Although the majority of organizations subscribe to threat intelligence feeds to enhance their security decision making, it's difficult to take full advantage of true insights due to the overwhelming amounts of information available. Even with an integrated security operations portfolio to identify and respond to threats, many companies don't take full advantage of the benefits of external context that threat intelligence brings to identify true indicators of compromise. By taking advantage of both machine- and human-generated indicators within a collaborative threat intelligence platform, security analysts can streamline investigations and speed the time to action.
Join this webinar to hear from the IBM Security Chief Technology Officer for Threat Intelligence to learn:
How the IBM Security Operations and Response architecture can help you identify and respond to threats faster
Why threat intelligence is a fundamental component of security investigations
How to seamlessly integrate threat intelligence into existing security solutions for immediate action
Orchestrate Your Security Defenses to Optimize the Impact of Threat Intelligence
1. Orchestrating Your Security Defenses with Threat Intelligence
August 15, 2017
Sam Dillingham, Senior Offering Manager, IBM X-Force
Pamela Cobb, Portfolio Manager, IBM X-Force
2. Today’s agenda
Intro to Threat Intelligence
Threat Intelligence use cases
Taking action with integrations
Get started today!
IBM Security
3. It takes too long to make information actionable. Analysts can’t separate the signal from the noise. Data is gathered from untrusted sources.
65% of enterprise firms use external threat intelligence to enhance their security decision making. (1)
Security teams often lack critical support to make the most of these resources.
1 Source: ESG Global
4. More companies are sharing and consuming threat intelligence
1. Timely and early warning of relevant threats to stay a step ahead
2. Increased visibility to emerging threats as more organizations benefit from other organizations’ detections
3. Validation and prioritization of threats based on context of suspicious activity
4. Faster and more orchestrated response through enrichment of incidents with IoCs
5. More awareness of targets and tactics to help plan, build and evolve your security strategy
Source: How to Collect, Refine, Utilize and Create Threat Intelligence, Gartner, Oct 2016
IBM and Business Partner Use Only
5. IBM X-Force Exchange is a threat intelligence sharing platform designed to help security teams research, collaborate and integrate.
xforce.ibmcloud.com
6. Collections streamline security investigations with research from curated content
• Validate findings
• Aid in forensic investigations
• Provide tactical / strategic intelligence
Groups allow public or private collaboration to validate threats and develop response plans
• Address investigations
• Enable research workflow
• Interact with X-Force research community
Integrations strengthen security solutions and provide additional threat intelligence
• X-Force Exchange SDK / API / STIX / TAXII
• Threat Feed Manager
• Free / commercial usage
7. Today’s agenda
Intro to Threat Intelligence
Threat Intelligence use cases
Taking action with integrations
Get started today!
8. Use cases for threat intelligence
Real-time blocking
Security operations
Threat research & hunting
9. Use Case 1: Real-time blocking
Usage
• Blocking access to known malicious actors
• Can include IPs, domains, URLs, etc.
• Implemented by firewalls, IPSes, proxies, and other security devices
Critical Factors
• Speed in making blocking decisions
• Scoring flexibility to set a threshold of what to block
• Frequent incremental updates to minimize performance impact
Delivery Route
• Software development kits (SDKs)
• Block lists
10. In IBM X-Force Exchange, classification and scoring for URLs and IP addresses combines results of multiple analyses.
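The three critical factors of Use Case 1 (decision speed, a configurable scoring threshold, incremental updates) in one small component, as an added example that is not IBM's or X-Force Exchange's code. It keeps an IP-to-score table on the 1-10 IP reputation scale the deck describes; the feed records, their (action, indicator, score) shape and the addresses are constructed for the example.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address
from typing import Dict, Iterable, List, Set, Tuple

# Constructed delta record shape: (action, indicator, score); a real feed's
# incremental format will differ, this one is assumed for the example.
Update = Tuple[str, str, int]

@dataclass
class ReputationBlockList:
    threshold: int = 7                       # block when score >= threshold
    scores: Dict[str, int] = field(default_factory=dict)

    def apply(self, updates: Iterable[Update]) -> int:
        """Apply an incremental delta (add/update/remove); returns records applied."""
        applied = 0
        for action, indicator, score in updates:
            ip = str(ip_address(indicator))  # normalise; rejects malformed input
            if action == "remove":
                self.scores.pop(ip, None)
            elif action in ("add", "update"):
                if not 1 <= score <= 10:     # X-Force IP reputation uses a 1-10 scale
                    raise ValueError(f"score out of range for {ip}: {score}")
                self.scores[ip] = score
            else:
                raise ValueError(f"unknown action {action!r}")
            applied += 1
        return applied

    def should_block(self, indicator: str) -> bool:
        """Enforcement-point check: a single dict lookup per decision."""
        return self.scores.get(str(ip_address(indicator)), 0) >= self.threshold

    def blocked(self) -> Set[str]:
        """Current block set; derived from scores, so a threshold change needs no re-sync."""
        return {ip for ip, s in self.scores.items() if s >= self.threshold}

# Constructed sample feed (RFC 5737 documentation addresses): a full initial
# load followed by one incremental delta.
INITIAL_FEED: List[Update] = [("add", "198.51.100.7", 9), ("add", "203.0.113.5", 4),
                              ("add", "192.0.2.44", 7)]
DELTA_FEED: List[Update] = [("update", "203.0.113.5", 8), ("remove", "192.0.2.44", 0)]

def demo(threshold: int = 7) -> Set[str]:
    """Load, apply the delta, and return what a device at this threshold would block."""
    bl = ReputationBlockList(threshold=threshold)
    bl.apply(INITIAL_FEED)
    bl.apply(DELTA_FEED)
    return bl.blocked()
```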
12. Use Case 2: Security Operations
Usage
• Maps threat intelligence to data observed in your environment
• Includes intelligence that can be mapped to network and host-based indicators
• Integration with operational tools, such as SIEM and incident response
Critical Factors
• Support for open standards for easy integration into existing solutions
• Pivotability among indicators to aid in rapid investigation
• Completeness of data
Delivery Route
• STIX/TAXII feeds
• Cybox
13. The use of open standards maximizes interoperability with existing systems
JSON RESTful API
• API queries based on query/response model for threat intelligence
• Leverages basic authentication
• Load balanced to support traffic loads
• Node SDK module available
STIX / TAXII Standards Support
• TAXII services provided to access threat intelligence
• Supports STIX/Cybox objects
14. Use Threat Intelligence through open STIX/TAXII format
Use reference sets for correlation, searching, reporting
• Load threat indicators in Collections into QRadar Reference sets
• Create custom rule response to post IOCs to Collection
• Bring Watchlists of IP addresses from X-Force Exchange and create a rule to raise the magnitude of any offense that includes the IP Watchlist
15. Use Case 3: Threat Research and Hunting
Usage
• Research of potential threats that may or may not yet be affecting your organization
• Can be done via a web-based UI or API
Critical Factors
• Scriptable access of data in an easy-to-use manner
• Aggregation of multiple intelligence sources (from different vendors) into a single stream
• Flexible search
Delivery Route
• REST-based API
• Research platforms with web interfaces
16. X-Force global threat intelligence delivers a wide range of benefits
Higher Order Intelligence: Actors, Campaigns, Incidents, TTPs
Observables and Indicators: Vulnerabilities, Malware, Anti-Spam, Web App Control, IP Reputation, URL / Web Filtering
17. Correlation of indicators and higher-order intelligence is critical
Indicator Feeds:
• 173.242.117.120 is a malware C&C server
• djs14.com is a malware C&C server
• CVE-2013-3029 is an Excel vulnerability
• abc@xyz.com sends SPAM
• Organization Y is a threat actor
vs. Correlated Threat Intelligence:
173.242.117.120 is a malware C&C server … which is associated with the PoSeidon malware family, targeted against retailers, used by attackers in country X, Y and Z to steal credit card information from PoS systems.
• Communicates with C&C servers: 173.242.117.120, 203.19.201.20; C&C domains: djs14.com, jdjnci.net; Twitter feed @malwarecommander
• Infects via drive-by download exploiting CVE-2015-2093; malicious Excel file exploiting CVE-2013-3029; email attachment from abc@xyz.com
• Host indicators: Registry keys A, B, C; Processes D, E, F; Event log entries G, H; Memory fingerprint J, K
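The QRadar watchlist workflow of slide 14 and the correlation-to-pivot step of slide 17 together, as an added example that is not IBM's or QRadar's code: a watchlist keyed by network indicator stands in for a reference set, constructed key=value flow lines stand in for SIEM flow data, the offense magnitude arithmetic stands in for a custom rule response, and the indicator values are the ones the slide shows for PoSeidon.

```python
from dataclasses import dataclass
from typing import Dict, List, Set

@dataclass(frozen=True)
class MalwareFamily:            # higher-order intelligence a single indicator pivots to
    name: str
    cnc_ips: frozenset
    cnc_domains: frozenset
    exploited_cves: frozenset

# Correlated intelligence as laid out on slide 17 (indicator values from the slide).
POSEIDON = MalwareFamily("PoSeidon",
                         frozenset({"173.242.117.120", "203.19.201.20"}),
                         frozenset({"djs14.com", "jdjnci.net"}),
                         frozenset({"CVE-2015-2093", "CVE-2013-3029"}))

def build_reference_set(families: List[MalwareFamily]) -> Dict[str, MalwareFamily]:
    """Watchlist keyed by network indicator (stand-in for a QRadar reference set)."""
    return {ioc: fam for fam in families for ioc in fam.cnc_ips | fam.cnc_domains}

# Constructed flow records; the key=value field names are assumed, not a real SIEM format.
FLOW_LOG = [
    "src=10.20.30.41 dst=173.242.117.120 dport=443 bytes=182334",
    "src=10.20.30.42 dst=203.0.113.9 dport=443 bytes=5120",
    "src=10.20.30.41 dst=203.19.201.20 dport=8080 bytes=2201",
]

@dataclass
class Offense:
    src: str                    # internal host the offense is raised against
    matched: List[str]          # watchlisted destinations it contacted
    magnitude: int              # base magnitude plus one boost per watchlist hit, capped at 10
    family: MalwareFamily       # what the matched indicator pivots to

def correlate(lines: List[str], ref: Dict[str, MalwareFamily],
              base: int = 3, boost: int = 4) -> Dict[str, Offense]:
    """Raise one offense per source host talking to a watchlisted destination (custom rule response)."""
    offenses: Dict[str, Offense] = {}
    for line in lines:
        f = dict(kv.split("=", 1) for kv in line.split())
        fam = ref.get(f["dst"])
        if fam is None:         # not on the watchlist: no offense, no magnitude change
            continue
        off = offenses.setdefault(f["src"], Offense(f["src"], [], base, fam))
        off.matched.append(f["dst"])
        off.magnitude = min(10, off.magnitude + boost)
    return offenses

def pivot_indicators(off: Offense) -> Set[str]:
    """Related indicators to hunt next: the family's other C&C IPs/domains and exploited CVEs."""
    fam = off.family
    return set(fam.cnc_ips | fam.cnc_domains | fam.exploited_cves) - set(off.matched)
```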
18. Correlation provides pivotability to accelerate threat investigation
Pivot chain: Network traffic to C&C IP observed → Malware associated with C&C server → Other C&C IPs for the malware → Host IoCs for the malware → Actor/campaign details → Infection method details
Questions answered along the way: What does this communication mean? What is the attacker after? How did they get in? Where else are they? How do I verify infections?
Resulting actions: Correlate IPs to flow data in SIEM; Send indicators to EDR tool; Correlate CVEs to SIEM vuln scans; Understand motivations, report to exec mgt; Initiate patching; Investigate exfiltration; Quarantine infected endpoints
19. X-Force Exchange Collections streamline security investigations
Higher Order Intelligence: the free text area of the Collection is used to organize Identifiers, Campaigns, TTPs, TLP status, and other pertinent details.
Observables & Indicators: related reports on URL / IP reputation, malware, vulnerabilities, and related attachments.
20. Agenda
Intro to Threat Intelligence
Threat Intelligence use cases
Taking action with integrations
Get started today!
21. The scale of IBM Security brings unique breadth and depth to X-Force threat intelligence
• 20,000+ devices under contract
• 20B events managed per day
• 133 monitored countries
• 3,700+ security-related patents
• 270M endpoints monitored for malware
• 38B analyzed web pages and images
• 8M spam and phishing attacks daily
• 850K malicious IP addresses
• 113K documented vulnerabilities
• Millions of unique malware samples
As of May 2017
22. X-Force Threat Intelligence can be integrated into security solutions via multiple methods
IBM CONFIDENTIAL - LIMIT DISTRIBUTION UNTIL MAY 16
[Architecture diagram; labels recovered from the figure] Threat integration side: Data & intelligence sources; Analytics Engine; Threat Intelligence Content (pDNS, Whois information, Collections, Higher Order Intelligence, Vulnerabilities, Malware Sandbox, Malware Families, IP Reputation, URL Reputation, Web Applications). Delivery Layer: API Portal, Open API, Commercial API, SDK. Threat consumers: IBM Security Products, OEM, Platform Users. Platform Layer: XFMA, XGS, Platform Users.
23. There is a comprehensive range of Threat Intelligence available via API
Indicators/Content: Details
Vulnerabilities: Risk score (CVSS), Exploit characteristics, Exploit consequences, Remedy information, Affected Products, Protection information (e.g. references for IPS, Vulnerability Assessment content), and External references
Malware: Disposition, Hash value, First observed, Malware family, Vendors covering (%), Download sources, Command and Control Servers, Email sources, and Email subjects
Malware Families: First/Last Observance, and Associated hash values (MD5)
IP Reputation: Risk score (1-10), Geolocation, Applications associated, Malware associated, Categorization – current and historical with confidence value (1-100%), Passive DNS information, Subnet reputation
URL Reputation: Risk score (1-10), Applications associated, Categorization – current and historical, DNS information
Web Applications: Risk score, Categorization, Base URL, Vulnerabilities, Hosting URLs, and Hosting IPs
pDNS: Passive DNS information
Whois information: Registrant information – name, organization, country, and e-mail.
IBM Network Protection: Monthly XPU Content, as well as each signature, date of its release, and the vulnerability for which it provides coverage
Collections: Curated content on specific security investigations, including both structured and unstructured content.
Higher Order Intelligence: Cybox objects such as campaign, threat actor, tools, tactics, procedures, course of action, and indicator information, as part of the collections.
24. IBM Security App Exchange: driving the evolution of collaborative defense
• Access user and business partner innovations
• Extend IBM Security solution functionality to new use cases
• Download validated security apps from a single platform
• A platform for security collaboration
https://apps.xforce.ibmcloud.com
25. React faster, coordinate better, respond smarter to incidents
Single Hub Provides Easy Workflow Customization and Process Automation
• Helps cyber security teams orchestrate IR process and manage and respond to incidents faster, better and more intelligently
• Drives down response times by streamlining the process of escalating and managing incidents
• Ensures consistency and adherence to regulatory requirements and legal obligations
• Automates time-consuming tasks
• Leverages staff more effectively
26. IBM X-Force Malware Analysis: submit suspicious files directly into IBM X-Force Exchange
• Automate suspicious file investigation
• Act on in-depth intelligence reports
• Access anywhere, anytime with a scalable cloud architecture
27. A diversified financial services company greatly improved their threat research capabilities and collaboration workflows
“I didn’t realize I was on X-Force Exchange that much. The collaboration capabilities and threat intelligence are highly valuable to me and a great help to my challenges and activities throughout each day.”
- Network Security Analyst II
Business challenge
• Need for curated threat research to complement their SIEM
• Lack of internal collaboration in the threat investigation process
IBM X-Force Exchange with IBM QRadar
Helped better defend the organization’s network from attacks, scans and phishing attempts on a daily basis, using IP / URL reputation data, geo-location status of IPs, vulnerability data, md5 detail and shared collections from X-Force Exchange in conjunction with IBM QRadar.
Research, collaborate and integrate
28. Agenda
Intro to Threat Intelligence
Threat Intelligence use cases
Taking action with integrations
Get started today!
29. Helpful Resources
X-Force Exchange
• Try it: xforce.ibmcloud.com
• API: https://api.xforce.ibmcloud.com/doc/
General X-Force information:
• X-Force blogs on SecurityIntelligence.com
• IBM X-Force Threat Intelligence Report for 2017
• IBM Interactive Security Incidents website to stay up to date on latest verified breaches
Contact Us!
Sam Dillingham, sam.dillingham@us.ibm.com, Sr Offering Manager
Pamela Cobb, pcobb@us.ibm.com, Portfolio Manager