Latest NSS Labs Testing Results


Download the NSS Labs 2013 IPS Group Test:

Understanding the criteria and test methodology of various third-party testing is a key component of making an informed decision on your next intrusion prevention platform. In this webcast, we will delve into the latest NSS Labs testing results, where IBM scored 95.7% in exploit block rate, and describe what it shows about the effectiveness of IBM Intrusion Prevention Solutions. We will also cover the role of third-party testing in general and how this testing applies to “real-world” threats and constantly changing attacks. Don’t miss the chance to get insight on the latest IBM test results and learn more about what third-party testing means for you.

View the On-demand webinar:

  • Writing signatures to match specific exploit or attack traffic is the outermost layer. Many of our competitors rely on this approach as their predominant detection method, but we believe this is insufficient, which is why we've spent over a decade developing additional layers of complex inspection technologies beyond simple pattern matching to stop whole classes of threats. IBM goes deeper: we build decodes on the vulnerabilities, not the exploits; apply heuristics to application behavior; analyze web traffic for injection attempts; block embedded shellcode; dive into content; and finally, spend a lot of time understanding full network protocols, giving us a unique capability to identify complex techniques such as evasions and tunneling, but also zero-day behavior that might be something entirely new.
  • HTML_Browser_Plugin_Overflow - This signature detects the network transfer of HTML directives containing a Java plugin instantiation that could overflow a buffer and cause the browser to execute code specified by a remote attacker on a victim's computer. (CVE-2010-3522)
  • Java_Malicious_Applet - This signature analyzes Java applet class files and computes a threat level heuristic representing likely potential for malicious activity. (CVE-2013-2465, CVE-2013-2463)
  • Java_Sandbox_Code_Execution - This signature analyzes Java applet class files for classes and methods that may indicate an attempt to call the security manager with the intent of extending applet permissions.
  • JavaScript_NOOP_Sled - This signature detects a simple NOOP sled in an 'unescape()' JavaScript function. This may indicate an attempt to overflow a buffer by padding the request with a large number of NO-OP instructions. A successful attempt could cause a denial of service or allow arbitrary code to be executed on the system.
  • Script_Suspicious_Score - This event signifies an accumulation of suspicious characteristics in scripting languages. The script source code is scanned for various attributes, each of which might be used legitimately, but which, in combination, appear suspicious and may be evidence of malicious or clandestine intent. Blocking by default since July 2012. (CVE-2013-3893)
  • JavaScript_Msvcrt_ROP_Detected - This event detects JavaScript code that appears to be an attempt to exploit return-oriented programming techniques when using the Microsoft Visual Studio C run-time library. (CVE-2013-3893)
  • CompoundFile_Embedded_SWF - This event looks for the transfer of a compound file (for instance, a Microsoft Office document) that appears to embed a SWF file that creates another SWF file. This represents a suspicious condition which may be used to obfuscate an attack.
  • Cross-site scripting - Vulnerability, commonly found in web applications, that makes it possible for attackers to inject malicious code into a victim’s web browser.
  • SQL Injection - Vulnerability allowing malicious SQL statements to run on a database, i.e. reading sensitive data, modifying database data, or executing admin operations on the database.
  • “In order to determine which IPS products were protecting against known public exploits vs. the underlying vulnerability, the NSS Labs 2013 IPS Group Test put increased emphasis on using exploits that varied from their known public form,” said Vikram Phatak, Chairman and CEO of NSS Labs. “IBM performed extremely well in this testing, achieving an overall score of 95.7%. This speaks to the ability of the IBM IPS to perform against the types of constantly evolving threats that are often seen in today’s networks.”
  • The XGS 5100 is a follow-on release from our initial launch of this product last year. Positioning the solution around three main pillars: threat protection, network control, and integration. We’ll get into each of these pillars a bit more in a minute…

    1. IBM Security Systems. The Results are in: IBM’s Capabilities Shine in Latest NSS Labs Testing. December 10th 2013. Jim Brennan, Program Director of Strategy & Product Management, Infrastructure Security. © 2013 IBM Corporation
    2. A brief primer to get started … Vulnerability vs Exploit
         • Vulnerability: A potential weakness in a system. Not a danger on its own. May be multiple ways of breaking in.
         • Exploit: A tool used to gain entry. Many different exploits can target a single weakness.
    3. Two different protection approaches, yielding very different results
         • Focus on the Vulnerability: Prevent everything from breaking the window. Pre-emptive protection.
         • Focus on the Exploits: Prevent a crowbar from breaking the window. Prevent a rock from breaking the window. Prevent a cannonball from breaking the window. New exploit, new signature.
    4. Mutated threats evade exploit-focused defense mechanisms
         • Vulnerability: Form input (email, password, Submit) passed direct to a database query without proper validation or sanitization.
         • Exploit (BLUE CROWBAR): ' OR username IS NOT NULL OR username = '
           Common SQL injection in plain text to dump usernames from a table.
         • Mutated Exploit (RED CROWBAR): JyBPUiB1c2VybmFtZSBJUyBOT1QgTlVMTCBPUiB1c2VybmFtZSA9ICc=
           The same SQL injection encoded with Base64 can evade pattern matching.
    5. IBM’s multiple intrusion prevention technologies work in tandem. Spectrum of Vulnerability and Exploit Coverage. IBM stays ahead of the threat with these protection engines:
         • Exploit Signatures: Attack specific pattern matching. (Some IPS solutions stop at pattern matching.)
         • Vulnerability Decodes: Focused algorithms for mutating threats.
         • Application Layer Heuristics: Proprietary algorithms to block malicious use.
         • Web Injection Logic: Patented protection against web attacks, e.g. SQL Injection and Command Injection.
         • Shellcode Heuristics: Behavioral approach to blocking exploit payloads.
         • Content Analysis: File and document inspection.
         • Protocol Anomaly Detection: Protection against misuse, unknown vulnerabilities, and tunneling across 230+ protocols.
    6. The Result = Preemptive protection for today’s threats. [Timeline chart, Pre-2009 to 2013. Red = Attacks, Blue = Preemptive Heuristic Detection.] The signatures and examples shown in this slide are for representation of the heuristic coverage available and do not demonstrate the entire listing of attacks from the time the signature was created.
         • Java Byte Code Exploitation. Attacks: Oracle Java Exploit CVE-2012-4681; Java Plug-in for IE Remote Code; Oracle Java Exploit CVE-2013-2465 and 2463. Heuristics: Java_Sandbox_Code_Execution (IPS); HTML_Browser_Plugin_Overflow; Java_Malicious_Applet.
         • Client-based Threats. Attacks: MS IE Remote Exploit CVE-2012-4781; MS IE Remote Exploit CVE-2013-3893; Adobe Flash Code Exec CVE-2011-0611; Gong Da Exploit CVE-2013-0633. Heuristics: JavaScript_NOOP_Sled; JavaScript_Msvcrt_ROP_Detected; Script_Suspicious_Score; CompoundFile_Embedded_SWF.
         • Web Application Attacks. Attacks: EasyMedia Script XSS; PHP-Fusion SQLi; MS SharePoint CVE-2012-1859; MS SQL Server CVE-2012-2552; Oracle DB SQLi; Lizamoon; Lilupophilupop. Heuristics: Cross_Site_Scripting; SQL_Injection.
    7. 2012 Tolly Group Report demonstrated IBM’s adaptive protection
         • Delivers superior protection from evolving threats with high levels of performance
         • Stops 99% of tested, publicly available attacks
         • Is nearly twice as effective as Snort at stopping "mutated" attacks
         • Protects streams of 100% HTTP traffic at speeds of 20 Gbps and mixed traffic loads of 35 Gbps+
       Source: Tolly Test Report October 2012
    8. Simple mutations rendered signature matching engines useless
         • A simple change to a variable name allows the attack to succeed, while rendering the protection of a signature matching engine useless.
           Original variable names: Shellcode, Block, heapLib
           Mutated variable names: somecode, brick, badLib
         • A simple change to the HTML code in a compromised web page makes the attack invisible to signature protection.
           Original class reference: <html><head></head> <body><applet archive="jmBXTMuv.jar" code="msf.x.Exploit.class" width="1" height="1"><param name="data" value=""/><param name="jar">
           Mutated class reference: <html><head></head> <body><applet archive="eXRZLr.jar" code="msf.x.badguy.class" width="1" height="1"><param name="data" value=""/><param name="jar">
         • Simply adding a comment to a web page results in an attack successfully bypassing signature IPS.
           Original code: var t = unescape;
           Mutated code: var t = unescape <!-- Comment -->;
    9. NSS Labs
         • Independent information security research and testing organization
         • Pioneered third party intrusion detection and prevention system testing with the publication of the first such test criteria in 1999
         • Evaluates firewall, unified threat management, anti-malware, encryption, web application firewall, and other technologies on a regular basis
    10. NSS Labs 2013 Group IPS Test: Shows IBM’s solutions are especially effective against mutating threats
         • 95.7% Exploit Block Rate
         • 97.7% Block Rate for Server Attacks
         • 94.1% Block Rate for Client Attacks
         • PASS: All tests related to “Stability & Reliability”
         • PASS: All tests related to “Evasions”
        “[IBM’s score] speaks to the ability of the IBM IPS to perform against the types of constantly evolving threats that are often seen in today’s networks.” –Vikram Phatak, Chairman and CEO, NSS Labs
    11. Coverage by Attack Vector
         • Attacker Initiated: Executed remotely against a vulnerable application or operating system
         • Target Initiated: Initiated by user behavior (clicking on a link, opening an attachment, etc)
    12. Coverage by Target Vendor. “This graph highlights the coverage offered by the IBM GX7800 for some of the top vendor targets (out of more than 70) represented in this round of testing”
    13. Evasion Results in Detail. “The device proved effective against all evasion techniques tested. The IBM GX7800 successfully blocked all evasions, resulting in an overall PASS.”
    14. Stability & Reliability in Detail. “The IBM GX7800 is required to remain operational and stable throughout the tests, and to block 100% of previously blocked traffic, raising an alert for each.”
    15. Performance Throughput Details
    16. IBM Security Network Protection XGS: The Next Generation of IBM intrusion prevention solutions
         • ADVANCED THREAT PROTECTION: Proven adaptive protection from sophisticated and constantly evolving threats, powered by X-Force®
         • COMPREHENSIVE VISIBILITY & CONTROL: Helps discover and block existing infections and rogue applications while enforcing access policies
         • SEAMLESS DEPLOYMENT & INTEGRATION: Adaptive deployment and superior integration with the full line of IBM security solutions
    17. IBM’s Vision for Integrated Advanced Threat Protection. Cross-domain awareness of threat activity. Integrated platform for distribution of threat intelligence. Cross-domain awareness of targeted assets.
         • In the Wild: Malware analysis, Vulnerability analysis, URL classification, Reputation
         • On the Network: Intrusion prevention, URL filtering, Application control, Malware detection
         • On the Endpoint: Malware prevention, Configuration management
    18. Executing on the Vision. Cross-domain awareness of threat activity. Integrated platform for distribution of threat intelligence. Cross-domain awareness of targeted assets.
         • In the Wild
         • On the Network: IBM Network Protection
         • On the Endpoint: Endpoint Manager, Trusteer Apex
    19. Summary
         • Vulnerability-focused intrusion prevention systems offer pre-emptive protection that cannot be easily evaded by mutating threats
         • IBM’s score of 95.7% exploit block rate in NSS Labs 2013 IPS Group Test speaks to its ability to perform against the types of constantly evolving threats often seen in today’s networks
         • IBM’s Network Protection platform builds upon IBM’s proven adaptive protection to include robust application visibility and control, and is part of a comprehensive platform that defends against threats
    20. Learn more about IBM’s IPS offerings: Download the 2013 NSS Labs IPS Group Test : Read the Tolly Test report on IBM: Learn about Forrester’s Zero Trust Model : Visit our: Blog: Website:
    21. Questions?
    22. © Copyright IBM Corporation 2013. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind, express or implied. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, these materials. Nothing contained in these materials is intended to, nor shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software. References in these materials to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates. Product release dates and/or capabilities referenced in these materials may change at any time at IBM’s sole discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any way. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service marks of others.
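
Slide 4's point, that a literal exploit signature misses the Base64-encoded form of the same SQL injection while a check that decodes the input first still sees it, is shown below as an added example (not IBM's engine and not code from the deck). The rule, the function names and the mutated sample are assumptions constructed for illustration.

```python
import base64
import binascii
import re
from urllib.parse import unquote_plus

# Strings from slide 4; ENCODED is the same payload Base64-encoded.
PLAIN = "' OR username IS NOT NULL OR username = '"
ENCODED = base64.b64encode(PLAIN.encode()).decode()
# Constructed variant: different column name and letter case.
MUTATED = "' or email is not null or email = '"

# Exploit-focused signature: one literal string from one known exploit.
EXPLOIT_SIGNATURE = "' OR username IS NOT NULL"
# Assumed, deliberately simple class-level rule: a quote that ends a string
# literal followed by a boolean operator. Real engines parse far more.
INJECTION_RULE = re.compile(r"'\s*(?:or|and)\b", re.IGNORECASE)
BASE64_SHAPE = re.compile(r"[A-Za-z0-9+/]{8,}={0,2}")

def signature_match(value: str) -> bool:
    return EXPLOIT_SIGNATURE in value

def try_b64(text: str):
    """Decode text as Base64 if it is well-formed UTF-8 underneath, else None."""
    compact = "".join(text.split())  # tolerate line-wrapped encodings
    if len(compact) % 4 or not BASE64_SHAPE.fullmatch(compact):
        return None
    try:
        return base64.b64decode(compact, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None

def candidate_forms(value: str, max_depth: int = 3) -> list:
    """The raw value plus every decoding reachable in max_depth steps."""
    forms, queue = [value], [(value, 0)]
    while queue:
        current, depth = queue.pop(0)
        if depth >= max_depth:
            continue
        for decoded in (unquote_plus(current), try_b64(current)):
            if decoded is not None and decoded not in forms:
                forms.append(decoded)
                queue.append((decoded, depth + 1))
    return forms

def decode_aware_match(value: str) -> bool:
    return any(INJECTION_RULE.search(form) for form in candidate_forms(value))

if __name__ == "__main__":
    for sample in (PLAIN, ENCODED, MUTATED, "alice@example.com"):
        print(signature_match(sample), decode_aware_match(sample), sample)
```

The literal signature fires only on the first sample; the decode-aware rule fires on the plain, encoded and mutated samples and stays quiet on the benign address.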