Today’s advanced threats use low and slow techniques to hide below the radar of traditional security products and approaches. Join this engaging presentation on IBM’s strategy to disrupt the attack chain. Learn how applying intelligence and integrating across security silos can help harden defenses, detect exploits, analyze attacks, and remediate weaknesses to defeat advanced threats.
View the on-demand webinar: https://www2.gotomeeting.com/register/472103354
Too many products

We have multiple examples of customers who have invested in many, many tools. One US government agency alone has 200 security products – that entails the license costs, but perhaps more problematically, the configuration and maintenance of all of those products in a constantly changing infrastructure. They’re not getting their money’s worth. They can’t. It’s too complex and too costly.

Too many point products from too many vendors

Besides having too many products, they have too many vendors – point products from each vendor that do not integrate in any way. And those point products cannot find the advanced attacks that these enterprises are experiencing. One customer had 85 products from 45 different security vendors.

Products don’t work

Antivirus products cannot reliably defend against malware. In another case a customer had 46 security vendors who all failed to prevent a malware attack.

Source: http://krebsonsecurity.com/
This chart highlights the volume of threat activity that is happening out there. You can see it’s quite a lot, considering this is a mere sampling of what was probably actually going on. The color of each circle represents the technical means used by attackers to breach these customers. The size of the circle estimates the financial impact that might have occurred, based on what was reported publicly. Though the seemingly insurmountable magnitude of these threats is alarming, they’re certainly preventable if you’re armed with the right approach.
Sophisticated attackers will exploit a multitude of technical and social engineering vulnerabilities to attack an organization; however, attacks tend to follow a five-stage sequence. The attacker will break into the system, frequently by using social engineering to gain access to a user’s credentials. Once inside, the attacker will install malware and phone home that it has successfully compromised the system. Advanced attackers are generally patient and use a ‘low and slow’ attack style to expand across systems to maximize access to sensitive data. Once they have succeeded in accessing the desired data, attackers assemble the data they are looking for in preparation for transmittal out of the system. The attacker then covertly transmits the data to an external location. These attacks can be spread out over days, weeks or months and may feature the ongoing exfiltration of data from the target, rather than a one-time event.
Countering an advanced attack is a continuous process that requires integration between the multifaceted security tools. First, security admins must harden their systems against known vulnerabilities. Second, they must monitor activity with as much context as possible to detect attacks when they occur. Then, they must have the data and capability to drill into a suspected attack to determine the extent of the compromised systems and data, and learn enough about the attack vector that they can stop the attack and remediate systems to prevent similar attacks in the future. As you will see, the IBM Security portfolio is well suited and integrated to give security professionals the tools they need to harden against, detect and analyze advanced attacks.
Harden Endpoints
- Manage hundreds of thousands of endpoints regardless of location, connection type or status
- Automatically enforce security baselines across all endpoints, including software versions and configuration settings

Harden Applications
- Leverage multiple source code scanning technologies for issue discovery and remediation across security and development teams
- Scan production web apps to detect vulnerabilities such as SQL injection and cross-site scripting

Harden Network Traffic
- Virtually patch detected vulnerabilities at the network level
- Filter internet traffic according to enterprise security policies

Harden Databases
- Scan for database exposures (missing patches, weak passwords, unauthorized changes, and misconfigured privileges)
- Detect behavioral vulnerabilities (account sharing, excessive administrative logins and after-hours activity)

Vulnerability Management
- Performs real-time vulnerability scans for 70,000+ vulnerabilities on routers, firewalls, OS, DB, web servers, DNS and mail servers
- Ensures hardened network device configuration across all assets
- Prioritizes vulnerabilities using context from IBM tools and X-Force threat intelligence
- Addresses the most critical risks first when hardening the system
Thanks Marc. We have here a great screenshot from QRadar Vulnerability Manager. What makes Vulnerability Manager so powerful is the ability to not just identify, but also risk-adjust vulnerabilities using context specific to your environment. You can see from this screen capture that the server vulnerability shown has a score of 60. That’s good to know, but what does a score of 60 really mean? How did Vulnerability Manager come up with that? That 60 is comprised of a base score of 10, which is the score given by QRadar Vulnerability Manager’s native scanner. The base score is then adjusted using context specific to the environment. The risk is increased by 10 because Network Protection XGS provided context showing that the vulnerable system had communicated with malicious IPs identified by X-Force research. The risk was reduced by 10 because this server’s vulnerability is scheduled to be patched by IBM Security Endpoint Manager. Finally, the risk score is increased by 50 because the network topology from QRadar Risk Manager indicates that the server in question is not adequately protected behind firewall and intrusion prevention systems. It is this context from integrated solutions that helps the security analyst sort through numerous vulnerabilities to identify the most risky.
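The scoring walkthrough above, as an added example that is not IBM's or QRadar's code: a base scanner score is adjusted by context signals and the inventory is ranked so the riskiest items surface first. The signal names, the sample assets and the placeholder vulnerability ids are assumptions; the adjustment values (+10, -10, +50 on a base of 10) are the ones narrated on the slide.

```python
"""Contextual vulnerability risk scoring, modelled on the QRadar Vulnerability
Manager walkthrough. Added illustration, not product code; signal names are assumed."""
from dataclasses import dataclass, field

# Context adjustments as narrated on the slide (hypothetical signal names)
ADJUSTMENTS = {
    "malicious_ip_contact": +10,   # network context: host talked to known-bad IPs
    "patch_scheduled": -10,        # endpoint management will patch it shortly
    "unprotected_topology": +50,   # topology shows no firewall/IPS in front of it
}

@dataclass
class Vulnerability:
    asset: str
    vuln_id: str          # placeholder identifiers, not real CVE numbers
    base_score: int       # score from the native scanner
    context: set = field(default_factory=set)

def risk_score(v):
    """Return (adjusted_score, breakdown). An integration that is absent simply
    contributes no signal; an unknown signal name is a configuration error."""
    breakdown = {"base": v.base_score}
    for signal in sorted(v.context):
        if signal not in ADJUSTMENTS:
            raise ValueError(f"unknown context signal: {signal}")
        breakdown[signal] = ADJUSTMENTS[signal]
    return max(0, sum(breakdown.values())), breakdown

def prioritize(vulns):
    """Sort descending by adjusted score so the analyst sees the riskiest first."""
    return sorted(vulns, key=lambda v: risk_score(v)[0], reverse=True)

# Constructed sample inventory: web-01 is the server from the walkthrough
SAMPLE = [
    Vulnerability("web-01", "VULN-A", 10,
                  {"malicious_ip_contact", "patch_scheduled", "unprotected_topology"}),
    Vulnerability("db-02", "VULN-B", 40, {"patch_scheduled"}),
    Vulnerability("lab-03", "VULN-C", 20, set()),
]

if __name__ == "__main__":
    for v in prioritize(SAMPLE):
        score, why = risk_score(v)
        print(f"{v.asset:8} {v.vuln_id:7} {score:3}  {why}")
```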
As Marc explained, hardening against unusual behavior from users is key to successfully defending against advanced threats. An important part of hardening people is having the integration in place to be alerted when suspicious identity events occur. As you can see in the screen capture here, intelligence from Identity and Access Manager is captured in the QRadar dashboard. The security analyst using QRadar immediately sees the multiple login failures from the same user. Right from QRadar, the analyst can then drill into the details of the failed logins.
In this scenario, our persistent attacker has sent an email containing a link to malware, in an attempt to compromise your organization. A powerful intrusion prevention system is a key component in detecting attacks on your environment. However, intrusion prevention is only as effective as the intelligence it is using to identify and block suspicious traffic. That is why the close integration between our Network Protection XGS and X-Force threat research is so important. This series of screen captures from the XGS user interface demonstrates the integration. In the top screenshot you can see URL reputation data from X-Force, one of the largest URL reputation databases in the world. In the second screenshot you can see that URLs are broken into categories, for example botnet command and control, malware, etc. Finally, you can see the actual policy telling the XGS to reject any connections to this source, the link from the attacker’s email, because it is a known malware host. URL reputation data is only the first way that integration between X-Force research and the Network Protection XGS device protects you from malware. The XGS also integrates X-Force intelligence into its protocol analysis module; this deep understanding of protocols allows the XGS to identify and block malware traversing the network regardless of the source. Now that we’ve prevented the malicious link….
…our attacker has moved on in an attempt to exploit an SQL injection vulnerability. The security analyst is first made aware of the attempted SQL injection through an event sent from Access Manager’s web application firewall, which is protecting the application where the attempted exploit is taking place. The security analyst can use IBM Security AppScan to run a scan of the web application in question. AppScan, shown in the top screenshot, will identify the SQL injection vulnerability in the application. If that was the end of this action, we would have a problem, because it can take some time for developers to create a patch and update the vulnerable application. Luckily, this analyst has SiteProtector. The integration between AppScan and SiteProtector means that right from the AppScan interface, as shown in the second screen capture, the analyst can select vulnerabilities and click export to SiteProtector. Once in SiteProtector, the analyst can deploy a virtual patch that will block SQL injection to that web application at the network level while the development team is working on a patch. SiteProtector then pushes the virtual patch out at once to all Network Protection XGS devices protecting the network.
Still undaunted, our persistent attacker manages to steal a highly privileged system administrator’s login credentials. He realizes that using the system administrator’s credentials won’t go unnoticed for long, so he decides to use the account only briefly, to give increased permissions to a non-administrator whose account he has also compromised. Later, he intends to use this account to gather and exfiltrate sensitive data. Fortunately for this organization, the system administrator is being monitored by Privileged Identity Manager. Like we saw with the Identity and Access Manager example earlier, Privileged Identity Manager is integrated with QRadar. As you can see in the top screen capture, Privileged Identity Manager sends the details of the increased permission to QRadar. Because of this deep integration, right from QRadar the security analyst can drill into the detail to see, for example, that the user bouncy15 elevated the privileges of user bouncy17. Because the organization is using Privileged Identity Manager, the security analyst can open a recording of the administrator bouncy15’s screen while he was granting the increased permission. After reviewing the recording, the analyst determines that the compromised administrator account was granting permissions outside of the normal procedure and revokes access for both the administrator and the user whose permissions were escalated.
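The two identity scenarios above (repeated login failures from one user, and a privilege grant by an administrator that falls outside the normal procedure) expressed as simple SIEM-style correlation rules over sample events. This is an added illustration, not QRadar's rule engine: the key=value log format, the source names IAM/PIM, the failure threshold and window, and the 08:00-18:00 change window are all assumptions, and the log lines are constructed.

```python
"""Two correlation rules over constructed identity events (added example, not IBM code).
Format, field names, thresholds and the business-hours change window are assumed."""
from collections import defaultdict
from datetime import datetime, timedelta

FAILED_LOGIN_THRESHOLD = 5                    # raise an offense at the 5th failure
FAILED_LOGIN_WINDOW = timedelta(minutes=10)   # ... counted within a 10-minute window

# Constructed sample events; bouncy15/bouncy17 are the users named on the slide
SAMPLE_LOG = """\
2014-03-05T09:00:01 src=IAM event=login_failure user=bouncy17 ip=10.1.1.5
2014-03-05T09:00:20 src=IAM event=login_failure user=bouncy17 ip=10.1.1.5
2014-03-05T09:01:02 src=IAM event=login_failure user=bouncy17 ip=10.1.1.5
2014-03-05T09:01:40 src=IAM event=login_failure user=bouncy17 ip=10.1.1.5
2014-03-05T09:02:15 src=IAM event=login_failure user=bouncy17 ip=10.1.1.5
2014-03-05T09:03:00 src=IAM event=login_success user=bouncy17 ip=10.1.1.5
2014-03-05T09:30:00 src=IAM event=login_failure user=alice ip=10.1.1.9
2014-03-05T22:14:00 src=PIM event=privilege_grant user=bouncy15 target=bouncy17 role=admin
"""

def parse(log):
    """Turn each line into a dict of its key=value fields plus a datetime 'ts'."""
    events = []
    for line in log.splitlines():
        ts, _, rest = line.partition(" ")
        ev = dict(kv.split("=", 1) for kv in rest.split())
        ev["ts"] = datetime.fromisoformat(ts)
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])

def failed_login_offenses(events):
    """Rule 1: THRESHOLD login failures for the same user inside the sliding window."""
    offenses, recent = [], defaultdict(list)
    for ev in events:
        if ev["event"] != "login_failure":
            continue
        user = ev["user"]
        recent[user] = [t for t in recent[user] if ev["ts"] - t <= FAILED_LOGIN_WINDOW]
        recent[user].append(ev["ts"])
        if len(recent[user]) == FAILED_LOGIN_THRESHOLD:
            offenses.append({"rule": "repeated_login_failure", "user": user, "ts": ev["ts"]})
    return offenses

def privilege_grant_offenses(events, change_window=(8, 18)):
    """Rule 2: a privilege grant outside the assumed change window (08:00-18:00),
    recording both the granting account and the account that was elevated."""
    start, end = change_window
    return [{"rule": "out_of_procedure_grant", "granter": ev["user"],
             "grantee": ev["target"], "ts": ev["ts"]}
            for ev in events
            if ev["event"] == "privilege_grant" and not start <= ev["ts"].hour < end]

def run(log=SAMPLE_LOG):
    events = parse(log)
    return failed_login_offenses(events) + privilege_grant_offenses(events)
```

Each offense carries the user pair or the failing account so an analyst can drill from the summary into the underlying events, as the dashboards above do.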
IBM Security QRadar SIEM analyzes tremendous amounts of data (logs, network flows) and uses context to transform it into useful, actionable information, as depicted in this slide. Here’s what a security team member would see when they begin to investigate an offense record triggered by a correlation rule. The analyst can see the who, what and where behind the offense and quickly determine if it’s a legitimate threat or a false positive.

IBM Security QRadar SIEM is strong from an event-management and analysis perspective and is very effective in detecting threats because it can leverage a broad range of data, analyze it, and apply context from an extensive range of sources. This reduces false positives, and tells users not only what has been exploited but also what kind of activity is taking place. This results in quicker threat detection and response.

QRadar continuously monitors data sources across the IT infrastructure, leveraging the full context in which systems are operating. That context includes security and network device logs, vulnerabilities, configuration data, network traffic telemetry, application events and activities, user identities, assets, geo-location, and application content. This generates a staggering amount of data, and QRadar SIEM leverages it to establish very specific context around each potential area of concern, and uses sophisticated analytics to accurately detect more and different types of threats. For example, a potential exploit of a web server reported by an intrusion detection system can be validated by unusual outbound network activity detected by QRadar’s network behavioral anomaly detection (NBAD) capabilities.

QRadar uses intelligence, automation and analytics to provide very actionable security information, including the number of targets involved in a threat, who was responsible, what kind of attack occurred, whether it was successful, vulnerabilities, evidence for forensics, etc.
Source: Protecting consumer and business information with advanced threat protection
http://public.dhe.ibm.com/common/ssi/ecm/en/wgc12350usen/WGC12350USEN.PDF
The IBM Security Systems portfolio is built around protecting the security domains of People, Data, Applications, and Infrastructure, with a layer of Security Intelligence and Analytics providing true integration and visibility into the enterprise security landscape, and underpinned by IBM X-Force Research providing threat intelligence. The acquisition of Trusteer provides enhanced endpoint protection and threat research, while extending the portfolio with a layer of advanced fraud protection.