View on-demand webinar: http://event.on24.com/wcc/r/1238398/409AE8848D4FF1210B56EC81538788EB
Ransomware is a growing threat impacting organizations across all industries. But not all is lost. There are preventative measures that can be taken to help protect against ransomware attacks, including deploying a next-generation intrusion prevention system (IPS), such as the IBM XGS.
Join our webinar to:
• Understand the current threats associated with ransomware
• Learn how leading-edge research from IBM X-Force powers the XGS to stop ransomware
• Hear how IBM XGS proactively blocked ransomware at a large healthcare insurance organization
Failed Ransom: How IBM XGS Defeated Ransomware
1. Failed Ransom: How IBM XGS Defeated Ransomware
Leslie Horacek, IBM X-Force Threat Response, IBM Security
Richard Rice, Director of Security Operations, WaveStrong
2. 2 IBM Security
Agenda
1. Monitoring the Threat Landscape
2. The Rise of Ransomware
3. IBM Security Network Protection (XGS)
4. Case Study: How XGS Defeated Ransomware
5. Questions & Answers
4. IBM X-Force® Research and Development
Expert analysis and data sharing on the global threat landscape
X-Force coverage areas: Vulnerability Protection, IP Reputation, Anti-Spam, Malware Analysis, Web Application Control, URL / Web Filtering, Zero-day Research
The IBM X-Force Mission
• Monitor and evaluate the rapidly changing threat landscape
• Research new attack techniques and develop protection for tomorrow’s security challenges
• Educate our customers and the general public
• Integrate and distribute Threat Protection and Intelligence to make IBM solutions smarter
5. Our automated technologies and research teams monitor the global threat level at all times
• Data capture: The web is continuously scanned and categorized, identifying malware hosts, spam sources, etc.
• Analysis: Security teams analyze the global data to identify attack trends and share insights
• Dynamic updates: Threat intelligence databases are dynamically updated, delivering up-to-the-minute accuracy
6. IBM X-Force malware researchers retrieve malware, configuration and modules from listening points across the globe
Analysis
• Monitor darknet chatter
• Maintain dedicated lab environment
• Reverse engineering
• Proprietary decryption tools
• Versioning
• Investigate malware operator motivations
Protection
• Identification of incremental malware changes to develop and deploy defenses
• Constant monitoring of bypass attempts
7. Our global threat intelligence delivers a wide range of benefits
• Higher-Order Intelligence: Actors, Campaigns, Incidents, TTPs
• Observables and Indicators: Vulnerabilities, Malware, Anti-Spam, Web App Control, IP Reputation, URL / Web Filtering
8. IBM X-Force Exchange hosts X-Force threat intelligence in a collaborative platform
A collaborative platform to consume, share and act on real-time threat intelligence, used by security analysts and researchers, Security Operations Centers (SOCs), and security products and technologies.
X-Force Exchange enables users to:
• Research threat indicators
• Participate and build in public and private communities
• Collaborate with peers and X-Force analysts to share evidence and discoveries
• Help increase the quality of threat intelligence
• Operationalize threat intelligence to streamline security decision making
10. Cerber ransomware operation exposed... and boy is it lucrative!
• 161 active campaigns
• 8 new campaigns launching / day
• Infected approximately 150,000 users worldwide in 201 countries and territories in the past month alone.
• Affiliate system makes Cerber one of the most lucrative RaaS platforms in the world.
• At only 0.3% paying ransom, still nets over $1 million USD / year
• Average ransom is 1 Bitcoin (~$580)
Reported in August by Checkpoint Research. Source: https://www.grahamcluley.com/2016/08/cerber-ransomware-operation/ and http://blog.checkpoint.com/2016/08/16/cerberring/
11. July 2016 Client Webinar: Digital Extortion, Will You Pay The Ransom?
Visit the Ransomware landing page to review the infographic and register to receive the client engagement guide:
• Ransomware: The Malware Path
• By Ways of Digital Extortion
• Attack Statistics
• Will You Pay the Ransom?
• IBM Services Response Guide for Clients
For a more in-depth review of ransomware, register to watch the replay.
12. IBM Security Network Protection (XGS)
Next-generation intrusion prevention protects against the latest attacks
• PROTECTION: Disrupt known and unknown exploits and malware attacks
• VISIBILITY: Gain insight into network traffic patterns to detect anomalies
• CONTROL: Limit the use of risky applications to reduce your attack surface
13. IBM XGS protects against a full spectrum of attack techniques…
Attack categories: Web App, System and Service, Traffic-based, User, Risky Applications
Techniques covered: Protocol Tunneling, RFC Non-Compliance, Unpatched / Unpatchable Vulnerabilities, Code Injection, Buffer Overflows, Cross-site Scripting, SQL Injection, Cross-site Request Forgery, Cross-path Injection, Spear Phishing, Drive-by Downloads, Malicious Attachments, Malware Links, Obfuscation Techniques, Protocol Anomalies, Traffic on Non-Standard Ports, DoS / DDoS, Information Leakage, Social Media, File Sharing, Remote Access, Audio / Video Transmission
14. IBM goes beyond pattern matching with a broad spectrum of vulnerability and exploit coverage
• Exploit Signatures: Attack-specific pattern matching
• Web Injection Logic: Patented protection against web attacks, e.g., SQL injection and cross-site scripting
• Vulnerability Decodes: Focused algorithms for mutating threats
• Application Layer Heuristics: Proprietary algorithms to block malicious use
• Protocol Anomaly Detection: Protection against misuse, unknown vulnerabilities, and tunneling across 230+ protocols
• Shellcode Heuristics: Behavioral protection to block exploit payloads
• Content Analysis: File and document inspection and anomaly detection
Other IPS solutions stop at pattern matching
15. Ransomware encrypting servers, endpoints, and databases
Countering the attack chain:
• Ransomware Installation
• Command & Control
• Encrypt the User’s Files
• Demand Ransom
Specific signatures within XGS to detect ransomware C&C:
• Trojan_CryptXXX_CnC
• JavaScript_Angler_Exploit_Kit_5
• HTTP_Locky_Trojan_CnC
16. How IBM XGS fights Ransomware – Attack Chain broken!
• XGS provides URL filtering, IP Reputation, and Geo-location protection
• Block traffic to or from unwanted sites via network access policies
• Block attempted connections to the Attacker’s C&C site
• Integration with third party malware protection solutions (Damballa, FireEye, Trend Micro)
• Protocol Analysis Module (PAM) has specific decodes to identify and block malicious macros
17. The XGS appliance can operate in three modes
Inline Prevention
• Active intrusion prevention
• Blocks malicious and unwanted traffic
• Allows legitimate traffic to pass unhindered
Passive Monitoring
• Accurate intrusion detection
• Supports taps, hubs or SPAN ports
• Monitors traffic for malicious or unwanted traffic
Inline Simulation
• Simulates inline prevention
• No blocking
• Alerts to events it would have blocked
19. WaveStrong is an Information Security Consulting Company
Since 2001, WaveStrong has been an industry leader in enterprise and cloud information security consulting services. We pride ourselves in our ‘best of breed’ security solutions and services that span a myriad of verticals, including: government, education and business. Our staff is comprised of elite certified technical and business professionals who help our clients successfully navigate the complexities of planning, design, implementation and management of data security.
…Trusted by Industry Professionals for over 15 years
20. WAVESTRONG – SECURITY SERVICES METHODOLOGY
Plan, Build and Run successful Cyber Security Programs
WaveStrong’s vision is to become the most advanced, comprehensive and trusted partner for cyber security solutions. We provide a complete set of information security services and solutions to help our customers with establishing a complete cyber security strategy, identify and remediate business risk and threats, select and deploy the right technology and achieve operational readiness to protect from the latest cyber threats.
Service areas: Cyber Security Strategy, Security Program Strategy, Architecture and Design, Deploy and Operationalize, Managed Security Services
22. A Ransomware Use Case Background
• Customer Profile: Mid-size Pharmaceutical Company with two datacenters, one in Pennsylvania and the second in New Jersey
• Problem Statement:
  • Company received multiple phishing emails containing Locky malware throughout their enterprise targeting system administrators.
  • Four people opened the attachment: three at headquarters and one at the backup location
  • The Command and Control communication channel was blocked for the three at the HQ office, but only a simulated block at the second site
  • The workstation at the second site was infected, but all valuable data was backed up so they reimaged the workstation.
• Solution Provided: Customer purchased two XGS-4100 appliances with SiteProtector
• Services Provided:
  • XGS deployed inline at both datacenters with one in protection mode and the other in simulation mode
  • Both appliances configured for moderate protection with automatic signature updates
23. A Ransomware Use Case Timeline
1. PHISHING EMAIL: Attacker sends email
2. VICTIM OPENS LINK: Four people clicked on link to download malware
3. THREE ARE BLOCKED: XGS blocked outbound communication
4. ONE GETS INFECTED: Site with XGS in simulation mode
5. ATTACK NOTICED: XGS admin sees activity in primary site
6. CALLED FOR HELP: WaveStrong called in to configure secondary XGS
7. XGS IN PROTECT MODE: Secondary site moved to protection mode
8. CONTINUE TO MONITOR: Did not see any more attack attempts
24. A Ransomware Use Case – Recommendations
• Best practice is to put newly deployed IPS appliances in monitor or simulation mode to minimize potential impact to production traffic
**Note** When you transition from simulation mode to protection mode, all network connections are dropped while the port is renegotiating with the switch (VPN connections are lost temporarily)
• If you have two or more appliances, SiteProtector is highly recommended for ease of management and monitoring
• Make sure to maintain continuous monitoring of your appliances and alerts
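The three modes on slide 17 and the case study's lesson (an appliance in simulation mode only alerts on the C&C connection it would have blocked, so the host behind that alert is the one that got infected) can be turned into a routine triage check for the continuous monitoring recommended above. The following is an added example, not IBM or WaveStrong code: the signature names are the ones listed on slide 15, while the alert line format, the sensor names and the action field are assumptions, not the XGS or SiteProtector export format.

```python
import re

# Added example, not IBM/WaveStrong code. Signature names are from the deck;
# the alert line format, sensor names and the action field are assumptions.
RANSOMWARE_CNC_SIGS = {"Trojan_CryptXXX_CnC", "HTTP_Locky_Trojan_CnC",
                       "JavaScript_Angler_Exploit_Kit_5"}

# Mode per appliance as in the case study: HQ in protection mode, the backup
# site still in simulation mode (hypothetical sensor names).
SENSOR_MODES = {"xgs-hq": "inline-prevention", "xgs-dr": "inline-simulation"}

# Constructed sample alerts: private source hosts, documentation-range C&C IP.
SAMPLE_ALERTS = """\
2016-08-16T09:12:01 sensor=xgs-hq sig=HTTP_Locky_Trojan_CnC src=10.1.5.23 dst=203.0.113.7 action=block
2016-08-16T09:12:03 sensor=xgs-hq sig=HTTP_Locky_Trojan_CnC src=10.1.5.41 dst=203.0.113.7 action=block
2016-08-16T09:12:09 sensor=xgs-hq sig=HTTP_Locky_Trojan_CnC src=10.1.5.58 dst=203.0.113.7 action=block
2016-08-16T09:13:40 sensor=xgs-dr sig=HTTP_Locky_Trojan_CnC src=10.2.7.19 dst=203.0.113.7 action=block
2016-08-16T09:15:00 sensor=xgs-hq sig=HTTP_Options_Method src=10.1.9.2 dst=10.1.0.5 action=alert
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) sensor=(?P<sensor>\S+) sig=(?P<sig>\S+) "
                     r"src=(?P<src>\S+) dst=(?P<dst>\S+) action=(?P<action>\S+)$")


def parse_alerts(text):
    """Parse alert lines into dicts; malformed lines are skipped."""
    return [m.groupdict() for m in map(LINE_RE.match, text.splitlines()) if m]


def triage(events, modes):
    """Split ransomware C&C hits into those a prevention-mode appliance really
    blocked and those to escalate: a simulating or monitoring appliance only
    reports what it would have blocked, so that host is likely infected."""
    blocked, escalate = [], []
    for ev in events:
        if ev["sig"] not in RANSOMWARE_CNC_SIGS:
            continue  # not a ransomware C&C signature; out of scope here
        if modes.get(ev["sensor"]) == "inline-prevention" and ev["action"] == "block":
            blocked.append(ev)
        else:
            escalate.append(ev)
    return blocked, escalate


def infected_hosts(text, modes=SENSOR_MODES):
    """Source hosts whose C&C traffic reached the attacker despite an alert."""
    _, escalate = triage(parse_alerts(text), modes)
    return sorted({ev["src"] for ev in escalate})
```

Running `infected_hosts(SAMPLE_ALERTS)` on the constructed data returns only the host behind the simulation-mode appliance, mirroring the one infected workstation at the second site in the case study.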
• IBM X-Force: Monitor and evaluate today’s threats
• IBM QRadar: Detect, analyze, and prioritize threats
• IBM XGS: Network Protection & Monitoring
• IBM AppScan: Develop more secure applications
• IBM BigFix: Unified Endpoint Security
• IBM Guardium: Database Auditing & Monitoring
25. Contact Information
Harpreet Walia: President and CEO
Office: 925.264.8080
Email: harpreet@wavestrong.com
Richard Rice: Director Security Operations
Office: 925-264-8079
Email: rich@wavestrong.com
Corporate Headquarters: 5674 Stoneridge Drive, Suite 225, Pleasanton, CA 94568
https://www.wavestrong.com
26. IBM positioned in the “Leaders” Quadrant in the 2015 Gartner Magic Quadrant for Intrusion Prevention Systems
“The capabilities of leading IPS products have adapted to
changing threats, and next-generation IPSs (NGIPSs) have
evolved incrementally in response to advanced targeted
threats that can evade first-generation IPSs.”
Craig Lawson, Adam Hils, and Claudio Neiva
Gartner, November 16, 2015
This Magic Quadrant graphic was published by Gartner, Inc. as part of a larger research note and should be evaluated in the context of the entire report.
The link to the Gartner report is available upon request from IBM.
Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation.
Gartner research publications consist of the opinions of Gartner's research organization and should not be construed as statements of fact. Gartner disclaims all warranties,
expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.
27. NSS Labs testing of IBM Security Network Protection XGS 7100
• PASS: All tests related to “stability and reliability”
• PASS: All tests related to “evasions”
• 99.6% Exploit block rate
• 0 False Positives
• 25.949 Gbps Tested Throughput
SOURCE: NSS LABS 2016 DATA CENTER INTRUSION PREVENTION SYSTEM (DCIPS) TEST REPORT
“Using a tuned policy, the IBM XGS 7100 blocked 99.6% of exploits. The device proved effective against all evasion techniques tested. The device also passed all stability and reliability tests. The IBM XGS 7100 is rated by NSS at 25.949 Gbps, which is above the vendor-claimed performance; IBM rates this device at 25Gbps.”
28. XGS protects both your network and investment
Forrester determined XGS has the following three-year risk-adjusted financial impact:
• Return on investment: 340%
• Net present value: $1,075,592
• Payback period: 1.9 months
SOURCE: THE TOTAL ECONOMIC IMPACT OF IBM SECURITY NETWORK SECURITY (XGS), FORRESTER RESEARCH, 2016
29. A Global Leader in Enterprise Security
• #1 in enterprise security
software and services*
• 7,500+ people
• 12,000+ customers
• 133 countries
• 3,500+ security patents
• 15 acquisitions since 2005
*According to Technology Business Research, Inc. (TBR) 2016