IBM Security Network Protection (XGS) Advanced Threat Protection Integration Framework
Transcript of IBM Security Network Protection (XGS) Advanced Threat Protection Integration Framework
© 2014 IBM Corporation
IBM Security Systems
IBM Security Network Protection (XGS) Advanced Threat Protection Integration Framework
http://ibm.biz/ISNP_ATP_API
Advanced Threat Protection (ATP) Overview
The ATP Integration Framework is a generic mechanism for IBM Security Network Protection (ISNP) to receive alerts from external systems and act on them by quarantining the hosts or services those alerts identify.
Advanced Threat Protection Policy
An alert is mapped to one of five types:
• Compromise: a successful breach of security, currently active within the environment. This could range from subversive human behavior to automated command-and-control exploits.
• Reputation: characteristics tied to an address or web URI and related to geography or observed content behavior.
• Intrusion: an instance of an in-progress network attack attempt.
• Malware: malicious software in flight on the network or at rest on a disk.
• Exposure/vulnerability: an identified network weakness which, if successfully exploited, could result in a compromise.
Each alert is also classified into one of three severities: High, Medium, Low.
Advanced Threat Protection Policy (cont.) (policy screenshot)
Sandbox Malware Detection Integration
• Web Security Appliance: uses enterprise-based sandboxing to execute and profile files to identify C&C hosts; can monitor traffic and identify internal hosts that are compromised (through calls to known C&C sites).
• Although malware detection systems can raise alerts, they are not enforcement devices.
• ISNP can provide the enforcement for malware detection.
Malware Detection / ISNP Network Topology (diagram)
Typical Use Cases
• There are three supported quarantine use cases:
– Compromise: a machine infected with malware and transmitting data to a command-and-control server represents a compromised host in an enterprise network.
– Reputation: a command-and-control server contacted by a compromised host, or a web server hosting a web exploit, represents a malicious server with a poor reputation.
– Malware: a malware object being transmitted over the network from a hosting server to a target host represents a threat in flight.
Event Log: Advanced Threat Events (screenshot)
Active Quarantines (screenshot)
Backup
Menu - Advanced Threat Policy (screenshot)
Advanced Threat Policy (screenshot)
Menu - Advanced Threat Protection Agents (screenshot)
Advanced Threat Protection Agents (screenshot)
Menu - Active Quarantines (screenshot)
Active Quarantines (screenshot)
Menu - Event Log (screenshot)
Event Log: Advanced Threat Events (screenshot)
QRadar-based integration (QRadar 7.2 MR1)
QRadar
• There are four supported cases:
– Compromise: if the source IP is right-clicked, that IP address is sent to the XGS. This might be used when the host has been infected with malware.
– Reputation: if the destination IP is right-clicked, that IP address is sent to the XGS. This represents a malicious server such as a C&C server or one hosting malware.
– Intrusion: if a source port is right-clicked, the source IP address and port combination is sent to the XGS. This covers the case of that client system attacking a server.
– Exposure: if the destination port is right-clicked, the destination IP address and port combination is sent to the XGS. This might be used when the service has a vulnerability.
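The five alert types and three severities on the policy slides, the three quarantine use cases, and the four QRadar right-click cases above all reduce to one decision: which address (and optionally port) an external alert maps to, and whether the policy quarantines it or only logs it. The following is an added example, not IBM's code and not the XGS API at http://ibm.biz/ISNP_ATP_API; the alert fields, the policy thresholds, the allowlist, the TTL and the choice to quarantine the hosting server for a Malware alert are all assumptions made for illustration. It also adds one check a practitioner would want before wiring a SIEM action to an enforcement device: source addresses in an intrusion alert can be spoofed, so an automated quarantine must never be able to cut off the SIEM or the appliance's own management address.

```python
"""Added example (not IBM's code): a model of how an ATP-style alert becomes a quarantine.
Alert shape, policy table, allowlist and TTL are assumptions for illustration."""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, Iterable, Optional, Tuple


class AlertType(Enum):
    COMPROMISE = "compromise"   # infected host talking to C&C: quarantine the source
    REPUTATION = "reputation"   # C&C / exploit host: quarantine the destination
    INTRUSION = "intrusion"     # client attacking a server: source IP + source port
    EXPOSURE = "exposure"       # vulnerable service: destination IP + destination port
    MALWARE = "malware"         # threat in flight from hosting server to target host


class Severity(Enum):
    LOW = 1
    MEDIUM = 2
    HIGH = 3


@dataclass(frozen=True)
class Alert:
    type: AlertType
    severity: Severity
    src_ip: str
    dst_ip: str
    src_port: Optional[int] = None
    dst_port: Optional[int] = None


@dataclass(frozen=True)
class Quarantine:
    ip: str
    port: Optional[int]      # None quarantines every flow involving ip
    side: str                # "source" or "destination"
    reason: AlertType
    ttl_seconds: int


# Assumed policy: minimum severity at which each type is quarantined rather than only logged.
DEFAULT_POLICY: Dict[AlertType, Severity] = {
    AlertType.COMPROMISE: Severity.MEDIUM,
    AlertType.REPUTATION: Severity.MEDIUM,
    AlertType.INTRUSION: Severity.HIGH,
    AlertType.EXPOSURE: Severity.HIGH,
    AlertType.MALWARE: Severity.LOW,
}

# Assumed allowlist: addresses an external alert must never be able to cut off, e.g. the
# SIEM and the appliance management interface. Source IPs in intrusion alerts can be spoofed.
DEFAULT_ALLOWLIST = frozenset({"10.0.0.2", "10.0.0.3"})


def quarantine_target(alert: Alert) -> Tuple[str, Optional[int], str]:
    """Map an alert to (ip, port, side) following the use cases on the slides."""
    if alert.type is AlertType.COMPROMISE:
        return alert.src_ip, None, "source"
    if alert.type is AlertType.REPUTATION:
        return alert.dst_ip, None, "destination"
    if alert.type is AlertType.INTRUSION:
        if alert.src_port is None:
            raise ValueError("intrusion alert needs src_port")
        return alert.src_ip, alert.src_port, "source"
    if alert.type is AlertType.EXPOSURE:
        if alert.dst_port is None:
            raise ValueError("exposure alert needs dst_port")
        return alert.dst_ip, alert.dst_port, "destination"
    # Malware: the slides only call it a threat in flight; quarantining the hosting
    # server (the source) is this example's assumption.
    return alert.src_ip, None, "source"


def decide(alert: Alert, policy: Dict[AlertType, Severity] = DEFAULT_POLICY,
           allowlist=DEFAULT_ALLOWLIST, ttl_seconds: int = 3600) -> Optional[Quarantine]:
    """Return a Quarantine, or None when policy says log only or the target is allowlisted."""
    if alert.severity.value < policy[alert.type].value:
        return None
    ip, port, side = quarantine_target(alert)
    if ip in allowlist:
        return None
    return Quarantine(ip, port, side, alert.type, ttl_seconds)


def active_quarantines(alerts: Iterable[Alert]) -> Dict[Tuple[str, Optional[int]], Quarantine]:
    """Collapse an alert stream into active quarantines keyed by (ip, port); a later alert
    for the same target replaces the earlier record (and its TTL)."""
    active: Dict[Tuple[str, Optional[int]], Quarantine] = {}
    for alert in alerts:
        q = decide(alert)
        if q is not None:
            active[(q.ip, q.port)] = q
    return active


# Constructed sample alerts, as a SIEM right-click action or a sandbox might send them.
SAMPLE_ALERTS = [
    Alert(AlertType.COMPROMISE, Severity.HIGH, "10.0.1.25", "203.0.113.7", 49211, 443),
    Alert(AlertType.REPUTATION, Severity.MEDIUM, "10.0.1.25", "203.0.113.7", 49211, 443),
    Alert(AlertType.INTRUSION, Severity.MEDIUM, "10.0.1.30", "10.0.2.10", 40001, 22),  # log only
    Alert(AlertType.EXPOSURE, Severity.HIGH, "198.51.100.4", "10.0.2.10", 50100, 445),
    Alert(AlertType.INTRUSION, Severity.HIGH, "10.0.0.2", "10.0.2.10", 40002, 22),     # allowlisted
]

if __name__ == "__main__":
    for key, q in sorted(active_quarantines(SAMPLE_ALERTS).items(), key=str):
        print(key, q.side, q.reason.value, q.ttl_seconds)
```

Run as a script it lists three active quarantines: the compromised host 10.0.1.25, the C&C server 203.0.113.7, and the exposed service 10.0.2.10:445; the medium-severity intrusion is logged only and the alert naming an allowlisted source never reaches enforcement. A real deployment would replace the policy dictionary with the appliance's Advanced Threat Policy and the returned records with calls to the XGS API, which this example does not reproduce.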
QRadar "right click" Integration (source address): "on the glass" integration (screenshots)
QRadar Advanced Threat Events (screenshot)
QRadar "right click" Integration (destination port): "on the glass" integration (screenshots)
QRadar Advanced Threat Events (screenshot)
ibm.com/security