Stopping Advanced Attacks on their Onset: A Practical Look at Modern Day Prevention

© 2014 IBM Corporation

IBM Security

1© 2014 IBM Corporation

Stopping Advanced Attacks at their Onset:

A Practical Look at Modern Day Prevention

Paul Kaspian

Senior Product Marketing Manager

IBM Security Systems


IBM Security

2 © 2014 IBM Corporation2

We are in an era of continuous breachesAttackers are relentless, victims are targeted, and the damage toll is rising

Source:

IBM X-Force Threat Intelligence Quarterly – 1Q 2014

Operational

Sophistication

IBM X-Force declared

Year of the

Security Breach

Near Daily Leaks

of Sensitive Data

40% increase in reported data

breaches and incidents

Relentless Use

of Multiple Methods

500,000,000+ records were leaked, while the future

shows no sign of change

2011 2012 2013

Note: Size of circle estimates relative impact of incident in terms of cost to business.

2011 2012 2013

https://www14.software.ibm.com/webapp/iwm/web/signup.do?source=swg-WW_Security_Organic&S_PKG=ov21294&S_TACT=102PW99W


IBM Security

33

Increasing attack surface and threat sophistication

Increasing Number

of Vulnerabilities

Zero-day Attacks and Constantly

Mutating Threats

Multi-faceted Threats

and APTs

• Vulnerabilities increasing

• Overall attack surface is growing

• Patches cannot be instantly implemented or do not exist

• Well coordinated attacks by well coordinated teams

• Attackers move quickly

• Traditional security tools unable to detect or assess the extent of the breach

• Attacks constantly mutating to evade signatures

• Increasing number of zero-day exploits

Spear Phishing

Persistence

Backdoors

Designer Malware

Average cost of a breach is $5.9M

and compliance pressures continue to grow

Growth in Vulnerabilities1996 - 2013

Source: 2014 Cost of a Breach Study: United States, Ponemon Institute


IBM Security

44

Attackers Respond Extremely Quickly to New Vulnerabilities


IBM Security

55

Attackers Respond Extremely Quickly to New Vulnerabilities


IBM Security

66

Threats have

evolved…

…yet the majority

of security teams

are still using siloed,

discrete defenses

Are security teams up for the challenge?

Broad AttacksIndiscriminate malware, spam and DoS activity

Targeted AttacksAdvanced, persistent, organized,

and politically or financially motivated

o Build multiple perimeters

o Protect all systems

o Use signature-based methods

o Periodically scan for known threats

o Read the latest news

o Shut down systems

o Assume constant compromise

o Prioritize high-risk assets

o Use behavioral-based methods

o Continuously monitor activity

o Consume real-time threat feeds

o Gather, preserve, retrace evidence

Requiring a new

approach to protection…

Tactical ApproachCompliance-driven, Reactionary

Strategic ApproachIntelligence-driven, Continuous

New threats require new thinking, but most are defending against yesterday’s attacks


IBM Security

77

Open Integrations

Smarter Prevention Security Intelligence Continuous Response

Global Threat Intelligence

1 2 3

5 4

Ready for IBM Security

Intelligence Ecosystem

New integration with A10 Networks to decrypt SSL Traffic for incident forensics

NEW

IBM X-Force

Threat Intelligence

New virtual real-time sharing of Trusteer threat intelligence from 100M+ endpoints with X-Force

NEW

IBM Emergency

Response Services

IBM Security QRadar

Incident Forensics

In-line packet compression, data import facility and integrated SSL traffic decryption with A10

NEW

Increased global coverage and expertise & Available as Subscription via online

NEW

Trusteer Apex Endpoint

Malware Protection

IBM Security Network

Protection XGS

Threat Flow Visualization and Incident Analysis [Cloud-based File Inspection Feedback]

NEW

IBM XGS7100 with increased 20Gps+ throughput for high-performance datacenters

NEW

IBM Security QRadar

Security Intelligence

Master Console appliance for MSSPs, Greater QFlow collection and data burst handling

NEW

Threat Monitoring

and Intelligence Services

Managed SIEM enhancements, cyber threat intelligence

Introducing the IBM Threat Protection SystemPrevent, Detect and Respond


IBM Security


Exploit Disruption

Prevent malware installs

• Verify the state of applications

• Block exploit attempts used to deliver malware

Prevent mutated exploits

• Verify the state of network protocols

• Block unknown exploits with behavioral heuristics

Malware Quarantine

Prevent control channels

• Stop direct outbound malware communications

• Protect against process hijacking

Prevent active beaconing

• Stop malware and botnet control traffic with real-time reputation and SSL inspection

User Protection

Prevent malicious apps

• Block access to malicious websites

• Protect against web applicationmisuse

Prevent credential loss

• Block keyloggers

• Stop credential useon phishing sites

• Limit reuse of passwords

On the Endpoint

Trusteer Apex

Malware Protection

On the Network


Protection XGS

Focus on critical points in the attack chain with preemptive defenses on both the endpoint and network


IBM Security


Trusteer Apex

Preemptive, low-impact defense for enterprise endpoints

ADVANCED MULTI-LAYERED DEFENSEComprehensive endpoint defense against

advanced threats

DYNAMIC INTELLIGENCEAdvanced threat intelligence collected

from tens of millions of endpoints

LOW OPERATIONAL IMPACTLow overhead on IT / security teams,

transparent to end users

Trusteer

Apex


IBM Security


Trusteer Apex multi-layered defense architecture

Threat and Risk ReportingVulnerability Mapping and Critical Event Reporting

Advanced Threat Analysis and Turnkey Service

CredentialProtection

Exploit Chain Disruption

Malware Detection and

Mitigation

Malicious Communication

Prevention

Lockdownfor Java

Global Threat Research and IntelligenceGlobal threat intelligence delivered in near-real time from the cloud

• Prevent reuse on

non-corporate

sites

• Protect against

submission on

phishing sites

• Report on

credential usage

• Block anomalous

activity caused by

exploits

• Zero-day defense

by controlling

exploit chain

• Detection and

mitigation of

massively

distributed APTs

• Cloud-based

detection of

known threats

• Block malware

communication

• Disrupt command

and control

• Protects against

data exfiltration

• Block high-risk

actions by

malicious Java

applications

• Administer the

trust level

reducing user

disruption


IBM Security

1111

No

. o

f T

yp

es

Attack Progression

Data exfiltrationExploit

Deliveryof weaponized

content

Exploitationof app vulnerability

Malwaredelivery

Malware persistency

Execution and malicious access

to content

Establish communication

channels

Dataexfiltration

Controlling exploit-chain chokepoints

Pre-exploit

0011100101110100001011110001100011001101

Strategic Chokepoint



Fileinspection

Vulnerability assessment & reporting

Credentialprotection

Destinations (C&C traffic detection)

Endless

Unpatchedand zero-day vulnerabilities

(patching)

ManyWeaponized

content(IPS, sandbox)

Endless

Maliciousfiles

(antivirus, whitelisting)

Endless

Many

Maliciousbehavioractivities

(HIPs)

Javaexecution

Ways to infect: deliver persist

Ways to communicate out


IBM Security


IBM Security Network ProtectionEvolving protection to keep you Ahead of the Threat

IBM Security

Network

Protection

ADVANCED INTELLIGENCEPowered by XForce

global threat research

ZERO-DAYPROTECTIONProtects against knownand unknown attacks

BROAD COVERAGEProtects against a full

spectrum of attack techniques

?


IBM Security

1313

Providing protection beyond exploit matching

• Stays ahead of the threat with pre-emptive protection that stops things from breaking the window

• Looks for methods that can break the window

• Keeping up can be challenging

IBM protects the vulnerability Other products only block the exploits

IBM PROTECTION vs. OTHER PRODUCTS

? ? ?

VULNERABILITY vs. EXPLOIT

• Can be used to do something unintended

• Can be exploited in multiple ways

• Many different exploits can target a single vulnerability

• Not all exploits are publicly available, and mutation is common

A weakness in a system A method used to gain system entry


IBM Security

1414

IBM goes beyond pattern matching with a broad spectrum of vulnerability and exploit coverage

Web Injection Logic

Patented protection

against web attacks,e.g., SQL injection

and cross-site scripting

Exploit

Signatures

Attack-specific

pattern matching

Vulnerability

Decodes

Focused algorithms

for mutating threats

Application Layer

Heuristics

Proprietary algorithms

to block malicious use

Protocol Anomaly

Detection

Protection against misuse,

unknown vulnerabilities,

and tunneling across

230+ protocols

Shellcode

Heuristics

Behavioral protection

to block exploit payloads

Content

Analysis

File and document

inspection and

anomaly detection

Other IPS solutions

stop at pattern matching


IBM Security

1515

ShellshockCVE 2014-6271

MS IE Remote

ExploitCVE-2012-4781

Java JRE

Code

ExecutionCVE-2013-2465

Cisco ASA

Cross-Site

ScriptingCVE-2014-2120

Symantec Live

Update SQL

InjectionCVE-2014-1645

Behavioral-based detection blocks attacks that have never been seen before DisclosedIBM Protection

December 20126.8 years ahead

94 vulnerabilities covered

March 2013


March 2014November 2008

5.5 years ahead

8,500+ vulnerabilities covered

March 2014June 2007

6.9 years ahead

9,000+ vulnerabilities covered

2006 2014

5 months ahead

Cross_Site_Scripting

Java_Malicious_Applet

SQL_Injection

JavaScript_NOOP_SledApril 2006

October 2012

Sept 2014June 2007

7.3 years ahead


Shell_Command_Injection


IBM Security


IBM X-Force® Research and DevelopmentExpert analysis and data sharing on the global threat landscape

The IBM X-Force Mission

Monitor and evaluate the rapidly changing threat landscape

Research new attack techniques and develop protection for tomorrow’s security challenges

Educate our customers and the general public

Integrate and distribute Threat Protection and Intelligence to make IBM solutions smarter

VulnerabilityProtection

IPReputation

Anti-Spam

MalwareAnalysis

WebApplication

Control

URL / WebFiltering

Zero-dayResearch


IBM Security

1717

X-Force Provides Powerful Threat Intelligence to Improve Prevention

Coverage20,000+ devices

under contract

3,700+ managed

clients worldwide

15B+ events

managed per day

133 monitored

countries (MSS)

1,000+ security

related patents

100M+ customers protected

from

fraudulent transactions

Depth23B+ analyzed

web pages and images

7M+ spam and

phishing attacks daily

81K+ documented

vulnerabilities

860K+ malicious

IP addresses

1,000+ malware samples

collected daily

Millions of unique malware

samples


IBM Security

1818

Leverage threat intelligence with product integrations that draw upon human and machine-generated information

Global Threat Intelligence

X-Force Intelligence Network

Exploit

Triage

Malware

Tracking

Zero-day

Research

Real-time sharing of Trusteer intelligence

NEW

Phishing

Sites

URL/Web

Categories

IP/Domain

Reputation

• Combines the renowned expertise of

X-Force + Trusteer malware research

• Catalog of 80K+ vulnerabilities,17B+

web pages, and data from 100M+

endpoints

• Intelligence databases dynamically

updated on a minute-by-minute basis


IBM Security

1919


Protection XGS

IBM Trusteer and X-Force integration

IP Reputation Data

IBM Threat Intelligencefrom 100 Million+ Endpoints

Cloud-based Threat, Malwareand Fraud Intelligence


IBM Security

2020

For more information:

And visit us on SecurityIntelligence.com

IBM X-Force Threat Intelligence Reportshttp://www.ibm.com/security/xforce/

Website

ibm.com/security/threat-protection/

YouTube

youtube.com/user/IBMSecuritySolutions

Twitter@ibmsecurity

IBM X-Force Security Insights Blog

www.SecurityIntelligence.com/x-force

http://www.ibm.com/security/xforce/

ibm.com/security/threat-protection/

youtube.com/user/IBMSecuritySolutions

https://twitter.com/IBMSecurity

http://www.securityintelligence.com/x-force

http://blogs.iss.net/

http://blogs.iss.net/


IBM Security

21

www.ibm.com/security

© Copyright IBM Corporation 2014. All rights reserved. The information contained in these materials is provided for informational purposes

only, and is provided AS IS without warranty of any kind, express or implied. IBM shall not be responsible for any damages arising out of the use

of, or otherwise related to, these materials. Nothing contained in these materials is intended to, nor shall have the effect of, creating any

warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement

governing the use of IBM software. References in these materials to IBM products, programs, or services do not imply that they will be available in

all countries in which IBM operates. Product release dates and/or capabilities referenced in these materials may change at any time at IBM’s sole

discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any

way. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United

States, other countries or both. Other company, product, or service names may be trademarks or service marks of others.

Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response

to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed or misappropriated

or can result in damage to or misuse of your systems, including to attack others. No IT system or product should be considered completely secure

and no single product or security measure can be completely effective in preventing improper access. IBM systems and products are designed to

be part of a comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems,

products or services to be most effective. IBM DOES NOT WARRANT THAT SYSTEMS AND PRODUCTS ARE IMMUNE FROM THE

MALICIOUS OR ILLEGAL CONDUCT OF ANY PARTY.

http://www.ibm.com/security

Software

Stopping Advanced Attacks on their Onset: A Practical Look at Modern Day Prevention