ibm security network protection (xgs) advanced threat protection integration framework summary
DESCRIPTION
IBM Security Network Protection (XGS) Advanced Threat Protection Integration Framework Summary Full Details: http://ibm.biz/ISNP_ATP_API. Advanced Threat Protection ( ATP) Integration Framework. - PowerPoint PPT PresentationTRANSCRIPT
© 2012 IBM Corporation
IBM Security Systems
1© 2014 IBM Corporation
IBM Security Network Protection (XGS)Advanced Threat Protection Integration FrameworkSummary
Full Details: http://ibm.biz/ISNP_ATP_API
© 2014 IBM Corporation
IBM Security Systems
2
Advanced Threat Protection (ATP) Integration FrameworkATP Integration Framework is mechanism for IBM Security Network Protection (ISNP) to receive external alerts and act on these alerts using Quarantine
Two integrations methods User instigated via QRadar GUI Right-Click tool Automated via direct XML API on the ISNP Appliance
© 2014 IBM Corporation
IBM Security Systems
3
Advanced Threat Protection Policy
An alert will be mapped to one of five types
Compromise a successful breach of security, currently active within the environment. This could range from subversive human behavior to automated command and control exploits.
Reputation describes characteristics tied to an address or web URI and related to geography or observed content behavior.
Intrusion an instance of an in progress network attack attempt
Malware represents malicious software in flight on the network or at risk on a disk.
© 2014 IBM Corporation
IBM Security Systems
4
Advanced Threat Protection Policy (cont.)
Exposure/vulnerability represents an identified network weaknesses which, if successfully exploited, could result in compromises
• The classification of the alert into one of 3 severities–High–Medium–Low
© 2014 IBM Corporation
IBM Security Systems
5
Advanced Threat Protection Policy (cont.)
© 2014 IBM Corporation
IBM Security Systems
6
Web Security Appliance Uses sandboxing to execute and profile files to identify Command & Control (C&C) hosts Can monitor traffic and identify internal hosts that are compromised (through calls to known C&C sites)
Although Malware Detection systems can raise alerts, they are not enforcement devices
ISNP can provide the enforcement for Malware Detection
i
Sandbox Malware Detection Integration example
© 2014 IBM Corporation
IBM Security Systems
7
Malware Detection / ISNP Network Topology
© 2014 IBM Corporation
IBM Security Systems
8
Typical Use Cases
• There are three supported Quarantine use cases:
• Compromise: A machine infected with malware, transmitting data to a Command & Control Server represents a Compromised Host in an enterprise network.
• Reputation: A Command & Control Server contacted by a Compromised Host or a Web Server Hosting A Web Exploit represents a Malicious Server with a poor reputation.
• Malware: A Malware Object being transmitted over the network to a Target Host from a Hosting Server represents a Threat-In-Flight.
© 2014 IBM Corporation
IBM Security Systems
9
Event Log: Advanced Threat Events
© 2014 IBM Corporation
IBM Security Systems
10
Active Quarantines
© 2014 IBM Corporation
IBM Security Systems
11
IBM Security QRadar Right Click Integration with IBM Security Network Protection
© 2014 IBM Corporation
IBM Security Systems
12
QRadar “right click” Integration (source address)
“on the glass” integration
© 2014 IBM Corporation
IBM Security Systems
13
QRadar “right click” Integration (source address)
© 2014 IBM Corporation
IBM Security Systems
14
QRadar Advanced Threat Events
© 2014 IBM Corporation
IBM Security Systems
15
QRadar 'right click' Integration (destination port)
“on the glass” integration
© 2014 IBM Corporation
IBM Security Systems
16
QRadar 'right click' Integration (destination port)
© 2014 IBM Corporation
IBM Security Systems
17
QRadar Advanced Threat Events
© 2014 IBM Corporation
IBM Security Systems
18
ibm.com/security