The document discusses top 5 things to look for in an intrusion prevention system (IPS) solution and how IBM's next-generation IPS addresses these areas. It recommends looking for 1) behavioral threat detection methods, 2) granular application and user controls, 3) fast encrypted traffic inspection, 4) flexible performance options like Field Programmable Gate Arrays (FPGAs) and modular network interfaces, and 5) integration capabilities with security investments like IBM QRadar. The document claims IBM's next-gen IPS (XGS) provides all of these areas to protect against modern attacks beyond just signature-based methods.
1. Top 5 Things to Look for in an IPS Solution
Eric P. York
November 10, 2016
Sr. Product Offering Manager, Infrastructure Security
IBM Security
2. 2 IBM Security
Traditional intrusion prevention systems (IPS) are missing key components to protect against today’s threats
Yesterday’s Attacks: indiscriminate malware, spam and DDoS activity
Tactical Approach (compliance-driven, reactionary):
• Build multiple perimeters
• Protect all systems
• Use signature-based methods
• Periodically scan for known threats
• Shut down systems
Today’s Attacks: advanced, persistent, organized, politically or financially motivated
Strategic Approach (intelligent, orchestrated, automated):
• Assume constant compromise
• Prioritize high-risk assets
• Use behavioral-based methods
• Continuously monitor activity
• Gather, preserve, retrace evidence
It takes power and precision to stop adversaries and unknown threats
3. 3 IBM Security
Top 5 Things to Look for in an IPS Solution
Next-generation intrusion prevention systems have many advantages over traditional IPS
1. Threat Detection Method
2. Application & User Controls
3. Encrypted Traffic Inspection
4. Flexible Performance Options
5. Integration with Existing Security Investments
4. 4 IBM Security
1. Threat Detection Method
Pattern Matching vs. Behavior Analysis (“If it looks like a duck, swims like a duck, and quacks like a duck…”)
Pattern Matching:
• Reactive
• Known threats
• Numerous signatures
Behavior Analysis:
• Proactive
• Better against unknown threats
• Fewer signatures required
5. 5 IBM Security
2. Application & User Controls
• Gain greater network visibility and control over applications and users
• Control access to applications or limit actions taken within applications by user or user group
[Figure: placement of the IPS relative to the firewall and the Internet]
6. 6 IBM Security
3. Encrypted Traffic Inspection
“… 70% of global Internet traffic will be encrypted in 2016, with many networks exceeding 80%.”
Sandvine, Encrypted Internet Traffic Report, 2016
7. 7 IBM Security
4. Flexible Deployment Options
Balance acquisition costs with anticipated future needs:
• Network traffic to be inspected (bandwidth)
• Network topology changes
8. 8 IBM Security
5. Integration with Existing Security Investments
Better protection along the entire attack lifecycle
Prevent (IPS): Disrupt malware & exploits at the point of attack.
Detect (Security Analytics): Send network data to security analytics to enrich threat intelligence and identify threats across the environment.
Respond (Incident Response Platform): Orchestrate and automate incident response, enabling rapid network policy updates to prevent or mitigate impact of attack.
9. 9 IBM Security
Attack Progression (one figure, built up over slides 9 to 12; the completed figure is given here once)
Figure axes: No. of Types (vertical) against Complexity of the exploit-chain (horizontal), divided into Pre-exploit, Exploit and Data exfiltration phases
Stages of the exploit-chain, with the number of variants a defender faces and the control that applies at each stage:
• Delivery of weaponized content: Weaponized content, Endless (IPS, sandbox)
• Exploitation of app vulnerability: Unpatched and zero-day vulnerabilities, Many (patching)
• Malware delivery and Malware persistency (“Ways to infect: deliver, persist”): Malicious files, Endless (antivirus, whitelisting)
• Execution and malicious access to content (e.g., Java execution): Malicious behavior activities, Many (HIPS)
• Establish communication channels and Data exfiltration (“Ways to communicate out”): Destinations, Endless (C&C traffic detection)
Three strategic chokepoints are marked along the chain, alongside the controls File inspection, Vulnerability assessment & reporting, and Credential protection.
13. 13 IBM Security
Evolving beyond intrusion prevention to provide greater value
Evolution based on client needs:
• 1997+ Intrusion Detection
• 2002+ Intrusion Prevention: protects against attacks on vulnerabilities, not exploits
• 2005+ Behavioral Defense: protects against attacks based on behavior, not specific vulnerabilities
• 2008+ Web App Protection: heuristically protects against common app-based attacks
• 2012+ URL/App Control: protects users from visiting risky sites on the web
• 2013+ SSL/TLS Inspection: protects against attacks hidden inside encrypted traffic
• 2014+ Advanced Malware Defense: blocks malware infections on the network
• Future: Threat Management.NEXT, new protection and integration capabilities to stay ahead of the threat
14. 14 IBM Security
IBM Security Network Protection (XGS)
Next-generation intrusion prevention protects against the latest attacks
PROTECTION: Disrupt known and unknown exploits and malware attacks
VISIBILITY: Gain insight into network traffic patterns to detect anomalies
CONTROL: Limit the use of risky applications to reduce your attack surface
15. 15 IBM Security
Exploit-matching engines can be useless against even simple mutations
A simple change to a variable name allows the attack to succeed while rendering a signature-matching engine’s protection useless:
Original Variable Names -> Mutated Variable Names
Shellcode -> somecode
Block -> brick
heapLib -> badLib
A simple change to the HTML code in a compromised web page makes the attack invisible to signature protection:
Original Class Reference:
<html><head></head>
<body><applet archive="jmBXTMuv.jar" code="msf.x.Exploit.class" width="1" height="1"><param name="data" value=""/><param name="jar">
Mutated Class Reference:
<html><head></head>
<body><applet archive="eXRZLr.jar" code="msf.x.badguy.class" width="1" height="1"><param name="data" value=""/><param name="jar">
Simply adding a comment to a web page results in an attack successfully bypassing signature IPS:
Original Code: var t = unescape;
Mutated Code: var t = unescape <!-- Comment -->;
Source: Tolly Group
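The mutations on this slide are a concrete test case for the pattern-matching versus behavior-analysis distinction drawn earlier. The following Python is an added example, not IBM's code or the Tolly Group's test harness: it runs the slide's own original and mutated snippets through an exact-string signature and through a normalising, behaviour-oriented check, and shows which one still fires after each mutation. The two signature strings and the two regex rules are assumptions made for illustration.

```python
import re

# Samples copied from the slide's mutation table (embedded so this runs offline).
ORIGINAL_JS = "var t = unescape;"
MUTATED_JS = "var t = unescape <!-- Comment -->;"
ORIGINAL_APPLET = ('<applet archive="jmBXTMuv.jar" code="msf.x.Exploit.class" '
                   'width="1" height="1">')
MUTATED_APPLET = ('<applet archive="eXRZLr.jar" code="msf.x.badguy.class" '
                  'width="1" height="1">')

# Exact strings, the way a pattern-matching engine stores a signature.
# Assumed signatures for illustration, not a vendor's real rule set.
SIGNATURES = ['var t = unescape;', 'code="msf.x.Exploit.class"']

# Behavioural rules describe the technique rather than the literal bytes:
#  - any identifier being aliased to unescape (renaming 't' changes nothing)
#  - any 1x1-pixel applet loading a .class, whatever the jar or class is named
ALIAS_UNESCAPE = re.compile(r"\bvar\s+\w+\s*=\s*unescape\s*;")
HIDDEN_APPLET = re.compile(
    r'<applet[^>]*\bcode="[^"]+\.class"[^>]*\bwidth="1"[^>]*\bheight="1"', re.I)


def signature_match(payload: str) -> bool:
    """Pattern matching: fires only when a known literal string is present."""
    return any(sig in payload for sig in SIGNATURES)


def normalise(payload: str) -> str:
    """Canonicalise before inspection: drop HTML comments, collapse whitespace."""
    without_comments = re.sub(r"<!--.*?-->", "", payload, flags=re.S)
    return re.sub(r"\s+", " ", without_comments).strip()


def behaviour_match(payload: str) -> bool:
    """Behaviour analysis: normalise first, then look for the technique itself."""
    text = normalise(payload)
    return bool(ALIAS_UNESCAPE.search(text) or HIDDEN_APPLET.search(text))


def compare(samples: dict) -> dict:
    """Return {name: (signature_hit, behaviour_hit)} for each sample."""
    return {name: (signature_match(p), behaviour_match(p))
            for name, p in samples.items()}


if __name__ == "__main__":
    samples = {"original js": ORIGINAL_JS, "mutated js": MUTATED_JS,
               "original applet": ORIGINAL_APPLET, "mutated applet": MUTATED_APPLET}
    for name, (sig, beh) in compare(samples).items():
        print(f"{name:16} signature={sig!s:5} behaviour={beh}")
```

The renamed-variable case (Shellcode to somecode) is not covered here because the slide gives no surrounding code for it; the same normalise-then-match approach applies once the rule keys on the call pattern rather than the identifier.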
16. 16 IBM Security
IBM goes beyond pattern matching with a broad spectrum of vulnerability and exploit coverage
• Exploit Signatures: attack-specific pattern matching
• Web Injection Logic: patented protection against web attacks, e.g., SQL injection and cross-site scripting
• Vulnerability Decodes: focused algorithms for mutating threats
• Application Layer Heuristics: proprietary algorithms to block malicious use
• Protocol Anomaly Detection: protection against misuse, unknown vulnerabilities, and tunneling across 230+ protocols
• Shellcode Heuristics: behavioral protection to block exploit payloads
• Content Analysis: file and document inspection and anomaly detection
Other IPS solutions stop at pattern matching
17. 17 IBM Security
IBM XGS protects against a full spectrum of attack techniques…
Attack categories: Web App; System and Service; Traffic-based; User; Risky Applications
Techniques covered: Protocol Tunneling; RFC Non-Compliance; Unpatched / Unpatchable Vulnerabilities; Code Injection; Buffer Overflows; Cross-site Scripting; SQL Injection; Cross-site Request Forgery; Cross-path Injection; Spear Phishing; Drive-by Downloads; Malicious Attachments; Malware Links; Obfuscation Techniques; Protocol Anomalies; Traffic on Non-Standard Ports; DoS / DDoS; Information Leakage; Social Media; File Sharing; Remote Access; Audio / Video Transmission
18. 18 IBM Security
… delivering visibility and control over your network traffic and flows
• Identity and Application Awareness: associates users and groups with their network activity, application usage and actions
• Deep Packet Inspection: classifies network traffic, regardless of port or protocol
• SSL Visibility: identifies encrypted threats, without a separate appliance
500+ protocols and file formats analyzed; 2,000+ applications and actions identified; 25+ billion URLs classified in 70 categories
[Figure: inbound and outbound traffic for Applications A and B and Employees A, B and C, classified as prohibited application, attack traffic, botnet traffic, good application or clean traffic]
19. 19 IBM Security
IBM X-Force® Research and Development
Expert analysis and data sharing on the global threat landscape
Research areas: Vulnerability Protection; IP Reputation; Anti-Spam; Malware Analysis; Web Application Control; URL / Web Filtering; Zero-day Research
The IBM X-Force Mission
• Monitor and evaluate the rapidly changing threat landscape
• Research new attack techniques and develop protection for tomorrow’s security challenges
• Educate our customers and the general public
• Integrate and distribute Threat Protection and Intelligence to make IBM solutions smarter
20. 20 IBM Security
The benefits of behavioral detection, Part 1
Stopping mutated threats
Delivers superior protection from evolving threats with high levels of performance
Stops 99% of tested, publicly available attacks
Is nearly twice as effective as Snort at stopping “mutated” attacks
INLINE IPS SYSTEM EFFICACY (2012)
IBM IPS GX7800 versus Snort IPS
SOURCE: IBM SECURITY NETWORK INTRUSION PREVENTION SYSTEM GX7800 EVALUATION, TOLLY GROUP, 2012
21. 21 IBM Security
The benefits of behavioral detection, Part 2
Stopping encrypted threats and evasion techniques
Stopped 100% of tested, publicly disclosed attacks, both encrypted & unencrypted
Stopped 100% of McAfee Evader test suite attacks
Delivered 17 Gbps of multi-protocol throughput with SSL/TLS inspection enabled; 26 Gbps without SSL/TLS inspection enabled
INLINE IPS SYSTEM EFFICACY (2016)
IBM next-gen IPS XGS7100
SOURCE: IBM SECURITY NETWORK PROTECTION XGS7100 EVALUATION, TOLLY GROUP, 2016
22. 22 IBM Security
Modular network interfaces help future-proof your investment
Eight different network interface modules (NIM) meet current and future connectivity needs:
• 4-port fixed fiber (LX) with built-in bypass
• 8-port RJ-45 copper with built-in bypass
• 4-port fixed fiber (SX) with built-in bypass
• 2-port 10GbE (SR) with built-in bypass
• 2-port 10GbE (LR) with built-in bypass
• 4-port SFP (requires transceivers)
• 2-port 10GbE SFP+ (requires transceivers)
• 2-port 40GbE QSFP+ (requires transceivers), XGS 7100 only
XGS 7100 supports 4 NIMs; XGS 5100 supports 2 NIMs (+ 4 built-in RJ-45 ports); XGS 4100 supports 1 NIM (+ 4 built-in RJ-45 ports)
24. 24 IBM Security
IBM XGS protects both your network and investment
Forrester determined XGS has the following three-year risk-adjusted financial impact:
• Return on investment: 340%
• Net present value: $1,075,592
• Payback period: 1.9 months
SOURCE: THE TOTAL ECONOMIC IMPACT OF IBM SECURITY NETWORK SECURITY (XGS), FORRESTER RESEARCH, 2016
25. 25 IBM Security
IBM QRadar and XGS integration improves intelligence and security
Send data flows to QRadar and send quarantine commands to XGS directly from QRadar
Layer 7 Flow Data to QRadar:
• Detect abnormal activity through network flow data generated through XGS
• Identify application misuse via user and application information
• Save money by reducing the need for a separate flow generation appliance
Offense-blocking from QRadar:
• Make QRadar Intelligence actionable by leveraging XGS to block in-progress attacks
• Reduce response time by initiating blocking within the QRadar console to stop threats quickly
26. 26 IBM Security
IBM positioned in the “Leaders” Quadrant in the 2015 Gartner Magic Quadrant for Intrusion Prevention Systems
“The capabilities of leading IPS products have adapted to changing threats, and next-generation IPSs (NGIPSs) have evolved incrementally in response to advanced targeted threats that can evade first-generation IPSs.”
Craig Lawson, Adam Hils, and Claudio Neiva, Gartner, November 16, 2015
This Magic Quadrant graphic was published by Gartner, Inc. as part of a larger research note and should be evaluated in the context of the entire report. The link to the Gartner report is available upon request from IBM.
Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner's research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.
27. 27 IBM Security
Top 5 Things to Look for in an IPS Solution, and what IBM XGS provides for each
1. Threat Detection Method: Behavior analysis
2. Application & User Controls: Granular controls
3. Encrypted Traffic Inspection: Fast on-board inspection
4. Flexible Performance Options: FPL and NIMs
5. Integration with Security Investments: IBM QRadar & more