IBM Security: Threat Landscape
Michael Andersson
Client Technical Professional
IBM Security Systems
Please note:
• IBM’s statements regarding its plans, directions, and intent are subject to change or withdrawal without notice at IBM’s sole discretion.
• Information regarding potential future products is intended to outline our general product direction and it should not be relied on in making a purchasing decision.
• The information mentioned regarding potential future products is not a commitment, promise, or legal obligation to deliver any material, code or functionality. Information about potential future products may not be incorporated into any contract. The development, release, and timing of any future features or functionality described for our products remains at our sole discretion.
• Performance is based on measurements and projections using standard IBM benchmarks in a controlled environment. The actual throughput or performance that any user will experience will vary depending upon many factors, including considerations such as the amount of multiprogramming in the user's job stream, the I/O configuration, the storage configuration, and the workload processed. Therefore, no assurance can be given that an individual user will achieve results similar to those stated here.
Agenda
• X-Force overview
• Highlights from the 1H 2012 IBM X-Force Trend and Risk Report
– Vulnerabilities
– Exploits
– Attacks
• IBM Security Advanced Threat Protection Platform
The mission of the IBM X-Force® research and development team is to:
Research and evaluate threat and protection issues
Deliver security protection for today’s security problems
Develop new technology for tomorrow’s security challenges
Educate the media and user communities
X-Force Research
17B analyzed Web pages & images
40M spam & phishing attacks
68K documented vulnerabilities
13B security events daily
Provides specific analysis of:
• Vulnerabilities & exploits
• Malicious/unwanted websites
• Spam and phishing
• Malware
• Other emerging trends
X-Force Research
Vulnerability disclosures up in 2012
• Total number of vulnerabilities grew (4,400 in 1H 2012)
– The projection could reach an all-time high in 2012
Web Application Vulnerabilities Rise Again
• At mid-year 2012, 47% of security vulnerabilities affected web applications
• Up from 41% in 2011
• XSS reaches a high of 51%
Vulnerabilities without patches
• Unpatched vulnerabilities, highest numbers in years
Public Exploit Disclosures
• Public exploits decreased as a percentage of disclosed vulnerabilities
• Slightly up in actual numbers compared to 2011
Some categories stay the same
• The numbers of browser and multimedia exploits are about the same
Things are looking better for mobile platforms
• Better at discovering vulnerabilities
• Harder to exploit
MSS – Top 10 high volume signatures
• Not much change since last year
• SQL Injection is still the most common attack
SQL Injection Attacks against Web Servers
• Finding victims is very often an automated process
XSS reaching new highs in 1H 2011
• More than 6,000 variants of this vulnerability, with uses ranging from hijacking a browser session to a total system web-server-based takeover.
Web browser exploitation
SQL Slammer continues to drop
2011: “The year of the targeted attack”
Who is attacking our networks?
Techniques used by attackers are bypassing traditional defenses
Advanced
• Using exploits for unreported vulnerabilities, aka a “zero day”
• Advanced, custom malware that is not detected by antivirus products
Persistent
• Attacks lasting for months or years
• Attackers are dedicated to the target – they will get in
• Resistant to remediation attempts
Threat
• Targeted at specific individuals and groups within an organization
• Not random attacks – they are actually “out to get you”
These methods have eroded the effectiveness of traditional defenses including firewalls, intrusion prevention systems and antivirus - leaving holes in the network
Closer look at the attack vectors of today’s threats
1. User Attacks (Client-side)
• Drive-by Downloads: User browses to a malicious website and/or downloads an infected file using an unpatched browser or application
• Targeted Emails: Email containing an exploit or malicious attachment is sent to an individual with the right level of access at the company
2. Infrastructure Attacks (Server-side)
• SQL Injection: Attacker sends a specially crafted message to a web application, allowing them to view, modify, or delete DB table entries
• General Exploitation: Attacker identifies and exploits a vulnerability in unpatched or poorly written software to gain privileges on the system
IBM Advanced Threat Protection
Our strategy is to protect our customers with advanced threat protection at the network layer - by strengthening and integrating network security, analytics and threat Intelligence capabilities
1. Advanced Threat Protection Platform
Evolve our Intrusion Prevention System to become a Threat Protection Platform – providing packet, content, file and session inspection to stop threats from entering the corporate network
2. QRadar Security Intelligence Platform
Build tight integration between the Network Security products, X-Force intelligence feeds and the QRadar Platform product with purpose-built analytics and reporting for threat detection and remediation
3. X-Force Threat Intelligence
Increase investment in threat intelligence feeds and feedback loops for our products. Leverage the existing Cobion web and email filtering data, but expand into botnet, IP reputation and Managed Security Services data sets
IBM’s Infrastructure Threat Protection
Advanced Threat Protection Platform
IBM Security Network IPS: Addressing Today’s Evolving Threats with Hybrid Protection
>300 custom signatures (SNORT)
Why Vulnerability-based Research = Preemptive Security Approach
• Protecting against exploits is reactive
– Too late for many
– Variants undo previous updates
• Protecting against vulnerabilities and malicious behaviors is preemptive
– Stops threat at source
– Requires advanced R&D
• Why X-Force?
– One of the best-known commercial security research groups in the world
– IBM X-Force maintains one of the most comprehensive vulnerability databases in the world, dating back to the 1990s
– X-Force constantly updates IBM’s Protocol Analysis Module, the engine inside IBM’s security solutions
Source: IBM X-Force
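The exploit-versus-vulnerability distinction above, as an added illustration that is not part of the original deck and not IBM's Protocol Analysis Module: a reactive rule that matches one known SQL injection payload string is compared with a preemptive rule that checks the contract of the vulnerable parameter itself (here, a hypothetical page whose numeric `id` parameter is concatenated into SQL). The path, parameter name, signature string and sample requests are all constructed for this example.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Exploit-based rule: the exact substring seen in one known payload.
# Hypothetical signature, constructed for this example.
EXPLOIT_SIGNATURE = "union select"

# Vulnerability-based rule: the flaw is that 'id' on /news.php is used in SQL
# unchecked, so any non-integer value reaches the flaw regardless of payload.
# Hypothetical application inventory, constructed for this example.
VULNERABLE_PARAMS = {"/news.php": {"id"}}
INTEGER = re.compile(r"^\d+$")


def exploit_rule(url: str) -> bool:
    """Reactive check: fires only when the known payload appears verbatim."""
    return EXPLOIT_SIGNATURE in unquote(url).lower()


def vulnerability_rule(url: str) -> bool:
    """Preemptive check: fires on any value that violates the parameter's contract."""
    parts = urlsplit(url)
    guarded = VULNERABLE_PARAMS.get(parts.path, set())
    params = parse_qs(parts.query, keep_blank_values=True)
    return any(not INTEGER.match(value)
               for name in guarded
               for value in params.get(name, []))


def classify(url: str) -> dict:
    """Run both rules so their coverage can be compared side by side."""
    return {"exploit_sig": exploit_rule(url), "vuln_rule": vulnerability_rule(url)}


# Constructed sample requests: the original payload, a trivially altered variant
# and a different injection technique against the same flaw.
SAMPLES = {
    "benign": "/news.php?id=42",
    "original_payload": "/news.php?id=42%20UNION%20SELECT%201",
    "variant": "/news.php?id=42%20UNION/**/SELECT%201",
    "other_technique": "/news.php?id=42%20OR%201=1",
}

if __name__ == "__main__":
    for label, url in SAMPLES.items():
        print(f"{label:17} {classify(url)}")
```

Only the exact payload trips the signature; the parameter-contract rule flags every request that reaches the flaw, which is the "stops threat at source" property the slide claims for vulnerability-based protection.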
IBM’s Preemptive Approach vs. Reactive Approach to address Threats
IBM Clients have typically been provided protection guidance prior to or within 24 hours of a vendor
vulnerability disclosure being announced
[Chart: number of days IBM clients were provided protection guidance “Ahead of the Threat”]
IBM IPS Zero Day (Vuln/Exploit) Web App Protection
New Vulnerability or Exploit | Reported Date | Ahead of the Threat Since
Nagios expand cross-site scripting | 5/1/2011 | 6/7/2007
Easy Media Script go parameter XSS | 5/26/2011 | 6/7/2007
N-13 News XSS | 5/25/2011 | 6/7/2007
I GiveTest 2.1.0 SQL Injection | 6/21/2011 | 6/7/2007
RG Board SQL Injection | 6/28/2011 | 6/7/2007
BlogiT PHP Injection | 6/28/2011 | 6/7/2007
IdevSpot SQL Injection (iSupport) | 2011-05-23 | 6/7/2007
2Point Solutions SQL Injection | 6/24/2011 | 6/7/2007
PHPFusion SQL Injection | 1/17/2011 | 6/7/2007
ToursManager PhP Script Blind SQLi | 2011-07-xx | 6/7/2007
Oracle Database SQL Injection | 2011-07-xx | 6/7/2007
LuxCal Web Calendar | 7/7/2011 | 6/7/2007
Apple Web Developer Website SQL | 2011-07-xx | 6/7/2007
MySQLDriverCS Cross-Param SQLi | 6/27/2011 | 6/7/2007
• The IBM IPS Injection Logic Engine has stopped every large-scale SQL injection or XSS attack on day zero.
• Asprox – reported 12/11/2008 – stopped 6/7/2007
• Lizamoon – reported 3/29/2011 – stopped 6/7/2007
• SONY (published) – reported May/June 2011 – stopped 6/7/2007
• Apple Dev Network – reported July 2011 – stopped 6/7/2007
Complete Control: Overcoming a Simple Block-Only Approach
• Network Control by users, groups, systems, protocols, applications & application actions
• Block evolving, high-risk sites such as Phishing and Malware with constantly updated categories
• Comprehensive up-to-date web site coverage with industry-leading 15 Billion+ URLs
• Rich application support with 1000+ applications and individual actions
“We had a case in Europe where workers went on strike for 3 days after Facebook was completely blocked…so granularity is key.”
– IBM Business Partner
Network Security Product Line up
Product | Description
IBM Security Network Intrusion Prevention System | The core of any Intrusion Prevention strategy, IBM Security Network IPS appliances help to protect the network infrastructure from a wide range of attacks, up to 23 Gbps inspected throughput
IBM Security Endpoint Defence | Focused on protecting individual assets on the network, including servers and desktops, from both internal and external threats
IBM Security Virtual Server Protection | Virtual Server Protection is integrated with the hypervisor and provides visibility into intra-VM network traffic. Supports ESX 4.1 and 5.0 and 10Gb Ethernet
IBM Security SiteProtector System | Centralized management for IBM Security intrusion prevention solutions that provides a single management point to control security policy, analysis, alerting and reporting
Security Intelligence Platform
Solving Customer Challenges
Major Electric Utility – Detecting threats
• Discovered 500 hosts with the “Here You Have” virus, which other solutions missed
Fortune 5 Energy Company – Consolidating data silos
• 2 billion logs and events per day reduced to 25 high-priority offenses
Branded Apparel Maker – Detecting insider fraud
• Trusted insider stealing and destroying key data
$100B Diversified Corporation – Predicting risks against your business
• Automating the policy monitoring and evaluation process for configuration change in the infrastructure
Industrial Distributor – Addressing regulatory mandates
• Real-time extensive monitoring of network activity, in addition to PCI mandates
Context & Correlation Drive Deepest Insight
Solutions for the Full Compliance and Security Intelligence Timeline
Fully Integrated Security Intelligence
Log Management
• Turnkey log management
• SME to Enterprise
• Upgradeable to enterprise SIEM
SIEM
• Integrated log, threat, risk & compliance mgmt.
• Sophisticated event analytics
• Asset profiling and flow analytics
• Offense management and workflow
Risk Management
• Predictive threat modeling & simulation
• Scalable configuration monitoring and audit
• Advanced threat visualization and impact analysis
Network Activity & Anomaly Detection
• Network analytics
• Behavior and anomaly detection
• Fully integrated with SIEM
Network and Application Visibility
• Layer 7 application monitoring
• Content capture
• Physical and virtual environments
One Console Security
Built on a Single Data Architecture
IBM Security Portfolio
Security Intelligence, Analytics and GRC: QRadar SIEM; QRadar Log Manager; QRadar Risk Manager; IBM Privacy, Audit and Compliance Assessment Services; IT GRC Analytics & Reporting; Enterprise Governance, Risk and Compliance Management (IBM OpenPages, Algorithmics (recent acquisition), i2 Corporation (recent acquisition))
People: Identity & Access Management Suite; Federated Identity Manager; Enterprise Single Sign-On; Identity Assessment, Deployment and Hosting Services
Data: Guardium Database Security; Optim Data Masking; Key Lifecycle Manager; Data Security Assessment Service; Encryption and DLP Deployment
Applications: AppScan Source/Std. Edition; DataPower Security Gateway; Security Policy Manager; Application Assessment Service; AppScan OnDemand Software as a Service
Infrastructure (IT Infrastructure – Operational Security Domains)
– Network: Network Intrusion Prevention; Server and Virtualization Security; QRadar Anomaly Detection / QFlow; Managed Firewall, Unified Threat and Intrusion Prevention Services
– Endpoint: Endpoint Manager (BigFix); zSecure suite; Penetration Testing Services; Native Server Security (RACF, IBM systems)
Across the portfolio: Security Consulting; Managed Services; X-Force and IBM Research
IBM Security Framework
Summary
• More vulnerability disclosures and exploits in 2012 compared to 2011
• We see more attack activity, with high-profile security incidents
• Attacks are getting more sophisticated
• Need for proactive, research-driven security
• Security Intelligence makes it possible to manage more data, with log and network flow correlation, configuration monitoring and risk and compliance management
Acknowledgements, disclaimers and trademarks
© Copyright IBM Corporation 2012. All rights reserved.
The information contained in this publication is provided for informational purposes only. While efforts were made to verify the completeness and accuracy of the information contained in this publication, it is provided AS IS without warranty of any kind, express or implied. In addition, this information is based on IBM’s current product plans and strategy, which are subject to change by IBM without notice. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, this publication or any other materials. Nothing contained in this publication is intended to, nor shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software.
References in this publication to IBM products, programs or services do not imply that they will be made available in all countries in which IBM operates. Product release dates and/or capabilities referenced in this presentation may change at any time at IBM’s sole discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any way. Nothing contained in these materials is intended to, nor shall have the effect of, stating or implying that any activities undertaken by you will result in any specific sales, revenue growth, savings or other results. All statements regarding IBM future direction and intent are subject to change or withdrawal without notice, and represent goals and objectives only.
Information concerning non-IBM products and services was obtained from a supplier of those products and services. IBM has not tested these products or services and cannot confirm the accuracy of performance, compatibility, or any other claims related to non-IBM products and services. Questions on the capabilities of non-IBM products and services should be addressed to the supplier of those products and services.
All customer examples cited or described are presented as illustrations of the manner in which some customers have used IBM products and the results they may have achieved. Actual environmental costs and performance characteristics may vary by customer and will vary depending on individual customer configurations and conditions. Nothing contained in these materials is intended to, nor shall have the effect of, stating or implying that any activities undertaken by you will result in any specific sales, revenue growth or other results.
Prices are suggested U.S. list prices and are subject to change without notice. Starting price may not include a hard drive, operating system or other features. Contact your IBM representative or Business Partner for the most current pricing in your geography.
IBM, the IBM logo, ibm.com, Tivoli, the Tivoli logo, Tivoli Enterprise Console, Tivoli Storage Manager FastBack, and other IBM products and services are trademarks or registered trademarks of International Business Machines Corporation in the United States, other countries, or both. If these and other IBM trademarked terms are marked on their first occurrence in this information with a trademark symbol (® or ™), these symbols indicate U.S. registered or common law trademarks owned by IBM at the time this information was published. Such trademarks may also be registered or common law trademarks in other countries. A current list of IBM trademarks is available on the Web at "Copyright and trademark information" at ibm.com/legal/copytrade.shtml
Thank You – Q&A
Contact:[email protected]