Security Trends and Risk Mitigation for the Public Sector

© 2013 IBM Corporation
Cyber Security Briefing:
Security Trends and Risk Mitigation for the
Public Sector
Ottawa – June 12, 2013

© 2013 IBM Corporation2
IBM Security Systems
Agenda
8:30 am - Registration & Breakfast
9:00 am – Opening Remarks
Rodney Helal, Sales Executive, Software, Canadian Federal Accounts
9:15 am - Keynote: Security Trends and Risk Mitigation for the Public Sector
Sandy Bird, CTO - Security Division, IBM Canada Ltd.
9:45 am - Application Security for mobile and web applications
Patrick Vandenberg, Program Director, IBM Security
Segment Marketing
10:15 am - Detect threat and mitigate risk using Security Intelligence
Sandy Bird, CTO - Security Division, IBM Canada Ltd.
10:45 am - Investigating, Mitigating, and Preventing Cyber Attacks with
Security Analytics and Visualization
Orion Suydam, Director of Product Management, 21CT

3© 2013 IBM Corporation
IBM X-Force 2012 Annual Trend & Risk Report
Sandy Bird
CTO IBM Security Systems
May 2013

4
Oct 2011
Acquired
Update on IBM Security
Oct
Controlling privileged
user access
Aug
NextGen network
security
March
Enhanced identity
management
May
Integration across
domains
Jan 2012
Formed IBM Security
Systems division
10
Leader in virtually all of the markets
we target, according to Gartner, IDC
and Forrester
IBM X-Force
Award-winning X-Force® security
research with one of the industry s
largest vulnerability databases
25
New organic product releases
in 2012 focused on integrations
15%
Year-to-year growth of Security Systems
Market leadership
Enrich capabilities
Jan 2013
Big data security
analytics
Mar
iOS Mobile
App Security
18
Product development labs WW
4
Rank by revenue in security software

5
Cloud security is a key concern as
customers rethink how IT resources are
designed, deployed and consumed
Cloud Computing
Shaping our strategy – the megatrends
Regulatory and compliance pressures are
mounting as companies store more data
and can become susceptible to audit
failures
Regulation and Compliance
Sophisticated, targeted attacks designed
to gain continuous access to critical
information are increasing in severity and
occurrence
Advanced Threats
Securing employee-owned devices and
connectivity to corporate applications are
top of mind as CIOs broaden support for
mobility
Mobile Computing
Advanced Persistent Threats
Stealth Bots Targeted Attacks
Designer Malware Zero-days
Enterprise
Customers
GLBA

6
X-Force is the foundation for advanced security and threat research
across the IBM Security Framework

7
Collaborative IBM teams monitor and analyze the latest threats
20,000+ devices
under contract
3,700+ managed
clients worldwide
13B+ events
managed per day
133 monitored
countries (MSS)
1,000+ security
related patents
20B analyzed
web pages & images
45M spam &
phishing attacks
73K documented
vulnerabilities
Billions of intrusion
attempts daily
Millions of unique
malware samples

8
The Global IBM Security Community
15,000 researchers, developers and subject matter experts
working security initiatives worldwide
Security Operations Centers
Security Research Centers
Security Solution Development Centers
Institute for Advanced Security Branches

9 IBM Security Systems
What are we seeing?
Annual Trend Report
gives an X-Force
view of the changing
threat landscape

10
2011: “The year of the targeted attack”
Source: IBM X-Force® Research 2011 Trend and Risk Report
Marketing
Services
Online
Gaming
Online
Gaming
Online
Gaming
Online
Gaming
Central
Government
Gaming
Gaming
Internet
Services
Online
Gaming
Online
Gaming
Online
Services
Online
Gaming
IT
Security
Banking
IT
Security
Government
Consulting
IT
Security
Tele-
communic
ations
Enter-
tainment
Consumer
Electronics
Agriculture
Apparel
Insurance
Consulting
Consumer
Electronics
Internet
Services
Central
Govt
Central
Govt
Central
Govt
Attack Type
SQL Injection
URL Tampering
Spear Phishing
3rd Party Software
DDoS
SecureID
Trojan Software
Unknown
Size of circle estimates relative impact of
breach in terms of cost to business
Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec
Entertainment
Defense
Defense
Defense
Consumer
Electronics
Central
Government
Central
Government
Central
Government
Central
Government
Central
Government
Central
Government
Central
Government
Consumer
Electronics
National
Police
National
Police
State
Police
State
Police
Police
Gaming
Financial
Market
Online
Services
Consulting
Defense
Heavy
Industry
Entertainment
Banking
2011 Sampling of Security Incidents by Attack Type, Time and Impact
Conjecture of relative breach impact is based on publicly disclosed information regarding leaked records and financial losses
Threats Operational Security Emerging Trends

11
2012: The explosion of breaches continues!
Source: IBM X-Force® Research 2012 Trend and Risk Report
2012 Sampling of Security Incidents by Attack Type, Time and Impact
Conjecture of relative breach impact is based on publicly disclosed information regarding leaked records and financial losses

12
Attacker motivations remain similar, although methods evolve
Many security incidents disclosed in 2012
were carried out by attackers going after a
broad target base while using off-the-shelf
tools and techniques (top left)
SQL injection and
DDoS continue to be
tried-and-true
methods of attack
Attackers are opportunistic; not
all advanced adversaries use
exotic malware and zero-day
vulnerabilities

13
Operational sophistication, not always technical sophistication

14
Tried and true techniques - SQL and Command Injection attacks
Dramatic and
sustained rise
in SQL injection-
based traffic
Alerts came from
all industry
sectors, with a
bias toward
banking and
finance targets

15
Tried and true techniques - Distributed Denial of Service (DDoS)
High profile DDoS
attacks marked by a
significant increase
in traffic volume
Implementation of
botnets on
compromised web
servers in high
bandwidth data
centers

16
Tried and true techniques - Spear-phishing using social networks
Overall spam volume
continues to decline, but
spam containing
malicious attachments
is on the rise
Scammers rotate the
“carousel” of their targets
– focusing on social
networks in 2012

17
Botnet Command & Control Server resiliency
Operational
sophistication:
When botnet
command and
control servers are
taken down, other
readily available
networks can be
put into action

18
Why was Java one of 2012’s hottest software targets?
1. Java is cross-platform
2. Exploits written for Java
vulnerabilities are very
reliable and do not need
to circumvent mitigations
in modern OSes
3. The Java plugin runs
without a sandbox –
making it easier to install
persistent malware on
the system
http://java-0day.com/

19
As a result, exploit authors and toolkits favor Java
Web browser
exploit kits - aka
“exploit packs” - are built
for one particular purpose:
to install malware on end-
user systems
In 2012 we observed an
upsurge in web browser exploit
kit development and activity -
the primary target of which are
Java vulnerabilities

20
And more…
http://www.kahusecurity.com

21
Blackhole Crimeware
Blackhole Exploit Kit
– First appeared in August 2007
– Advertised as a “Systems for Network Testing”
– Protects itself with blacklists and integrated antivirus
– Comes in Russian or English
– Currently the most purchased exploit pack
Flexible Pricing Plan
• Purchase
• $1500/annual
• $1000/semi-annual
• $700/quarterly
• Lease
• $50/24 hours
• $200/1 week
• $300/2 weeks
• $400/3 weeks
• $500/month
*($35 domain name change fee if necessary)

22
Software vulnerabilities - disclosures up in 2012
8,168
publicly
disclosed
vulnerabilities
An increase of
over 14% from
2011

23
Public exploit disclosures – not as many “true exploits”
Continued
downward trend
in percentage
of public exploit
disclosures to
vulnerabilities
Slightly up in
actual numbers
compared to
2011

24
Web application vulnerabilities surge upward
14%
increase in
web application
vulnerabilities
Cross-site scripting
represented
53%

25
Content Management Systems plug-ins provide soft target
Attackers know that CMS
vendors more readily
address and patch their
exposures
Compared to smaller
organizations and
individuals producing the
add-ons and plug-ins

26
Impact on Risk
Risk = Threat x Vulnerability
Risk is growing as
threats become more
hostile and vulnerabilities
continue to grow
Better understanding
helps to focus strategies

27
Social Media and Intelligence Gathering
50%
of all websites
connected to
social media
Enhanced
spear-phishing
seemingly
originating from
trusted friends
and co-workers

28
Mobile devices should be more secure in 2014
- Separation of Personas & Roles
- Ability to Remotely Wipe Data
- Biocontextual Authentication
- Secure Mobile App Development
- Mobile Enterprise App Platform
(MEAP)
Mobile computing is becoming increasingly secure,
based on technical controls occurring with security
professionals and software development

29
What are we seeing? Key Findings from the 2012 Trend Report
Software vulnerability disclosures up in 2012
XSS vulnerabilities highest ever seen at 53%
Social Media leveraged for enhanced spear-phishing
techniques and intelligence gathering
Mobile Security should be more secure than traditional user
computing devices by 2014
40% increase in breach events for 2012
Sophistication is not always about technology
SQL Injection, DDoS, Phishing activity increased from 2011
Java means to infect as many systems as possible
Threats
and Activity
Operational
Security
Emerging
Trends

30
Get Engaged with IBM X-Force Research and Development
Follow us at @ibmsecurity and @ibmxforce
Subscribe to X-Force alerts at iss.net/rss.php
or X-Force Security Insights blog at www.ibm.com/blogs/xforce
Download IBM X-Force 2012 Annual Trend & Risk Report
ibm.com/security/xforce

31
ibm.com/security
© Copyright IBM Corporation 2013. All rights reserved. The information contained in these materials is provided for informational purposes
only, and is provided AS IS without warranty of any kind, express or implied. IBM shall not be responsible for any damages arising out of the use
of, or otherwise related to, these materials. Nothing contained in these materials is intended to, nor shall have the effect of, creating any
warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement
governing the use of IBM software. References in these materials to IBM products, programs, or services do not imply that they will be available in
all countries in which IBM operates. Product release dates and/or capabilities referenced in these materials may change at any time at IBM s
sole discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in
any way. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the
United States, other countries or both. Other company, product, or service names may be trademarks or service marks of others.

Application Security Overview
Patrick Vandenberg
Program Director, IBM Security Segment Marketing

Securing Applications is a Challenge
Your Application Portfolio
Different Types & Sources
Financial
In-houseOutsource
HR Logistics Intranet
Legacy Open Src
Your Policies
Data Privacy
Regulatory Compliance
Accountability
Your SDLC Processes
Large and diverse application
portfolios
Mobile applications
In-house and outsource
development
External & internal regulatory
pressure
Pockets of security expertise
Yet another task for developers
Need an efficient, scalable,
automated way to develop and
deliver secure applications…

X-Force is the foundation for advanced security and threat research
across the IBM Security Framework

What are we seeing? Key Findings from the 2012 Trend Report
Software vulnerability disclosures up in 2012
XSS vulnerabilities highest ever seen at 53%
Social Media leveraged for enhanced spear-phishing
techniques and intelligence gathering
Mobile Security should be more secure than traditional user
computing devices by 2014
40% increase in breach events for 2012
Sophistication is not always about technology
SQL Injection, DDoS, Phishing activity increased from 2011
Java means to infect as many systems as possible
Threats
and Activity
Operational
Security
Emerging
Trends

Tried and true techniques - SQL and Command Injection attacks
Dramatic and
sustained rise
in SQL injection-
based traffic
Alerts came from
all industry
sectors, with a
bias toward
banking and
finance targets

14%
increase in
web application
vulnerabilities
Cross-site
scripting
represented
53%

Both Paid and Free Apps are Targeted
Source: Arxan State of Security in the App Economy – 2012
Mobile increases risk of applications as attack vector

SQL injection continues to be one of
the most popular points of entry for
extracting data from a website
Web app vulnerabilities also allow
attackers to inject malicious scripts
and files onto legitimate websites
The high rate of vulnerable web
applications and their plugins allow
attackers to use automated scripts to
scan the web for targets
Application Threats
Analyze applications before
deployment, to identify security
vulnerabilities
Scan applications as early as
possible in the development cycle,
to reduce costs
Remediate critical vulnerabilities,
and validate by re-scanning
Integrate scanning results with
intrusion prevention, to block
attacks before apps are updated
Continuously monitor database
activities to detect suspicious
activity and respond in real-time
Detect database vulnerabilities to
prevent threats

Adopt a Secure by Design approach to enable you to design, deliver
and manage smarter software and services
Build security into your application
development process
Efficiently and effectively address
security defects before deployment
Collaborate effectively between Security
and Development
Provide Management visibility
Deliver New
Services Faster
Reduce
Costs
Innovate
Securely
Proactively address vulnerabilities early in the development process

When it comes to risk, all applications are not created equal

Application Security Testing
• Training – Applications Security & Product ( Instructor led , self paced – classroom & web based)
• Test policies, test templates and access control
• Dashboards, detailed reports & trending
• Manage regulatory requirements such as DIACAP, PCI, GLBA and HIPAA (40+ out-of-the-box compliance reports)
Scanning
Techniques
Applications
Governance &
Collaboration

Build Systems
improve scan
efficiencies
Integrated
Audience Development teams Security teams Penetration Testers
CODING BUILD QA SECURITY PRODUCTION
Static analysis
(white box)
SDLC

(Rational Build Forge, Rational
Team Concert,
Hudson, Maven)
Defect Tracking
Systems
track remediation
(Rational Team Concert, Rational
ClearQuest,
HP QC, MS Team Foundation
Server)
IDEs
remediation assistance
(RAD, Rational Team
Concert,
Eclipse, Visual Studio
Security Intelligence
raise threat level
(SiteProtector, QRadar, Guardium)
Source code vulnerabilities & code quality risks
Data & Call Flow analysis tracks tainted data
Dynamic analysis
(black box)
Live Web Application
Web crawling & Manual testing
Hybrid Glass Box analysis

Finding more vulnerabilities using advanced techniques
Static Analysis
- Analyze Source Code
- Use during development
- Uses Taint Analysis /
Pattern Matching
Dynamic Analysis
- Correlate Dynamic and
Static results
- Assists remediation by
identification of line of code
Hybrid Analysis
43
- Analyze Live Web Application
- Use during testing
- Uses HTTP tampering
Client-Side Analysis
- Analyze downloaded Javascript
code which runs in client
- Unique in the industry
Run-Time Analysis
- Combines Dynamic Analysis with
run-time agent
- More results, better accuracy

Bridging the Security/Development gap
Dashboard of application risk
Enable compliance with
regulation-specific reporting
Security experts establish security testing
policies
Development teams test early in the cycle
Treat vulnerabilities as development
defects
“… we wanted to go to a multiuser web-based solution
that enabled us to do concurrent scans and provide our
customers with a web-based portal for accessing and
sharing information on identified issues.”
Alex Jalso, Asst Dir, Office of InfoSecurity, WVU
Provide Management VisibilityBreak down organizational silos
Architect
Developer
Quality
Professional
Security Auditor
Enables
Collaboration

Reducing Costs Through a Secure by Design Approach
Find during
Development
$80 / defect
*$8,000 / application
Find during Build
$240 / defect
Find during QA/Test
$960 / defect
Find in Production
$7,600 / defect
80% of development costs
are spent identifying and
correcting defects!***
** Source: Ponemon Institute 2009-10
*** Source: National Institute of Standards and Technology
Average Cost of a Data Breach
$7.2M** from law suits, loss of customer
trust, damage to brand
*Based on X-Force analysis of 100 vulnerabilities per application

Server Side Logic
SAST (source code)
DAST (web interfaces)
Mobile Web Apps
JavaScript / HTML5 hybrid analysis
Native Apps
Android applications
iOS applications
JavaScript
Static Analysis
N EWStatic Analysis
IMPROVEDStatic Analysis
AppScan Mobile Support: Server and Native

Support for Native iOS apps
Mac OS platform support
Security SDK research & risk
assessment of over 20k iOS
APIs
Xcode interoperability & build
automation support
Full call and data flow
analysis of
Objective-C
JavaScript
Java
Identify where sensitive data
is being leaked
AppScan Source V8.7 – What’s New
IBM formally launched a major initiative to help tighten
the security of mobile apps developed for business use
on iPhones handsets. -- USA Today
AppScan provides developers with an unmatched view
into where vulnerabilities appear in their mobile apps due
its deep cognizance of platform APIs. -- eWeek
The real power of AppScan arises from how it performs
vulnerability analysis - by using the full trace technique. --
SecurityWeek
iPhone users will benefit from the IBM AppScan update.
-- IT PRO

AppScan Components

Using Big Data and Analytics to
Think Like an Attacker
Sandy Bird, CTO IBM Security Systems

50
50
Now, for
something
you’ve
never
seen
before

56
56
Bring your
own IT
Social
business
Cloud and
virtualization
1 billion mobile
workers
1 trillion
connected
objects
Innovative technology changes everything

57
57
Attacker motivations are rapidly escalating
National
Security
Nation-state
actors
Stuxnet
Espionage,
Activism
Sponsored groups
and Hacktivists
Aurora
Monetary
Gain
Organized
crime
Zeus
Revenge,
Curiosity
Insiders and
Script-kiddies
Code Red

58
58
Organized groups are using multiple techniques
Using social networking and social engineering to
perform reconnaissance on spear-phishing targets,
leading to compromised hosts and accounts
Infiltrating a trusted partner and then loading malware
onto the target’s network
Creating designer malware tailored to only infect the
target organization, preventing positive identification
by security vendors
Exploiting zero-day vulnerabilities to gain access to
data, applications, systems, and endpoints
Communicating over accepted channels such as port
80 to exfiltrate data from the organization

59
59
dogpile.com
kewww.com.cn
ynnsuue.com
wpoellk.com
moveinent.com
moptesoft.com
varygas.com
earexcept.com
fullrow.com
colonytop.com
117.0.178.252
83.14.12.218
94.23.71.55
103.23.244.254
62.28.6.52
202.231.248.207
175.106.81.66
217.112.94.236
119.252.46.32
180.214.243.243
c69d172078b439545dfff28f3d3aacc1
51e65e6c798b03452ef7ae3d03343d8f
6bb6b9ce713a00d3773cfcecef515e02
c5907f5e2b715bb66b7d4b87ba6e91e7
bf30759c3b0e482813f0d1c324698ae8
6391908ec103847c69646dcbc667df42
23c4dc14d14c5d54e14ea38db2da7115
208066ea6c0c4e875d777276a111543e
00b3bd8d75afd437c1939d8617edc22f
01e22cce71206cf01f9e863dcbf0fd3f
ynnsuue.com
117.0.178.252
51e65e6c798b03452ef7ae3d03343d8f
6bb6b9ce713a00d3773cfcecef515e02
Permutations of malicious identifiers are limitless

61
Image retrieved from http://melroseedcd.com/?p=1

62
62
A change in mindset is already happening

63
63
By monitoring for subtle indicators across all fronts
Break-in Spoofed email with malicious
file attachment sent to users
Command
& Control (CnC)
Latch-on Anomalous system behavior
and network communications
Expand
Device contacting internal
hosts in strange patterns
Gather Abnormal user behavior and
data access patterns
Command
& Control (CnC)
Exfiltrate Movement of data in chunks
or streams to unknown hosts

64
64
Big Data
Analytics
Traditional Security
Operations and
Technology

66
66
Platform
Real-time Processing
• Real-time data correlation
• Anomaly detection
• Event and flow normalization
• Security context & enrichment
• Distributed architecture
Security Operations
• Pre-defined rules and reports
• Offense scoring & prioritization
• Activity and event graphing
• Compliance reporting
• Workflow management
Big Data Warehouse
• Long-term, multi-PB storage
• Unstructured and structured
• Distributed infrastructure
• Preservation of raw data
• Hadoop-based backend
Big Data
Platform
Analytics and Forensics
• Advanced visuals and interaction
• Predictive & decision modeling
• Ad hoc queries
• Spreadsheet UI for analysts
• Collaborative sharing tools
• Pluggable UI
Complementary analytics and workflow from IBM
IBM
Security
Intelligence
with
Big Data

67
67
QRadar leverages Big Data to identify security threats
Appliances
with massive scale
Intelligent data
policy management
Payload indexing leveraging
a purpose-built data store
Advanced threat visualization
and impact analysis
Google-like search
of large data sets
Enrichment with X-Force
and external intelligence

68
68
Example QRadar uses cases
Irrefutable Botnet
Communication
Layer 7 flow data shows botnet
command and control
instructions
Improved  
Breach Detection
360-degree visibility helps
distinguish true breaches
from benign activity, in real-
time
Network Traffic
Doesn’t Lie
Attackers can stop logging
and erase their tracks, but
can’t cut off the network
(ﬂow data)

69
69
Extending Security Intelligence with additional
Big Data analytics capabilities
1. Analyze a variety of
non-traditional and
unstructured datasets
2. Significantly increase
the volume of data
stored for forensics and
historic analysis
3. Visualize and query
data in new ways
4. Integrate with my
current operations
IBM Security QRadar
• Data collection and
enrichment
• Event correlation
• Real-time analytics
• Offense prioritization
Advanced Threat Detection
Traditional data sources
Security Intelligence Platform

70
70
By integrating QRadar with IBM’s Enterprise
Hadoop-based offering
Real-time
Streaming
Insights
IBM Security QRadar
• Hadoop-based
• Enterprise-grade
• Any data / volume
• Data mining
• Ad hoc analytics
• Data collection and
enrichment
• Event correlation
• Real-time analytics
• Offense prioritization
Big Data Platform
Custom Analytics
Traditional data sources
IBM InfoSphere BigInsights
Non-traditional
Security Intelligence Platform
Advanced Threat Detection

72
ATTACKER
User receives risky
email from personal
social network
TARGET
Drive-by exploit is
used to install
malware on target PC
User is redirected to
a malicious website

73
73
Using Big Data to mine for trends within email
Use BigInsights to
identify phishing targets
and redirects
Build visualizations,
such as heat maps, to
view top targets

74
74
Loading phishing data and corresponding
redirects to QRadar

75
ATTACKER
Attacker registers
or acquires a domain Compromised hosts
“phone home” to
attacker C&C servers
Attacker changes the
location of servers, but
domains stay the same
Internal attacks lead
to more infections
Hosts and servers
phone home and
exfiltrate data

76
76
Analyze historical DNS activity within organization

77
77
Automate correlation against DNS registries

78
78
Advanced analytics identify suspicious domains
Why only a few hits
across the entire
organization to these
domains?
Correlating to
public DNS registry
information
increases suspicions

79
79
Importing results to QRadar for real-time analysis
Correlate against
network activity
and visualize
View real-time data and look for active connections

80
80
1
IBM QRadar
unified architecture for collecting, storing,
analyzing and querying log, threat,
vulnerability and risk related data
2
IBM Big Data Platform (Streams, Big Insights, Netezza)
addresses the speed and flexibility required for customized data
exploration, discovery and unstructured analysis
3
IBM i2
Analyst Notebook
helps analysts
investigate fraud by
discovering patterns and
trends across volumes of
data
4
IBM SPSS
unified product family to
help capture, predict,
discover trends, and
automatically deliver
high-volume, optimized
decisions
Additional IBM analytics capabilities for security

81
1. Traditional defenses are insufficient
2. Security has become a Big Data problem
3. Security Intelligence is a Big Data solution
4. New analysis can lead to new insights

IBM Contacts
Rodney Helal, Software Sales Manager, Canadian Federal Government
Accounts – Phone: 613-222-6691 / e-mail: rhelal@ca.ibm.com
Eliane Guindon, IBM Security Systems Account Manager – Phone:
613-249-2284 / Mobile 613-292-0125 / e-mail: elianeg@ca.ibm.com
Anita Bowness, Software Client Lead, Canadian Federal Government –
Phone: 613-249-2099 / e-mail: anitbown@ca.ibm.com

ibm.com/security

Security Trends and Risk Mitigation for the Public Sector

More Related Content

What's hot

Viewers also liked

Similar to Security Trends and Risk Mitigation for the Public Sector

More from IBMGovernmentCA

Recently uploaded

Security Trends and Risk Mitigation for the Public Sector