Page 1: IBM Security Network Protection (XGS) Advanced Threat Protection Integration Framework

© 2012 IBM Corporation

IBM Security Systems

© 2014 IBM Corporation

http://ibm.biz/ISNP_ATP_API

Page 2: Advanced Threat Protection (ATP) Overview

The ATP Integration Framework is a generic mechanism that lets IBM Security Network Protection (ISNP) receive alerts from external systems and act on those alerts by applying Quarantine to the host or service they identify.

Page 3: Advanced Threat Protection Policy

An alert is mapped to one of five types:

Compromise: a successful breach of security that is currently active within the environment. This can range from subversive human behavior to automated command-and-control activity.

Reputation: characteristics tied to an address or web URI, related to geography or to observed content behavior.

Intrusion: an instance of an in-progress network attack attempt.

Malware: malicious software in flight on the network or at rest on a disk.

Page 4: Advanced Threat Protection Policy (cont.)

Exposure/vulnerability: an identified network weakness which, if successfully exploited, could result in a compromise.

• Each alert is also classified into one of three severities:

– High

– Medium

– Low

Page 5: Advanced Threat Protection Policy (cont.)

Page 6: Sandbox Malware Detection Integration

Web Security Appliance:

• Uses enterprise-based sandboxing to execute and profile files in order to identify C&C hosts.

• Can monitor traffic and identify internal hosts that are compromised (through calls to known C&C sites).

Although malware detection systems can raise alerts, they are not enforcement devices.

ISNP can provide the enforcement for malware detection.

Page 7: Malware Detection / ISNP Network Topology

Page 8: Typical Use Cases

• There are three supported Quarantine use cases:

• Compromise: A machine infected with malware and transmitting data to a Command & Control server represents a Compromised Host in an enterprise network.

• Reputation: A Command & Control server contacted by a compromised host, or a web server hosting a web exploit, represents a Malicious Server with a poor reputation.

• Malware: A malware object being transmitted over the network from a hosting server to a target host represents a Threat-In-Flight.

Page 9: Event Log: Advanced Threat Events

Page 10: Active Quarantines

Page 11: Backup

Page 12: Menu - Advanced Threat Policy

Page 13: Advanced Threat Policy

Page 14: Menu - Advanced Threat Protection Agents

Page 15: Advanced Threat Protection Agents

Page 16: Menu - Active Quarantines

Page 17: Active Quarantines

Page 18: Menu – Event Log

Page 19: Event Log: Advanced Threat Events

Page 20: IBM Security Network Protection (XGS) Advanced Threat Protection Integration Framework

QRadar-based integration (QRadar 7.2 MR1)

Page 21: QRadar

• There are four supported cases:

– Compromise: If the source IP is right-clicked, that source IP address is sent to the XGS. This is used when the host has been infected with malware.

– Reputation: If the destination IP is right-clicked, that destination IP address is sent to the XGS. This represents a malicious server such as a C&C server or one hosting malware.

– Intrusion: If a source port is right-clicked, the source IP address and port combination is sent to the XGS. This covers the case of that client system attacking a server.

– Exposure: If the destination port is right-clicked, the destination IP address and port combination is sent to the XGS. This is used when the service has a vulnerability.
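The following Python is an added example, not IBM code and not the ISNP ATP API itself (the request format lives behind the ibm.biz link on page 1 and is not reproduced here). It models the semantics the slides on pages 3, 4, 8 and 21 describe: the alert type chosen by the analyst decides which end of the flow is quarantined (source host for Compromise, destination host for Reputation, source IP+port for Intrusion, destination IP+port for Exposure), the severity is one of the three listed, and the resulting quarantine entries are then checked against sample flows to show what an enforcement point would block. The class and function names (`Quarantine`, `alert_from_event`, `is_blocked`) and the sample addresses are this example's own assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import Iterable, Optional

# The five ATP alert types and three severities named on the slides.
ALERT_TYPES = {"Compromise", "Reputation", "Intrusion", "Malware", "Exposure"}
SEVERITIES = {"High", "Medium", "Low"}


@dataclass(frozen=True)
class Quarantine:
    """One quarantine entry derived from an alert (hypothetical model, not the XGS schema)."""
    alert_type: str
    severity: str
    side: str                   # "src" or "dst": which end of a flow this entry matches
    ip: str
    port: Optional[int] = None  # only Intrusion and Exposure carry a port


def alert_from_event(alert_type: str, severity: str, src_ip: str, src_port: int,
                     dst_ip: str, dst_port: int) -> Quarantine:
    """Map a QRadar-style event plus the analyst's chosen alert type to a quarantine entry.

    Compromise -> quarantine the source host (infected client)
    Reputation -> quarantine the destination host (C&C or malware-hosting server)
    Intrusion  -> quarantine source IP + source port (attacking client)
    Exposure   -> quarantine destination IP + destination port (vulnerable service)
    Malware names an object in flight, not a host or service, so it is rejected here.
    """
    if alert_type not in ALERT_TYPES:
        raise ValueError(f"unknown alert type {alert_type!r}")
    if severity not in SEVERITIES:
        raise ValueError(f"unknown severity {severity!r}")
    for p in (src_port, dst_port):
        if not 0 < p <= 65535:
            raise ValueError(f"port out of range: {p}")
    # ipaddress.ip_address raises on anything that is not a valid address, so a
    # malformed or injected field from the SIEM cannot become a bogus quarantine.
    src_ip = str(ipaddress.ip_address(src_ip))
    dst_ip = str(ipaddress.ip_address(dst_ip))

    if alert_type == "Compromise":
        return Quarantine(alert_type, severity, "src", src_ip)
    if alert_type == "Reputation":
        return Quarantine(alert_type, severity, "dst", dst_ip)
    if alert_type == "Intrusion":
        return Quarantine(alert_type, severity, "src", src_ip, src_port)
    if alert_type == "Exposure":
        return Quarantine(alert_type, severity, "dst", dst_ip, dst_port)
    raise ValueError("Malware alerts identify an object in flight, not a host or service")


def is_blocked(quarantines: Iterable[Quarantine], src_ip: str, src_port: int,
               dst_ip: str, dst_port: int) -> Optional[Quarantine]:
    """Return the first quarantine entry matching the flow, or None if the flow is allowed."""
    for q in quarantines:
        ip, port = (src_ip, src_port) if q.side == "src" else (dst_ip, dst_port)
        if q.ip == ip and (q.port is None or q.port == port):
            return q
    return None


if __name__ == "__main__":
    # Constructed sample events; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
    active = [
        alert_from_event("Compromise", "High", "10.0.0.5", 51000, "203.0.113.7", 443),
        alert_from_event("Reputation", "High", "10.0.0.9", 52000, "203.0.113.7", 443),
        alert_from_event("Exposure", "Medium", "198.51.100.4", 40000, "10.0.0.20", 445),
    ]
    for flow in [("10.0.0.5", 1234, "198.51.100.1", 80),   # infected host, any destination
                 ("10.0.0.8", 1234, "203.0.113.7", 8080),  # any host reaching the C&C server
                 ("10.0.0.8", 1234, "10.0.0.20", 445),     # vulnerable service
                 ("10.0.0.8", 1234, "10.0.0.20", 80)]:     # other ports on that host stay open
        hit = is_blocked(active, *flow)
        print(flow, "BLOCKED by " + hit.alert_type if hit else "allowed")
```

Note that a Compromise or Reputation entry matches every port of the quarantined host, while Intrusion and Exposure entries are deliberately narrower (one IP and one port), which is what keeps an Exposure quarantine from taking a whole server offline because one service on it is vulnerable.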

Page 22: QRadar “right click” Integration (source address)

“on the glass” integration

Page 23: QRadar “right click” Integration (source address)

Page 24: QRadar Advanced Threat Events

Page 25: QRadar “right click” Integration (destination port)

“on the glass” integration

Page 26: QRadar “right click” Integration (destination port)

Page 27: QRadar Advanced Threat Events

Page 28: ibm.com/security