
PCTY 2012, Threat landscape and Security Intelligence v. Michael Andersson


  1. X-Force 2011 Trend and Risk Report & Advanced Threat Protection Platform. Optimizing the World’s Infrastructure. May 2012. © 2012 IBM Corporation
  2. Please note: • IBM’s statements regarding its plans, directions, and intent are subject to change or withdrawal without notice at IBM’s sole discretion. • Information regarding potential future products is intended to outline our general product direction and it should not be relied on in making a purchasing decision. • The information mentioned regarding potential future products is not a commitment, promise, or legal obligation to deliver any material, code or functionality. Information about potential future products may not be incorporated into any contract. The development, release, and timing of any future features or functionality described for our products remains at our sole discretion. • Performance is based on measurements and projections using standard IBM benchmarks in a controlled environment. The actual throughput or performance that any user will experience will vary depending upon many factors, including considerations such as the amount of multiprogramming in the user's job stream, the I/O configuration, the storage configuration, and the workload processed. Therefore, no assurance can be given that an individual user will achieve results similar to those stated here.
  3. Agenda • X-Force overview • Highlights from the 2011 IBM X-Force Trend and Risk Report – New attack activity – Progress in internet security – New challenges from mobile and cloud
  4. X-Force research. The mission of the IBM X-Force® research and development team is to: • Research and evaluate threat and protection issues • Deliver security protection for today’s security problems • Develop new technology for tomorrow’s security challenges • Educate the media and user communities. By the numbers: 14B analyzed Web pages & images; 40M spam & phishing attacks; 54K documented vulnerabilities; 13B security events daily. Provides specific analysis of: • Vulnerabilities & exploits • Malicious/Unwanted websites
  5. 2011: Year of the security breach
  6. Key Messages from the 2011 Trend Report • New Attack Activity – Rise in Shell Command Injection attacks – Spikes in SSH Brute Forcing – Rise in phishing based malware distribution and click fraud • Progress in Internet Security – Fewer exploit releases – Fewer web application vulnerabilities
  7. SQL injection attacks against web servers
  8. Shell Command Injection attacks
  9. SSH brute force activity
  10. Explosion of phishing based malware distribution and click fraud
  11. MAC malware • 2011 has seen the most activity in the Mac malware world. – Not only in volume compared to previous years, but also in functionality. • In 2011, we started seeing Mac malware with functionalities that we’ve only seen before in Windows® malware.
  12. Key Messages from the 2011 Trend Report • New Attack Activity – Rise in Shell Command Injection attacks – Spikes in SSH Brute Forcing – Rise in phishing based malware distribution and click fraud • Progress in Internet Security – Fewer exploit releases – Fewer web application vulnerabilities
  13. Public exploit disclosures • Total number of exploit releases down to a number not seen since 2006 – Also down as a percentage of vulnerabilities
  14. Public exploits
  15. Decline in web application vulnerabilities • In 2011, 41% of security vulnerabilities affected web applications – Down from 49% in 2010 – Lowest percentage seen since 2005
  16. Key Messages from the 2011 Trend Report • New Attack Activity – Rise in Shell Command Injection attacks – Spikes in SSH Brute Forcing – Rise in phishing based malware distribution and click fraud • Progress in Internet Security – Fewer exploit releases – Fewer web application vulnerabilities
  17. Mobile OS vulnerabilities & exploits • Continued interest in Mobile vulnerabilities as enterprise users request a “bring your own device” (BYOD) strategy for the workplace • Attackers finding these devices represent lucrative new attack opportunities
  18. Social Networking – no longer a fringe pastime • Attackers finding social networks ripe with valuable information they can mine to build intelligence about organizations and their staff: – Scan corporate websites, Google, Google News – Who works there? What are their titles?
  19. Introducing IBM’s Advanced Threat Protection Platform
  20. IBM Security Framework – IBM Security Portfolio (diagram):
      Enterprise Governance, Risk and Compliance Management: IBM OpenPages; Algorithmics (recent acquisition); i2 Corporation (recent acquisition)
      IT GRC Analytics & Reporting: QRadar SIEM; QRadar Log Manager; QRadar Risk Manager; IBM Privacy, Audit and Compliance Assessment Services; Security Consulting
      IT Infrastructure – Operational Security Domains:
        People: Identity & Access Management Suite; Federated Identity Manager; Enterprise Single Sign-On. Managed Services: Identity Assessment, Deployment and Hosting Services
        Data: Guardium Database Security; Optim Data Masking; Key Lifecycle Manager. Managed Services: Data Security Assessment Service; Encryption and DLP Deployment
        Applications: AppScan Source/Std. Edition; DataPower Security Gateway; Security Policy Manager. Managed Services: Application Assessment Service; AppScan OnDemand Software as a Service
        Infrastructure – Network: Network Intrusion Prevention; Server and Virtualization Security; QRadar Anomaly Detection / QFlow. Managed Services: IBM Managed Firewall, Unified Threat and Intrusion Prevention Services
        Infrastructure – Endpoint: Endpoint Manager (BigFix); zSecure suite; Native Server Security (RACF, IBM systems). Managed Services: X-Force Research and Penetration Testing Services
  21. Advanced Threats: The sophistication of Cyber threats, attackers and motives is rapidly escalating. 1995 – 2005: 1st Decade of the Commercial Internet; 2005 – 2015: 2nd Decade of the Commercial Internet. Motive / Adversary, from most to least sophisticated:
      National Security – Nation-state Actors; Targeted Attacks / Advanced Persistent Threat
      Espionage, Political Activism – Competitors, Hacktivists
      Monetary Gain – Organized Crime, using sophisticated tools
      Revenge – Insiders, using inside information
      Curiosity – Script-kiddies or hackers using tools, web-based “how-to’s”
  22. IT Security is a board room discussion:
      Business Impact – Sony estimates potential $1B long term impact – $171M / 100 customers*
      Brand image – HSBC data breach discloses 24K private banking customers
      Supply chain – Epsilon breach impacts 100 national brands
      Legal exposure – TJX estimates $150M class action settlement in release of credit / debit card info
      Impact of hacktivism – Lulzsec 50-day hack-at-will spree impacts Nintendo, CIA, PBS, UK NHS, UK SOCA, Sony …
      Audit risk results – Zurich Insurance PLc fined £2.275M ($3.8M) for the loss and exposure of 46K customer records
  23. QRadar Security Intelligence (same IBM Security Portfolio diagram as slide 20)
  24. Solutions for the Full Compliance and Security Intelligence Timeline
  25. Context & Correlation Drive Deepest Insight
  26. Solving Customer Challenges
  27. Fully Integrated Security Intelligence – One Console Security, built on a Single Data Architecture:
      Log Management: • Turnkey log management • SME to Enterprise • Upgradeable to enterprise SIEM
      SIEM: • Integrated log, threat, risk & compliance mgmt. • Sophisticated event analytics • Asset profiling and flow analytics • Offense management and workflow
      Risk Management: • Predictive threat modeling & simulation • Scalable configuration monitoring and audit • Advanced threat visualization and impact analysis
      Network Activity & Anomaly Detection: • Network analytics • Behavior and anomaly detection • Fully integrated with SIEM
      Network and Application Visibility: • Layer 7 application monitoring • Content capture
  28. IBM Security Threat Platform (same IBM Security Portfolio diagram as slide 20)
  29. IBM Security Network IPS: Addressing Today’s Evolving Threats >260
  30. Why Vulnerability-based Research = Preemptive Security Approach • Protecting against exploits is reactive – Too late for many – Variants undo previous updates
  31. IBM IPS Zero Day (Vuln/Exploit) Web App Protection ■ IBM IPS Injection Logic Engine has stopped every large scale SQL injection or XSS attack day-zero. • Asprox – reported 12/11/2008 – stopped 6/7/2007 • Lizamoon – reported 3/29/2011 – stopped 6/7/2007 • SONY (published) – reported May/June/2011 – stopped 6/7/2007
      New Vulnerability or Exploit | Reported Date | Ahead of the Threat Since
      Nagios expand cross-site scripting | 5/1/2011 | 6/7/2007
      Easy Media Script go parameter XSS | 5/26/2011 | 6/7/2007
      N-13 News XSS | 5/25/2011 | 6/7/2007
      I GiveTest 2.1.0 SQL Injection | 6/21/2011 | 6/7/2007
      RG Board SQL Injection | Published: 6/28/2011 | 6/7/2007
      BlogiT PHP Injection | 6/28/2011 | 6/7/2007
      IdevSpot SQL Injection (iSupport) | 2011-05-23 | 6/7/2007
      2Point Solutions SQL Injection | 6/24/2011 | 6/7/2007
      PHPFusion SQL Injection | 1/17/2011 | 6/7/2007
      ToursManager PhP Script Blind SQLi | 2011-07-xx | 6/7/2007
      Oracle Database SQL Injection | 2011-07-xx | 6/7/2007
      LuxCal Web Calendar | 7/7/2011 | 6/7/2007
      Apple Web Developer Website SQL | 2011-07-xx | 6/7/2007
      MySQLDriverCS Cross-Param SQLi | 6/27/2011 | 6/7/2007
  32. Ahead of the Threat: IBM’s Preemptive Approach vs. Reactive Approach to address Threats. IBM Clients have typically been provided protection guidance prior to or within 24 hours of a vendor vulnerability disclosure being announced (89% of the time in 2010). [Chart: # of days IBM clients were provided protection guidance “Ahead of the Threat”. Source: IBM X-Force]
  33. Network Security Product Line up (Product – Description):
      IBM Security Network Intrusion Prevention System – The core of any Intrusion Prevention strategy, IBM Security Network IPS appliances help to protect the network infrastructure from a wide range of attacks, up to 23 Gbps inspected throughput
      IBM Security Endpoint Defence – Focused on protecting individual assets on the network including servers and desktops from both internal and external threats
      IBM Security Virtual Server Protection – Virtual Server Protection is integrated with the hypervisor and provides visibility into intra-VM network traffic. Supports ESX 4.1 and 5.0 and 10Gb Ethernet
      IBM Security SiteProtector System – Centralized management for IBM Security intrusion prevention solutions that provides a single management point to control security policy, analysis, alerting and reporting
  34. IBM’s Vision for Infrastructure Threat Protection – Roadmap
  35. 1 1Q12: Launched IBM Security Network IPS Powered by X-Force. Core Capabilities: • Unmatched Performance delivering 20Gbps+ of inspected throughput and 10GbE connectivity without compromising breadth and depth of security • Evolving protection powered by world renowned X-Force research to stay “ahead of the threat” • Reduced cost and complexity through consolidation of point solutions and integrations with other security tools • Core tenet for the Advanced Threat Protection Platform. Locked in to Signature-only IPS? Make the move to IBM Security Network IPS: • Meet signature sharing mandates (i.e. Government & Financial Institutions) • IBM Hybrid protection – Using X-Force Protocol Analysis with the ability to write or import custom Snort rules • IBM Network IPS and Protocol Analysis Modules (PAM) + Custom Rules
  36. 1 Extensible Protection with Protocol Analysis Module. Ahead of the Threat extensible protection backed by the power of X-Force:
      Virtual Patch – What It Does: Mitigates vulnerability exploitation independent of a software patch, and enables a responsible patch management process that can be adhered to without fear of a breach. Why Important: At the end of 2011, 36% of all vulnerabilities disclosed during the year had no vendor-supplied patches available to remedy the vulnerability.
      Client-Side Application Protection – What It Does: Protects end users against attacks targeting applications used every day such as Microsoft Office, Adobe PDF, Multimedia files and Web browsers. Why Important: In 2011, vulnerabilities which affect client-side applications represent one of the largest category of all vulnerability disclosures.
      Web Application Protection – What It Does: Protects web applications against sophisticated application-level attacks such as SQL Injection, XSS (Cross-site scripting), PHP file-includes, CSRF (Cross-site request forgery), and Directory Traversals. Why Important: Expands security capabilities to meet both compliance requirements and threat evolution.
      Threat Detection & Prevention – What It Does: Detects and prevents entire classes of threats as opposed to a specific exploit or vulnerability. Why Important: Eliminates need of constant signature updates. Protection includes the proprietary technology such as Java bytecode exploit detection, Flash exploit detection, and Shell Code Heuristics (SCH) technology, which has an unbeatable track record of protecting against zero day vulnerabilities.
      Data Security – What It Does: Monitors, identifies, and provides control over unencrypted personally identifiable information (PII) and other confidential information for data awareness. Also provides capability to explore data flow through the network to help determine if any potential risks exist. Why Important: Flexible and scalable customized data search criteria; serves as a complement to data security strategy.
      Application Control – What It Does: Manages control of unauthorized applications and risks within defined segments of the network, such as ActiveX fingerprinting, Peer To Peer, Instant Messaging, and tunnelling. Why Important: Enforces network application and service access based on corporate policy and governance.
  37. 2 2Q12: Launch the X-Force IP Reputation Feed for QRadar • 2Q12: IBM X-Force powers QRadar with the X-Force IP Reputation Feed – Providing insight into suspect entities on the internet • 15+ Billion URLs Monitored and Classified on a continuous basis • Information about Malicious IPs, Malware hosts, SPAM sources, Dynamic IPs & Anonymous Proxies • Enhances QRadar correlation intelligence
  38. 3 2Q12: Launch QRadar Network Anomaly Detection Optimized for the Advanced Threat Protection Platform • QRadar Network Anomaly Detection – An optimized version of QRadar which complements SiteProtector • Greater visibility for SiteProtector/IPS customers • Network flow capture with behavioral analysis and anomaly detection provides greater security intelligence: – Traffic profiling for added protection from Low and Slow and zero-day threats. Architecture:  SiteProtector as core for command & control  QRadar Network Anomaly Detection for enhanced analytics  QRadar QFlow and VFlow collectors provide Network Awareness via deep packet inspection  Integrated policy management & workflows within SiteProtector facilitate a rapid response to threat and more proactive visibility. [Diagram: AppScan, SiteProtector, QRadar NI, QRadar NIPS, Scanner, Server, Desktop; Visibility – Protection – Suspicious Behavior – Proactive Prevention]
  39. Summary • Fewer public vulnerability disclosures and exploits in 2011 compared to 2010, but… • We see more attack activity, with high profile breaches
  40. Acknowledgements, disclaimers and trademarks © Copyright IBM Corporation 2012. All rights reserved. The information contained in this publication is provided for informational purposes only. While efforts were made to verify the completeness and accuracy of the information contained in this publication, it is provided AS IS without warranty of any kind, express or implied. In addition, this information is based on IBM’s current product plans and strategy, which are subject to change by IBM without notice. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, this publication or any other materials. Nothing contained in this publication is intended to, nor shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software. References in this publication to IBM products, programs or services do not imply that they will be made available in all countries in which IBM operates. Product release dates and/or capabilities referenced in this presentation may change at any time at IBM’s sole discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any way. Nothing contained in these materials is intended to, nor shall have the effect of, stating or implying that any activities undertaken by you will result in any specific sales, revenue growth, savings or other results. All statements regarding IBM future direction and intent are subject to change or withdrawal without notice, and represent goals and objectives only. Information concerning non-IBM products and services was obtained from a supplier of those products and services. IBM has not tested these products or services and cannot confirm the accuracy of performance, compatibility, or any other claims related to non-IBM products and services. Questions on the capabilities of non-IBM products and services should be addressed to the supplier of those products and services. All customer examples cited or described are presented as illustrations of the manner in which some customers have used IBM products and the results they may have achieved. Actual environmental costs and performance characteristics may vary by customer and will vary depending on individual customer configurations and conditions. Nothing contained in these materials is intended to, nor shall have the effect of, stating or implying that any activities undertaken by you will result in any specific sales, revenue growth or other results. Prices are suggested U.S. list prices and are subject to change without notice. Starting price may not include a hard drive, operating system or other features. Contact your IBM representative or Business Partner for the most current pricing in your geography. IBM, the IBM logo, ibm.com, Tivoli, the Tivoli logo, Tivoli Enterprise Console, Tivoli Storage Manager FastBack, and other IBM products and services are trademarks or registered trademarks of International Business Machines Corporation in the United States, other countries, or both. If these and other IBM trademarked terms are marked on their first occurrence in this information with a trademark symbol (® or ™), these symbols indicate U.S. registered or common law trademarks owned by IBM at the time this information was published. Such trademarks may also be registered or common law trademarks in other countries. A current list of IBM trademarks is available on the Web at "Copyright and trademark information" at ibm.com/legal/copytrade.shtml
  41. Thank You – Q&A

Editor's Notes

  • We leverage numerous intelligence sources -- including a database of more than 50,000 computer security vulnerabilities, a global Web crawler and international spam collectors, as well as the real-time monitoring of 13 billion events every day for nearly 4,000 clients in more than 130 countries -- to stay ahead of these emerging threats for our customers. All of this comes from work done in IBM's nine global Security Operations Centers.
  • This chart demonstrates some of the publicly recorded breaches that have happened over the course of 2011. In the Mid Year report, which is represented about half way through this chart, IBM XForce decided to declare 2011 the “Year of the security breach”. When you look at this chart, it becomes quite evident why we came to that conclusion. The color of each circle represents the technical means that was used to breach these organizations, based on what has been publicly made available. We made a rough estimate of the financial impact of each breach, which is represented by the size of the circle. You’ll notice that in the latter half of the year many of the circles are grey, which means we don’t know how that particular entity was breached. This leads to an important point. There are a lot of things that motivate organizations to publicly disclose that their security has been breached. But usually those things have to do with the privacy of personal information, and often the organizations don’t take the time to disclose the technical problem that was exploited by the attacker. Having access to that information is valuable because it enables other organizations to prioritize the security work they are doing, to make sure they address threats that have actually been used against other organizations. Many of these breaches were disclosed without that information, so unfortunately the information is less actionable for security professionals. We’d like to see more of that technical information brought to the forefront when possible. All of these breaches – this activity – has been driving a lot of conversation about computer security in 2011.
  • Three main themes began to emerge as we were pulling together this 2011 annual report. First, we saw some new attack activity begin to emerge, especially in the latter months of 2011. But we also saw some improvements in computer security – especially in the area of application security – and we’ll dive into that in more detail a bit later in this presentation. Finally, we’ll cover new security challenges that are emerging as organizations look to adopt technologies like cloud, with the proliferation of social media, and with individuals looking to use their personal mobile devices in the enterprise.
  • Let's start with some of the new attack activity we are seeing. For a long time we have seen a lot of SQL injection attack activity. This is an attack that targets the database behind a web server. Attackers often engage in this activity in an automated fashion, using bots that scan the internet looking for websites with SQL injection vulnerabilities. What the attacker attempts to do is hijack the legitimate users who are visiting these sites. The attacker then redirects them unknowingly to malware and exploit toolkits that will infect their machines. This is a pretty big problem. 2011 was a banner year for exploiting SQL weaknesses, and several high profile and newsworthy episodes of successful SQL injection attacks were made public. The hacktivist groups Anonymous and Lulzsec were major players in SQL injection tactics and continue to hone their skills with new injection attack vectors.
  • This year, we have seen an uptick in a different kind of web application attack activity, called Shell Command Injection. Instead of injecting database commands through the web application, attackers inject command line commands that run on the operating system that the web application is running on. You can see in this chart a pretty significant increase in this activity at the end of 2011, so we are starting to see some automated Shell Command Injection attacks that work largely the same way as the SQL injection attack activity. This is a vulnerability that has probably received less focus over the last few years; as a consequence of the increased activity we’ve seen, we think organizations should start paying more attention to it.
  • We also saw a spike in volume at the end of the year in SSH brute forcing. This is one of the most common types of attacks we see on the internet: people scan for computers running SSH and then try to brute-force user names and passwords on those computers. We’re not sure if this huge spike is an anomaly or if this will continue to be a problem in 2012, but it certainly is alarming. Again, if you have SSH running on a computer it is important to be sure you have good passwords, because if you don’t, those passwords will quickly be compromised by automated guessing.
  • We also saw another big increase in activity around phishing. In 2008 and 2009 we saw a large amount of phishing activity, and we started to get excited in our mid year 2011 report because, as you can see here, through 2010 there was a relatively small amount of phishing activity and in early 2011 this activity was pretty low as well. It seemed as though the phishing problem had been solved. We still thought there were as many phishing attacks happening in 2010 as there were in 2009 and 2008, but the people sending these emails could not generate as many of them as they used to, because if they did, people monitoring for phishing emails would notice them and react by shutting down the server that they were using to collect credentials. So really, the community of people who were working to fight phishing had made a big dent in 2010. So what happened in the later part of 2011? We’ve seen a new type of phishing-like email that links to websites which do not necessarily perform a phishing attack. These emails use the good name of a well-known brand – perhaps it looks like it is coming from your bank, or a parcel service you are probably quite familiar with – to get you to click on a malware link or, in some cases, a link to an otherwise innocuous site such as a retail site. One possible explanation for the latter type of email might be click-fraud, wherein spammers drive traffic to these sites in exchange for advertising fees. Regardless of the explanation, this nuisance contributed to a large increase in phishing-like emails seen in the later months of the year.
  • More than in any previous year, 2011 has seen the most activity in the Mac malware world. This applies not only to volume, but also to functionality. In 2011, we started seeing Mac malware with functionalities that we’ve only seen before in Windows malware. This may indicate that cyber criminals are now becoming aware of how profitable targeting OS X might be. A couple of notable examples: MacDefender: What makes MacDefender interesting is that it is the type of malware with a spreading mechanism that has been rampant in the Windows world in the last couple of years. MacDefender belongs to the category of malware called “Rogue Antivirus,” which disguise themselves as legitimate antivirus programs. Once installed, it pretends to scan your system, flagging random files as malicious to make it look like your system is heavily infected. The user interface is professional looking and well made, to make it more believable to the user that it is a legitimate app. It has a Register button that will take the user to a website where they can supposedly purchase a license for MacDefender using a credit card. MacDefender displays a message that says that to remove the detected malware you should pay for the licensed version, so a user may feel forced to register. The user’s credit card will then be charged for the amount and, on top of that, his credit card number may be used for other purposes as well. Flashback: Flashback disguises itself as a Flash Player installer that can be downloaded when visiting malicious websites, showing a download or install Flash player icon. When installed, Flashback injects code into the application launched by the user. The injected code is responsible for contacting a remote server to download updates or to send data from the infected machine. Flashback also tries to prevent future updates to XProtect by overwriting some relevant files. XProtect is Apple’s built-in basic malware protection system that uses string matching to detect malware. Apple updates XProtect whenever a high-profile Mac malware is discovered. Flashback also tries to thwart analysis by researchers by detecting if it is running on a VMWare virtual machine. Using this detection evasion mechanism is common in Windows malware, but this is the first Mac malware we’ve seen that employs this technique. This demonstrates that Mac malware technology is catching up to Windows malware technology. DevilRobber: DevilRobber was discovered inside Mac applications that were illegally shared on BitTorrent, such as GraphicConverter, Flux, CorelPainter, and Pixelmator. DevilRobber is the most sophisticated Mac malware we’ve seen so far and contains several components. It is primarily a backdoor that opens a port on the infected machine to receive commands from a remote attacker, but one interesting functionality it has is Bitcoin mining, where it installs the Bitcoin mining application DiabloMiner to use the computing power of the CPU and GPU (for users with high performance graphics cards) of the infected machine to mine for Bitcoins. It also attempts to steal the Bitcoin wallet if found. DevilRobber also steals the Keychain of the user along with other information from the infected machine and uploads them to a remote FTP server. DevilRobber also has the ability to detect if the infected machine is behind a gateway device, and then enable port-forwarding via UPnP. This enables the attacker to remotely access the infected machine using the port opened by DevilRobber, even if the infected machine is behind a gateway device.
  • Now we will spend a little time talking about progress we have seen. We are doing a lot of work to make the internet safer, to improve software design – and really, that work is having an impact, and we are seeing it in our statistics.
  • Another thing we took note of this year is that fewer exploits were released on the internet for publicly disclosed vulnerabilities. In the past few years about 15% of publicly disclosed vulnerabilities ended up with a public exploit that could be used for malicious purposes; this year that number is down to around 11%. This is a big change, and we think it is a consequence of software getting more resilient to attack. Certain programs have adopted sandboxes, so that exploiting a vulnerability no longer easily gives control over the surrounding machine, as well as other technologies that make exploitation more difficult. We still see a lot of vulnerabilities being disclosed, but people are less able to actually leverage them. This is great news and means computers are getting more secure.
  • These charts show particular categories of exploit. Browser exploits are down significantly from where they were a few years ago, which is important because a lot of attack activity targets the browser and the browser environment. We have also seen significantly fewer exploits targeting document readers and editors this year, another significant bit of progress. One place where we have yet to see progress is multimedia players: we saw just as many exploits there this year as last year, but we expect some improvement in this area in 2012. We still see a lot of attack activity on the internet, but the software we use is getting stronger and more secure, and we can see a future where some of this attack activity is significantly mitigated.
  • We also saw fewer web application vulnerabilities in 2011. As I mentioned earlier, SQL injection is the most common type of attack activity we see on the internet. For the past few years web application vulnerabilities made up about 50% of publicly disclosed vulnerabilities; this year that number is down to about 40%. That is a big change, and it suggests web application developers are getting smarter about how they build their applications, perhaps by using tools to scan and test for vulnerabilities earlier in the development process, which contributes to a safer internet. We still have a lot of work to do here: 40% of disclosed vulnerabilities is still a lot, and we are seeing the attack types pivot. We now see more shell command injection activity than SQL injection activity, because SQL injection is harder to find than it used to be. But this is progress; it is moving in the right direction and toward a safer internet.
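Since the slide contrasts SQL injection with the shell command injection attackers are pivoting to, here is an added example (written for this page, not taken from the report) that shows both classes in their vulnerable form beside the hardened one. It runs against a constructed in-memory SQLite table and the system's echo command, so nothing here is a real application; the table contents, the hostname pattern and the inputs are all made up for the demonstration.

```python
import re
import sqlite3
import subprocess


def make_db():
    """In-memory table standing in for an application's user store (constructed data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, secret TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "s3cret-1"), ("bob", "s3cret-2")])
    return conn


def lookup_vulnerable(conn, name):
    # SQL injection: a quote in the input closes the literal and the rest is parsed as SQL.
    query = f"SELECT name FROM users WHERE name = '{name}' ORDER BY name"
    return conn.execute(query).fetchall()


def lookup_safe(conn, name):
    # Bound parameter: the driver passes the value separately, it is never parsed as SQL.
    query = "SELECT name FROM users WHERE name = ? ORDER BY name"
    return conn.execute(query, (name,)).fetchall()


# Allowlist for a hostname-shaped argument (assumed policy for this example).
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9.-]{0,252}$")


def echo_vulnerable(host):
    # Shell command injection: shell=True hands the string to /bin/sh,
    # so ';' ends the echo and starts a second, attacker-chosen command.
    return subprocess.check_output("echo " + host, shell=True, text=True)


def echo_argv(host):
    # No shell: the whole string is one argv element and ';' is just a character.
    return subprocess.check_output(["echo", host], text=True)


def echo_safe(host):
    # Defence in depth: validate against the allowlist before the value reaches any command.
    if not HOSTNAME_RE.match(host):
        raise ValueError(f"rejected hostname: {host!r}")
    return echo_argv(host)


if __name__ == "__main__":
    db = make_db()
    payload = "x' OR '1'='1"
    print("vulnerable SQL:", lookup_vulnerable(db, payload))
    print("parameterised :", lookup_safe(db, payload))
    cmd = "localhost; echo INJECTED"
    print("vulnerable shell:", repr(echo_vulnerable(cmd)))
    print("argv form       :", repr(echo_argv(cmd)))
```

The argv form alone already stops the injection; the allowlist on top of it is what a reviewer would still ask for, because the next developer may route the same value into a shell, a log line or a URL.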
  • As I mentioned earlier, we continue to put new technologies into our IT environments, and they create potential new surface areas for attack.
  • Mobile devices are certainly one of those areas. People want to "bring their own device" into the enterprise, they want to access work through their personal tablet or smartphone, and they want to decide which phone they use. This is a real IT management challenge. These charts represent vulnerabilities and exploits that have been released targeting mobile devices. We saw slightly fewer mobile vulnerabilities this year than last year, but it was still a fairly large number, and we saw an increase in the number of exploits released on the internet that could be used against mobile devices. We are not seeing that much attack activity yet; we still see less attack activity targeting mobile devices than traditional desktops. However, a year ago we were seeing almost no activity of that sort, and now it is definitely happening. There have been some significant incidents: a few weeks ago someone reported a 100,000-node botnet that infects mobile devices. That is a significant number of infections and something to pay attention to, but it does not yet rival the scope of the problem targeting traditional desktops.
  • These attackers spend a lot of time researching on Twitter, Facebook and the like in order to work out the organizational structure of the organization they are targeting, so that they know whom to send these emails to and how to make them compelling. Often they send the email from an account that appears to belong to an acquaintance or co-worker of the victim.
  • There is a period of time before every technology is applied for purposes of national security. The first manned flight by the Wright brothers in 1903 lasted 12 seconds; within 10 years the sky had become another battlefield, no less important than those on land and sea. What we are witnessing, in many ways, is the weaponization of cyber space for a range of purposes, and we are only seeing the tip of the iceberg. Clearly there has been an evolution of players (and motives) involving well-funded and well-resourced actors: insiders, organized crime, espionage, political activists and nation states. This is matched by an escalation in the value of the assets being targeted and in the sophistication of attack vectors. In many ways this escalation in the threat is challenging and exposing the weaknesses of the current generation of security controls: bigger firewalls and better locks are no longer sufficient to protect against sophisticated attacks conducted by nation-state level actors. Some statistics:
  – 52%: private-sector statistics show that the insider threat is up more than 52% in the past year.
  – $226 billion: the economic impact of cyber-attacks on businesses has grown to over $226 billion annually (source: Congressional Research Service study).
  – 158% increase: security breaches are on the increase; cyber-attacks have increased 158% since 2006, and worldwide cyber-attacks increased 30% over the second half of 2008 (sources: US Department of Homeland Security; IBM Internet Security Systems X-Force).
  • Sources:
  – Sony breach: http://www.search.sony.net/result/net/search.x?ie=utf8&site=&pid=ACsW7rd0W_Zt_QIz-sORfA..&qid=rOX1wPP0JvM.&q=security+breach&msk=1#5
  – HSBC breach: http://news.bbc.co.uk/2/hi/business/8562381.stm
  – Epsilon breach: http://www.securityweek.com/massive-breach-epsilon-compromises-customer-lists-major-brands
  – TJX breach: TJX Companies, Inc. press release, 8/14/2007, http://www.businesswire.com/news/tjx/20070814005701/en
  – LulzSec breach: http://www.reuters.com/article/2011/08/01/us-britain-hacking-lulzsec-idUSTRE7702IL20110801
  – Zurich Insurance breach (Financial Services Authority of Britain): http://www.fsa.gov.uk/pubs/final/zurich_plc.pdf
  • The X-Force approach to protecting against vulnerabilities means IBM solutions can help stop threats at their source. This is a far different approach than reactive measures that "chase" exploits and are negated as soon as an exploit evolves.
  • One of the toughest challenges in security today is keeping pace with the increasing diversity and sheer number of attacks. IBM's preemptive protection approach helps protect our clients well ahead of major vendor vulnerability disclosures, which is far superior to the reactive approach used by many vendors: our clients are not left unprotected while a reactive measure is developed. In many cases IBM clients are given protection guidance before (in many cases 100+ days ahead of) or within 24 hours of a vendor vulnerability disclosure.
  • IBM Security Network IPS:
  – Highly accurate stateful inspection algorithms through IBM's PAM module for resilient protection against network vulnerabilities.
  – Advanced heuristic and deep content analysis engines to protect against advanced threat classes such as browser attacks, data leakage and web application attacks, including attacks designed to evade most security technologies.
  – The ability to leverage publicly available signature sources for known threats, and to share custom rules with other security teams to enhance and tune protection for the customer's network.
  – Helps monitor and control applications in the enterprise to reduce the risk of data theft and save on network bandwidth costs.
  – Enables centrally managed protection against known and unknown attacks, including those targeted at web applications, and against both targeted and broad-based attacks.
  – Helps companies meet regulatory compliance requirements, including GLBA, Sarbanes-Oxley and PCI-DSS.
  – With Firmware 4.4, adds the ability to write or import custom open source signatures and to monitor network capacity.
  • Snort and PAM: many network IPS devices only support Snort, an open source, signature-based intrusion detection method with drawbacks. Snort signatures are easy to share, but lack the behavioral intelligence needed for more sophisticated attacks. Only IBM Security Network IPS has the behavioral-based X-Force Protocol Analysis engine. The technology IBM announces today lets customers:
  – Retire their Snort-based devices and migrate to IBM's PAM-based Network IPS, taking their customized Snort rules with them to ease the transition.
  – Run Snort in parallel to PAM: hybrid protection using X-Force Protocol Analysis with the ability to write or import custom Snort rules.
  – Address the changing threat landscape with limited expertise and resources, and reduce the TCO of IPS through easy migration from Snort-only alternatives to IBM NIPS.
  • Protocol Analysis Module (PAM):
  – Performs deep packet inspection.
  – Performs deep protocol and content analysis.
  – Detects protocol and content anomalies.
  – Simulates the protocol/content stacks in vulnerable systems.
  – Normalizes at each protocol and content layer.
  – Provides the ability to add new security functionality within the existing solution.
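Two of the PAM properties listed above, normalizing at each layer and simulating the target's protocol stack, are what separate protocol analysis from raw signature matching. The following is an added illustration of that general principle, written for this page and not IBM's engine or any Snort rule: a naive matcher that looks at the request line as sent, beside one that percent-decodes the path a configurable number of times (mirroring how often the protected server decodes) and resolves "../" segments before matching. The signature strings and the three request lines are constructed for the demonstration.

```python
from urllib.parse import unquote

# Hypothetical signatures; a real engine carries far more context than a substring.
SIGNATURES = {
    "dir-traversal": "../",
    "etc-passwd": "/etc/passwd",
}


def percent_decode(text, rounds=1):
    """Apply %XX decoding up to `rounds` times. The count should mirror how many
    times the protected server decodes; double decoding is a classic evasion."""
    current = text
    for _ in range(rounds):
        decoded = unquote(current)
        if decoded == current:
            break
        current = decoded
    return current


def collapse_path(path):
    """Resolve '.' and '..' segments the way a filesystem would, rooted at '/'."""
    stack = []
    for segment in path.split("/"):
        if segment in ("", "."):
            continue
        if segment == "..":
            if stack:
                stack.pop()
            continue
        stack.append(segment)
    return "/" + "/".join(stack)


def raw_match(request_line, signatures=SIGNATURES):
    """Signature matching on the bytes as sent, with no normalization."""
    return sorted(name for name, pattern in signatures.items()
                  if pattern in request_line)


def normalized_match(request_line, decode_rounds=1, signatures=SIGNATURES):
    """Decode and resolve the path first, then match. Also returns the path the
    server would actually open, which is what a vulnerability-centric rule cares about."""
    _method, uri, _version = request_line.split(" ", 2)
    path = uri.split("?", 1)[0]
    decoded = percent_decode(path, decode_rounds)
    resolved = collapse_path(decoded)
    hits = sorted(name for name, pattern in signatures.items()
                  if pattern in decoded or pattern in resolved)
    return hits, resolved


# Constructed request lines, not captured traffic.
SAMPLES = [
    "GET /cgi-bin/..%2f..%2fetc%2fpasswd HTTP/1.1",      # single encoding
    "GET /%252e%252e/%252e%252e/etc/passwd HTTP/1.1",    # double encoding
    "GET /docs/index.html HTTP/1.1",                      # benign
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(line)
        print("  raw       :", raw_match(line))
        print("  1 decode  :", normalized_match(line, 1))
        print("  2 decodes :", normalized_match(line, 2))
```

The double-encoded request is the instructive one: a sensor that decodes once sees no traversal at all, while a server that decodes twice opens /etc/passwd. Getting the decode depth right is the "simulate the vulnerable stack" part; getting "../" out of "%2e%2e%2f" is the "normalize at each layer" part.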