Top 5 Things to Look for in an IPS Solution
Eric P. York
November 10, 2016
Sr. Product Offering Manager, Infrastructure Security
IBM Security
2 IBM Security
Traditional intrusion prevention systems (IPS) are missing key components to protect against today’s threats

Yesterday’s Attacks: indiscriminate malware, spam and DDoS activity
• Build multiple perimeters
• Protect all systems
• Use signature-based methods
• Periodically scan for known threats
• Shut down systems
Tactical Approach: compliance-driven, reactionary

Today’s Attacks: advanced, persistent, organized, politically or financially motivated
• Assume constant compromise
• Prioritize high-risk assets
• Use behavioral-based methods
• Continuously monitor activity
• Gather, preserve, retrace evidence
Strategic Approach: intelligent, orchestrated, automated

It takes power and precision to stop adversaries and unknown threats
Top 5 Things to Look for in an IPS Solution
Next-generation intrusion prevention systems have many advantages over traditional IPS
1. Threat Detection Method
2. Application & User Controls
3. Encrypted Traffic Inspection
4. Flexible Performance Options
5. Integration with Existing Security Investments
1. Threat Detection Method
Pattern Matching vs. Behavior Analysis

Pattern Matching
• Reactive
• Known threats
• Numerous signatures

Behavior Analysis (“If it looks like a duck, swims like a duck, and quacks like a duck…”)
• Proactive
• Better against unknown threats
• Fewer signatures required
2. Application & User Controls
• Gain greater network visibility and control over applications and users
• Control access to applications or limit actions taken within applications by user or user group
(Figure: deployment diagram with the labels IPS, Firewall, Internet)
3. Encrypted Traffic Inspection
“… 70% of global Internet traffic will be encrypted in 2016, with many networks exceeding 80%.”
Sandvine, Encrypted Internet Traffic Report, 2016
4. Flexible Deployment Options
Balance acquisition costs with anticipated future needs:
• Network traffic to be inspected (bandwidth)
• Network topology changes
5. Integration with Existing Security Investments
Better protection along the entire attack lifecycle (figure: IPS, Security Analytics, Incident Response Platform)
• Prevent: disrupt malware & exploits at the point of attack.
• Detect: send network data to security analytics to enrich threat intelligence and identify threats across the environment.
• Respond: orchestrate and automate incident response, enabling rapid network policy updates to prevent or mitigate the impact of an attack.
(Figure: complexity of the exploit-chain plotted against attack progression. Phases: Pre-exploit, Exploit, Data exfiltration. Stages in order: delivery of weaponized content; exploitation of app vulnerability; malware delivery; malware persistency; execution and malicious access to content; establish communication channels; data exfiltration.)
(Figure: the same attack progression, with the number of types at each stage. Unpatched and zero-day vulnerabilities (countered by patching): many. Weaponized content (IPS, sandbox): endless. Malicious files (antivirus, whitelisting): endless. Malicious behavior activities (HIPS): many. Destinations (C&C traffic detection): endless. Further labels: Java execution; ways to infect: deliver, persist; ways to communicate out.)
(Figure: the same attack progression, with three stages marked as strategic chokepoints.)
(Figure: the same attack progression with the three strategic chokepoints, plus three further labels: file inspection; vulnerability assessment & reporting; credential protection.)
Evolving beyond intrusion prevention to provide greater value
Evolution based on client needs (timeline ticks paired with the capabilities in order):
• 1997+: Intrusion Detection
• 2002+: Intrusion Prevention: protects against attacks on vulnerabilities, not exploits
• 2005+: Behavioral Defense: protects against attacks based on behavior, not specific vulnerabilities
• 2008+: Web App Protection: heuristically protects against common app-based attacks
• 2012+: URL/App Control: protects users from visiting risky sites on the web
• 2013+: SSL/TLS Inspection: protects against attacks hidden inside encrypted traffic
• 2014+: Advanced Malware Defense: blocks malware infections on the network
• Future: Threat Management.NEXT: new protection and integration capabilities to stay ahead of the threat
IBM Security Network Protection (XGS)
Next-generation intrusion prevention protects against the latest attacks
• PROTECTION: disrupt known and unknown exploits and malware attacks
• VISIBILITY: gain insight into network traffic patterns to detect anomalies
• CONTROL: limit the use of risky applications to reduce your attack surface
Exploit-matching engines can be useless against even simple mutations

A simple change to a variable name allows the attack to succeed, while rendering the protection of a signature-matching engine useless:
Original Variable Names → Mutated Variable Names
Shellcode → somecode
Block → brick
heapLib → badLib

A simple change to the HTML code in a compromised web page makes the attack invisible to signature protection:
Original Class Reference
<html><head></head>
<body><applet archive="jmBXTMuv.jar"
code="msf.x.Exploit.class" width="1"
height="1"><param name="data"
value=""/><param name="jar">
Mutated Class Reference
<html><head></head>
<body><applet archive="eXRZLr.jar"
code="msf.x.badguy.class" width="1"
height="1"><param name="data"
value=""/><param name="jar">

Simply adding a comment to a web page results in an attack successfully bypassing a signature IPS:
Original Code: var t = unescape;
Mutated Code: var t = unescape <!-- Comment -->;

Source: Tolly Group
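The pattern-matching vs. behavior-analysis contrast from item 1 and the Tolly mutations above, as an added example that is not the deck's or IBM's code: a literal-string signature is run over the slide's original and mutated applet and JavaScript pairs, beside a normalizing, structural detector that flags both variants. The 1x1 applet sizing threshold and the `unescape` alias rule are this example's own assumed rules, not the product's.

```python
"""Literal signatures vs. a normalizing, structural detector.

The two sample pairs are the ones shown on the slide (Tolly Group),
embedded here as constructed test inputs, not captured traffic.
"""
import re
from html.parser import HTMLParser

# Applet pair from the slide: only the jar name and class name differ.
ORIGINAL_APPLET = ('<html><head></head><body><applet archive="jmBXTMuv.jar" '
                   'code="msf.x.Exploit.class" width="1" height="1">'
                   '<param name="data" value=""/><param name="jar">')
MUTATED_APPLET = ('<html><head></head><body><applet archive="eXRZLr.jar" '
                  'code="msf.x.badguy.class" width="1" height="1">'
                  '<param name="data" value=""/><param name="jar">')

# JavaScript pair from the slide: an HTML comment is inserted before ';'.
ORIGINAL_JS = 'var t = unescape;'
MUTATED_JS = 'var t = unescape <!-- Comment -->;'

# Exact-string signatures of the kind an exploit-matching engine carries.
APPLET_SIGNATURE = 'code="msf.x.Exploit.class"'
JS_SIGNATURE = 'var t = unescape;'


def signature_match(sample: str, signature: str) -> bool:
    """Pattern matching: a literal substring test, nothing more."""
    return signature in sample


def normalize(sample: str) -> str:
    """Canonicalize before matching: drop HTML comments, fold whitespace,
    lowercase. This alone undoes the comment-insertion mutation."""
    stripped = re.sub(r'<!--.*?-->', '', sample, flags=re.S)
    return re.sub(r'\s+', ' ', stripped).strip().lower()


class _AppletCollector(HTMLParser):
    """Collect <applet> attribute sets instead of matching raw bytes."""
    def __init__(self):
        super().__init__()
        self.applets = []

    def handle_starttag(self, tag, attrs):
        if tag == 'applet':
            self.applets.append(dict(attrs))


def _px(value) -> int:
    """Parse a width/height attribute; -1 when absent or non-numeric."""
    try:
        return int(str(value).strip().rstrip('px'))
    except ValueError:
        return -1


def hidden_applet_detected(sample: str) -> bool:
    """Structural rule (assumed for this example): an applet that loads a
    jar and is sized to be invisible (1x1 or smaller) is flagged whatever
    its class or jar name, so renaming either does not evade it."""
    collector = _AppletCollector()
    collector.feed(sample)
    for a in collector.applets:
        loads_jar = (a.get('archive') or '').lower().endswith('.jar')
        invisible = (0 <= _px(a.get('width', '')) <= 1
                     and 0 <= _px(a.get('height', '')) <= 1)
        if loads_jar and invisible:
            return True
    return False


# Structural rule on the normalized text: any identifier aliased to
# unescape, regardless of the variable name or inserted comments.
UNESCAPE_ALIAS = re.compile(r'\bvar\s+\w+\s*=\s*unescape\s*;')


def unescape_alias_detected(sample: str) -> bool:
    return UNESCAPE_ALIAS.search(normalize(sample)) is not None


def compare() -> dict:
    """Run both approaches over both sample pairs; True means 'flagged'."""
    return {
        'signature': {
            'applet_original': signature_match(ORIGINAL_APPLET, APPLET_SIGNATURE),
            'applet_mutated': signature_match(MUTATED_APPLET, APPLET_SIGNATURE),
            'js_original': signature_match(ORIGINAL_JS, JS_SIGNATURE),
            'js_mutated': signature_match(MUTATED_JS, JS_SIGNATURE),
        },
        'structural': {
            'applet_original': hidden_applet_detected(ORIGINAL_APPLET),
            'applet_mutated': hidden_applet_detected(MUTATED_APPLET),
            'js_original': unescape_alias_detected(ORIGINAL_JS),
            'js_mutated': unescape_alias_detected(MUTATED_JS),
        },
    }


if __name__ == '__main__':
    for approach, results in compare().items():
        print(approach, results)
```

The signature column misses both mutated samples while the structural column flags all four; the cost of the second approach is the normalization and parsing work per sample, which is the trade-off item 1 of the deck is pointing at.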
IBM goes beyond pattern matching with a broad spectrum of vulnerability and exploit coverage
• Exploit Signatures: attack-specific pattern matching
• Web Injection Logic: patented protection against web attacks, e.g., SQL injection and cross-site scripting
• Vulnerability Decodes: focused algorithms for mutating threats
• Application Layer Heuristics: proprietary algorithms to block malicious use
• Protocol Anomaly Detection: protection against misuse, unknown vulnerabilities, and tunneling across 230+ protocols
• Shellcode Heuristics: behavioral protection to block exploit payloads
• Content Analysis: file and document inspection and anomaly detection
Other IPS solutions stop at pattern matching
IBM XGS protects against a full spectrum of attack techniques…
Categories: Web App; System and Service; Traffic-based; User; Risky Applications
Techniques shown: Protocol Tunneling; RFC Non-Compliance; Unpatched / Unpatchable Vulnerabilities; Code Injection; Buffer Overflows; Cross-site Scripting; SQL Injection; Cross-site Request Forgery; Cross-path Injection; Spear Phishing; Drive-by Downloads; Malicious Attachments; Malware Links; Obfuscation Techniques; Protocol Anomalies; Traffic on Non-Standard Ports; DoS / DDoS; Information Leakage; Social Media; File Sharing; Remote Access; Audio / Video Transmission
… delivering visibility and control over your network traffic and flows
• Identity and Application Awareness: associates users and groups with their network activity, application usage and actions
• Deep Packet Inspection: classifies network traffic, regardless of port or protocol
• SSL Visibility: identifies encrypted threats, without a separate appliance
500+ protocols and file formats analyzed; 2,000+ applications and actions identified; 25+ billion URLs classified in 70 categories
(Figure: inbound and outbound traffic, with the labels Application A, Application B, Employee A, Employee B, Employee C, Prohibited Application, Attack Traffic, Botnet Traffic, Good Application, Clean Traffic)
IBM X-Force® Research and Development
Expert analysis and data sharing on the global threat landscape
Coverage areas: Vulnerability Protection; IP Reputation; Anti-Spam; Malware Analysis; Web Application Control; URL / Web Filtering; Zero-day Research
The IBM X-Force Mission
• Monitor and evaluate the rapidly changing threat landscape
• Research new attack techniques and develop protection for tomorrow’s security challenges
• Educate our customers and the general public
• Integrate and distribute Threat Protection and Intelligence to make IBM solutions smarter
The benefits of behavioral detection, Part 1
Stopping mutated threats
• Delivers superior protection from evolving threats with high levels of performance
• Stops 99% of tested, publicly available attacks
• Is nearly twice as effective as Snort at stopping “mutated” attacks
INLINE IPS SYSTEM EFFICACY (2012): IBM IPS GX7800 versus Snort IPS
SOURCE: IBM SECURITY NETWORK INTRUSION PREVENTION SYSTEM GX7800 EVALUATION, TOLLY GROUP, 2012
The benefits of behavioral detection, Part 2
Stopping encrypted threats and evasion techniques
• Stopped 100% of tested, publicly disclosed attacks, both encrypted & unencrypted
• Stopped 100% of McAfee Evader test suite attacks
• Delivered 17 Gbps of multi-protocol throughput with SSL/TLS inspection enabled; 26 Gbps without SSL/TLS inspection enabled
INLINE IPS SYSTEM EFFICACY (2016): IBM next-gen IPS XGS7100
SOURCE: IBM SECURITY NETWORK PROTECTION XGS7100 EVALUATION, TOLLY GROUP, 2016
Modular network interfaces help future-proof your investment
Eight different network interface modules (NIMs) meet current and future connectivity needs:
• 4-port fixed fiber (LX) with built-in bypass
• 4-port fixed fiber (SX) with built-in bypass
• 8-port RJ-45 copper with built-in bypass
• 2-port 10GbE (SR) with built-in bypass
• 2-port 10GbE (LR) with built-in bypass
• 4-port SFP (requires transceivers)
• 2-port 10GbE SFP+ (requires transceivers)
• 2-port 40GbE QSFP+ (requires transceivers), XGS 7100 only
XGS 7100 supports 4 NIMs; XGS 5100 supports 2 NIMs (+ 4 built-in RJ-45 ports); XGS 4100 supports 1 NIM (+ 4 built-in RJ-45 ports)
Flexible Performance Licensing (FPL)
Enables performance upgrades without changing hardware. Inspected throughput by model and FPL level:
• XGS Virtual: Level 1 (base) 600 Mb/s; Level 2 1.0 Gb/s
• XGS 3100: Level 1 (base) 400 Mb/s; Level 2 800 Mb/s
• XGS 4100: Level 1 (base) 750 Mb/s; Level 2 1.5 Gb/s
• XGS 5100: Level 1 (base) 2.5 Gb/s; Level 2 4.0 Gb/s; Level 3 5.5 Gb/s; Level 4 7.0 Gb/s
• XGS 7100: Level 1 (base) 5.0 Gb/s; Level 2 10.0 Gb/s; Level 3 15.0 Gb/s; Level 4 20.0 Gb/s; Level 5 25.0 Gb/s
IBM XGS protects both your network and investment
Forrester determined XGS has the following three-year risk-adjusted financial impact:
• Return on investment: 340%
• Net present value: $1,075,592
• Payback period: 1.9 months
SOURCE: THE TOTAL ECONOMIC IMPACT OF IBM SECURITY NETWORK SECURITY (XGS), FORRESTER RESEARCH, 2016
IBM QRadar and XGS integration improves intelligence and security
Send data flows to QRadar and send quarantine commands to XGS directly from QRadar

Layer 7 Flow Data to QRadar
• Detect abnormal activity through network flow data generated by XGS
• Identify application misuse via user and application information
• Save money by reducing the need for a separate flow generation appliance

Offense-blocking from QRadar
• Make QRadar intelligence actionable by leveraging XGS to block in-progress attacks
• Reduce response time by initiating blocking within the QRadar console to stop threats quickly
IBM positioned in the “Leaders” Quadrant in the 2015 Gartner Magic Quadrant for Intrusion Prevention Systems
(Figure: Magic Quadrant for Intrusion Prevention Systems)
“The capabilities of leading IPS products have adapted to changing threats, and next-generation IPSs (NGIPSs) have evolved incrementally in response to advanced targeted threats that can evade first-generation IPSs.”
Craig Lawson, Adam Hils, and Claudio Neiva, Gartner, November 16, 2015
This Magic Quadrant graphic was published by Gartner, Inc. as part of a larger research note and should be evaluated in the context of the entire report.
The link to the Gartner report is available upon request from IBM.
Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation.
Gartner research publications consist of the opinions of Gartner's research organization and should not be construed as statements of fact. Gartner disclaims all warranties,
expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.
Top 5 Things to Look for in an IPS Solution (and what IBM XGS provides)
1. Threat Detection Method: behavior analysis
2. Application & User Controls: granular controls
3. Encrypted Traffic Inspection: fast on-board inspection
4. Flexible Performance Options: FPL and NIMs
5. Integration with Security Investments: IBM QRadar & more
Q & A
ibm.com/security
securityintelligence.com
xforce.ibmcloud.com
@ibmsecurity
youtube/user/ibmsecuritysolutions
© Copyright IBM Corporation 2016. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind,
express or implied. Any statement of direction represents IBM's current intent, is subject to change or withdrawal, and represent only goals and objectives. IBM, the IBM logo, and other IBM products
and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service
marks of others.
Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your
enterprise. Improper access can result in information being altered, destroyed, misappropriated or misused or can result in damage to or misuse of your systems, including for use in attacks on others.
No IT system or product should be considered completely secure and no single product, service or security measure can be completely effective in preventing improper use or access. IBM systems,
products and services are designed to be part of a lawful, comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products
or services to be most effective. IBM does not warrant that any systems, products or services are immune from, or will make your enterprise immune from, the malicious or illegal conduct of any party.
FOLLOW US ON:
THANK YOU