
Security Trends and Risk Mitigation for the Public Sector

Date post: 15-Jan-2015
Upload: ibmgovernmentca
Description:
Presentation from the Cyber Security Briefing held in Ottawa on June 12, 2013. -Keynote: Security Trends and Risk Mitigation for the Public Sector - Presented by: Sandy Bird, CTO - Security Division, IBM Canada Ltd. - Application Security for mobile and web applications - Presented by: Patrick Vandenberg, Program Director, IBM Security Segment Marketing - Detect Threat and Mitigate Risk Using Security Intelligence - Presented by: Sandy Bird, CTO - Security Division, IBM Canada Ltd.
Transcript
Page 1: Security Trends and Risk Mitigation for the Public Sector

© 2013 IBM Corporation

Cyber Security Briefing: Security Trends and Risk Mitigation for the Public Sector

Ottawa – June 12, 2013

Page 2: Security Trends and Risk Mitigation for the Public Sector


IBM Security Systems

Agenda

 8:30 am - Registration & Breakfast

 9:00 am – Opening Remarks Rodney Helal, Sales Executive, Software, Canadian Federal Accounts

 9:15 am - Keynote: Security Trends and Risk Mitigation for the Public Sector Sandy Bird, CTO - Security Division, IBM Canada Ltd.

 9:45 am - Application Security for mobile and web applications Patrick Vandenberg, Program Director, IBM Security Segment Marketing

 10:15 am - Detect threat and mitigate risk using Security Intelligence Sandy Bird, CTO - Security Division, IBM Canada Ltd.

 10:45 am - Investigating, Mitigating, and Preventing Cyber Attacks with Security Analytics and Visualization Orion Suydam, Director of Product Management, 21CT

Page 3: Security Trends and Risk Mitigation for the Public Sector


IBM X-Force 2012 Annual Trend & Risk Report

Sandy Bird CTO IBM Security Systems

May 2013

Page 4: Security Trends and Risk Mitigation for the Public Sector


Update on IBM Security

Timeline:
- Oct 2011: Acquired
- Jan 2012: Formed IBM Security Systems division
- Mar: Enhanced identity management
- May: Integration across domains
- Aug: NextGen network security
- Oct: Controlling privileged user access
- Jan 2013: Big data security analytics
- Mar: iOS mobile app security

Market leadership:
- 10: leader in virtually all of the markets we target, according to Gartner, IDC and Forrester
- 4: rank by revenue in security software
- 15%: year-to-year growth of Security Systems

Enrich capabilities:
- IBM X-Force: award-winning X-Force® security research with one of the industry's largest vulnerability databases
- 25: new organic product releases in 2012 focused on integrations
- 18: product development labs worldwide

Page 5: Security Trends and Risk Mitigation for the Public Sector


Shaping our strategy – the megatrends

Advanced Threats: Sophisticated, targeted attacks designed to gain continuous access to critical information are increasing in severity and occurrence (advanced persistent threats, stealth bots, targeted attacks, designer malware, zero-days).

Cloud Computing: Cloud security is a key concern as customers rethink how IT resources are designed, deployed and consumed.

Mobile Computing: Securing employee-owned devices and their connectivity to corporate applications is top of mind as CIOs broaden support for mobility.

Regulation and Compliance: Regulatory and compliance pressures (e.g. GLBA) are mounting as companies store more data and become susceptible to audit failures.

Page 6: Security Trends and Risk Mitigation for the Public Sector


X-Force is the foundation for advanced security and threat research across the IBM Security Framework

Page 7: Security Trends and Risk Mitigation for the Public Sector


Collaborative IBM teams monitor and analyze the latest threats

20,000+ devices under contract

3,700+ managed clients worldwide

13B+ events managed per day

133 monitored countries (MSS)

1,000+ security related patents

20B analyzed web pages & images

45M spam & phishing attacks

73K documented vulnerabilities

Billions of intrusion attempts daily

Millions of unique malware samples

Page 8: Security Trends and Risk Mitigation for the Public Sector


The Global IBM Security Community

15,000 researchers, developers and subject matter experts working on security initiatives worldwide:
- Security Operations Centers
- Security Research Centers
- Security Solution Development Centers
- Institute for Advanced Security Branches

Page 9: Security Trends and Risk Mitigation for the Public Sector


What are we seeing?

Annual Trend Report gives an X-Force view of the changing threat landscape

Page 10: Security Trends and Risk Mitigation for the Public Sector


2011: “The year of the targeted attack”

Source: IBM X-Force® Research 2011 Trend and Risk Report

[Chart: 2011 Sampling of Security Incidents by Attack Type, Time and Impact, plotted by month (Jan–Dec). Size of circle estimates relative impact of breach in terms of cost to business; conjecture of relative breach impact is based on publicly disclosed information regarding leaked records and financial losses.

Attack types in the legend: SQL Injection, URL Tampering, Spear Phishing, 3rd Party Software, DDoS, SecurID, Trojan Software, Unknown.

Sectors hit include: central government, defense, national and state police, online gaming, banking and financial markets, IT security, consulting and government consulting, consumer electronics, telecommunications, entertainment, internet and online services, marketing services, insurance, heavy industry, agriculture and apparel.]

Threats Operational Security Emerging Trends

Page 11: Security Trends and Risk Mitigation for the Public Sector


2012: The explosion of breaches continues!

Source: IBM X-Force® Research 2012 Trend and Risk Report

2012 Sampling of Security Incidents by Attack Type, Time and Impact Conjecture of relative breach impact is based on publicly disclosed information regarding leaked records and financial losses


Page 12: Security Trends and Risk Mitigation for the Public Sector


Attacker motivations remain similar, although methods evolve

Many security incidents disclosed in 2012 were carried out by attackers going after a broad target base while using off-the-shelf tools and techniques

SQL injection and DDoS continue to be tried-and-true methods of attack

Attackers are opportunistic; not all advanced adversaries use exotic malware and zero-day vulnerabilities


Page 13: Security Trends and Risk Mitigation for the Public Sector


Operational sophistication, not always technical sophistication


Page 14: Security Trends and Risk Mitigation for the Public Sector


Tried and true techniques - SQL and Command Injection attacks

Dramatic and sustained rise in SQL injection-based traffic

Alerts came from all industry sectors, with a bias toward banking and finance targets


Page 15: Security Trends and Risk Mitigation for the Public Sector


Tried and true techniques - Distributed Denial of Service (DDoS)

High-profile DDoS attacks marked by a significant increase in traffic volume

Botnets built on compromised web servers in high-bandwidth data centers


Page 16: Security Trends and Risk Mitigation for the Public Sector


Tried and true techniques - Spear-phishing using social networks

Overall spam volume continues to decline, but spam containing malicious attachments is on the rise

Scammers rotate the “carousel” of their targets – focusing on social networks in 2012

Page 17: Security Trends and Risk Mitigation for the Public Sector


Botnet Command & Control Server resiliency

Operational sophistication: When botnet command and control servers are taken down, other readily available networks can be put into action


Page 18: Security Trends and Risk Mitigation for the Public Sector


Why was Java one of 2012’s hottest software targets?

1. Java is cross-platform: one exploit works on every operating system the plugin runs on

2. Java exploits are typically logic flaws in the runtime's security model rather than memory corruption, so they are very reliable and do not need to defeat mitigations such as DEP and ASLR in modern operating systems

3. The Java browser plugin is not confined by an OS-level sandbox: once an exploit has bypassed the JVM's own security manager, nothing stops it from installing persistent malware on the system

http://java-0day.com/

Page 19: Security Trends and Risk Mitigation for the Public Sector


As a result, exploit authors and toolkits favor Java


Web browser exploit kits - aka “exploit packs” - are built for one particular purpose: to install malware on end-user systems

In 2012 we observed an upsurge in web browser exploit kit development and activity, the primary target of which is Java vulnerabilities

Page 20: Security Trends and Risk Mitigation for the Public Sector


And more…


http://www.kahusecurity.com

Page 21: Security Trends and Risk Mitigation for the Public Sector


Blackhole Crimeware

Blackhole Exploit Kit
- First appeared in August 2007
- Advertised as a “Systems for Network Testing”
- Protects itself with blacklists and integrated antivirus
- Comes in Russian or English
- Currently the most purchased exploit pack

Flexible pricing plan
- Purchase: $1,500/annual, $1,000/semi-annual, $700/quarterly
- Lease: $50/24 hours, $200/1 week, $300/2 weeks, $400/3 weeks, $500/month
- $35 domain name change fee if necessary

Page 22: Security Trends and Risk Mitigation for the Public Sector


Software vulnerabilities - disclosures up in 2012

8,168 publicly disclosed vulnerabilities

An increase of over 14% from 2011


Page 23: Security Trends and Risk Mitigation for the Public Sector


Public exploit disclosures – not as many “true exploits”

Continued downward trend in percentage of public exploit disclosures to vulnerabilities

Slightly up in actual numbers compared to 2011


Page 24: Security Trends and Risk Mitigation for the Public Sector


Web application vulnerabilities surge upward

14% increase in web application vulnerabilities

Cross-site scripting represented 53% of them

Page 25: Security Trends and Risk Mitigation for the Public Sector


Content Management Systems plug-ins provide soft target

Attackers know that CMS vendors address and patch their exposures more readily than the smaller organizations and individuals producing the add-ons and plug-ins do, so the plug-ins are the softer target

Page 26: Security Trends and Risk Mitigation for the Public Sector


Impact on Risk

Risk = Threat x Vulnerability

 Risk is growing as threats become more hostile and vulnerabilities continue to grow

 Better understanding helps to focus strategies


Page 27: Security Trends and Risk Mitigation for the Public Sector


Social Media and Intelligence Gathering

50% of all websites connected to social media

Enhanced spear-phishing seemingly originating from trusted friends and co-workers


Page 28: Security Trends and Risk Mitigation for the Public Sector


Mobile devices should be more secure in 2014

- Separation of personas and roles
- Ability to remotely wipe data
- Biocontextual authentication
- Secure mobile app development
- Mobile Enterprise Application Platform (MEAP)

Mobile computing is becoming increasingly secure as these technical controls are adopted by security professionals and built in during software development

Page 29: Security Trends and Risk Mitigation for the Public Sector


What are we seeing? Key Findings from the 2012 Trend Report

Threats and Activity
- 40% increase in breach events for 2012
- Sophistication is not always about technology
- SQL injection, DDoS and phishing activity increased from 2011
- Java is a means to infect as many systems as possible

Operational Security
- Software vulnerability disclosures up in 2012
- Web application vulnerabilities surge upward
- XSS vulnerabilities highest ever seen at 53%
- Content Management Systems plug-ins provide soft target

Emerging Trends
- Social media leveraged for enhanced spear-phishing techniques and intelligence gathering
- Mobile devices should be more secure than traditional user computing devices by 2014

Page 30: Security Trends and Risk Mitigation for the Public Sector


Get Engaged with IBM X-Force Research and Development

Follow us at @ibmsecurity and @ibmxforce

Subscribe to X-Force alerts at iss.net/rss.php or X-Force Security Insights blog at www.ibm.com/blogs/xforce

Download IBM X-Force 2012 Annual Trend & Risk Report ibm.com/security/xforce

Page 31: Security Trends and Risk Mitigation for the Public Sector


ibm.com/security

© Copyright IBM Corporation 2013. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind, express or implied. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, these materials. Nothing contained in these materials is intended to, nor shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software. References in these materials to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates. Product release dates and/or capabilities referenced in these materials may change at any time at IBM s sole discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any way. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service marks of others.

Page 32: Security Trends and Risk Mitigation for the Public Sector

Application Security Overview

Patrick Vandenberg Program Director, IBM Security Segment Marketing

Page 33: Security Trends and Risk Mitigation for the Public Sector


Securing Applications is a Challenge

Your application portfolio (different types and sources): financial, HR, logistics, intranet; in-house, outsourced, legacy, open source
Your policies: data privacy, regulatory compliance, accountability
Your SDLC processes

- Large and diverse application portfolios
- Mobile applications
- In-house and outsourced development
- External and internal regulatory pressure
- Pockets of security expertise
- Yet another task for developers

Need an efficient, scalable, automated way to develop and deliver secure applications…

Page 34: Security Trends and Risk Mitigation for the Public Sector


Page 35: Security Trends and Risk Mitigation for the Public Sector


(Repeats the Page 29 slide: What are we seeing? Key Findings from the 2012 Trend Report.)

Page 36: Security Trends and Risk Mitigation for the Public Sector


(Repeats the Page 14 slide: Tried and true techniques - SQL and Command Injection attacks.)

Page 37: Security Trends and Risk Mitigation for the Public Sector


(Repeats the Page 24 slide: Web application vulnerabilities surge upward.)

Page 38: Security Trends and Risk Mitigation for the Public Sector


Both Paid and Free Apps are Targeted

Source: Arxan State of Security in the App Economy – 2012

Mobile increases risk of applications as attack vector

Page 39: Security Trends and Risk Mitigation for the Public Sector


Application Threats
- SQL injection continues to be one of the most popular points of entry for extracting data from a website
- Web app vulnerabilities also allow attackers to inject malicious scripts and files onto legitimate websites
- The high rate of vulnerable web applications and their plug-ins allows attackers to use automated scripts to scan the web for targets

Response
- Analyze applications before deployment to identify security vulnerabilities
- Scan applications as early as possible in the development cycle to reduce costs
- Remediate critical vulnerabilities and validate by re-scanning
- Integrate scanning results with intrusion prevention to block attacks before apps are updated
- Continuously monitor database activity to detect suspicious behaviour and respond in real time
- Detect database vulnerabilities to prevent threats
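The extraction pattern the slide refers to, and the remediation the bullets ask for, as an added example that is not from the IBM deck (it also illustrates the SQL injection slide from the keynote). It uses Python's standard-library sqlite3 against a constructed in-memory table; the table, rows and the "citizen lookup" scenario are invented for the demonstration. The same tautology payload dumps every row through the string-built query and returns nothing through the parameterized one.

```python
"""SQL injection through string-built queries, and the parameterized fix.

Added example, not code from the IBM deck. Uses the standard-library sqlite3
module and a constructed in-memory table standing in for a web application's
back-end store.
"""
import sqlite3


def make_db():
    """Constructed sample data behind a hypothetical citizen-lookup page."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE citizens (username TEXT, sin TEXT, clearance TEXT)")
    conn.executemany(
        "INSERT INTO citizens VALUES (?, ?, ?)",
        [("alice", "111-222-333", "secret"),
         ("bob", "444-555-666", "none"),
         ("carol", "777-888-999", "top-secret")],
    )
    return conn


def lookup_vulnerable(conn, username):
    """Deliberately vulnerable: the request value becomes part of the SQL text,
    so a quote character lets the caller rewrite the WHERE clause."""
    sql = f"SELECT username, sin, clearance FROM citizens WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, username):
    """Fixed: the value is bound as a parameter and never parsed as SQL, so the
    same payload is compared literally against the username column."""
    sql = "SELECT username, sin, clearance FROM citizens WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


# Tautology payload: closes the string literal and appends an always-true clause,
# turning the query into ... WHERE username = 'x' OR '1'='1'
PAYLOAD = "x' OR '1'='1"


if __name__ == "__main__":
    db = make_db()
    print("vulnerable   :", lookup_vulnerable(db, PAYLOAD))      # every row
    print("parameterized:", lookup_parameterized(db, PAYLOAD))   # no rows
```

The fix is the bound parameter, not input filtering: the parameterized version needs no knowledge of which characters are dangerous, which is why the deck's advice to find these flaws in code (static analysis) and block them in front of the app (intrusion prevention) are complements rather than alternatives.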

Page 40: Security Trends and Risk Mitigation for the Public Sector


Adopt a Secure by Design approach to enable you to design, deliver and manage smarter software and services

  Build security into your application development process

  Efficiently and effectively address security defects before deployment

  Collaborate effectively between Security and Development

  Provide Management visibility

Deliver New Services Faster

Reduce Costs

Innovate Securely

Proactively address vulnerabilities early in the development process

Page 41: Security Trends and Risk Mitigation for the Public Sector


When it comes to risk, all applications are not created equal

Page 42: Security Trends and Risk Mitigation for the Public Sector


Application Security Testing

Scanning techniques
- Static analysis (white box): source code vulnerabilities and code quality risks; data and call flow analysis tracks tainted data
- Dynamic analysis (black box): live web application; web crawling and manual testing
- Hybrid glass box analysis

Applications across the SDLC: coding, build, QA, security, production

Integrations
- Build systems improve scan efficiencies (Rational Build Forge, Rational Team Concert, Hudson, Maven)
- Defect tracking systems track remediation (Rational Team Concert, Rational ClearQuest, HP QC, MS Team Foundation Server)
- IDEs provide remediation assistance (RAD, Rational Team Concert, Eclipse, Visual Studio)
- Security intelligence raises the threat level (SiteProtector, QRadar, Guardium)

Governance and collaboration
- Training: application security and product (instructor-led and self-paced; classroom and web-based)
- Test policies, test templates and access control
- Dashboards, detailed reports and trending
- Manage regulatory requirements such as DIACAP, PCI, GLBA and HIPAA (40+ out-of-the-box compliance reports)

Audience: development teams, security teams, penetration testers

Page 43: Security Trends and Risk Mitigation for the Public Sector


Finding more vulnerabilities using advanced techniques

Static Analysis
- Analyze source code
- Use during development
- Uses taint analysis / pattern matching

Dynamic Analysis
- Analyze live web application
- Use during testing
- Uses HTTP tampering

Hybrid Analysis
- Correlate dynamic and static results
- Assists remediation by identifying the line of code

Client-Side Analysis
- Analyze downloaded JavaScript code which runs in the client
- Unique in the industry

Run-Time Analysis
- Combines dynamic analysis with a run-time agent
- More results, better accuracy
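What "taint analysis" and "data and call flow analysis tracks tainted data" mean in practice, as an added example that is not AppScan's engine or any IBM code: a small intraprocedural taint tracker built on Python's ast module. The source APIs, sink APIs, sanitizer list and the program it analyses are all constructed for the demonstration. A variable becomes tainted when it is assigned from a request parameter; taint propagates through concatenation, f-strings, .format() and method calls on the tainted value; it is dropped when the value passes through a sanitizer such as int(); and only sinks whose SQL or command text argument is tainted are reported, so a parameterized execute() with the tainted value bound is correctly left alone.

```python
"""Static taint tracking over Python source with the ast module.

Added example, not IBM/AppScan code. Sources, sinks, sanitizers and the
analysed program are constructed for the demonstration. The analysis is
flow-sensitive within straight-line code but keeps one taint set for the
whole module (no per-function scoping, no branches merged).
"""
import ast

SOURCES = {"request.args", "request.form", "input"}        # where untrusted data enters
SANITIZERS = {"int", "float", "html.escape"}               # calls whose result is clean
# sink -> index of the argument that must not be tainted (the SQL/command *text*).
# Values bound in later arguments are data, not code, so they are not inspected.
SINKS = {"cursor.execute": 0, "db.execute": 0, "os.system": 0, "subprocess.call": 0}


def dotted(node):
    """Return 'a.b.c' for a Name/Attribute chain, else None."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None


class TaintAnalyzer(ast.NodeVisitor):
    def __init__(self):
        self.tainted = set()      # variable names currently holding untrusted data
        self.findings = []        # (line, sink, source text of the tainted argument)

    def is_tainted(self, node):
        if isinstance(node, ast.Name):
            return node.id in self.tainted
        if isinstance(node, ast.Attribute):
            return dotted(node) in SOURCES
        if isinstance(node, ast.Subscript):              # request.form["name"], tainted[0]
            return dotted(node.value) in SOURCES or self.is_tainted(node.value)
        if isinstance(node, ast.Call):
            fn = dotted(node.func)
            if fn in SANITIZERS:
                return False                              # int(tainted) is clean
            if fn in SOURCES:
                return True                               # input()
            if isinstance(node.func, ast.Attribute) and self.is_tainted(node.func.value):
                return True                               # request.args.get(), tainted.strip()
            return any(map(self.is_tainted, node.args))  # str(x), "{}".format(x) keep taint
        if isinstance(node, ast.JoinedStr):              # f"... {x} ..."
            return any(self.is_tainted(v.value) for v in node.values
                       if isinstance(v, ast.FormattedValue))
        if isinstance(node, ast.BinOp):                  # "..." + x, "%s" % x
            return self.is_tainted(node.left) or self.is_tainted(node.right)
        if isinstance(node, (ast.Tuple, ast.List)):
            return any(map(self.is_tainted, node.elts))
        return False

    def visit_Assign(self, node):
        tainted = self.is_tainted(node.value)
        for target in node.targets:
            if isinstance(target, ast.Name):              # reassignment can also clear taint
                (self.tainted.add if tainted else self.tainted.discard)(target.id)
        self.generic_visit(node)

    def visit_Call(self, node):
        fn = dotted(node.func)
        idx = SINKS.get(fn)
        if idx is not None and idx < len(node.args) and self.is_tainted(node.args[idx]):
            self.findings.append((node.lineno, fn, ast.unparse(node.args[idx])))
        self.generic_visit(node)


def find_tainted_sinks(source):
    analyzer = TaintAnalyzer()
    analyzer.visit(ast.parse(source))
    return analyzer.findings


# Constructed program under analysis (line numbers start at the blank line 1).
SAMPLE = '''
import os
from flask import request

def lookup(cursor):
    user_id = request.args.get("id")                        # source: taints user_id
    query = "SELECT * FROM citizens WHERE id = " + user_id  # taint propagates
    cursor.execute(query)                                   # REPORTED: tainted SQL text (line 8)
    cursor.execute("SELECT * FROM citizens WHERE id = ?", (user_id,))  # safe: bound parameter
    safe_id = int(user_id)                                  # sanitizer: safe_id is clean
    cursor.execute(f"SELECT * FROM audit WHERE id = {safe_id}")  # not reported
    name = request.form["name"]                             # source
    os.system("ping " + name)                               # REPORTED: command injection (line 13)
'''

if __name__ == "__main__":
    for line, sink, arg in find_tainted_sinks(SAMPLE):
        print(f"line {line}: tainted data reaches {sink}({arg})")
```

The sink table records which argument carries code, which is the detail that separates a useful tracker from a noisy one: without it the parameterized execute() on line 9 would be flagged alongside the real flaw on line 8. A production engine adds what this omits (interprocedural call flow, per-function scope, merging taint across branches), which is what the "full trace" and "call and data flow" claims later in the deck refer to.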

Page 44: Security Trends and Risk Mitigation for the Public Sector


Bridging the Security/Development gap

- Dashboard of application risk
- Enable compliance with regulation-specific reporting
- Security experts establish security testing policies
- Development teams test early in the cycle
- Treat vulnerabilities as development defects

“… we wanted to go to a multiuser web-based solution that enabled us to do concurrent scans and provide our customers with a web-based portal for accessing and sharing information on identified issues.”
Alex Jalso, Asst Dir, Office of InfoSecurity, WVU

Provide management visibility; break down organizational silos. Enables collaboration between architect, developer, quality professional and security auditor.

Page 45: Security Trends and Risk Mitigation for the Public Sector


Reducing Costs Through a Secure by Design Approach

Phase where the defect is found    Cost per defect    Cost per application*
Development                        $80                $8,000
Build                              $240               $24,000
QA/Test                            $960               $96,000
Production                         $7,600             $760,000

80% of development costs are spent identifying and correcting defects!***

Average cost of a data breach: $7.2M** from law suits, loss of customer trust, damage to brand

* Based on X-Force analysis of 100 vulnerabilities per application
** Source: Ponemon Institute 2009-10
*** Source: National Institute of Standards and Technology

Page 46: Security Trends and Risk Mitigation for the Public Sector


AppScan Mobile Support: Server and Native

Server-side logic: SAST (source code), DAST (web interfaces)
Mobile web apps: JavaScript / HTML5 hybrid analysis
Native apps:
- Android applications: static analysis
- iOS applications: static analysis (new)
- JavaScript: static analysis (improved)

Page 47: Security Trends and Risk Mitigation for the Public Sector


AppScan Source V8.7 – What’s New

- Support for native iOS apps
- Mac OS platform support
- Security SDK research and risk assessment of over 20k iOS APIs
- Xcode interoperability and build automation support
- Full call and data flow analysis of Objective-C, JavaScript and Java
- Identify where sensitive data is being leaked

“IBM formally launched a major initiative to help tighten the security of mobile apps developed for business use on iPhone handsets.” -- USA Today

“AppScan provides developers with an unmatched view into where vulnerabilities appear in their mobile apps due to its deep cognizance of platform APIs.” -- eWeek

“The real power of AppScan arises from how it performs vulnerability analysis - by using the full trace technique.” -- SecurityWeek

“iPhone users will benefit from the IBM AppScan update.” -- IT PRO

Page 48: Security Trends and Risk Mitigation for the Public Sector


AppScan Components

Page 49: Security Trends and Risk Mitigation for the Public Sector

Using Big Data and Analytics to Think Like an Attacker

Sandy Bird, CTO IBM Security Systems

Page 50: Security Trends and Risk Mitigation for the Public Sector


Now, for something you’ve never seen before


Page 56: Security Trends and Risk Mitigation for the Public Sector


Innovative technology changes everything

- Bring your own IT
- Social business
- Cloud and virtualization
- 1 billion mobile workers
- 1 trillion connected objects

Page 57: Security Trends and Risk Mitigation for the Public Sector


Attacker motivations are rapidly escalating

Motivation             Actors                            Example
National Security      Nation-state actors               Stuxnet
Espionage, Activism    Sponsored groups and hacktivists  Aurora
Monetary Gain          Organized crime                   Zeus
Revenge, Curiosity     Insiders and script-kiddies       Code Red

Page 58: Security Trends and Risk Mitigation for the Public Sector


Organized groups are using multiple techniques

Using social networking and social engineering to perform reconnaissance on spear-phishing targets, leading to compromised hosts and accounts

Infiltrating a trusted partner and then loading malware onto the target’s network

Creating designer malware tailored to only infect the target organization, preventing positive identification by security vendors

Exploiting zero-day vulnerabilities to gain access to data, applications, systems, and endpoints

Communicating over accepted channels such as port 80 to exfiltrate data from the organization

Page 59: Security Trends and Risk Mitigation for the Public Sector


Domains: dogpile.com, kewww.com.cn, ynnsuue.com, wpoellk.com, moveinent.com, moptesoft.com, varygas.com, earexcept.com, fullrow.com, colonytop.com

IP addresses: 117.0.178.252, 83.14.12.218, 94.23.71.55, 103.23.244.254, 62.28.6.52, 202.231.248.207, 175.106.81.66, 217.112.94.236, 119.252.46.32, 180.214.243.243

MD5 hashes: c69d172078b439545dfff28f3d3aacc1, 51e65e6c798b03452ef7ae3d03343d8f, 6bb6b9ce713a00d3773cfcecef515e02, c5907f5e2b715bb66b7d4b87ba6e91e7, bf30759c3b0e482813f0d1c324698ae8, 6391908ec103847c69646dcbc667df42, 23c4dc14d14c5d54e14ea38db2da7115, 208066ea6c0c4e875d777276a111543e, 00b3bd8d75afd437c1939d8617edc22f, 01e22cce71206cf01f9e863dcbf0fd3f

Highlighted together on the slide: ynnsuue.com, 117.0.178.252, 51e65e6c798b03452ef7ae3d03343d8f, 6bb6b9ce713a00d3773cfcecef515e02

Permutations of malicious identifiers are limitless
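One way to act on "permutations are limitless": pivot on the relationships between identifiers rather than exact-matching a single blacklist, as an added example that is not from the IBM deck or QRadar. The domain, IP address and two MD5 hashes are the ones highlighted on the slide; grouping them into one campaign, the benign dogpile.com lookup, the RFC 5737 address it resolves to, the internal host addresses and the DNS, proxy and endpoint log lines are all constructed for the demonstration. The scanner normalizes case and trailing dots, counts subdomains of a malicious name as hits, attributes each hit to the internal asset that produced it, and hunt_list() expands one confirmed indicator into its siblings, which is the pivot the slide draws.

```python
"""Pivoting across malicious identifiers in mixed log sources.

Added example, not IBM/QRadar code. Indicators are the ones highlighted on
the slide; their grouping into a campaign and all log lines are constructed.
"""
import re
from collections import defaultdict

CAMPAIGNS = {
    "campaign-A": {
        "domains": {"ynnsuue.com"},
        "ips": {"117.0.178.252"},
        "hashes": {"51e65e6c798b03452ef7ae3d03343d8f",
                   "6bb6b9ce713a00d3773cfcecef515e02"},
    },
}

# Constructed log lines in three formats, with mixed case, a trailing dot, a
# subdomain of the malicious name, and one benign lookup (RFC 5737 address).
LOGS = [
    "2013-06-12T09:01:02 dns client=10.1.4.22 query=cdn.YNNSUUE.COM. type=A answer=117.0.178.252",
    "2013-06-12T09:01:05 proxy src=10.1.4.22 dst=117.0.178.252:443 url=https://117.0.178.252/update.bin",
    "2013-06-12T09:02:11 edr host=10.1.4.22 file=C:\\Users\\a\\update.bin md5=6BB6B9CE713A00D3773CFCECEF515E02",
    "2013-06-12T09:05:40 dns client=10.1.9.7 query=www.dogpile.com. type=A answer=198.51.100.25",
    "2013-06-12T09:07:13 edr host=10.1.7.31 file=C:\\Temp\\x.exe md5=51e65e6c798b03452ef7ae3d03343d8f",
]

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HEX32 = re.compile(r"\b[0-9a-f]{32}\b", re.IGNORECASE)
DOMAIN = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b\.?", re.IGNORECASE)
ASSET = re.compile(r"\b(?:client|src|host)=((?:\d{1,3}\.){3}\d{1,3})")   # the internal party


def norm_domain(name):
    return name.lower().rstrip(".")


def domain_hit(observed, indicator):
    """Exact match or any subdomain of the indicator (cdn.ynnsuue.com hits ynnsuue.com)."""
    o, i = norm_domain(observed), norm_domain(indicator)
    return o == i or o.endswith("." + i)


def match_line(line, campaigns=CAMPAIGNS):
    """Return {(campaign, kind, indicator)} for every indicator present in one log line."""
    hits = set()
    for camp, ind in campaigns.items():
        hits.update((camp, "ip", ip) for ip in IPV4.findall(line) if ip in ind["ips"])
        hits.update((camp, "hash", h.lower()) for h in HEX32.findall(line)
                    if h.lower() in ind["hashes"])
        hits.update((camp, "domain", i) for d in DOMAIN.findall(line)
                    for i in ind["domains"] if domain_hit(d, i))
    return hits


def scan(logs=LOGS, campaigns=CAMPAIGNS):
    """Group hits by the internal asset that produced them, across all log sources."""
    by_asset = defaultdict(set)
    for line in logs:
        hits = match_line(line, campaigns)
        if hits:
            m = ASSET.search(line)
            by_asset[m.group(1) if m else "unknown"] |= hits
    return dict(by_asset)


def hunt_list(indicator, campaigns=CAMPAIGNS):
    """Expand one confirmed indicator into its siblings: the next things to search for."""
    ind = indicator.lower().rstrip(".")
    siblings = set()
    for camp in campaigns.values():
        members = camp["domains"] | camp["ips"] | camp["hashes"]
        if ind in members:
            siblings |= members
    return siblings - {ind}


if __name__ == "__main__":
    for asset, hits in scan().items():
        print(asset, sorted(hits))
    print("hunt for:", sorted(hunt_list("117.0.178.252")))
```

Here the infected host 10.1.4.22 is tied to the campaign three different ways (DNS answer, proxy destination, file hash), while 10.1.7.31 is caught only by a hash; running hunt_list() on that hash tells the analyst which domain and address to search the proxy and DNS history for next.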


Page 61: Security Trends and Risk Mitigation for the Public Sector


Image retrieved from http://melroseedcd.com/?p=1

Page 62: Security Trends and Risk Mitigation for the Public Sector


A change in mindset is already happening

Page 63: Security Trends and Risk Mitigation for the Public Sector


By monitoring for subtle indicators across all fronts

- Break-in: spoofed email with malicious file attachment sent to users
- Command & Control (CnC)
- Latch-on: anomalous system behavior and network communications
- Expand: device contacting internal hosts in strange patterns
- Gather: abnormal user behavior and data access patterns
- Command & Control (CnC)
- Exfiltrate: movement of data in chunks or streams to unknown hosts

Page 64: Security Trends and Risk Mitigation for the Public Sector


Big Data Analytics

Traditional Security Operations and Technology


Page 66: Security Trends and Risk Mitigation for the Public Sector


Security Intelligence Platform

Real-time processing
- Real-time data correlation
- Anomaly detection
- Event and flow normalization
- Security context and enrichment
- Distributed architecture

Security operations
- Pre-defined rules and reports
- Offense scoring and prioritization
- Activity and event graphing
- Compliance reporting
- Workflow management

Big Data Platform

Big data warehouse
- Long-term, multi-PB storage
- Unstructured and structured
- Distributed infrastructure
- Preservation of raw data
- Hadoop-based backend

Analytics and forensics
- Advanced visuals and interaction
- Predictive and decision modeling
- Ad hoc queries
- Spreadsheet UI for analysts
- Collaborative sharing tools
- Pluggable UI

IBM Security Intelligence with Big Data: complementary analytics and workflow from IBM

Page 67: Security Trends and Risk Mitigation for the Public Sector


QRadar leverages Big Data to identify security threats

Appliances with massive scale

Intelligent data policy management

Payload indexing leveraging a purpose-built data store

Advanced threat visualization and impact analysis

Google-like search of large data sets

Enrichment with X-Force and external intelligence

Page 68: Security Trends and Risk Mitigation for the Public Sector


Example QRadar use cases

- Irrefutable botnet communication: Layer 7 flow data shows botnet command and control instructions
- Improved breach detection: 360-degree visibility helps distinguish true breaches from benign activity, in real time
- Network traffic doesn’t lie: attackers can stop logging and erase their tracks, but can’t cut off the network (flow data)

Page 69: Security Trends and Risk Mitigation for the Public Sector


Extending Security Intelligence with additional Big Data analytics capabilities

1. Analyze a variety of non-traditional and unstructured datasets

2. Significantly increase the volume of data stored for forensics and historic analysis

3. Visualize and query data in new ways

4. Integrate with my current operations

IBM Security QRadar (Security Intelligence Platform)
•  Data collection and enrichment
•  Event correlation
•  Real-time analytics
•  Offense prioritization

Diagram labels: Traditional data sources → IBM Security QRadar → Advanced Threat Detection

Page 70: Security Trends and Risk Mitigation for the Public Sector


By integrating QRadar with IBM’s Enterprise Hadoop-based offering

IBM Security QRadar (Security Intelligence Platform)
•  Data collection and enrichment
•  Event correlation
•  Real-time analytics
•  Offense prioritization

IBM InfoSphere BigInsights (Big Data Platform)
•  Hadoop-based
•  Enterprise-grade
•  Any data / volume
•  Data mining
•  Ad hoc analytics

Diagram labels: Traditional data sources and Non-traditional data feed both platforms; QRadar produces Advanced Threat Detection and Real-time Streaming Insights; BigInsights provides Custom Analytics

Page 71: Security Trends and Risk Mitigation for the Public Sector


Page 72: Security Trends and Risk Mitigation for the Public Sector

Attack chain shown on the slide (ATTACKER → TARGET):

1. User receives risky email from personal social network
2. User is redirected to a malicious website
3. Drive-by exploit is used to install malware on target PC

Page 73: Security Trends and Risk Mitigation for the Public Sector


Using Big Data to mine for trends within email

Use BigInsights to identify phishing targets and redirects

Build visualizations, such as heat maps, to view top targets

Page 74: Security Trends and Risk Mitigation for the Public Sector


Loading phishing data and corresponding redirects to QRadar

Page 75: Security Trends and Risk Mitigation for the Public Sector

Attack chain shown on the slide (ATTACKER):

1. Attacker registers or acquires a domain
2. Compromised hosts “phone home” to attacker C&C servers
3. Attacker changes the location of servers, but domains stay the same
4. Internal attacks lead to more infections
5. Hosts and servers phone home and exfiltrate data

Page 76: Security Trends and Risk Mitigation for the Public Sector


Analyze historical DNS activity within organization

Page 77: Security Trends and Risk Mitigation for the Public Sector


Automate correlation against DNS registries

Page 78: Security Trends and Risk Mitigation for the Public Sector


Advanced analytics identify suspicious domains

Why only a few hits across the entire organization to these domains?

Correlating to public DNS registry information increases suspicions

Page 79: Security Trends and Risk Mitigation for the Public Sector


Importing results to QRadar for real-time analysis

Correlate against network activity and visualize

View real-time data and look for active connections
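The rare-domain check these slides describe (few querying hosts across the organization, then enrichment with registration data), as an added example that is not from the presentation or from QRadar/BigInsights. The DNS log, the registry dates, the `rare_domains` function and its thresholds are all constructed assumptions for illustration.

```python
from collections import defaultdict
from datetime import date

# Constructed DNS query log: (timestamp, internal host, queried domain).
# Sample records for this example only, not real organizational data.
DNS_LOG = [
    ("2013-06-10T08:01:00", "10.1.1.10", "intranet.example.org"),
    ("2013-06-10T08:01:05", "10.1.1.11", "intranet.example.org"),
    ("2013-06-10T08:02:00", "10.1.1.12", "intranet.example.org"),
    ("2013-06-10T08:03:00", "10.1.1.13", "intranet.example.org"),
    ("2013-06-10T09:15:00", "10.1.1.10", "update-check.example.net"),
    ("2013-06-10T09:16:00", "10.1.1.11", "update-check.example.net"),
    ("2013-06-10T09:17:00", "10.1.1.12", "update-check.example.net"),
    ("2013-06-10T22:41:00", "10.1.1.45", "cdn-sync-7731.example.com"),
    ("2013-06-11T22:41:30", "10.1.1.45", "cdn-sync-7731.example.com"),
    ("2013-06-11T03:12:00", "10.1.1.80", "old-partner-ftp.example.com"),
]

# Constructed registry enrichment (domain -> registration date). The slides
# describe correlating with public DNS registry data; a real deployment
# would fill this from WHOIS/registry feeds rather than a literal dict.
REGISTRY = {
    "intranet.example.org": date(2005, 3, 1),
    "update-check.example.net": date(2009, 7, 14),
    "cdn-sync-7731.example.com": date(2013, 6, 2),
    "old-partner-ftp.example.com": date(2004, 11, 20),
}


def rare_domains(log, registry, today, max_hosts=2, young_days=30):
    """Domains queried by only a few distinct internal hosts, enriched with
    registration age and ordered most suspicious first (hypothetical helper)."""
    hosts_by_domain = defaultdict(set)
    for _ts, host, domain in log:
        hosts_by_domain[domain].add(host)
    findings = []
    for domain, hosts in hosts_by_domain.items():
        if len(hosts) > max_hosts:
            continue  # widely used across the org: not "only a few hits"
        reg = registry.get(domain)
        age = (today - reg).days if reg else None
        # An unknown registration or a very young domain raises suspicion.
        young = age is None or age <= young_days
        findings.append({"domain": domain, "hosts": sorted(hosts),
                         "age_days": age, "recently_registered": young})
    findings.sort(key=lambda f: (not f["recently_registered"], len(f["hosts"])))
    return findings
```

The output is the kind of list the slides describe importing into QRadar for real-time correlation against active network connections; a rare but long-registered domain still appears, ranked below the recently registered one, so an analyst can triage it rather than have it silently dropped.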

Page 80: Security Trends and Risk Mitigation for the Public Sector


Additional IBM analytics capabilities for security

1. IBM QRadar Security Intelligence: unified architecture for collecting, storing, analyzing and querying log, threat, vulnerability and risk related data

2. IBM Big Data Platform (Streams, BigInsights, Netezza): addresses the speed and flexibility required for customized data exploration, discovery and unstructured analysis

3. IBM i2 Analyst Notebook: helps analysts investigate fraud by discovering patterns and trends across volumes of data

4. IBM SPSS: unified product family to help capture, predict, discover trends, and automatically deliver high-volume, optimized decisions

Page 81: Security Trends and Risk Mitigation for the Public Sector


1. Traditional defenses are insufficient

2. Security has become a Big Data problem

3. Security Intelligence is a Big Data solution

4. New analysis can lead to new insights

Page 82: Security Trends and Risk Mitigation for the Public Sector


IBM Contacts

•  Rodney Helal, Software Sales Manager, Canadian Federal Government Accounts – Phone: 613-222-6691 / e-mail: [email protected]

•  Eliane Guindon, IBM Security Systems Account Manager – Phone: 613-249-2284 / Mobile 613-292-0125 / e-mail: [email protected]

•  Anita Bowness, Software Client Lead, Canadian Federal Government – Phone: 613-249-2099 / e-mail: [email protected]

Page 83: Security Trends and Risk Mitigation for the Public Sector


ibm.com/security
