IBM Smarter Business 2012 - IBM Security: Threat Landscape

Uploaded by: ibm-sverige

Posted on 15-Jan-2015


DESCRIPTION

IBM Security Systems presents the latest risks and trends from the X-Force 2011 Full Year report, and how you can protect your infrastructure from these new, evolving threats using Security Intelligence from Q1 Labs and IBM's recently announced Advanced Threat Protection Platform. Speaker: Mikael Andersson, Client Technical Professional, IBM. Visit http://smarterbusiness.se for more information.

TRANSCRIPT

Page 1: IBM Smarter Business 2012 - IBM Security: Threat landscape

IBM Security: Threat Landscape

Page 2: IBM Smarter Business 2012 - IBM Security: Threat landscape

IBM Security: Threat Landscape

Michael Andersson

Client Technical Professional

IBM Security Systems

Page 3: IBM Smarter Business 2012 - IBM Security: Threat landscape

Please note:

• IBM’s statements regarding its plans, directions, and intent are subject to change or withdrawal without notice at IBM’s sole discretion.

• Information regarding potential future products is intended to outline our general product direction and it should not be relied on in making a purchasing decision.

• The information mentioned regarding potential future products is not a commitment, promise, or legal obligation to deliver any material, code or functionality. Information about potential future products may not be incorporated into any contract. The development, release, and timing of any future features or functionality described for our products remains at our sole discretion.

• Performance is based on measurements and projections using standard IBM benchmarks in a controlled environment. The actual throughput or performance that any user will experience will vary depending upon many factors, including considerations such as the amount of multiprogramming in the user's job stream, the I/O configuration, the storage configuration, and the workload processed. Therefore, no assurance can be given that an individual user will achieve results similar to those stated here.

Page 4: IBM Smarter Business 2012 - IBM Security: Threat landscape

Agenda

• X-Force overview

• Highlights from the 1H 2012 IBM X-Force Trend and Risk Report

– Vulnerabilities

– Exploits

– Attacks

• IBM Security Advanced Threat Protection Platform

Page 5: IBM Smarter Business 2012 - IBM Security: Threat landscape

The mission of the IBM X-Force® research and development team is to:

• Research and evaluate threat and protection issues

• Deliver security protection for today’s security problems

• Develop new technology for tomorrow’s security challenges

• Educate the media and user communities

X-Force Research

• 17B analyzed Web pages & images

• 40M spam & phishing attacks

• 68K documented vulnerabilities

• 13B security events daily

Provides specific analysis of:

• Vulnerabilities & exploits

• Malicious/unwanted websites

• Spam and phishing

• Malware

• Other emerging trends

Page 6: IBM Smarter Business 2012 - IBM Security: Threat landscape

Vulnerability disclosures up in 2012

• Total number of vulnerabilities grew (4,400 in 1H 2012)

– The projection could reach an all-time high in 2012

Page 7: IBM Smarter Business 2012 - IBM Security: Threat landscape

Web Application Vulnerabilities Rise Again

• At mid-year 2012, 47% of security vulnerabilities affected web applications

• Up from 41% in 2011

• XSS reaches a high of 51%

Page 8: IBM Smarter Business 2012 - IBM Security: Threat landscape

Vulnerabilities without patches

• Unpatched vulnerabilities are at their highest numbers in years

Page 9: IBM Smarter Business 2012 - IBM Security: Threat landscape

Public Exploit Disclosures

• Decrease as a percentage of all disclosed vulnerabilities

• Slightly up in actual numbers compared to 2011

Page 10: IBM Smarter Business 2012 - IBM Security: Threat landscape

Some categories stay the same

• The numbers of browser and multimedia exploits are about the same

Page 11: IBM Smarter Business 2012 - IBM Security: Threat landscape

Things are looking better for mobile platforms

• Better at discovering vulnerabilities

• Harder to exploit

Page 12: IBM Smarter Business 2012 - IBM Security: Threat landscape

MSS – Top 10 high volume signatures

• Not much change since last year

• SQL Injection is still the most common attack

Page 13: IBM Smarter Business 2012 - IBM Security: Threat landscape

SQL Injection Attacks against Web Servers

• Finding victims is very often an automated process

Page 14: IBM Smarter Business 2012 - IBM Security: Threat landscape

XSS reaching new highs in 1H 2011

• More than 6,000 variants of this vulnerability, with uses ranging from hijacking a browser session to a total system web-server-based takeover.

Page 15: IBM Smarter Business 2012 - IBM Security: Threat landscape

Web browser exploitation

Page 16: IBM Smarter Business 2012 - IBM Security: Threat landscape

SQL Slammer continues to drop

Page 17: IBM Smarter Business 2012 - IBM Security: Threat landscape

2011: “The year of the targeted attack”

Page 18: IBM Smarter Business 2012 - IBM Security: Threat landscape

Who is attacking our networks?

Page 19: IBM Smarter Business 2012 - IBM Security: Threat landscape

Techniques used by attackers are bypassing traditional defenses

Advanced

• Using exploits for unreported vulnerabilities, aka a “zero day”

• Advanced, custom malware that is not detected by antivirus products

Persistent

• Attacks lasting for months or years

• Attackers are dedicated to the target – they will get in

• Resistant to remediation attempts

Threat

• Targeted at specific individuals and groups within an organization

• Not random attacks – they are actually “out to get you”

These methods have eroded the effectiveness of traditional defenses, including firewalls, intrusion prevention systems and antivirus, leaving holes in the network.

Page 20: IBM Smarter Business 2012 - IBM Security: Threat landscape

Closer look at the attack vectors of today’s threats

1. User Attacks (Client-side)

• Drive-by Downloads: User browses to a malicious website and/or downloads an infected file using an unpatched browser or application

• Targeted Emails: Email containing an exploit or malicious attachment is sent to an individual with the right level of access at the company

2. Infrastructure Attacks (Server-side)

• SQL Injection: Attacker sends a specially crafted message to a web application, allowing them to view, modify, or delete DB table entries

• General Exploitation: Attacker identifies and exploits a vulnerability in unpatched or poorly written software to gain privileges on the system

Page 21: IBM Smarter Business 2012 - IBM Security: Threat landscape

IBM Advanced Threat Protection


Our strategy is to protect our customers with advanced threat protection at the network layer, by strengthening and integrating network security, analytics and threat intelligence capabilities.

1. Advanced Threat Protection Platform: Evolve our Intrusion Prevention System to become a Threat Protection Platform, providing packet, content, file and session inspection to stop threats from entering the corporate network

2. QRadar Security Intelligence Platform: Build tight integration between the Network Security products, X-Force intelligence feeds and the QRadar Platform product, with purpose-built analytics and reporting for threat detection and remediation

3. X-Force Threat Intelligence: Increase investment in threat intelligence feeds and feedback loops for our products. Leverage the existing Cobion web and email filtering data, but expand into botnet, IP reputation and Managed Security Services data sets

Page 22: IBM Smarter Business 2012 - IBM Security: Threat landscape

IBM’s Infrastructure Threat Protection

Page 23: IBM Smarter Business 2012 - IBM Security: Threat landscape

Advanced Threat Protection Platform

Page 24: IBM Smarter Business 2012 - IBM Security: Threat landscape


IBM Security Network IPS: Addressing Today’s Evolving Threats with Hybrid Protection

• >300 custom signatures (SNORT)

Page 25: IBM Smarter Business 2012 - IBM Security: Threat landscape

Why Vulnerability-based Research = Preemptive Security Approach

• Protecting against exploits is reactive

– Too late for many

– Variants undo previous updates

• Protecting against vulnerabilities and malicious behaviors is preemptive

– Stops threat at source

– Requires advanced R&D

• Why X-Force?

– One of the best-known commercial security research groups in the world

– IBM X-Force maintains one of the most comprehensive vulnerability databases in the world, dating back to the 1990s.

– X-Force constantly updates IBM’s Protocol Analysis Module, the engine inside IBM’s security solutions
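To make the reactive-versus-preemptive distinction on this slide concrete, here is an added example (not IBM code, and not how the Protocol Analysis Module or the Injection Logic Engine actually works): a reactive check that matches catalogued exploit strings beside a preemptive check that looks for the vulnerability condition itself, a closed string literal followed by SQL grammar. The sample parameter values and the toy signature list are constructed for the illustration.

```python
"""Exploit-signature matching vs. vulnerability-condition matching (added illustration)."""
import re
from urllib.parse import unquote_plus

# Reactive approach: literal strings of exploits already seen in the wild.
# Every new variant needs a new entry (constructed toy list, not a real ruleset).
KNOWN_EXPLOIT_STRINGS = ("' or '1'='1", "' or 1=1--")


def signature_match(param_value: str) -> bool:
    """Reactive check: does the value contain an exploit string we have already catalogued?"""
    value = unquote_plus(param_value).lower()
    return any(sig in value for sig in KNOWN_EXPLOIT_STRINGS)


# Preemptive approach: describe the flaw, not the exploit. An injection needs
# untrusted input that closes a string literal and then supplies SQL grammar
# (boolean operator, UNION/SELECT, statement terminator or comment marker).
_BREAKOUT = re.compile(
    r"""['"]\s*\)?\s*(?:(?:or|and|union|select)\b|;|--|#)""", re.IGNORECASE)


def vulnerability_condition_match(param_value: str) -> bool:
    """Preemptive check: undo encoding and obfuscation, then look for a literal breakout."""
    value = unquote_plus(param_value)
    value = re.sub(r"/\*.*?\*/", " ", value)  # inline comments used to split keywords
    value = re.sub(r"\s+", " ", value)        # tabs/newlines/multiple spaces
    return bool(_BREAKOUT.search(value))


# Constructed sample values for a single web-form parameter; the first two are benign.
SAMPLES = {
    "alice": "plain username",
    "O'Brien": "benign apostrophe, no SQL grammar follows it",
    "' or '1'='1": "textbook exploit string",
    "' OR 'a'='a": "same flaw, different literals",
    "'/**/oR/**/1=1--": "keyword split by inline comments",
    "%27%09union%09select%091--": "tab-separated, URL-encoded UNION",
}


def compare_approaches(samples=SAMPLES):
    """Return {value: (signature_hit, condition_hit)} for every sample value."""
    return {v: (signature_match(v), vulnerability_condition_match(v)) for v in samples}


if __name__ == "__main__":
    results = compare_approaches()
    for value, note in SAMPLES.items():
        sig, cond = results[value]
        print(f"{value!r:32} signature={sig!s:5} condition={cond!s:5}  ({note})")
```

Only the textbook string trips the signature check; every variant still trips the condition check, which is the slide's point that variants undo exploit-based updates while a vulnerability-based rule stays ahead of them.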

Page 26: IBM Smarter Business 2012 - IBM Security: Threat landscape

IBM’s Preemptive Approach vs. Reactive Approach to address Threats

IBM clients have typically been provided protection guidance prior to, or within 24 hours of, a vendor vulnerability disclosure being announced.

[Chart: number of days IBM clients were provided protection guidance “Ahead of the Threat”. Source: IBM X-Force]

Page 27: IBM Smarter Business 2012 - IBM Security: Threat landscape


IBM IPS Zero Day (Vuln/Exploit) Web App Protection

New Vulnerability or Exploit              Reported Date   Ahead of the Threat Since
Nagios expand cross-site scripting        5/1/2011        6/7/2007
Easy Media Script go parameter XSS        5/26/2011       6/7/2007
N-13 News XSS                             5/25/2011       6/7/2007
I GiveTest 2.1.0 SQL Injection            6/21/2011       6/7/2007
RG Board SQL Injection                    6/28/2011       6/7/2007
BlogiT PHP Injection                      6/28/2011       6/7/2007
IdevSpot SQL Injection (iSupport)         2011-05-23      6/7/2007
2Point Solutions SQL Injection            6/24/2011       6/7/2007
PHPFusion SQL Injection                   1/17/2011       6/7/2007
ToursManager PhP Script Blind SQLi        2011-07-xx      6/7/2007
Oracle Database SQL Injection             2011-07-xx      6/7/2007
LuxCal Web Calendar                       7/7/2011        6/7/2007
Apple Web Developer Website SQL           2011-07-xx      6/7/2007
MySQLDriverCS Cross-Param SQLi            6/27/2011       6/7/2007

• The IBM IPS Injection Logic Engine has stopped every large-scale SQL injection or XSS attack on day zero.

• Asprox – reported 12/11/2008 – stopped 6/7/2007

• Lizamoon – reported 3/29/2011 – stopped 6/7/2007

• SONY (published) – reported May/June 2011 – stopped 6/7/2007

• Apple Dev Network – reported July 2011 – stopped 6/7/2007

Page 28: IBM Smarter Business 2012 - IBM Security: Threat landscape

Complete Control: Overcoming a Simple Block-Only Approach

• Network Control by users, groups, systems, protocols, applications & application actions

• Block evolving, high-risk sites such as Phishing and Malware with constantly updated categories

• Comprehensive up-to-date web site coverage with industry-leading 15 Billion+ URLs

• Rich application support with 1000+ applications and individual actions

“We had a case in Europe where workers went on strike for 3 days after Facebook was completely blocked…so granularity is key.”

– IBM Business Partner

Page 29: IBM Smarter Business 2012 - IBM Security: Threat landscape

Network Security Product Line up

Product – Description

IBM Security Network Intrusion Prevention System – The core of any Intrusion Prevention strategy, IBM Security Network IPS appliances help to protect the network infrastructure from a wide range of attacks, up to 23 Gbps inspected throughput

IBM Security Endpoint Defence – Focused on protecting individual assets on the network, including servers and desktops, from both internal and external threats

IBM Security Virtual Server Protection – Integrated with the hypervisor and provides visibility into intra-VM network traffic. Supports ESX 4.1 and 5.0 and 10Gb Ethernet

IBM Security SiteProtector System – Centralized management for IBM Security intrusion prevention solutions that provides a single management point to control security policy, analysis, alerting and reporting

Page 30: IBM Smarter Business 2012 - IBM Security: Threat landscape

Security Intelligence Platform

Page 31: IBM Smarter Business 2012 - IBM Security: Threat landscape

Solving Customer Challenges

Major Electric Utility – Detecting threats

• Discovered 500 hosts with “Here You Have” virus, which other solutions missed

Fortune 5 Energy Company – Consolidating data silos

• 2 Billion logs and events per day reduced to 25 high priority offenses

Branded Apparel Maker – Detecting insider fraud

• Trusted insider stealing and destroying key data

$100B Diversified Corporation – Predicting risks against your business

• Automating the policy monitoring and evaluation process for configuration change in the infrastructure

Industrial Distributor – Addressing regulatory mandates

• Real-time extensive monitoring of network activity, in addition to PCI mandates

Page 32: IBM Smarter Business 2012 - IBM Security: Threat landscape

Context & Correlation Drive Deepest Insight

Page 33: IBM Smarter Business 2012 - IBM Security: Threat landscape

Solutions for the Full Compliance and Security Intelligence Timeline

Page 34: IBM Smarter Business 2012 - IBM Security: Threat landscape

Fully Integrated Security Intelligence

Log Management

• Turnkey log management

• SME to Enterprise

• Upgradeable to enterprise SIEM

SIEM

• Integrated log, threat, risk & compliance mgmt.

• Sophisticated event analytics

• Asset profiling and flow analytics

• Offense management and workflow

Risk Management

• Predictive threat modeling & simulation

• Scalable configuration monitoring and audit

• Advanced threat visualization and impact analysis

Network Activity & Anomaly Detection

• Network analytics

• Behavior and anomaly detection

• Fully integrated with SIEM

Network and Application Visibility

• Layer 7 application monitoring

• Content capture

• Physical and virtual environments

One Console Security

Built on a Single Data Architecture

Page 35: IBM Smarter Business 2012 - IBM Security: Threat landscape

IBM Security Portfolio

Security Consulting – Managed Services – X-Force and IBM Research

QRadar SIEM

QRadar Log Manager

QRadar Risk Manager

IBM Privacy, Audit and Compliance Assessment Services

IT GRC Analytics & Reporting

Enterprise Governance, Risk and Compliance Management: IBM OpenPages, Algorithmics (recent acquisition), i2 Corporation (recent acquisition)

IT Infrastructure – Operational Security Domains

People

• Identity & Access Management Suite

• Federated Identity Manager

• Enterprise Single Sign-On

• Identity Assessment, Deployment and Hosting Services

Data

• Guardium Database Security

• Optim Data Masking

• Key Lifecycle Manager

• Data Security Assessment Service

• Encryption and DLP Deployment

Applications

• AppScan Source/Std. Edition

• DataPower Security Gateway

• Security Policy Manager

• Application Assessment Service

• AppScan OnDemand Software as a Service

Infrastructure – Network

• Network Intrusion Prevention

• Server and Virtualization Security

• QRadar Anomaly Detection / QFlow

• Managed Firewall, Unified Threat and Intrusion Prevention Services

Infrastructure – Endpoint

• Endpoint Manager (BigFix)

• zSecure suite

• Penetration Testing Services

• Native Server Security (RACF, IBM systems)

IBM Security Framework

Page 36: IBM Smarter Business 2012 - IBM Security: Threat landscape

Summary

• More vulnerability disclosures and exploits in 2012 compared to 2011

• We see more attack activity, with high profile security incidents

• Attacks are getting more sophisticated

• Need for proactive, research-driven security

• Security Intelligence makes it possible to manage more data, with log and network flow correlation, configuration monitoring and risk and compliance management

Page 37: IBM Smarter Business 2012 - IBM Security: Threat landscape

Acknowledgements, disclaimers and trademarks

© Copyright IBM Corporation 2012. All rights reserved.

The information contained in this publication is provided for informational purposes only. While efforts were made to verify the completeness and accuracy of the information contained in this publication, it is provided AS IS without warranty of any kind, express or implied. In addition, this information is based on IBM’s current product plans and strategy, which are subject to change by IBM without notice. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, this publication or any other materials. Nothing contained in this publication is intended to, nor shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software.

References in this publication to IBM products, programs or services do not imply that they will be made available in all countries in which IBM operates. Product release dates and/or capabilities referenced in this presentation may change at any time at IBM’s sole discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any way. Nothing contained in these materials is intended to, nor shall have the effect of, stating or implying that any activities undertaken by you will result in any specific sales, revenue growth, savings or other results. All statements regarding IBM future direction and intent are subject to change or withdrawal without notice, and represent goals and objectives only.

Information concerning non-IBM products and services was obtained from a supplier of those products and services. IBM has not tested these products or services and cannot confirm the accuracy of performance, compatibility, or any other claims related to non-IBM products and services. Questions on the capabilities of non-IBM products and services should be addressed to the supplier of those products and services.

All customer examples cited or described are presented as illustrations of the manner in which some customers have used IBM products and the results they may have achieved. Actual environmental costs and performance characteristics may vary by customer and will vary depending on individual customer configurations and conditions. Nothing contained in these materials is intended to, nor shall have the effect of, stating or implying that any activities undertaken by you will result in any specific sales, revenue growth or other results.

Prices are suggested U.S. list prices and are subject to change without notice. Starting price may not include a hard drive, operating system or other features. Contact your IBM representative or Business Partner for the most current pricing in your geography.

IBM, the IBM logo, ibm.com, Tivoli, the Tivoli logo, Tivoli Enterprise Console, Tivoli Storage Manager FastBack, and other IBM products and services are trademarks or registered trademarks of International Business Machines Corporation in the United States, other countries, or both. If these and other IBM trademarked terms are marked on their first occurrence in this information with a trademark symbol (® or ™), these symbols indicate U.S. registered or common law trademarks owned by IBM at the time this information was published. Such trademarks may also be registered or common law trademarks in other countries. A current list of IBM trademarks is available on the Web at "Copyright and trademark information" at ibm.com/legal/copytrade.shtml

Page 38: IBM Smarter Business 2012 - IBM Security: Threat landscape

Thank You – Q&A

Contact: [email protected]