
IBM Security Systems
IBM Security Network Protection (XGS)
Advanced Threat Protection Integration Framework
http://ibm.biz/ISNP_ATP_API
© 2014 IBM Corporation
Advanced Threat Protection (ATP) Overview
The ATP Integration Framework is a generic mechanism that lets IBM Security
Network Protection (ISNP) receive alerts from external systems and act on
those alerts using Quarantine.

Advanced Threat Protection Policy

An alert will be mapped to one of five types:
• Compromise – a successful breach of security, currently active within the
environment. This could range from subversive human behavior to automated
command and control exploits.
• Reputation – describes characteristics tied to an address or web URI and
related to geography or observed content behavior.
• Intrusion – an instance of an in-progress network attack attempt.
• Malware – represents malicious software in flight on the network or at
risk on a disk.

Advanced Threat Protection Policy (cont.)

• Exposure/vulnerability – represents an identified network weakness which,
if successfully exploited, could result in a compromise.
• The classification of the alert into one of 3 severities:
– High
– Medium
– Low
Advanced Threat Protection Policy (cont.)
Sandbox Malware Detection Integration
Web Security Appliance
• Uses enterprise-based sandboxing to execute and profile files to identify
C&C hosts
• Can monitor traffic and identify internal hosts that are compromised
(through calls to known C&C sites)

Although Malware Detection systems can raise alerts, they are not
enforcement devices.
• ISNP can provide the enforcement for Malware Detection

Malware Detection / ISNP Network Topology
Typical Use Cases
• There are three supported Quarantine use cases:
– Compromise: A machine infected with malware, transmitting data to a
Command & Control Server, represents a Compromised Host in an enterprise
network.
– Reputation: A Command & Control Server contacted by a Compromised Host, or
a Web Server hosting a Web Exploit, represents a Malicious Server with a poor
reputation.
– Malware: A Malware Object being transmitted over the network to a Target
Host from a Hosting Server represents a Threat-In-Flight.
Event Log: Advanced Threat Events
Active Quarantines
Backup
Menu - Advanced Threat Policy
Advanced Threat Policy
Menu - Advanced Threat Protection Agents
Advanced Threat Protection Agents
Menu - Active Quarantines
Active Quarantines
Menu – Event Log
Event Log: Advanced Threat Events
IBM Security Network Protection (XGS)
Advanced Threat Protection Integration Framework
QRadar based integration
QRadar 7.2 MR1
QRadar
• There are four supported cases:
– Compromise: If the source IP is “right-clicked”, this IP address is sent to
the XGS. This might be used in the case when the host has been infected with
malware.
– Reputation: If the destination IP is “right-clicked”, this IP address is
sent to the XGS. This represents a malicious server such as a C&C server or
one hosting Malware.
– Intrusion: If a source port is “right-clicked”, this IP address and port
combination is sent to the XGS. This can result from that client system
attacking a server.
– Exposure: If the destination port is “right-clicked”, this IP address and
port combination is sent to the XGS. This might be used in the case where the
service has a vulnerability.
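The four right-click cases above, together with the five alert types and three severities from the policy slides, can be modelled as a small validation and mapping step on the receiving side. The following is an added example and not IBM's code: the real ATP Integration Framework message format (see http://ibm.biz/ISNP_ATP_API) is not reproduced on these slides, so the field names (`type`, `severity`, `address`, `port`), the `QuarantineRule` shape, the QRadar event keys and the choice of the hosting server as the Malware target are all assumptions made here. It also shows, beyond what the slides state, rejecting alerts whose shape does not match their type (for example a Compromise alert carrying a port), which is the check a receiver would want before acting on an external alert.

```python
"""Hypothetical alert-to-quarantine mapping for the ATP integration slides.

Added example, not IBM's code.  Field names, the QuarantineRule shape and the
QRadar event keys are assumptions; the real ATP API format is not shown here.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# The five alert types and three severities from the ATP policy slides.
ALERT_TYPES = {"compromise", "reputation", "intrusion", "malware", "exposure"}
SEVERITIES = {"high", "medium", "low"}

# Which side of the conversation each type quarantines (from the use-case slides;
# the Malware target is an assumption, the slides only name a Threat-In-Flight).
TARGET_DESCRIPTION = {
    "compromise": "compromised host (source of the C&C traffic)",
    "reputation": "malicious server (destination contacted by the host)",
    "intrusion": "attacking client, address plus source port",
    "exposure": "vulnerable service, address plus destination port",
    "malware": "hosting server of a threat-in-flight (assumed target)",
}
# Types whose quarantine target is an address plus a port.
PORT_TYPES = {"intrusion", "exposure"}


@dataclass(frozen=True)
class QuarantineRule:
    """What ISNP would need to quarantine for one alert (assumed shape)."""
    alert_type: str
    severity: str
    address: str
    port: Optional[int]
    description: str


def _check_port(port) -> int:
    """Accept only a real TCP/UDP port number (bool is excluded on purpose)."""
    if isinstance(port, bool) or not isinstance(port, int) or not 0 < port < 65536:
        raise ValueError(f"invalid port: {port!r}")
    return port


def build_quarantine(alert: dict) -> QuarantineRule:
    """Validate an external alert and derive the quarantine target.

    Compromise and Reputation quarantine an address only; Intrusion and
    Exposure require an address plus port; Malware takes an optional port.
    Anything else is rejected rather than guessed at.
    """
    atype = str(alert.get("type", "")).lower()
    severity = str(alert.get("severity", "")).lower()
    if atype not in ALERT_TYPES:
        raise ValueError(f"unknown alert type: {alert.get('type')!r}")
    if severity not in SEVERITIES:
        raise ValueError(f"unknown severity: {alert.get('severity')!r}")
    # ipaddress raises on anything that is not a literal IPv4/IPv6 address.
    address = str(ipaddress.ip_address(alert["address"]))
    port = None
    if atype in PORT_TYPES:
        port = _check_port(alert.get("port"))
    elif "port" in alert and atype != "malware":
        raise ValueError(f"{atype} alerts quarantine an address only, got a port")
    elif "port" in alert:
        port = _check_port(alert["port"])
    return QuarantineRule(atype, severity, address, port, TARGET_DESCRIPTION[atype])


def from_qradar_right_click(event: dict, clicked: str) -> QuarantineRule:
    """Map a QRadar 'right click' on one event field to an alert (slide 21).

    source_ip -> Compromise, destination_ip -> Reputation,
    source_port -> Intrusion (src ip+port), destination_port -> Exposure (dst ip+port).
    """
    mapping = {
        "source_ip": ("compromise", event["source_ip"], None),
        "destination_ip": ("reputation", event["destination_ip"], None),
        "source_port": ("intrusion", event["source_ip"], event["source_port"]),
        "destination_port": ("exposure", event["destination_ip"], event["destination_port"]),
    }
    if clicked not in mapping:
        raise ValueError(f"no quarantine case for field {clicked!r}")
    atype, address, port = mapping[clicked]
    alert = {"type": atype, "severity": event.get("severity", "medium"), "address": address}
    if port is not None:
        alert["port"] = port
    return build_quarantine(alert)


# Constructed sample QRadar event (documentation addresses, not real hosts).
SAMPLE_EVENT = {
    "source_ip": "10.0.0.5",
    "source_port": 51234,
    "destination_ip": "203.0.113.7",
    "destination_port": 443,
    "severity": "high",
}

if __name__ == "__main__":
    for field in ("source_ip", "destination_ip", "source_port", "destination_port"):
        print(field, "->", from_qradar_right_click(SAMPLE_EVENT, field))
```

Running the block prints one `QuarantineRule` per right-click case for the constructed event; feeding it a Compromise alert that carries a port, or an Intrusion alert without one, raises `ValueError` instead of producing a half-specified quarantine.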
QRadar “right click” Integration (source address)
“on the glass” integration
QRadar “right click” Integration (source address)
QRadar Advanced Threat Events
QRadar 'right click' Integration (destination port)
“on the glass” integration
QRadar 'right click' Integration (destination port)
QRadar Advanced Threat Events
ibm.com/security