenario 1, refer to the KB article: Configuring Deep Discovery Inspector (DDI) 5.7 to integrate Connected Threat Defense with Apex Central.

Details
Public

Recommendation

Connected Threat Defense (CTD) is a layered security approach that gives you a better way to quickly protect, detect, and respond to new threats while simultaneously improving visibility and streamlining investigation. CTD allows you to block unknown malware or URLs on the endpoints or servers by using Suspicious Objects obtained from other Deep Discovery family products. Enabling CTD helps organization combat potential threats at an early stage.

 
Suspicious Objects are essential part for CTD. Look at what kinds of Suspicious Objects there are before configuration.
 

Deep Discovery Suspicious Objects are defined with 4 data types:

  • IP
  • URL
  • Domain
  • SHA1 (SHA1 hash of a file object)

According to the actors who generate Suspicious Objects, Suspicious Objects can be categorized into 2 groups:

  • User-defined Suspicious Object (UDSO)

    User-defined Suspicious Objects are defined by users via management console, pushed from TAXII clients, or downloaded from external threat feeds.

  • Virtual-Analyzer-detected Suspicious Object (VASO)

    Suspicious Objects collected from Virtual Analyzer detection during run-time sandbox simulation.

CTD product capability

With regards to what kind of integrated features are available, refer to the KB article: Connected Threat Defense (CTD) product support capabilities of Control Manager (TMCM) / Apex Central 2019.

System Requirements

Make sure that the versions of the products you use are supported by CTD. Please refer to the product's Administrator's Guide.

Configuration For Scenario 2

  1. Check the API key on DDD.

    To do this, on the DDD web console, go to Help. Product information page appears. Record API key for the succeeding steps.

    Check API key on DDD

  2. Register DDAN to DDD.

     
    If you use DDAN as an external virtual analyzer, perform this step. Otherwise, go to step 3.
     

    On the DDAN Web console, go to Administration > Integrated Products/Services. On the Deep Discovery Director tab, provide the necessary DDAN information under the Connection Settings section. Click Register.

    Register DDAN

  3. Register DDI to DDD.

    On the DDI web console, go to Administration > Integrated Products/Services > Deep Discovery Director. Provide the necessary DDD information on the required fields then click Register.

    Register DDD

  4. Move the appliance to the managed directory.

    1. On the DDD Web console, go to Appliances > Directory. DDI should be listed under the Unmanaged directory.
    2. Move the DDI appliance from the Unmanaged directory to the Managed directory or other customized directory. If DDAN is also listed, do the same operation.

      Move to another directory

Configuration For Scenario 3

  1. Integrate DDI with DDD.

    To do this, do all the steps described in Configuration For Scenario 2.

  2. Register DDD to Apex Central. Refer to the following KB article: Registering Deep Discovery Director (DDD) into Control Manager (TMCM) or Apex Central for suspicious objects synchronization.
Premium
Internal
Partner
Rating:
Category:
Configure
Solution Id:
000285864
Feedback
Did this article help you?

Thank you for your feedback!


*This form is automated system. General questions, technical, sales, and product-related issues submitted through this form will not be answered.

If you need additional help, you may try to contact the support team. Contact Support

To help us improve the quality of this article, please leave your email here so we can clarify further your feedback, if neccessary:
We will not send you spam or share your email address.

*This form is automated system. General questions, technical, sales, and product-related issues submitted through this form will not be answered.