
IBM Software

Thought Leadership White Paper

January 2014

Defending against malware: A holistic approach to one of today’s biggest IT risks

Understand how attacks work—then deploy comprehensive, integrated solutions to fight each step malware takes


Introduction

Malware is a fact of life. A 2013 study of large US and global companies revealed an average of two successful attacks per company per week, 18 percent more than the previous year.1 Malware is costly. The same study found large companies suffered an average loss of USD11.6 million per year in these attacks.1 And malware comes from anywhere. According to the IBM® X-Force® research and development team, the country where the most malicious links are hosted—42 percent—is right in many companies’ backyards: the United States.2

But fighting malware doesn’t have to be a losing battle. Even as their tactics evolve, malware attacks often employ familiar technologies and follow known paths through the IT environment. The quantity and sophistication of malware may have grown, but so have the available methods for defending against attacks. The key is to remember that the varieties of malware on the loose today mean no single method of defense will suffice. An integrated portfolio of solutions, each providing strong defense capabilities but all of them working together to enhance protection, is necessary.

This white paper will examine the changing strategies that malware has employed in recent years, explain the typical sequence of events that occurs during an attack, and describe how an integrated defense can help keep the enterprise safe from these advanced persistent threats. It will present IBM solutions that are purpose-built for combating malware and that also work together to protect the environment. These offerings provide a comprehensive solution that is not possible using simply a special-function, point-product approach.

Sophisticated, targeted malware is an especially dangerous threat

Threats today aren’t your parents’ malware. They aren’t, for that matter, even the malware you encountered yourself just a few years ago. The fact is that, while malware protection has long been a basic IT security function, many organizations still struggle to stay safe. The double whammy of rapid malware proliferation and slow manual security processes means that the typical network still averages between 10 and 30 vulnerabilities per IP address.2

But the danger lies not only in numbers. Malware is more sophisticated than ever, too. The longtime practice of launching “drive-by” attacks, in which purveyors of malware applications exploit vulnerabilities in web browsers to install malware without a user’s knowledge, or tactics such as spear phishing, which count on users to hand over confidential information or download malicious code almost by chance, has given way to methods that selectively target individual users or types of users. It is not unusual today for an attacker to write unique “designer” code that has never been seen before to disrupt operations or steal information from only one company—and then to create additional unique code for the next target.


An attack category known as “watering hole” attacks, for example, has breached a number of high-tech companies and government agencies by injecting browser exploits onto websites frequently visited by targeted employees. Capitalizing on the trust that already exists between users and websites they know, these sophisticated exploits can reach a large number of select targets by compromising a single, centralized location.2

Endpoints are vulnerable, but detection works best on the network

Very often, malware is designed to attack employee endpoints not only to access information or cause disruption on the endpoints themselves, but also to infiltrate the enterprise. The malware that succeeds in infecting endpoints uses them as a gateway to the network, where it navigates its way to valuable business information. Keeping endpoints safe from infection therefore remains an important function of enterprise security.

In recent years, however, protecting the network has become an area of still greater focus. Traditional firewall approaches to protection become less effective as mobile endpoints make the enterprise perimeter fluid and ever-changing. And traditional anti-virus solutions for protecting endpoints cannot keep up with today’s volumes and variants of malicious code. What’s more, once an endpoint is infected, the compromise can no longer be detected via the endpoint itself, as most advanced malware employs rootkit-type techniques to hide itself from the majority of host-based protection products.

The network, then, becomes the key battleground for stopping malware—and the most effective place to take advantage of capabilities that can prevent malware from doing its dirty work.

The network provides an environment where security teams can centrally manage multiple advanced solutions for protection that is more comprehensive than point solutions. The network is the place where the evidence of malware infection shows itself most clearly—where suspicious data flows appear and where malware communicates with its offsite command center, for example. To discover and eliminate malware already in place, as well as malware trying to install itself in the infrastructure, enterprise-wide visibility is essential to effective protection—and possible only on the network.

What organizations need, as a result, are solutions that provide the most complete security, visibility and control over the network possible—and that reduce the cost and complexity of protection by replacing point solutions with an integrated, extensible network security platform. They need threat protection technologies that can monitor thousands of security events and reduce them to a manageable list of suspected offenses. They need the ability to automatically and accurately determine if an application action is legitimate or malicious, protect commonly exploited applications that process untrusted external content, and restrict untrusted files from executing sensitive operations.

An integrated portfolio that provides these and other protection capabilities is the best way to protect against today’s sophisticated malware attacks.

Anatomy of an attack: Understanding the enemy is the key to defense

The first step to protecting against malware is to understand what happens during an attack. From the initial overtures by the attacker in assessing a target to stealing information and sending it to the attacker’s home base, an attack can typically be described as four steps: break in, latch on, expand, and gather and exfiltrate.


Step one: Break in

Attacks can arrive in a dizzying number of ways. There can be spear-phishing emails that try to trick the target into giving up information voluntarily, Trojan horses that download code that later blooms into malware, drive-by downloads that install malware without a user’s knowledge, or cross-site scripting that can trick users into installing malware.

One common way to protect against break-ins is to patch endpoints to help eliminate the vulnerabilities that make these attacks possible. But while necessary, patching can be overwhelming in a large enterprise, due to the numbers and varieties of both endpoints and vulnerabilities. When zero-day attacks install malware by exploiting vulnerabilities as soon as they are known, patching seldom occurs quickly enough. Making matters worse, fewer than 30 percent of known vulnerabilities have vendor-supplied patches available.2

A better approach is to protect against break-ins through the network. A network-based intrusion prevention system can discover and block attempts to exploit endpoint vulnerabilities for malware infection, even if the endpoint is not patched. Additionally, network-based solutions can block endpoints from visiting websites or other locations that are known to harbor malware.

Step two: Latch on

If malware is not caught as it enters through the network—or if it is an advanced persistent threat that has been lurking undetected before starting its attack—finding and stopping the attack can be difficult using anti-virus or other traditional endpoint protection methods.

Table: Malware activity and prevention across the attack lifecycle

Attack phase | External communication | Malicious activity | IBM protection solution
Break in | Websites and email | Reconnaissance, spear phishing, remote exploits to gain access | IBM Security Network Protection
Latch on | Command-and-control center | Malware and backdoors installed to establish a foothold | Trusteer Apex; IBM Endpoint Manager
Expand | Home base | Lateral movement to increase access and maintain a presence | IBM Security Network Protection
Gather and exfiltrate | Home base | Acquisition and aggregation of confidential data; exfiltration to external networks | Trusteer Apex; IBM Security Network Protection


To guard against these cases, an advanced protection solution can take a two-pronged approach. It can help prevent malware from attaching itself by assessing the state of endpoints—determining which vulnerabilities have been patched, which have not and which patches are most critical. It can then apply a patch to eliminate the vulnerability. If malware escapes detection and attempts to run malicious code, other security applications can block the application’s operation. Protection can be targeted to guard specific assets—a server where intellectual property resides, for example—or it can be applied across the infrastructure.

Advanced malware protection solutions offer further security by blocking the malware’s ability to communicate with the outside world. To steal information, malware must be able to transmit to a remote command-and-control center—but by blocking the malware’s ability to “phone home,” the right protection solutions can render the malware ineffective.

Step three: Expand

Malware in the network doesn’t stay put—but neither does it wander aimlessly. Malware is programmed to look for specific targets, and in many instances the initial point of entry, the endpoint, is not that target. Rather, targets are typically higher-value assets such as servers containing patents, personally identifiable information such as Social Security numbers, credit card numbers or business information the attacker can steal for financial gain.

The path the malware takes to get there, however—and even the target of the attack—can be revealed by the data flow that is created in the malware’s wake. By analyzing the traffic across the network, including between endpoints and systems, advanced malware protection solutions can provide necessary insights for defending the infrastructure.

Integrated protection capabilities can show which systems the malware is using and how these are functioning as part of the attack. They can also provide an understanding of the malware’s operation that can support blocking the attack. Malware, for example, commonly uses certain types of application protocols to communicate. When security administrators identify these protocols in use on the network, they can implement policies that monitor flows and block malware from operating.

Step four: Gather and exfiltrate

Once malware finds its target, it begins gathering information. But the real damage is done when it sends that information to its home base. So just as when malware is searching the network, blocking traffic again becomes critical.

Based on the identification of protocols in use on the network, malware protection solutions can prevent sending information outside the organization. Based on knowledge of the intended destination, these solutions can block outbound traffic to sites identified with attackers, whether by previous activities, server identity, geographical location or other reasons.

If the security team discovers through its analysis of data flow, for example, that intellectual property is being sent to a country where the organization does not conduct business, it can invoke capabilities to block that traffic.
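The flow analysis described for steps three and four, as an added illustration that is not IBM code and does not show how any IBM product implements it: over constructed, IPFIX-like flow records it flags one internal source fanning out to many internal hosts on remote-administration ports (the "expand" pattern) and outbound transfers that go to a country outside an assumed business allow-list or exceed an assumed volume threshold (the "gather and exfiltrate" pattern). Network ranges, ports, thresholds and the country allow-list are all assumptions a security team would replace with its own policy.

```python
"""Flow-record checks for the 'expand' and 'gather and exfiltrate' phases.

Added illustration only: not IBM code, and not how XGS or QRadar do their
analysis. Flow records are constructed here as simplified, IPFIX-like tuples;
thresholds and the allowed-country list are policy assumptions.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

INTERNAL_NETS = [ip_network("10.0.0.0/8")]   # assumed enterprise address space
ALLOWED_COUNTRIES = {"US", "DE"}               # assumed: where the business operates
ADMIN_PORTS = {22, 135, 445, 3389, 5985}       # remote-admin services abused for lateral movement
LATERAL_FANOUT = 5                             # assumed: distinct internal targets before alerting
EXFIL_BYTES = 50 * 1024 * 1024                 # assumed: outbound bytes per destination before alerting
MB = 1024 * 1024

# Constructed sample flows: (src_ip, dst_ip, dst_port, bytes_out, dst_country_or_None)
FLOWS = [
    # one endpoint reaching six internal hosts over SMB/RDP: the 'expand' pattern
    *[("10.0.5.23", f"10.0.1.{n}", 445, 4_000, None) for n in range(10, 16)],
    ("10.0.5.23", "10.0.1.12", 3389, 9_000, None),
    # the same endpoint pushing ~90 MB to one external host; 'ZZ' is a constructed country tag
    ("10.0.5.23", "203.0.113.45", 443, 30 * MB, "ZZ"),
    ("10.0.5.23", "203.0.113.45", 443, 30 * MB, "ZZ"),
    ("10.0.5.23", "203.0.113.45", 443, 30 * MB, "ZZ"),
    # ordinary activity that must not alert
    ("10.0.7.8", "10.0.1.10", 445, 2_000, None),
    ("10.0.7.8", "198.51.100.20", 443, 150_000, "US"),
]


def is_internal(ip):
    return any(ip_address(ip) in net for net in INTERNAL_NETS)


def detect_lateral_movement(flows, fanout=LATERAL_FANOUT):
    """Internal sources that touch at least `fanout` distinct internal hosts on admin ports."""
    targets = defaultdict(set)
    for src, dst, port, _, _ in flows:
        if is_internal(src) and is_internal(dst) and port in ADMIN_PORTS:
            targets[src].add(dst)
    return {src: sorted(t) for src, t in targets.items() if len(t) >= fanout}


def detect_exfiltration(flows, allowed=ALLOWED_COUNTRIES, threshold=EXFIL_BYTES):
    """Outbound transfers to a country outside the allow-list or above the volume threshold."""
    volume, country = defaultdict(int), {}
    for src, dst, _, nbytes, cc in flows:
        if is_internal(src) and not is_internal(dst):
            volume[(src, dst)] += nbytes       # aggregate per source/destination pair
            country[(src, dst)] = cc
    alerts = []
    for (src, dst), total in volume.items():
        reasons = []
        if country[(src, dst)] not in allowed:
            reasons.append("non-business country")
        if total >= threshold:
            reasons.append("volume")
        if reasons:
            alerts.append({"src": src, "dst": dst, "country": country[(src, dst)],
                           "bytes": total, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for src, hosts in detect_lateral_movement(FLOWS).items():
        print(f"lateral movement: {src} -> {len(hosts)} internal hosts on admin ports")
    for a in detect_exfiltration(FLOWS):
        print(f"block outbound: {a['src']} -> {a['dst']} ({a['country']}, "
              f"{a['bytes'] // MB} MB): {', '.join(a['reasons'])}")
```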

Only integrated solutions working together provide the necessary protection

Given the movement of malware across endpoints and through the network, together with the variety of actions malware takes along the way, it is clear that single-function point solutions cannot provide the complete protection infrastructures that organizations today need. Protection requires a combination of capabilities and solutions that work together to complement one another and defend against the full attack lifecycle, from break-in to exfiltration.

IBM solutions are designed to deliver both the focused strength to block specific malware activities and the comprehensive integration to deliver the visibility and big-picture understanding necessary to block sophisticated malware attacks.


IBM Security Network Protection

As a single, easy-to-use appliance based on an extensible network security platform, IBM Security Network Protection XGS delivers threat protection, visibility and control that extend the capabilities of traditional intrusion prevention systems to better protect against threats, provide critical insight into network activities and enable granular application control.

At the core of the IBM Security Network Protection XGS solution is IBM Protocol Analysis Module, designed and updated by the renowned X-Force research and development team, which provides continuous content-and-security updates to support granular control over common attack delivery methods and protect against attacks at the network level.

The IBM Security Network Protection XGS appliance provides visibility into network activity to help identify non-business-critical activities that create risk. Delivering zero-day threat protection, the appliance supports more than 2,000 applications and individual actions and leverages a database of more than 20 billion URLs.

The appliance can be easily deployed into a wide variety of environments, integrating with other security technologies such as IBM QRadar® Security Intelligence Platform. Working with QRadar solutions, IBM Security Network Protection XGS appliances can send Internet Protocol Flow Information Export (IPFIX) data to provide a constant data feed for sophisticated analysis and correlation.

IBM Security QRadar SIEM

As a component of QRadar Security Intelligence Platform, IBM Security QRadar SIEM extends the monitoring of logs and network flow data to create security intelligence based on the collection, normalization and correlation of years’ worth of contextual insights.

A highly scalable database captures real-time log event and network flow data, revealing the footprints of would-be attackers. The solution supports anomaly detection capabilities to identify changes in behavior affecting applications, hosts, servers and specific areas of the network.

Trusteer Apex

The Apex software solution provided by Trusteer, an IBM company,3 applies a new approach—Stateful Application Control—to help stop zero-day application exploits and data exfiltration by analyzing application operations (what it is doing) and the application state (why it is doing it). Using this information, Trusteer Apex can automatically and accurately determine whether an application action is legitimate or malicious.

IBM Endpoint Manager

With security capabilities that include automated patching for distributed endpoints, the IBM Endpoint Manager portfolio provides unified, real-time visibility and enforcement to protect against threats.

IBM delivers insight and expertise to support malware protection

Supporting comprehensive IBM security capabilities is X-Force, a team of security experts dedicated to protecting organizations using an extensive knowledge base and data-collection methods that include one of the world’s most comprehensive databases of known security vulnerabilities. This database has more than 70,000 entries, including detailed analyses of every notable public vulnerability disclosure since 1994.

By tracking billions of security incidents daily, monitoring millions of spam and phishing attacks, and analyzing billions of web pages and images, X-Force enables organizations to stay ahead of the threat by not only identifying the potential for attacks, but also providing the insight security teams can use to protect their most valuable data and resources. Using advanced techniques that are designed to protect a vulnerability itself (rather than specific attempts to exploit a vulnerability), X-Force solutions provide preemptive protection for thousands of different security issues.


Through integration with the IBM portfolio of security solutions, X-Force delivers proprietary threat insights, including data on malware hosts, spam sources and anonymous proxies. Combining worldwide intelligence from the X-Force team with the security information and event management, log management, anomaly detection, and configuration and vulnerability management capabilities of IBM security solutions provides context on security incidents that helps improve prioritization of incidents—which enables organizations to prevent or minimize damaging attacks.

Conclusion

The danger of malware extends beyond its sheer numbers and the rapid distribution of malicious code. It lies in the evolution of malware to more sophisticated forms than ever before.

Attackers have moved far beyond relying on users to download malware applications. Today, attacks are targeted—with code sometimes custom-written to infiltrate specific organizations.

Attacks, however, often follow predictable patterns—four steps: break in, latch on, expand, and gather and exfiltrate. And modern defenses are able to recognize those patterns to more effectively combat malware threats. To achieve the full protection available, organizations need a comprehensive solution that goes beyond a special-function, point-product approach. Integrated IBM solutions including IBM Security Network Protection, IBM Security QRadar SIEM, Trusteer Apex and IBM Endpoint Manager can deliver the granular network visibility and powerful tools necessary to help block sophisticated malware attacks.

Figure: Preemptive threat protection from IBM X-Force. A timeline (pre-2009 through 2013) plotting attack classes against the point at which X-Force preemptive detection covered them: Java byte code exploitation, client-based threats, web application attacks, HTML browser plugin overflow, Java sandbox code execution, Java malicious applet, compound file embedded SWF, script suspicious score (JavaScript_NOOP_sled), cross-site scripting and SQL injection. Legend: attacks versus preemptive detection.


For more information

To learn more about IBM malware protection solutions, please contact your IBM representative or IBM Business Partner, or visit: ibm.com/security

About IBM Security solutions

IBM Security offers one of the most advanced and integrated portfolios of enterprise security products and services. The portfolio, supported by world-renowned X-Force research and development, provides security intelligence to help organizations holistically protect their people, infrastructures, data and applications, offering solutions for identity and access management, database security, application development, risk management, endpoint management, network security and more. These solutions enable organizations to effectively manage risk and implement integrated security for mobile, cloud, social media and other enterprise business architectures. IBM operates one of the world’s broadest security research, development and delivery organizations, monitors 15 billion security events per day in more than 130 countries, and holds more than 3,000 security patents.

© Copyright IBM Corporation 2014

IBM Corporation Software Group Route 100 Somers, NY 10589

Produced in the United States of America January 2014

IBM, the IBM logo, ibm.com, QRadar, and X-Force are trademarks of International Business Machines Corp., registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the web at “Copyright and trademark information” at ibm.com/legal/copytrade.shtml

This document is current as of the initial date of publication and may be changed by IBM at any time. Not all offerings are available in every country in which IBM operates.

THE INFORMATION IN THIS DOCUMENT IS PROVIDED “AS IS” WITHOUT ANY WARRANTY, EXPRESS OR IMPLIED, INCLUDING WITHOUT ANY WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND ANY WARRANTY OR CONDITION OF NON-INFRINGEMENT. IBM products are warranted according to the terms and conditions of the agreements under which they are provided.

Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed or misappropriated or can result in damage to or misuse of your systems, including to attack others. No IT system or product should be considered completely secure and no single product or security measure can be completely effective in preventing improper access. IBM systems and products are designed to be part of a comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective. IBM does not warrant that systems and products are immune from the malicious or illegal conduct of any party.

1 Ponemon Institute, “2013 Cost of Cyber Crime Study: United States,” October 2013. http://media.scmagazine.com/documents/54/2013_us_ccc_report_final_6-1_13455.pdf

2 IBM X-Force, “IBM X-Force 2013 Mid-Year Trend and Risk Report,” September 2013. https://www14.software.ibm.com/webapp/iwm/web/signup.do?source=swg-WW_Security_Organic&S_PKG=ov16986&S_TACT=102PW63W

3 Trusteer was acquired by IBM in August of 2013.

WGW03050-USEN-00