DSS ITSEC 2013 Conference 07.11.2013 - Security in High Risk Environment

IBM Security Systems

Security in High Risk Environment
Vulnerabilities, Vulnerabilities and Vulnerabilities

Jan Bojtos
Security Channel Manager
Central & Eastern Europe
jan.bojtos@sk.ibm.com

© 2013 IBM Corporation
1



You know? You can
do this online now.

2



Agenda

 Application Security
 Vulnerability Management
 New Generation Network Security

3



Agenda


4



Security
Incident
s in the
first
half of

5



The Application Security landscape
Web application vulnerabilities dominate the enterprise threat landscape
Applications in Development
 In-house development
 Outsourced development

Production Applications
 Developed in house
 Acquired
 Off-the-shelf commercial apps

•
•

6

Web application vulnerabilities surged
14% from 2,921 vulnerabilities in 2011
to 3,551 vulnerabilities in 2012
47% of all vulnerabilities that the IBM XForce documented in 2012 were
considered web application
vulnerabilities
*IBM X-Force 2012 Trend & Risk Report

 Vulnerabilities are spread through
a wide variety of applications

**IBM X-Force 2012 Trend & Risk Report


Applications


Challenge 1: Finding more vulnerabilities using advanced techniques

Total Potential
Security Issues

Static Analysis
- Analyze Source Code
- Use during development
- Uses Taint Analysis /
Pattern Matching

Dynamic Analysis
- Analyze Live Web Application
- Use during testing
- Uses HTTP tampering

Hybrid Analysis
- Correlate Dynamic and
Static results
- Assists remediation by
identification of line of code

Run-Time Analysis
- Combines Dynamic Analysis
with run-time agent
- More results, better accuracy
77

Client-Side Analysis

!New
!New

- Analyze downloaded Javascript
code which runs in client
!New
- Unique in the industry !New


Challenge 2: Reducing Costs Through a Secure by Design
Approach
80% of development costs
80% of development costs
are spent identifying and
are spent identifying and
correcting defects!*
correcting defects!*

Average Cost of a Data Breach
Average Cost of a Data Breach
$7.2M** from law suits, loss of customer
$7.2M** from law suits, loss of customer
trust, damage to brand
trust, damage to brand

Find during Development

Find during Build

Find during QA/Test

Find in Production

$80/defect

$240/defect

$960/defect

$7,600 / defect

“As financially-motivated attackers have shifted their focus to applications, Web application security has become a top priority. However,
“As financially-motivated attackers have shifted their focus to applications, Web application
the responsibility for web application security cannot rest solely with information security. Enterprises should evaluate how to identify
the responsibility for web application security cannot rest solely with information security. Enterprises should evaluate how to
vulnerabilities in Web applications earlier in the development process as transparently as possible using web application security testing
vulnerabilities
products or services.”
products or services.”
Neil MacDonald, Gartner, 12-6-11
Neil MacDonald, Gartner, 12-6-11

8

* Source: National Institute of Standards and Technology

** Source: Ponemon Institute 2009-10



Challenge 3: Bridging the Security/Development gap
Break down organizational silos
 Security experts establish security testing
policies
 Development teams test early in the cycle

Provide Management Visibility
 Dashboard of application risk
 Enable compliance with
regulation-specific reporting

 Treat vulnerabilities as development
defects

“… we wanted to go to a multiuser web-based solution
“… we wanted to go to a multiuser web-based solution
that enabled us to do concurrent scans and provide our
that enabled us to do concurrent scans and provide our
customers with a web-based portal for accessing and
customers with a web-based portal for accessing and
sharing information on identified issues.”
sharing information on identified issues.”
Alex Jalso, Asst Dir, Office of InfoSecurity, WVU
Alex Jalso, Asst Dir, Office of InfoSecurity, WVU
9

Developer
Architect
Quality
Professional

Enables
Collaboration
Security Auditor



Finding Vulnerabilities During Security Test Phase

SDLC
Coding
% of Issue found by stage of SDLC
10

Build

QA

Security

Production

Most Issues are
Most Issues are
found by security
found by security
auditors prior to
auditors prior to
going live.
going live.



Maturity of Security Testing

SDLC
Coding
% of Issue found by stage of SDLC
11

Build

QA

Security

Production

Desired Profile
Desired Profile



Organizations need to take a proactive approach to Application Security
 Embed security testing early in the
development lifecycle to support agile
delivery demands
 Bridge the gap between “Security”
and “Development” through joint
collaboration and visibility, enabling
regulatory compliance
 Integrate security testing into the
development lifecycle, through
interfaces to development tools

A proactive team approach to
Application Security
AppScan
Static
Analysis

Hybrid
Analysis

Dynamic
Analysis

Collaboration
Governance

Visibility

Analyst

Developer

Quality
Professional

Architect

Security Auditor

12



IBM Security Systems AppScan Suite –
Comprehensive Application Vulnerability Management
SECURITY
REQUIREMENTS

CODE

BUILD

QA

AppScan Enterprise

Security
Requirements
Definition
Security
requirements
defined before
design &
implementation

AppScan Source

Build security
testing into the
IDE

PRE-PROD

PRODUCTION

AppScan onDemand

AppScan
Standard

Security &
Automate Security Security / compliance
Compliance
testing incorporated
/ Compliance
Testing,
into testing &
testing in the
oversight, control,
remediation
Build Process
policy, audits
workflows

AppScan
Standard
Outsourced testing
for security audits &
production site
monitoring

Application Security Best Practices – Secure Engineering Framework

13
13

Dynamic Analysis/Blackbox –
Static Analysis/Whitebox -



Agenda


14



Vulnerability market trends

1

Escalating
Escalating
threat landscape
threat landscape

Vulnerabilities are
increasing in volume and
severity, while attackers
are exploiting them
quicker than ever before…
and with greater
sophistication

15

2

Evolving IT
Evolving IT
infrastructures
infrastructures

Rapid adoption of mobile and
cloud – as well as the ever
increasing speed and
complexity of IT – make
discovery and accuracy of
new and existing risks a
daunting task

3

Surpassing simple
Surpassing simple
compliance efforts
compliance efforts

Routine snapshots
may satisfy the
auditors, but hardly
enough to understand
what’s really going
on within your IT
environment



Customer business problems
Problems in current Vulnerability management deployments:

!!

Yo
ur
V

Siloed system limitations

!!

rV

uln

rV

uln

era

uln

era
bil
itie
era
s
bil
itie
s

bil
it

ies

Hidden risks remain

Leaves
unanswered
questions

16

Yo
u

Data overload inhibitor

!!

Yo
u

CV
E
CV CV
E
E
CV CV CV
CV
E E E
CV CV CV CVE
E
CV CV
E E
E
E C C C C CV
E
CV CV CV VE VE VE CVE C E C
V
E E CE C C C
V V
V
CV CV CV VE VE E VE C E C E C E CV
CV
E
E C C C C C CV VE VE VE
E
E
E
V VE VE E
C
C
E
CV CV CVE VE VE EVC C C C CV CV CVE CVE VE
E
V
E
C CV C VE E VE
C
CVE CV CCV CVE VE E VE CVC E C E CV CVE CVE CVE VE
VE V C
E E VEE C C CVCVCVE VE CVE E VE E C C
C C C
CV CV V V E E
CV CV CV E E E E C C C C CVC CV C V VE VE VE VE C
C CV
E CE C C CC CV CV V V VE VE EVE E VE E C C
E
V
C C C
V E
EE E C
CV CV CVVE VE E VVE E C C C CV V CV VCV VE V VE VE VE C E C E CV
CC
E
E E CE CCV C CV V C V V V E E CE E C CE C CV C
V V
E
VE
CV CV CVE E VE E VE E E VE E CE E CVCV V CV VCV VE VE E VE C E C E CV
V
C
V
C C CVV
E C C C CC CV V V CCE VE V E E E CE E C C C C
E
E
V
E
C E
VE
V E
CV CV CVVE VE E VVE E E E CVECC CE C CVCV VE VE CVEVE VEVE E C E CV
CC CV V V V V
C
E
E CC E CC CV CVE V CVECE EVE E VE E C C C C CVC CVCV V VE E
E
E
V
CV CV V VE VVE CCE VEE C C C CE VC CV CV V V VE VE EVE E E E C CV
C
E CCE V C CV VV V V V CEVE E E E E C C C C C
C
C
E CE C C
V
V
E
E
VEV
V E VVC C E EV E C C CC E
CC C V
CV CV CVVE VE E VVE E E E E EECCV E CV V CV VE V VCVEVE VEVE C E C E CV
C
V
E E
C
V
E
C C CV V V V VE E CE E E E CCE C CVC C C
E
VE C V
CV CV CCVECCVE VE E VVECE E E E CECCE V V V VE V VE VE EVEVEVEVE C E CV
E CC
C CC CV
V
V
V
E CE
E
C C C C V CV V VV E C E CE E C C C C C
E
VV C E V VV E CVE EE E CV CVV V V C V V V
CV CV CVVECCEE VVE VE E CEEC E E V CV CV VE V CEE E E VE E E E C E CV
C E
CV CE V CVE E E E
E
CC
V
E
E E
CC CC C V V
CV C CV CVE V VC CV V
C V C CC
CV CV CV CCVE VVE VVECVE E C EEC E E V CVE VCVE E EVE E VE E C E CV
E C C
VE E
V CVE E E E E E C C C CVC CV
V
E E
C CC
V
E
E
VV
CV CV V V
CV
CV CV CV CVE CVVE VVECC EECVEE C E CCCVE CVE E E E VE EVE E C E C
CV C
E CC E
E E
E
VV V E VV VV C E E C C CV C CV V V
CV
E
CV CV CV CVE CVE VVE C EEC E C V E CEE CV CVECVE VE E VE E C E C E
EC
CV C CV V VEE E VE C C C
V
E E
C
V V
E
V
CC VC C V V
CV CV CVE CVE VE VVE C EECC EECCE E V V CCV VE VE EVE E C E C E
EC
V
E C E C C CV CV
V VE
V E VVE VVE E E CEE C CVC CV
E
C V
CE V
VE VE VE C E C E C E C V CCV CCVE VE E VE E VE E CV E CV
V
CV
CV CV VE VE VE VEE CEE C E CCV CV CVE E E C E
C
E
CV VE
E C E C CV CV CV CVVE VVE VEE
E
EC
E C E C E CCV CCV CVE CVE
VE VE
E
VE E
VEE
VE
CV CV CV
V V
C C
E C E C E C E CVE CV CCVE VE VE
V
VE VE VE
E E C E CV CVE
EC
CV CV CVE CVE VE
VE
E C E C CV CV
VE VE
E E
CV CV CVE
EC EC
VE VE
CV
E

Creates
security
gaps

•
•
•
•
•

Has that been patched?
Has or will it be exploited?
Does my firewall block it?
Does my IPS block it?
Does it matter?



Our solution: IBM Security QRadar Vulnerability Manager
Solution Highlights
 Unique VA solution
integrated with Security
Intelligence context/data

New

Log
Manager

SIEM

Network
Activity
Monitor

Risk
Manager

Vulnerability
Manager

 Providing unified view of all
vulnerability information
 Dramatically improving
actionable information
through rich context
 Reducing total cost of
ownership through product
consolidation
Security Intelligence is extending and transforming vulnerability management
– just as it did with logs, events, flows and risk management.
17



IBM Security QRadar Vulnerability Manager key features
 Contains an embedded, well
proven, scalable, analyst
recognised, PCI certified scanner
 Detects 70,000+ vulnerabilities
 Tracks National Vulnerability
Database (CVE)
 Present in all QRadar log and flow
collectors and processors
 Integrated external scanner
 Complete vulnerability view
supporting 3rd party vulnerability
system data feeds
 Supports exception and
remediation processes of VM with
seamlessly integrated reporting
and dash boarding
18

Complete Vulnerability Context and Visibility

Integrated
vulnerability
scanner

Network
discovery and
asset
information

IBM
Security
Context

3rd Party
vulnerability
solutions

AppScan
Guardium
Endpoint (BigFix)
Network IPS
X-Force

e.g. Qualys
Rapid7
Nessus
nCircle
McAfee


Security Intelligence Integration
 QVM scanners present in every QRadar
appliance
− ‘Switch’ on distributed scanning
 Event triggered scanning
− E.g. New asset seen
 Rapid and dynamic scans using asset
search based scans
− Less time spent searching
 Shared reporting and dashboard
infrastructure, providing single view

Scanning

 External threat posture, exploit events,
network usage, and security context
seamlessly integrated

20



What’s a difference?
Standard VM

Y
Yo our V
Yo
u
ur r Vu ulne
Vu
r
l
lne nera abili
t ie
rab bil
ilit ities s
ies

CV
E
CV CV CV
E E C EC
CV
V
E CV CV V
CV CV E C E C E C E CV
CV
EC
E CVE VE VE VE
EC C E C
CV CV
C
V
E C VE E CVE VE
E CVE CVC CVE VE VE C E C
C
CV CV V
VC C C V
V
EV
E
CV CVC CVE CVE VE VE C E C
E
E
E
C
E
CV CV CVE EVC EVCV CV CVE VE VE
CV C VC CVE CVE
E
E
E
E
C
C
E CVE CVC EV
C
E
E CV CV
CV CV CVC EVC EVCV EVCVC CVE CVE VE VE
C C
E E C
E CE E EVCV VCV VE V VE VC E CV E CV CV CV
V C E VE C C E C CV
EC E C
EV
CV CV
E E C VC E
V
E C E C EC
E
E
E CV E CVE
CV
E CVC VEVC CVC VC VE C E VE E C
E
V
CV CV E V E VE EVE EVE CVCVE CVE VE VE VE C E C
EC
CVC CV EVC CVC
C
E CE C CVC CVE EV EVE EVE EVE CV CV VE VE
CV CV
VE
VE E EV VCV
CV
E
CV CV VE CV E CV CVC CVE E
E
C C C E C E C C CV
E C CVE
E
E
V
E EVC CVE EV V VCV CV E CV E V
E CE C CVE CVC
E
V
V
E
E C C
CV CV E VE CVC E VE VE C CVE CVE VE CV VCV E C E CV E CV
E
EV
E
CV CV C CVE CVE VCV VC C E C E CV V CVE E
EC
E C C E V CV
E CVE E
EV E C
EC
E CVC CVE E
E C C VE CV C VC E
CV CV
E E CV C E E
E EVC EVE C V
C C
CV VE C
E VE E CVE VC VE
C EE
E CVC CV C CV C V E C C E V E V V VC V CVC CV E VE VE
E
C
E
CV CC E V E VE E VE E VE CVE E CE E E CV VCV VE C VE CV CV
E C VE
CV C CV
E E
CV CV V C V C E
VE CV CV
EC
VE CVC CVC CVE CVE E
E
VE
E E C E C CV CV E E EV
CV EVC CVE E VE E VE VE E CVC CVEV VE VE C E C
CV
CV CV
VE
E
CV C
E
C
E
C C CV
E CE C CV C EVC V C VE VE E V CV E VC C V CV E VE VE
E C
V E
C
E
CV CV E V E VE E VE VE CV C CE E E C EVCV VCVC E C E CV
EC EE
CV CV C CVE CVE E V V CV VEVE E C E CV CV
C
E EE
C
E
E C E EVE E VE E
CV V
C
CV CV CVE E VE VE VE CE E CVC VCV VCV VE C E CV
C
E E
E C E C CVE VE V VE V E V CVE E VCV CVC CVE CVE
E
CV C C C C C CE CV C VC CVE CVE V E
E E
CV E V EVC CV CV
VE VE CV C E E E E VE
E C CV C
E
E
V C VC
C
E E
CV E
CV CV E VE VE VE VE CVC CVEV VE C VE C E
CV CV CVE CVE CVE V VC E E C E
E
EC EC E
C
V
C E V CV CVE E C VE C V V
E
C C
V
C
VE VE VE CE E CE E CVC VCV VE C E C E
E E
V
C V C C C E E
CV VE V CV CVE EVE E CV CVE VE
CV
CE
E C VC VCV E V E C
E C E C VE VE V EV E C C
C
CV
E
C
E CV
VE VE VE CV C CVC EVE VE C VE
E
CV VCV E VE EVEV CV V
E C C EC
CV
VE C
E C E C E CV VE V E C E C E
E
VE
VE VE CVC CVE CVE VE
E
CV CVE E VE CV CV
CV
E
EC C E E
VE VE CV
E
CV
E

22

QRadar QVM

!!

CV
E
CV CV
E
E
CV CV CV
E EC
E
CV CV CV
VE
E E
E
CV CV ICVE CVE
CV
E na C
C
E E
C c
CV CV CVE VE tiVE VE C
E
v
E
CV CV eCVE VE
CV CV CV
E
C CV CV
E E EC
E
CV CV CV CVE VE VE E C E C
E
CV CV V
E
VE
E
C
C
CV CV CVE VE VE E C E C E CV CV
E
E
E
CV CV CVE VE VE E
CV CV CVE
Pa E C E C C CV CVE CVE CVE
E
E
CV
tcE VE VE VE E C C CV CVE
CV CV CV
hC C CV CV VE VE E
E
E E
ed
CV CV CV CVE VE VE E C E C CV CV CVE
C
E
C
E EC
VE E
E
CV CV
CV V CVE VE VE VE
CV CV
E
C C
E EC
E
E
CV CVE CVE VE VE E C
CV CV CV CVE VE
E
CV CV CVE VE
C
E
E
Cr E CVE CVE CVE CVE CVE CVE C E CVE CV CVE
CV
iE iC C CV CV CV VE VE l E C E C
B
tc V
E E
VEl E
E
a
C Coc V V
CV CV CVE CVE VE VE keE C E
CV
E
E
E
C C CV d VE
CV CV CVE CVE VE VE E C
E
C
V
EA
C
CV CV CVE CVE VE VE C E
t ri E
CV
Es
CV CV CVE CVE E VE
kE E
!
C C
CV CV CVE VE VE
E
E
CV CV
CV CV
E
E
Ex E CV E CV
CV
pEo E C E
l Ci V
VE E
ted
CV
!E

Yo
ur
V

uln
e

rab
ilit

ies



QVM enables customers to interpret ‘sea’ of vulnerabilities
Inactive: QFlow
Collector data helps
QRadar Vulnerability
Manager sense
application activity
Patched: IBM
Endpoint Manager
helps QVM
understand which
vulnerabilities will be
patched
Critical: Vulnerability
knowledge base,
remediation flow and
QRM policies inform
QVM about business
critical vulnerabilities
23

CVE CVE CVE CVE CVE CVE CVE CVE CVE CVE CVE CVE CVE

Inactive

Blocked

Patched

Critcal

At Risk!

Blocked: QRadar
Risk Manager helps
QVM understand
which vulnerabilities
are blocked by
firewalls and IPSs

Exploited!

At Risk: X-Force Threat and SIEM
security incident data, coupled with
QFlow network traffic visibility, help
QVM see assets communicating with
potential threats

Exploited: SIEM
correlation and IPS
data help QVM
reveal which
vulnerabilities have
been exploited



QRadar Vulnerability Manager offering structure
 Licensed based on number of Assets
scanned
 Base Vulnerability Manager capability
– QVM vulnerability scans up to 255 assets
– Unlimited QVM discovery scans
– Hosted scanner for DMZ scanning
– Ability to apply QVM functionality to all 3rd
party scanner data integrated with QRadar
– Deploy QVM Scanner on any managed
host

AppScan

– Deploy unlimited standalone software or
Virtual Scanners

 Simple capacity increases

24

IBM
Endpoint
Manager



Agenda


25



The Evolving Challenges of Network Security

1

Complexity of
Complexity of
Attacks
Attacks

2

Complexity of
Complexity of
Users
Users

• Advanced Persistent Threats

• Blending work/personal use

• 0-Day Vulnerabilities

• Broad information sharing

• Targeted Phishing

• Poor security vigilance

• Stealth Botnets

• Targeted by social engineering

• Designer Malware

26

3

Complexity of
Complexity of
Technology
Technology

• Point solutions creating
“Security Sprawl”
• Bring Your Own Device
• Evolving networking and
connectivity standards
• Rapid growth of web
applications



Introducing IBM Security Network Protection XGS
The Next Generation of IBM intrusion prevention solutions

ADVANCED
THREAT PROTECTION

SEAMLESS DEPLOYMENT &
INTEGRATION

Proven protection from
sophisticated and
constantly evolving
threats, powered by
X-Force®

27

COMPREHENSIVE
VISIBILITY & CONTROL

Helps discover and block
existing infections and
rogue applications while
enforcing access policies

Adaptive deployment and
superior integration with
the full line of IBM
security solutions



Advanced Threat Protection
The XGS 5100 helps protect against a full spectrum of targeted attacks,
even in SSL-encrypted connections

Infrastructure
System-level
Attacks

Service-level
Attacks

Users
Web Application
Attacks

Spear
Phishing
Client-side
Application
Protection

Malicious
Attachments

Web/Social
Media Risks

X
X
X
X

X
X












Extensible, Ahead-of-the-Threat Protection
backed by the power of IBM X-Force® to help
protect against mutating threats

28



Comprehensive Visibility & Control
Context-aware access control policies block
pre-existing infections, rogue applications, and policy violations

Complete Identity Awareness
associates valuable users and
groups with their network activity,
application usage and
application actions

Access Control Policies block
pre-existing compromises and
rogue applications as well as
enforce corporate usage policies

400+

2,000+

20 Billion+

Protocols and File Formats Analyzed

Applications and Actions Identified

Deep Packet Inspection fully
classifies network traffic,
regardless of address, port ,
protocol, application, application
action or security event

30

URLs classified in 70 Categories


Seamless Deployment and Integration
Quick initial deployment and immediate integration points with other security
technologies such as QRadar
Adaptable
Deployment

Advanced QRadar
Integration

• Seven varieties of network
interface modules

• Helps mitigate known
and unknown attacks

• Flexible performance
licensing

• Detect “low and slow”
and advanced persistent
threats

• Built-in, programmable
network bypass
• Integrated SSL inspection

32

• Analysis and correlation
across both IBM and
non-IBM products

Breadth and Depth of
Portfolio

• Protection of people, data,
applications and
infrastructure
• Advanced cross-product
research & development
• Solutions and services for
practically every security
need


New XGS Product Line

33



IBM Security Network Protection (XGS)

The Next Generation of IBM’s legendary network security solutions

Top 5 Reasons to Upgrade to or Purchase an XGS
Appliance
1.Visibility and Control over Web and non-Web applications and use
2.Ability to secure encrypted traffic without separate hardware (SSL)
3.Wide performance range with a simple license (600Mbps - 5Gbps)
4.Integrated bypass and flexible network connections (1GbE/10GbE)
5.Tight integration with QRadar including ability to send flow data

34



ibm.com/security
© Copyright IBM Corporation 2012. All rights reserved. The information contained in these materials is provided for informational purposes
only, and is provided AS IS without warranty of any kind, express or implied. IBM shall not be responsible for any damages arising out of the use
of, or otherwise related to, these materials. Nothing contained in these materials is intended to, nor shall have the effect of, creating any
warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement
governing the use of IBM software. References in these materials to IBM products, programs, or services do not imply that they will be available in
all countries in which IBM operates. Product release dates and/or capabilities referenced in these materials may change at any time at IBM’s sole
discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any
way. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United
35 States, other countries or both. Other company, product, or service names may be trademarks or service marks of others.

DSS ITSEC 2013 Conference 07.11.2013 - Security in High Risk Environment

Recommended

Recommended

More Related Content

Viewers also liked

Viewers also liked (20)

Similar to DSS ITSEC 2013 Conference 07.11.2013 - Security in High Risk Environment

Similar to DSS ITSEC 2013 Conference 07.11.2013 - Security in High Risk Environment (20)

More from Andris Soroka

More from Andris Soroka (20)

Recently uploaded

Recently uploaded (20)

DSS ITSEC 2013 Conference 07.11.2013 - Security in High Risk Environment

Editor's Notes