IBM Security Systems presents the latest risks and trends from X-Force 2011 Full Year report, and how you can protect your infrastructure from these new evolving threats using Security Intelligence from Q1 Labs and IBM's recently announced Advanced Threat Protection Platform.
Speaker: Mikael Andersson, Client Technical Professional, IBM
Visit http://smarterbusiness.se for more information.
2. IBM Security: Threat Landscape
Michael Andersson
Client Technical Professional
IBM Security Systems
3. Please note:
• IBM’s statements regarding its plans, directions, and intent are
subject to change or withdrawal without notice at IBM’s sole discretion.
• Information regarding potential future products is intended to outline
our general product direction and it should not be relied on in making a purchasing decision.
• The information mentioned regarding potential future products is not a commitment, promise,
or legal obligation to deliver any material, code or functionality. Information about potential
future products may not be incorporated into any contract. The development, release, and
timing of any future features or functionality described for our products remains at our sole
discretion.
• Performance is based on measurements and projections using standard IBM benchmarks in a
controlled environment. The actual throughput or performance that any user will experience
will vary depending upon many factors, including considerations such as the amount of
multiprogramming in the user's job stream, the I/O configuration, the storage configuration,
and the workload processed. Therefore, no assurance can be given that an individual user
will achieve results similar to those stated here.
4. Agenda
• X-Force overview
• Highlights from the 1H 2012 IBM X-Force Trend and Risk Report
– Vulnerabilities
– Exploits
– Attacks
• IBM Security Advanced Threat Protection Platform
5. X-Force Research
The mission of the IBM X-Force® research and development team is to:
• Research and evaluate threat and protection issues
• Deliver security protection for today’s security problems
• Develop new technology for tomorrow’s security challenges
• Educate the media and user communities
X-Force Research by the numbers:
• 17B analyzed Web pages & images
• 40M spam & phishing attacks
• 68K documented vulnerabilities
• 13B security events daily
Provides Specific Analysis of:
• Vulnerabilities & exploits
• Malicious/Unwanted websites
• Spam and phishing
• Malware
• Other emerging trends
6. Vulnerability disclosures up in 2012
• Total number of vulnerabilities grew (4,400 in 1H 2012)
– the projection is that 2012 could reach an all-time high
7. Web Application Vulnerabilities Rise Again
• At mid-year 2012, 47% of security vulnerabilities affected web applications
• Up from 41% in 2011
• XSS reaches high of 51%
9. Public Exploit Disclosures
• Decrease as a percentage of vulnerabilities
• Slightly up in actual numbers compared to 2011
10. Some categories stay the same
• The number of browser and multimedia exploits is about the same
11. Things are looking better for mobile platforms
• Better at discovering vulnerabilities
• Harder to exploit
12. MSS – Top 10 high volume signatures
• Not much change since last year
• SQL Injection is still the most common attack
13. SQL Injection Attacks against Web Servers
• Victims are very often found by automated processes
14. XSS reaching new highs in 1H 2011
• More than 6,000 variants of this vulnerability, with uses ranging from
hijacking a browser session to a total system web-server-based takeover.
19. Techniques used by attackers are bypassing traditional defenses
Advanced
• Using exploits for unreported vulnerabilities, aka a “zero day”
• Advanced, custom malware that is not detected by antivirus products
Persistent
• Attacks lasting for months or years
• Attackers are dedicated to the target – they will get in
• Resistant to remediation attempts
Threat
• Targeted at specific individuals and groups within an organization
• Not random attacks – they are actually “out to get you”
These methods have eroded the effectiveness of traditional defenses, including firewalls, intrusion prevention systems and antivirus, leaving holes in the network
20. Closer look at the attack vectors of today’s threats
1. User Attacks (Client-side)
• Drive-by Downloads: User browses to a malicious website and/or downloads an infected file using an unpatched browser or application
• Targeted Emails: Email containing an exploit or malicious attachment is sent to an individual with the right level of access at the company
2. Infrastructure Attacks (Server-side)
• SQL Injection: Attacker sends a specially crafted message to a web application, allowing them to view, modify, or delete DB table entries
• General Exploitation: Attacker identifies and exploits a vulnerability in unpatched or poorly written software to gain privileges on the system
(Figure: attack vectors 1 and 2 shown against Users and Infrastructure)
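The SQL Injection vector on this slide comes down to one defect at the query layer: user input is spliced into SQL text, so the database parses attacker-controlled characters as syntax. The following is an added example, not code from the IBM deck, that shows the defect beside its fix on an in-memory SQLite table with constructed rows; the table, the inputs and the function names are assumptions made for the illustration.

```python
"""Added example (not from the IBM deck): the SQL injection vector of slide 20
at the query layer, and why a parameterised query closes it. Uses an in-memory
SQLite database with constructed sample rows."""
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed sample table standing in for a web application's user store."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user"), ("carol", "user")])
    conn.commit()
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """The 'specially crafted message' case: the input is concatenated into the
    SQL text, so quote characters in it are parsed as SQL syntax.
    Kept deliberately vulnerable to show the failure mode."""
    sql = "SELECT username, role FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterised(conn: sqlite3.Connection, username: str) -> list:
    """Hardened form: the SQL text is fixed and the value travels as a bound
    parameter, so it is compared as data and never parsed as SQL."""
    sql = "SELECT username, role FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


# Constructed inputs: a normal username and the textbook tautology that turns
# the WHERE clause of the concatenated query into an always-true condition.
NORMAL_INPUT = "bob"
CRAFTED_INPUT = "x' OR '1'='1"


def demo() -> dict:
    """Run both lookups against both inputs and return the rows each sees."""
    conn = build_db()
    return {
        "normal_vulnerable": lookup_vulnerable(conn, NORMAL_INPUT),
        "crafted_vulnerable": lookup_vulnerable(conn, CRAFTED_INPUT),
        "normal_parameterised": lookup_parameterised(conn, NORMAL_INPUT),
        "crafted_parameterised": lookup_parameterised(conn, CRAFTED_INPUT),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

With the concatenated query the crafted input returns every row of the table (the "view DB table entries" outcome on the slide), while the parameterised query returns nothing for it, because no user is literally named `x' OR '1'='1`. The same bound-parameter discipline is what a web application needs behind any signature-based protection in front of it.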
21. IBM Advanced Threat Protection
Our strategy is to protect our customers with advanced threat protection at the network layer – by strengthening and integrating network security, analytics and threat intelligence capabilities
1. Advanced Threat Protection Platform
Evolve our Intrusion Prevention System to become a Threat Protection Platform – providing packet, content, file and session inspection to stop threats from entering the corporate network
2. QRadar Security Intelligence Platform
Build tight integration between the Network Security products, X-Force intelligence feeds and the QRadar Platform product with purpose-built analytics and reporting for threat detection and remediation
3. X-Force Threat Intelligence
Increase investment in threat intelligence feeds and feedback loops for our products. Leverage the existing Cobion web and email filtering data, but expand into botnet, IP reputation and Managed Security Services data sets
(Figure: the three components numbered 1–3, positioned between Users and Infrastructure)
24. IBM Security Network IPS: Addressing Today’s Evolving Threats with Hybrid Protection
• >300 custom signatures (SNORT)
25. Why Vulnerability-based Research = Preemptive Security Approach
• Protecting against exploits is reactive
– Too late for many
– Variants undo previous updates
• Protecting against vulnerabilities and malicious behaviors is preemptive
– Stops the threat at its source
– Requires advanced R&D
• Why X-Force?
– One of the best-known commercial security research groups in the world
– IBM X-Force maintains one of the most comprehensive vulnerability databases in the world—dating back to the 1990s.
– X-Force constantly updates IBM’s Protocol Analysis Module, the engine inside IBM’s security solutions
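The reactive-versus-preemptive distinction on this slide is easiest to see with two detectors side by side. The following is an added example, not IBM code and not the Protocol Analysis Module: a hypothetical line-oriented protocol with an assumed 64-byte buffer defect, one signature written against a known exploit payload, and one check written against the vulnerability condition itself. The protocol, the limit, the signature and all messages are constructed for the illustration.

```python
"""Added example (not IBM code): reactive exploit signature versus preemptive
vulnerability-condition check, from slide 25. The protocol, the 64-byte limit
and every message below are constructed for illustration."""
import re

# Hypothetical protocol: "LOGIN <name>\n". Assumed vulnerability: the server
# copies <name> into a fixed 64-byte buffer without checking its length.
VULNERABLE_FIELD_LIMIT = 64

# Reactive approach: a signature written against one known exploit, which
# happened to pad its over-long field with a run of 'A' bytes.
EXPLOIT_SIGNATURE = re.compile(rb"^LOGIN A{32,}")


def exploit_signature_matches(msg: bytes) -> bool:
    """Fires only when the bytes resemble the exploit the signature was written for."""
    return EXPLOIT_SIGNATURE.search(msg) is not None


def violates_vulnerability_condition(msg: bytes) -> bool:
    """Preemptive approach: test the condition the vulnerable code cannot handle
    (a field longer than its buffer), regardless of what bytes fill the field."""
    m = re.match(rb"^LOGIN ([^\n]*)\n?$", msg)
    if m is None:
        return False  # not a LOGIN message; outside this check's scope
    return len(m.group(1)) > VULNERABLE_FIELD_LIMIT


# Constructed traffic samples. The "variant" keeps the over-long field (which is
# what actually triggers the defect) but changes the filler byte, which is all
# it takes to slip past a signature written against the original payload.
SAMPLES = {
    "benign":   b"LOGIN alice\n",
    "long_ok":  b"LOGIN " + b"b" * VULNERABLE_FIELD_LIMIT + b"\n",  # exactly at the limit: safe
    "original": b"LOGIN " + b"A" * 200 + b"\n",
    "variant":  b"LOGIN " + b"Z" * 200 + b"\n",
}


def evaluate() -> dict:
    """Return, per sample, the verdict of each approach."""
    return {
        name: {
            "exploit_sig": exploit_signature_matches(msg),
            "vuln_check": violates_vulnerability_condition(msg),
        }
        for name, msg in SAMPLES.items()
    }


if __name__ == "__main__":
    for name, verdict in evaluate().items():
        print(f"{name:9s} exploit_sig={verdict['exploit_sig']!s:5s} "
              f"vuln_check={verdict['vuln_check']}")
```

The original payload is caught by both detectors, the variant only by the vulnerability check, and the at-the-limit message by neither. That is the slide's point in miniature: a signature keyed to the vulnerability condition covers payloads that did not exist when it was written, whereas an exploit signature has to be re-issued for each variant.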
26. Ahead of the Threat
IBM’s Preemptive Approach vs. Reactive Approach to address Threats
IBM Clients have typically been provided protection guidance prior to or within 24 hours of a vendor vulnerability disclosure being announced
(Chart: number of days IBM clients were provided protection guidance “Ahead of the Threat”. Source: IBM X-Force)
27. IBM IPS Zero Day (Vuln/Exploit) Web App Protection
• IBM IPS Injection Logic Engine has stopped every large scale SQL injection or XSS attack day-zero.
• Asprox – reported 12/11/2008 – stopped 6/7/2007
• Lizamoon – reported 3/29/2011 – stopped 6/7/2007
• SONY (published) – reported May/June/2011 – stopped 6/7/2007
• Apple Dev Network – reported July/2011 – stopped 6/7/2007
New Vulnerability or Exploit – Reported Date – Ahead of the Threat Since
• Nagios expand cross-site scripting – 5/1/2011 – 6/7/2007
• Easy Media Script go parameter XSS – 5/26/2011 – 6/7/2007
• N-13 News XSS – 5/25/2011 – 6/7/2007
• I GiveTest 2.1.0 SQL Injection – 6/21/2011 – 6/7/2007
• RG Board SQL Injection – published 6/28/2011 – 6/7/2007
• BlogiT PHP Injection – 6/28/2011 – 6/7/2007
• IdevSpot SQL Injection (iSupport) – 2011-05-23 – 6/7/2007
• 2Point Solutions SQL Injection – 6/24/2011 – 6/7/2007
• PHPFusion SQL Injection – 1/17/2011 – 6/7/2007
• ToursManager PhP Script Blind SQLi – 2011-07-xx – 6/7/2007
• Oracle Database SQL Injection – 2011-07-xx – 6/7/2007
• LuxCal Web Calendar – 7/7/2011 – 6/7/2007
• Apple Web Developer Website SQL – 2011-07-xx – 6/7/2007
• MySQLDriverCS Cross-Param SQLi – 6/27/2011 – 6/7/2007
28. Complete Control: Overcoming a Simple Block-Only Approach
• Network Control by users, groups, systems, protocols, applications & application actions
• Block evolving, high-risk sites such as Phishing and Malware with constantly updated categories
• Comprehensive up-to-date web site coverage with industry-leading 15 Billion+ URLs
• Rich application support with 1000+ applications and individual actions
“We had a case in Europe where workers went on strike for 3 days after Facebook was completely blocked…so granularity is key.”
– IBM Business Partner
29. Network Security Product Line up
Product – Description
• IBM Security Network Intrusion Prevention System – The core of any Intrusion Prevention strategy, IBM Security Network IPS appliances help to protect the network infrastructure from a wide range of attacks, up to 23 Gbps inspected throughput
• IBM Security Endpoint Defence – Focused on protecting individual assets on the network including servers and desktops from both internal and external threats
• IBM Security Virtual Server Protection – Virtual Server Protection is integrated with the hypervisor and provides visibility into intra-VM network traffic. Supports ESX 4.1 and 5.0 and 10Gb Ethernet
• IBM Security SiteProtector System – Centralized management for IBM Security intrusion prevention solutions that provides a single management point to control security policy, analysis, alerting and reporting
31. Solving Customer Challenges
Customer – Challenge – Result
• Major Electric Utility – Detecting threats – Discovered 500 hosts with “Here You Have” virus, which other solutions missed
• Fortune 5 Energy Company – Consolidating data silos – 2 Billion logs and events per day reduced to 25 high priority offenses
• Branded Apparel Maker – Detecting insider fraud – Trusted insider stealing and destroying key data
• $100B Diversified Corporation – Predicting risks against your business – Automating the policy monitoring and evaluation process for configuration change in the infrastructure
• Industrial Distributor – Addressing regulatory mandates – Real-time extensive monitoring of network activity, in addition to PCI mandates
33. Solutions for the Full Compliance and Security Intelligence Timeline
34. Fully Integrated Security Intelligence
(Figure: One Console Security)
Log Management
• Turnkey log management
• SME to Enterprise
• Upgradeable to enterprise SIEM
SIEM
• Integrated log, threat, risk & compliance mgmt.
• Sophisticated event analytics
• Asset profiling and flow analytics
• Offense management and workflow
Risk Management
• Predictive threat modeling & simulation
• Scalable configuration monitoring and audit
• Advanced threat visualization and impact analysis
Network Activity & Anomaly Detection
• Network analytics
• Behavior and anomaly detection
• Fully integrated with SIEM
Network and Application Visibility
• Layer 7 application monitoring
• Content capture
• Physical and virtual environments
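"Offense management" in the SIEM box above, and the "2 Billion logs and events per day reduced to 25 high priority offenses" case on slide 31, both rest on one mechanism: correlating many raw events into a few prioritised offenses. The following is an added example, not QRadar code, that shows the mechanism in the simplest useful form on constructed authentication events; the log format, the rule threshold, the window and the magnitude values are assumptions for the illustration.

```python
"""Added example (not QRadar code): correlating raw events into prioritised
offenses, the idea behind 'offense management' on slide 34. Log format, rule
thresholds and every event below are constructed for illustration."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed events: "<ISO timestamp> <source_ip> <event>"
RAW_EVENTS = [
    "2012-06-01T10:00:01 10.0.0.5 auth_failure",
    "2012-06-01T10:00:02 10.0.0.5 auth_failure",
    "2012-06-01T10:00:03 10.0.0.5 auth_failure",
    "2012-06-01T10:00:04 10.0.0.5 auth_failure",
    "2012-06-01T10:00:05 10.0.0.5 auth_failure",
    "2012-06-01T10:00:09 10.0.0.5 auth_success",
    "2012-06-01T10:01:00 10.0.0.7 auth_failure",
    "2012-06-01T10:30:00 10.0.0.7 auth_failure",
    "2012-06-01T10:02:00 192.168.1.9 auth_failure",
    "2012-06-01T10:02:01 192.168.1.9 auth_failure",
    "2012-06-01T10:02:02 192.168.1.9 auth_failure",
    "2012-06-01T10:02:03 192.168.1.9 auth_failure",
    "2012-06-01T10:02:04 192.168.1.9 auth_failure",
    "2012-06-01T10:02:05 192.168.1.9 auth_failure",
]

FAILURE_THRESHOLD = 5       # assumed rule: this many failures from one source ...
WINDOW = timedelta(minutes=5)  # ... inside this window opens an offense


def parse(line: str) -> tuple:
    """Split one constructed log line into (timestamp, source, event)."""
    ts, src, event = line.split()
    return datetime.fromisoformat(ts), src, event


def correlate(lines) -> list:
    """Group failures by source, slide a time window over them, and open one
    offense per source that crosses the threshold. A burst followed by a
    success from the same source gets a higher magnitude: a guessing attempt
    that ended in a login is the case an analyst needs to see first."""
    events = sorted((parse(line) for line in lines), key=lambda e: e[0])
    failures = defaultdict(list)
    successes = defaultdict(list)
    for ts, src, ev in events:
        (failures if ev == "auth_failure" else successes)[src].append(ts)

    offenses = []
    for src, times in failures.items():
        for i, start in enumerate(times):
            in_window = [t for t in times[i:] if t - start <= WINDOW]
            if len(in_window) < FAILURE_THRESHOLD:
                continue
            end = in_window[-1]
            success_after = any(end <= s <= end + WINDOW for s in successes[src])
            offenses.append({
                "source": src,
                "event_count": len(in_window),
                "magnitude": 9 if success_after else 5,   # assumed scale, 0-10
                "description": "auth failure burst"
                               + (" followed by success" if success_after else ""),
            })
            break  # one offense per source keeps the illustration simple
    return sorted(offenses, key=lambda o: o["magnitude"], reverse=True)


if __name__ == "__main__":
    result = correlate(RAW_EVENTS)
    print(f"{len(RAW_EVENTS)} raw events -> {len(result)} offenses")
    for offense in result:
        print(offense)
```

Fourteen events become two offenses, ordered so that the source whose failure burst ended in a successful login is on top, and the source with two isolated failures half an hour apart produces nothing. A production SIEM adds asset value, flow data and many more rule types to this, but the reduction and ranking step is the same in kind.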
35. IBM Security Framework
Enterprise Governance, Risk and Compliance Management
• IBM OpenPages, Algorithmics (recent acquisition), i2 Corporation (recent acquisition)
IBM Security Portfolio
IT GRC Analytics & Reporting
• QRadar SIEM, QRadar Log Manager, QRadar Risk Manager, IBM Privacy, Audit and Compliance Assessment Services
IT Infrastructure – Operational Security Domains
People
• Identity & Access Management Suite
• Federated Identity Manager
• Enterprise Single Sign-On
• Identity Assessment, Deployment and Hosting Services
Data
• Guardium Database Security
• Optim Data Masking
• Key Lifecycle Manager
• Data Security Assessment Service
• Encryption and DLP Deployment
Applications
• AppScan Source/Std. Edition
• DataPower Security Gateway
• Security Policy Manager
• Application Assessment Service
• AppScan OnDemand Software as a Service
Infrastructure – Network
• Network Intrusion Prevention
• QRadar Anomaly Detection / QFlow
• Managed Firewall, Unified Threat and Intrusion Prevention Services
Infrastructure – Endpoint
• Endpoint Manager (BigFix)
• Server and Virtualization Security
• zSecure suite
• Native Server Security (RACF, IBM systems)
• Penetration Testing Services
Across all domains: Security Consulting, Managed Services, X-Force and IBM Research
36. Summary
• More vulnerability disclosures and exploits in 2012 compared to 2011
• We see more attack activity, with high profile security incidents
• Attacks are getting more sophisticated
• Need for proactive, research-driven security
• Security Intelligence makes it possible to manage more data, with log and network flow correlation, configuration monitoring and risk and compliance management
Speaker notes:
Over 51% of all web application vulnerabilities reported so far in 2012 are now categorized as cross-site scripting.
– in 2012 the trend continues
Make it clear that this is our strategy for Infrastructure; we also cover Apps/People/Data, in case they don’t grok the Framework: “Today, we are talking about our vision for infrastructure/network, complementing our comprehensive...”
Once you are aware, then you are ready to control. Users can create network access control policies in addition to application control policies. Suitable customer: organizations that are looking for application and policy control. Network access control: VLAN, IP, application, port. Applications and individual application actions. Rich support: 300+ network protocols, 300+ web & non-web applications, 700+ individual website “actions”, 3M+ web sites, 15B+ URLs.