PCTY 2012: Threat landscape and security intelligence, by Michael Andersson
Presentation from PCTY 2012 by Michael Andersson
X-Force 2011 Trend and Risk Report & Advanced Threat Protection Platform
© 2012 IBM Corporation
Optimizing the World’s Infrastructure
May 2012
Please note:
• IBM’s statements regarding its plans, directions, and intent are subject to change or withdrawal without notice at IBM’s sole discretion.
• Information regarding potential future products is intended to outline our general product direction and it should not be relied on in making a purchasing decision.
• The information mentioned regarding potential future products is not a commitment, promise, or legal obligation to deliver any material, code or functionality. Information about potential future products may not be incorporated into any contract. The development, release, and timing of any future features or functionality described for our products remains at our sole discretion.
• Performance is based on measurements and projections using standard IBM benchmarks in a controlled environment. The actual throughput or performance that any user will experience will vary depending upon many factors, including considerations such as the amount of multiprogramming in the user's job stream, the I/O configuration, the storage configuration, and the workload processed. Therefore, no assurance can be given that an individual user will achieve results similar to those stated here.
Agenda
• X-Force overview
• Highlights from the 2011 IBM X-Force Trend and Risk Report
– New attack activity
– Progress in internet security
– New challenges from mobile and cloud
• IBM Security Advanced Threat Protection Platform
– QRadar Security Intelligence
– IBM Security Threat Platform
The mission of the IBM X-Force® research and development team is to:
• Research and evaluate threat and protection issues
• Deliver security protection for today’s security problems
• Develop new technology for tomorrow’s security challenges
• Educate the media and user communities
X-Force Research
• 14B analyzed Web pages & images
• 40M spam & phishing attacks
• 54K documented vulnerabilities
• 13B security events daily
Provides specific analysis of:
• Vulnerabilities & exploits
• Malicious/Unwanted websites
• Spam and phishing
• Malware
• Other emerging trends
2011: Year of the security breach
Key Messages from the 2011 Trend Report
• New Attack Activity
– Rise in Shell Command Injection attacks
– Spikes in SSH Brute Forcing
– Rise in phishing based malware distribution and click fraud
• Progress in Internet Security
– Fewer exploit releases
– Fewer web application vulnerabilities
– Better patching
• The Challenge of Mobile and the Cloud
– Mobile exploit disclosures up
– Social Networking no longer fringe pastime
SQL injection attacks against web servers
Shell Command Injection attacks
SSH brute force activity
Explosion of phishing based malware distribution and click fraud
Mac malware
• 2011 has seen the most activity in the Mac malware world.
– Not only in volume compared to previous years, but also in functionality.
• In 2011, we started seeing Mac malware with functionalities that we’ve only seen before in Windows® malware.
Public exploit disclosures
• Total number of exploit releases down to a number not seen since 2006
– Also down as a percentage of vulnerabilities
Public exploits
Decline in web application vulnerabilities
• In 2011, 41% of security vulnerabilities affected web applications
– Down from 49% in 2010
– Lowest percentage seen since 2005
Mobile OS vulnerabilities & exploits
• Continued interest in Mobile vulnerabilities as enterprise users request a “bring your own device” (BYOD) strategy for the workplace
• Attackers finding these devices represent lucrative new attack opportunities
Social Networking – no longer a fringe pastime
• Attackers finding social networks ripe with valuable information they can mine to build intelligence about organizations and their staff:
– Scan corporate websites, Google, Google News
– Who works there? What are their titles?
– Create index cards with names and titles
– Search LinkedIn, Facebook, Twitter profiles
– Who are their colleagues?
– Start to build an org chart
– Who works with the information the attacker would like to target?
– What is their reporting structure?
– Who are their friends?
– What are they interested in?
– What are their work/personal email addresses?
Introducing IBM’s Advanced Threat Protection Platform
IBM Security Framework
Security Consulting, Managed Services, X-Force and IBM Research
IBM Security Portfolio
• QRadar SIEM
• QRadar Log Manager
• QRadar Risk Manager
• IBM Privacy, Audit and Compliance Assessment Services
People:
• Identity & Access Management Suite
• Federated Identity Manager
• Enterprise Single Sign-On
• Identity Assessment, Deployment and Hosting Services
Data:
• Guardium Database Security
• Optim Data Masking
• Key Lifecycle Manager
• Data Security Assessment Service
• Encryption and DLP Deployment
Applications:
• AppScan Source/Std. Edition
• DataPower Security Gateway
• Security Policy Manager
• Application Assessment Service
• AppScan OnDemand Software as a Service
IT Infrastructure – Operational Security Domains (Network, Endpoint):
• Network Intrusion Prevention
• Server and Virtualization Security
• QRadar Anomaly Detection / QFlow
• Managed Firewall, Unified Threat and Intrusion Prevention Services
• Endpoint Manager (BigFix)
• zSecure suite
• Penetration Testing Services
• Native Server Security (RACF, IBM systems)
IT GRC Analytics & Reporting – Enterprise Governance, Risk and Compliance Management:
• IBM OpenPages
• Algorithmics (recent acquisition)
• i2 Corporation (recent acquisition)
Advanced Threats: The sophistication of Cyber threats, attackers and motives is rapidly escalating
Chart: adversary plotted against motive over two decades
Motive axis: National Security; Monetary Gain; Espionage, Political Activism; Revenge; Curiosity
Adversary axis: Script-kiddies or hackers using tools, web-based “how-to’s”; Insiders, using inside information; Organized Crime, using sophisticated tools; Competitors, Hacktivists; Nation-state Actors, Targeted Attacks / Advanced Persistent Threat
Timeline: 1995 – 2005, 1st Decade of the Commercial Internet; 2005 – 2015, 2nd Decade of the Commercial Internet
IT Security is a board room discussion
• Business results: Sony estimates potential $1B long term impact – $171M / 100 customers*
• Supply chain: Epsilon breach impacts 100 national brands
• Legal exposure: TJX estimates $150M class action settlement in release of credit / debit card info
• Impact of hacktivism: Lulzsec 50-day hack-at-will spree impacts Nintendo, CIA, PBS, UK NHS, UK SOCA, Sony …
• Audit risk: Zurich Insurance PLC fined £2.275M ($3.8M) for the loss and exposure of 46K customer records
• Brand image: HSBC data breach discloses 24K private banking customers
QRadar Security Intelligence
Solutions for the Full Compliance and Security Intelligence Timeline
Context & Correlation Drive Deepest Insight
Solving Customer Challenges
Fully Integrated Security Intelligence
Log Management
• Turnkey log management
• SME to Enterprise
• Upgradeable to enterprise SIEM
SIEM
• Integrated log, threat, risk & compliance mgmt.
• Sophisticated event analytics
• Asset profiling and flow analytics
• Offense management and workflow
Risk Management
• Predictive threat modeling & simulation
• Scalable configuration monitoring and audit
• Advanced threat visualization and impact analysis
Network Activity & Anomaly Detection
• Network analytics
• Behavior and anomaly detection
• Fully integrated with SIEM
Network and Application Visibility
• Layer 7 application monitoring
• Content capture
• Physical and virtual environments
One Console Security
Built on a Single Data Architecture
IBM Security Threat Platform
IBM Security Network IPS: Addressing Today’s Evolving Threats
Why Vulnerability-based Research = Preemptive Security Approach
• Protecting against exploits is reactive
– Too late for many
– Variants undo previous updates
• Protecting against vulnerabilities and malicious behaviors is preemptive
– Stops threat at source
– Requires advanced R&D
• Why X-Force?
– One of the best-known commercial security research groups in the world
– IBM X-Force maintains one of the most comprehensive vulnerability databases in the world, dating back to the 1990s.
– X-Force constantly updates IBM’s Protocol Analysis Module, the engine inside IBM’s security solutions
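The difference between the reactive and preemptive approaches above is easiest to see in code. The following is an added illustration written for this page; it is not IBM's code and says nothing about how the Protocol Analysis Module works internally. It assumes a hypothetical protocol whose (imaginary) server copies a `name` header into a fixed 64-byte buffer without checking its length, and compares an exploit-signature detector, which keys on the bytes of one exploit sample, with a vulnerability-condition detector, which keys on the oversized field itself. The protocol, the buffer size, the signature and all sample traffic are constructed for the example.

```python
"""Reactive exploit signature vs. preemptive vulnerability check.

Added example for this page; not IBM's code and not the Protocol Analysis
Module's logic. The protocol, buffer size, signature and traffic are constructed.
"""
import re
from typing import Dict

# Assumption: the hypothetical server copies the 'name' header into a fixed
# 64-byte buffer without checking its length; that missing check is the vulnerability.
BUFFER_SIZE = 64

# Reactive detector: a signature written from the one exploit sample seen in the wild.
# It keys on that sample's own bytes (64 'A's followed by four 0x90 filler bytes),
# not on the condition that makes the server vulnerable.
EXPLOIT_SIGNATURE = re.compile(rb"name: A{64}\x90{4}")


def exploit_signature_match(request: bytes) -> bool:
    """Reactive: fires only when the traffic contains the known exploit bytes."""
    return EXPLOIT_SIGNATURE.search(request) is not None


def parse_headers(request: bytes) -> Dict[bytes, bytes]:
    """Minimal parser for the constructed 'Key: value' line format."""
    headers: Dict[bytes, bytes] = {}
    for line in request.split(b"\r\n"):
        key, sep, value = line.partition(b": ")
        if sep:
            headers[key.lower()] = value
    return headers


def vulnerability_condition_match(request: bytes) -> bool:
    """Preemptive: fires whenever the 'name' field would overflow the buffer,
    whatever bytes were put in it."""
    name = parse_headers(request).get(b"name", b"")
    return len(name) > BUFFER_SIZE


# Constructed sample traffic: a benign request, the exploit the signature was
# written from, and a trivially altered variant of that exploit.
SAMPLES: Dict[str, bytes] = {
    "benign": b"GET /x\r\nname: alice\r\n\r\n",
    "original_exploit": b"GET /x\r\nname: " + b"A" * 64 + b"\x90" * 4 + b"\xcc" * 8 + b"\r\n\r\n",
    "variant_exploit": b"GET /x\r\nname: " + b"B" * 70 + b"\xcc" * 8 + b"\r\n\r\n",
}


def evaluate(samples: Dict[str, bytes] = SAMPLES) -> Dict[str, Dict[str, bool]]:
    """Run both detectors over every sample and report which one fired."""
    return {
        label: {
            "signature": exploit_signature_match(req),
            "vulnerability": vulnerability_condition_match(req),
        }
        for label, req in samples.items()
    }


if __name__ == "__main__":
    for label, verdict in evaluate().items():
        print(f"{label:17s} signature={verdict['signature']!s:5s} vulnerability={verdict['vulnerability']}")
```

Run as a script, the benign request trips neither detector, the original exploit trips both, and the variant (different filler, same overflow) slips past the signature while the length check still catches it. That is the "variants undo previous updates" point from the slide: the signature needs a new update for every variant, the vulnerability check does not.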
IBM IPS Zero Day (Vuln/Exploit) Web App Protection
New Vulnerability or Exploit | Reported Date | Ahead of the Threat Since
Nagios expand cross-site scripting | 5/1/2011 | 6/7/2007
Easy Media Script go parameter XSS | 5/26/2011 | 6/7/2007
N-13 News XSS | 5/25/2011 | 6/7/2007
I GiveTest 2.1.0 SQL Injection | 6/21/2011 | 6/7/2007
RG Board SQL Injection | Published: 6/28/2011 | 6/7/2007
BlogiT PHP Injection | 6/28/2011 | 6/7/2007
IdevSpot SQL Injection (iSupport) | 2011-05-23 | 6/7/2007
2Point Solutions SQL Injection | 6/24/2011 | 6/7/2007
PHPFusion SQL Injection | 1/17/2011 | 6/7/2007
ToursManager PHP Script Blind SQLi | 2011-07-xx | 6/7/2007
Oracle Database SQL Injection | 2011-07-xx | 6/7/2007
LuxCal Web Calendar | 7/7/2011 | 6/7/2007
Apple Web Developer Website SQL | 2011-07-xx | 6/7/2007
MySQLDriverCS Cross-Param SQLi | 6/27/2011 | 6/7/2007
• IBM IPS Injection Logic Engine has stopped every large scale SQL injection or XSS attack day-zero.
– Asprox – reported 12/11/2008 – stopped 6/7/2007
– Lizamoon – reported 3/29/2011 – stopped 6/7/2007
– SONY (published) – reported May/June 2011 – stopped 6/7/2007
– Apple Dev Network – reported July 2011 – stopped 6/7/2007
IBM’s Preemptive Approach vs. Reactive Approach to address Threats
IBM Clients have typically been provided protection guidance prior to or within 24 hours of a vendor vulnerability disclosure being announced (89% of the time in 2010)
Chart: “Ahead of the Threat” – number of days IBM clients were provided protection guidance
Source: IBM X-Force
Network Security Product Lineup
• IBM Security Network Intrusion Prevention System: The core of any Intrusion Prevention strategy, IBM Security Network IPS appliances help to protect the network infrastructure from a wide range of attacks, up to 23 Gbps inspected throughput
• IBM Security Endpoint Defence: Focused on protecting individual assets on the network including servers and desktops from both internal and external threats
• IBM Security Virtual Server Protection: Virtual Server Protection is integrated with the hypervisor and provides visibility into intra-VM network traffic. Supports ESX 4.1 and 5.0 and 10Gb Ethernet
• IBM Security SiteProtector System: Centralized management for IBM Security intrusion prevention solutions that provides a single management point to control security policy, analysis, alerting and reporting
IBM’s Vision for Infrastructure Threat Protection – Roadmap
1Q12: Launched IBM Security Network IPS Powered by X-Force
• Meet signature sharing mandates (i.e. Government & Financial Institutions)
• IBM Hybrid protection
– Using X-Force Protocol Analysis with the ability to write or import custom Snort rules
• IBM Network IPS and Protocol Analysis Modules (PAM): core tenet of the Advanced Threat Protection Platform
Core Capabilities
• Unmatched Performance delivering 20Gbps+ of inspected throughput and 10GbE connectivity without compromising breadth and depth of security
• Evolving protection powered by world renowned X-Force research to stay “ahead of the threat”
• Reduced cost and complexity through consolidation of point solutions and integrations with other security tools
Graphic: “Locked in to Signature-only IPS? Custom Rules – Make the move to IBM Security Network IPS”
Extensible Protection with Protocol Analysis Module
Virtual Patch
– What It Does: Mitigates vulnerability exploitation independent of a software patch, and enables a responsible patch management process that can be adhered to without fear of a breach.
– Why Important: At the end of 2011, 36% of all vulnerabilities disclosed during the year had no vendor-supplied patches available to remedy the vulnerability.
Client-Side Application Protection
– What It Does: Protects end users against attacks targeting applications used every day such as Microsoft Office, Adobe PDF, Multimedia files and Web browsers.
– Why Important: In 2011, vulnerabilities which affect client-side applications represent one of the largest categories of all vulnerability disclosures.
Web Application Protection
– What It Does: Protects web applications against sophisticated application-level attacks such as SQL Injection, XSS (Cross-site scripting), PHP file-includes, CSRF (Cross-site request forgery), and Directory Traversals.
– Why Important: Expands security capabilities to meet both compliance requirements and threat evolution.
Threat Detection & Prevention
– What It Does: Detects and prevents entire classes of threats as opposed to a specific exploit or vulnerability.
– Why Important: Eliminates the need for constant signature updates. Protection includes proprietary technology such as Java bytecode exploit detection, Flash exploit detection, and Shell Code Heuristics (SCH) technology, which has an unbeatable track record of protecting against zero day vulnerabilities.
Data Security
– What It Does: Monitors, identifies, and provides control over unencrypted personally identifiable information (PII) and other confidential information for data awareness. Also provides capability to explore data flow through the network to help determine if any potential risks exist.
– Why Important: Flexible and scalable customized data search criteria; serves as a complement to data security strategy.
Application Control
– What It Does: Manages control of unauthorized applications and risks within defined segments of the network, such as ActiveX fingerprinting, Peer To Peer, Instant Messaging, and tunnelling.
– Why Important: Enforces network application and service access based on corporate policy and governance.
Ahead of the Threat extensible protection backed by the power of X-Force
2Q12: Launch the X-Force IP Reputation Feed for QRadar
• 2Q12: IBM X-Force powers QRadar with the X-Force IP Reputation Feed
– Providing insight into suspect entities on the internet
• 15+ Billion URLs Monitored and Classified on a continuous basis
• Information about Malicious IPs, Malware hosts, SPAM sources, Dynamic IPs & Anonymous Proxies
• Enhances QRadar correlation intelligence
2Q12: Launch QRadar Network Anomaly Detection Optimized for the Advanced Threat Protection Platform
Diagram: Visibility, Suspicious Behavior, Proactive Prevention, Protection; components SiteProtector, QRadar, Network IPS, Server, Desktop, Scanner, AppScan
• SiteProtector as core for command & control
• QRadar Network Anomaly Detection for enhanced analytics
• QRadar QFlow and VFlow collectors provide Network Awareness via deep packet inspection
• Integrated policy management & workflows within SiteProtector facilitate a rapid response to threat and more proactive visibility.
• QRadar Network Anomaly Detection
– An optimized version of QRadar which complements SiteProtector
• Greater visibility for SiteProtector/IPS customers
• Network flow capture with behavioral analysis and anomaly detection provides greater security intelligence:
– Traffic profiling for added protection from Low and Slow and zero-day threats
– Correlation of threat data, flow data and system and application vulnerabilities for enhanced incident analysis
• Supports identity sources to associate user activity with incidents
• Support for vulnerability data to correlate attack with vulnerable assets
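The IP Reputation Feed slide and the vulnerability-correlation bullets above describe joining three sources: IPS attack events, a reputation list of suspect source IPs, and vulnerability data about the targeted asset. The following added example, written for this page and not QRadar's or IBM's code, shows that correlation over constructed data: each IPS event is enriched with the reputation category of its source and with whether the target asset actually carries the weakness the attack targets, and the resulting offenses are ranked so that a known-bad source attacking a vulnerable asset comes first. The feed format, the asset inventory, the `key=value` event format and the scoring weights are all assumptions.

```python
"""Correlate IPS events with an IP reputation feed and asset vulnerability data.

Added example for this page; not QRadar's or IBM's code. All feeds, assets,
events and weights below are constructed assumptions for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Constructed reputation feed: suspect source IP -> category (assumed format)
REPUTATION_FEED: Dict[str, str] = {
    "198.51.100.7": "malware host",
    "203.0.113.9": "anonymous proxy",
}

# Constructed asset inventory: asset IP -> vulnerability classes it is exposed to
ASSET_VULNS: Dict[str, Set[str]] = {
    "10.0.0.5": {"sql_injection"},  # web server with an unpatched SQL injection flaw
    "10.0.0.6": set(),              # patched host: no known exposure
}

# Map IPS signature names to the vulnerability class each attack targets (assumed)
SIG_TO_VULN: Dict[str, str] = {"SQL_Injection": "sql_injection", "XSS": "xss"}

# Constructed IPS events in a simple key=value line format (assumed format)
IPS_EVENTS: List[str] = [
    "src=198.51.100.7 dst=10.0.0.5 sig=SQL_Injection",  # bad source, vulnerable target
    "src=192.0.2.1 dst=10.0.0.5 sig=SQL_Injection",     # unknown source, vulnerable target
    "src=203.0.113.9 dst=10.0.0.6 sig=SQL_Injection",   # bad source, patched target
    "src=192.0.2.2 dst=10.0.0.6 sig=XSS",               # unknown source, target not exposed
]

# Scoring weights (assumed): base score plus bonuses for a reputation hit and a vulnerable target
BASE_SCORE, REPUTATION_WEIGHT, VULNERABLE_WEIGHT = 1, 3, 5


@dataclass
class Offense:
    src: str
    dst: str
    signature: str
    reputation: Optional[str]   # feed category of the source, if listed
    target_vulnerable: bool     # does the target carry the weakness the signature targets?
    magnitude: int              # combined priority score


def parse_event(line: str) -> Dict[str, str]:
    """Split 'k=v k=v ...' into a dict; a malformed field raises rather than being guessed."""
    fields: Dict[str, str] = {}
    for token in line.split():
        key, sep, value = token.partition("=")
        if not sep:
            raise ValueError(f"malformed field {token!r} in event {line!r}")
        fields[key] = value
    return fields


def correlate(line: str,
              feed: Dict[str, str] = REPUTATION_FEED,
              assets: Dict[str, Set[str]] = ASSET_VULNS) -> Offense:
    """Enrich one IPS event with reputation and vulnerability context and score it."""
    ev = parse_event(line)
    reputation = feed.get(ev["src"])
    vuln_class = SIG_TO_VULN.get(ev["sig"])
    # An attack only counts as an exposure if the target actually carries that weakness
    vulnerable = vuln_class is not None and vuln_class in assets.get(ev["dst"], set())
    magnitude = BASE_SCORE
    if reputation is not None:
        magnitude += REPUTATION_WEIGHT
    if vulnerable:
        magnitude += VULNERABLE_WEIGHT
    return Offense(ev["src"], ev["dst"], ev["sig"], reputation, vulnerable, magnitude)


def rank_offenses(lines: List[str] = IPS_EVENTS) -> List[Offense]:
    """Correlate every event and return offenses highest-magnitude first."""
    return sorted((correlate(line) for line in lines), key=lambda o: o.magnitude, reverse=True)


if __name__ == "__main__":
    for offense in rank_offenses():
        print(offense)
```

With the constructed inputs the four events rank 9, 6, 4, 1: the event from a listed malware host against the unpatched web server is first, the same attack from an unlisted source is second because the target is still exposed, the attack from a listed proxy against the patched host is third, and the XSS attempt against a host with no such weakness is last. The two weights are deliberately unequal so that a confirmed exposure outranks a reputation hit alone, which is the ordering an analyst would want when working an offense queue.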
Summary
• Fewer public vulnerability disclosures and exploits in 2011 compared to 2010, but…
• We see more attack activity, with high profile breaches
• Attacks are getting more sophisticated
• Security Intelligence makes it easier to manage more data, with log and network flow correlation, configuration monitoring and risk and compliance management
• Launch of Advanced Threat Protection Platform to address new sophisticated attacks utilizing QRadar Security Intelligence
Acknowledgements, disclaimers and trademarks
© Copyright IBM Corporation 2012. All rights reserved.
The information contained in this publication is provided for informational purposes only. While efforts were made to verify the completeness and accuracy of the information contained in this publication, it is provided AS IS without warranty of any kind, express or implied. In addition, this information is based on IBM’s current product plans and strategy, which are subject to change by IBM without notice. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, this publication or any other materials. Nothing contained in this publication is intended to, nor shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software.
References in this publication to IBM products, programs or services do not imply that they will be made available in all countries in which IBM operates. Product release dates and/or capabilities referenced in this presentation may change at any time at IBM’s sole discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any way. Nothing contained in these materials is intended to, nor shall have the effect of, stating or implying that any activities undertaken by you will result in any specific sales, revenue growth, savings or other results. All statements regarding IBM future direction and intent are subject to change or withdrawal without notice, and represent goals and objectives only.
Information concerning non-IBM products and services was obtained from a supplier of those products and services. IBM has not tested these products or services and cannot confirm the accuracy of performance, compatibility, or any other claims related to non-IBM products and services. Questions on the capabilities of non-IBM products and services should be addressed to the supplier of those products and services.
All customer examples cited or described are presented as illustrations of the manner in which some customers have used IBM products and the results they may have achieved. Actual environmental costs and performance characteristics may vary by customer and will vary depending on individual customer configurations and conditions. Nothing contained in these materials is intended to, nor shall have the effect of, stating or implying that any activities undertaken by you will result in any specific sales, revenue growth or other results.
Prices are suggested U.S. list prices and are subject to change without notice. Starting price may not include a hard drive, operating system or other features. Contact your IBM representative or Business Partner for the most current pricing in your geography.
IBM, the IBM logo, ibm.com, Tivoli, the Tivoli logo, Tivoli Enterprise Console, Tivoli Storage Manager FastBack, and other IBM products and services are trademarks or registered trademarks of International Business Machines Corporation in the United States, other countries, or both. If these and other IBM trademarked terms are marked on their first occurrence in this information with a trademark symbol (® or ™), these symbols indicate U.S. registered or common law trademarks owned by IBM at the time this information was published. Such trademarks may also be registered or common law trademarks in other countries. A current list of IBM trademarks is available on the Web at "Copyright and trademark information" at ibm.com/legal/copytrade.shtml
Thank You - Q&A