Virus Outbreak Management and Service - PowerPoint PPT Presentation

Slides: 14
Provided by: osc386

Transcript and Presenter's Notes


1
Virus Outbreak Management and Service
  • Global Security Response Team

2
Nimda Biggest Damage
  • Happened on 9/18/2001
  • Over 100,000 computers infected within 3 hours
  • Over 1.2 M infected within 24 hours
  • Numerous corporate networks were shut down

3
Why so powerful?
Multi-spreading channels
Client -> Client, Client -> Web Server, Web Server -> Client
Difficult to block
Multiple payloads
Spam to email servers, spam to web servers, attack file servers and desktops, remove system files, modify system ini files, drop virus files, infect other files, modify web pages, open shared drives, change guest account privileges
Difficult to clean
Spam to email servers, web servers, file servers and desktops.
Fastest spreading speed
Difficult to isolate
Different infected targets
Email servers, web servers, file servers and desktops.
Difficult to locate

4
Protection magic from Anti-virus is broken
  • Heuristic Scan/Rule Base solution can predict the virus
      • July 1997 Melissa virus
      • May 2000 Loveletter virus
      • July 2001 Sircam and CodeRed virus
      • Sep 2001 Nimda
      • None of them was blocked by heuristic scan by any AV vendor
  • Integration of firewall and intrusion detection
      • Most US Fortune 500 companies had firewall and intrusion detection software installed when Nimda attacked
      • The majority of companies were infected.
      • Firewall and intrusion detection cannot provide a solution

5
Security Action of Enterprise
(Source: Nikkei Market Access, Nikkei BP Publishing, Apr/May 2002)

6
Enterprise Security Damage Experience
(Source: Nikkei Market Access, Nikkei BP Publishing, Apr/May 2002)

7
What is the problem?
Anti-virus vendor to protect you, or virus fighter to put out the damage?

8
Virus Outbreak Cycle
Virus Response/Updates
Outbreak Prevention
Damage Assessment and Cleanup
9
Outbreak Prevention Service
  • Detailed information on threats
  • Policy actions tailored to the threat
  • Ability to approve and deploy policy
  • Instant notification to critical parties
  • Real-time reporting on policy deployment

10
Virus Response/Updates
  • Virus Response SLA
  • Threat-based scanning
  • Deploy and report on deployment

11
Damage Assessment and Cleanup Services
  • Tailor-made cleaning templates service
  • Deploy and clean servers and desktops
  • Agent-based or agent-less cleaning options
  • Post-clean reporting

12
Outbreak Prevention Service
Outbreak Commander: Centralized Management of the outbreak lifecycle
Restore and Post-mortem
Assess and Cleanup
Notification and Assurance
  • Outbreak Prevention Services
      • Detailed information on threats
      • Policy actions tailored to the threat
      • Ability to approve and deploy policy
      • Instant notification to critical parties
      • Real-time reporting on policy deployment
  • Damage Assessment and Cleanup Services
      • Cleaning templates from TrendLabs
      • Deploy and clean servers and desktops
      • Agent-based or agent-less cleaning options
      • Post-clean reporting
  • Virus Response/Updates
      • Virus Response SLA
      • Threat-based scanning
      • Deploy and report on deployment

13
Beyond Virus Outbreak
Pre-Outbreak and Routine Maintenance
Environment Audit
AV Installation and Upgrades
AV Education and Training
Virus Outbreak
Outbreak Damage Analysis
AV Design Optimization
Post-Outbreak Assessment