2. Please note:
• IBM’s statements regarding its plans, directions, and intent are
subject to change or withdrawal without notice at IBM’s sole discretion.
• Information regarding potential future products is intended to outline
our general product direction and it should not be relied on in making a purchasing
decision.
• The information mentioned regarding potential future products is not a
commitment, promise, or legal obligation to deliver any material, code or
functionality. Information about potential future products may not be incorporated
into any contract. The development, release, and timing of any future features or
functionality described for our products remains at our sole discretion.
• Performance is based on measurements and projections using standard IBM
benchmarks in a controlled environment. The actual throughput or performance
that any user will experience will vary depending upon many factors, including
considerations such as the amount of multiprogramming in the user's job stream,
the I/O configuration, the storage configuration, and the workload processed.
Therefore, no assurance can be given that an individual user will achieve results
similar to those stated here.
3. Agenda
• X-Force overview
• Highlights from the 2011 IBM X-Force Trend and Risk Report
– New attack activity
– Progress in internet security
– New challenges from mobile and cloud
4. X-Force research
The mission of the IBM X-Force® research and development team is to:
• Research and evaluate threat and protection issues
• Deliver security protection for today’s security problems
• Develop new technology for tomorrow’s security challenges
• Educate the media and user communities
X-Force research:
• 14B analyzed Web pages & images
• 40M spam & phishing attacks
• 54K documented vulnerabilities
• 13B security events daily
Provides specific analysis of:
• Vulnerabilities & exploits
• Malicious/Unwanted websites
6. Key Messages from the 2011 Trend Report
• New Attack Activity
– Rise in Shell Command Injection attacks
– Spikes in SSH Brute Forcing
– Rise in phishing-based malware distribution and click fraud
• Progress in Internet Security
– Fewer exploit releases
– Fewer web application vulnerabilities
11. Mac malware
• 2011 has seen the most activity in the Mac malware world.
– Not only in volume compared to previous years, but also in functionality.
• In 2011, we started seeing Mac malware with functionalities that we’ve only seen before in Windows® malware.
12. Key Messages from the 2011 Trend Report
13. Public exploit disclosures
• Total number of exploit releases down to a number not seen since 2006
– Also down as a percentage of vulnerabilities
15. Decline in web application vulnerabilities
• In 2011, 41% of security vulnerabilities affected web applications
– Down from 49% in 2010
– Lowest percentage seen since 2005
16. Key Messages from the 2011 Trend Report
17. Mobile OS vulnerabilities & exploits
• Continued interest in Mobile vulnerabilities as enterprise users request a “bring your own device” (BYOD) strategy for the workplace
• Attackers finding these devices represent lucrative new attack opportunities
18. Social Networking – no longer a fringe pastime
• Attackers finding social networks ripe with valuable information they can mine to build intelligence about organizations and their staff:
– Scan corporate websites, Google, Google News
– Who works there? What are their titles?
20. IBM Security Framework
IBM Security Portfolio
Enterprise Governance, Risk and Compliance Management: IBM OpenPages; Algorithmics (recent acquisition); i2 Corporation (recent acquisition)
IT GRC Analytics & Reporting: QRadar SIEM; QRadar Log Manager; QRadar Risk Manager; IBM Privacy, Audit and Compliance Assessment Services
IT Infrastructure – Operational Security Domains:
• People: Identity & Access Management Suite; Federated Identity Manager; Enterprise Single Sign-On; zSecure suite; Identity Assessment, Deployment and Hosting Services
• Data: Guardium Database Security; Optim Data Masking; Key Lifecycle Manager; Data Security Assessment Service; Encryption and DLP Deployment
• Applications: AppScan Source/Std. Edition; DataPower Security Gateway; Security Policy Manager; Application Assessment Service; AppScan OnDemand Software as a Service
• Infrastructure – Network: Network Intrusion Prevention; QRadar Anomaly Detection / QFlow; Managed Firewall, Unified Threat and Intrusion Prevention Services
• Infrastructure – Endpoint: Endpoint Manager (BigFix); Server and Virtualization Security; Native Server Security (RACF, IBM systems); Penetration Testing Services
Services and research: Security Consulting; Managed Services; X-Force and IBM Research
21. Advanced Threats: The sophistication of Cyber threats, attackers and motives is rapidly escalating
(Chart: adversary by motive, from the 1st Decade of the Commercial Internet, 1995 – 2005, to the 2nd Decade of the Commercial Internet, 2005 – 2015)
Motive                         Adversary
National Security              Nation-state Actors; Targeted Attacks / Advanced Persistent Threat
Espionage, Political Activism  Competitors, Hacktivists
Monetary Gain                  Organized Crime, using sophisticated tools
Revenge                        Insiders, using inside information
Curiosity                      Script-kiddies or hackers using tools, web-based “how-to’s”
22. IT Security is a board room discussion
• Business results: Sony estimates potential $1B long term impact – $171M / 100 customers*
• Brand image: HSBC data breach discloses 24K private banking customers
• Supply chain: Epsilon breach impacts 100 national brands
• Legal exposure: TJX estimates $150M class action settlement over the release of credit / debit card info
• Impact of hacktivism: Lulzsec 50-day hack-at-will spree impacts Nintendo, CIA, PBS, UK NHS, UK SOCA, Sony …
• Audit risk: Zurich Insurance PLc fined £2.275M ($3.8M) for the loss and exposure of 46K customer records
23. QRadar Security Intelligence
(IBM Security Portfolio chart, as on slide 20.)
24. Solutions for the Full Compliance and Security Intelligence Timeline
27. Fully Integrated Security Intelligence
One Console Security – Built on a Single Data Architecture
• Log Management
– Turnkey log management
– SME to Enterprise
– Upgradeable to enterprise SIEM
• SIEM
– Integrated log, threat, risk & compliance mgmt.
– Sophisticated event analytics
– Asset profiling and flow analytics
– Offense management and workflow
• Risk Management
– Predictive threat modeling & simulation
– Scalable configuration monitoring and audit
– Advanced threat visualization and impact analysis
• Network Activity & Anomaly Detection
– Network analytics
– Behavior and anomaly detection
– Fully integrated with SIEM
• Network and Application Visibility
– Layer 7 application monitoring
– Content capture
28. IBM Security Threat Platform
(IBM Security Portfolio chart, as on slide 20.)
30. Why Vulnerability-based Research = Preemptive Security Approach
• Protecting against exploits is reactive
– Too late for many
– Variants undo previous updates
31. IBM IPS Zero Day (Vuln/Exploit) Web App Protection
■ IBM IPS Injection Logic Engine has stopped every large scale SQL injection or XSS attack day-zero.
• Asprox – reported 12/11/2008 – stopped 6/7/2007
• Lizamoon – reported 3/29/2011 – stopped 6/7/2007
• SONY (published) – reported May/June/2011 – stopped 6/7/2007
New Vulnerability or Exploit               Reported Date   Ahead of the Threat Since
Nagios expand cross-site scripting         5/1/2011        6/7/2007
Easy Media Script go parameter XSS         5/26/2011       6/7/2007
N-13 News XSS                              5/25/2011       6/7/2007
I GiveTest 2.1.0 SQL Injection             6/21/2011       6/7/2007
RG Board SQL Injection                     6/28/2011       6/7/2007
BlogiT PHP Injection                       6/28/2011       6/7/2007
IdevSpot SQL Injection (iSupport)          2011-05-23      6/7/2007
2Point Solutions SQL Injection             6/24/2011       6/7/2007
PHPFusion SQL Injection                    1/17/2011       6/7/2007
ToursManager PHP Script Blind SQLi         2011-07-xx      6/7/2007
Oracle Database SQL Injection              2011-07-xx      6/7/2007
LuxCal Web Calendar                        7/7/2011        6/7/2007
Apple Web Developer Website SQL            2011-07-xx      6/7/2007
MySQLDriverCS Cross-Param SQLi             6/27/2011       6/7/2007
32. Ahead of the Threat
IBM’s Preemptive Approach vs. Reactive Approach to address Threats
IBM Clients have typically been provided protection guidance prior to or within 24 hours of a vendor vulnerability disclosure being announced (89% of the time in 2010)
(Chart: # of days IBM clients were provided protection guidance “Ahead of the Threat”. Source: IBM X-Force)
33. Network Security Product Line up
Product – Description
• IBM Security Network Intrusion Prevention System – The core of any Intrusion Prevention strategy, IBM Security Network IPS appliances help to protect the network infrastructure from a wide range of attacks, up to 23 Gbps inspected throughput
• IBM Security Endpoint Defence – Focused on protecting individual assets on the network including servers and desktops from both internal and external threats
• IBM Security Virtual Server Protection – Virtual Server Protection is integrated with the hypervisor and provides visibility into intra-VM network traffic. Supports ESX 4.1 and 5.0 and 10Gb Ethernet
• IBM Security SiteProtector System – Centralized management for IBM Security intrusion prevention solutions that provides a single management point to control security policy, analysis, alerting and reporting
35. 1Q12: Launched IBM Security Network IPS Powered by X-Force
Core Capabilities
• Unmatched performance delivering 20Gbps+ of inspected throughput and 10GbE connectivity without compromising breadth and depth of security
• Evolving protection powered by world renowned X-Force research to stay “ahead of the threat”
• Reduced cost and complexity through consolidation of point solutions and integrations with other security tools
Custom Rules
• Meet signature sharing mandates (e.g. Government & Financial Institutions)
• IBM Hybrid protection
– Using X-Force Protocol Analysis with the ability to write or import custom Snort rules
• IBM Network IPS and Protocol Analysis Modules (PAM) are a core tenet of the Advanced Threat Protection Platform
Locked in to a signature-only IPS? Make the move to IBM Security Network IPS.
36. Extensible Protection with Protocol Analysis Module
Ahead of the Threat: extensible protection backed by the power of X-Force
Virtual Patch
What It Does: Mitigates vulnerability exploitation independent of a software patch, and enables a responsible patch management process that can be adhered to without fear of a breach.
Why Important: At the end of 2011, 36% of all vulnerabilities disclosed during the year had no vendor-supplied patches available to remedy the vulnerability.
Client-Side Application Protection
What It Does: Protects end users against attacks targeting applications used every day such as Microsoft Office, Adobe PDF, Multimedia files and Web browsers.
Why Important: In 2011, vulnerabilities which affect client-side applications represent one of the largest categories of all vulnerability disclosures.
Web Application Protection
What It Does: Protects web applications against sophisticated application-level attacks such as SQL Injection, XSS (Cross-site scripting), PHP file-includes, CSRF (Cross-site request forgery), and Directory Traversals.
Why Important: Expands security capabilities to meet both compliance requirements and threat evolution.
Threat Detection & Prevention
What It Does: Detects and prevents entire classes of threats as opposed to a specific exploit or vulnerability.
Why Important: Eliminates the need for constant signature updates. Protection includes proprietary technology such as Java bytecode exploit detection, Flash exploit detection, and Shell Code Heuristics (SCH) technology, which has an unbeatable track record of protecting against zero day vulnerabilities.
Data Security
What It Does: Monitors, identifies, and provides control over unencrypted personally identifiable information (PII) and other confidential information for data awareness. Also provides capability to explore data flow through the network to help determine if any potential risks exist.
Why Important: Flexible and scalable customized data search criteria; serves as a complement to data security strategy.
Application Control
What It Does: Manages control of unauthorized applications and risks within defined segments of the network, such as ActiveX fingerprinting, Peer To Peer, Instant Messaging, and tunnelling.
Why Important: Enforces network application and service access based on corporate policy and governance.
37. 2Q12: Launch the X-Force IP Reputation Feed for QRadar
• 2Q12: IBM X-Force powers QRadar with the X-Force IP Reputation Feed
– Providing insight into suspect entities on the internet
• 15+ Billion URLs Monitored and Classified on a continuous basis
• Information about Malicious IPs, Malware hosts, SPAM sources, Dynamic IPs & Anonymous Proxies
• Enhances QRadar correlation intelligence
38. 2Q12: Launch QRadar Network Anomaly Detection
Optimized for the Advanced Threat Protection Platform
• QRadar Network Anomaly Detection
– An optimized version of QRadar which complements SiteProtector
• Greater visibility for SiteProtector/IPS customers
• Network flow capture with behavioral analysis and anomaly detection provides greater security intelligence:
– Traffic profiling for added protection from Low and Slow and zero-day threats
Platform roles:
• SiteProtector as core for command & control
• QRadar Network Anomaly Detection for enhanced analytics
• QRadar QFlow and VFlow collectors provide Network Awareness via deep packet inspection
• Integrated policy management & workflows within SiteProtector facilitate a rapid response to threat and more proactive visibility
(Diagram: AppScan scanner, SiteProtector, QRadar and Network IPS protecting server and desktop assets; Visibility → Suspicious Behavior, Protection → Proactive Prevention)
39. Summary
• Fewer public vulnerability disclosures and exploits in 2011 compared to 2010, but…
• We see more attack activity, with high profile breaches
We leverage numerous intelligence sources -- including a database of more than 50,000 computer security vulnerabilities, a global Web crawler and international spam collectors, as well as the real-time monitoring of 13 billion events every day for nearly 4,000 clients in more than 130 countries -- to stay ahead of these emerging threats for our customers. All of this comes from work done in IBM's nine global Security Operations Centers.
This chart demonstrates some of the publicly recorded breaches that have happened over the course of 2011. In the Mid Year report, which is represented about half way through this chart, IBM X-Force decided to declare 2011 the “Year of the security breach”. When you look at this chart, it becomes quite evident why we came to that conclusion. The color of each circle represents the technical means that was used to breach these organizations, based on what has been publicly made available. We made a rough estimate of the financial impact of each breach, which is represented by the size of the circle. You’ll notice that in the latter half of the year many of the circles are grey, which means we don’t know how that particular entity was breached. This leads to an important point. There are a lot of things that motivate organizations to publicly disclose that their security has been breached, but usually those things have to do with the privacy of personal information, and often the organizations don’t take the time to disclose the technical problem that was exploited by the attacker. Having access to that information is valuable because it enables other organizations to prioritize the security work they are doing, to make sure they address threats that have actually been used against other organizations. Many of these breaches were disclosed without that information, so unfortunately the information is less actionable for security professionals. We’d like to see more of that technical information brought to the forefront when possible. All of these breaches – this activity – has been driving a lot of conversation about computer security in 2011.
Three main themes began to emerge as we were pulling together this 2011 annual report. First, we saw some new attack activity begin to emerge, especially in the latter months of 2011. But we also saw some improvements in computer security, especially in the area of application security, and we’ll dive into that in more detail a bit later in this presentation. Finally, we’ll cover new security challenges that are emerging as organizations look to adopt technologies like cloud, with the proliferation of social media, and as individuals look to use their personal mobile devices in the enterprise.
Let’s start with some of the new attack activity we are seeing. For a long time we have seen a lot of SQL injection attack activity. This is an attack that targets the database behind a web server. Attackers often engage in this activity in an automated fashion, using bots that scan the internet looking for websites with SQL injection vulnerabilities. What the attacker attempts to do is hijack the legitimate users who are visiting these sites: the attacker redirects them, unknowingly, to malware and exploit toolkits that will infect their machines. This is a pretty big problem. 2011 was a banner year for exploiting SQL weaknesses, and several high profile and newsworthy episodes of successful SQL injection attacks were made public. The hacktivist groups Anonymous and Lulzsec were major players in SQL injection tactics and continue to hone their skills with new injection attack vectors.
This year, we have seen an uptick in a different kind of web application attack activity, called Shell Command Injection. Instead of injecting database commands through the web application, attackers inject command-line commands that run on the operating system the web application is running on. You can see in this chart a pretty significant increase in this activity at the end of 2011. We are starting to see automated Shell Command Injection attacks that work largely the same way as the SQL injection attack activity did, but this is a vulnerability that has probably received less focus over the last few years. As a consequence of the increased activity we’ve seen, we think organizations should start paying more attention to it.
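The injection pattern described above is easiest to see beside its fix. The following is an added example, not code from the report or from IBM: a hypothetical hostname-lookup web handler written the vulnerable way (user input concatenated into a shell command line) next to the hardened form (allowlist validation, then an argument list with no shell), plus the metacharacter check an IPS or reverse proxy would apply for detection. `echo` stands in for the real diagnostic command so the example runs offline; the request values are constructed.

```python
"""Shell command injection: the vulnerable pattern beside its hardened form.

Added example, not from the X-Force report. The hostname-lookup handler is a
hypothetical web endpoint that passes a user-supplied value to an OS command;
'echo' stands in for the real command so the example runs offline.
"""
import re
import subprocess

# Constructed request values: one benign, one carrying a shell metacharacter.
BENIGN_INPUT = "example.com"
INJECTED_INPUT = "example.com; echo INJECTED"

# Strict allowlist for a DNS hostname (RFC 1123 labels, 253 chars max).
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)"
    r"(?:\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$"
)
# Characters an IPS/WAF rule for shell command injection typically looks for.
SHELL_META_RE = re.compile(r"[;&|`$<>(){}\n\\]")


def run_vulnerable(host: str) -> str:
    """VULNERABLE: user input is concatenated into one string that /bin/sh
    parses. A ';' in 'host' ends the intended command and starts another."""
    cmd = "echo lookup: " + host  # hypothetical stand-in for the real command
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def run_argv_only(host: str) -> str:
    """Second defence layer on its own: argument list, no shell. Metacharacters
    stay inside one literal argument, so nothing extra executes."""
    return subprocess.run(["echo", "lookup:", host],
                          capture_output=True, text=True).stdout


def run_hardened(host: str) -> str:
    """Hardened handler: allowlist validation first, then argv with shell=False."""
    if not HOSTNAME_RE.match(host):
        raise ValueError("rejected: not a valid hostname")
    return run_argv_only(host)


def hardened_rejects(host: str) -> bool:
    """True if the hardened handler refuses 'host' (convenience for checks)."""
    try:
        run_hardened(host)
    except ValueError:
        return True
    return False


def looks_like_shell_injection(value: str) -> bool:
    """Detection-side check for a parameter that ends up in an OS command;
    a hit is something to log and alert on, not silently drop."""
    return SHELL_META_RE.search(value) is not None


if __name__ == "__main__":
    print(run_vulnerable(INJECTED_INPUT), end="")   # two lines: injected echo ran
    print(run_argv_only(INJECTED_INPUT), end="")    # one line, metacharacters literal
    print(hardened_rejects(INJECTED_INPUT))          # True
    print(looks_like_shell_injection(INJECTED_INPUT))  # True
```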
We also saw a spike in volume at the end of the year in SSH brute forcing. This is one of the most common types of attacks we see on the internet: people scan for computers running SSH and then try to brute-force user names and passwords on those computers. We’re not sure whether this huge spike is an anomaly or whether it will continue to be a problem in 2012, but it certainly is alarming. Again, if you have SSH running on a computer it is important to be sure you have good passwords, because if you don’t, those passwords will quickly be compromised automatically.
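As an added example (not from the report or from IBM), this is the detection logic a SOC would run over sshd auth log lines to surface the bursts described above: a sliding-window count of failed logins per source address, the usernames tried, and whether an accepted login followed the burst, which is the case that needs incident response rather than just a block. The log lines, the addresses (RFC 5737 documentation ranges), the threshold, the window and the log year are constructed assumptions.

```python
"""Sliding-window detection of SSH brute forcing over sshd auth log lines.

Added example, not from the X-Force report. The log lines are constructed and
use RFC 5737 documentation addresses; the threshold, window and log year are
illustrative assumptions a deployment would tune.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed OpenSSH auth log excerpt (syslog format, which omits the year).
SAMPLE_LOG = """\
Dec 28 03:14:07 web1 sshd[2131]: Failed password for invalid user admin from 203.0.113.5 port 51214 ssh2
Dec 28 03:14:09 web1 sshd[2133]: Failed password for invalid user oracle from 203.0.113.5 port 51216 ssh2
Dec 28 03:14:10 web1 sshd[2135]: Failed password for root from 203.0.113.5 port 51218 ssh2
Dec 28 03:14:12 web1 sshd[2137]: Failed password for root from 203.0.113.5 port 51220 ssh2
Dec 28 03:14:13 web1 sshd[2139]: Failed password for invalid user test from 203.0.113.5 port 51222 ssh2
Dec 28 03:14:15 web1 sshd[2141]: Accepted password for root from 203.0.113.5 port 51224 ssh2
Dec 28 03:20:01 web1 sshd[2150]: Failed password for alice from 198.51.100.7 port 40022 ssh2
Dec 28 03:20:30 web1 sshd[2152]: Accepted publickey for alice from 198.51.100.7 port 40024 ssh2
Dec 28 03:25:00 web1 sshd[2160]: Failed password for bob from 192.0.2.9 port 33000 ssh2
Dec 28 03:40:00 web1 sshd[2161]: Failed password for bob from 192.0.2.9 port 33002 ssh2
Dec 28 03:55:00 web1 sshd[2162]: Failed password for bob from 192.0.2.9 port 33004 ssh2
Dec 28 04:10:00 web1 sshd[2163]: Failed password for bob from 192.0.2.9 port 33006 ssh2
Dec 28 04:25:00 web1 sshd[2164]: Failed password for bob from 192.0.2.9 port 33008 ssh2
"""

LOG_YEAR = 2011  # assumption: syslog lines carry no year

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def parse_line(line):
    """Return {ts, result, method, user, ip} for an sshd auth line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(f"{LOG_YEAR} {ev['ts']}", "%Y %b %d %H:%M:%S")
    return ev


def detect_bruteforce(lines, threshold=5, window_seconds=60):
    """Flag a source IP once it produces >= threshold failed logins inside any
    window_seconds span. A later accepted login from a flagged source marks the
    alert 'compromised'. Slow attempts that never fill a window (the 192.0.2.9
    source above at the default window) are deliberately not flagged."""
    recent = defaultdict(deque)   # ip -> failure timestamps inside the current window
    tried = defaultdict(set)      # ip -> usernames attempted
    alerts = {}
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        ip, ts = ev["ip"], ev["ts"]
        if ev["result"] == "Failed":
            tried[ip].add(ev["user"])
            q = recent[ip]
            q.append(ts)
            while (ts - q[0]).total_seconds() > window_seconds:
                q.popleft()
            if len(q) >= threshold:
                a = alerts.setdefault(ip, {"first_seen": q[0], "failures": 0,
                                           "users": set(), "compromised": False,
                                           "accepted_user": None})
                a["failures"] = max(a["failures"], len(q))
                a["users"] = set(tried[ip])
        elif ip in alerts:  # an Accepted login after a flagged burst
            alerts[ip]["compromised"] = True
            alerts[ip]["accepted_user"] = ev["user"]
    return alerts


if __name__ == "__main__":
    for ip, a in detect_bruteforce(SAMPLE_LOG.splitlines()).items():
        sev = "CRITICAL" if a["compromised"] else "HIGH"
        print(f"{sev} {ip}: {a['failures']} failures from {a['first_seen']:%H:%M:%S}, "
              f"users tried {sorted(a['users'])}, accepted as {a['accepted_user']}")
```

Widening the window (for example to two hours) makes the slow source show up as well, which is the trade-off between catching "low and slow" attempts and alert noise.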
We also saw another big increase in activity around phishing. In 2008 and 2009 we saw a large amount of phishing activity, and we started to get excited in our mid year 2011 report because, as you can see here, through 2010 there was a relatively small amount of phishing activity, and in early 2011 this activity was pretty low as well. It seemed as though the phishing problem had been solved. We still thought there were as many phishing attacks happening in 2010 as there were in 2009 and 2008, but the people sending these emails could not generate as many of them as they used to, because if they did, people monitoring for phishing emails would notice them and react by shutting down the server that they were using to collect credentials. So really, the community of people who were working to fight phishing had made a big dent in 2010. So what happened in the later part of 2011? We’ve seen a new type of phishing-like email that links to websites which do not necessarily perform a phishing attack. These emails use the good name of a well-known brand -- perhaps it looks like it is coming from your bank, or a parcel service you are probably quite familiar with -- to get you to click on a malware link or, in some cases, a link to an otherwise innocuous site such as a retail site. One possible explanation for the latter type of email might be click fraud, wherein spammers drive traffic to these sites in exchange for advertising fees. Regardless of the explanation, this nuisance contributed to a large increase in phishing-like emails seen in the later months of the year.
More than in any previous year, 2011 has seen the most activity in the Mac malware world. This applies not only to volume, but also to functionality. In 2011, we started seeing Mac malware with functionalities that we’ve only seen before in Windows malware. This may indicate that cyber criminals are now becoming aware of how profitable targeting OS X might be. A couple of note include:
MacDefender: What makes MacDefender interesting is that it is the type of malware with a spreading mechanism that has been rampant in the Windows world in the last couple of years. MacDefender belongs to the category of malware called “Rogue Antivirus,” which disguise themselves as legitimate antivirus programs. Once installed, it pretends to scan your system, flagging random files as malicious to make it look like your system is heavily infected. The user interface is professional looking and well made, to make it more believable to the user that it is a legitimate app. It has a Register button that takes the user to a website where they can supposedly purchase a license for MacDefender using a credit card. MacDefender displays a message saying that to remove the detected malware you should pay for the licensed version, so a user may feel forced to register. The user’s credit card will then be charged for the amount and, on top of that, the credit card number may be used for other purposes as well.
Flashback: Flashback disguises itself as a Flash Player installer that can be downloaded when visiting malicious websites, which show a download or install Flash Player icon. When installed, Flashback injects code into the application launched by the user. The injected code is responsible for contacting a remote server to download updates or to send data from the infected machine. Flashback also tries to prevent future updates to XProtect by overwriting some relevant files. XProtect is Apple’s built-in basic malware protection system that uses string matching to detect malware. Apple updates XProtect whenever a high-profile Mac malware is discovered. Flashback also tries to thwart analysis by researchers by detecting whether it is running on a VMware virtual machine. Using this detection evasion mechanism is common in Windows malware, but this is the first Mac malware we’ve seen that employs the technique. This demonstrates that Mac malware technology is catching up to Windows malware technology.
DevilRobber: DevilRobber was discovered inside Mac applications that were illegally shared on BitTorrent, such as GraphicConverter, Flux, CorelPainter, and Pixelmator. DevilRobber is the most sophisticated Mac malware we’ve seen so far and contains several components. It is primarily a backdoor that opens a port on the infected machine to receive commands from a remote attacker, but one interesting functionality it has is Bitcoin mining: it installs the Bitcoin mining application DiabloMiner to use the computing power of the CPU and GPU (for users with high performance graphics cards) of the infected machine to mine for Bitcoins. It also attempts to steal the Bitcoin wallet if found. DevilRobber also steals the user’s Keychain along with other information from the infected machine and uploads them to a remote FTP server. DevilRobber also has the ability to detect if the infected machine is behind a gateway device, and then enable port-forwarding via UPnP. This enables the attacker to remotely access the infected machine using the port opened by DevilRobber, even if the infected machine is behind a gateway device.
Now we will spend a little time talking about progress we have seen. We are doing a lot of work to make the internet safer, to improve software design – and really, that work is having an impact, and we are seeing it in our statistics.
Another thing that we took note of this year is that there have been fewer exploits released on the internet that can be used to target publicly disclosed vulnerabilities. Typically in the past few years, about 15% of the vulnerabilities that were publicly disclosed ended up having exploits released that could be used for malicious intent. This year that number is down to around 11%. This is a big change, and we think it is a consequence of the fact that software is getting more resilient to attack. Certain programs have adopted things like sandboxes, so when you exploit a vulnerability it’s harder to gain control over the surrounding machine, as well as other technologies that are making exploitation more difficult. We still see a lot of vulnerabilities get disclosed, but people aren't able to actually leverage them. This is great news and means that computers are getting more secure.
These charts show you particular categories of exploit. You can see that browser exploits are down significantly from where they were a few years ago, and that is really important since a lot of attack activity targets the browser and the browser environment. We’ve also seen significantly fewer exploits targeting document readers and editors this year, which is also a significant bit of progress. One place where we have yet to see progress is with multimedia players. We saw just as many exploits here this year as we did last year, but we do expect to see some improvements in this area coming in 2012. The fact is, we still see a lot of attack activity out there on the internet, but the software that we use is getting stronger and more secure, and we can see a future where some of this attack activity will be significantly mitigated.
We also saw fewer web application vulnerabilities in 2011. As I mentioned earlier, the most common type of attack activity we see on the internet is SQL injection. For the past few years, web application vulnerabilities were about 50% of the vulnerabilities being publicly disclosed. But this year, that number is down to about 40%. That’s a big change, and again, it means that web application developers are getting a bit smarter about how they develop their applications. Maybe they are using tools to scan and test for vulnerabilities earlier in the development process, and that will contribute to a safer internet. We still have a lot of work to do here though! 40% of vulnerabilities disclosed is still a lot of vulnerabilities, and we are seeing the attack types pivoting: we are seeing more Shell Command Injection attack activity than SQL injection activity because SQL injection is harder to find than it used to be. But the fact is, this is progress; it is moving in the right direction and moving us toward a safer internet.
As I mentioned earlier, we do continue to create new technologies that we put in our IT environments, and these create potential new surface areas for attack.
Mobile devices are certainly one of those areas. People want to ‘bring their own device’ into the enterprise: they want to access work through their personal tablet or smart phone, and they want to decide which phone they use! This is a real IT management challenge. These charts represent vulnerabilities and exploits that have been released that target mobile devices. We saw slightly fewer mobile vulnerabilities this year than last year, but it was still a pretty large number, and we saw an increase in the number of exploits released on the internet that could be used to target mobile devices. We aren’t seeing that much attack activity; we are still seeing less attack activity targeting mobile devices than traditional desktops. However, a year ago we were seeing almost no activity of that sort, and now it is definitely happening. There have been some significant incidents: in fact, a few weeks ago someone reported a 100,000-node botnet that infects mobile devices. That is a significant number of infections, and something to definitely pay attention to, but it is not yet rivaling the scope of the problem targeting traditional desktops.
These guys spend a lot of time researching on Twitter and Facebook and the like in order to try to come up with an organizational structure for the organization that they’re targeting, so that they know who to send these emails to and how to make them compelling. And often they’ll send the email from an account that appears to be an acquaintance or co-worker of the victim.
There is a period of time before every technology is applied for purposes of national security; e.g. the first manned flight by the Wright brothers in 1903 lasted 12 seconds, and within 10 years the sky had become another battlefield no less important than the battlefields on land and sea. What we are witnessing, in many ways, is the weaponization of cyber space for a range of purposes, and we are just seeing the tip of the iceberg. Clearly, there has been an evolution of players (and motives) involving well-funded and resourced actors -- insiders, organized crime, espionage, political activists and nation states -- which is only matched by an escalation in the high value of the assets being targeted and the sophistication of attack vectors. In many ways, this escalation in the threat is challenging and exposing the weaknesses of the current generation of security controls. Bigger firewalls and better locks are no longer sufficient to protect against sophisticated attacks conducted by nation-state-level actors. Some statistics: 52% -- private-sector statistics show that the insider threat is up more than 52% in the past year. $226 billion -- the economic impact of cyber-attacks on businesses has grown to over $226 billion annually (source: Congressional Research Service study). 158% increase -- security breaches are on the increase: cyber-attacks have increased 158% since 2006, and worldwide cyber-attacks increased 30% over the second half of 2008 (sources: US Department of Homeland Security; IBM Internet Security Systems X-Force).
The X-Force approach of protecting against the underlying vulnerability means IBM solutions can help to stop threats at their source. This is a far different approach than reactive measures that “chase” individual exploits and are negated as soon as an exploit evolves.
One of the toughest challenges in security today is keeping pace with the increasing diversity and sheer number of attacks. IBM’s preemptive protection approach protects our clients well ahead of major vendor vulnerability disclosures. This is far superior to the reactive approach used by many vendors: our clients are not left unprotected while a reactive measure is developed. In many cases, IBM clients are provided protection guidance before a vendor vulnerability disclosure (in many cases 100+ days ahead of time) or within 24 hours of it.
• Highly accurate stateful inspection algorithms through IBM’s PAM module for resilient protection against network vulnerabilities.
• Advanced heuristic and deep content analysis engines to protect against advanced threat classes such as browser attacks, data leakage, and web app attacks.
• The ability to leverage publicly available signature sources for known threats.
• The ability to share custom rules with other security teams to enhance and tune protection for the customer’s network.
• Helps monitor and control applications in the corporate enterprise to reduce the risk of data theft and save money on network bandwidth costs.
• Enables centrally managed protection against known and unknown attacks, including those targeted at web applications.
• Helps protect against targeted and broad-based attacks that are designed to evade most security technologies.
• Helps companies meet today’s regulatory compliance requirements, including GLBA, Sarbanes-Oxley and PCI-DSS.
• With Firmware 4.4, adds the ability to write or import custom open source signatures and monitor network capacity.
Many network IPS devices only support SNORT, an open source, signature-based intrusion detection method with drawbacks: SNORT signatures are easy to share, but lack the behavioral intelligence needed for more sophisticated attacks. Only IBM Security Network IPS has the leading behavioral-based X-Force Protocol Analysis engine. Today IBM announces technology that allows customers to:
• Retire their SNORT-based devices and migrate to IBM’s PAM-based Network IPS.
• Take their customized SNORT rules with them to ease the transition.
• Run SNORT in parallel to PAM: hybrid protection using market-leading X-Force Protocol Analysis with the ability to write or import custom Snort rules.
• Advanced heuristic and deep content analysis engines provide protection against advanced threats such as browser attacks, data leakage, and malicious web applications designed to evade most security technologies.
• Facilitate adherence to today’s regulatory and compliance mandates, including GLBA, Sarbanes-Oxley and PCI-DSS.
• Enables customers to address the changing threat landscape with limited expertise and resources.
IBM reduces the TCO of IPS by enabling easy migration from Snort-only alternatives to IBM NIPS:
• Hybrid protection using market-leading X-Force Protocol Analysis; users can write or import custom Snort rules.
• Advanced Behavioral Analysis and Deep Content Analysis engines provide protection from advanced threats such as browser attacks, data leakage, and malicious web applications designed to evade most security technologies.
• Facilitate adherence to today’s regulatory and compliance mandates, including GLBA, Sarbanes-Oxley and PCI-DSS.
IBM Network Protection enables customers to retire their SNORT-based devices, migrate to IBM’s PAM-based Network IPS, and take their custom SNORT rules with them.
• Performs deep packet inspection
• Performs deep protocol and content analysis
• Detects protocol and content anomalies
• Simulates the protocol/content stacks in vulnerable systems
• Normalizes at each protocol and content layer
• Provides the ability to add new security functionality within the existing solution
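The two preceding slides contrast raw signature matching (Snort-style content rules) with protocol analysis that parses and normalizes each layer before judging the traffic. The following is an added, self-contained illustration of that difference and is not IBM PAM or Snort code: a literal byte signature for a directory traversal is evaded by URL encoding and double encoding, while a minimal HTTP request-line parser that decodes to a fixed point, resolves dot segments, and flags anomalies (multiple encoding layers, traversal above the root, a malformed request line) still catches each variant. The request lines, the sensitive-path list and the decode-round cap are constructed for the example.

```python
"""Added example: raw signature matching vs. protocol-normalizing inspection.

Toy code written for this page; it is not IBM PAM or Snort. It shows why a
content signature over raw bytes misses encoded variants that a parser
which decodes and normalizes each layer first still detects.
"""
import re
from urllib.parse import unquote

# Constructed sample HTTP request lines (not captured traffic).
REQUESTS = [
    b"GET /index.html HTTP/1.1",                # benign
    b"GET /../../etc/passwd HTTP/1.1",          # plain traversal
    b"GET /%2e%2e/%2e%2e/etc/passwd HTTP/1.1",  # URL-encoded traversal
    b"GET /%252e%252e/etc/passwd HTTP/1.1",     # double-encoded traversal
    b"GET /static/..%2f..%2fetc/passwd HTTP/1.1",  # encoded slash
    b"GET /images/./logo.png HTTP/1.1",         # benign dot segment
]

# A Snort-style content rule: alert on the literal bytes "../" anywhere.
SIGNATURE = re.compile(rb"\.\./")

# Assumed policy for the example: paths an external client must never reach.
SENSITIVE_PREFIXES = ("/etc/",)
MAX_DECODE_ROUNDS = 3  # cap so a hostile client cannot make us loop forever


def signature_alert(raw: bytes) -> bool:
    """Raw-byte match with no protocol awareness."""
    return SIGNATURE.search(raw) is not None


def parse_request_line(raw: bytes):
    """Minimal HTTP request-line parser: returns (method, target, version)."""
    parts = raw.decode("ascii", errors="replace").split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        raise ValueError("malformed request line")
    return parts[0], parts[1], parts[2]


def normalize_path(target: str):
    """Percent-decode until stable, then resolve '.' and '..' segments.

    Returns (normalized_path, sorted list of anomaly tags). Normalizing
    before matching is what lets the check see what the server will see.
    """
    anomalies = set()
    path = target.split("?", 1)[0]
    rounds = 0
    while rounds < MAX_DECODE_ROUNDS:
        decoded = unquote(path)
        if decoded == path:
            break
        rounds += 1
        path = decoded
    if rounds > 1:
        anomalies.add("multiple-encoding-layers")
    if rounds == MAX_DECODE_ROUNDS and unquote(path) != path:
        anomalies.add("decode-limit-exceeded")

    segments = []
    for seg in path.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if segments:
                segments.pop()
            else:
                # Escaping above the document root is a protocol anomaly.
                anomalies.add("traversal-above-root")
        else:
            segments.append(seg)
    return "/" + "/".join(segments), sorted(anomalies)


def protocol_alert(raw: bytes):
    """Parse, normalize, then judge. Returns (alert, sorted reasons)."""
    try:
        _method, target, _version = parse_request_line(raw)
    except ValueError:
        return True, ["malformed-request-line"]
    path, anomalies = normalize_path(target)
    reasons = set(anomalies)
    if path.startswith(SENSITIVE_PREFIXES):
        reasons.add("sensitive-path:" + path)
    return bool(reasons), sorted(reasons)


def compare(requests=REQUESTS):
    """Map each sample to (signature_fired, protocol_analysis_fired)."""
    return {r: (signature_alert(r), protocol_alert(r)[0]) for r in requests}


if __name__ == "__main__":
    for req, (sig, proto) in compare().items():
        print(f"{req.decode():45s} signature={sig!s:5s} protocol={proto}")
```

Running the block shows the signature firing only on the plain `../` request, while the normalizing check fires on all four traversal variants and stays quiet on the two benign lines. The cap on decode rounds is the practical caveat: a normalizer that decodes without limit is itself a denial-of-service target, so the limit is reached deliberately and reported as an anomaly rather than silently ignored.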