IBM Advanced Threat Protection Solution Fabio Panada IBM Security Tech Sales Leader 1
Advanced Threats is one of today s key mega-trends Advanced Threats Sophisticated, targeted attacks designed to gain continuous access to critical information are increasing in severity and occurrence Cloud Computing Cloud security is a key concern as customers rethink how IT resources are designed, deployed and consumed Advanced Persistent Threats Stealth Bots Targeted Attacks Designer Malware Zero-days Mobile Computing Securing employee-owned devices and connectivity to corporate applications are top of mind as CIOs broaden support for mobility Enterprise Customers Regulation and Compliance Regulatory and compliance pressures are mounting as companies store more data and can become susceptible to audit failures GLBA 2
Targeted Attacks Shake Businesses and Governments 3 IBM Security X-Force 2011 Trend and Risk Report September 2011
Leader Technology IBM Security Network Protection offerings are based on a modular, research-driven protocol analysis engine for vulnerability based deep packet inspection Protecting against exploits is reactive Protecting against vulnerabilities and malicious behaviors is preemptive 4
LOT of Data Online Services Filter Database Server Crawling Crawler robots search the web in parallel. They download the websites and images, and place them in the cache. The information is stored in the database. Analysis Server cluster analyze the data acquired by the crawlers. The analyzed results are stored in the database. 17B 5M/d 60K analyzed web pages & images spam & phishing attacks documented vulnerabilities 9B+ of security events daily Millions 71M of unique malware samples catalogued URLs 270+ web applications Millions IP addresses in IP reputation feed Geo location, Spam, anonymous proxies, dynamic IPs, malware, C&C, 5
Network Intrusion Prevention Solutions Block threats before they impact your organization Uncompromising security backed by X-Force Inspected throughput from 200 Mbps to 20Gbps+ Protection for up to 8 network segments Scale from remote offices to the network core IBM Security Network IPS Models Remote Perimeter Core Model GX4004-200 GX4004 GX5008 GX5108 GX5208 GX7412-5 GX7412-10 GX7412 GX7800 Inspected Throughput 200 Mbps 800 Mbps 1.5 Gbps 2.5 Gbps 4 Gbps 5 Gbps 10 Gbps 15 Gbps 20 Gbps+ Protected Segments 2 2 4 4 4 8 8 8 4 6
QRadar Network Anomaly Detection QRadar Network Anomaly Detection optimized version of QRadar Network Activity Monitoring for IBM Security Network Protection solutions Behavioral analytics and real-time correlation help better detect and prioritize stealthy attacks Integrated analysis of network flow data brings additional security intelligence to IBM Security Network Protection solutions: Traffic profiling to detect zero-day threats Correlation of threat & flow data for enhanced incident analysis Network activity monitoring to profile user and system behavior to improve threat intelligence and complement risk based access strategies Consolidation and correlation of data bring out the needle in the haystack Network and application responsiveness to troubleshoot connections, monitor peaks & outages, baseline for comparison, and distinguish anomaly types Incorporates X-Force IP Reputation Feed, providing insight into suspect entities on the Internet, feeding correlation intelligence 7
IBM Security Network Protection XGS 5000 Proven Security Ultimate Visibility Complete Control Extensible, 0-Day Protection Powered by X-Force Understanding Who, What and When for ALL network activity Enabling multidimensional application access With seamless deployment into your infrastructure, IBM Security Network Protection XGS 5000 empowers IT security teams to finally address BOTH security demands AND business requirements 8
Introducing Advanced Controls Web Category Protection Allow marketing and sales teams to access social networking sites Server Network Web Applications Non-web Applications Access Control Protocol Aware Intrusion Protection Client-Side Protection Block attachments on all outgoing emails and chats A more strict security policy is applied to traffic from countries where I do not do business Geography Reputation Botnet Protection Advanced inspection of web application traffic destined to my web servers User or Group Network Awareness Web Protection Block known botnet servers and phishing sites Reputation Allow, but don t inspect, traffic to financial and medial sites Who What Controls Security 9 172.29.230.15, 192.168.0.0 /16 80, 443,25, 21, 2048-65535 July
10
IBM X-Force Threat Information Center Real-time Security Overview w/ IP Reputation Correlation Identity and User Context Real-time Network Visualization and Application Statistics Inbound Security Events 11
12
ibm.com/security Copyright IBM Corporation 2012. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind, express or implied. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, these materials. Nothing contained in these materials is intended to, nor shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software. References in these materials to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates. Product release dates and/or capabilities referenced in these materials may change at any time at IBM s sole discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any way. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United 13 States, other countries or both. Other company, product, or service names may be trademarks or service marks of others.
Use Cases 14
Identifying and Mitigating Web Application Security Risk by Integrating AppScan with Network Security Solutions 15
IBM Advanced Threat Protection Solution Internal Network Assets & Applications Network IPS Firewall Internet 16
IBM Advanced Threat Protection Solution QRadar -SIEM Internal Network Assets & Applications IPS SiteProtector Firewall Internet 17
IBM Advanced Threat Protection Solution Internal Network Assets & Applications IBM Security AppScan IPS SiteProtector Firewall Internet 18
Check your applications for security vulnerabilities with AppScan Enterprise Security analyst performs automated security assessments of new or already deployed Web applications Security analyst reviews findings and identifies vulnerabilities Application development team are notified about security vulnerabilities 19
SiteProtector SecurityFusion module provides security intelligence 20 IDS/IPS real-time malicious HTTP traffic is correlated with vulnerable application assets SiteProtector alerts network analyst when attacks are likely to succeed Network analyst takes action
Correlating vulnerabilities, events and network traffic IBM Security QRadar correlates vulnerabilities, events and network traffic to create offences. Using information from AppScan Enterprise 21
Web Application Protection and Appscan Network analyst creates a virtual patch by turning on IBM Security IPS Web application protection policy Network analyst enables protection categories in the policy based on the types of discovered vulnerabilities with AppScan 22 Protection categories Client-side attacks Injection Attacks Malicious File Execution Cross-site Request Forgery Information Disclosure Path Traversal Authentication Buffer Overflow Brute Force Directory Indexing Miscellaneous Attacks
IPS with Web Protection policy turned on Internal Network Assets & Applications IBM Security AppScan IPS SiteProtector Firewall Internet 23
Using IBM Next Generation NIPS to protect against Java 0-Day attack 24
27 August 2012 Java 0-Day Exploited in the Wild Zero-Day Season is Not Over Yet Oracle Java Runtime Environment sandbox code execution New Java zero-day vulnerability has been spotted in the wild. We have seen this unpatched exploit being used in limited targeted attacks. Most of the recent Java run-time environments i.e., JRE 1.7x are vulnerable. In my lab environment, I was able to successfully exploit my test machine against latest version of FireFox with JRE version 1.7 update 6 installed. Description: Oracle Java Runtime Environment could allow a remote attacker to execute arbitrary code on the system. By persuading a victim to visit a speciallycrafted Web site containing a malicious Java applet, an attacker could exploit this vulnerability to bypass sandbox restrictions to download and execute arbitrary code outside the sandbox. 25
28 August 2012 IBM Raising Internet Threat Level to AlertCon 2 The Java exploit (CVE-2012-4681) continues to become more wide spread and, with the inclusion of this code in the Blackhole Exploit Kit, we have decided to raise our Internet Threat Level to AlertCon 2 in an effort to bring increased awareness of this situation to our customers. Customers using our Proventia series of network sensors can enable Java_Possibly_Malicious_Applet. We encourage you to work with your vendor to find the best coverage for this exploit. Customers who can not disable Java, due to application requirements, may want to consider turning off the plugin in your browsers, which should still allow your desktop applications to run properly. 26
29 August 2012 27
30 August 2012 28
31 August 2012 29
31 August 2012 30
Using IBM Next Generation NIPS to protect Intellectual Property 31
32
33
34
35
36
37
38
39
40
41
42