IBM Security: Threat Landscape
Michael Andersson
Client Technical Professional
IBM Security Systems
Please note:

•    IBM’s statements regarding its plans, directions, and intent are
     subject to change or withdrawal without notice at IBM’s sole discretion.
•    Information regarding potential future products is intended to outline
     our general product direction and it should not be relied on in making a purchasing decision.
•    The information mentioned regarding potential future products is not a commitment, promise,
     or legal obligation to deliver any material, code or functionality. Information about potential
     future products may not be incorporated into any contract. The development, release, and
     timing of any future features or functionality described for our products remains at our sole
     discretion.
•    Performance is based on measurements and projections using standard IBM benchmarks in a
     controlled environment. The actual throughput or performance that any user will experience
     will vary depending upon many factors, including considerations such as the amount of
     multiprogramming in the user's job stream, the I/O configuration, the storage configuration,
     and the workload processed. Therefore, no assurance can be given that an individual user
     will achieve results similar to those stated here.
Agenda


• X-Force overview
• Highlights from the 1H 2012 IBM X-Force Trend and Risk Report
    –   Vulnerabilities
    –   Exploits
    –   Attacks
• IBM Security Advanced Threat Protection Platform
X-Force Research

The mission of the IBM X-Force® research and development team is to:
• Research and evaluate threat and protection issues
• Deliver security protection for today’s security problems
• Develop new technology for tomorrow’s security challenges
• Educate the media and user communities

X-Force Research
• 17B analyzed Web pages & images
• 40M spam & phishing attacks
• 68K documented vulnerabilities
• 13B security events daily

Provides Specific Analysis of:
• Vulnerabilities & exploits
• Malicious/Unwanted websites
• Spam and phishing
• Malware
• Other emerging trends
Vulnerability disclosures up in 2012
• Total number of vulnerabilities grew (4,400 in 1H 2012)
   – the projected total could reach an all-time high in 2012
Web Application Vulnerabilities Rise Again
• At mid-year 2012, 47% of security vulnerabilities affected web applications
    • Up from 41% in 2011
    • XSS reaches high of 51%
Vulnerabilities without patches
• Unpatched vulnerabilities, highest numbers in years
Public Exploit Disclosures

• Decrease in percentage of vulnerabilities
• Slightly up in actual numbers compared to 2011
Some categories stay the same

• The numbers of browser and multimedia exploits are about the same
Things are looking better for mobile platforms
• Better at discovering vulnerabilities
• Harder to exploit
MSS – Top 10 high volume signatures
• Not much change since last year
• SQL Injection is still the most common attack
SQL Injection Attacks against Web Servers
• Very often automated processes of finding victims
XSS reaching new highs in 1H 2011
• More than 6,000 variants of this vulnerability, with uses ranging from
  hijacking a browser session to a total system web-server-based takeover.
Web browser exploitation
SQL Slammer continues to drop
2011: “The year of the targeted attack”
Who is attacking our networks?
Techniques used by attackers are bypassing traditional defenses

Advanced
  •   Using exploits for unreported vulnerabilities, aka a “zero day”
  •   Advanced, custom malware that is not detected by antivirus products

Persistent
  •   Attacks lasting for months or years
  •   Attackers are dedicated to the target – they will get in
  •   Resistant to remediation attempts

Threat
  •   Targeted at specific individuals and
      groups within an organization
  •   Not random attacks – they are actually “out to get you”

These methods have eroded the effectiveness of traditional defenses including firewalls, intrusion prevention systems and antivirus - leaving holes in the network
Closer look at the attack vectors of today’s threats
1. User Attacks (Client-side)
    •   Drive-by Downloads: User browses to a malicious website and/or downloads an infected file using an unpatched browser or application
    •   Targeted Emails: Email containing an exploit or malicious attachment is sent to an individual with the right level of access at the company
2. Infrastructure Attacks (Server-side)
    •   SQL Injection: Attacker sends a specially crafted message to a web application, allowing them to view, modify, or delete DB table entries
    •   General Exploitation: Attacker identifies and exploits a vulnerability in unpatched or poorly written software to gain privileges on the system
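How the SQL injection item on this slide plays out in code, as an added example that is not part of the original deck: the same lookup and update written once with string concatenation and once with bound parameters. The `accounts` table, the function names and the crafted input are constructed for illustration.

```python
import sqlite3


def make_db():
    """Build an in-memory database with three constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (owner TEXT PRIMARY KEY, email TEXT)")
    conn.executemany(
        "INSERT INTO accounts VALUES (?, ?)",
        [
            ("alice", "alice@example.test"),
            ("bob", "bob@example.test"),
            ("carol", "carol@example.test"),
        ],
    )
    return conn


# --- Vulnerable form: request data is pasted into the SQL text -------------
def emails_vulnerable(conn, owner):
    query = f"SELECT email FROM accounts WHERE owner = '{owner}'"
    return sorted(row[0] for row in conn.execute(query))


def set_email_vulnerable(conn, owner, new_email):
    query = f"UPDATE accounts SET email = '{new_email}' WHERE owner = '{owner}'"
    return conn.execute(query).rowcount  # number of rows changed


# --- Hardened form: request data is bound as a value, never parsed as SQL --
def emails_parameterized(conn, owner):
    rows = conn.execute("SELECT email FROM accounts WHERE owner = ?", (owner,))
    return sorted(row[0] for row in rows)


def set_email_parameterized(conn, owner, new_email):
    cur = conn.execute(
        "UPDATE accounts SET email = ? WHERE owner = ?", (new_email, owner)
    )
    return cur.rowcount


# Constructed input: the quote closes the string literal and the OR clause
# makes the WHERE condition true for every row.
CRAFTED_OWNER = "nobody' OR '1'='1"


def compare():
    """Run the crafted input through both forms and count affected rows."""
    results = {}
    conn = make_db()
    results["view_vulnerable"] = len(emails_vulnerable(conn, CRAFTED_OWNER))
    results["modify_vulnerable"] = set_email_vulnerable(
        conn, CRAFTED_OWNER, "changed@example.test"
    )
    conn = make_db()  # fresh copy so the two runs do not affect each other
    results["view_parameterized"] = len(emails_parameterized(conn, CRAFTED_OWNER))
    results["modify_parameterized"] = set_email_parameterized(
        conn, CRAFTED_OWNER, "changed@example.test"
    )
    return results


if __name__ == "__main__":
    for name, count in compare().items():
        print(f"{name}: {count} row(s)")
```

With bound parameters the crafted string is compared as an ordinary owner name, so it matches no row and changes nothing.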
IBM Advanced Threat Protection
Our strategy is to protect our customers with advanced threat protection at the network layer - by strengthening and integrating network security, analytics and threat intelligence capabilities

1. Advanced Threat Protection Platform
Evolve our Intrusion Prevention System to become a Threat Protection Platform – providing packet, content, file and session inspection to stop threats from entering the corporate network

2. QRadar Security Intelligence Platform
Build tight integration between the Network Security products, X-Force intelligence feeds and QRadar Platform product with purpose-built analytics and reporting for threat detection and remediation

3. X-Force Threat Intelligence
Increase investment in threat intelligence feeds and feedback loops for our products. Leverage the existing Cobion web and email filtering data, but expand into botnet, IP reputation and Managed Security Services data sets
IBM’s Infrastructure Threat Protection
Advanced Threat Protection Platform
IBM Security Network IPS: Addressing Today’s Evolving Threats with Hybrid Protection
[Diagram not preserved; surviving labels: “>300”, “Custom Signatures (SNORT)”]
Why Vulnerability-based Research = Preemptive Security Approach
•   Protecting against exploits is reactive
     – Too late for many
     – Variants undo previous updates
•   Protecting against vulnerabilities and
    malicious behaviors is preemptive
     – Stops threat at source
     – Requires advanced R&D

•   Why X-Force?
     – One of the best-known commercial security research groups in the world
     – IBM X-Force maintains one of the most comprehensive vulnerability
       databases in the world—dating back to the 1990s.
     – X-Force constantly updates IBM’s Protocol Analysis Module, the engine
       inside IBM’s security solutions
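The reactive versus preemptive contrast at the top of this slide, as an added example (not IBM's code and not a description of how the Protocol Analysis Module works): a signature written from one exploit sample next to a check on the condition that triggers the flaw. The wire format, the 64-byte buffer and every sample packet are constructed assumptions.

```python
import struct
from dataclasses import dataclass

# Hypothetical wire format, assumed for this example only:
#   2-byte magic b"TP" | 1-byte command | 2-byte big-endian name length | name
MAGIC = b"TP"
CMD_LOGIN = 0x01
# Assumed flaw in the hypothetical server: on CMD_LOGIN it copies `name`
# into a 64-byte buffer without checking the declared length.
NAME_BUFFER_SIZE = 64


def build_message(command: int, name: bytes) -> bytes:
    return MAGIC + struct.pack(">BH", command, len(name)) + name


# Reactive: a signature taken from the first captured exploit sample.
KNOWN_EXPLOIT_BYTES = b"A" * 80  # constructed filler pattern


def exploit_signature_match(packet: bytes) -> bool:
    """Byte-pattern match; it only knows the sample it was written from."""
    return KNOWN_EXPLOIT_BYTES in packet


@dataclass
class Verdict:
    block: bool
    reason: str


# Preemptive: decode the protocol and test the triggering condition itself.
def vulnerability_check(packet: bytes) -> Verdict:
    """Expects one complete message per call (no stream reassembly here)."""
    if len(packet) < 5 or packet[:2] != MAGIC:
        return Verdict(False, "not the monitored protocol")
    command, declared = struct.unpack(">BH", packet[2:5])
    name = packet[5:]
    if declared != len(name):
        return Verdict(True, "declared length does not match payload")
    if command == CMD_LOGIN and declared > NAME_BUFFER_SIZE:
        return Verdict(
            True, f"name length {declared} exceeds {NAME_BUFFER_SIZE}-byte buffer"
        )
    return Verdict(False, "within protocol limits")


# Constructed samples: one benign message, the original sample, two variants.
SAMPLES = {
    "benign login": build_message(CMD_LOGIN, b"alice"),
    "first public exploit": build_message(CMD_LOGIN, b"A" * 200),
    "variant, new filler": build_message(CMD_LOGIN, b"BC" * 100),
    "variant, shorter": build_message(CMD_LOGIN, b"A" * 70),
}


def evaluate(samples):
    """Return {label: (signature_blocks, vulnerability_check_blocks)}."""
    return {
        label: (exploit_signature_match(pkt), vulnerability_check(pkt).block)
        for label, pkt in samples.items()
    }


if __name__ == "__main__":
    for label, (sig, vuln) in evaluate(SAMPLES).items():
        print(f"{label:22} signature={sig!s:5} vulnerability_check={vuln}")
```

Both variants pass the byte signature and would each need a new update, while the length check blocks them unchanged because it never depended on the payload bytes.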
Ahead of the Threat
IBM’s Preemptive Approach vs. Reactive Approach to address Threats

IBM Clients have typically been provided protection guidance prior to or within 24 hours of a vendor vulnerability disclosure being announced

[Chart not preserved: # of days IBM clients were provided protection guidance “Ahead of the Threat”. Source: IBM X-Force]
IBM IPS Zero Day (Vuln/Exploit) Web App Protection
•   IBM IPS Injection Logic Engine has stopped every large scale SQL injection or XSS attack day-zero.
      •  Asprox              – reported 12/11/2008       – stopped 6/7/2007
      •  Lizamoon            – reported 3/29/2011        – stopped 6/7/2007
      •  SONY (published)    – reported May/June/2011    – stopped 6/7/2007
      •  Apple Dev Network   – reported July/2011        – stopped 6/7/2007

New Vulnerability or Exploit           Reported Date    Ahead of the Threat Since
Nagios expand cross-site scripting     5/1/2011         6/7/2007
Easy Media Script go parameter XSS     5/26/2011        6/7/2007
N-13 News XSS                          5/25/2011        6/7/2007
I GiveTest 2.1.0 SQL Injection         6/21/2011        6/7/2007
RG Board SQL Injection                 6/28/2011        6/7/2007
BlogiT PHP Injection                   6/28/2011        6/7/2007
IdevSpot SQL Injection (iSupport)      2011-05-23       6/7/2007
2Point Solutions SQL Injection         6/24/2011        6/7/2007
PHPFusion SQL Injection                1/17/2011        6/7/2007
ToursManager PHP Script Blind SQLi     2011-07-xx       6/7/2007
Oracle Database SQL Injection          2011-07-xx       6/7/2007
LuxCal Web Calendar                    7/7/2011         6/7/2007
Apple Web Developer Website SQL        2011-07-xx       6/7/2007
MySQLDriverCS Cross-Param SQLi         6/27/2011        6/7/2007
Complete Control: Overcoming a Simple Block-Only Approach
 • Network Control by users,
   groups, systems, protocols,
   applications & application actions
 • Block evolving, high-risk sites
   such as Phishing and Malware with
   constantly updated categories
 • Comprehensive up-to-date web
   site coverage with industry-
   leading 15 Billion+ URLs
 • Rich application support with
   1000+ applications and individual
   actions

“We had a case in Europe where workers went
on strike for 3 days after Facebook was
completely blocked…so granularity is key.”
                       – IBM Business Partner
Network Security Product Line up
Product                                             Description
IBM Security Network Intrusion Prevention System    The core of any Intrusion Prevention strategy, IBM Security Network IPS appliances help to protect the network infrastructure from a wide range of attacks, up to 23 Gbps inspected throughput
IBM Security Endpoint Defence                       Focused on protecting individual assets on the network including servers and desktops from both internal and external threats
IBM Security Virtual Server Protection              Virtual Server Protection is integrated with the hypervisor and provides visibility into intra-VM network traffic. Supports ESX 4.1 and 5.0 and 10Gb Ethernet
IBM Security SiteProtector System                   Centralized management for IBM Security intrusion prevention solutions that provides a single management point to control security policy, analysis, alerting and reporting
Security Intelligence Platform
Solving Customer Challenges
• Major Electric Utility – Detecting threats
    • Discovered 500 hosts with “Here You Have” virus, which other solutions missed
• Fortune 5 Energy Company – Consolidating data silos
    • 2 Billion logs and events per day reduced to 25 high priority offenses
• Branded Apparel Maker – Detecting insider fraud
    • Trusted insider stealing and destroying key data
• $100B Diversified Corporation – Predicting risks against your business
    • Automating the policy monitoring and evaluation process for configuration change in the infrastructure
• Industrial Distributor – Addressing regulatory mandates
    • Real-time extensive monitoring of network activity, in addition to PCI mandates
Context & Correlation Drive Deepest Insight
Solutions for the Full Compliance and Security Intelligence Timeline
Fully Integrated Security Intelligence

One Console Security

Log Management
    • Turnkey log management
    • SME to Enterprise
    • Upgradeable to enterprise SIEM

SIEM
    • Integrated log, threat, risk & compliance mgmt.
    • Sophisticated event analytics
    • Asset profiling and flow analytics
    • Offense management and workflow

Risk Management
    • Predictive threat modeling & simulation
    • Scalable configuration monitoring and audit
    • Advanced threat visualization and impact analysis

Network Activity & Anomaly Detection
    • Network analytics
    • Behavior and anomaly detection
    • Fully integrated with SIEM

Network and Application Visibility
    • Layer 7 application monitoring
    • Content capture
    • Physical and virtual environments
IBM Security Framework
Enterprise Governance, Risk and Compliance Management
    • IBM OpenPages
    • Algorithmics (recent acquisition)
    • i2 Corporation (recent acquisition)

IBM Security Portfolio

IT GRC Analytics & Reporting
    • QRadar SIEM
    • QRadar Log Manager
    • QRadar Risk Manager
    • IBM Privacy, Audit and Compliance Assessment Services

IT Infrastructure – Operational Security Domains

People
    • Identity & Access Management Suite
    • Federated Identity Manager
    • Enterprise Single Sign-On
    • Identity Assessment, Deployment and Hosting Services

Data
    • Guardium Database Security
    • Optim Data Masking
    • Key Lifecycle Manager
    • Data Security Assessment Service
    • Encryption and DLP Deployment

Applications
    • AppScan Source/Std. Edition
    • DataPower Security Gateway
    • Security Policy Manager
    • Application Assessment Service
    • AppScan OnDemand Software as a Service

Infrastructure: Network
    • Network Intrusion Prevention
    • Server and Virtualization Security
    • QRadar Anomaly Detection / QFlow
    • Managed Firewall, Unified Threat and Intrusion Prevention Services

Infrastructure: Endpoint
    • Endpoint Manager (BigFix)
    • zSecure suite
    • Native Server Security (RACF, IBM systems)
    • Penetration Testing Services

Across all domains
    • Security Consulting
    • Managed Services
    • X-Force and IBM Research
Summary
•   More vulnerability disclosures and exploits in 2012 compared to 2011

•   We see more attack activity, with high profile security incidents

•   Attacks are getting more sophisticated

•   Need for proactive research driven security

•   Security Intelligence makes it possible to manage more data, with log and
    network flow correlation, configuration monitoring and risk and compliance
    management
Acknowledgements, disclaimers and trademarks

© Copyright IBM Corporation 2012. All rights reserved.

The information contained in this publication is provided for informational purposes only. While efforts were made to verify the completeness and accuracy of the information
contained in this publication, it is provided AS IS without warranty of any kind, express or implied. In addition, this information is based on IBM’s current product plans and
strategy, which are subject to change by IBM without notice. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, this publication or
any other materials. Nothing contained in this publication is intended to, nor shall have the effect of, creating any warranties or representations from IBM or its suppliers or
licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software.

References in this publication to IBM products, programs or services do not imply that they will be made available in all countries in which IBM operates. Product release dates
and/or capabilities referenced in this presentation may change at any time at IBM’s sole discretion based on market opportunities or other factors, and are not intended to be a
commitment to future product or feature availability in any way. Nothing contained in these materials is intended to, nor shall have the effect of, stating or implying that any
activities undertaken by you will result in any specific sales, revenue growth, savings or other results. All statements regarding IBM future direction and intent are subject to
change or withdrawal without notice, and represent goals and objectives only.

Information concerning non-IBM products and services was obtained from a supplier of those products and services. IBM has not tested these products or services and cannot
confirm the accuracy of performance, compatibility, or any other claims related to non-IBM products and services. Questions on the capabilities of non-IBM products and
services should be addressed to the supplier of those products and services.

All customer examples cited or described are presented as illustrations of the manner in which some customers have used IBM products and the results they may have
achieved. Actual environmental costs and performance characteristics may vary by customer and will vary depending on individual customer configurations and conditions.
Nothing contained in these materials is intended to, nor shall have the effect of, stating or implying that any activities undertaken by you will result in any specific sales, revenue
growth or other results.

Prices are suggested U.S. list prices and are subject to change without notice. Starting price may not include a hard drive, operating system or other features. Contact your
IBM representative or Business Partner for the most current pricing in your geography.

IBM, the IBM logo, ibm.com, Tivoli, the Tivoli logo, Tivoli Enterprise Console, Tivoli Storage Manager FastBack, and other IBM products and services are trademarks or
registered trademarks of International Business Machines Corporation in the United States, other countries, or both. If these and other IBM trademarked terms are marked on
their first occurrence in this information with a trademark symbol (® or ™), these symbols indicate U.S. registered or common law trademarks owned by IBM at the time this
information was published. Such trademarks may also be registered or common law trademarks in other countries. A current list of IBM trademarks is available on the Web at
"Copyright and trademark information" at ibm.com/legal/copytrade.shtml
Thank You- Q&A
Contact:
michael.andersson@se.ibm.com

Blockchain explainedBlockchain explained
Blockchain explained
 
Grow smarter project kista watson summit 2018_tommy auoja-1
Grow smarter project  kista watson summit 2018_tommy auoja-1Grow smarter project  kista watson summit 2018_tommy auoja-1
Grow smarter project kista watson summit 2018_tommy auoja-1
 
Bemanningsplanering axfood och houston final
Bemanningsplanering axfood och houston finalBemanningsplanering axfood och houston final
Bemanningsplanering axfood och houston final
 
Power ai nordics dcm
Power ai nordics dcmPower ai nordics dcm
Power ai nordics dcm
 
Nvidia and ibm presentation feb18
Nvidia and ibm presentation feb18Nvidia and ibm presentation feb18
Nvidia and ibm presentation feb18
 
Hwx introduction to_ibm_ai
Hwx introduction to_ibm_aiHwx introduction to_ibm_ai
Hwx introduction to_ibm_ai
 
Ac922 watson 180208 v1
Ac922 watson 180208 v1Ac922 watson 180208 v1
Ac922 watson 180208 v1
 
Watson kista summit 2018 box
Watson kista summit 2018 box Watson kista summit 2018 box
Watson kista summit 2018 box
 
Watson kista summit 2018 en bättre arbetsdag för de många människorna
Watson kista summit 2018   en bättre arbetsdag för de många människornaWatson kista summit 2018   en bättre arbetsdag för de många människorna
Watson kista summit 2018 en bättre arbetsdag för de många människorna
 
Iwcs and cisco watson kista summit 2018 v2
Iwcs and cisco   watson kista summit 2018 v2Iwcs and cisco   watson kista summit 2018 v2
Iwcs and cisco watson kista summit 2018 v2
 
Ibm intro (watson summit) bkacke
Ibm intro (watson summit) bkackeIbm intro (watson summit) bkacke
Ibm intro (watson summit) bkacke
 

Kürzlich hochgeladen

FULL ENJOY Call Girls In Mahipalpur Delhi Contact Us 8377877756
FULL ENJOY Call Girls In Mahipalpur Delhi Contact Us 8377877756FULL ENJOY Call Girls In Mahipalpur Delhi Contact Us 8377877756
FULL ENJOY Call Girls In Mahipalpur Delhi Contact Us 8377877756
dollysharma2066
 
Call Girls In Noida 959961⊹3876 Independent Escort Service Noida
Call Girls In Noida 959961⊹3876 Independent Escort Service NoidaCall Girls In Noida 959961⊹3876 Independent Escort Service Noida
Call Girls In Noida 959961⊹3876 Independent Escort Service Noida
dlhescort
 
Call Girls Electronic City Just Call 👗 7737669865 👗 Top Class Call Girl Servi...
Call Girls Electronic City Just Call 👗 7737669865 👗 Top Class Call Girl Servi...Call Girls Electronic City Just Call 👗 7737669865 👗 Top Class Call Girl Servi...
Call Girls Electronic City Just Call 👗 7737669865 👗 Top Class Call Girl Servi...
amitlee9823
 
Call Girls in Delhi, Escort Service Available 24x7 in Delhi 959961-/-3876
Call Girls in Delhi, Escort Service Available 24x7 in Delhi 959961-/-3876Call Girls in Delhi, Escort Service Available 24x7 in Delhi 959961-/-3876
Call Girls in Delhi, Escort Service Available 24x7 in Delhi 959961-/-3876
dlhescort
 
unwanted pregnancy Kit [+918133066128] Abortion Pills IN Dubai UAE Abudhabi
unwanted pregnancy Kit [+918133066128] Abortion Pills IN Dubai UAE Abudhabiunwanted pregnancy Kit [+918133066128] Abortion Pills IN Dubai UAE Abudhabi
unwanted pregnancy Kit [+918133066128] Abortion Pills IN Dubai UAE Abudhabi
Abortion pills in Kuwait Cytotec pills in Kuwait
 
Call Now ☎️🔝 9332606886🔝 Call Girls ❤ Service In Bhilwara Female Escorts Serv...
Call Now ☎️🔝 9332606886🔝 Call Girls ❤ Service In Bhilwara Female Escorts Serv...Call Now ☎️🔝 9332606886🔝 Call Girls ❤ Service In Bhilwara Female Escorts Serv...
Call Now ☎️🔝 9332606886🔝 Call Girls ❤ Service In Bhilwara Female Escorts Serv...
Anamikakaur10
 

Kürzlich hochgeladen (20)

Call Girls Zirakpur👧 Book Now📱7837612180 📞👉Call Girl Service In Zirakpur No A...
Call Girls Zirakpur👧 Book Now📱7837612180 📞👉Call Girl Service In Zirakpur No A...Call Girls Zirakpur👧 Book Now📱7837612180 📞👉Call Girl Service In Zirakpur No A...
Call Girls Zirakpur👧 Book Now📱7837612180 📞👉Call Girl Service In Zirakpur No A...
 
It will be International Nurses' Day on 12 May
It will be International Nurses' Day on 12 MayIt will be International Nurses' Day on 12 May
It will be International Nurses' Day on 12 May
 
Famous Olympic Siblings from the 21st Century
Famous Olympic Siblings from the 21st CenturyFamous Olympic Siblings from the 21st Century
Famous Olympic Siblings from the 21st Century
 
Falcon Invoice Discounting platform in india
Falcon Invoice Discounting platform in indiaFalcon Invoice Discounting platform in india
Falcon Invoice Discounting platform in india
 
FULL ENJOY Call Girls In Mahipalpur Delhi Contact Us 8377877756
FULL ENJOY Call Girls In Mahipalpur Delhi Contact Us 8377877756FULL ENJOY Call Girls In Mahipalpur Delhi Contact Us 8377877756
FULL ENJOY Call Girls In Mahipalpur Delhi Contact Us 8377877756
 
RSA Conference Exhibitor List 2024 - Exhibitors Data
RSA Conference Exhibitor List 2024 - Exhibitors DataRSA Conference Exhibitor List 2024 - Exhibitors Data
RSA Conference Exhibitor List 2024 - Exhibitors Data
 
Cracking the Cultural Competence Code.pptx
Cracking the Cultural Competence Code.pptxCracking the Cultural Competence Code.pptx
Cracking the Cultural Competence Code.pptx
 
Call Girls In Noida 959961⊹3876 Independent Escort Service Noida
Call Girls In Noida 959961⊹3876 Independent Escort Service NoidaCall Girls In Noida 959961⊹3876 Independent Escort Service Noida
Call Girls In Noida 959961⊹3876 Independent Escort Service Noida
 
Uneak White's Personal Brand Exploration Presentation
Uneak White's Personal Brand Exploration PresentationUneak White's Personal Brand Exploration Presentation
Uneak White's Personal Brand Exploration Presentation
 
Call Girls Electronic City Just Call 👗 7737669865 👗 Top Class Call Girl Servi...
Call Girls Electronic City Just Call 👗 7737669865 👗 Top Class Call Girl Servi...Call Girls Electronic City Just Call 👗 7737669865 👗 Top Class Call Girl Servi...
Call Girls Electronic City Just Call 👗 7737669865 👗 Top Class Call Girl Servi...
 
Organizational Transformation Lead with Culture
Organizational Transformation Lead with CultureOrganizational Transformation Lead with Culture
Organizational Transformation Lead with Culture
 
How to Get Started in Social Media for Art League City
How to Get Started in Social Media for Art League CityHow to Get Started in Social Media for Art League City
How to Get Started in Social Media for Art League City
 
Call Girls In Panjim North Goa 9971646499 Genuine Service
Call Girls In Panjim North Goa 9971646499 Genuine ServiceCall Girls In Panjim North Goa 9971646499 Genuine Service
Call Girls In Panjim North Goa 9971646499 Genuine Service
 
B.COM Unit – 4 ( CORPORATE SOCIAL RESPONSIBILITY ( CSR ).pptx
B.COM Unit – 4 ( CORPORATE SOCIAL RESPONSIBILITY ( CSR ).pptxB.COM Unit – 4 ( CORPORATE SOCIAL RESPONSIBILITY ( CSR ).pptx
B.COM Unit – 4 ( CORPORATE SOCIAL RESPONSIBILITY ( CSR ).pptx
 
Call Girls in Delhi, Escort Service Available 24x7 in Delhi 959961-/-3876
Call Girls in Delhi, Escort Service Available 24x7 in Delhi 959961-/-3876Call Girls in Delhi, Escort Service Available 24x7 in Delhi 959961-/-3876
Call Girls in Delhi, Escort Service Available 24x7 in Delhi 959961-/-3876
 
unwanted pregnancy Kit [+918133066128] Abortion Pills IN Dubai UAE Abudhabi
unwanted pregnancy Kit [+918133066128] Abortion Pills IN Dubai UAE Abudhabiunwanted pregnancy Kit [+918133066128] Abortion Pills IN Dubai UAE Abudhabi
unwanted pregnancy Kit [+918133066128] Abortion Pills IN Dubai UAE Abudhabi
 
MONA 98765-12871 CALL GIRLS IN LUDHIANA LUDHIANA CALL GIRL
MONA 98765-12871 CALL GIRLS IN LUDHIANA LUDHIANA CALL GIRLMONA 98765-12871 CALL GIRLS IN LUDHIANA LUDHIANA CALL GIRL
MONA 98765-12871 CALL GIRLS IN LUDHIANA LUDHIANA CALL GIRL
 
Enhancing and Restoring Safety & Quality Cultures - Dave Litwiller - May 2024...
Enhancing and Restoring Safety & Quality Cultures - Dave Litwiller - May 2024...Enhancing and Restoring Safety & Quality Cultures - Dave Litwiller - May 2024...
Enhancing and Restoring Safety & Quality Cultures - Dave Litwiller - May 2024...
 
Call Now ☎️🔝 9332606886🔝 Call Girls ❤ Service In Bhilwara Female Escorts Serv...
Call Now ☎️🔝 9332606886🔝 Call Girls ❤ Service In Bhilwara Female Escorts Serv...Call Now ☎️🔝 9332606886🔝 Call Girls ❤ Service In Bhilwara Female Escorts Serv...
Call Now ☎️🔝 9332606886🔝 Call Girls ❤ Service In Bhilwara Female Escorts Serv...
 
Dr. Admir Softic_ presentation_Green Club_ENG.pdf
Dr. Admir Softic_ presentation_Green Club_ENG.pdfDr. Admir Softic_ presentation_Green Club_ENG.pdf
Dr. Admir Softic_ presentation_Green Club_ENG.pdf
 

IBM Smarter Business 2012 - IBM Security: Threat landscape

  • 2. IBM Security: Threat Landscape Michael Andersson Client Technical Professional IBM Security Systems
  • 3. Please note: • IBM’s statements regarding its plans, directions, and intent are subject to change or withdrawal without notice at IBM’s sole discretion. • Information regarding potential future products is intended to outline our general product direction and it should not be relied on in making a purchasing decision. • The information mentioned regarding potential future products is not a commitment, promise, or legal obligation to deliver any material, code or functionality. Information about potential future products may not be incorporated into any contract. The development, release, and timing of any future features or functionality described for our products remains at our sole discretion. • Performance is based on measurements and projections using standard IBM benchmarks in a controlled environment. The actual throughput or performance that any user will experience will vary depending upon many factors, including considerations such as the amount of multiprogramming in the user's job stream, the I/O configuration, the storage configuration, and the workload processed. Therefore, no assurance can be given that an individual user will achieve results similar to those stated here.
  • 4. Agenda • X-Force overview • Highlights from the 1H 2012 IBM X-Force Trend and Risk Report – Vulnerabilities – Exploits – Attacks • IBM Security Advanced Threat Protection Platform
  • 5. X-Force Research The mission of the IBM X-Force® research and development team is to: • Research and evaluate threat and protection issues • Deliver security protection for today’s security problems • Develop new technology for tomorrow’s security challenges • Educate the media and user communities X-Force Research: • 17B analyzed Web pages & images • 40M spam & phishing attacks • 68K documented vulnerabilities • 13B security events daily Provides Specific Analysis of: • Vulnerabilities & exploits • Malicious/Unwanted websites • Spam and phishing • Malware • Other emerging trends
  • 6. Vulnerability disclosures up in 2012 • Total number of vulnerabilities grew (4,400 in 1H 2012) – the projection could reach all time high in 2012
  • 7. Web Application Vulnerabilities Rise Again • At mid-year 2012, 47% of security vulnerabilities affected web applications • Up from 41% in 2011 • XSS reaches high of 51%
  • 8. Vulnerabilities without patches • Unpatched vulnerabilities, highest numbers in years
  • 9. Public Exploit Disclosures • Decrease in percentage of vulnerabilities • Slightly up in actual numbers compared to 2011
  • 10. Some categories stay the same • The number of browser and multi-media exploits is about the same
  • 11. Things are looking better for mobile platforms • Better at discovering vulnerabilities • Harder to exploit
  • 12. MSS – Top 10 high volume signatures • Not much change since last year • SQL Injection is still the most common attack
  • 13. SQL Injection Attacks against Web Servers • Very often automated processes of finding victims
  • 14. XSS reaching new highs in 1H 2011 • More than 6,000 variants of this vulnerability, with uses ranging from hijacking a browser session to a total system web-server-based takeover.
  • 17. 2011: “The year of the targeted attack”
  • 18. Who is attacking our networks?
  • 19. Techniques used by attackers are bypassing traditional defenses Advanced • Using exploits for unreported vulnerabilities, aka a “zero day” • Advanced, custom malware that is not detected by antivirus products Persistent • Attacks lasting for months or years • Attackers are dedicated to the target – they will get in • Resistant to remediation attempts Threat • Targeted at specific individuals and groups within an organization • Not random attacks – they are actually “out to get you” These methods have eroded the effectiveness of traditional defenses including firewalls, intrusion prevention systems and antivirus - leaving holes in the network
  • 20. Closer look at the attack vectors of today’s threats 1. User Attacks (Client-side) • Drive-by Downloads: User browses to a malicious website and/or downloads an infected file using an unpatched browser or application • Targeted Emails: Email containing an exploit or malicious attachment is sent to an individual with the right level of access at the company 2. Infrastructure Attacks (Server-side) • SQL Injection: Attacker sends a specially crafted message to a web application, allowing them to view, modify, or delete DB table entries • General Exploitation: Attacker identifies and exploits a vulnerability in unpatched or poorly written software to gain privileges on the system
  • 21. IBM Advanced Threat Protection Our strategy is to protect our customers with advanced threat protection at the network layer - by strengthening and integrating network security, analytics and threat intelligence capabilities 1. Advanced Threat Protection Platform: Evolve our Intrusion Prevention System to become a Threat Protection Platform – providing packet, content, file and session inspection to stop threats from entering the corporate network 2. QRadar Security Intelligence Platform: Build tight integration between the Network Security products, X-Force intelligence feeds and QRadar Platform product with purpose-built analytics and reporting for threat detection and remediation 3. X-Force Threat Intelligence: Increase investment in threat intelligence feeds and feedback loops for our products. Leverage the existing Cobion web and email filtering data, but expand into botnet, IP reputation and Managed Security Services data sets
  • 24. IBM Security Network IPS: Addressing Today’s Evolving Threats with Hybrid Protection >300 Custom Signatures (SNORT)
  • 25. Why Vulnerability-based Research = Preemptive Security Approach • Protecting against exploits is reactive – Too late for many – Variants undo previous updates • Protecting against vulnerabilities and malicious behaviors is preemptive – Stops threat at source – Requires advanced R&D • Why X-Force? – One of the best-known commercial security research groups in the world – IBM X-Force maintains one of the most comprehensive vulnerability databases in the world—dating back to the 1990s. – X-Force constantly updates IBM’s Protocol Analysis Module, the engine inside IBM’s security solutions
  • 26. Ahead of the Threat IBM’s Preemptive Approach vs. Reactive Approach to address Threats IBM Clients have typically been provided protection guidance prior to or within 24 hours of a vendor vulnerability disclosure being announced # of days IBM clients were provided protection guidance “Ahead of the Threat” Source: IBM X-Force
  • 27. IBM IPS Zero Day (Vuln/Exploit) Web App Protection • IBM IPS Injection Logic Engine has stopped every large scale SQL injection or XSS attack day-zero. • Asprox – reported 12/11/2008 – stopped 6/7/2007 • Lizamoon – reported 3/29/2011 – stopped 6/7/2007 • SONY (published) – reported May/June/2011 – stopped 6/7/2007 • Apple Dev Network – reported July/2011 – stopped 6/7/2007
    New Vulnerability or Exploit | Reported Date | Ahead of the Threat Since
    Nagios expand cross-site scripting | 5/1/2011 | 6/7/2007
    Easy Media Script go parameter XSS | 5/26/2011 | 6/7/2007
    N-13 News XSS | 5/25/2011 | 6/7/2007
    I GiveTest 2.1.0 SQL Injection | 6/21/2011 | 6/7/2007
    RG Board SQL Injection | Published: 6/28/2011 | 6/7/2007
    BlogiT PHP Injection | 6/28/2011 | 6/7/2007
    IdevSpot SQL Injection (iSupport) | 2011-05-23 | 6/7/2007
    2Point Solutions SQL Injection | 6/24/2011 | 6/7/2007
    PHPFusion SQL Injection | 1/17/2011 | 6/7/2007
    ToursManager PhP Script Blind SQli | 2011-07-xx | 6/7/2007
    Oracle Database SQL Injection | 2011-07-xx | 6/7/2007
    LuxCal Web Calendar | 7/7/2011 | 6/7/2007
    Apple Web Developer Website SQL | 2011-07-xx | 6/7/2007
    MySQLDriverCS Cross-Param SQLi | 6/27/2011 | 6/7/2007
  • 28. Complete Control: Overcoming a Simple Block-Only Approach • Network Control by users, groups, systems, protocols, applications & application actions • Block evolving, high-risk sites such as Phishing and Malware with constantly updated categories • Comprehensive up-to-date web site coverage with industry-leading 15 Billion+ URLs • Rich application support with 1000+ applications and individual actions “We had a case in Europe where workers went on strike for 3 days after Facebook was completely blocked…so granularity is key.” – IBM Business Partner
  • 29. Network Security Product Line up
    Product | Description
    IBM Security Network Intrusion Prevention System | The core of any Intrusion Prevention strategy, IBM Security Network IPS appliances help to protect the network infrastructure from a wide range of attacks, up to 23 Gbps inspected throughput
    IBM Security Endpoint Defence | Focused on protecting individual assets on the network including servers and desktops from both internal and external threats
    IBM Security Virtual Server Protection | Virtual Server Protection is integrated with the hypervisor and provides visibility into intra-VM network traffic. Supports ESX 4.1 and 5.0 and 10Gb Ethernet
    IBM Security SiteProtector System | Centralized management for IBM Security intrusion prevention solutions that provides a single management point to control security policy, analysis, alerting and reporting
  • 31. Solving Customer Challenges
    Major Electric Utility | Detecting threats | Discovered 500 hosts with “Here You Have” virus, which other solutions missed
    Fortune 5 Energy Company | Consolidating data silos | 2 Billion logs and events per day reduced to 25 high priority offenses
    Branded Apparel Maker | Detecting insider fraud | Trusted insider stealing and destroying key data
    $100B Diversified Corporation | Predicting risks against your business | Automating the policy monitoring and evaluation process for configuration change in the infrastructure
    Industrial Distributor | Addressing regulatory mandates | Real-time extensive monitoring of network activity, in addition to PCI mandates
  • 32. Context & Correlation Drive Deepest Insight
  • 33. Solutions for the Full Compliance and Security Intelligence Timeline
  • 34. Fully Integrated Security Intelligence (One Console Security)
    Log Management | Turnkey log management; SME to Enterprise; Upgradeable to enterprise SIEM
    SIEM | Integrated log, threat, risk & compliance mgmt.; Sophisticated event analytics; Asset profiling and flow analytics; Offense management and workflow
    Risk Management | Predictive threat modeling & simulation; Scalable configuration monitoring and audit; Advanced threat visualization and impact analysis
    Network Activity & Anomaly Detection | Network analytics; Behavior and anomaly detection; Fully integrated with SIEM
    Network and Application Visibility | Layer 7 application monitoring; Content capture; Physical and virtual environments
  • 35. IBM Security Framework Enterprise Governance, Risk and Compliance Management IBM OpenPages Algorithmics (recent acquisition) i2 Corporation (recent acquisition) IBM Security Portfolio IT GRC Analytics & Reporting QRadar QRadar Log QRadar IBM Privacy, Audit and SIEM Manager Risk Manager Compliance Assessment Services Security Consulting IT Infrastructure – Operational Security Domains People Data Applications Infrastructure Network Endpoint Identity & Access Guardium AppScan Network Endpoint Managed Management Suite Database Security Source/Std. Edition Intrusion Prevention Manager (BigFix) Services Federated Optim DataPower Server and zSecure suite Identity Manager Data Masking Security Gateway Virtualization Security Enterprise Key Lifecycle Security QRadar Anomaly Native Server Security Single Sign-On Manager Policy Manager Detection / QFlow (RACF, IBM systems) X-Force Data Security Application Managed Firewall, and IBM Identity Assessment, Assessment Service Assessment Service Unified Threat and Penetration Research Deployment and Encryption and AppScan OnDemand Intrusion Prevention Testing Services Hosting Services DLP Deployment Software as a Service Services
  • 36. Summary • More vulnerability disclosures and exploits in 2012 compared to 2011 • We see more attack activity, with high profile security incidents • Attacks are getting more sophisticated • Need for proactive research driven security • Security Intelligence makes it possible to manage more data, with log and network flow correlation, configuration monitoring and risk and compliance management
  • 37. Acknowledgements, disclaimers and trademarks © Copyright IBM Corporation 2012. All rights reserved. The information contained in this publication is provided for informational purposes only. While efforts were made to verify the completeness and accuracy of the information contained in this publication, it is provided AS IS without warranty of any kind, express or implied. In addition, this information is based on IBM’s current product plans and strategy, which are subject to change by IBM without notice. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, this publication or any other materials. Nothing contained in this publication is intended to, nor shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software. References in this publication to IBM products, programs or services do not imply that they will be made available in all countries in which IBM operates. Product release dates and/or capabilities referenced in this presentation may change at any time at IBM’s sole discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any way. Nothing contained in these materials is intended to, nor shall have the effect of, stating or implying that any activities undertaken by you will result in any specific sales, revenue growth, savings or other results. All statements regarding IBM future direction and intent are subject to change or withdrawal without notice, and represent goals and objectives only. Information concerning non-IBM products and services was obtained from a supplier of those products and services. 
IBM has not tested these products or services and cannot confirm the accuracy of performance, compatibility, or any other claims related to non-IBM products and services. Questions on the capabilities of non-IBM products and services should be addressed to the supplier of those products and services. All customer examples cited or described are presented as illustrations of the manner in which some customers have used IBM products and the results they may have achieved. Actual environmental costs and performance characteristics may vary by customer and will vary depending on individual customer configurations and conditions. Nothing contained in these materials is intended to, nor shall have the effect of, stating or implying that any activities undertaken by you will result in any specific sales, revenue growth or other results. Prices are suggested U.S. list prices and are subject to change without notice. Starting price may not include a hard drive, operating system or other features. Contact your IBM representative or Business Partner for the most current pricing in your geography. IBM, the IBM logo, ibm.com, Tivoli, the Tivoli logo, Tivoli Enterprise Console, Tivoli Storage Manager FastBack, and other IBM products and services are trademarks or registered trademarks of International Business Machines Corporation in the United States, other countries, or both. If these and other IBM trademarked terms are marked on their first occurrence in this information with a trademark symbol (® or ™), these symbols indicate U.S. registered or common law trademarks owned by IBM at the time this information was published. Such trademarks may also be registered or common law trademarks in other countries. A current list of IBM trademarks is available on the Web at "Copyright and trademark information" at ibm.com/legal/copytrade.shtml

Editor's notes

  1. Over 51% of all web application vulnerabilities reported so far in 2012 are now categorized as cross-site scripting.
  2. – in 2012 the trend continues
  3. make it clear that this is our strategy for Infrastructure..we also cover apps/People/Data..in case they don't grok the Framework.."Today, we are talking about our vision for infrastructure/network..complementing our comprehensive..."
  4. Once you are aware – then you are ready to control. Users can create network access control policies in addition to application control policies. Suitable customer: where organizations are looking for application and policy Control network access control: VLAN, IP, application, port. Applications and individual application actions. Rich support: 300+ network protocols, 300+ web & non-web applications, 700+ individual website “actions”, 3M+ web sites, 15B+ URLs