Trend Micro Apex Central (On-Premise) and Deep Discovery Director (DDD) are centralized management platforms that can configure and monitor multiple instances of Trend Micro products or Deep Discovery products. The integration between Deep Discovery products and Apex Central or DDD is the key to completing the protection provided by the Trend Micro Connected Threat Defense (CTD) Strategy.
This makes it the best choice to combat potential targeted attacks.
Several products can be integrated in CTD, but this article focuses on the following 3 scenarios:
- Scenario 1 - CTD integration with Apex Central
In this scenario, DDI integrates with Apex Central, and the Virtual Analyzer-detected Suspicious Objects (VASO) are synchronized to Apex Central. These VASO are deployed to the endpoints through an OfficeScan server or the Apex One server. They are also deployed to the other DDI or DDEI products.
Apex Central acts as the Central Suspicious Object Server.
User-defined Suspicious Objects (UDSO) defined in Apex Central are also deployed to endpoints and to other DDI or DDEI products. Deep Discovery Analyzer (DDAN) does not synchronize UDSO from Apex Central.
- Scenario 2 - CTD integration with Deep Discovery Director
In this scenario, DDI integrates with DDD, and the Virtual Analyzer-detected Suspicious Objects (VASO) are synchronized to DDD. From DDD, they are deployed to the other DDI or DDEI products.
DDD acts as the Central Suspicious Object Server.
User-defined Suspicious Objects (UDSO) defined in DDD are synchronized from DDD by the other products, such as DDI, DDAN or DDEI.
- Scenario 3 - CTD integration with Apex Central and Deep Discovery Director
In this scenario, DDI integrates with DDD, and DDD in turn interacts with Apex Central. Virtual Analyzer-detected Suspicious Objects (VASO) are synced to the Apex Central server through DDD. The Suspicious Objects are deployed to the endpoints and also to the other DDI or DDEI products.
DDD acts as the Central SO Server for DD products.
This article shows you how to configure DDI for Scenario 2 and Scenario 3.
For information about how to configure DDI for Scenario 1, refer to the KB article: Configuring Deep Discovery Inspector (DDI) 5.7 to integrate Connected Threat Defense with Apex Central.
Connected Threat Defense (CTD) is a layered security approach that gives you a better way to quickly protect against, detect, and respond to new threats while simultaneously improving visibility and streamlining investigation. CTD allows you to block unknown malware or URLs on endpoints or servers by using Suspicious Objects obtained from other Deep Discovery family products. Enabling CTD helps organizations combat potential threats at an early stage.
Deep Discovery Suspicious Objects are defined with 4 data types:
- SHA1 (SHA1 hash of a file object)
Depending on who generates them, Suspicious Objects can be categorized into 2 groups:
User-defined Suspicious Object (UDSO)
User-defined Suspicious Objects are defined by users via management console, pushed from TAXII clients, or downloaded from external threat feeds.
Virtual-Analyzer-detected Suspicious Object (VASO)
These are Suspicious Objects collected from Virtual Analyzer detections during run-time sandbox simulation.
CTD product capability
For the integrated features available per product, refer to the KB article: Connected Threat Defense (CTD) product support capabilities of Control Manager (TMCM) / Apex Central 2019.
Make sure that the versions of the products you use are supported by CTD. Please refer to the product's Administrator's Guide.
Configuration For Scenario 2
Check the API key on DDD.
To do this, on the DDD web console, go to Help. The Product Information page appears. Record the API key for the succeeding steps.
Register DDAN to DDD. Perform this step only if you use DDAN as an external Virtual Analyzer. Otherwise, go to step 3.
On the DDAN Web console, go to Administration > Integrated Products/Services. On the Deep Discovery Director tab, provide the necessary DDAN information under the Connection Settings section. Click Register.
Register DDI to DDD.
On the DDI web console, go to Administration > Integrated Products/Services > Deep Discovery Director. Provide the necessary DDD information (including the API key recorded in step 1) in the required fields, then click Register.
Move the appliance to the managed directory.
Configuration For Scenario 3
Integrate DDI with DDD.
To do this, do all the steps described in Configuration For Scenario 2.
- Register DDD to Apex Central. Refer to the following KB article: Registering Deep Discovery Director (DDD) into Control Manager (TMCM) or Apex Central for suspicious objects synchronization.