PCTY 2012, Threat landscape and Security Intelligence v. Michael Andersson

Upload: ibm-danmark

Posted on 15-Jan-2015

DESCRIPTION

Presentation from PCTY 2012 by Michael Andersson

TRANSCRIPT

Page 1: PCTY 2012, Threat landscape and Security Intelligence v. Michael Andersson

X-Force 2011 Trend and Risk Report & Advanced Threat Protection Platform

© 2012 IBM Corporation

Optimizing the World’s Infrastructure, May 2012

Page 2

Please note:

• IBM’s statements regarding its plans, directions, and intent are subject to change or withdrawal without notice at IBM’s sole discretion.

• Information regarding potential future products is intended to outline our general product direction and it should not be relied on in making a purchasing decision.

• The information mentioned regarding potential future products is not a commitment, promise, or legal obligation to deliver any material, code or functionality. Information about potential future products may not be incorporated into any contract. The development, release, and timing of any future features or functionality described for our products remains at our sole discretion.

• Performance is based on measurements and projections using standard IBM benchmarks in a controlled environment. The actual throughput or performance that any user will experience will vary depending upon many factors, including considerations such as the amount of multiprogramming in the user's job stream, the I/O configuration, the storage configuration, and the workload processed. Therefore, no assurance can be given that an individual user will achieve results similar to those stated here.

Page 3

Agenda

• X-Force overview
• Highlights from the 2011 IBM X-Force Trend and Risk Report
  – New attack activity
  – Progress in internet security
  – New challenges from mobile and cloud
• IBM Security Advanced Threat Protection Platform
  – QRadar Security Intelligence
  – IBM Security Threat Platform

Page 4

The mission of the IBM X-Force® research and development team is to:

• Research and evaluate threat and protection issues
• Deliver security protection for today’s security problems
• Develop new technology for tomorrow’s security challenges
• Educate the media and user communities

X-Force Research

• 14B analyzed Web pages & images
• 40M spam & phishing attacks
• 54K documented vulnerabilities
• 13B security events daily

Provides specific analysis of:

• Vulnerabilities & exploits
• Malicious/unwanted websites
• Spam and phishing
• Malware
• Other emerging trends

Page 5

2011: Year of the security breach

Page 6

Key Messages from the 2011 Trend Report

• New Attack Activity
  – Rise in Shell Command Injection attacks
  – Spikes in SSH Brute Forcing
  – Rise in phishing based malware distribution and click fraud
• Progress in Internet Security
  – Fewer exploit releases
  – Fewer web application vulnerabilities
  – Better patching
• The Challenge of Mobile and the Cloud
  – Mobile exploit disclosures up
  – Social Networking no longer a fringe pastime

Page 7

SQL injection attacks against web servers

Page 8

Shell Command Injection attacks
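Slides 7 and 8 are charts of SQL injection and shell command injection activity and carry no code. The block below is an added example, not code from the IBM deck, showing each injection class as the vulnerable pattern beside its hardened form. Everything in it is constructed: the in-memory SQLite table and its rows, the hostname allow-list pattern (`HOSTNAME_RE`) and the sample inputs are assumptions of the example, and the shell command is built but never executed.

```python
"""
Added example (not from the IBM deck): SQL injection and shell command
injection, each as the vulnerable pattern beside its hardened form.
All data here is constructed; the database is an in-memory SQLite table.
"""
import re
import shlex
import sqlite3
from typing import List, Tuple

# ---------- SQL injection (slide 7) ----------

def make_db() -> sqlite3.Connection:
    """Constructed sample table of users; in-memory so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users (name, role) VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user"), ("carol", "user")])
    return conn

def find_user_vulnerable(conn: sqlite3.Connection, name: str) -> List[Tuple]:
    """Vulnerable: the untrusted value is spliced into the SQL text, so it can
    change the statement's structure instead of being treated as data."""
    sql = "SELECT id, name, role FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()

def find_user_hardened(conn: sqlite3.Connection, name: str) -> List[Tuple]:
    """Hardened: a parameterised query. The driver passes the value separately
    from the statement, so quotes and keywords inside it have no SQL meaning."""
    return conn.execute("SELECT id, name, role FROM users WHERE name = ?", (name,)).fetchall()

# ---------- Shell command injection (slide 8) ----------

# Hypothetical allow-list for a hostname argument (letters, digits, dot, hyphen).
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9.-]{1,253}$")

def ping_command_vulnerable(host: str) -> str:
    """Vulnerable: builds a single string for a shell (os.system or
    subprocess with shell=True). Shell metacharacters in `host` become
    extra commands. The string is returned, not run, to keep the example inert."""
    return "ping -c 1 " + host

def is_valid_hostname(host: str) -> bool:
    return HOSTNAME_RE.match(host) is not None

def ping_command_hardened(host: str) -> List[str]:
    """Hardened: validate against the allow-list, then return an argv list for
    subprocess.run(argv) with shell=False, so no shell ever parses the input."""
    if not is_valid_hostname(host):
        raise ValueError("invalid hostname: %r" % host)
    return ["ping", "-c", "1", host]

def shell_command_count(cmdline: str) -> int:
    """How many separate commands a POSIX shell would see in `cmdline`:
    1 plus the number of ';', '&&', '||' and '|' separators after
    shell-style tokenisation (punctuation_chars makes shlex emit them)."""
    tokens = list(shlex.shlex(cmdline, posix=True, punctuation_chars=True))
    return 1 + sum(1 for t in tokens if t in (";", "&&", "||", "|"))

if __name__ == "__main__":
    db = make_db()
    probe = "x' OR '1'='1"          # constructed injection string
    print("vulnerable:", find_user_vulnerable(db, probe))   # every row comes back
    print("hardened:  ", find_user_hardened(db, probe))     # no row has that literal name
    tainted = "example.test; id"
    print("shell sees", shell_command_count(ping_command_vulnerable(tainted)), "commands")
    print("hardened rejects it:", not is_valid_hostname(tainted))
```

The two halves make the same point in different syntaxes: the fix is never to escape cleverly but to keep untrusted data out of the parser's grammar, by using bound parameters for SQL and an argv list with an allow-list for process execution. An IPS rule for these classes inspects the request for the same structural tells (quote-and-operator sequences, shell separators) that the hardened code refuses to pass through.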

Page 9

SSH brute force activity
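Slide 9 is a chart of SSH brute force activity. As an added example, not code from the deck and not QRadar's own logic, the detector below reads constructed sshd log lines, raises an alert when one source address reaches a failure threshold inside a sliding window, and raises a higher-severity alert when a login from that source then succeeds within the same window. The log lines, addresses, threshold and window length are all constructed for the example.

```python
"""
Added example (not from the deck, not QRadar code): a sliding-window SSH
brute-force detector over constructed sshd syslog lines.
"""
import re
from collections import defaultdict, deque
from datetime import datetime
from typing import Deque, Dict, List

# OpenSSH syslog-style lines; the timestamp carries no year.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>[\d.]+) port \d+")

# Constructed sample log (addresses from the RFC 5737 documentation ranges).
SAMPLE_LOG = """\
May  3 10:00:01 bastion sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 50122 ssh2
May  3 10:00:03 bastion sshd[2203]: Failed password for invalid user oracle from 203.0.113.7 port 50124 ssh2
May  3 10:00:04 bastion sshd[2205]: Failed password for root from 203.0.113.7 port 50126 ssh2
May  3 10:00:06 bastion sshd[2207]: Failed password for invalid user test from 203.0.113.7 port 50128 ssh2
May  3 10:00:07 bastion sshd[2209]: Accepted password for alice from 192.0.2.5 port 41000 ssh2
May  3 10:00:08 bastion sshd[2211]: Failed password for deploy from 203.0.113.7 port 50130 ssh2
May  3 10:00:09 bastion sshd[2213]: Failed password for deploy from 203.0.113.7 port 50132 ssh2
May  3 10:00:12 bastion sshd[2215]: Accepted password for deploy from 203.0.113.7 port 50134 ssh2
May  3 10:00:15 bastion sshd[2217]: Failed password for bob from 198.51.100.23 port 38000 ssh2
May  3 10:00:40 bastion sshd[2219]: Failed password for bob from 198.51.100.23 port 38002 ssh2
May  3 10:00:45 bastion sshd[2221]: Accepted password for bob from 198.51.100.23 port 38004 ssh2
"""

def detect(log_text: str, threshold: int = 5, window_s: int = 60) -> List[Dict[str, str]]:
    """Return alerts in the order they are raised.

    One "ssh-bruteforce" alert per source when it reaches `threshold` failures
    inside `window_s` seconds, and a high-severity "ssh-bruteforce-success"
    alert if that source then authenticates within the window: the guessing
    worked and the account needs immediate attention.
    """
    failures: Dict[str, Deque[datetime]] = defaultdict(deque)   # per-source failure times
    flagged: Dict[str, datetime] = {}                            # source -> time threshold crossed
    alerts: List[Dict[str, str]] = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                                             # unrelated sshd line
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
        ip, user, result = m["ip"], m["user"], m["result"]
        q = failures[ip]
        while q and (ts - q[0]).total_seconds() > window_s:      # expire old failures
            q.popleft()
        if result == "Failed":
            q.append(ts)
            if len(q) >= threshold and ip not in flagged:
                flagged[ip] = ts
                alerts.append({"type": "ssh-bruteforce", "ip": ip,
                               "failures": str(len(q)), "severity": "medium"})
        elif ip in flagged and (ts - flagged[ip]).total_seconds() <= window_s:
            alerts.append({"type": "ssh-bruteforce-success", "ip": ip,
                           "user": user, "severity": "high"})
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

Two failures from one user fat-fingering a password never reach the threshold, while the first source trips it on its fifth failure and then escalates when the `deploy` login succeeds. The same counting is what a SIEM rule expresses declaratively; the usual mitigations the alert should lead to are key-only authentication, rate limiting and lockout at the bastion.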

Page 10

Explosion of phishing based malware distribution and click fraud

Page 11

Mac malware

• 2011 has seen the most activity in the Mac malware world.
  – Not only in volume compared to previous years, but also in functionality.
• In 2011, we started seeing Mac malware with functionalities that we’ve only seen before in Windows® malware.

Page 12

Key Messages from the 2011 Trend Report

• New Attack Activity
  – Rise in Shell Command Injection attacks
  – Spikes in SSH Brute Forcing
  – Rise in phishing based malware distribution and click fraud
• Progress in Internet Security
  – Fewer exploit releases
  – Fewer web application vulnerabilities
  – Better patching
• The Challenge of Mobile and the Cloud
  – Mobile exploit disclosures up
  – Social Networking no longer a fringe pastime

Page 13

Public exploit disclosures

• Total number of exploit releases down to a number not seen since 2006
  – Also down as a percentage of vulnerabilities

Page 14

Public exploits

Page 15

Decline in web application vulnerabilities

• In 2011, 41% of security vulnerabilities affected web applications
  – Down from 49% in 2010
  – Lowest percentage seen since 2005

Page 16

Key Messages from the 2011 Trend Report

• New Attack Activity
  – Rise in Shell Command Injection attacks
  – Spikes in SSH Brute Forcing
  – Rise in phishing based malware distribution and click fraud
• Progress in Internet Security
  – Fewer exploit releases
  – Fewer web application vulnerabilities
  – Better patching
• The Challenge of Mobile and the Cloud
  – Mobile exploit disclosures up
  – Social Networking no longer a fringe pastime

Page 17

Mobile OS vulnerabilities & exploits

• Continued interest in mobile vulnerabilities as enterprise users request a “bring your own device” (BYOD) strategy for the workplace
• Attackers are finding that these devices represent lucrative new attack opportunities

Page 18

Social Networking – no longer a fringe pastime

• Attackers are finding social networks ripe with valuable information they can mine to build intelligence about an organization and its staff:
  – Scan corporate websites, Google, Google News
  – Who works there? What are their titles?
  – Create index cards with names and titles
  – Search LinkedIn, Facebook, Twitter profiles
  – Who are their colleagues?
  – Start to build an org chart
  – Who works with the information the attacker would like to target?
  – What is their reporting structure?
  – Who are their friends?
  – What are they interested in?
  – What are their work/personal email addresses?

Page 19

Introducing IBM’s Advanced Threat Protection Platform

Page 20

IBM Security Framework

Security Consulting | Managed Services | X-Force and IBM Research

IBM Security Portfolio

Security Intelligence
• QRadar SIEM
• QRadar Log Manager
• QRadar Risk Manager
• IBM Privacy, Audit and Compliance Assessment Services

People
• Identity & Access Management Suite
• Federated Identity Manager
• Enterprise Single Sign-On
• Identity Assessment, Deployment and Hosting Services

Data
• Guardium Database Security
• Optim Data Masking
• Key Lifecycle Manager
• Data Security Assessment Service
• Encryption and DLP Deployment

Applications
• AppScan Source/Std. Edition
• DataPower Security Gateway
• Security Policy Manager
• Application Assessment Service
• AppScan OnDemand Software as a Service

Infrastructure (IT Infrastructure – Operational Security Domains)
Network:
• Network Intrusion Prevention
• Server and Virtualization Security
• QRadar Anomaly Detection / QFlow
• Managed Firewall, Unified Threat and Intrusion Prevention Services
Endpoint:
• Endpoint Manager (BigFix)
• zSecure suite
• Penetration Testing Services
• Native Server Security (RACF, IBM systems)

IT GRC Analytics & Reporting
• Enterprise Governance, Risk and Compliance Management
• IBM OpenPages, Algorithmics (recent acquisition), i2 Corporation (recent acquisition)

Page 21

Advanced Threats: The sophistication of cyber threats, attackers and motives is rapidly escalating

Motive (vertical axis, top to bottom as shown):
• National Security
• Monetary Gain
• Espionage, Political Activism
• Revenge
• Curiosity

Adversary (horizontal axis, from 1995 – 2005, 1st decade of the commercial Internet, to 2005 – 2015, 2nd decade of the commercial Internet):
• Script-kiddies or hackers using tools, web-based “how-to’s”
• Insiders, using inside information
• Organized Crime, using sophisticated tools
• Competitors, Hacktivists
• Nation-state Actors; Targeted Attacks / Advanced Persistent Threat

Page 22

IT Security is a board room discussion

• Business results: Sony estimates potential $1B long term impact – $171M / 100 customers*
• Supply chain: Epsilon breach impacts 100 national brands
• Legal exposure: TJX estimates $150M class action settlement in release of credit / debit card info
• Impact of hacktivism: LulzSec 50-day hack-at-will spree impacts Nintendo, CIA, PBS, UK NHS, UK SOCA, Sony …
• Audit risk: Zurich Insurance Plc fined £2.275M ($3.8M) for the loss and exposure of 46K customer records
• Brand image: HSBC data breach discloses 24K private banking customers

Page 23

QRadar Security Intelligence

(Repeats the IBM Security Portfolio diagram from page 20.)

Page 24

Solutions for the Full Compliance and Security Intelligence Timeline

Page 25

Context & Correlation Drive Deepest Insight

Page 26

Solving Customer Challenges

Page 27

Fully Integrated Security Intelligence

Log Management
• Turnkey log management
• SME to Enterprise
• Upgradeable to enterprise SIEM

SIEM
• Integrated log, threat, risk & compliance mgmt.
• Sophisticated event analytics
• Asset profiling and flow analytics
• Offense management and workflow

Risk Management
• Predictive threat modeling & simulation
• Scalable configuration monitoring and audit
• Advanced threat visualization and impact analysis

Network Activity & Anomaly Detection
• Network analytics
• Behavior and anomaly detection
• Fully integrated with SIEM

Network and Application Visibility
• Layer 7 application monitoring
• Content capture
• Physical and virtual environments

One Console Security, built on a Single Data Architecture

Page 28

IBM Security Threat Platform

(Repeats the IBM Security Portfolio diagram from page 20.)

Page 29

IBM Security Network IPS: Addressing Today’s Evolving Threats

(Figure: >260)

Page 30

Why Vulnerability-based Research = Preemptive Security Approach

• Protecting against exploits is reactive
  – Too late for many
  – Variants undo previous updates
• Protecting against vulnerabilities and malicious behaviors is preemptive
  – Stops the threat at its source
  – Requires advanced R&D
• Why X-Force?
  – One of the best-known commercial security research groups in the world
  – IBM X-Force maintains one of the most comprehensive vulnerability databases in the world, dating back to the 1990s.
  – X-Force constantly updates IBM’s Protocol Analysis Module, the engine inside IBM’s security solutions
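The distinction this slide draws, an exploit signature versus a check for the vulnerable condition itself, is easiest to see on a toy request inspector. The block below is an added example, not IBM or X-Force code and not how the Protocol Analysis Module is implemented. The flaw it assumes is hypothetical: a server whose header parser copies the User-Agent value into a 256-byte fixed buffer (`MAX_SAFE_UA`). The "exploit" samples are constructed strings with a marker, not real payloads.

```python
"""
Added example (not IBM/X-Force code): an exploit-signature rule beside a
vulnerability-condition rule for one hypothetical flaw.

Assumed flaw: a parser that copies the User-Agent header into a 256-byte
buffer. The first public exploit pads the header with a recognisable
filler, so a signature is written for that filler. A variant with a new
filler slips past the signature, while the condition rule still fires
because it tests the property that makes the request dangerous.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List

MAX_SAFE_UA = 256   # hypothetical buffer size in the vulnerable parser

@dataclass
class Rule:
    name: str
    kind: str                                   # "signature" or "vulnerability"
    matches: Callable[[Dict[str, str]], bool]

def parse_request(raw: str) -> Dict[str, str]:
    """Minimal HTTP/1.x request parser: header name (lower-cased) -> value."""
    lines = raw.split("\r\n")
    headers: Dict[str, str] = {"_request_line": lines[0]}
    for line in lines[1:]:
        if not line:            # blank line ends the header block
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers

# Signature rule: the filler pattern copied from the first public exploit.
SIGNATURE_RULE = Rule(
    "exploit-ua-overflow-v1", "signature",
    lambda h: ("A" * 32 + "EXPLOIT-V1") in h.get("user-agent", ""))

# Vulnerability rule: the condition the parser cannot survive, whatever the payload.
VULNERABILITY_RULE = Rule(
    "ua-exceeds-buffer", "vulnerability",
    lambda h: len(h.get("user-agent", "").encode("utf-8")) > MAX_SAFE_UA)

RULES: List[Rule] = [SIGNATURE_RULE, VULNERABILITY_RULE]

def inspect(raw: str, rules: List[Rule] = RULES) -> List[str]:
    """Names of the rules that fire on one raw request, in rule order."""
    headers = parse_request(raw)
    return [r.name for r in rules if r.matches(headers)]

def build_request(user_agent: str) -> str:
    return "GET / HTTP/1.1\r\nHost: example.test\r\nUser-Agent: " + user_agent + "\r\n\r\n"

# Constructed traffic samples (marker strings, no real exploit payload).
BENIGN = build_request("Mozilla/5.0 (X11; Linux x86_64)")
ORIGINAL_EXPLOIT = build_request("A" * 300 + "EXPLOIT-V1")
VARIANT_EXPLOIT = build_request("B" * 300 + "EXPLOIT-V1")   # same overflow, new filler

def compare(samples: Dict[str, str]) -> Dict[str, List[str]]:
    """Which rules fire for each labelled sample."""
    return {label: inspect(raw) for label, raw in samples.items()}

if __name__ == "__main__":
    results = compare({"benign": BENIGN, "original": ORIGINAL_EXPLOIT,
                       "variant": VARIANT_EXPLOIT})
    for label, fired in results.items():
        print("%-9s %s" % (label, ", ".join(fired) or "-"))
```

The signature catches only the exploit it was written from; the variant, which the slide's "variants undo previous updates" bullet describes, defeats it without touching the underlying flaw. The condition rule needs to be written once per vulnerability, which is the research effort the slide refers to, and then covers every exploit of it.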

Page 31

IBM IPS Zero Day (Vuln/Exploit) Web App Protection

New Vulnerability or Exploit               Reported Date   Ahead of the Threat Since
Nagios expand cross-site scripting         5/1/2011        6/7/2007
Easy Media Script go parameter XSS         5/26/2011       6/7/2007
N-13 News XSS                              5/25/2011       6/7/2007
I GiveTest 2.1.0 SQL Injection             6/21/2011       6/7/2007
RG Board SQL Injection                     6/28/2011       6/7/2007
BlogiT PHP Injection                       6/28/2011       6/7/2007
IdevSpot SQL Injection (iSupport)          2011-05-23      6/7/2007
2Point Solutions SQL Injection             6/24/2011       6/7/2007
PHPFusion SQL Injection                    1/17/2011       6/7/2007
ToursManager PHP Script Blind SQLi         2011-07-xx      6/7/2007
Oracle Database SQL Injection              2011-07-xx      6/7/2007
LuxCal Web Calendar                        7/7/2011        6/7/2007
Apple Web Developer Website SQL            2011-07-xx      6/7/2007
MySQLDriverCS Cross-Param SQLi             6/27/2011       6/7/2007

■ The IBM IPS Injection Logic Engine has stopped every large-scale SQL injection or XSS attack on day zero.

• Asprox – reported 12/11/2008 – stopped 6/7/2007
• Lizamoon – reported 3/29/2011 – stopped 6/7/2007
• SONY (published) – reported May/June/2011 – stopped 6/7/2007
• Apple Dev Network – reported July/2011 – stopped 6/7/2007

Page 32

IBM’s Preemptive Approach vs. Reactive Approach to address Threats

IBM Clients have typically been provided protection guidance prior to or within 24 hours of a vendor vulnerability disclosure being announced (89% of the time in 2010)

(Chart: # of days IBM clients were provided protection guidance “Ahead of the Threat”)

Source: IBM X-Force

Page 33

Network Security Product Line-up

• IBM Security Network Intrusion Prevention System: The core of any Intrusion Prevention strategy, IBM Security Network IPS appliances help to protect the network infrastructure from a wide range of attacks, up to 23 Gbps inspected throughput
• IBM Security Endpoint Defence: Focused on protecting individual assets on the network including servers and desktops from both internal and external threats
• IBM Security Virtual Server Protection: Virtual Server Protection is integrated with the hypervisor and provides visibility into intra-VM network traffic. Supports ESX 4.1 and 5.0 and 10Gb Ethernet
• IBM Security SiteProtector System: Centralized management for IBM Security intrusion prevention solutions that provides a single management point to control security policy, analysis, alerting and reporting

Page 34

IBM’s Vision for Infrastructure Threat Protection – Roadmap

Page 35

1Q12: Launched IBM Security Network IPS Powered by X-Force

• Meet signature sharing mandates (e.g. Government & Financial Institutions)
• IBM Hybrid protection
  – Using X-Force Protocol Analysis with the ability to write or import custom Snort rules
• IBM Network IPS and Protocol Analysis Module (PAM): core tenet of the Advanced Threat Protection Platform

Core Capabilities
• Unmatched performance delivering 20Gbps+ of inspected throughput and 10GbE connectivity without compromising breadth and depth of security
• Evolving protection powered by world-renowned X-Force research to stay “ahead of the threat”
• Reduced cost and complexity through consolidation of point solutions and integrations with other security tools

Locked in to a signature-only IPS? Make the move to IBM Security Network IPS (Custom Rules)

Page 36

Extensible Protection with Protocol Analysis Module

Virtual Patch
What It Does: Mitigates vulnerability exploitation independent of a software patch, and enables a responsible patch management process that can be adhered to without fear of a breach.
Why Important: At the end of 2011, 36% of all vulnerabilities disclosed during the year had no vendor-supplied patches available to remedy the vulnerability.

Client-Side Application Protection
What It Does: Protects end users against attacks targeting applications used every day such as Microsoft Office, Adobe PDF, multimedia files and Web browsers.
Why Important: In 2011, vulnerabilities which affect client-side applications represented one of the largest categories of all vulnerability disclosures.

Web Application Protection
What It Does: Protects web applications against sophisticated application-level attacks such as SQL Injection, XSS (Cross-site scripting), PHP file includes, CSRF (Cross-site request forgery), and Directory Traversal.
Why Important: Expands security capabilities to meet both compliance requirements and threat evolution.

Threat Detection & Prevention
What It Does: Detects and prevents entire classes of threats as opposed to a specific exploit or vulnerability.
Why Important: Eliminates the need for constant signature updates. Protection includes proprietary technology such as Java bytecode exploit detection, Flash exploit detection, and Shell Code Heuristics (SCH) technology, which has an unbeatable track record of protecting against zero-day vulnerabilities.

Data Security
What It Does: Monitors, identifies, and provides control over unencrypted personally identifiable information (PII) and other confidential information for data awareness. Also provides the capability to explore data flow through the network to help determine if any potential risks exist.
Why Important: Flexible and scalable customized data search criteria; serves as a complement to the data security strategy.

Application Control
What It Does: Manages control of unauthorized applications and risks within defined segments of the network, such as ActiveX fingerprinting, peer-to-peer, instant messaging, and tunnelling.
Why Important: Enforces network application and service access based on corporate policy and governance.

Ahead of the Threat: extensible protection backed by the power of X-Force

Page 37

2Q12: Launch the X-Force IP Reputation Feed for QRadar

• 2Q12: IBM X-Force powers QRadar with the X-Force IP Reputation Feed
  – Providing insight into suspect entities on the internet
• 15+ Billion URLs Monitored and Classified on a continuous basis
• Information about Malicious IPs, Malware hosts, SPAM sources, Dynamic IPs & Anonymous Proxies
• Enhances QRadar correlation intelligence

Page 38

2Q12: Launch QRadar Network Anomaly Detection, Optimized for the Advanced Threat Protection Platform

(Diagram: SiteProtector, QRadar, Network IPS, Server, Desktop, Scanner and AppScan components arranged under Suspicious Behavior, Visibility, Proactive Prevention and Protection)

• SiteProtector as core for command & control
• QRadar Network Anomaly Detection for enhanced analytics
• QRadar QFlow and VFlow collectors provide Network Awareness via deep packet inspection
• Integrated policy management & workflows within SiteProtector facilitate a rapid response to threats and more proactive visibility.

• QRadar Network Anomaly Detection
  – An optimized version of QRadar which complements SiteProtector
• Greater visibility for SiteProtector/IPS customers
• Network flow capture with behavioral analysis and anomaly detection provides greater security intelligence:
  – Traffic profiling for added protection from low-and-slow and zero-day threats
  – Correlation of threat data, flow data and system and application vulnerabilities for enhanced incident analysis
• Supports identity sources to associate user activity with incidents
• Support for vulnerability data to correlate attacks with vulnerable assets
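Slides 37 and 38 describe two enrichments of the same correlation: an IP reputation feed that classifies remote addresses, and vulnerability data that says whether the host an event targets is actually exposed. The block below is an added example of that correlation in miniature; it is not QRadar code and not the X-Force feed. The feed entries, asset inventory (placeholder vulnerability ids, not CVEs), flow records, IPS events and magnitude weights are all constructed for the example.

```python
"""
Added example (not QRadar code): scoring flows and IPS events against a
reputation feed and an asset vulnerability inventory, then merging the
results into per-asset offenses. All inputs are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Constructed reputation feed: remote IP -> category (stand-in for a real feed).
REPUTATION: Dict[str, str] = {
    "203.0.113.50": "malware-host",
    "198.51.100.9": "anonymous-proxy",
    "192.0.2.77": "spam-source",
}

# Constructed asset inventory: internal host -> vulnerability ids it carries
# (placeholder ids, not CVE numbers).
ASSET_VULNS: Dict[str, Set[str]] = {
    "10.0.0.5": {"VULN-WEB-001"},
    "10.0.0.8": set(),
}

@dataclass
class Flow:
    src: str
    dst: str
    dst_port: int
    bytes_out: int

@dataclass
class IpsEvent:
    src: str
    dst: str
    signature: str
    targets_vuln: Optional[str]     # vulnerability id the signature covers, if known

@dataclass
class Offense:
    asset: str
    reason: str
    magnitude: int
    evidence: List[str] = field(default_factory=list)

def score_flow(f: Flow) -> Optional[Offense]:
    """Outbound traffic to a reputation-listed address becomes an offense;
    the category sets the base magnitude, a large upload raises it."""
    category = REPUTATION.get(f.dst)
    if category is None:
        return None
    magnitude = {"malware-host": 8, "anonymous-proxy": 5, "spam-source": 3}.get(category, 2)
    if f.bytes_out > 1_000_000:      # bulk upload to a bad host: possible exfiltration
        magnitude += 2
    return Offense(f.src, "outbound to %s" % category, min(magnitude, 10),
                   ["flow %s -> %s:%d (%d bytes)" % (f.src, f.dst, f.dst_port, f.bytes_out)])

def score_event(e: IpsEvent) -> Offense:
    """An IPS event against a host that carries the targeted vulnerability
    outranks the same event against a host that does not; a source already
    known to the feed adds one more point."""
    vulnerable = e.targets_vuln is not None and e.targets_vuln in ASSET_VULNS.get(e.dst, set())
    magnitude = 9 if vulnerable else 3
    if e.src in REPUTATION:
        magnitude = min(magnitude + 1, 10)
    reason = "exploit attempt vs %s host" % ("vulnerable" if vulnerable else "non-vulnerable")
    return Offense(e.dst, reason, magnitude, ["ips %s from %s" % (e.signature, e.src)])

def correlate(flows: List[Flow], events: List[IpsEvent]) -> List[Offense]:
    """Merge offenses per asset (highest magnitude wins, evidence accumulates)
    and return them worst-first, the order an analyst queue should show."""
    by_asset: Dict[str, Offense] = {}
    scored = [score_flow(f) for f in flows] + [score_event(e) for e in events]
    for off in scored:
        if off is None:
            continue
        current = by_asset.get(off.asset)
        if current is None:
            by_asset[off.asset] = off
        else:
            current.evidence.extend(off.evidence)
            if off.magnitude > current.magnitude:
                current.magnitude, current.reason = off.magnitude, off.reason
    return sorted(by_asset.values(), key=lambda o: o.magnitude, reverse=True)

# Constructed sample telemetry.
SAMPLE_FLOWS = [
    Flow("10.0.0.8", "192.0.2.10", 443, 12_000),           # ordinary traffic, unlisted peer
    Flow("10.0.0.5", "203.0.113.50", 8080, 2_500_000),     # bulk upload to a malware host
    Flow("10.0.0.8", "198.51.100.9", 443, 4_000),          # anonymous proxy use
]
SAMPLE_EVENTS = [
    IpsEvent("203.0.113.50", "10.0.0.5", "HTTP_SQL_Injection", "VULN-WEB-001"),   # exposed host
    IpsEvent("192.0.2.77", "10.0.0.8", "HTTP_SQL_Injection", "VULN-WEB-001"),     # not exposed
]

if __name__ == "__main__":
    for off in correlate(SAMPLE_FLOWS, SAMPLE_EVENTS):
        print(off.asset, off.magnitude, off.reason, off.evidence)
```

The same SQL injection signature fires twice but produces very different magnitudes once asset data is consulted, which is the point of the slide's "correlate attacks with vulnerable assets" bullet; and the host that both uploads to a listed malware address and is being probed by it rises to the top with both pieces of evidence attached.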

Page 39

Summary

• Fewer public vulnerability disclosures and exploits in 2011 compared to 2010, but…
• We see more attack activity, with high profile breaches
• Attacks are getting more sophisticated
• Security Intelligence makes it easier to manage more data, with log and network flow correlation, configuration monitoring and risk and compliance management
• Launch of the Advanced Threat Protection Platform to address new sophisticated attacks utilizing QRadar Security Intelligence

Page 40

Acknowledgements, disclaimers and trademarks

© Copyright IBM Corporation 2012. All rights reserved.

The information contained in this publication is provided for informational purposes only. While efforts were made to verify the completeness and accuracy of the information contained in this publication, it is provided AS IS without warranty of any kind, express or implied. In addition, this information is based on IBM’s current product plans and strategy, which are subject to change by IBM without notice. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, this publication or any other materials. Nothing contained in this publication is intended to, nor shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software.

References in this publication to IBM products, programs or services do not imply that they will be made available in all countries in which IBM operates. Product release dates and/or capabilities referenced in this presentation may change at any time at IBM’s sole discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any way. Nothing contained in these materials is intended to, nor shall have the effect of, stating or implying that any activities undertaken by you will result in any specific sales, revenue growth, savings or other results. All statements regarding IBM future direction and intent are subject to change or withdrawal without notice, and represent goals and objectives only.

Information concerning non-IBM products and services was obtained from a supplier of those products and services. IBM has not tested these products or services and cannot confirm the accuracy of performance, compatibility, or any other claims related to non-IBM products and services. Questions on the capabilities of non-IBM products and services should be addressed to the supplier of those products and services.

All customer examples cited or described are presented as illustrations of the manner in which some customers have used IBM products and the results they may have achieved. Actual environmental costs and performance characteristics may vary by customer and will vary depending on individual customer configurations and conditions. Nothing contained in these materials is intended to, nor shall have the effect of, stating or implying that any activities undertaken by you will result in any specific sales, revenue growth or other results.

Prices are suggested U.S. list prices and are subject to change without notice. Starting price may not include a hard drive, operating system or other features. Contact your IBM representative or Business Partner for the most current pricing in your geography.

IBM, the IBM logo, ibm.com, Tivoli, the Tivoli logo, Tivoli Enterprise Console, Tivoli Storage Manager FastBack, and other IBM products and services are trademarks or registered trademarks of International Business Machines Corporation in the United States, other countries, or both. If these and other IBM trademarked terms are marked on their first occurrence in this information with a trademark symbol (® or ™), these symbols indicate U.S. registered or common law trademarks owned by IBM at the time this information was published. Such trademarks may also be registered or common law trademarks in other countries. A current list of IBM trademarks is available on the Web at "Copyright and trademark information" at ibm.com/legal/copytrade.shtml

Page 41

Thank You. Q&A