Orchestrating Your Security Defenses with Threat Intelligence
August 15, 2017
Sam Dillingham, Senior Offering Manager, IBM X-Force
Pamela Cobb, Portfolio Manager, IBM X-Force
2 IBM Security
Today’s agenda
Intro to Threat Intelligence
Threat Intelligence use cases
Taking action with integrations
Get started today!
It takes too long to make information actionable
Analysts can't separate the signal from the noise
Data is gathered from untrusted sources

65% of enterprise firms use external threat intelligence to enhance their security decision making (1). Security teams often lack critical support to make the most of these resources.

(1) Source: ESG Global
More companies are sharing and consuming threat intelligence
1. Timely and early warning of relevant threats to stay a step ahead
2. Increased visibility of emerging threats as more organizations benefit from other organizations' detections
3. Validation and prioritization of threats based on the context of suspicious activity
4. Faster and more orchestrated response through enrichment of incidents with IoCs
5. More awareness of targets and tactics to help plan, build and evolve your security strategy
Source: How to Collect, Refine, Utilize and Create Threat Intelligence, Gartner, Oct 2016
IBM and Business Partner Use Only
IBM X-Force Exchange is a threat intelligence sharing platform designed to help security teams research, collaborate and integrate.
xforce.ibmcloud.com
Collections streamline security investigations with research from curated content
• Validate findings
• Aid in forensic investigations
• Provide tactical / strategic intelligence

Groups allow public or private collaboration to validate threats and develop response plans
• Address investigations
• Enable research workflow
• Interact with the X-Force research community

Integrations strengthen security solutions and provide additional threat intelligence
• X-Force Exchange SDK / API / STIX / TAXII
• Threat Feed Manager
• Free / commercial usage
Use cases for threat intelligence
• Real-time blocking
• Security operations
• Threat research & hunting
Use Case 1: Real-time blocking
Usage
• Blocking access to known malicious actors
• Can include IPs, domains, URLs, etc.
• Implemented by firewalls, IPSes, proxies, and other security devices
Critical Factors
• Speed in making blocking decisions
• Scoring flexibility to set a threshold of what to block
• Frequent incremental updates to minimize performance impact
Delivery Route
• Software development kits (SDKs)
• Block lists
In IBM X-Force Exchange, classification and scoring for URLs and IP addresses combines results of multiple analyses.
Use Case 2: Security Operations
Usage
• Maps threat intelligence to data observed in your environment
• Includes intelligence that can be mapped to network and host-based indicators
• Integration with operational tools, such as SIEM and incident response
Critical Factors
• Support for open standards for easy integration into existing solutions
• Pivotability among indicators to aid in rapid investigation
• Completeness of data
Delivery Route
• STIX/TAXII feeds
• CybOX
The use of open standards maximizes interoperability with existing systems
JSON RESTful API
• API queries based on a query/response model for threat intelligence
• Leverages basic authentication
• Load balanced to support traffic loads
• Node SDK module available
STIX / TAXII Standards Support
• TAXII services provided to access threat intelligence
• Supports STIX/CybOX objects
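The two slides above describe the delivery shape (a basic-auth JSON query/response API) and the policy it feeds (Use Case 1: a tunable score threshold for blocking). The block below is an added example, not IBM code from the deck, that puts the two together. Its assumptions: the request path /ipr/{ip} and the response fields "score" (1-10) and "cats" (category with a confidence percentage) are modelled on the IP reputation record listed in the API content table later in the deck, and the API key and password are sent as HTTP Basic credentials. The three responses are constructed records using RFC 5737 test addresses, so the code runs offline; swap in live_fetch to hit the real service.

```python
# Added example (not IBM code): the query/response shape of a basic-auth JSON
# REST threat-intelligence API, and the threshold decision Use Case 1 calls for.
#
# Assumptions (labelled because the slides do not spell them out): the path
# /ipr/{ip} and the fields "score" (1-10) and "cats" (category -> confidence %)
# follow the IP reputation record described in the API table later in the deck,
# and the API key / password pair is sent as HTTP Basic credentials. The
# responses below are constructed, not captured from the live service.
import base64
import json
import urllib.request
from typing import Any, Callable, Dict

BASE_URL = "https://api.xforce.ibmcloud.com"

# Constructed sample records keyed by request path (RFC 5737 test addresses).
SAMPLE_RESPONSES: Dict[str, Dict[str, Any]] = {
    "/ipr/203.0.113.10": {"ip": "203.0.113.10", "score": 8.1,
                          "cats": {"Botnet Command and Control Server": 71}},
    "/ipr/192.0.2.55": {"ip": "192.0.2.55", "score": 5.0,
                        "cats": {"Scanning IPs": 43}},
    "/ipr/198.51.100.7": {"ip": "198.51.100.7", "score": 1.0, "cats": {}},
}


def basic_auth_header(api_key: str, api_password: str) -> str:
    """HTTP Basic: 'Basic ' + base64(key:password). Never write the result to logs."""
    token = base64.b64encode(f"{api_key}:{api_password}".encode()).decode()
    return "Basic " + token


def build_request(path: str, api_key: str, api_password: str) -> urllib.request.Request:
    """Build the GET; kept separate from sending so it can be inspected offline."""
    req = urllib.request.Request(BASE_URL + path, method="GET")
    req.add_header("Authorization", basic_auth_header(api_key, api_password))
    req.add_header("Accept", "application/json")
    return req


def live_fetch(req: urllib.request.Request) -> Dict[str, Any]:
    """Real transport: send the request and decode the JSON body."""
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.loads(resp.read().decode("utf-8"))


def offline_fetch(req: urllib.request.Request) -> Dict[str, Any]:
    """Offline transport: answer from the constructed records above."""
    return SAMPLE_RESPONSES[req.full_url[len(BASE_URL):]]


def ip_reputation(ip: str, api_key: str, api_password: str,
                  fetch: Callable[[urllib.request.Request], Dict[str, Any]] = offline_fetch
                  ) -> Dict[str, Any]:
    """One query/response round trip for an IP reputation record."""
    return fetch(build_request(f"/ipr/{ip}", api_key, api_password))


def blocking_decision(record: Dict[str, Any], block_at: float = 7.0,
                      alert_at: float = 4.0, min_confidence: int = 50) -> str:
    """Use Case 1 policy: 'block' at or above block_at when at least one category
    backs the score with enough confidence; 'alert' for the middle band (and for
    a high score with no confident category); otherwise 'allow'. The thresholds
    are parameters, which is the scoring flexibility the slide asks for."""
    score = float(record.get("score", 0))
    cats = record.get("cats") or {}
    confident = any(c >= min_confidence for c in cats.values())
    if score >= block_at and confident:
        return "block"
    if score >= alert_at:
        return "alert"
    return "allow"


if __name__ == "__main__":
    for ip in ("203.0.113.10", "192.0.2.55", "198.51.100.7"):
        rec = ip_reputation(ip, "YOUR_API_KEY", "YOUR_API_PASSWORD")
        print(ip, rec["score"], blocking_decision(rec))
```

Requiring a confident category before blocking is the practitioner's guard against a bare score: a high number with no categorisation behind it is worth an alert and an analyst's look, not an automatic firewall rule.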
Use threat intelligence through the open STIX/TAXII format
Use reference sets for correlation, searching and reporting
• Load threat indicators in Collections into QRadar reference sets
• Create a custom rule response to post IOCs to a Collection
• Bring watchlists of IP addresses from X-Force Exchange and create a rule to raise the magnitude of any offense that includes an IP on the watchlist
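The QRadar slide above is Use Case 2 end to end: indicators arrive in an open format, land in reference sets, get matched against observed events, and a watchlist rule raises the magnitude of offenses that involve a listed IP. The following is an added example, not IBM or QRadar code, that runs that workflow over sample data. It assumes STIX 2.x JSON (the deck itself refers to STIX/CybOX over TAXII, i.e. STIX 1.x XML; the 2.x pattern grammar is used here only because it is compact), and the bundle, watchlist, flow records and magnitude numbers are all constructed.

```python
# Added example (not IBM or QRadar code): Use Case 2 in miniature. Indicators
# arrive in an open format, are loaded into lookup sets (the job QRadar
# reference sets do on the slide), are matched against events observed in the
# environment, and a second rule raises the magnitude of any offense that
# involves a watchlisted IP.
#
# Assumptions: the deck describes STIX/CybOX over TAXII (STIX 1.x XML); for
# brevity this uses the STIX 2.x JSON bundle shape and pattern grammar. The
# bundle, the watchlist and the flow records are constructed sample data using
# RFC 5737 test addresses; the magnitude numbers are illustrative.
import json
import re
from typing import Any, Dict, List, Set, Tuple

STIX_BUNDLE = json.dumps({
    "type": "bundle",
    "id": "bundle--00000000-0000-4000-8000-000000000001",
    "objects": [
        {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-000000000002",
         "name": "C2 server", "pattern_type": "stix",
         "pattern": "[ipv4-addr:value = '203.0.113.10']"},
        {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-000000000003",
         "name": "Payload hosting", "pattern_type": "stix",
         "pattern": "[domain-name:value = 'cdn-update.example' OR "
                    "domain-name:value = 'pkg.example.net']"},
        # Non-indicator objects ride along in a bundle and must be skipped.
        {"type": "malware", "id": "malware--00000000-0000-4000-8000-000000000004",
         "name": "constructed family", "is_family": True},
    ],
})

# Watchlist brought in separately from the indicator Collection.
WATCHLIST_IPS: Set[str] = {"203.0.113.10", "198.51.100.99"}

# Constructed flow / proxy records as a SIEM would see them.
FLOW_RECORDS: List[Dict[str, Any]] = [
    {"src": "10.1.2.3", "dst": "203.0.113.10", "dport": 443, "domain": ""},
    {"src": "10.1.2.9", "dst": "192.0.2.20", "dport": 80, "domain": "CDN-Update.example"},
    {"src": "10.1.2.9", "dst": "192.0.2.21", "dport": 80, "domain": "www.example.org"},
    {"src": "10.1.5.5", "dst": "198.51.100.99", "dport": 22, "domain": ""},
]

# Extract simple equality comparisons from a STIX pattern; OR-joined
# comparisons yield one match each.
PATTERN_RE = re.compile(r"(ipv4-addr|domain-name|url):value\s*=\s*'([^']+)'")


def indicators_from_bundle(bundle_json: str) -> Dict[str, Set[str]]:
    """Load indicator patterns into per-type reference sets (case-folded)."""
    ref_sets: Dict[str, Set[str]] = {"ipv4-addr": set(), "domain-name": set(), "url": set()}
    for obj in json.loads(bundle_json)["objects"]:
        if obj.get("type") != "indicator":
            continue
        for kind, value in PATTERN_RE.findall(obj.get("pattern", "")):
            ref_sets[kind].add(value.lower())
    return ref_sets


def correlate(records: List[Dict[str, Any]], ref_sets: Dict[str, Set[str]],
              watchlist: Set[str], base_magnitude: int = 5,
              watchlist_bump: int = 3) -> List[Dict[str, Any]]:
    """Rule 1: a reference-set hit opens an offense. Rule 2: an offense that
    includes a watchlisted IP has its magnitude raised (capped at 10). A
    watchlist-only record opens nothing, because the slide's rule modifies
    existing offenses rather than creating them."""
    offenses: List[Dict[str, Any]] = []
    for idx, rec in enumerate(records):
        hits: List[Tuple[str, str]] = [("ipv4-addr", ip) for ip in (rec["src"], rec["dst"])
                                       if ip in ref_sets["ipv4-addr"]]
        domain = rec.get("domain", "").lower()
        if domain in ref_sets["domain-name"]:
            hits.append(("domain-name", domain))
        if not hits:
            continue
        watched = [ip for ip in (rec["src"], rec["dst"]) if ip in watchlist]
        magnitude = base_magnitude + (watchlist_bump if watched else 0)
        offenses.append({"record": idx, "hits": hits, "watchlist": watched,
                         "magnitude": min(magnitude, 10)})
    return offenses


if __name__ == "__main__":
    for offense in correlate(FLOW_RECORDS, indicators_from_bundle(STIX_BUNDLE), WATCHLIST_IPS):
        print(offense)
```

Two details matter in practice: domains are case-folded on both sides before the lookup (the second record would otherwise be missed), and the last record shows that a watchlist hit alone does not open an offense, which is exactly how the slide's "raise the magnitude" rule behaves.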
Use Case 3: Threat Research and Hunting
Usage
• Research of potential threats that may or may not yet be affecting your organization
• Can be done via a web-based UI or API
Critical Factors
• Scriptable access to data in an easy-to-use manner
• Aggregation of multiple intelligence sources (from different vendors) into a single stream
• Flexible search
Delivery Route
• REST-based API
• Research platforms with web interfaces
X-Force global threat intelligence delivers a wide range of benefits
Higher Order Intelligence: Actors, Campaigns, Incidents, TTPs
Observables and Indicators: Vulnerabilities, Malware, Anti-Spam, Web App Control, IP Reputation, URL / Web Filtering
Correlation of indicators and higher-order intelligence is critical
Indicator Feeds
• 173.242.117.120 is a malware C&C server
• djs14.com is a malware C&C server
• CVE-2013-3029 is an Excel vulnerability
• [email protected] sends SPAM
• Organization Y is a threat actor
vs.
Correlated Threat Intelligence
173.242.117.120 is a malware C&C server …
• which is associated with the PoSeidon malware family, targeted against retailers, used by attackers in country X, Y and Z to steal credit card information from PoS systems
• Communicates with C&C servers 173.242.117.120 and 203.19.201.20, C&C domains djs14.com and jdjnci.net, and the Twitter feed @malwarecommander
• Infects via drive-by download exploiting CVE-2015-2093, a malicious Excel file exploiting CVE-2013-3029, or an email attachment from [email protected]
• Host indicators: registry keys A, B, C; processes D, E, F; event log entries G, H; memory fingerprint J, K
Correlation provides pivotability to accelerate threat investigation
Pivot chain (figure): network traffic to C&C IP observed → malware associated with the C&C server → other C&C IPs for the malware → host IoCs for the malware → actor / campaign details → infection method details
Questions answered along the way: What does this communication mean? What is the attacker after? How did they get in? Where else are they? How do I verify infections?
Actions taken: correlate IPs to flow data in SIEM; send indicators to EDR tool; quarantine infected endpoints; correlate CVEs to SIEM vuln scans; initiate patching; understand motivations, report to exec mgt; investigate exfiltration
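The two preceding slides make one argument: a flat feed entry answers "is 173.242.117.120 bad?" and nothing else, while correlated intelligence lets one sighting expand into the malware family, its other C&C infrastructure, its infection vectors and its host artefacts, each of which maps to a concrete next action. The block below is an added example, not IBM code, that codes that pivot over the deck's own illustrative entries (PoSeidon, the two C&C IPs and domains, the two CVEs, and the slide's placeholder host indicators kept exactly as written). Nothing is fetched from X-Force Exchange; the graph is built inline. The action suggested for domains is an assumption, since the pivot slide lists none.

```python
# Added example (not IBM code): the pivot the correlation slides describe,
# coded over the deck's own illustrative entries. A flat indicator feed answers
# "is this value bad?" and nothing more; correlated intelligence links the
# value to a malware family and from there to every sibling indicator,
# infection vector and host artefact, so a single sighting expands into a
# hunting set. Nothing here is fetched from X-Force Exchange: the graph is
# built from the PoSeidon example on the slide (two C&C IPs, two domains, two
# CVEs, and the placeholder host indicators "A, B, C" and so on, kept as the
# slide shows them). The action for domains is an assumption, marked below.
from collections import deque
from typing import Dict, List, Optional, Set, Tuple

Node = Tuple[str, str]  # (kind, value)

# The flat feed view from the left side of the slide.
FLAT_FEED: Dict[str, str] = {
    "173.242.117.120": "malware C&C server",
    "djs14.com": "malware C&C server",
    "CVE-2013-3029": "Excel vulnerability",
}

GRAPH: Dict[Node, Set[Node]] = {}


def link(a: Node, b: Node) -> None:
    """Undirected edge; the graph is small enough for adjacency sets."""
    GRAPH.setdefault(a, set()).add(b)
    GRAPH.setdefault(b, set()).add(a)


FAMILY: Node = ("malware_family", "PoSeidon")
for ip in ("173.242.117.120", "203.19.201.20"):
    link(("ipv4", ip), FAMILY)
for dom in ("djs14.com", "jdjnci.net"):
    link(("domain", dom), FAMILY)
link(("social", "@malwarecommander"), FAMILY)
for cve in ("CVE-2015-2093", "CVE-2013-3029"):
    link(("cve", cve), FAMILY)
for ioc in ("Registry keys A, B, C", "Processes D, E, F",
            "Event log entries G, H", "Memory fingerprint J, K"):
    link(("host_ioc", ioc), FAMILY)
link(("campaign", "credit card theft from PoS systems of retailers"), FAMILY)


def feed_lookup(value: str) -> Optional[str]:
    """What a flat indicator feed can say: a label for the value, or nothing."""
    return FLAT_FEED.get(value)


def pivot(start: Node, max_hops: int = 2) -> Dict[str, List[str]]:
    """Breadth-first expansion from the observed node, grouped by kind.
    Two hops reaches indicator -> family -> siblings; stopping there keeps a
    CVE shared by two families from dragging in the second family's IoCs."""
    seen = {start}
    queue = deque([(start, 0)])
    related: Dict[str, List[str]] = {}
    while queue:
        node, depth = queue.popleft()
        if depth == max_hops:
            continue
        for nxt in GRAPH.get(node, ()):
            if nxt in seen:
                continue
            seen.add(nxt)
            related.setdefault(nxt[0], []).append(nxt[1])
            queue.append((nxt, depth + 1))
    return {kind: sorted(values) for kind, values in related.items()}


# Next steps per kind, taken from the pivotability slide (the domain entry is
# an assumption; the slide names no domain action).
ACTIONS: Dict[str, str] = {
    "ipv4": "Correlate IPs to flow data in SIEM",
    "domain": "Search DNS and proxy logs for the domains (assumed; not on the slide)",
    "cve": "Correlate CVEs to SIEM vuln scans; initiate patching",
    "host_ioc": "Send indicators to EDR tool; quarantine infected endpoints",
    "campaign": "Understand motivations, report to exec mgt; investigate exfiltration",
}


def hunting_actions(related: Dict[str, List[str]]) -> List[Tuple[str, str]]:
    """Turn the pivot result into an ordered list of (kind, action)."""
    return [(kind, ACTIONS[kind]) for kind in ACTIONS if kind in related]


if __name__ == "__main__":
    seen_ip = ("ipv4", "173.242.117.120")
    print("flat feed:", feed_lookup(seen_ip[1]))
    expanded = pivot(seen_ip)
    for kind, values in expanded.items():
        print(kind, values)
    for kind, action in hunting_actions(expanded):
        print(f"{kind}: {action}")
```

Note the contrast the test makes explicit: the flat feed has no entry for 203.19.201.20 at all, yet the pivot from the first C&C IP surfaces it as a sibling indicator, which is the "where else are they?" question on the slide.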
X-Force Exchange Collections streamline security investigations
Higher Order Intelligence: the free text area of the Collection is used to organize identifiers, campaigns, TTPs, TLP status, and other pertinent details.
Observables & Indicators: related reports on URL / IP reputation, malware, vulnerabilities, and related attachments.
The scale of IBM Security brings unique breadth and depth to X-Force threat intelligence (as of May 2017)
• 20,000+ devices under contract
• 20B events managed per day
• 133 monitored countries
• 3,700+ security-related patents
• 270M endpoints monitored for malware
• 38B analyzed web pages and images
• 8M spam and phishing attacks daily
• 850K malicious IP addresses
• 113K documented vulnerabilities
• Millions of unique malware samples
X-Force Threat Intelligence can be integrated into security solutions via multiple methods
Architecture (figure): data & intelligence sources feed an analytics engine. The platform layer holds the threat intelligence content: pDNS, Whois information, Collections, Higher Order Intelligence, Vulnerabilities, Malware Sandbox, Malware Families, IP Reputation, URL Reputation and Web Applications. The delivery layer exposes it through an API portal, an open API, a commercial API, an SDK and an OEM SDK. Threat consumers on the right are IBM Security products (XGS, XFMA), platform users and SDK integrations.
There is a comprehensive range of threat intelligence available via API
Indicators/Content: Details
Vulnerabilities: Risk score (CVSS), exploit characteristics, exploit consequences, remedy information, affected products, protection information (e.g. references for IPS, vulnerability assessment content), and external references
Malware: Disposition, hash value, first observed, malware family, vendors covering (%), download sources, command and control servers, email sources, and email subjects
Malware Families: First/last observance, and associated hash values (MD5)
IP Reputation: Risk score (1-10), geolocation, applications associated, malware associated, categorization – current and historical with confidence value (1-100%), passive DNS information, subnet reputation
URL Reputation: Risk score (1-10), applications associated, categorization – current and historical, DNS information
Web Applications: Risk score, categorization, base URL, vulnerabilities, hosting URLs, and hosting IPs
pDNS: Passive DNS information
Whois information: Registrant information – name, organization, country, and e-mail
IBM Network Protection: Monthly XPU content, as well as each signature, the date of its release, and the vulnerability for which it provides coverage
Collections: Curated content on specific security investigations, including both structured and unstructured content
Higher Order Intelligence: STIX objects such as campaign, threat actor, tools, tactics, procedures, course of action, and indicator information (with observables expressed in CybOX), as part of the Collections
IBM Security App Exchange: driving the evolution of collaborative defense
• Access user and business partner innovations
• Extend IBM Security solution functionality to new use cases
• Download validated security apps from a single platform
• A platform for security collaboration
https://apps.xforce.ibmcloud.com
React faster, coordinate better, respond smarter to incidents
A single hub provides easy workflow customization and process automation
• Helps cyber security teams orchestrate the IR process and manage and respond to incidents faster, better and more intelligently
• Drives down response times by streamlining the process of escalating and managing incidents
• Ensures consistency and adherence to regulatory requirements and legal obligations
• Automates time-consuming tasks
• Leverages staff more effectively
IBM X-Force Malware Analysis: submit suspicious files directly into IBM X-Force Exchange
• Automate suspicious file investigation
• Act on in-depth intelligence reports
• Access anywhere, anytime with a scalable cloud architecture
A diversified financial services company greatly improved their threat research capabilities and collaboration workflows
“I didn’t realize I was on X-Force Exchange that much. The collaboration capabilities and threat intelligence are highly valuable to me and a great help to my challenges and activities throughout each day.”
- Network Security Analyst II
Business challenge
• Need for curated threat research to complement their SIEM
• Lack of internal collaboration in the threat investigation process
IBM X-Force Exchange with IBM QRadar
Helped better defend the organization’s network from attacks, scans and phishing attempts on a daily basis, using IP / URL reputation data, geo-location status of IPs, vulnerability data, MD5 detail and shared Collections from X-Force Exchange in conjunction with IBM QRadar.
Research, collaborate and integrate
Helpful Resources
X-Force Exchange
• Try it: xforce.ibmcloud.com
• API: https://api.xforce.ibmcloud.com/doc/
General X-Force information:
• X-Force blogs on SecurityIntelligence.com
• IBM X-Force Threat Intelligence Report for 2017
• IBM Interactive Security Incidents website to stay up to date on the latest verified breaches
Contact Us!
Sam Dillingham, [email protected], Sr Offering Manager
Pamela Cobb, [email protected], Portfolio Manager
ibm.com/security
securityintelligence.com
xforce.ibmcloud.com
@ibmsecurity
youtube/user/ibmsecuritysolutions
© Copyright IBM Corporation 2016. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind, express or implied. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, these materials. Nothing contained in these materials is intended to, nor shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software. References in these materials to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates. Product release dates and / or capabilities referenced in these materials may change at any time at IBM’s sole discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any way. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service marks of others.

Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed, misappropriated or misused or can result in damage to or misuse of your systems, including for use in attacks on others. No IT system or product should be considered completely secure and no single product, service or security measure can be completely effective in preventing improper use or access. IBM systems, products and services are designed to be part of a lawful, comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective. IBM DOES NOT WARRANT THAT ANY SYSTEMS, PRODUCTS OR SERVICES ARE IMMUNE FROM, OR WILL MAKE YOUR ENTERPRISE IMMUNE FROM, THE MALICIOUS OR ILLEGAL CONDUCT OF ANY PARTY.
FOLLOW US ON:
THANK YOU