Orchestrate Your Security Defenses to Optimize the Impact of Threat Intelligence

1. Orchestrating Your Security Defenses with Threat Intelligence August 15, 2017 Sam Dillingham Senior Offering Manager IBM X-Force Pamela Cobb Portfolio Manager IBM X-Force

2. 2 IBM Security Today’s agenda Intro to Threat Intelligence Threat Intelligence use cases Taking action with integrations Get started today!

3. 3 IBM Security It takes too long to make information actionable Analysts can’t separate the signal from the noise Data is gathered from untrusted sources 1 Source: ESG Global 65% of enterprise firms use external threat intelligence to enhance their security decision making 1 Security teams often lack critical support to make the most of these resources.

4. 4 IBM Security More companies are sharing and consuming threat intelligence 1. Timely and early warning of relevant threats to stay a step ahead 2. Increased visibility to emerging threats as more organizations benefit from other organization’s detections 3. Validation and prioritization of threats based on context of suspicious activity 4. Faster and more orchestrated response through enrichment of incidents with IoCs 5. More awareness of targets and tactics to help plan, build and evolve your security strategy How to Collect, Refine, Utilize and Create Threat Intelligence Gartner, Oct 2016 IBM and Business Partner Use Only

5. 5 IBM Security IBM X-Force Exchange is a threat intelligence sharing platform designed to help security teams research, collaborate and integrate. xforce.ibmcloud.com IBM and Business Partner Use Only

6. 6 IBM Security Collections streamline security investigations with research from curated content Groups allow public or private collaboration to validate threats and develop response plans Integrations strengthen security solutions and provide additional threat intelligence • Validate findings • Aid in forensic investigations • Provide tactical / strategic intelligence • Address investigations • Enable research workflow • Interact with X-Force research community • X-Force Exchange SDK / API / STIX / TAXII • Threat Feed Manager • Free / commercial usage IBM and Business Partner Use Only

7. 7 IBM Security Today’s agenda Intro to Threat Intelligence Threat Intelligence use cases Taking action with integrations Get started today!

8. 8 IBM Security for threat intelligence use cases Real-time blocking Security operations Threat research & hunting

9. 9 IBM Security Use Case 1: Real-time blocking Usage • Blocking access to known malicious actors • Can include IPs, domains, URLs, etc. • Implemented by firewalls, IPSes, proxies, and other security devices Critical Factors • Speed in making blocking decisions • Scoring flexibility to set a threshold of what to block • Frequent incremental updates to minimize performance impact Delivery Route • Software development kits (SDKs) • Block lists

10. 10 IBM Security In IBM X-Force Exchange, classification and scoring for URLs and IP addresses combines results of multiple analyses.

11. 11 IBM Security Web applications are scored on several risk factors

12. 12 IBM Security Use Case 2: Security Operations Usage • Maps threat intelligence to data observed in your environment • Includes intelligence that can be mapped to network and host- based indicators • Integration with operational tools, such as SIEM and incident response Critical Factors • Support for open standards for easy integration into existing solutions • Pivotability among indicators to aid in rapid investigation • Completeness of data Delivery Route • STIX/TAXII feeds • Cybox

13. 13 IBM Security The use of open standards maximizes interoperability with existing systems  API queries based on query/response model for threat intelligence  Leverages basic authentication  Load balanced to support traffic loads  Node SDK module available  TAXII services provided to access threat intelligence  Supports STIX/Cybox objects JSON RESTful API STIX / TAXII Standards Support

14. 14 IBM Security Use Threat Intelligence through open STIX/TAXII format Use reference sets for correlation, searching, reporting • Load threat indicators in Collections into QRadar Reference sets • Create custom rule response to post IOCs to Collection • Bring Watchlists of IP addresses from X-Force Exchange and create a rule to raise the magnitude of any offense that includes the IP Watchlist IBM and Business Partner Use Only

15. 15 IBM Security Use Case 3: Threat Research and Hunting Usage • Research of potential threats that may or may not yet be affecting your organization • Can be done via a web-based UI or API Critical Factors • Scriptable access of data in an easy-to-use manner • Aggregation of multiple intelligence sources (from different vendors) into a single stream • Flexible search Delivery Route • REST-based API • Research platforms with web interfaces

16. 16 IBM Security X-Force global threat intelligence delivers a wide range of benefits Higher Order Intelligence Observables and Indicators Actors Campaigns Incidents TTPs Vulnerabilities MalwareAnti-SpamWeb App Control IP ReputationURL / Web Filtering

17. 17 IBM Security Correlation of indicators and higher-order intelligence is critical 173.242.117.120 is a malware C&C server djs14.com is a malware C&C server CVE-2013-3029 is an Excel vulnerability abc@xyz.com sends SPAM Organization Y is a threat actor Indicator Feeds Correlated Threat Intelligence 173.242.117.120 is a malware C&C server … which is associated with PoSeidon malware family targeted against retailers used by attackers in country X, Y and Z to steal credit card information from PoS systems Communicates with C&C servers: 173.242.117.120, 203.19.201.20 C&C domains: djs14.com, jdjnci.net Twitter feed @malwarecommander Infects via drive-by download exploiting CVE-2015-2093 malicious Excel file exploiting CVE-2013-3029 email attachment from abc@xyz.com Host indicators Registry keys A, B, C Processes D, E, F Event log entries G, H Memory fingerprint J, K vs.

18. 18 IBM Security Correlation provides pivotability to accelerate threat investigation Network traffic to C&C IP observed Malware associated with C&C server Other C&C IPs for the malware Host IoCs for the malware Actor/ campaign details Infection method details What does this communication mean? What is the attacker after? How did they get in? Where else are they? How do I verify infections? Send indicators to EDR tool Correlate CVEs to SIEM vuln scansCorrelate IPs to flow data in SIEM Understand motivations, report to exec mgt Initiate patchingInvestigate exfiltration Quarantine infected endpoints

19. 19 IBM Security X-Force Exchange Collections streamline security investigations Higher Order Intelligence Free text area of the Collection is used to organize Identifiers, Campaigns, TTPs, TLP status, and other pertinent details. Observables & Indicators Related reports on URL / IP reputation, malware, vulnerabilities, and related attachments

20. 20 IBM Security Agenda Intro to Threat Intelligence Threat Intelligence use cases Taking action with integrations Get started today!

21. 21 IBM Security 20,000+ devices under contract 20B events managed per day 133 monitored countries 3,700+ security-related patents 270M endpoints monitored for malware 38B analyzed web pages and images 8M spam and phishing attacks daily 850K malicious IP addresses 113K documented vulnerabilities Millions of unique malware samples As of May 2017 The scale of IBM Security brings unique breadth and depth to X-Force threat intelligence

22. 22 IBM Security SDK X-Force Threat Intelligence can be integrated into security solutions via multiple methods IBM CONFIDENTIAL - LIMIT DISTRIBUTION UNTIL MAY 16 Data & intelligence sources Analytics Engine IBM Security Products OEM SDK Platform Users Open API Com- mercial API APIPortal Threat Intelligence Content pDNS Whois information Collections Higher Order Intelligence Vulnerabilities Malware Sandbox Malware Families IP Reputation URL Reputation Web Applications Delivery Layer Threat integration Threat consumers Platform Layer XFMA XGS Platform Users

23. 23 IBM Security There is a comprehensive range of Threat Intelligence available via API Indicators/Content Details Vulnerabilities Risk score (CVSS), Exploit characteristics, Exploit consequences, Remedy information, Affected Products, Protection information (e.g. references for IPS, Vulnerability Assessment content), and External references Malware Disposition, Hash value, First observed, Malware family, Vendors covering (%), Download sources, Command and Control Servers, Email sources, and Email subjects Malware Families First/Last Observance, and Associated hash values (MD5) / IP Reputation Risk score (1-10), Geolocation, Applications associated, Malware associated, Categorization – current and historical with confidence value (1-100%), Passive DNS information, Subnet reputation URL Reputation Risk score (1-10), Applications associated, Categorization – current and historical, DNS information Web Applications Risk score, Categorization, Base URL, Vulnerabilities, Hosting URLs, and Hosting IPs pDNS Passive DNS information Whois information Registrant information – name, organization, country, and e-mail. IBM Network Protection Monthly XPU Content, as well as each signature, date of its release, and the vulnerability for which it provides coverage Collections Curated content on specific security investigations, including both structured and unstructured content. Higher Order Intelligence Cybox objects such as campaign, threat actor, tools, tactics, procedures, course of action, and indicator information, as part of the collections.

24. 24 IBM Security IBM Security App Exchange Driving the evolution of collaborative defense  Access user and business partner innovations  Extend IBM Security solution functionality to new use cases  Download validated security apps from a single platform A platform for security collaboration https://apps.xforce.ibmcloud.com

25. 25 IBM Security React faster, coordinate better, respond smarter to incidents Single Hub Provides Easy Workflow Customization and Process Automation • Helps cyber security teams orchestrate IR process and manage and respond to incidents faster, better and more intelligently • Drives down response times by streamlining the process of escalating and managing incidents • Ensures consistency and adherence to regulatory requirements and legal obligations • Automates time-consuming tasks • Leverages staff more effectively

26. 26 IBM Security IBM X-Force Malware Analysis Submit suspicious files directly into IBM X-Force Exchange Automate suspicious file investigation Act on in-depth intelligence reports Access anywhere, anytime with a scalable cloud architecture IBM and Business Partner Use Only

27. 27 IBM Security A diversified financial services company greatly improved their threat research capabilities and collaboration workflows “I didn’t realize I was on X-Force Exchange that much. The collaboration capabilities and threat intelligence are highly valuable to me and a great help to my challenges and activities throughout each day.” -Network Security Analyst II Business challenge  Need for curated threat research to complement their SIEM  Lack of internal collaboration in the threat investigation process IBM X-Force Exchange with IBM QRadar Helped better defend the organization’s network from attacks, scans and phishing attempts on a daily basis, using IP / URL reputation data, geo-location status of IPs, vulnerability data, md5 detail and shared collections from X-Force Exchange in conjunction with IBM QRadar. Research, collaborate and integrate

28. 28 IBM Security Agenda Intro to Threat Intelligence Threat Intelligence use cases Taking action with integrations Get started today!

29. 29 IBM Security Helpful Resources X-Force Exchange • Try it: xforce.ibmcloud.com • API: https://api.xforce.ibmcloud.com/doc/ General X-Force information: • X-Force blogs on SecurityIntelligence.com • IBM X-Force Threat Intelligence Report for 2017 • IBM Interactive Security Incidents website to stay up to date on latest verified breaches IBM/BUSINESS PARTNER USE Contact Us! Sam Dillingham, sam.dillingham@us.ibm.com, Sr Offering Manager Pamela Cobb, pcobb@us.ibm.com, Portfolio Manager

30. ibm.com/security securityintelligence.com xforce.ibmcloud.com @ibmsecurity youtube/user/ibmsecuritysolutions © Copyright IBM Corporation 2016. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind, express or implied. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, these materials. Nothing contained in these materials is intended to, nor shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software. References in these materials to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates. Product release dates and / or capabilities referenced in these materials may change at any time at IBM’s sole discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any way. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service marks of others. Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed, misappropriated or misused or can result in damage to or misuse of your systems, including for use in attacks on others. No IT system or product should be considered completely secure and no single product, service or security measure can be completely effective in preventing improper use or access. IBM systems, products and services are designed to be part of a lawful, comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective. IBM DOES NOT WARRANT THAT ANYSYSTEMS, PRODUCTS OR SERVICES ARE IMMUNE FROM, OR WILL MAKE YOUR ENTERPRISE IMMUNE FROM, THE MALICIOUS OR ILLEGAL CONDUCT OF ANY PARTY. FOLLOW US ON: THANK YOU

Orchestrate Your Security Defenses to Optimize the Impact of Threat Intelligence

Orchestrate Your Security Defenses to Optimize the Impact of Threat Intelligence

Recomendados

Mais conteúdo relacionado

Mais procurados

Mais procurados(20)

Similar a Orchestrate Your Security Defenses to Optimize the Impact of Threat Intelligence

Similar a Orchestrate Your Security Defenses to Optimize the Impact of Threat Intelligence(20)

Mais de IBM Security

Mais de IBM Security(20)

Último

Último(20)

Orchestrate Your Security Defenses to Optimize the Impact of Threat Intelligence