Orchestrate Your Security Defenses to Optimize the Impact of Threat Intelligence


Transcript of Orchestrate Your Security Defenses to Optimize the Impact of Threat Intelligence

Orchestrating Your Security Defenses with Threat Intelligence

August 15, 2017

Sam Dillingham, Senior Offering Manager, IBM X-Force

Pamela Cobb, Portfolio Manager, IBM X-Force

2 IBM Security

Today’s agenda

Intro to Threat Intelligence

Threat Intelligence use cases

Taking action with integrations

Get started today!


It takes too long to make information actionable.

Analysts can’t separate the signal from the noise.

Data is gathered from untrusted sources.

65% of enterprise firms use external threat intelligence to enhance their security decision making (Source: ESG Global).

Security teams often lack critical support to make the most of these resources.


More companies are sharing and consuming threat intelligence

1. Timely and early warning of relevant threats to stay a step ahead

2. Increased visibility into emerging threats as more organizations benefit from other organizations’ detections

3. Validation and prioritization of threats based on the context of suspicious activity

4. Faster and more orchestrated response through enrichment of incidents with IoCs

5. More awareness of targets and tactics to help plan, build and evolve your security strategy

Source: How to Collect, Refine, Utilize and Create Threat Intelligence, Gartner, Oct 2016

IBM and Business Partner Use Only


IBM X-Force Exchange is a threat intelligence sharing platform designed to help security teams research, collaborate and integrate.

xforce.ibmcloud.com


Research: Collections streamline security investigations with research from curated content
• Validate findings
• Aid in forensic investigations
• Provide tactical / strategic intelligence

Collaborate: Groups allow public or private collaboration to validate threats and develop response plans
• Address investigations
• Enable research workflow
• Interact with X-Force research community

Integrate: Integrations strengthen security solutions and provide additional threat intelligence
• X-Force Exchange SDK / API / STIX / TAXII
• Threat Feed Manager
• Free / commercial usage


Threat Intelligence use cases


Use cases for threat intelligence

• Real-time blocking
• Security operations
• Threat research & hunting


Use Case 1: Real-time blocking

Usage
• Blocking access to known malicious actors
• Can include IPs, domains, URLs, etc.
• Implemented by firewalls, IPSes, proxies, and other security devices

Critical Factors
• Speed in making blocking decisions
• Scoring flexibility to set a threshold of what to block
• Frequent incremental updates to minimize performance impact

Delivery Route
• Software development kits (SDKs)
• Block lists
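The three critical factors above (a blocking threshold, per-device delivery, incremental updates) are easy to get wrong in practice, so here is an added worked example that is not part of the IBM deck: it takes scored indicators, applies a risk-score threshold plus a confidence floor, splits the result per enforcement device, and emits only the add/remove delta between two generations of the list. The feed records are constructed from RFC 5737 / RFC 2606 test addresses and names, and the field names are an assumption for illustration, not the X-Force Exchange API schema.

```python
"""Added example, not from the IBM deck: turn scored indicators into a
block list with a configurable risk threshold, split it per enforcement
device, and emit incremental add/remove updates instead of re-pushing the
whole list every cycle.

The feed records are constructed (RFC 5737 / RFC 2606 test addresses and
names). The field names are an assumption for illustration, not the
X-Force Exchange API schema.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set, Tuple


@dataclass(frozen=True)
class ScoredIndicator:
    value: str       # IP address, domain or URL
    kind: str        # "ip", "domain" or "url"
    score: float     # risk score on the 1-10 scale the deck describes
    confidence: int  # categorisation confidence, 1-100 %


# Constructed sample feed: test ranges only, not real infrastructure.
SAMPLE_FEED: List[ScoredIndicator] = [
    ScoredIndicator("198.51.100.7", "ip", 9.1, 95),
    ScoredIndicator("203.0.113.42", "ip", 6.4, 70),
    ScoredIndicator("192.0.2.10", "ip", 2.0, 40),
    ScoredIndicator("bad.example.net", "domain", 8.0, 88),
    ScoredIndicator("http://shop.example.org/login", "url", 7.5, 30),
]


def select_for_blocking(feed: Iterable[ScoredIndicator],
                        min_score: float = 7.0,
                        min_confidence: int = 50) -> Set[str]:
    """Return indicator values that clear both thresholds.

    Two knobs rather than one: a high score backed by low confidence is a
    classic false-positive source on an in-line blocking device, so such
    entries are better routed to alerting than to a drop rule.
    """
    return {i.value for i in feed
            if i.score >= min_score and i.confidence >= min_confidence}


def partition_by_kind(selected: Set[str],
                      feed: Iterable[ScoredIndicator]) -> Dict[str, List[str]]:
    """Group selected values per indicator type, so the firewall gets IPs
    and the proxy gets domains/URLs, each in a sorted, reproducible order."""
    out: Dict[str, List[str]] = {}
    for i in feed:
        if i.value in selected:
            out.setdefault(i.kind, []).append(i.value)
    return {k: sorted(v) for k, v in out.items()}


def incremental_update(previous: Set[str],
                       current: Set[str]) -> Tuple[List[str], List[str]]:
    """Diff two block-list generations into (additions, removals).

    Pushing only the delta keeps the rule reload on the device small, which
    is the 'frequent incremental updates' point from the slide.
    """
    return sorted(current - previous), sorted(previous - current)


if __name__ == "__main__":
    gen1 = select_for_blocking(SAMPLE_FEED)
    print("blocked now:", partition_by_kind(gen1, SAMPLE_FEED))
    # Lowering the score threshold next cycle adds one IP and removes nothing.
    gen2 = select_for_blocking(SAMPLE_FEED, min_score=6.0)
    print("delta:", incremental_update(gen1, gen2))
```

The URL entry is deliberately scored high but with low confidence: with the defaults it is kept off the block list, which is the behaviour you want from an in-line device and the reason the threshold is two-dimensional rather than a single score cut-off.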


In IBM X-Force Exchange, classification and scoring for URLs and IP addresses combines results of multiple analyses.


Web applications are scored on several risk factors


Use Case 2: Security Operations

Usage
• Maps threat intelligence to data observed in your environment
• Includes intelligence that can be mapped to network and host-based indicators
• Integration with operational tools, such as SIEM and incident response

Critical Factors
• Support for open standards for easy integration into existing solutions
• Pivotability among indicators to aid in rapid investigation
• Completeness of data

Delivery Route
• STIX/TAXII feeds
• CybOX


The use of open standards maximizes interoperability with existing systems

JSON RESTful API
• API queries based on a query/response model for threat intelligence
• Leverages basic authentication
• Load balanced to support traffic loads
• Node SDK module available

STIX / TAXII Standards Support
• TAXII services provided to access threat intelligence
• Supports STIX/CybOX objects


Use threat intelligence through the open STIX/TAXII format; use reference sets for correlation, searching and reporting

• Load threat indicators in Collections into QRadar reference sets
• Create a custom rule response to post IOCs to a Collection
• Bring Watchlists of IP addresses from X-Force Exchange and create a rule to raise the magnitude of any offense that includes an IP on the Watchlist
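The reference-set workflow above is worth seeing end to end, so the following is an added example (not IBM's code, and not QRadar's rule engine): STIX 2 indicator patterns are parsed into per-type reference sets, sample log events are checked against them, and any event touching a watchlisted value has its magnitude raised, mirroring the custom rule described on the slide. The indicator bundle, the log lines, the field-to-object-type mapping and the magnitude numbers are all constructed; only the simple single-comparison STIX pattern form is handled.

```python
"""Added example, not IBM's code: load STIX 2 indicator patterns into
in-memory reference sets, scan sample log events against them, and raise
the severity ('magnitude') of any event that touches a watchlisted value.

Everything here is constructed: the indicator bundle, the log lines, and
the magnitude numbers. Only the simple "[type:property = 'value']" STIX
pattern form is handled; QRadar's reference sets and offense magnitude are
modelled in plain Python, not called through its API.
"""
import re
from typing import Dict, List, Optional, Set, Tuple

# Constructed STIX 2 indicator objects (subset of fields). The hash is the
# SHA-256 of the empty string, used purely as a recognisable stand-in.
SAMPLE_INDICATORS = [
    {"type": "indicator", "id": "indicator--0001",
     "pattern": "[ipv4-addr:value = '198.51.100.7']"},
    {"type": "indicator", "id": "indicator--0002",
     "pattern": "[domain-name:value = 'bad.example.net']"},
    {"type": "indicator", "id": "indicator--0003",
     "pattern": "[file:hashes.'SHA-256' = "
                "'e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855']"},
]

# Constructed proxy/EDR events in key=value form; 10.0.0.0/8 sources are RFC 1918.
SAMPLE_LOGS = [
    "2017-08-15T10:01:02Z proxy src=10.0.0.5 dst=198.51.100.7 host=cdn.example.com action=allow",
    "2017-08-15T10:01:09Z proxy src=10.0.0.9 dst=203.0.113.8 host=bad.example.net action=allow",
    "2017-08-15T10:02:11Z proxy src=10.0.0.7 dst=192.0.2.20 host=intranet.example.com action=allow",
    "2017-08-15T10:03:00Z edr src=10.0.0.9 sha256=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 action=exec",
]

# Which log field carries a value of which STIX object type (assumption).
FIELD_TO_OBJECT_TYPE = {"dst": "ipv4-addr", "host": "domain-name", "sha256": "file"}

_SIMPLE_PATTERN = re.compile(
    r"^\[\s*([\w-]+):([\w.'-]+)\s*=\s*'([^']*)'\s*\]$")


def parse_pattern(pattern: str) -> Optional[Tuple[str, str, str]]:
    """Return (object_type, property, value) for a single-comparison STIX
    pattern, or None for anything more complex (AND/OR, FOLLOWEDBY, ...)."""
    m = _SIMPLE_PATTERN.match(pattern)
    return (m.group(1), m.group(2), m.group(3)) if m else None


def build_reference_sets(indicators) -> Dict[str, Set[str]]:
    """One set per STIX object type, the shape a SIEM reference set has."""
    sets: Dict[str, Set[str]] = {}
    for ind in indicators:
        parsed = parse_pattern(ind.get("pattern", ""))
        if parsed is None:
            continue  # complex patterns need the real pattern engine
        obj_type, _prop, value = parsed
        sets.setdefault(obj_type, set()).add(value.lower())
    return sets


def parse_event(line: str) -> Dict[str, str]:
    """Split 'key=value' tokens; tokens without '=' (timestamp, source) are skipped."""
    return dict(tok.split("=", 1) for tok in line.split() if "=" in tok)


def correlate(logs: List[str], refsets: Dict[str, Set[str]],
              base_magnitude: int = 3, watchlist_boost: int = 4) -> List[dict]:
    """Tag each event with its watchlist matches and an adjusted magnitude.

    A match lifts the magnitude by `watchlist_boost`, capped at 10 (the
    1-10 scale QRadar uses), mirroring the 'raise the magnitude of any
    offense that includes the IP' rule from the slide.
    """
    results = []
    for line in logs:
        fields = parse_event(line)
        matches = [(otype, fields[f].lower())
                   for f, otype in FIELD_TO_OBJECT_TYPE.items()
                   if f in fields and fields[f].lower() in refsets.get(otype, set())]
        magnitude = min(10, base_magnitude + watchlist_boost) if matches else base_magnitude
        results.append({"line": line, "matches": matches, "magnitude": magnitude})
    return results


if __name__ == "__main__":
    refsets = build_reference_sets(SAMPLE_INDICATORS)
    for r in correlate(SAMPLE_LOGS, refsets):
        print(r["magnitude"], r["matches"], r["line"][:60])
```

Patterns that the simple parser cannot handle are skipped rather than half-loaded, which is the safer failure mode for a watchlist: a silently truncated indicator would never match, and you would not know it.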


Use Case 3: Threat Research and Hunting

Usage
• Research of potential threats that may or may not yet be affecting your organization
• Can be done via a web-based UI or API

Critical Factors
• Scriptable access to data in an easy-to-use manner
• Aggregation of multiple intelligence sources (from different vendors) into a single stream
• Flexible search

Delivery Route
• REST-based API
• Research platforms with web interfaces


X-Force global threat intelligence delivers a wide range of benefits

Higher Order Intelligence: Actors, Campaigns, Incidents, TTPs

Observables and Indicators: Vulnerabilities, Malware, Anti-Spam, Web App Control, IP Reputation, URL / Web Filtering


Correlation of indicators and higher-order intelligence is critical

Indicator Feeds
• 173.242.117.120 is a malware C&C server
• djs14.com is a malware C&C server
• CVE-2013-3029 is an Excel vulnerability
• [email protected] sends SPAM
• Organization Y is a threat actor

vs.

Correlated Threat Intelligence
173.242.117.120 is a malware C&C server … which is associated with the PoSeidon malware family
• targeted against retailers
• used by attackers in country X, Y and Z
• to steal credit card information from PoS systems
• Communicates with
  • C&C servers: 173.242.117.120, 203.19.201.20
  • C&C domains: djs14.com, jdjnci.net
  • Twitter feed @malwarecommander
• Infects via
  • drive-by download exploiting CVE-2015-2093
  • malicious Excel file exploiting CVE-2013-3029
  • email attachment from [email protected]
• Host indicators
  • Registry keys A, B, C
  • Processes D, E, F
  • Event log entries G, H
  • Memory fingerprint J, K


Correlation provides pivotability to accelerate threat investigation

Starting point: network traffic to a C&C IP is observed. What does this communication mean? Pivot to the malware associated with the C&C server, and from there to:

• Other C&C IPs for the malware. Where else are they? Correlate the IPs to flow data in the SIEM.
• Host IoCs for the malware. How do I verify infections? Send the indicators to the EDR tool and quarantine infected endpoints.
• Actor / campaign details. What is the attacker after? Understand motivations, report to executive management, and investigate exfiltration.
• Infection method details. How did they get in? Correlate the CVEs to SIEM vulnerability scans and initiate patching.
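The pivot chain above is the part of the slide that turns a single indicator hit into scoped response actions, so here is an added example (not from the deck, and not an X-Force Exchange client): it builds a reverse index from every indicator to its correlated record, pivots from one observed C&C IP to the rest of the family's infrastructure, and joins the result against local flow records and vulnerability-scan output to answer "where else are they?" and "how did they get in?". The correlated record re-uses the indicator values printed on the PoSeidon slide; the flow records and scan results are constructed, and the slide's host-indicator placeholders (registry keys A, B, C and so on) are kept as placeholders rather than filled in.

```python
"""Added example, not from the deck: pivot from one observed C&C IP through
correlated intelligence to the other indicators of the same malware family,
then join them against local SIEM data to answer "where else are they?" and
"how did they get in?".

The correlated record re-uses the indicator values printed on the slide's
PoSeidon illustration; the flow records and vulnerability-scan results are
constructed, and the slide's host-indicator placeholders (registry keys
A, B, C and so on) are kept as placeholders rather than filled in.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set, Tuple


@dataclass
class ThreatRecord:
    family: str
    targets: str
    objective: str
    c2_ips: Set[str]
    c2_domains: Set[str]
    infection_cves: Set[str]
    host_iocs: List[str]


# The slide's correlated record, values as printed there.
POSEIDON = ThreatRecord(
    family="PoSeidon",
    targets="retailers",
    objective="steal credit card information from PoS systems",
    c2_ips={"173.242.117.120", "203.19.201.20"},
    c2_domains={"djs14.com", "jdjnci.net"},
    infection_cves={"CVE-2015-2093", "CVE-2013-3029"},
    host_iocs=["registry keys A, B, C", "processes D, E, F"],  # slide placeholders
)

# Constructed local telemetry: (source host, destination IP or domain).
SAMPLE_FLOWS: List[Tuple[str, str]] = [
    ("pos-register-04", "173.242.117.120"),
    ("pos-register-11", "jdjnci.net"),
    ("hr-laptop-02", "198.51.100.9"),
]

# Constructed vulnerability-scan output: host -> CVEs still open.
SAMPLE_VULN_SCAN: Dict[str, Set[str]] = {
    "pos-register-04": {"CVE-2013-3029"},
    "finance-pc-01": {"CVE-2015-2093", "CVE-2013-3029"},
    "hr-laptop-02": set(),
}


def index_by_indicator(records: Iterable[ThreatRecord]) -> Dict[str, ThreatRecord]:
    """Reverse map indicator -> record: the lookup that makes pivoting cheap.
    Keys are lower-cased so domain and CVE lookups are case-insensitive."""
    index: Dict[str, ThreatRecord] = {}
    for rec in records:
        for value in rec.c2_ips | rec.c2_domains | rec.infection_cves:
            index[value.lower()] = rec
    return index


def pivot(observed: str, index: Dict[str, ThreatRecord],
          flows: List[Tuple[str, str]],
          vuln_scan: Dict[str, Set[str]]) -> Optional[dict]:
    """Expand one observed indicator into related indicators and actions."""
    rec = index.get(observed.lower())
    if rec is None:
        return None  # no higher-order context: it stays an isolated indicator

    all_c2 = {v.lower() for v in rec.c2_ips | rec.c2_domains}
    related = sorted(all_c2 - {observed.lower()})
    # "Where else are they?": any host talking to any C&C of the family.
    beaconing = sorted({host for host, dst in flows if dst.lower() in all_c2})
    # "How did they get in?": hosts still exposed to the family's infection CVEs.
    exposed = sorted({host for host, cves in vuln_scan.items()
                      if cves & rec.infection_cves})

    actions = [f"Correlate {related} against flow data in the SIEM"]
    if beaconing:
        actions.append(f"Send host IoCs {rec.host_iocs} to EDR and quarantine {beaconing}")
    if exposed:
        actions.append(f"Initiate patching of {sorted(rec.infection_cves)} on {exposed}")
    actions.append(f"Report: {rec.family} targets {rec.targets} to {rec.objective}")

    return {"family": rec.family, "related_c2": related,
            "beaconing_hosts": beaconing, "exposed_hosts": exposed,
            "actions": actions}


if __name__ == "__main__":
    idx = index_by_indicator([POSEIDON])
    for line in pivot("173.242.117.120", idx, SAMPLE_FLOWS, SAMPLE_VULN_SCAN)["actions"]:
        print("-", line)
```

Note that the second beaconing host is found through a domain, not the IP that was originally observed: that is exactly the value of correlated intelligence over a flat indicator feed, which would have stopped at the single IP match.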


X-Force Exchange Collections streamline security investigations

Higher Order Intelligence: the free text area of the Collection is used to organize identifiers, campaigns, TTPs, TLP status, and other pertinent details.

Observables & Indicators: related reports on URL / IP reputation, malware, vulnerabilities, and related attachments.


Taking action with integrations


The scale of IBM Security brings unique breadth and depth to X-Force threat intelligence (as of May 2017)

• 20,000+ devices under contract
• 20B events managed per day
• 133 monitored countries
• 3,700+ security-related patents
• 270M endpoints monitored for malware
• 38B analyzed web pages and images
• 8M spam and phishing attacks daily
• 850K malicious IP addresses
• 113K documented vulnerabilities
• Millions of unique malware samples


X-Force Threat Intelligence can be integrated into security solutions via multiple methods

[Architecture diagram] Data & intelligence sources feed an Analytics Engine; the Delivery Layer exposes the results through the Portal, an Open API, a Commercial API and an SDK; threat consumers on the Platform Layer are IBM Security Products (XFMA, XGS), OEM integrations and Platform Users.

Threat Intelligence Content: pDNS, Whois information, Collections, Higher Order Intelligence, Vulnerabilities, Malware Sandbox, Malware Families, IP Reputation, URL Reputation, Web Applications


There is a comprehensive range of Threat Intelligence available via API

Indicators / Content: Details

Vulnerabilities: Risk score (CVSS), exploit characteristics, exploit consequences, remedy information, affected products, protection information (e.g. references for IPS, vulnerability assessment content), and external references

Malware: Disposition, hash value, first observed, malware family, vendors covering (%), download sources, command and control servers, email sources, and email subjects

Malware Families: First/last observance, and associated hash values (MD5)

IP Reputation: Risk score (1-10), geolocation, applications associated, malware associated, categorization (current and historical) with confidence value (1-100%), passive DNS information, subnet reputation

URL Reputation: Risk score (1-10), applications associated, categorization (current and historical), DNS information

Web Applications: Risk score, categorization, base URL, vulnerabilities, hosting URLs, and hosting IPs

pDNS: Passive DNS information

Whois information: Registrant information (name, organization, country, and e-mail)

IBM Network Protection: Monthly XPU content, as well as each signature, the date of its release, and the vulnerability for which it provides coverage

Collections: Curated content on specific security investigations, including both structured and unstructured content

Higher Order Intelligence: STIX/CybOX objects such as campaign, threat actor, tools, tactics, procedures, course of action, and indicator information, as part of the Collections


IBM Security App Exchange: driving the evolution of collaborative defense

• Access user and business partner innovations
• Extend IBM Security solution functionality to new use cases
• Download validated security apps from a single platform
• A platform for security collaboration

https://apps.xforce.ibmcloud.com


React faster, coordinate better, respond smarter to incidents: a single hub provides easy workflow customization and process automation

• Helps cyber security teams orchestrate the IR process and manage and respond to incidents faster, better and more intelligently
• Drives down response times by streamlining the process of escalating and managing incidents
• Ensures consistency and adherence to regulatory requirements and legal obligations
• Automates time-consuming tasks
• Leverages staff more effectively


IBM X-Force Malware Analysis: submit suspicious files directly into IBM X-Force Exchange

• Automate suspicious file investigation
• Act on in-depth intelligence reports
• Access anywhere, anytime with a scalable cloud architecture


A diversified financial services company greatly improved their threat research capabilities and collaboration workflows

“I didn’t realize I was on X-Force Exchange that much. The collaboration capabilities and threat intelligence are highly valuable to me and a great help to my challenges and activities throughout each day.”

-Network Security Analyst II

Business challenge
• Need for curated threat research to complement their SIEM
• Lack of internal collaboration in the threat investigation process

IBM X-Force Exchange with IBM QRadar
Helped better defend the organization’s network from attacks, scans and phishing attempts on a daily basis, using IP / URL reputation data, geo-location status of IPs, vulnerability data, MD5 detail and shared collections from X-Force Exchange in conjunction with IBM QRadar.

Research, collaborate and integrate


Get started today!


Helpful Resources

X-Force Exchange
• Try it: xforce.ibmcloud.com
• API: https://api.xforce.ibmcloud.com/doc/

General X-Force information:
• X-Force blogs on SecurityIntelligence.com
• IBM X-Force Threat Intelligence Report for 2017
• IBM Interactive Security Incidents website to stay up to date on the latest verified breaches


Contact Us!

Sam Dillingham, [email protected], Sr Offering Manager

Pamela Cobb, [email protected], Portfolio Manager

ibm.com/security

securityintelligence.com

xforce.ibmcloud.com

@ibmsecurity

youtube/user/ibmsecuritysolutions

© Copyright IBM Corporation 2016. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind, express

or implied. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, these materials. Nothing contained in these materials is intended to, nor shall have the effect of,

creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software. References in these

materials to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates. Product release dates and / or capabilities referenced in these materials may

change at any time at IBM’s sole discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any way. IBM, the IBM logo, and

other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks

or service marks of others.

Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise.

Improper access can result in information being altered, destroyed, misappropriated or misused or can result in damage to or misuse of your systems, including for use in attacks on others. No IT system or

product should be considered completely secure and no single product, service or security measure can be completely effective in preventing improper use or access. IBM systems, products and services are

designed to be part of a lawful, comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective.

IBM DOES NOT WARRANT THAT ANY SYSTEMS, PRODUCTS OR SERVICES ARE IMMUNE FROM, OR WILL MAKE YOUR ENTERPRISE IMMUNE FROM, THE MALICIOUS OR ILLEGAL CONDUCT

OF ANY PARTY.

FOLLOW US ON:

THANK YOU