7 ways to stay 7 years ahead of the threat 2015
TRANSCRIPT
© 2015 IBM Corporation
Behavior-based protection for your network
Barny Sanchez, CTO, Threat & Infrastructure
IBM Security
Paul Griswold, Program Director, Strategy & Product Management, Network Protection
IBM Security
7 Ways to Stay 7 Years Ahead of the Threat
Customers are fighting a losing battle
Humans will always make mistakes
System and application vulnerabilities continue to emerge
Most malware detection is reactive
Criminals use IRS website to steal data on 104,000 people
Data Breach at Anthem May Forecast a Trend
Premera Blue Cross Breach Exposes Financial, Medical Records
Ashley Madison Breach Could Expose Privates Of 37 Million Cheaters
Large-scale infections create large surface area for new massively-distributed APT style attacks
New APT attack that can evade AV and standard controls
Attack attempts to set up remote control or steal corporate credentials
The disclosure of last year’s Shellshock bug brought immediate exploit attempts
1992: Vulnerability in Bash shell introduced in Linux v1.14
24 Sep 2014: Shellshock vulnerability disclosed in CVE 2014-6271
25 Sep 2014: X-Force elevates AlertCon level to a 3
27 Sep 2014: IBM MSS observes 1000% increase above average of shellcode injection attacks
Vendor patch for CVE 2014-6271 found insufficient. Add’l CVE 2014-7169 created.
Additional CVEs created to document Shellshock, bringing total to 6.
Patching the original vulnerability was complicated by the development of additional exploit techniques, resulting in additional CVE numbers created.
IBM customers avoided the shock
IBM Security Network Protection
Pre-emptive protection to keep you Ahead of the Threat
ADVANCED INTELLIGENCE: Powered by X-Force global threat research
ZERO-DAY PROTECTION: Protects against known and unknown attacks
BROAD COVERAGE: Protects against a full spectrum of attack techniques
IBM Security Network Protection
Broad coverage
Protects against a full spectrum of attack techniques
Web App
System and Service
Traffic-based
User
Risky Applications
Protocol Tunneling
RFC Non-Compliance
Unpatched / Unpatchable Vulnerabilities
Code Injection
Buffer Overflows
Cross-site Scripting
SQL Injection
Cross-site Request Forgery
Cross-path Injection
Spear Phishing
Drive-by Downloads
Malicious Attachments
Malware Links
Obfuscation Techniques
Protocol Anomalies
DoS / DDoS
Information Leakage
Social Media
File Sharing
Remote Access
Audio / Video Transmission
THREATS…
Network Traffic and Flows
Broad coverage
Comprehensive protection, visibility, and control over network traffic
Identity and Application Awareness: Associates users and groups with their network activity, application usage and actions
Deep Packet Inspection: Fully classifies network traffic, regardless of address, port, or protocol
SSL Visibility: Identifies inbound and outbound traffic threats, without needing a separate appliance
400+ Protocols and file formats analyzed
2,000+ Applications and actions identified
22+ Billion URLs classified in 70 categories
Diagram: inbound and outbound traffic from Employees A, B and C to Applications A and B, labelled as good application and clean traffic versus prohibited application, attack traffic and botnet traffic.
IBM goes beyond pattern matching with a broad spectrum of vulnerability and exploit coverage
Web Injection Logic: Patented protection against web attacks, e.g., SQL injection and cross-site scripting
Exploit Signatures: Attack-specific pattern matching
Vulnerability Decodes: Focused algorithms for mutating threats
Application Layer Heuristics: Proprietary algorithms to block malicious use
Protocol Anomaly Detection: Protection against misuse, unknown vulnerabilities, and tunneling across 230+ protocols
Shellcode Heuristics: Behavioral protection to block exploit payloads
Content Analysis: File and document inspection and anomaly detection
Other IPS solutions stop at pattern matching
Heuristics-based detection blocks attacks that have never been seen before

Vulnerability (CVE)                                  Disclosed       IBM protection (heuristic, released)    Lead              Vulnerabilities covered
Shellshock (CVE 2014-6271)                           Sept 2014       Shell_Command_Injection, June 2007      7.3 years ahead   10
MS IE Remote Exploit (CVE-2012-4781)                 December 2012   JavaScript_NOOP_Sled, April 2006        6.8 years ahead   94
Java JRE Code Execution (CVE-2013-2465)              March 2013      Java_Malicious_Applet, October 2012     5 months ahead    8
Cisco ASA Cross-Site Scripting (CVE-2014-2120)       March 2014      Cross_Site_Scripting, November 2008     5.5 years ahead   8,500+
Symantec Live Update SQL Injection (CVE-2014-1645)   March 2014      SQL_Injection, June 2007                6.9 years ahead   9,000+
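To make concrete what a "vulnerability decode" adds over an exploit signature, here is an added Python example; it is not code from the slides or from IBM's products. It runs two detectors over constructed CGI requests: a literal match on the Shellshock exploit string seen in the first public attacks, and a decode of the vulnerable condition itself. The decode rests on the public description of CVE-2014-6271: before the fix, bash parsed any environment variable whose value starts with the four characters "() {" as a function definition, and a CGI server exports request headers into the environment, so that prefix at the start of a header value is what to block, whatever follows it. All request text, header names and the "CONSTRUCTED_TEST" marker are constructed for the example.

```python
import re
from typing import Dict, List, Tuple

# Constructed HTTP requests, written for this example (not captured traffic).
# "classic" carries the widely published Shellshock test string; "mutated" changes
# only the function body, which is enough to dodge a literal exploit signature.
REQUESTS: Dict[str, str] = {
    "benign": (
        "GET /cgi-bin/status HTTP/1.1\r\n"
        "Host: example.test\r\n"
        "User-Agent: Mozilla/5.0 (X11; Linux x86_64)\r\n"
        "\r\n"
    ),
    "classic": (
        "GET /cgi-bin/status HTTP/1.1\r\n"
        "Host: example.test\r\n"
        "User-Agent: () { :;}; echo CONSTRUCTED_TEST\r\n"
        "\r\n"
    ),
    "mutated": (
        "GET /cgi-bin/status HTTP/1.1\r\n"
        "Host: example.test\r\n"
        "User-Agent: Mozilla/5.0\r\n"
        "Cookie: () { echo x; }; echo CONSTRUCTED_TEST\r\n"
        "\r\n"
    ),
    "lookalike": (
        "GET /cgi-bin/status HTTP/1.1\r\n"
        "Host: example.test\r\n"
        "X-Note: see section () { for details\r\n"
        "\r\n"
    ),
}

# Exploit signature: the exact string used by the first public attacks.
EXPLOIT_SIGNATURE = "() { :;};"

# Vulnerability decode: pre-fix bash treated an environment variable whose value
# begins with these four characters as a function definition to parse and run.
# Headers become environment variables under CGI, so the prefix at the very start
# of a header value is the condition to protect, independent of the payload.
FUNCTION_PREFIX = "() {"


def parse_headers(raw_request: str) -> List[Tuple[str, str]]:
    """Split an HTTP/1.1 request into (name, value) header pairs; the request line is skipped."""
    head = raw_request.split("\r\n\r\n", 1)[0]
    headers: List[Tuple[str, str]] = []
    for line in head.split("\r\n")[1:]:
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers.append((name.strip(), value.strip()))
    return headers


def exploit_signature_hits(raw_request: str) -> bool:
    """Pattern-matching engine: fires only on the literal exploit string."""
    return EXPLOIT_SIGNATURE in raw_request


def vulnerability_decode(raw_request: str) -> List[str]:
    """Names of headers whose value vulnerable bash would parse as a function definition."""
    return [name for name, value in parse_headers(raw_request)
            if value.startswith(FUNCTION_PREFIX)]


def evaluate() -> Dict[str, Tuple[bool, List[str]]]:
    """Run both detectors over every constructed request."""
    return {name: (exploit_signature_hits(raw), vulnerability_decode(raw))
            for name, raw in REQUESTS.items()}


if __name__ == "__main__":
    for name, (sig, decoded) in evaluate().items():
        print(f"{name:10s} exploit signature: {str(sig):5s} vulnerability decode: {decoded or '-'}")
```

The signature catches only the "classic" request; the decode also catches the "mutated" one, whose function body differs, and stays quiet on the "lookalike" header because the prefix is not at the start of the value, which is exactly the distinction the vulnerable parser made.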
PASS All tests related to “stability and reliability”
PASS All tests related to “evasions”
98.9% Exploit block rate for combined attacker and target initiated attacks
100.0% Service exposure block rate
94.6% Block rate for live exploits
NSS Labs testing of IBM Security Network Protection XGS 7100
Source: NSS Labs 2015 Next Generation Intrusion Prevention System (NGIPS) Test Report
“The device proved effective against all evasion techniques tested. The device also passed all stability and reliability tests. The IBM Security Network Protection XGS 7100 is rated by NSS at 24,194 Mbps, which is higher than the vendor-claimed performance; IBM rates this device at 20Gbps.”
INLINE IPS SYSTEM EFFICACY: IBM IPS GX7800 vs. Snort IPS
Publicly-Available Exploits Blocked (Out of 74)
Mutated Exploits Blocked (Out of 31)
Source: Tolly Test Report, October 2012
• Delivers superior protection from evolving threats with high levels of performance
• Stops 99% of tested, publicly available attacks
• Is nearly twice as effective as Snort at stopping “mutated” attacks
The Tolly Report Illustrates the Benefits of Behavioral Detection
Simple mutations will render exploit-matching engines useless
A simple change to a variable name allows the attack to succeed, while rendering the protection of a signature-matching engine useless
A simple change to the HTML code in a compromised web page makes the attack invisible to signature protection
Simply adding a comment to a web page results in an attack successfully bypassing signature IPS
Original Variable Names -> Mutated Variable Names
Shellcode -> somecode
Block -> brick
heapLib -> badLib

Original Class Reference:
<html><head></head><body><applet archive="jmBXTMuv.jar" code="msf.x.Exploit.class" width="1" height="1"><param name="data" value=""/><param name="jar">
Mutated Class Reference:
<html><head></head><body><applet archive="eXRZLr.jar" code="msf.x.badguy.class" width="1" height="1"><param name="data" value=""/><param name="jar">

Original Code:
var t = unescape;
Mutated Code:
var t = unescape <!-- Comment -->;
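The three mutations on this slide (a comment, renamed variables, a renamed archive and class) are small enough to show the failure of literal matching and one way behavioral detection survives it. The Python below is an added example, not code from the slides or from IBM's products. It runs each pair past a literal exploit signature and past a structural check: comments and whitespace are normalized away, user identifiers are alpha-renamed in order of appearance so the fingerprint depends on structure rather than names, and the applet tag is judged by its attributes (a 1x1 applet loading a .jar) rather than by the archive or class name. The code around the slide's variable names, the JS_FIXED keyword list and the applet heuristic are constructed for the example.

```python
import hashlib
import re
from typing import Callable, Dict

# Constructed samples for this example. The variable names, <applet> tags and the
# comment mutation are the ones shown on the slide; the surrounding code is not.
COMMENT_PAIR = ("var t = unescape;", "var t = unescape <!-- Comment -->;")
RENAME_PAIR = (
    "var Shellcode = unescape(a); var Block = unescape(b); var heapLib = [];",
    "var somecode = unescape(a); var brick = unescape(b); var badLib = [];",
)
APPLET_PAIR = (
    '<html><head></head><body><applet archive="jmBXTMuv.jar" code="msf.x.Exploit.class" '
    'width="1" height="1"><param name="data" value=""/><param name="jar">',
    '<html><head></head><body><applet archive="eXRZLr.jar" code="msf.x.badguy.class" '
    'width="1" height="1"><param name="data" value=""/><param name="jar">',
)


def literal_signature(payload: str, signature: str) -> bool:
    """Exploit-signature engine: exact substring match."""
    return signature in payload


# HTML-style, block and line comments; whitespace around punctuation.
COMMENT_RE = re.compile(r"<!--.*?-->|/\*.*?\*/|//[^\n]*", re.S)
PUNCT_WS_RE = re.compile(r"\s*([;=(){}\[\],.+])\s*")
# Tokens that carry meaning and must not be renamed (constructed, deliberately short).
JS_FIXED = {
    "var", "let", "const", "function", "return", "if", "else", "for", "while", "new",
    "this", "typeof", "in", "do", "break", "continue", "true", "false", "null",
    "unescape", "escape", "String", "Array", "Math", "document", "window", "eval",
    "length", "fromCharCode", "substring", "push",
}
# String literals are matched first so their contents are never treated as identifiers.
TOKEN_RE = re.compile(r'"(?:[^"\\]|\\.)*"|\'(?:[^\'\\]|\\.)*\'|[A-Za-z_$][A-Za-z0-9_$]*')


def normalize_js(src: str) -> str:
    """Remove comments and whitespace noise so an inserted comment changes nothing."""
    src = COMMENT_RE.sub("", src)
    src = PUNCT_WS_RE.sub(r"\1", src)
    return re.sub(r"\s+", " ", src).strip()


def canonicalize_identifiers(src: str) -> str:
    """Alpha-rename user identifiers in order of first appearance ($v0, $v1, ...)."""
    names: Dict[str, str] = {}

    def repl(m: "re.Match[str]") -> str:
        tok = m.group(0)
        if tok[0] in "\"'" or tok in JS_FIXED:
            return tok
        return names.setdefault(tok, f"$v{len(names)}")

    return TOKEN_RE.sub(repl, src)


def structural_fingerprint(src: str) -> str:
    """Hash of the normalized, alpha-renamed script: stable under both JS mutations."""
    return hashlib.sha256(canonicalize_identifiers(normalize_js(src)).encode()).hexdigest()


APPLET_RE = re.compile(r"<applet\b([^>]*)>", re.I)
ATTR_RE = re.compile(r'([A-Za-z-]+)\s*=\s*"([^"]*)"')


def hidden_jar_applet(html: str) -> bool:
    """Behavioral check: a 1x1 applet that loads a .jar, whatever archive or class it names."""
    for m in APPLET_RE.finditer(html):
        attrs = {k.lower(): v for k, v in ATTR_RE.findall(m.group(1))}
        if (attrs.get("archive", "").lower().endswith(".jar")
                and attrs.get("width") == "1" and attrs.get("height") == "1"):
            return True
    return False


def evaluate() -> Dict[str, Dict[str, bool]]:
    """Does each detector still fire on the mutated half of every pair?"""
    results: Dict[str, Dict[str, bool]] = {}
    for name, (original, mutated) in {"comment": COMMENT_PAIR, "rename": RENAME_PAIR}.items():
        results[name] = {
            "signature_hits_mutation": literal_signature(mutated, original),
            "structural_hits_mutation": structural_fingerprint(mutated) == structural_fingerprint(original),
        }
    original, mutated = APPLET_PAIR
    results["applet"] = {
        "signature_hits_mutation": literal_signature(mutated, 'code="msf.x.Exploit.class"'),
        "structural_hits_mutation": hidden_jar_applet(original) and hidden_jar_applet(mutated),
    }
    return results


if __name__ == "__main__":
    for name, r in evaluate().items():
        print(f"{name:8s} signature: {r['signature_hits_mutation']!s:5s} structural: {r['structural_hits_mutation']}")
```

In all three pairs the literal signature is silent on the mutated sample while the structural check still fires; the fingerprint approach is only as good as its normalization, so in practice it is one layer beside protocol and shellcode heuristics, not a replacement for them.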
IBM X-Force® Research and Development: Expert analysis and data sharing on the global threat landscape
The IBM X-Force Mission
Monitor and evaluate the rapidly changing threat landscape
Research new attack techniques and develop protection for tomorrow’s security challenges
Educate our customers and the general public
Integrate and distribute Threat Protection and Intelligence to make IBM solutions smarter
Vulnerability Protection
IP Reputation
Anti-Spam
Malware Analysis
Web Application Control
URL / Web Filtering
Zero-day Research
IBM Security Network Protection XGS
IBM Trusteer and X-Force integration
IP Reputation Data
IBM Threat Intelligence from 270 Million+ Endpoints
Cloud-based Threat, Malware and Fraud Intelligence
Layer 7 Flow Data to QRadar
Offense-blocking from QRadar
Improved Intelligence and Security through QRadar integration
Send data flows to QRadar as well as receive quarantine commands
Detect abnormal activity through network flow data generated through XGS
Identify application misuse via user and application information
Save money by reducing the need for a separate flow generation appliance
Make QRadar Intelligence actionable by leveraging the XGS to block in-progress attacks
Reduce response time by initiating blocking within the QRadar console to stop threats quickly
IBM Intelligent Threat Protection: A dynamic, integrated system to disrupt the lifecycle of advanced attacks and prevent loss
Open Integrations Global Threat Intelligence
Ready for IBM Security Intelligence Ecosystem
IBM Security Network Protection XGS
Smarter Prevention Security Intelligence
IBM EmergencyResponse Services
Continuous Response
IBM X-Force Threat Intelligence
• Leverage threat intelligence from multiple expert sources
• Prevent malware installation and disrupt malware communications
• Prevent remote network exploits and limit the use of risky web applications
• Discover and prioritize vulnerabilities
• Correlate enterprise-wide threats and detect suspicious behavior
• Retrace full attack activity, search for breach indicators and guide defense hardening
• Assess impact and plan strategically and leverage experts to analyze data and contain threats
• Share security context across multiple products
• 100+ vendors, 400+ products
Trusteer Apex Endpoint Malware Protection
IBM Security QRadar Security Intelligence
IBM Security QRadar Incident Forensics
IBM Guardium Data Activity Monitoring
• Prevent unauthorized data access or leaks to help ensure data integrity
IBM BigFix
• Automate and manage continuous security configuration policy compliance
XGS provides the protection needed for today’s threats
Guard against mutated threats: By protecting the vulnerability, not looking for the exploit
Protect against zero-day vulnerabilities: Through advanced behavioral techniques
Fight malware: Disrupt the attack chain including integration with Trusteer Apex and leading malware sandboxes
Protect users: Limit access to phishing messages, while blocking malicious links, drive-by downloads, and file attachments
Integrates seamlessly with QRadar: Send Layer 7 flow data to QRadar and receive quarantine commands
IBM Security: Delivering intelligence, integration and expertise across a comprehensive framework
Broadest and deepest coverage across all security domains
Worldwide research, development, and security experts
Award-winning global threat research
Intelligence. Integration. Expertise.
133 countries where IBM delivers managed security services
20 industry analyst reports rank IBM Security as a LEADER
TOP 3 enterprise security software vendor in total revenue
10K clients protected including…
24 of the top 33 banks in Japan, North America, and Australia
Learn more about IBM Security
Visit our web page IBM.com/Security
Watch our videos: IBM Security YouTube Channel
View upcoming webinars & blogs: SecurityIntelligence.com
Follow us on Twitter: @ibmsecurity
Questions
© Copyright IBM Corporation 2015. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind, express or implied. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, these materials. Nothing contained in these materials is intended to, nor shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software. References in these materials to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates. Product release dates and / or capabilities referenced in these materials may change at any time at IBM’s sole discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any way. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service marks of others.
Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed, misappropriated or misused or can result in damage to or misuse of your systems, including for use in attacks on others. No IT system or product should be considered completely secure and no single product, service or security measure can be completely effective in preventing improper use or access. IBM systems, products and services are designed to be part of a lawful, comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective. IBM DOES NOT WARRANT THAT ANY SYSTEMS, PRODUCTS OR SERVICES ARE IMMUNE FROM, OR WILL MAKE YOUR ENTERPRISE IMMUNE FROM, THE MALICIOUS OR ILLEGAL CONDUCT OF ANY PARTY.
THANK YOU
www.ibm.com/security
Legal notices and disclaimers
Information concerning non-IBM products was obtained from the suppliers of those products, their published announcements or other publicly available sources. IBM has not tested those products in connection with this publication and cannot confirm the accuracy of performance, compatibility or any other claims related to non-IBM products. Questions on the capabilities of non-IBM products should be addressed to the suppliers of those products. IBM does not warrant the quality of any third-party products, or the ability of any such third-party products to interoperate with IBM’s products. IBM EXPRESSLY DISCLAIMS ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
The provision of the information contained herein is not intended to, and does not, grant any right or license under any IBM patents, copyrights, trademarks or other intellectual property right.
Other company, product, or service names may be trademarks or service marks of others. A current list of IBM trademarks is available at “Copyright and trademark information” www.ibm.com/legal/copytrade.shtml
Copyright © 2015 by International Business Machines Corporation (IBM). No part of this document may be reproduced or transmitted in any form without written permission from IBM.
U.S. Government Users Restricted Rights – Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM.
Information in these presentations (including information relating to products that have not yet been announced by IBM) has been reviewed for accuracy as of the date of initial publication and could include unintentional technical or typographical errors. IBM shall have no responsibility to update this information. THIS document is distributed "AS IS" without any warranty, either express or implied. In no event shall IBM be liable for any damage arising from the use of this information, including but not limited to, loss of data, business interruption, loss of profit or loss of opportunity.
IBM products and services are warranted according to the terms and conditions of the agreements under which they are provided.
Any statements regarding IBM’s future direction, intent or product plans are subject to change or withdrawal without notice. Performance data contained herein was generally obtained in controlled, isolated environments. Customer examples are presented as illustrations of how those customers have used IBM products and the results they may have achieved. Actual performance, cost, savings or other results in other operating environments may vary. References in this document to IBM products, programs, or services do not imply that IBM intends to make such products, programs or services available in all countries in which IBM operates or does business.
Workshops, sessions and associated materials may have been prepared by independent session speakers, and do not necessarily reflect the views of IBM. All materials and discussions are provided for informational purposes only, and are neither intended to, nor shall constitute legal or other guidance or advice to any individual participant or their specific situation.
It is the customer’s responsibility to ensure its own compliance with legal requirements and to obtain advice of competent legal counsel as to the identification and interpretation of any relevant laws and regulatory requirements that may affect the customer’s business and any actions the customer may need to take to comply with such laws. IBM does not provide legal advice or represent or warrant that its services or products will ensure that the customer is in compliance with any law.