IBM redefines its strategy and approach to Advanced Persistent Threats (APT) - webinar
Posted on 14-Apr-2017
© 2015 IBM Corporation
IBM redefines its strategy and approach to Advanced Persistent Threats (APT)
Webinar - 28 January 2016
Luigi Del Grosso, Endpoint & Threat; Fabrizio Patriarca, Security Architect
If the web streaming connection does not work properly, use the following traditional dial-in numbers: 800-975100, 02-00621263 - Meeting 80326520
IBM Security: Advanced Persistent Threat
APT and Targeted Attack Methods Evolve Quickly
1. Advanced evasive malware bypasses security controls
2. Credentials are exposed through phishing and 3rd-party breaches
3. Compromised endpoints and stolen credentials enable access to enterprise networks, systems and data
Despite existing controls, employee endpoints are compromised and are used as pivot points into the enterprise network.
[Figure: attack chain on the endpoint - compromised credentials, vulnerability exploit, malware infection, malicious communication, malicious activity and data access, ending with an admin credential]
A $1Billion APT Attack – Carbanak May Just Be the Biggest Cyber Heist Ever
Criminals attack the weak link
[Figure: the path from cyber criminals to customer data and intellectual property is labelled Difficult when taken directly and Easy when it goes through employees, contractors and partners]
APTs and Targeted Attacks
[Figure: spear phishing and watering hole attacks lead, via weaponized attachments, malicious links, phishing sites and exploit sites, to credentials theft, exploit, malware infection and data exfiltration]
1 in 500 PCs is infected with advanced evasive APT malware (IBM Trusteer Research)
IBM Security Trusteer Apex Advanced Malware Protection
Preemptive, multi-layered protection against advanced malware and credentials theft
• Effective Real-Time Protection: using multiple layers of defense to break the threat lifecycle
• Security Analysis and Management Services provided by IBM Trusteer security experts
• Zero-day Threat Protection: leveraging a positive behavior-based model of trusted application execution
Dynamic intelligence
Crowd-sourced expertise in threat research and dynamic intelligence
Global Threat Research and Intelligence
• Combines the renowned expertise of X-Force with Trusteer malware research
• Catalog of 70K+ vulnerabilities, 17B+ web pages, and data from 100M+ endpoints
• Intelligence databases dynamically updated on a minute-by-minute basis
• New: real-time sharing of Trusteer intelligence
[Figure: threat intelligence, malware analysis, exploit research, exploit triage, malware tracking, zero-day research]
Apex multi-layered defense architecture
Threat and Risk Reporting: vulnerability mapping and critical event reporting
Advanced Threat Analysis and Turnkey Service
• Credential Protection: alert on and prevent phishing and credential reuse on non-corporate sites
• Exploit Chain Disruption: prevent infections via exploits; zero-day defense by controlling the exploit-chain choke point
• Advanced Malware Detection and Mitigation: mitigates mass-distributed advanced malware infections; cloud-based file inspection for legacy threats
• Malicious Communication Prevention: block malware communication, disrupt C&C control, prevent data exfiltration
• Lockdown for Java: prevent high-risk actions by malicious Java applications
Global Threat Research and Intelligence: global threat intelligence delivered in near real time from the cloud
Breaking the Threat LifeCycle
Attack progression (phases: pre-exploit, exploit, data exfiltration):
1. Delivery of weaponized content
2. Exploitation of app vulnerability
3. Malware delivery
4. Malware persistency
5. Execution and malicious access to content
6. Establish communication channels
7. Data exfiltration

No. of types a conventional control has to recognize at each stage:
• Delivery of weaponized content: weaponized content (IPS, sandbox) - endless
• Exploitation of app vulnerability: unpatched and zero-day vulnerabilities (patching) - many
• Malware delivery and persistency: malicious files (antivirus, whitelisting) - endless
• Execution and malicious access to content: malicious behavior activities (HIPS) - many
• Establish communication channels, data exfiltration: destinations (C&C traffic detection) - endless

Strategic chokepoints, in order along the progression, where the number of types is bounded and Apex intervenes:
• Exploit Chain Disruption
• Lockdown for Java
• Malicious Communication Blocking
Additional layers applied across the lifecycle: Advanced Malware Prevention, Endpoint Vulnerability Reporting, Credential Protection.
Exploit chain disruption
Disrupt zero-day attacks without prior knowledge of the exploit or vulnerability
• Correlate application state with post-exploit actions
• Apply allow / block controls across the exploit chain
[Figure: application states are evaluated, exploit propagation and post-exploit actions (write files, breach other programs, alter registry, other breach methods) are monitored, and the combination yields the indicators]
Lockdown for Java
Monitor and control high-risk Java application actions
• Malicious activity is blocked while legitimate Java applications are allowed
• Trust for specific Java apps is granted by Trusteer / the IT administrator
[Figure: inside the JVM, low-risk activities (e.g., display, local calculation) are allowed for trusted and untrusted apps alike; high-risk activities (e.g., write to file system, registry change) are monitored and controlled: allowed for trusted apps, blocked for untrusted apps and for a rogue Java app that bypasses Java's internal controls]
Malicious communication blocking
Block suspicious executables that attempt to compromise other applications or open malicious communication channels
1. Assess process trust level
2. Identify process breach
3. Allow / block external communication
[Figure: a zombie process, originating from a malicious site, a direct user download or a pre-existing infection, reaches the external network either directly or by passing its communication through another application; the destination may be a legitimate site used as C&C]
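The three mechanisms on slides 12 to 14 (exploit chain disruption, Lockdown for Java, malicious communication blocking) all reduce to one decision loop: assess the subject's trust level, track its application state, and allow or block each action. The following is an added example that is not IBM Trusteer Apex code; the subject names, action names, the administrator trust list, the known-bad destination and the event stream are all constructed, and the risk split of actions follows slide 13.

```python
"""Added example (not IBM Trusteer Apex code): a toy endpoint policy engine
that applies the three controls described on slides 12-14 to one event
stream. Subject names, action names, the trust list and the events are all
constructed for this example."""
from dataclasses import dataclass

# Slide 13's split of application actions into low and high risk.
LOW_RISK = {"display", "local_calculation"}
HIGH_RISK = {"write_executable", "alter_registry_run_key",
             "inject_into_process", "spawn_shell"}
# Applications that routinely render attacker-supplied content (constructed).
CONTENT_RENDERERS = {"browser.exe", "reader.exe", "winword.exe"}


@dataclass
class Subject:
    """A process, or a Java app named 'java:<app-id>' running in the JVM."""
    name: str
    trust: str                       # trusted | known | untrusted | unknown
    rendering_content: bool = False  # application state used for correlation
    breached: bool = False           # set once a post-exploit action is seen


class PolicyEngine:
    def __init__(self, trusted, known_bad_destinations):
        self.trusted = set(trusted)                   # granted by the administrator
        self.known_bad = set(known_bad_destinations)  # from threat intelligence
        self.subjects = {}

    def subject(self, name):
        if name not in self.subjects:
            base = name.split(":", 1)[0]
            if name in self.trusted:
                trust = "trusted"
            elif base == "java":
                trust = "untrusted"  # Lockdown for Java: untrusted unless granted
            elif base in CONTENT_RENDERERS:
                trust = "known"
            else:
                trust = "unknown"
            self.subjects[name] = Subject(name, trust)
        return self.subjects[name]

    def decide(self, event):
        """Return 'allow' or 'block' for one event and update subject state."""
        subj = self.subject(event["subject"])
        action = event["action"]
        if action == "render_content":
            subj.rendering_content = True   # state only; nothing is alerted yet
            return "allow"
        if action in LOW_RISK:
            return "allow"
        if action in HIGH_RISK:
            if subj.trust == "trusted":
                return "allow"
            if subj.trust == "known" and not subj.rendering_content:
                return "allow"               # e.g. user-driven save, no content loaded
            # Exploit chain disruption: a content renderer taking a high-risk
            # action right after rendering untrusted content is the indicator.
            # Untrusted Java apps and unknown executables never get these.
            subj.breached = True
            return "block"
        if action == "connect_external":
            relay = event.get("on_behalf_of")
            if relay and self.subject(relay).breached:
                return "block"               # communication pass-through
            if subj.breached or subj.trust == "unknown":
                return "block"
            if event.get("destination") in self.known_bad:
                return "block"               # known C&C destination
            return "allow"
        return "block"                       # default deny for unmodelled actions


EVENTS = [  # constructed event stream
    {"subject": "browser.exe", "action": "render_content"},
    {"subject": "browser.exe", "action": "display"},
    {"subject": "browser.exe", "action": "write_executable"},
    {"subject": "browser.exe", "action": "connect_external",
     "destination": "cdn.example.net"},
    {"subject": "explorer.exe", "action": "connect_external",
     "destination": "cdn.example.net", "on_behalf_of": "browser.exe"},
    {"subject": "java:hr-portal", "action": "write_executable"},
    {"subject": "java:unknown-applet", "action": "local_calculation"},
    {"subject": "java:unknown-applet", "action": "alter_registry_run_key"},
    {"subject": "updater.exe", "action": "connect_external",
     "destination": "updates.example.com"},
    {"subject": "winword.exe", "action": "connect_external",
     "destination": "docs.example.com"},
    {"subject": "winword.exe", "action": "connect_external",
     "destination": "c2.example.org"},
]


def run_demo(events=EVENTS):
    engine = PolicyEngine(trusted={"explorer.exe", "java:hr-portal"},
                          known_bad_destinations={"c2.example.org"})
    return [(e["subject"], e["action"], engine.decide(e)) for e in events]


if __name__ == "__main__":
    for subject, action, verdict in run_demo():
        print(f"{verdict:5s} {subject:20s} {action}")
```

The point worth noticing is that no rule names an exploit or a destination for the browser case: the block comes from the combination of state (untrusted content was just rendered) and a post-exploit action, which is why the slide can claim protection without prior knowledge of the vulnerability. The pass-through case (a trusted process relaying for a breached one) is the reason trust alone is not enough to allow an outbound connection.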
Corporate Credentials Protection
• Credential theft via phishing
• Corporate credential reuse
[Figure: when a corporate password is entered and submitted, the submission is detected and the destination validated: allowed for the legitimate, authorized corporate site; flagged for a phishing site or an unauthorized legitimate site]
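The two steps on this slide, detect the submission and validate the destination, are shown below as an added example that is not IBM Trusteer code. The design assumption is that the endpoint never stores the corporate password in clear: it keeps a keyed fingerprint (HMAC-SHA256 under a per-device key) learned from a login to an authorized corporate site, and compares every later password-field submission against the fingerprints it holds. The hostnames, the device key and the submissions are constructed.

```python
"""Added example (not IBM Trusteer code): corporate credential protection as
the slide describes it - detect the submission, validate the destination.
Hostnames, the device key and the submissions are constructed."""
import hashlib
import hmac

AUTHORIZED_HOSTS = {"sso.example-corp.com", "mail.example-corp.com"}  # constructed
KNOWN_PHISHING_HOSTS = {"example-corp-login.com"}                    # constructed feed


def host_is_authorized(host, authorized=AUTHORIZED_HOSTS):
    """True for an authorized host or a true subdomain of one.

    A bare str.endswith check would accept sso.example-corp.com.evil.net
    and evilmail.example-corp.com; requiring the dot boundary does not.
    """
    host = host.lower().rstrip(".")
    return any(host == a or host.endswith("." + a) for a in authorized)


class CredentialGuard:
    def __init__(self, device_key, phishing_hosts=KNOWN_PHISHING_HOSTS):
        self.device_key = device_key          # per-endpoint secret, kept by the agent
        self.phishing_hosts = set(phishing_hosts)
        self.fingerprints = {}                # user -> HMAC-SHA256 of the password

    def _fingerprint(self, password):
        return hmac.new(self.device_key, password.encode("utf-8"),
                        hashlib.sha256).hexdigest()

    def enroll(self, user, password, host):
        """Learn a corporate credential, but only from an authorized login."""
        if not host_is_authorized(host):
            raise ValueError(f"refusing to enroll a credential submitted to {host}")
        self.fingerprints[user] = self._fingerprint(password)

    def on_submit(self, password, host):
        """Classify one password-field submission: (verdict, reason, user).

        Every enrolled fingerprint is checked, not just the typed user name,
        because a phishing form may ask for the password alone.
        """
        fp = self._fingerprint(password)
        owner = next((u for u, f in self.fingerprints.items()
                      if hmac.compare_digest(f, fp)), None)
        if owner is None:
            return ("allow", "not a corporate credential", None)
        if host_is_authorized(host):
            return ("allow", "authorized corporate site", owner)
        if host.lower().rstrip(".") in self.phishing_hosts:
            return ("block", "known phishing site", owner)
        return ("alert", "corporate credential reused on an unauthorized site", owner)


def run_demo():
    """Constructed submissions run through the guard."""
    guard = CredentialGuard(device_key=b"constructed-per-device-key")
    guard.enroll("alice", "Corr3ct-Horse-Battery", "sso.example-corp.com")
    submissions = [
        ("Corr3ct-Horse-Battery", "mail.example-corp.com"),
        ("Corr3ct-Horse-Battery", "example-corp-login.com"),
        ("Corr3ct-Horse-Battery", "forum.example.net"),
        ("Corr3ct-Horse-Battery", "sso.example-corp.com.evil.net"),
        ("a-different-password", "forum.example.net"),
    ]
    return [(host, *guard.on_submit(pw, host)) for pw, host in submissions]


if __name__ == "__main__":
    for host, verdict, reason, user in run_demo():
        print(f"{verdict:5s} {host:32s} {reason} ({user})")
```

Two caveats a deployment has to get right: the destination check must be done on the registrable host with a dot boundary (the lookalike `sso.example-corp.com.evil.net` above is classified as reuse, not as authorized), and the fingerprint store is only as safe as the device key, since anyone holding both can brute-force a weak password offline; the key therefore belongs in the agent's protected storage, not beside the fingerprints.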
Threat and risk reporting, vulnerability mapping and critical event reporting
Identify risks from vulnerabilities and user behavior, help ensure compliance
• Vulnerability reports: detailed reporting to visualize and understand which endpoints and apps are vulnerable to exploits
• Corporate credential reports: reporting on which users are re-using credentials or are outside security policy guidelines
• Incident reports: reporting on security incidents (exploits, suspicious communication, infections)
IBM is uniquely positioned to offer integrated protection
A dynamic, integrated system to disrupt the lifecycle of advanced attacks and prevent loss
Pillars: Smarter Prevention, Security Intelligence, Continuous Response, Open Integrations, Global Threat Intelligence
• IBM X-Force Threat Intelligence: leverage threat intelligence from multiple expert sources
• Trusteer Apex Endpoint Malware Protection: prevent malware installation and disrupt malware communications
• IBM Security Network Protection XGS: prevent remote network exploits and limit the use of risky web applications
• IBM Security QRadar Security Intelligence: discover and prioritize vulnerabilities; correlate enterprise-wide threats and detect suspicious behavior
• IBM Security QRadar Incident Forensics: retrace full attack activity, search for breach indicators and guide defense hardening
• IBM Emergency Response Services: assess impact, plan strategically and leverage experts to analyze data and contain threats
• Ready for IBM Security Intelligence Ecosystem: share security context across multiple products; 100+ vendors, 400+ products
• IBM Guardium Data Activity Monitoring
• IBM Endpoint Manager: automate and manage continuous security configuration policy compliance
Apex integration with the customer SIEM
The integration enables organizations to gain full end-to-end visibility into targeted attacks, consolidating security event information from targeted endpoints with data gathered from multiple enterprise security controls.
• Correlate endpoint security events with multiple enterprise events for end-to-end visibility
• Automate endpoint security event notification and response
• Integrate with enterprise security controls for widespread protection
• Enable integration with additional log management/SIEM solutions that support generic syslog messages
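What "correlate endpoint security events with multiple enterprise events" looks like in a SIEM rule, as an added example that is not IBM QRadar or Trusteer Apex code: syslog lines from an endpoint agent and from a web proxy are parsed, and an endpoint block of a destination followed by proxy traffic from the same client to that destination within a short window is raised as an incident (the block was bypassed by another process or path, so the host needs response rather than just a log entry). The message layout (a syslog header followed by key=value pairs), the application names `apex-agent` and `squid`, and every sample line are constructed stand-ins; the agent's real format is whatever it is configured to emit.

```python
"""Added example (not IBM QRadar or Trusteer Apex code): a SIEM-style rule
that parses syslog lines from an endpoint agent and a web proxy and
correlates them. The message layout and every sample line are constructed."""
import re
from datetime import datetime, timedelta

SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d+)>(?P<ts>\S+) (?P<host>\S+) (?P<app>\S+): (?P<body>.*)$")

SAMPLE_LINES = [  # constructed
    "<134>2016-01-28T10:02:11 ws-0413 apex-agent: event=malicious_communication "
    "action=block process=updater.exe dest=c2.example.org ip=10.0.0.5",
    "<134>2016-01-28T10:03:40 proxy01 squid: src=10.0.0.5 dst=c2.example.org "
    "method=POST status=200",
    "<134>2016-01-28T10:05:02 ws-0277 apex-agent: event=exploit_chain_disruption "
    "action=block process=browser.exe ip=10.0.0.9",
    "<134>2016-01-28T10:06:10 proxy01 squid: src=10.0.0.9 dst=docs.example.com "
    "method=GET status=200",
    "<134>2016-01-28T11:30:00 proxy01 squid: src=10.0.0.5 dst=c2.example.org "
    "method=POST status=200",
    "this line is not syslog and must be skipped",
]


def parse_syslog(line):
    """Return a record dict, or None when the line is not in the expected shape."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    rec["fields"] = dict(kv.split("=", 1)
                         for kv in rec.pop("body").split() if "=" in kv)
    return rec


def correlate(lines, window_minutes=10):
    """Endpoint 'block' with a destination, plus proxy traffic from the same
    client to that destination inside the window, becomes one incident."""
    window = timedelta(minutes=window_minutes)
    records = [r for r in map(parse_syslog, lines) if r]
    endpoint = [r for r in records
                if r["app"] == "apex-agent" and r["fields"].get("action") == "block"]
    proxy = [r for r in records if r["app"] == "squid"]
    incidents = []
    for e in endpoint:
        dest, ip = e["fields"].get("dest"), e["fields"].get("ip")
        if not dest:
            continue      # e.g. an exploit-chain block carries no destination
        hits = [p for p in proxy
                if p["fields"].get("src") == ip and p["fields"].get("dst") == dest
                and e["ts"] <= p["ts"] <= e["ts"] + window]
        if hits:
            incidents.append({
                "severity": "high", "host": e["host"], "ip": ip, "dest": dest,
                "process": e["fields"].get("process"),
                "endpoint_ts": e["ts"], "proxy_hits": len(hits),
                "summary": "destination blocked on the endpoint was still reached via the proxy",
            })
    return incidents


if __name__ == "__main__":
    for inc in correlate(SAMPLE_LINES):
        print(inc)
```

The proxy hit at 11:30 falls outside the ten-minute window and is not counted, which is the usual trade-off in such rules: widen the window and you catch slower beaconing at the cost of more pairs to review. The exploit-chain block on ws-0277 produces no incident on its own; it is the kind of endpoint-only event the slide's "automate notification" bullet covers.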
IBM Trusteer Apex and IBM BigFix
Extend BigFix ROI by stopping exploits before patches are available
Continuously monitor and protect endpoints:
– Enforce secure configurations
– Deploy security patches
– Detect and mitigate advanced malware infections
Effectively respond to security incidents
Create the most robust enterprise endpoint security solution available!
[Figure: timeline of the window between threat and fix]
• Apex continuously protects in the window between threat and fix: it identifies and mitigates malware infections in real time and stops zero-day exploits
• Maintenance patch: BigFix ensures it is quickly deployed on all endpoints
• Unscheduled patch: BigFix ensures it is quickly deployed on all endpoints
• BigFix Incident Response quarantines infected machines
• BigFix enforces secure configurations
• Everyone goes back to work on higher-value projects
Why Apex
Apex is redefining endpoint protection against advanced threats with a holistic approach
Advanced Multi-Layered Defense
• Credential protection
• Exploit chain disruption
• Malware detection and mitigation
• Lockdown for Java
• Malicious communication blocking
Low Operational Impact
• Low impact on the IT security team
• Low-footprint threat prevention
• Exceptional turnkey service
Dynamic Intelligence
• Combines the renowned expertise of X-Force with Trusteer malware research
• 100,000,000+ endpoints collecting intelligence
• Protection dynamically updated in near real time
www.ibm.com/security
© Copyright IBM Corporation 2014. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind, express or implied. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, these materials. Nothing contained in these materials is intended to, nor shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software. References in these materials to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates. Product release dates and/or capabilities referenced in these materials may change at any time at IBM’s sole discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any way. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service marks of others.
Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed or misappropriated or can result in damage to or misuse of your systems, including to attack others. No IT system or product should be considered completely secure and no single product or security measure can be completely effective in preventing improper access. IBM systems and products are designed to be part of a comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective. IBM DOES NOT WARRANT THAT SYSTEMS AND PRODUCTS ARE IMMUNE FROM THE MALICIOUS OR ILLEGAL CONDUCT OF ANY PARTY.
IBM Internal and Business Partner Use Only