DSS ITSEC 2013 Conference 07.11.2013 - Security in High Risk Environment

Security in High Risk Environment: Vulnerabilities, Vulnerabilities and Vulnerabilities. Jan Bojtos, Security Channel Manager, Central & Eastern Europe, IBM Security Systems. © 2013 IBM Corporation

Upload: andris-soroka

Post on 15-Jan-2015


DESCRIPTION

Presentation from one of the remarkable IT Security events in the Baltic States, organized by “Data Security Solutions” (www.dss.lv). The event took place in Riga on 7th of November, 2013 and was visited by more than 400 participants at the event place and more than 300 via online live streaming.

TRANSCRIPT

Page 1: DSS ITSEC 2013 Conference 07.11.2013  - Security in High Risk Environment

© 2013 IBM Corporation

IBM Security Systems


Security in High Risk Environment
Vulnerabilities, Vulnerabilities and Vulnerabilities

Jan Bojtos
Security Channel Manager
Central & Eastern Europe
IBM Security Systems


Page 2: DSS ITSEC 2013 Conference 07.11.2013  - Security in High Risk Environment


You know? You can do this online now.

Page 3: DSS ITSEC 2013 Conference 07.11.2013  - Security in High Risk Environment


Agenda

• Application Security
• Vulnerability Management
• New Generation Network Security

Page 4: DSS ITSEC 2013 Conference 07.11.2013  - Security in High Risk Environment


Agenda

• Application Security
• Vulnerability Management
• New Generation Network Security

Page 5: DSS ITSEC 2013 Conference 07.11.2013  - Security in High Risk Environment


Security Incidents in the first half of

Page 6: DSS ITSEC 2013 Conference 07.11.2013  - Security in High Risk Environment


The Application Security landscape

Web application vulnerabilities dominate the enterprise threat landscape

*IBM X-Force 2012 Trend & Risk Report **IBM X-Force 2012 Trend & Risk Report

• Web application vulnerabilities surged 14% from 2,921 vulnerabilities in 2011 to 3,551 vulnerabilities in 2012

• 47% of all vulnerabilities that the IBM X-Force documented in 2012 were considered web application vulnerabilities

Production Applications Developed in house

Acquired

Off-the-shelf commercial apps

In-house development

Outsourced development

Applications in Development

Vulnerabilities are spread through a wide variety of applications

Page 7: DSS ITSEC 2013 Conference 07.11.2013  - Security in High Risk Environment


Challenge 1: Finding more vulnerabilities using advanced techniques

Static Analysis
- Analyze Source Code
- Use during development
- Uses Taint Analysis / Pattern Matching

Dynamic Analysis
- Analyze Live Web Application
- Use during testing
- Uses HTTP tampering

Hybrid Analysis
- Correlate Dynamic and Static results
- Assists remediation by identification of line of code

Client-Side Analysis
- Analyze downloaded JavaScript code which runs in client
- Unique in the industry

Run-Time Analysis
- Combines Dynamic Analysis with run-time agent
- More results, better accuracy

New!

Total Potential Security Issues

Applications

Page 8: DSS ITSEC 2013 Conference 07.11.2013  - Security in High Risk Environment


Challenge 2: Reducing Costs Through a Secure by Design Approach

Find during Development: $80/defect

Find during Build: $240/defect

Find during QA/Test: $960/defect

Find in Production: $7,600/defect

80% of development costs are spent identifying and correcting defects!*

** Source: Ponemon Institute 2009-10

“As financially-motivated attackers have shifted their focus to applications, Web application security has become a top priority. However, the responsibility for web application security cannot rest solely with information security. Enterprises should evaluate how to identify vulnerabilities in Web applications earlier in the development process as transparently as possible using web application security testing products or services.”

Neil MacDonald, Gartner, 12-6-11

* Source: National Institute of Standards and Technology

Average Cost of a Data Breach: $7.2M** from law suits, loss of customer trust, damage to brand

Page 9: DSS ITSEC 2013 Conference 07.11.2013  - Security in High Risk Environment


Challenge 3: Bridging the Security/Development gap

Dashboard of application risk

Enable compliance with regulation-specific reporting

Security experts establish security testing policies

Development teams test early in the cycle

Treat vulnerabilities as development defects

“… we wanted to go to a multiuser web-based solution that enabled us to do concurrent scans and provide our customers with a web-based portal for accessing and sharing information on identified issues.”

Alex Jalso, Asst Dir, Office of InfoSecurity, WVU

Provide Management Visibility

Break down organizational silos

Architect

Developer

Quality Professional

Security Auditor

Enables Collaboration

Page 10: DSS ITSEC 2013 Conference 07.11.2013  - Security in High Risk Environment


Finding Vulnerabilities During Security Test Phase

[Chart: % of Issue found by stage of SDLC. Stages: Coding, Build, QA, Security, Production]

Most Issues are found by security auditors prior to going live.

Page 11: DSS ITSEC 2013 Conference 07.11.2013  - Security in High Risk Environment


Maturity of Security Testing

[Chart: % of Issue found by stage of SDLC. Stages: Coding, Build, QA, Security, Production]

Desired Profile

Page 12: DSS ITSEC 2013 Conference 07.11.2013  - Security in High Risk Environment


Organizations need to take a proactive approach to Application Security

Embed security testing early in the development lifecycle to support agile delivery demands

Bridge the gap between “Security” and “Development” through joint collaboration and visibility, enabling regulatory compliance

Integrate security testing into the development lifecycle, through interfaces to development tools

A proactive team approach to Application Security

Architect

Analyst

Developer

Quality Professional

Security Auditor

AppScan

Hybrid Analysis

Visibility

Collaboration

Governance

Static Analysis

Dynamic Analysis

Page 13: DSS ITSEC 2013 Conference 07.11.2013  - Security in High Risk Environment


IBM Security Systems AppScan Suite – Comprehensive Application Vulnerability Management

REQUIREMENTS  CODE  BUILD  PRE-PROD  PRODUCTION  QA

AppScan Standard

AppScan Source

Security Requirements Definition

AppScan Standard

Security / compliance testing incorporated into testing & remediation workflows

Security requirements defined before design & implementation

Outsourced testing for security audits & production site monitoring

Security & Compliance Testing, oversight, control, policy, audits

Build security testing into the IDE

Application Security Best Practices – Secure Engineering Framework

Automate Security / Compliance testing in the Build Process

SECURITY

AppScan Enterprise AppScan onDemand

Dynamic Analysis/Blackbox – Static Analysis/Whitebox -

Page 14: DSS ITSEC 2013 Conference 07.11.2013  - Security in High Risk Environment


Agenda

• Application Security
• Vulnerability Management
• New Generation Network Security

Page 15: DSS ITSEC 2013 Conference 07.11.2013  - Security in High Risk Environment


Vulnerability market trends

1. Escalating threat landscape

Vulnerabilities are increasing in volume and severity, while attackers are exploiting them quicker than ever before… and with greater sophistication

2. Evolving IT infrastructures

Rapid adoption of mobile and cloud – as well as the ever increasing speed and complexity of IT – make discovery and accuracy of new and existing risks a daunting task

3. Surpassing simple compliance efforts

Routine snapshots may satisfy the auditors, but hardly enough to understand what’s really going on within your IT environment

Page 16: DSS ITSEC 2013 Conference 07.11.2013  - Security in High Risk Environment


Customer business problems

Problems in current Vulnerability management deployments:

Data overload inhibitor

Hidden risks remain

Siloed system limitations

[Figure: "Your Vulnerabilities", a grid of CVE entries, shown three times]

• Has that been patched?
• Has or will it be exploited?
• Does my firewall block it?
• Does my IPS block it?
• Does it matter?

Leaves unanswered questions

Creates security gaps

Page 17: DSS ITSEC 2013 Conference 07.11.2013  - Security in High Risk Environment


Our solution: IBM Security QRadar Vulnerability Manager

Unique VA solution integrated with Security Intelligence context/data

Providing unified view of all vulnerability information

Dramatically improving actionable information through rich context

Reducing total cost of ownership through product consolidation

Log Manager SIEM

Network Activity Monitor

Risk Manager

Vulnerability Manager

New

Security Intelligence is extending and transforming vulnerability management – just as it did with logs, events, flows and risk management.

Solution Highlights

Page 18: DSS ITSEC 2013 Conference 07.11.2013  - Security in High Risk Environment


IBM Security QRadar Vulnerability Manager key features

Contains an embedded, well proven, scalable, analyst recognised, PCI certified scanner

Detects 70,000+ vulnerabilities

Tracks National Vulnerability Database (CVE)

Present in all QRadar log and flow collectors and processors

Integrated external scanner

Complete vulnerability view supporting 3rd party vulnerability system data feeds

Supports exception and remediation processes of VM with seamlessly integrated reporting and dashboarding

Complete Vulnerability Context and Visibility

Integrated vulnerability scanner

Network discovery and asset information

IBM Security Context: AppScan, Guardium, Endpoint (BigFix), Network IPS, X-Force

3rd Party vulnerability solutions, e.g. Qualys, Rapid7, Nessus, nCircle, McAfee

Page 19: DSS ITSEC 2013 Conference 07.11.2013  - Security in High Risk Environment


Security Intelligence Integration

QVM scanners present in every QRadar appliance

− ‘Switch’ on distributed scanning

Event triggered scanning

− E.g. New asset seen

Rapid and dynamic scans using asset search based scans

− Less time spent searching

Shared reporting and dashboard infrastructure, providing single view

External threat posture, exploit events, network usage, and security context seamlessly integrated

Scanning

Page 20: DSS ITSEC 2013 Conference 07.11.2013  - Security in High Risk Environment


QRadar QVM

Standard VM

What’s the difference?

[Figure: "Your Vulnerabilities" grids of CVE entries for Standard VM and QRadar QVM; labels: Patched, Critical, Blocked, Inactive, Exploited!, At risk!]

Page 21: DSS ITSEC 2013 Conference 07.11.2013  - Security in High Risk Environment


QVM enables customers to interpret ‘sea’ of vulnerabilities

[Figure: a 'sea' of CVE entries, sorted into the categories below]

Inactive: QFlow Collector data helps QRadar Vulnerability Manager sense application activity

Blocked: QRadar Risk Manager helps QVM understand which vulnerabilities are blocked by firewalls and IPSs

Patched: IBM Endpoint Manager helps QVM understand which vulnerabilities will be patched

Critical: Vulnerability knowledge base, remediation flow and QRM policies inform QVM about business critical vulnerabilities

At Risk: X-Force Threat and SIEM security incident data, coupled with QFlow network traffic visibility, help QVM see assets communicating with potential threats

Exploited: SIEM correlation and IPS data help QVM reveal which vulnerabilities have been exploited

Page 22: DSS ITSEC 2013 Conference 07.11.2013  - Security in High Risk Environment


QRadar Vulnerability Manager offering structure

Licensed based on number of Assets scanned

Base Vulnerability Manager capability

– QVM vulnerability scans up to 255 assets

– Unlimited QVM discovery scans

– Hosted scanner for DMZ scanning

– Ability to apply QVM functionality to all 3rd party scanner data integrated with QRadar

– Deploy QVM Scanner on any managed host

– Deploy unlimited standalone software or Virtual Scanners

Simple capacity increases

AppScan

IBM Endpoint Manager

Page 23: DSS ITSEC 2013 Conference 07.11.2013  - Security in High Risk Environment


Agenda

• Application Security
• Vulnerability Management
• New Generation Network Security

Page 24: DSS ITSEC 2013 Conference 07.11.2013  - Security in High Risk Environment


The Evolving Challenges of Network Security

1. Complexity of Attacks

• Advanced Persistent Threats
• 0-Day Vulnerabilities
• Targeted Phishing
• Stealth Botnets
• Designer Malware

2. Complexity of Users

• Blending work/personal use
• Broad information sharing
• Poor security vigilance
• Targeted by social engineering

3. Complexity of Technology

• Point solutions creating “Security Sprawl”
• Bring Your Own Device
• Evolving networking and connectivity standards
• Rapid growth of web applications

Page 25: DSS ITSEC 2013 Conference 07.11.2013  - Security in High Risk Environment


Introducing IBM Security Network Protection XGS

The Next Generation of IBM intrusion prevention solutions

ADVANCED THREAT PROTECTION

Proven protection from sophisticated and constantly evolving threats, powered by X-Force®

COMPREHENSIVE VISIBILITY & CONTROL

Helps discover and block existing infections and rogue applications while enforcing access policies

SEAMLESS DEPLOYMENT & INTEGRATION

Adaptive deployment and superior integration with the full line of IBM security solutions

Page 26: DSS ITSEC 2013 Conference 07.11.2013  - Security in High Risk Environment


Infrastructure

Advanced Threat Protection

System-level Attacks

Client-side Application Protection

Extensible, Ahead-of-the-Threat Protection backed by the power of IBM X-Force® to help protect against mutating threats

Users

Web Application Attacks

Spear Phishing

Malicious Attachments

Web/Social Media Risks


The XGS 5100 helps protect against a full spectrum of targeted attacks, even in SSL-encrypted connections

Service-level Attacks

Page 27: DSS ITSEC 2013 Conference 07.11.2013  - Security in High Risk Environment


Comprehensive Visibility & Control

Context-aware access control policies block pre-existing infections, rogue applications, and policy violations

Complete Identity Awareness associates valuable users and groups with their network activity, application usage and application actions

Access Control Policies block pre-existing compromises and rogue applications as well as enforce corporate usage policies

Deep Packet Inspection fully classifies network traffic, regardless of address, port, protocol, application, application action or security event

400+ Protocols and File Formats Analyzed

2,000+ Applications and Actions Identified

20 Billion+ URLs classified in 70 Categories

Page 28: DSS ITSEC 2013 Conference 07.11.2013  - Security in High Risk Environment


Seamless Deployment and Integration

Quick initial deployment and immediate integration points with other security technologies such as QRadar

Adaptable Deployment

• Seven varieties of network interface modules
• Flexible performance licensing
• Built-in, programmable network bypass
• Integrated SSL inspection

Advanced QRadar Integration

• Helps mitigate known and unknown attacks
• Detect “low and slow” and advanced persistent threats
• Analysis and correlation across both IBM and non-IBM products

Breadth and Depth of Portfolio

• Protection of people, data, applications and infrastructure
• Advanced cross-product research & development
• Solutions and services for practically every security need

Page 29: DSS ITSEC 2013 Conference 07.11.2013  - Security in High Risk Environment


New XGS Product Line

Page 30: DSS ITSEC 2013 Conference 07.11.2013  - Security in High Risk Environment


IBM Security Network Protection (XGS)

The Next Generation of IBM’s legendary network security solutions

Top 5 Reasons to Upgrade to or Purchase an XGS Appliance

1. Visibility and Control over Web and non-Web applications and use
2. Ability to secure encrypted traffic without separate hardware (SSL)
3. Wide performance range with a simple license (600Mbps - 5Gbps)
4. Integrated bypass and flexible network connections (1GbE/10GbE)
5. Tight integration with QRadar including ability to send flow data

Page 31: DSS ITSEC 2013 Conference 07.11.2013  - Security in High Risk Environment


ibm.com/security

© Copyright IBM Corporation 2012. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind, express or implied. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, these materials. Nothing contained in these materials is intended to, nor shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software. References in these materials to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates. Product release dates and/or capabilities referenced in these materials may change at any time at IBM’s sole discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any way. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service marks of others.