IBM X-Force Exchange: Collaborative Threat Intelligence and Actionable Integration
Adrian Aldea, IBM Security Senior Consultant, CEE
Nov 2017, Chisinau
65% of enterprise firms use external threat intelligence to enhance their security decision making [1]. Security teams often lack critical support to make the most of these resources:
- Data is gathered from untrusted sources
- It takes too long to make information actionable
- Analysts can't separate the signal from the noise
[1] Source: ESG Global
IBM X-Force Exchange is a threat intelligence sharing platform designed to help your security teams research, collaborate, and act. xforce.ibmcloud.com
Use cases: collaborative threat intelligence
- Research: enhance security insights with curated content
- Collaborate: engage with peers to validate threats and develop response plans
- Act: strengthen security solutions with threat intelligence delivered through open standards

IBM X-Force Exchange is a platform for consuming, sharing and acting on threat intelligence. X-Force Exchange is:
- OPEN: a robust platform with access to a wealth of threat intelligence data
- ACTIONABLE: an integrated solution to help quickly stop threats
- SOCIAL: a collaborative platform for sharing threat intelligence
RESEARCH: Investigate security incidents with curated content
COLLABORATE: Validate threats and develop response plans with peers
ACT: Integrate threat intelligence with security solutions through open standards
Our automated technologies and research teams monitor the global threat level at all times
- Data capture: the web is continuously scanned and categorized, identifying malware hosts, spam sources, etc.
- Analysis: security teams analyze the global data to identify attack trends and share insights
- Dynamic updates: threat intelligence databases are dynamically updated, delivering up-to-the-minute accuracy

The X-Force team has a long history of collecting information from across the internet and cataloguing it into different repositories that can then be applied to different products within the portfolio. The infrastructure IBM uses for collecting data includes a web crawler (similar in technology to what Google would use, but focused on identifying threats and malicious web domains), honeypots and darknets to capture the network communication indicative of malware, and spam traps for obtaining as much spam as possible. Capturing this data is important; equally important is turning the information collected into insights that can be integrated with products and help protect an enterprise.
The scale of IBM Security brings unique breadth and depth to X-Force threat intelligence
- 20,000+ devices under contract
- 20B events managed per day
- 133 monitored countries
- 3,700+ security-related patents
- 270M endpoints monitored for malware
- 32B analyzed web pages and images
- 17M spam and phishing attacks daily
- 18K identified bad actors
- 850K malicious IP addresses
- 100K documented vulnerabilities
- Millions of unique malware samples
(As of August 13, 2017)

IBM X-Force has a long-standing history as one of the best-known commercial security research and development groups in the world. It can leverage security expertise across IBM to better understand what is happening in security, and it works closely with the IBM managed security services group, monitoring over 20B security events every day from nearly 4,000 security clients in over 133 countries. Its intelligence sources include a global web crawler (probably the biggest in the world behind Google and Bing), spam traps around the world, international spam collectors, and a database of more than 100K security vulnerabilities that is monitored every day. All of this is done to stay ahead of continuing threats for customers.

The web crawler is particularly interested in files, images or pages that contain malicious links or content. The team in Kassel, Germany that builds the web crawler also developed an anti-spam product. The spam traps around the world receive large amounts of spam so that the team can analyze and understand the different types and preemptively block them. The work covers four key areas: research, engines, content, and industry/customer deliverables such as the X-Force report, blogs, articles, presentations and speaking engagements.
Correlation of indicators and higher-order intelligence is critical

Indicator feeds vs. correlated threat intelligence

Indicator feed (flat facts, one per line):
- is a malware C&C server
- djs14.com is a malware C&C server
- CVE is an Excel vulnerability
- sends SPAM
- Organization Y is a threat actor

Correlated threat intelligence (the same C&C server, in context):
- ... which is associated with the PoSeidon malware family, targeted against retailers and used by attackers in countries X, Y and Z to steal credit card information from PoS systems
- Communicates with C&C servers: , C&C domains: djs14.com, jdjnci.net; Twitter
- Infects via drive-by download exploiting CVE, a malicious Excel file exploiting CVE, or an attachment from
- Host indicators: registry keys A, B, C; processes D, E, F; event log entries G, H; memory fingerprint J, K
Correlation provides pivotability to accelerate threat investigation

Starting point: network traffic to a C&C IP observed. Each question pivots through the correlated record to a concrete action:
- What does this communication mean? -> Malware associated with the C&C server
- What is the attacker after? -> Actor/campaign details -> Understand motivations, report to executive management
- How do I verify infections? -> Host IoCs for the malware -> Send indicators to the EDR tool -> Quarantine infected endpoints
- Where else are they? -> Other C&C IPs for the malware -> Correlate IPs to flow data in the SIEM -> Investigate exfiltration
- How did they get in? -> Infection method details -> Correlate CVEs to SIEM vulnerability scans -> Initiate patching
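The pivot described above, as an added example (not code from the deck or from IBM): a small indexed store of correlated records, a pivot from one observed indicator to everything linked to it, and a triage step that joins flow records and vulnerability-scan results against that store. The record, flow lines and scan results are constructed; the IP addresses are from the RFC 5737 documentation ranges and the CVE identifier is a placeholder.

```python
"""Pivoting from one observed indicator to correlated threat intelligence.

Constructed example: the record mirrors the slide's "correlated" column
(family -> actor -> C&C infrastructure -> exploited CVE -> host IoCs).
All addresses, the CVE identifier and the host artifacts are placeholders.
"""
import re
from collections import defaultdict

THREAT_RECORDS = [
    {
        "family": "PoSeidon",
        "actor": "Organization Y",
        "targets": "retailers (PoS credit-card theft)",
        "c2_ips": ["203.0.113.10", "203.0.113.11"],   # RFC 5737 documentation range
        "c2_domains": ["djs14.com", "jdjnci.net"],     # domains named on the slide
        "cves": ["CVE-0000-0000"],                     # placeholder identifier
        "infection": "drive-by download / malicious Excel attachment",
        "host_iocs": {
            "registry": ["HKCU\\Software\\Placeholder\\RunA"],
            "processes": ["procD.exe", "procE.exe"],
            "event_log": ["EventID G"],
        },
    },
]


def build_index(records):
    """Invert the records so any atomic indicator resolves to its record(s)."""
    index = defaultdict(set)
    for n, rec in enumerate(records):
        for kind, key in (("ip", "c2_ips"), ("domain", "c2_domains"), ("cve", "cves")):
            for value in rec[key]:
                index[(kind, value.lower())].add(n)
    return index


def pivot(records, index, kind, value):
    """From one observation answer: what is it, how do I verify infection,
    where else are they (other C&C), how did they get in (CVEs)."""
    hits = index.get((kind, value.lower()))
    if not hits:
        return None
    out = {"families": set(), "actors": set(), "c2_ips": set(),
           "c2_domains": set(), "cves": set(), "host_iocs": {}}
    for n in sorted(hits):
        rec = records[n]
        out["families"].add(rec["family"])
        out["actors"].add(rec["actor"])
        out["c2_ips"].update(rec["c2_ips"])
        out["c2_domains"].update(rec["c2_domains"])
        out["cves"].update(rec["cves"])
        for k, v in rec["host_iocs"].items():
            out["host_iocs"].setdefault(k, set()).update(v)
    # Report the *other* C&C infrastructure, not the indicator we started from.
    out["c2_ips"].discard(value.lower())
    out["c2_domains"].discard(value.lower())
    return out


FLOW_RE = re.compile(r"src=(?P<src>\S+)\s+dst=(?P<dst>\S+)")

# Constructed flow records (SIEM export) and vulnerability-scan results.
SAMPLE_FLOWS = [
    "2017-11-02T10:15:00Z src=10.0.0.5 dst=203.0.113.10 dport=443",
    "2017-11-02T10:16:00Z src=10.0.0.7 dst=198.51.100.20 dport=443",   # not in the store
    "2017-11-02T10:17:00Z src=10.0.0.9 dst=203.0.113.11 dport=8080",
]
SAMPLE_VULN_SCAN = {"10.0.0.5": ["CVE-0000-0000"], "10.0.0.8": ["CVE-0000-0000"], "10.0.0.9": []}


def triage(records, index, flow_lines, vuln_scan):
    """Rank internal hosts: beaconing AND exposed first, then beaconing, then exposed."""
    talking = defaultdict(set)   # host -> families it is beaconing to
    exposed = defaultdict(set)   # host -> families whose exploited CVE it carries
    for line in flow_lines:
        m = FLOW_RE.search(line)
        if not m:
            continue
        res = pivot(records, index, "ip", m["dst"])
        if res:
            talking[m["src"]].update(res["families"])
    for host, cves in vuln_scan.items():
        for cve in cves:
            res = pivot(records, index, "cve", cve)
            if res:
                exposed[host].update(res["families"])
    ranked = []
    for host in set(talking) | set(exposed):
        if host in talking and host in exposed:
            ranked.append((0, host, "quarantine + patch (beaconing and exposed)"))
        elif host in talking:
            ranked.append((1, host, "quarantine (beaconing to known C&C)"))
        else:
            ranked.append((2, host, "patch (exposed to exploited CVE)"))
    return [(host, action) for _, host, action in sorted(ranked)]


if __name__ == "__main__":
    idx = build_index(THREAT_RECORDS)
    print(pivot(THREAT_RECORDS, idx, "ip", "203.0.113.10"))
    for host, action in triage(THREAT_RECORDS, idx, SAMPLE_FLOWS, SAMPLE_VULN_SCAN):
        print(host, "->", action)
```

The point of the inverted index is that every atomic fact on the "indicator feed" side becomes a key back into the richer record, so a single flow-log hit yields the other C&C addresses to hunt for, the host IoCs to push to EDR and the CVE to cross-check against scan data.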
Collections streamline security investigations to quickly provide answers
- What is the risk?
- What IoCs are connected?
- Where is this coming from?
- What should I look out for?
- When did this happen?
- What are the experts saying?
xforce.ibmcloud.com
COLLABORATE: Validate threats and develop response plans with peers
Inhibitors to collaborative defense
- Fear of liability
- Corporate policies
- Non-existent processes
- Lack of resources
- Lack of trust relationships

Many companies are not comfortable contributing to collaborative defenses outside their organizations:
- Fear of liability from threat intelligence sharing
- Corporate policies often prohibit threat intelligence from being shared outside the organization
- Processes do not exist within the organization to anonymize and distribute threat intelligence back into the community
- Resources are not allocated to define a process or operationalize TI sharing back into the community
- Trust relationships are not sufficiently established to provide the confidence to share
To address these inhibitors, companies can participate in private collaboration on X-Force Exchange
Private groups with shared collections to address investigations and research workflow
Groups allow public or private collaboration to speed detection
- Address investigations
- Research workflow
- Share collections
- Build sub-groups
- Upload via xforce.ibmcloud.com
Participants in industry consortiums can also collaborate on the platform
1. INCIDENT RESPONDER: discovers a new malware domain and marks it as malicious in the X-Force Exchange.
2. SECURITY ANALYST: finds the domain and applies blocking rules to quickly stop malicious traffic, then shares it with the CISO using the Exchange.
3. CISO: adds the domain to a public collection named "Malicious Traffic Sources Targeting Financial Industry" to share with industry peers.
4. IBM X-FORCE: clients can interact with IBM X-Force security researchers and experts directly; X-Force contributors are identified by the blue mark on their profile.
ACT: Integrate threat intelligence with security solutions through open standards
There is a comprehensive range of threat intelligence available via API

Indicators/Content | Details
Vulnerabilities | Risk score (CVSS), exploit characteristics, exploit consequences, remedy information, affected products, protection information (e.g. references for IPS and vulnerability assessment content) and external references
Malware | Disposition, hash value, first observed, malware family, vendors covering (%), download sources, command and control servers, sources and subjects
Malware families | First/last observance and associated hash values (MD5)
IP reputation | Risk score (1-10), geolocation, applications associated, malware associated, categorization (current and historical, with confidence value 1-100%), passive DNS information, subnet reputation
URL reputation | Risk score (1-10), applications associated, categorization (current and historical), DNS information
Web applications | Risk score, categorization, base URL, vulnerabilities, hosting URLs and hosting IPs
pDNS | Passive DNS information
Whois | Registrant information: name, organization, country
IBM Network Protection | Monthly XPU content, as well as each signature, the date of its release and the vulnerability for which it provides coverage
Collections | Curated content on specific security investigations, including both structured and unstructured content
Higher-order intelligence | CybOX objects such as campaign, threat actor, tools, tactics, procedures, course of action and indicator information, as part of the collections
Threat Feed Manager expands and simplifies threat intelligence
- Enable 3rd-party threat intelligence sources
- Integrate data
- Single pane of glass
xforce.ibmcloud.com
STIX / TAXII standards support
The use of open standards maximizes interoperability with existing systems.

JSON RESTful API:
- API queries based on a query/response model for threat intelligence
- Uses basic authentication (the credential travels on every request, so the API must only be reached over HTTPS and the key handled as a secret)
- Load balanced to support traffic loads
- Node SDK module available

STIX / TAXII:
- TAXII services provided to access threat intelligence
- Supports STIX/CybOX objects
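The query/response pattern above, as an added example (not IBM's SDK and not code from the deck): building an authenticated request against the REST API and turning an IP reputation report (risk score 1-10, categorization with confidence) into an allow/watch/block decision. Assumptions, to be checked against the current API documentation: the base URL https://api.xforce.ibmcloud.com, an IP reputation resource at /ipr/{ip}, an API key and API password used as the basic-auth user and password, and a report carrying "score" and "cats" fields. The sample report is constructed, the thresholds are local policy, and the network call itself is not exercised offline.

```python
"""Authenticated query to the X-Force Exchange REST API and a risk decision.

Assumptions (verify against the API docs): base URL, the /ipr/{ip} path,
API key + API password as basic-auth credentials, and the "score"/"cats"
report fields. SAMPLE_REPORT below is constructed, not a real response.
"""
import base64
import json
import urllib.request

API_BASE = "https://api.xforce.ibmcloud.com"   # assumption


def build_request(path, api_key, api_password):
    """Build a GET carrying the Basic credential. Basic auth is only acceptable
    because the transport is TLS; never let API_BASE become a plain http URL."""
    if not path.startswith("/"):
        raise ValueError("path must be absolute, e.g. /ipr/203.0.113.10")
    if not API_BASE.startswith("https://"):
        raise ValueError("refusing to send credentials without TLS")
    token = base64.b64encode(f"{api_key}:{api_password}".encode()).decode()
    req = urllib.request.Request(API_BASE + path, method="GET")
    req.add_header("Authorization", "Basic " + token)
    req.add_header("Accept", "application/json")
    return req


def fetch_json(req, timeout=10):
    """Perform the call and decode the JSON body (network; not run offline)."""
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)


# Categories that justify blocking outright when reported with enough confidence.
# Category names are assumed; adjust to what the API actually returns.
BLOCK_CATEGORIES = {"Botnet Command and Control Server", "Malware", "Scanning IPs"}


def assess_ip(report, block_score=7.0, watch_score=4.0, min_confidence=60):
    """Map a reputation report to allow / watch / block and record why.
    Thresholds are local policy, not part of the API."""
    score = float(report.get("score", 0) or 0)
    cats = report.get("cats") or {}
    reasons = []
    confident_bad = sorted(c for c, conf in cats.items()
                           if c in BLOCK_CATEGORIES and conf >= min_confidence)
    if score >= block_score:
        reasons.append(f"risk score {score} >= {block_score}")
    if confident_bad:
        reasons.append("category " + ", ".join(confident_bad))
    if reasons:
        action = "block"
    elif score >= watch_score:
        action, reasons = "watch", [f"risk score {score} >= {watch_score}"]
    else:
        action, reasons = "allow", ["no signal above thresholds"]
    return {"ip": report.get("ip"), "action": action, "reasons": reasons}


# Constructed sample in the assumed report shape (RFC 5737 documentation address).
SAMPLE_REPORT = {
    "ip": "203.0.113.10",
    "score": 8.5,
    "cats": {"Botnet Command and Control Server": 71, "Spam": 43},
}


def lookup_and_assess(ip, api_key, api_password):
    """End-to-end path: build the request, call the API, decide."""
    return assess_ip(fetch_json(build_request(f"/ipr/{ip}", api_key, api_password)))


if __name__ == "__main__":
    print(assess_ip(SAMPLE_REPORT))
```

A low-confidence category on its own does not block; the decision needs either the aggregate score or a high-confidence hostile category, which keeps a single stale categorization from driving a firewall rule.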
A fundamental piece of the IBM Security Immune System

SECURITY TRANSFORMATION SERVICES: management consulting | systems integration | managed security

SECURITY OPERATIONS AND RESPONSE: App Exchange, X-Force Exchange, X-Force Malware Analysis on Cloud, BigFix, QRadar Incident Forensics, QRadar SIEM, QRadar User Behavior Analytics, QRadar Vulnerability / Risk Manager, QRadar Advisor with Watson, Resilient Incident Response, i2 Enterprise Insight Analysis

INFORMATION RISK AND PROTECTION: MaaS360, Trusteer Mobile, Trusteer Rapport, Trusteer Pinpoint, AppScan, Guardium, Cloud Security, Privileged Identity Manager, Identity Governance and Access, Cloud Identity Service, Key Manager, zSecure

IBM offers a rich portfolio of products and services that are organized into three domains that uniquely address client needs. First is the Security Operations and Response domain, which helps organizations orchestrate their defenses throughout the attack lifecycle. The second is the Information Risk and Protection domain, which helps organizations protect their most critical information and risks. The third is Security Transformation Services, which help organizations transform their security program. All of the IBM Security offerings are backed by an extensive business partner ecosystem consisting of industry-leading technology, sales and service partners.

Security Operations and Response key offerings:
- IBM X-Force Exchange: automatically update incident artifacts with threat intelligence
- IBM App Exchange: quickly defend your organization with apps and add-ons
- IBM BigFix: find, fix and secure endpoint threats and vulnerabilities
- IBM Security Network Protection: prevent network exploits and limit malware communications
- IBM QRadar Security Intelligence: use advanced analytics to discover and eliminate threats
- IBM Resilient Incident Response Platform: generate response playbooks and coordinate activity
- IBM QRadar User Behavior Analytics: helps detect insider threats and risks
- IBM Security Services: deliver operations consulting to help implement processes, and response experts when something goes wrong

Information Risk and Protection key offerings:
- IBM Cloud Security: delivering new investments to help secure innovation to and from the cloud
- IBM MaaS360: mobile productivity and enterprise security without compromise
- IBM Identity Governance and Access Management: govern and enforce context-based access to critical assets
- IBM Guardium: protect crown jewels across the enterprise and cloud
- IBM AppScan: scan and remediate vulnerabilities in modern applications
- IBM Trusteer: stop financial and phishing fraud, and account takeovers
- IBM Security Services: deliver governance, risk and compliance consulting, systems integration and managed security services

Security Transformation Services:
- Security Strategy, Risk and Compliance: automate governance, risk and compliance programs
- Security Intelligence and Operations: build security operations and security fusion centers
- Cyber Security Assessment and Response: establish robust security testing and incident management programs
- Identity Governance and Management: modernize identity and access management for the cloud and mobile era
- Data and Application Security: deploy robust critical data protection programs
- Infrastructure and Endpoint Security: redefine infrastructure and endpoint solutions with secure software-defined networks