Recommendation

Connected Threat Defense (CTD) is a layered security approach that gives you a better way to quickly protect, detect, and respond to new threats while simultaneously improving visibility and streamlining investigation.

CTD allows you to block unknown malware or URLs on endpoints and servers by using Suspicious Objects from the Deep Discovery family of products. Enabling CTD helps organizations combat potential threats at an early stage.

Suspicious Objects are an essential part of CTD. Review the kinds of Suspicious Objects that exist before starting the configuration.

Deep Discovery Suspicious Objects are defined using the four data types listed below:

  • IP
  • URL
  • Domain
  • SHA1 (SHA1 hash of a file object)

 

In the Connected Threat Defense strategy, Suspicious Objects can be categorized into 2 groups:

  • User-defined Suspicious Object (UDSO)

    User-defined Suspicious Objects are defined by users via the management console, pushed from TAXII clients, or downloaded from external threat feeds.

    (For Deep Discovery Inspector, users cannot define them in the management console.)

  • Virtual-Analyzer-detected Suspicious Object (VASO)

    Suspicious Objects collected from Virtual Analyzer detections during run-time sandbox simulation.

 

Configuration

Several products can be integrated in CTD, but this chapter focuses on the following two scenarios.

Scenario 1: Integration with Apex Central

In this scenario, Deep Discovery Inspector (DDI) integrates with Apex Central, and Virtual-Analyzer-detected Suspicious Objects (VASO) are synchronized to Apex Central. Apex Central deploys the VASO to endpoints through the Apex One server and also to other DDI or Deep Discovery Email Inspector (DDEI) products.

Apex Central acts as the central hub for the suspicious objects.

 

A User-defined Suspicious Object (UDSO) defined in Apex Central is likewise deployed to endpoints and to other DDI or DDEI products.

Note that Deep Discovery Analyzer (DDAN) does not synchronize UDSO from Apex Central.

 

Configuration for Scenario 1

  1. If you use Deep Discovery Analyzer (DDAN) as an external virtual analyzer, register DDAN with Apex Central.
    1. On the Apex Central web console, go to Administration > Managed Servers > Server Registration, and click Add.

    2. The Add Server screen appears. Provide the necessary Deep Discovery Analyzer (DDAN) information in each field, select Deep Discovery Analyzer in the Product field, and click Save.

    3. DDAN is now listed on the Server Registration page.

  2. Check the API key in Apex Central.
    1. On the Apex Central web console, go to Threat Intel > Distribution Settings. On the Managed Products tab, check that “Send suspicious objects to managed products” is enabled, and record the Service URL and API key.

  3. Register DDI with Apex Central.
    1. On the DDI web console, go to Administration > Integrated Products/Services > Apex Central.

      Under Connection Settings, provide the necessary Apex Central information in each field. Under the Suspicious Object Synchronization section, enable Synchronize suspicious objects with Apex Central, and type the Apex Central API key you recorded in the previous step.


    2. Click Test Connection to check the connection status between DDI and Apex Central. If the test succeeds, click Register.

      After registration, DDI synchronizes suspicious objects from Apex Central only.

  4. Check that DDI was registered with Apex Central successfully.
    1. On the Apex Central web console, go to Administration > Managed Servers > Server Registration. DDI is listed on this page.

  5. Integrate other products, such as Apex One or Deep Discovery Email Inspector (DDEI), with Apex Central. Refer to each product’s Administrator Guide for details.
  6. Using the Apex Central web console, administrators can configure scan actions for the synchronized suspicious objects.

    For detailed instructions on configuring scan actions in Apex Central, refer to the Apex Central Administrator’s Guide.


Scenario 2: Integration with Trend Micro Vision One through the Service Gateway

In this scenario, DDI integrates with the Service Gateway in Trend Micro Vision One (Vision One), and Virtual-Analyzer-detected Suspicious Objects (VASO) are synchronized through the Service Gateway to the Suspicious Object Management app, from which they are deployed to other DDIs, Trend Micro TippingPoint, or other third-party products.

Suspicious Object Management App in Vision One acts as the central hub for suspicious objects.

 

A User-defined Suspicious Object (UDSO) defined in the Suspicious Object Management app in Trend Micro Vision One is likewise deployed to endpoints and to other DDIs.

 
TippingPoint and Palo Alto synchronize IP, URL, and Domain objects, while Proxy SG synchronizes URL objects only.
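As an added example that is not part of this article or of any Trend Micro product, the following Python normalizes an external threat feed (one of the UDSO sources named earlier) into the four Suspicious Object data types defined above and, following the note just given, shows which objects each integrated product would actually receive. The feed format and the product-to-type mapping are assumptions based only on the text.

```python
import ipaddress
import re
from urllib.parse import urlparse
# Types each integrated product accepts, per the note above (TippingPoint and
# Palo Alto: IP, URL, Domain; Proxy SG: URL only). Product names as on the page.
PRODUCT_TYPES = {"TippingPoint": {"IP", "URL", "Domain"},
                 "Palo Alto": {"IP", "URL", "Domain"}, "Proxy SG": {"URL"}}
_SHA1_RE = re.compile(r"^[0-9a-fA-F]{40}$")
_LABEL_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")

def classify(value):
    """Map one raw feed value to a Deep Discovery SO type (IP, URL, Domain, SHA1) or None."""
    v = value.strip()
    if _SHA1_RE.match(v):
        return "SHA1"
    try:
        ipaddress.ip_address(v)  # IPv4 or IPv6
        return "IP"
    except ValueError:
        pass
    parsed = urlparse(v)
    if parsed.scheme in ("http", "https") and parsed.netloc:
        return "URL"
    labels = v.rstrip(".").split(".")
    if len(labels) >= 2 and all(_LABEL_RE.match(lab) for lab in labels):
        return "Domain"
    return None

def load_feed(lines):
    """Parse a one-object-per-line feed ('#' comments) into (type, value) pairs; unrecognised lines are returned separately."""
    objects, rejected = [], []
    for raw in lines:
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        kind = classify(line)
        if kind is None:
            rejected.append(line)
        else:  # hashes and domains are case-insensitive, so normalise them
            objects.append((kind, line.lower() if kind in ("SHA1", "Domain") else line))
    return objects, rejected

def distribute(objects):
    """Per product, the subset of objects it would receive on synchronization."""
    return {p: [o for o in objects if o[0] in t] for p, t in PRODUCT_TYPES.items()}
# Constructed sample feed (reserved/documentation values, not real indicators).
SAMPLE_FEED = ["# constructed example feed", "203.0.113.10", "bad.example.net",
               "http://malicious.example/dropper.bin",
               "DA39A3EE5E6B4B0D3255BFEF95601890AFD80709", "not a valid object"]
```

Running `distribute(load_feed(SAMPLE_FEED)[0])` shows that Proxy SG would receive only the URL entry while the other two products receive the IP, Domain and URL entries, and that the SHA1 object reaches none of the three.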
 

 

Configuration for Scenario 2

  1. Make sure Deep Discovery Inspector (DDI) has a valid Activation Code. To integrate with Trend Micro Vision One and the Service Gateway, the DDI version must be higher than 5.8 SP1.
  2. For this scenario, DDI must connect to Trend Micro Vision One as a network sensor and must also connect to the Service Gateway with Suspicious Object List synchronization enabled. For detailed instructions on connecting and configuring DDI and the Service Gateway, refer to the knowledge base article: Integration with Trend Micro Vision One Backup in Deep Discovery Inspector (DDI) 6.0.
  3. Check that Suspicious Object List synchronization is enabled in the Service Gateway.
    1. Log on to the Trend Micro Vision One console, go to INVENTORY MANAGEMENT > Service Gateway Management, and click the name of the Service Gateway.

    2. The detail page appears. Check that Suspicious Object List synchronization is enabled. If not, click Configure Service Gateway and enable it.

  4. If you want to connect Deep Discovery Analyzer (DDAN) to Trend Micro Vision One, follow the steps below:
    1. Prepare DDAN version 7.1 or higher.
    2. Log on to the Trend Micro Vision One console, go to INVENTORY MANAGEMENT > Service Gateway Management, and click Manage API Key.

    3. The API Key screen appears. Copy the key for the next step.

    4. Log on to the DDAN web console and go to Administration > Integrated Products/Services > Trend Micro Vision One tab.
    5. Select the Enable service gateway option, type the IP address of the Service Gateway in the Server address field, and paste the API key obtained from the Vision One console into the API key field. Also specify the Proxy setting and Certificate setting if necessary.

    6. Click Save.
    7. After several minutes, DDAN is listed at the end of the detail page in Service Gateway Management.

  5. If you want to connect TippingPoint Security Management System to Trend Micro Vision One through the Service Gateway, refer to the knowledge base article: Integrating TippingPoint Security Management System to Vision One Service Gateway. TippingPoint Security Management System 5.5 or higher is required.
  6. If you want to connect other Trend Micro products, such as Apex One as a Service, refer to the Trend Micro Vision One Online Help: Product Connector for detailed instructions.
  7. If you want third-party applications or services to integrate with Trend Micro Vision One, refer to the Trend Micro Vision One Online Help: Third-Party Integration for detailed instructions.