Top 5 Things to Look for in an IPS Solution
Eric P. York
November 10, 2016
Sr. Product Offering Manager, Infrastructure Security, IBM Security
2 IBM Security
Traditional intrusion prevention systems (IPS) are missing key components to protect against today’s threats

Yesterday’s Attacks: indiscriminate malware, spam and DDoS activity
Tactical Approach: compliance-driven, reactionary
• Build multiple perimeters
• Protect all systems
• Use signature-based methods
• Periodically scan for known threats
• Shut down systems

Today’s Attacks: advanced, persistent, organized, politically or financially motivated
Strategic Approach: intelligent, orchestrated, automated
• Assume constant compromise
• Prioritize high-risk assets
• Use behavioral-based methods
• Continuously monitor activity
• Gather, preserve, retrace evidence

It takes power and precision to stop adversaries and unknown threats
Top 5 Things to Look for in an IPS Solution
Next-generation intrusion prevention systems have many advantages over traditional IPS
1. Threat Detection Method
2. Application & User Controls
3. Encrypted Traffic Inspection
4. Flexible Performance Options
5. Integration with Existing Security Investments
1. Threat Detection Method
Pattern Matching vs. Behavior Analysis (“If it looks like a duck, swims like a duck, and quacks like a duck…”)

Pattern Matching:
• Reactive
• Known threats
• Numerous signatures

Behavior Analysis:
• Proactive
• Better against unknown threats
• Fewer signatures required
2. Application & User Controls
• Gain greater network visibility and control over applications and users
• Control access to applications or limit actions taken within applications by user or user group
Diagram: IPS, firewall, Internet.
3. Encrypted Traffic Inspection
“… 70% of global Internet traffic will be encrypted in 2016, with many networks exceeding 80%.”
Sandvine, Encrypted Internet Traffic Report, 2016
4. Flexible Deployment Options
Balance acquisition costs with anticipated future needs:
• Network traffic to be inspected (bandwidth)
• Network topology changes
5. Integration with Existing Security Investments
Better protection along the entire attack lifecycle (IPS, security analytics, incident response platform):
Prevent: Disrupt malware & exploits at the point of attack.
Detect: Send network data to security analytics to enrich threat intelligence and identify threats across the environment.
Respond: Orchestrate and automate incident response, enabling rapid network policy updates to prevent or mitigate the impact of an attack.
Figure: Attack progression (three builds of the same chart). Stages, left to right: Pre-exploit; Exploit (delivery of weaponized content, exploitation of app vulnerability); Malware delivery; Malware persistency; Execution and malicious access to content; Establish communication channels; Data exfiltration. Axes: complexity of the exploit-chain (x), no. of types (y). Items plotted per stage, with the control noted for each: unpatched and zero-day vulnerabilities (patching); weaponized content (IPS, sandbox); malicious files (antivirus, whitelisting); malicious behavior activities (HIPs); Java execution; destinations (C&C traffic detection). The y-axis labels the number of variants at each stage as “Many” or “Endless”. Groupings: ways to infect (deliver, persist); ways to communicate out. Later builds mark three stages as “Strategic Chokepoint” and add file inspection, vulnerability assessment & reporting, and credential protection.
Evolution based on client needs
• 1997+ Intrusion Detection
• 2002+ Intrusion Prevention: protects against attacks on vulnerabilities, not exploits
• 2005+ Behavioral Defense: protects against attacks based on behavior, not specific vulnerabilities
• 2008+ Web App Protection: heuristically protects against common app-based attacks
• 2012+ URL/App Control: protects users from visiting risky sites on the web
• 2013+ SSL/TLS Inspection: protects against attacks hidden inside encrypted traffic
• 2014+ Advanced Malware Defense: blocks malware infections on the network
• Future: Threat Management.NEXT: new protection and integration capabilities to stay ahead of the threat
IBM Security Network Protection (XGS): next-generation intrusion prevention protects against the latest attacks
• Protection: Disrupt known and unknown exploits and malware attacks
• Visibility: Gain insight into network traffic patterns to detect anomalies
• Control: Limit the use of risky applications to reduce your attack surface
Exploit-matching engines can be useless against even simple mutations
• A simple change to a variable name allows the attack to succeed while rendering the protection of a signature-matching engine useless.
• A simple change to the HTML code in a compromised web page makes the attack invisible to signature protection.
• Simply adding a comment to a web page results in an attack successfully bypassing a signature IPS.

Original variable names vs. mutated variable names:
Shellcode vs. somecode
Block vs. brick
heapLib vs. badLib

Original class reference:
<html><head></head><body><applet archive="jmBXTMuv.jar" code="msf.x.Exploit.class" width="1" height="1"><param name="data" value=""/><param name="jar">
Mutated class reference:
<html><head></head><body><applet archive="eXRZLr.jar" code="msf.x.badguy.class" width="1" height="1"><param name="data" value=""/><param name="jar">

Original code: var t = unescape;
Mutated code: var t = unescape <!-- Comment -->;

Source: Tolly Group
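To make the slide’s point concrete, here is an added Python example (not from the deck or from IBM’s product) that runs both detection styles over constructed samples reproducing the three mutations above: a literal-string signature misses every mutated variant, while a check that first strips comments and whitespace and then looks for the behavior (a %u-encoded payload handed to unescape, or a 1x1 applet loading a jar) still flags them. The sample strings, signature list and regular expressions are all constructed for illustration.

```python
import re

# Constructed samples mirroring the three mutations the slide describes:
# renamed variables, a renamed applet class and an injected HTML comment.
# The %u payload is a placeholder, not a working exploit.
ORIGINAL_JS = 'var Shellcode = unescape("%u4141%u4242%u4343"); var Block = heapLib.alloc(Shellcode);'
MUTATED_JS = 'var somecode = unescape <!-- Comment --> ("%u4141%u4242%u4343"); var brick = badLib.alloc(somecode);'
ORIGINAL_APPLET = '<applet archive="jmBXTMuv.jar" code="msf.x.Exploit.class" width="1" height="1">'
MUTATED_APPLET = '<applet archive="eXRZLr.jar" code="msf.x.badguy.class" width="1" height="1">'
BENIGN_JS = 'var t = unescape("%20hello"); var big = document.getElementById("main");'

# Pattern-matching approach: exact byte strings lifted from the original sample.
LITERAL_SIGNATURES = ('var Shellcode = unescape(', 'code="msf.x.Exploit.class"')

def signature_match(text):
    """True if any literal signature occurs verbatim in the input."""
    return any(sig in text for sig in LITERAL_SIGNATURES)

# Behavior-oriented approach: normalize first, then look for what the content
# does rather than what its identifiers are called.
COMMENT_RE = re.compile(r'<!--.*?-->|/\*.*?\*/', re.S)
WHITESPACE_RE = re.compile(r'\s+')
# unescape() fed a run of %uXXXX words materialises a binary payload in the
# browser heap, whichever variable receives it (hypothetical heuristic).
UNESCAPE_PAYLOAD_RE = re.compile(r'unescape\s*\(\s*["\'](?:%u[0-9a-fA-F]{4}){2,}')
# A 1x1 applet pulling in a jar is invisible to the user; the class name is irrelevant.
HIDDEN_APPLET_RE = re.compile(r'<applet\b[^>]*\barchive=[^>]*\bwidth="1"[^>]*\bheight="1"', re.I)

def normalize(text):
    """Drop HTML/JS block comments and collapse whitespace so cosmetic edits do not matter."""
    return WHITESPACE_RE.sub(' ', COMMENT_RE.sub('', text))

def behavior_match(text):
    """True if the normalized input shows heap-spray staging or a hidden applet."""
    t = normalize(text)
    return bool(UNESCAPE_PAYLOAD_RE.search(t) or HIDDEN_APPLET_RE.search(t))

def compare(samples):
    """Return {name: (signature_hit, behavior_hit)} for each named sample."""
    return {name: (signature_match(s), behavior_match(s)) for name, s in samples.items()}

if __name__ == '__main__':
    samples = {'original_js': ORIGINAL_JS, 'mutated_js': MUTATED_JS,
               'original_applet': ORIGINAL_APPLET, 'mutated_applet': MUTATED_APPLET,
               'benign_js': BENIGN_JS}
    for name, (sig, beh) in compare(samples).items():
        print(f'{name:16s} signature={sig!s:5s} behavior={beh}')
```

The comment stripper is deliberately minimal (block comments only), so a production normalizer would also need to handle string literals and line comments without mangling URLs.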
Other IPS solutions stop at pattern matching
• Exploit Signatures: attack-specific pattern matching
• Web Injection Logic: patented protection against web attacks, e.g., SQL injection and cross-site scripting
• Vulnerability Decodes: focused algorithms for mutating threats
• Application Layer Heuristics: proprietary algorithms to block malicious use
• Protocol Anomaly Detection: protection against misuse, unknown vulnerabilities, and tunneling across 230+ protocols
• Shellcode Heuristics: behavioral protection to block exploit payloads
• Content Analysis: file and document inspection and anomaly detection
IBM XGS protects against a full spectrum of attack techniques…
Categories: Web App; System and Service; Traffic-based; User; Risky Applications
Techniques shown: Protocol Tunneling; RFC Non-Compliance; Unpatched / Unpatchable Vulnerabilities; Code Injection; Buffer Overflows; Cross-site Scripting; SQL Injection; Cross-site Request Forgery; Cross-path Injection; Spear Phishing; Drive-by Downloads; Malicious Attachments; Malware Links; Obfuscation Techniques; Protocol Anomalies; Traffic on Non-Standard Ports; DoS / DDoS; Information Leakage; Social Media; File Sharing; Remote Access; Audio / Video Transmission
Network Traffic and Flows … delivering visibility and control over your network traffic
• Identity and Application Awareness: associates users and groups with their network activity, application usage and actions
• Deep Packet Inspection: classifies network traffic, regardless of port or protocol
• SSL Visibility: identifies encrypted threats, without a separate appliance
• 500+ protocols and file formats analyzed
• 2,000+ applications and actions identified
• 25+ billion URLs classified in 70 categories
Diagram: inbound and outbound traffic from Application A/B and Employee A/B/C, classified as prohibited application, attack traffic, botnet traffic, good application or clean traffic.
IBM X-Force® Research and Development: expert analysis and data sharing on the global threat landscape
Areas: Vulnerability Protection; IP Reputation; Anti-Spam; Malware Analysis; Web Application Control; URL / Web Filtering; Zero-day Research
The IBM X-Force Mission:
• Monitor and evaluate the rapidly changing threat landscape
• Research new attack techniques and develop protection for tomorrow’s security challenges
• Educate our customers and the general public
• Integrate and distribute threat protection and intelligence to make IBM solutions smarter
The benefits of behavioral detection, Part 1: Stopping mutated threats
Inline IPS system efficacy (2012): IBM IPS GX7800 versus Snort IPS
• Delivers superior protection from evolving threats with high levels of performance
• Stops 99% of tested, publicly available attacks
• Is nearly twice as effective as Snort at stopping “mutated” attacks
Source: IBM Security Network Intrusion Prevention System GX7800 Evaluation, Tolly Group, 2012
The benefits of behavioral detection, Part 2: Stopping encrypted threats and evasion techniques
Inline IPS system efficacy (2016): IBM next-gen IPS XGS7100
• Stopped 100% of tested, publicly disclosed attacks, both encrypted & unencrypted
• Stopped 100% of McAfee Evader test suite attacks
• Delivered 17 Gbps of multi-protocol throughput with SSL/TLS inspection enabled; 26 Gbps without SSL/TLS inspection enabled
Source: IBM Security Network Protection XGS7100 Evaluation, Tolly Group, 2016
Modular network interfaces help future-proof your investment: eight different network interface modules (NIM) meet current and future connectivity needs
• 4-port fixed fiber (LX) with built-in bypass
• 4-port fixed fiber (SX) with built-in bypass
• 8-port RJ-45 copper with built-in bypass
• 2-port 10GbE (SR) with built-in bypass
• 2-port 10GbE (LR) with built-in bypass
• 4-port SFP (requires transceivers)
• 2-port 10GbE SFP+ (requires transceivers)
• 2-port 40GbE QSFP+ (requires transceivers), XGS 7100 only
XGS 7100 supports 4 NIMs; XGS 5100 supports 2 NIMs (+ 4 built-in RJ-45 ports); XGS 4100 supports 1 NIM (+ 4 built-in RJ-45 ports)
Flexible Performance Licensing (FPL): enables performance upgrades without changing hardware
Inspected throughput by model and FPL level:
XGS 3100: Level 1 (base) 400 Mb/s; Level 2 800 Mb/s
XGS 4100: Level 1 (base) 750 Mb/s; Level 2 1.5 Gb/s
XGS 5100: Level 1 (base) 2.5 Gb/s; Level 2 4.0 Gb/s; Level 3 5.5 Gb/s; Level 4 7.0 Gb/s
XGS 7100: Level 1 (base) 5.0 Gb/s; Level 2 10.0 Gb/s; Level 3 15.0 Gb/s; Level 4 20.0 Gb/s; Level 5 25.0 Gb/s
XGS Virtual: Level 1 (base) 600 Mb/s; Level 2 1.0 Gb/s
IBM XGS protects both your network and investment
Forrester determined XGS has the following three-year risk-adjusted financial impact:
• Return on investment: 340%
• Net present value: $1,075,592
• Payback period: 1.9 months
Source: The Total Economic Impact of IBM Security Network Security (XGS), Forrester Research, 2016
IBM QRadar and XGS integration improves intelligence and security: send data flows to QRadar and send quarantine commands to XGS directly from QRadar
Layer 7 flow data to QRadar:
• Detect abnormal activity through network flow data generated by XGS
• Identify application misuse via user and application information
• Save money by reducing the need for a separate flow generation appliance
Offense-blocking from QRadar:
• Make QRadar intelligence actionable by leveraging XGS to block in-progress attacks
• Reduce response time by initiating blocking within the QRadar console to stop threats quickly
IBM positioned in the “Leaders” Quadrant in the 2015 Gartner Magic Quadrant for Intrusion Prevention Systems
Magic Quadrant for Intrusion Prevention Systems
“The capabilities of leading IPS products have adapted to changing threats, and next-generation IPSs (NGIPSs) have evolved incrementally in response to advanced targeted threats that can evade first-generation IPSs.”
Craig Lawson, Adam Hils, and Claudio Neiva, Gartner, November 16, 2015
This Magic Quadrant graphic was published by Gartner, Inc. as part of a larger research note and should be evaluated in the context of the entire report. The link to the Gartner report is available upon request from IBM.
Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner's research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.
Top 5 Things to Look for in an IPS Solution (IBM XGS)
1. Threat Detection Method: behavior analysis
2. Application & User Controls: granular controls
3. Encrypted Traffic Inspection: fast on-board inspection
4. Flexible Performance Options: FPL and NIMs
5. Integration with Security Investments: IBM QRadar & more
Q & A
FOLLOW US ON: ibm.com/security; securityintelligence.com; xforce.ibmcloud.com; @ibmsecurity; youtube/user/ibmsecuritysolutions
© Copyright IBM Corporation 2016. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind, express or implied. Any statement of direction represents IBM's current intent, is subject to change or withdrawal, and represent only goals and objectives. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service marks of others.
Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed, misappropriated or misused or can result in damage to or misuse of your systems, including for use in attacks on others. No IT system or product should be considered completely secure and no single product, service or security measure can be completely effective in preventing improper use or access. IBM systems, products and services are designed to be part of a lawful, comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective. IBM does not warrant that any systems, products or services are immune from, or will make your enterprise immune from, the malicious or illegal conduct of any party.
THANK YOU