Page 1: Top 5 Things to Look for in an IPS Solution

Eric P. York, Sr. Product Offering Manager, Infrastructure Security, IBM Security

November 10, 2016

Uploaded by ibm-security, 16-Apr-2017 (29 slides)

Page 2

Traditional intrusion prevention systems (IPS) are missing key components to protect against today’s threats

Yesterday’s Attacks: indiscriminate malware, spam and DDoS activity. Tactical approach: compliance-driven, reactionary.

• Build multiple perimeters

• Protect all systems

• Use signature-based methods

• Periodically scan for known threats

• Shut down systems

Today’s Attacks: advanced, persistent, organized, politically or financially motivated. Strategic approach: intelligent, orchestrated, automated.

• Assume constant compromise

• Prioritize high-risk assets

• Use behavioral-based methods

• Continuously monitor activity

• Gather, preserve, retrace evidence

It takes power and precision to stop adversaries and unknown threats

Page 3

Top 5 Things to Look for in an IPS Solution

Next-generation intrusion prevention systems have many advantages over traditional IPS

1. Threat Detection Method

2. Application & User Controls

3. Encrypted Traffic Inspection

4. Flexible Performance Options

5. Integration with Existing Security Investments

Page 4

1. Threat Detection Method

Pattern Matching vs. Behavior Analysis (“If it looks like a duck, swims like a duck, and quacks like a duck…”)

Pattern Matching:

• Reactive

• Known threats

• Numerous signatures

Behavior Analysis:

• Proactive

• Better against unknown threats

• Fewer signatures required

Page 5

2. Application & User Controls

• Gain greater network visibility and control over applications and users

• Control access to applications, or limit the actions taken within applications, by user or user group

(Diagram: Internet, Firewall, IPS in line)

Page 6

3. Encrypted Traffic Inspection

“… 70% of global Internet traffic will be encrypted in 2016, with many networks exceeding 80%.”

Sandvine, Encrypted Internet Traffic Report, 2016

Page 7

4. Flexible Deployment Options

Balance acquisition costs with anticipated future needs:

• Network traffic to be inspected (bandwidth)

• Network topology changes

Page 8

5. Integration with Existing Security Investments

Better protection along the entire attack lifecycle:

IPS (Prevent): Disrupt malware & exploits at the point of attack.

Security Analytics (Detect): Send network data to security analytics to enrich threat intelligence and identify threats across the environment.

Incident Response Platform (Respond): Orchestrate and automate incident response, enabling rapid network policy updates to prevent or mitigate the impact of an attack.

Page 9

Attack progression, in three phases (Pre-exploit, Exploit, Data exfiltration); the complexity of the exploit chain grows from left to right:

1. Delivery of weaponized content

2. Exploitation of app vulnerability

3. Malware delivery

4. Malware persistency

5. Execution and malicious access to content

6. Establish communication channels

7. Data exfiltration

Page 10

Attack Progression (the same seven-stage chain as page 9) with a “No. of Types” axis added, i.e. how many variants of each thing a defender must recognise, and the control that applies:

Destinations (C&C traffic detection): Endless

Unpatched and zero-day vulnerabilities (patching): Many

Weaponized content (IPS, sandbox): Endless

Malicious files (antivirus, whitelisting): Endless

Malicious behavior activities (HIPS): Many

Java execution

Ways to infect: deliver, persist

Ways to communicate out

Page 11

Attack Progression, same diagram and “No. of Types” table as page 10, with three stages now labelled “Strategic Chokepoint”.

Page 12

Attack Progression, same diagram as page 11 (three Strategic Chokepoints), with the controls that cover them added:

• File inspection

• Vulnerability assessment & reporting

• Credential protection

Page 13

Evolution based on client needs:

1997+ Intrusion Detection

2002+ Intrusion Prevention: protects against attacks on vulnerabilities, not exploits

2005+ Behavioral Defense: protects against attacks based on behavior, not specific vulnerabilities

2008+ Web App Protection: heuristically protects against common app-based attacks

2012+ URL/App Control: protects users from visiting risky sites on the web

2013+ SSL/TLS Inspection: protects against attacks hidden inside encrypted traffic

2014+ Advanced Malware Defense: blocks malware infections on the network

Future: Threat Management.NEXT, new protection and integration capabilities to stay ahead of the threat

Page 14

IBM Security Network Protection (XGS): next-generation intrusion prevention protects against the latest attacks

PROTECTION: Disrupt known and unknown exploits and malware attacks

VISIBILITY: Gain insight into network traffic patterns to detect anomalies

CONTROL: Limit the use of risky applications to reduce your attack surface

Page 15

Exploit-matching engines can be useless against even simple mutations

A simple change to a variable name allows the attack to succeed, while rendering the protection of a signature-matching engine useless.

A simple change to the HTML code in a compromised web page makes the attack invisible to signature protection.

Simply adding a comment to a web page results in an attack successfully bypassing a signature IPS.

Original Variable Names → Mutated Variable Names

Shellcode → somecode

Block → brick

heapLib → badLib

Original Class Reference:

<html><head></head><body><applet archive="jmBXTMuv.jar" code="msf.x.Exploit.class" width="1" height="1"><param name="data" value=""/><param name="jar">

Mutated Class Reference:

<html><head></head><body><applet archive="eXRZLr.jar" code="msf.x.badguy.class" width="1" height="1"><param name="data" value=""/><param name="jar">

Original Code: var t = unescape;

Mutated Code: var t = unescape <!-- Comment -->;

Source: Tolly Group
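To make the three mutations above (and the pattern-matching versus behavior-analysis distinction on page 4) concrete, here is an added Python example that is not code from the deck, from IBM XGS or from the Tolly report: a literal-signature matcher runs beside a small normalizing detector over strings constructed from the variable, class and comment mutations shown on this slide. The two structural rules and the names SAMPLES, normalize and hidden_applet are assumptions made for illustration, not XGS logic.

```python
import re

# Constructed samples modelled on the deck's Tolly mutation examples: a renamed
# variable, a renamed applet class, and an HTML comment inserted into the code.
SAMPLES = {
    "js_original": 'var Shellcode = unescape("%u4141"); var Block = Shellcode;',
    "js_renamed": 'var somecode = unescape("%u4141"); var brick = somecode;',
    "js_commented": 'var t = unescape <!-- Comment -->;',
    "applet_original": '<applet archive="jmBXTMuv.jar" code="msf.x.Exploit.class" width="1" height="1">',
    "applet_renamed": '<applet archive="eXRZLr.jar" code="msf.x.badguy.class" width="1" height="1">',
    "benign": 'var total = price * qty; <applet code="Chart.class" width="400" height="300">',
}

# Pattern-matching engine: literal strings lifted from the original samples.
SIGNATURES = ["var Shellcode = unescape", "msf.x.Exploit.class", "var t = unescape;"]

def signature_match(text):
    """Exact substring match, as a signature-only engine would do."""
    return any(sig in text for sig in SIGNATURES)

_COMMENT = re.compile(r"<!--.*?-->|/\*.*?\*/", re.S)
_STRING = re.compile(r'"[^"]*"')
_IDENT = re.compile(r"\b[A-Za-z_][A-Za-z0-9_]*\b")
_KEEP = {"var", "let", "const", "unescape", "eval", "STR"}  # tokens that carry meaning

def normalize(text):
    """Strip comments, blank out string literals and rename every other identifier
    to ID, so that cosmetic mutations collapse onto one canonical form."""
    text = _COMMENT.sub(" ", text)
    text = _STRING.sub('"STR"', text)
    text = _IDENT.sub(lambda m: m.group(0) if m.group(0) in _KEEP else "ID", text)
    return re.sub(r"\s+", " ", text).strip()

_APPLET = re.compile(r"<applet\b([^>]*)>", re.I)
_ATTR = re.compile(r'(\w+)\s*=\s*"([^"]*)"')

def hidden_applet(text):
    """Structural rule: a 1x1 pixel applet is invisible to the user, whatever
    jar or class name it loads."""
    for tag in _APPLET.finditer(text):
        attrs = {k.lower(): v for k, v in _ATTR.findall(tag.group(1))}
        if attrs.get("width") == "1" and attrs.get("height") == "1":
            return True
    return False

def behavior_match(text):
    """Match on what the code does (aliasing unescape, hiding an applet),
    not on the exact bytes it happens to contain."""
    return "var ID = unescape" in normalize(text) or hidden_applet(text)

def evaluate():
    """Return {sample: (signature_hit, behavior_hit)} for every sample."""
    return {name: (signature_match(s), behavior_match(s)) for name, s in SAMPLES.items()}
```

Every mutated sample escapes the literal signatures but still trips the normalized rules, while the benign sample trips neither; a production engine needs far more rules and a real tokenizer, but the normalize-then-match step is the part that survives renaming and inserted comments.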

Page 16

Detection engines (other IPS solutions stop at pattern matching):

Exploit Signatures: attack-specific pattern matching

Web Injection Logic: patented protection against web attacks, e.g., SQL injection and cross-site scripting

Vulnerability Decodes: focused algorithms for mutating threats

Application Layer Heuristics: proprietary algorithms to block malicious use

Protocol Anomaly Detection: protection against misuse, unknown vulnerabilities, and tunneling across 230+ protocols

Shellcode Heuristics: behavioral protection to block exploit payloads

Content Analysis: file and document inspection and anomaly detection

Page 17

IBM XGS protects against a full spectrum of attack techniques…

Categories: Web App; System and Service; Traffic-based; User; Risky Applications

Techniques covered:

• Protocol Tunneling

• RFC Non-Compliance

• Unpatched / Unpatchable Vulnerabilities

• Code Injection

• Buffer Overflows

• Cross-site Scripting

• SQL Injection

• Cross-site Request Forgery

• Cross-path Injection

• Spear Phishing

• Drive-by Downloads

• Malicious Attachments

• Malware Links

• Obfuscation Techniques

• Protocol Anomalies

• Traffic on Non-Standard Ports

• DoS / DDoS

• Information Leakage

• Social Media

• File Sharing

• Remote Access

• Audio / Video Transmission

Page 18

Network Traffic and Flows … delivering visibility and control over your network traffic

Identity and Application Awareness: associates users and groups with their network activity, application usage and actions

Deep Packet Inspection: classifies network traffic, regardless of port or protocol

SSL Visibility: identifies encrypted threats, without a separate appliance

500+ protocols and file formats analyzed

2,000+ applications and actions identified

25+ billion URLs classified in 70 categories

(Diagram: inbound and outbound traffic from Employee A, B and C and Application A and B, classified as Prohibited Application, Attack Traffic, Botnet Traffic, Good Application or Clean Traffic)

Page 19

IBM X-Force® Research and Development: expert analysis and data sharing on the global threat landscape

Areas: Vulnerability Protection; IP Reputation; Anti-Spam; Malware Analysis; Web Application Control; URL / Web Filtering; Zero-day Research

The IBM X-Force Mission:

• Monitor and evaluate the rapidly changing threat landscape

• Research new attack techniques and develop protection for tomorrow’s security challenges

• Educate our customers and the general public

• Integrate and distribute threat protection and intelligence to make IBM solutions smarter

Page 20

The benefits of behavioral detection, Part 1: stopping mutated threats

• Delivers superior protection from evolving threats with high levels of performance

• Stops 99% of tested, publicly available attacks

• Is nearly twice as effective as Snort at stopping “mutated” attacks

INLINE IPS SYSTEM EFFICACY (2012): IBM IPS GX7800 versus Snort IPS

SOURCE: IBM SECURITY NETWORK INTRUSION PREVENTION SYSTEM GX7800 EVALUATION, TOLLY GROUP, 2012

Page 21

The benefits of behavioral detection, Part 2: stopping encrypted threats and evasion techniques

• Stopped 100% of tested, publicly disclosed attacks, both encrypted & unencrypted

• Stopped 100% of McAfee Evader test suite attacks

• Delivered 17 Gbps of multi-protocol throughput with SSL/TLS inspection enabled; 26 Gbps without SSL/TLS inspection enabled

INLINE IPS SYSTEM EFFICACY (2016): IBM next-gen IPS XGS7100

SOURCE: IBM SECURITY NETWORK PROTECTION XGS7100 EVALUATION, TOLLY GROUP, 2016

Page 22

Modular network interfaces help future-proof your investment: eight different network interface modules (NIM) meet current and future connectivity needs

• 4-port fixed fiber (LX) with built-in bypass

• 4-port fixed fiber (SX) with built-in bypass

• 8-port RJ-45 copper with built-in bypass

• 2-port 10GbE (SR) with built-in bypass

• 2-port 10GbE (LR) with built-in bypass

• 4-port SFP (requires transceivers)

• 2-port 10GbE SFP+ (requires transceivers)

• 2-port 40GbE QSFP+ (requires transceivers), XGS 7100 only

XGS 7100 supports 4 NIMs; XGS 5100 supports 2 NIMs (+ 4 built-in RJ-45 ports); XGS 4100 supports 1 NIM (+ 4 built-in RJ-45 ports)

Page 23

Flexible Performance Licensing (FPL) enables performance upgrades without changing hardware

Inspected throughput by model and FPL level:

XGS Virtual: Level 1 (base) 600 Mb/s; Level 2 1.0 Gb/s

XGS 3100: Level 1 (base) 400 Mb/s; Level 2 800 Mb/s

XGS 4100: Level 1 (base) 750 Mb/s; Level 2 1.5 Gb/s

XGS 5100: Level 1 (base) 2.5 Gb/s; Level 2 4.0 Gb/s; Level 3 5.5 Gb/s; Level 4 7.0 Gb/s

XGS 7100: Level 1 (base) 5.0 Gb/s; Level 2 10.0 Gb/s; Level 3 15.0 Gb/s; Level 4 20.0 Gb/s; Level 5 25.0 Gb/s

Page 24

IBM XGS protects both your network and investment

Forrester determined XGS has the following three-year risk-adjusted financial impact:

RETURN ON INVESTMENT: 340%

NET PRESENT VALUE: $1,075,592

PAYBACK PERIOD: 1.9 months

SOURCE: THE TOTAL ECONOMIC IMPACT OF IBM SECURITY NETWORK SECURITY (XGS), FORRESTER RESEARCH, 2016

Page 25

IBM QRadar and XGS integration improves intelligence and security: send data flows to QRadar and send quarantine commands to XGS directly from QRadar

Layer 7 flow data to QRadar:

• Detect abnormal activity through network flow data generated by XGS

• Identify application misuse via user and application information

• Save money by reducing the need for a separate flow generation appliance

Offense-blocking from QRadar:

• Make QRadar intelligence actionable by leveraging XGS to block in-progress attacks

• Reduce response time by initiating blocking within the QRadar console to stop threats quickly

Page 26

IBM positioned in the “Leaders” Quadrant in the 2015 Gartner Magic Quadrant for Intrusion Prevention Systems

“The capabilities of leading IPS products have adapted to changing threats, and next-generation IPSs (NGIPSs) have evolved incrementally in response to advanced targeted threats that can evade first-generation IPSs.”

Craig Lawson, Adam Hils, and Claudio Neiva, Gartner, Magic Quadrant for Intrusion Prevention Systems, November 16, 2015

This Magic Quadrant graphic was published by Gartner, Inc. as part of a larger research note and should be evaluated in the context of the entire report. The link to the Gartner report is available upon request from IBM.

Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner's research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.

Page 27

Top 5 Things to Look for in an IPS Solution, and how IBM XGS answers each:

1. Threat Detection Method: behavior analysis

2. Application & User Controls: granular controls

3. Encrypted Traffic Inspection: fast on-board inspection

4. Flexible Performance Options: FPL and NIMs

5. Integration with Security Investments: IBM QRadar & more

Page 28

Q & A

Page 29

THANK YOU

FOLLOW US ON:

ibm.com/security

securityintelligence.com

xforce.ibmcloud.com

@ibmsecurity

youtube/user/ibmsecuritysolutions

© Copyright IBM Corporation 2016. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind, express or implied. Any statement of direction represents IBM's current intent, is subject to change or withdrawal, and represents only goals and objectives. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service marks of others.

Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed, misappropriated or misused or can result in damage to or misuse of your systems, including for use in attacks on others. No IT system or product should be considered completely secure and no single product, service or security measure can be completely effective in preventing improper use or access. IBM systems, products and services are designed to be part of a lawful, comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective. IBM does not warrant that any systems, products or services are immune from, or will make your enterprise immune from, the malicious or illegal conduct of any party.