
IBM redefines its strategy and approach to Advanced Persistent Threats (APT) - Webinar 28/1/2016


Page 1: IBM redefines its strategy and approach to Advanced Persistent Threats (APT) - Webinar 28/1/2016

© 2015 IBM Corporation

IBM redefines its strategy and approach to Advanced Persistent Threats (APT)

Webinar - 28 January 2016

Luigi Del Grosso, Endpoint & Threat
Fabrizio Patriarca, Security Architect

If the web streaming connection does not work correctly, use the following traditional dial-in numbers: 800-975100, 02-00621263 - Meeting 80326520

IBM Security

Advanced Persistent Threat

Page 2

APT and Targeted Attack Methods Evolve Quickly

1. Advanced evasive malware bypasses security controls

2. Credentials are exposed through phishing and 3rd party breach

3. Compromised endpoints and stolen credentials enable access to enterprise networks, systems and data

Despite existing controls, employee endpoints are compromised and are used as pivot points into the enterprise network.

Figure labels: Compromised Credentials; Vulnerability Exploit; Malware Infection; Malicious Communication; Malicious Activity / Data Access; login prompt (Admin / **********)

A $1 Billion APT Attack – Carbanak May Just Be the Biggest Cyber Heist Ever

Page 3

Criminals attack the weak link

Figure labels: Cyber Criminals; Employees / Contractors / Partners; Customer Data and Intellectual Property; path labels: Easy, Easy, Difficult

Page 4

APTs and Targeted Attacks

Figure labels: Credentials Theft (****); Phishing Site (WWW); Exploit Site (WWW); Malware Infection; Weaponized Attachment; Malicious Link; Watering Hole Attack; Spear Phishing; Exploit; Data Exfiltration

1:500 PCs infected with advanced evasive APT malware! (IBM Trusteer Research)

Page 5

IBM Security Trusteer Apex Advanced Malware Protection
Preemptive, multi-layered protection against advanced malware and credentials theft

Effective Real-Time Protection: using multiple layers of defense to break the threat lifecycle

Security Analysis and Management Services provided by IBM Trusteer security experts

Zero-day Threat Protection: leveraging a positive behavior-based model of trusted application execution

Trusteer Apex

Page 6

Dynamic intelligence

Crowd-sourced expertise in threat research and dynamic intelligence

Global Threat Research and Intelligence

• Combines the renowned expertise of X-Force with Trusteer malware research

• Catalog of 70K+ vulnerabilities, 17B+ web pages, and data from 100M+ endpoints

• Intelligence databases dynamically updated on a minute-by-minute basis

Real-time sharing of Trusteer intelligence (NEW)

Figure labels: Threat Intelligence; Malware Analysis; Exploit Research; Exploit Triage; Malware Tracking; Zero-day Research

Page 7

Apex multi-layered defense architecture

Threat and Risk Reporting: Vulnerability Mapping and Critical Event Reporting

Advanced Threat Analysis and Turnkey Service

Global Threat Research and Intelligence: global threat intelligence delivered in near-real time from the cloud

Credential Protection
• Alert and prevent phishing and reuse on non-corporate sites

Exploit Chain Disruption
• Prevent infections via exploits
• Zero-day defense by controlling exploit-chain choke point

Advanced Malware Detection and Mitigation
• Mitigates mass-distributed advanced malware infections
• Cloud based file inspection for legacy threats

Malicious Communication Prevention
• Block malware communication
• Disrupt C&C control
• Prevent data exfiltration

Lockdown for Java
• Prevent high-risk actions by malicious Java applications

Page 8

Breaking the Threat Lifecycle

Phase labels on the diagram: Pre-exploit; Exploit; Data exfiltration

Stages of the attack progression: Delivery of weaponized content; Exploitation of app vulnerability; Malware delivery; Malware persistency; Execution and malicious access to content; Establish communication channels; Data exfiltration

Page 9

Attack Progression vs. No. of Types

(Same threat lifecycle diagram as page 8, with the number of distinct attack artefacts at each stage and the traditional control for that stage overlaid.)

Destinations (C&C traffic detection): Endless

Unpatched and zero-day vulnerabilities (patching): Many

Weaponized content (IPS, sandbox): Endless

Malicious files (antivirus, whitelisting): Endless

Malicious behavior activities (HIPS): Many

Page 10

Attack Progression vs. No. of Types: Strategic Chokepoints

(Same diagram as page 9, with three "Strategic Chokepoint" markers added at the stages whose number of types is finite, and the Apex layers that sit on those chokepoints.)

Apex layers shown: Exploit Chain Disruption; Lockdown for Java; Malicious Communication Blocking

Page 11

Attack Progression vs. No. of Types: Full Apex Coverage

(Same diagram as page 10, with the remaining Apex layers added.)

Apex layers shown: Exploit Chain Disruption; Lockdown for Java; Malicious Communication Blocking; Advanced Malware Prevention; Endpoint Vulnerability Reporting; Credential Protection

Page 12

Exploit chain disruption

Disrupt zero day attacks without prior knowledge of the exploit or vulnerability

• Correlate application state with post-exploit actions
• Apply allow / block controls across the exploit chain

Figure labels: Evaluate application states (Application states); Monitor post-exploit actions (Exploit propagation); Indicators: Write files, Breach other programs, Alter registry, Other breach methods
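The slide describes the technique only as "correlate application state with post-exploit actions". The following is an added example of what that correlation looks like as code; it is not IBM or Trusteer code. It assumes a hypothetical endpoint sensor that reports per-process events as dicts (keys pid, app, event, origin, target) and it classifies three actions as post-exploit indicators. The point it shows is that the same action is allowed in a benign application state and blocked when the application is rendering untrusted content, so no knowledge of the specific exploit is needed.

```python
"""Exploit-chain disruption as state correlation.

Added example, not IBM/Trusteer code. Assumes a hypothetical endpoint sensor
that reports per-process events as dicts: {"pid", "app", "event", ...}.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Actions that are legitimate for a reader or browser in general, but are the
# classic next step after a successful exploit when they happen while the
# application is rendering content from an untrusted origin (hypothetical names).
POST_EXPLOIT_ACTIONS = {"write_executable", "spawn_process", "alter_registry_run_key"}


@dataclass
class AppState:
    app: str
    rendering_untrusted: bool = False        # currently parsing external content?
    untrusted_origin: Optional[str] = None   # where that content came from
    blocked: List[Tuple[str, Optional[str], Optional[str]]] = field(default_factory=list)


class ExploitChainMonitor:
    def __init__(self) -> None:
        self.states: Dict[int, AppState] = {}

    def handle(self, ev: dict) -> str:
        """Return "allow" or "block" for one sensor event."""
        st = self.states.setdefault(ev["pid"], AppState(app=ev["app"]))
        kind = ev["event"]
        if kind == "open_content":
            # Application state changes: local files are trusted, anything that
            # arrived over the network or as an attachment is not.
            st.rendering_untrusted = ev["origin"] != "local"
            st.untrusted_origin = ev["origin"] if st.rendering_untrusted else None
            return "allow"
        if kind == "close_content":
            st.rendering_untrusted = False
            st.untrusted_origin = None
            return "allow"
        if kind in POST_EXPLOIT_ACTIONS and st.rendering_untrusted:
            # Correlation: the action is fine in a benign state, but a reader that
            # drops an executable while rendering an attachment is exhibiting
            # exploit propagation, whatever the underlying exploit was.
            st.blocked.append((kind, ev.get("target"), st.untrusted_origin))
            return "block"
        return "allow"


def replay(events: List[dict]) -> List[str]:
    """Run an event stream through a fresh monitor and return the decisions."""
    mon = ExploitChainMonitor()
    return [mon.handle(ev) for ev in events]


# Constructed sample stream (not real telemetry).
SAMPLE_EVENTS = [
    {"pid": 1001, "app": "pdf_reader", "event": "open_content", "origin": "local"},
    {"pid": 1001, "app": "pdf_reader", "event": "spawn_process", "target": "updater.exe"},
    {"pid": 1001, "app": "pdf_reader", "event": "close_content"},
    {"pid": 1001, "app": "pdf_reader", "event": "open_content", "origin": "email_attachment"},
    {"pid": 1001, "app": "pdf_reader", "event": "write_executable", "target": "AppData/dropper.exe"},
    {"pid": 1001, "app": "pdf_reader", "event": "spawn_process", "target": "AppData/dropper.exe"},
    {"pid": 2002, "app": "browser", "event": "open_content", "origin": "https://site.example"},
    {"pid": 2002, "app": "browser", "event": "alter_registry_run_key", "target": "HKCU/.../Run"},
]

if __name__ == "__main__":
    for ev, decision in zip(SAMPLE_EVENTS, replay(SAMPLE_EVENTS)):
        print(f"{decision:5s} pid={ev['pid']} {ev['app']} {ev['event']}")
```

Running the stream gives allow for the first four events (the reader spawning its updater while no untrusted document is open is normal), block for the executable drop and the process spawn that follow the e-mail attachment, and block for the browser touching a Run key while rendering a remote page. A real agent would derive the state from many more signals, but the decision structure (state first, then action) is the same.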

Page 13

Lockdown for Java

Monitor and control high risk Java application actions

• Malicious activity is blocked while legitimate Java applications are allowed
• Trust for specific Java apps is granted by Trusteer / IT administrator

Figure labels (JVM): Malicious app – rogue Java app bypasses Java's internal controls; Allow low-risk activities, e.g., display, local calculation (Trusted app, Untrusted app); Monitor and control high-risk activities, e.g., write to file system, registry change (Trusted app, Untrusted app)

Page 14

Malicious communication blocking

Block suspicious executables that attempt to compromise other applications or open malicious communication channels

1. Assess process trust level
2. Identify process breach
3. Allow / block external communication

Figure labels: Malicious site; Legitimate site used as C&C; Direct user download; Pre-existing infection; External Network; Zombie process; Communication: PASS-THROUGH / DIRECT; Assess trust level; Identify application breach; Allow / block
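The three numbered steps above, worked through as an added example (not IBM or Trusteer code). It assumes hypothetical sensor calls: start() records a process with its assessed trust level, inject() records one process tampering with another, and connect() is consulted for each outbound connection. Both paths on the diagram are covered: a DIRECT connection from an untrusted process, and a PASS-THROUGH connection from a trusted "zombie" process that was breached. The malicious-host set stands in for a threat-intelligence feed and is constructed.

```python
"""Outbound communication control keyed on process trust.

Added example, not IBM/Trusteer code. start()/inject()/connect() stand in for
hypothetical endpoint sensor hooks.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

TRUSTED = "trusted"      # known-good, e.g. signed application on the allowlist
UNTRUSTED = "untrusted"  # e.g. direct user download, unknown binary, pre-existing infection

# Stand-in for a threat-intelligence feed of known C&C hosts (constructed).
MALICIOUS_HOSTS = {"c2.bad-example.net"}


@dataclass
class Process:
    pid: int
    name: str
    trust: str                          # step 1: assessed trust level
    parent: Optional[int] = None
    breached_by: Optional[int] = None   # step 2: pid of the process that compromised it


class CommGuard:
    def __init__(self) -> None:
        self.procs: Dict[int, Process] = {}

    def start(self, pid: int, name: str, trust: str, parent: Optional[int] = None) -> None:
        p = Process(pid, name, trust, parent)
        if parent is not None:
            par = self.procs[parent]
            # A trusted binary launched by an untrusted (or already breached)
            # process is treated as breached: the usual way a zombie is created.
            if par.trust != TRUSTED:
                p.breached_by = parent
            elif par.breached_by is not None:
                p.breached_by = par.breached_by
        self.procs[pid] = p

    def inject(self, src_pid: int, dst_pid: int) -> None:
        """Step 2: src wrote into dst or created a thread in it."""
        src = self.procs[src_pid]
        if src.trust != TRUSTED or src.breached_by is not None:
            self.procs[dst_pid].breached_by = src_pid

    def connect(self, pid: int, dest_host: str) -> Tuple[str, str]:
        """Step 3: allow/block one outbound connection, with the reason."""
        p = self.procs[pid]
        if dest_host in MALICIOUS_HOSTS:
            return "block", "destination is a known malicious host"
        if p.trust != TRUSTED:
            return "block", "direct: untrusted process"
        if p.breached_by is not None:
            return "block", f"pass-through: trusted process breached by pid {p.breached_by}"
        # A legitimate site can be used as C&C, so an allow here rests on the
        # process being trusted and intact, not on the destination's reputation.
        return "allow", "trusted, intact process"


def scenario() -> List[str]:
    """Constructed sequence reproducing the slide's cases; returns the decisions."""
    g = CommGuard()
    g.start(1, "browser.exe", TRUSTED)
    g.start(2, "invoice_viewer.exe", UNTRUSTED)              # direct user download
    out = [g.connect(1, "cdn.legit-example.com")[0],         # allow
           g.connect(2, "cdn.legit-example.com")[0]]         # block: direct
    g.inject(2, 1)                                           # malware breaches the browser
    out.append(g.connect(1, "cdn.legit-example.com")[0])     # block: pass-through
    g.start(3, "updater.exe", TRUSTED, parent=2)             # trusted binary spawned by malware
    out.append(g.connect(3, "update.legit-example.com")[0])  # block: inherited breach
    g.start(4, "mail_client.exe", TRUSTED)
    out.append(g.connect(4, "c2.bad-example.net")[0])        # block: destination
    return out


if __name__ == "__main__":
    print(scenario())
```

The same legitimate host is allowed for the intact browser and blocked for the browser once it has been injected into: the decision follows the process, which is what lets the control cover C&C traffic to sites that no reputation feed would flag.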

Page 15

Corporate Credentials Protection

Credential theft via phishing; corporate credential reuse

Submit: Allow
• Detect submission
• Validate destination

Figure labels: WWW; Legitimate corporate site; Enter Password (*******); Phishing site; Unauthorized legitimate site; Authorized site
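"Detect submission" and "validate destination" as an added example (not IBM or Trusteer code). It assumes a hypothetical browser hook that hands the agent the form's destination URL and the typed password; the agent keeps only an HMAC of the corporate password under a device-local key, so it can recognise the corporate credential without storing it. The authorized and known-legitimate domain sets are constructed. The destination check deliberately handles the two failure modes a naive string match gets wrong: a lookalike host that merely contains the corporate domain, and a URL that hides the real host behind userinfo.

```python
"""Corporate credential protection: detect submission, validate destination.

Added example, not IBM/Trusteer code. The browser hook, the domain lists and
the demo password/key are all hypothetical or constructed.
"""
import hashlib
import hmac
from urllib.parse import urlsplit

# Constructed policy data; in a deployment this comes from the admin console.
AUTHORIZED_DOMAINS = {"corp.example.com", "sso.example.com"}
# Stand-in for a reputation feed of well-known legitimate, non-corporate sites.
KNOWN_LEGITIMATE_DOMAINS = {"social.example.org"}


class CredentialGuard:
    def __init__(self, corporate_password: str, device_key: bytes) -> None:
        self._key = device_key
        self._reference = self._tag(corporate_password)   # never the password itself

    def _tag(self, password: str) -> bytes:
        return hmac.new(self._key, password.encode("utf-8"), hashlib.sha256).digest()

    def is_corporate_password(self, typed: str) -> bool:
        # Constant-time comparison: this runs on every password submission.
        return hmac.compare_digest(self._tag(typed), self._reference)


def host_of(url: str) -> str:
    """Host actually contacted; drops userinfo (user@), port and case."""
    return (urlsplit(url).hostname or "").rstrip(".").lower()


def is_authorized(host: str) -> bool:
    # Exact match or true subdomain. The leading dot in the suffix check is what
    # stops "corp.example.com.evil.test" from passing.
    return any(host == d or host.endswith("." + d) for d in AUTHORIZED_DOMAINS)


def check_submission(guard: CredentialGuard, url: str, typed_password: str) -> str:
    """Decision for one password submission: "allow" or "block:<reason>"."""
    if not guard.is_corporate_password(typed_password):
        return "allow"                      # not a corporate credential, nothing to protect
    host = host_of(url)
    if is_authorized(host):
        return "allow"                      # legitimate corporate site
    if host in KNOWN_LEGITIMATE_DOMAINS:
        return "block:credential-reuse"     # real site, but policy forbids reuse
    return "block:phishing"                 # unknown or lookalike destination


DEMO_PASSWORD = "Corp-Passw0rd!"                     # constructed
DEMO_KEY = b"device-local-key-placeholder"            # constructed placeholder


def demo_guard() -> CredentialGuard:
    return CredentialGuard(DEMO_PASSWORD, DEMO_KEY)


if __name__ == "__main__":
    g = demo_guard()
    for url in ["https://sso.example.com/login",
                "https://corp.example.com.evil.test/login",
                "https://corp.example.com@evil.test/login",
                "https://social.example.org/signin"]:
        print(check_submission(g, url, DEMO_PASSWORD), url)
```

One caveat worth stating for the design: the stored HMAC is only as strong as the protection of the device key, since anyone holding both the key and the tag can test password guesses offline. The reuse/phishing split also depends on the quality of the legitimate-site list; a host that is on neither list is reported as phishing, which is the safer default.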

Page 16

Threat and risk reporting, vulnerability mapping and critical event reporting

Identify risks from vulnerabilities and user behavior, help ensure compliance

Vulnerability reports: detailed reporting to visualize and understand which endpoints and apps are vulnerable to exploits

Corporate credential reports: reporting on which users are re-using credentials or are outside security policy guidelines

Incident reports: reporting on security incidents – exploits, suspicious communication, infections

Page 17

IBM is uniquely positioned to offer integrated protection
A dynamic, integrated system to disrupt the lifecycle of advanced attacks and prevent loss

Figure labels: Open Integrations; Global Threat Intelligence; Smarter Prevention; Security Intelligence; Continuous Response; Ready for IBM Security Intelligence Ecosystem; IBM Security Network Protection XGS; IBM Emergency Response Services; Trusteer Apex Endpoint Malware Protection; IBM Security QRadar Security Intelligence; IBM Security QRadar Incident Forensics; IBM Guardium Data Activity Monitoring

IBM X-Force Threat Intelligence
• Leverage threat intelligence from multiple expert sources

Product callouts on the diagram:
• Prevent malware installation and disrupt malware communications
• Prevent remote network exploits and limit the use of risky web applications
• Discover and prioritize vulnerabilities
• Correlate enterprise-wide threats and detect suspicious behavior
• Retrace full attack activity, search for breach indicators and guide defense hardening
• Assess impact and plan strategically and leverage experts to analyze data and contain threats
• Share security context across multiple products
• 100+ vendors, 400+ products

IBM Endpoint Manager
• Automate and manage continuous security configuration policy compliance

Page 18

Apex integration with the customer SIEM

The integration gives organizations full end-to-end visibility into a targeted attack, consolidating security event information from the targeted endpoints with data gathered from multiple enterprise security controls.

Correlate endpoint security events with multiple enterprise events for end-to-end visibility

Automate endpoint security event notification and response

Integrate with enterprise security controls for wide-spread protection

Enable integration with additional log management/SIEM solutions that support generic Syslog messages
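The slide says only that the integration supports "generic Syslog messages". The following added example (not the Apex event format and not IBM code) shows what a generic integration carries in practice: an endpoint event rendered as an RFC 5424 syslog line with structured data on the agent side, and the collector-side parser that turns it back into fields for correlation. The structured-data ID uses private enterprise number 32473, which RFC 5612 reserves for documentation; the event itself is constructed.

```python
"""Endpoint security events as generic RFC 5424 syslog.

Added example, not the Apex event format and not IBM code. Shows both sides
(agent formatter and collector parser) so a SIEM feed can be tested offline.
"""
import re
from datetime import datetime, timezone
from typing import Dict

FACILITY_LOCAL4 = 20
SEVERITY = {"critical": 2, "error": 3, "warning": 4, "notice": 5, "info": 6}
# Enterprise number 32473 is reserved for documentation (RFC 5612); a real
# deployment would use the vendor's registered number.
SD_ID = "endpointdemo@32473"

SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>1 (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) (?P<procid>\S+) "
    r"(?P<msgid>\S+) (?P<sd>-|\[(?:[^\]\\]|\\.)*\])(?: (?P<msg>.*))?$"
)
PARAM_RE = re.compile(r'(\w+)="((?:[^"\\]|\\.)*)"')


def _sd_escape(value: object) -> str:
    # RFC 5424 section 6.3.3: backslash, double quote and "]" must be escaped
    # inside a PARAM-VALUE, otherwise a file path or note breaks the message.
    return str(value).replace("\\", "\\\\").replace('"', '\\"').replace("]", "\\]")


def to_syslog(event: Dict, hostname: str = "endpoint01", app: str = "endpoint-agent") -> str:
    """Agent side: one structured event -> one RFC 5424 line."""
    pri = FACILITY_LOCAL4 * 8 + SEVERITY[event["severity"]]
    ts = event["time"].astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    params = " ".join(f'{k}="{_sd_escape(v)}"' for k, v in event["fields"].items())
    return f'<{pri}>1 {ts} {hostname} {app} - {event["type"]} [{SD_ID} {params}] {event["message"]}'


def parse_syslog(line: str) -> Dict:
    """Collector side: RFC 5424 line -> dict, undoing the structured-data escaping."""
    m = SYSLOG_RE.match(line)
    if not m:
        raise ValueError("not an RFC 5424 message: %r" % line)
    pri = int(m["pri"])
    fields: Dict[str, str] = {}
    if m["sd"] != "-":
        _, _, params = m["sd"][1:-1].partition(" ")
        for key, raw in PARAM_RE.findall(params):
            fields[key] = re.sub(r"\\(.)", r"\1", raw)
    return {"facility": pri // 8, "severity": pri % 8, "timestamp": m["ts"],
            "host": m["host"], "app": m["app"], "msgid": m["msgid"],
            "fields": fields, "message": m["msg"] or ""}


# Constructed event, shaped like something an exploit-chain layer might raise.
SAMPLE_EVENT = {
    "type": "EXPLOIT_BLOCK", "severity": "warning",
    "time": datetime(2016, 1, 28, 10, 0, 0, tzinfo=timezone.utc),
    "fields": {"pid": 1001, "app": "pdf_reader", "action": "write_executable",
               "target": "C:\\Users\\u\\AppData\\dropper.exe", "note": 'quoted "]" value'},
    "message": "post-exploit action blocked while rendering untrusted content",
}

if __name__ == "__main__":
    line = to_syslog(SAMPLE_EVENT)
    print(line)
    print(parse_syslog(line))
```

The escaping is the part integrations most often get wrong: a Windows path or a free-text note containing `]` silently truncates the structured-data block on the receiving side unless both ends apply the RFC rules, so the parser here is written to accept escaped characters and the formatter always emits them.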

Page 19

IBM Trusteer Apex and IBM BigFix

Extend BigFix ROI by stopping exploits before patches are available

Continuously monitor and protect endpoints
– Enforce secure configurations
– Deploy security patches
– Detect and mitigate advanced malware infections

Effectively respond to security incidents

Create the most robust enterprise endpoint security solution available!

Figure (IBM Trusteer Apex and IBM BigFix): Apex continuously protects in the window between threat and fix; Maintenance Patch: BigFix ensures it is quickly deployed on all endpoints; Apex identifies and mitigates malware infections in real-time, stops zero-day exploits; BigFix Incident Response quarantines infected machines; BigFix enforces secure configurations; Everyone goes back to work on higher value projects; Unscheduled Patch: BigFix ensures it is quickly deployed on all endpoints

Page 20

Why Apex

Credential protection

Exploit chain disruption

Malware detection and mitigation

Lockdown for Java

Malicious communication blocking

Low impact to IT security team

Low-footprint threat prevention

Exceptional turnkey service

Combines the renowned expertise of X-Force with Trusteer malware research

100,000,000+ endpoints collecting intelligence

Protection dynamically updated near real-time

Apex is redefining endpoint protection against advanced threats with a holistic approach

Advanced Multi-Layered Defense

Low Operational Impact

Dynamic Intelligence

Page 21

www.ibm.com/security

© Copyright IBM Corporation 2014. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind, express or implied. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, these materials. Nothing contained in these materials is intended to, nor shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software. References in these materials to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates. Product release dates and/or capabilities referenced in these materials may change at any time at IBM’s sole discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any way. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service marks of others.

Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed or misappropriated or can result in damage to or misuse of your systems, including to attack others. No IT system or product should be considered completely secure and no single product or security measure can be completely effective in preventing improper access. IBM systems and products are designed to be part of a comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective. IBM DOES NOT WARRANT THAT SYSTEMS AND PRODUCTS ARE IMMUNE FROM THE MALICIOUS OR ILLEGAL CONDUCT OF ANY PARTY.

IBM Internal and Business Partner Use Only