5 Things to Know about Protecting against Emerging Threats and Targeted Attacks
AxelBuecker
In networks today, organizations are faced with hundreds of new web and non-web applications that are available to their users. The ease and speed with which these new applications can be installed or accessed reduces the effectiveness of perimeter-based security architectures and introduces many new types of risk.
An attacker can use these applications to obtain initial access to an organization, bypassing any perimeter-based security. The threat landscape has therefore changed dramatically in recent times. New sophisticated, targeted attacks that are designed to gain continuous access to critical information are increasing in both severity and frequency.
Let us talk about the five most important things that no organization should ignore when it investigates its security and protection posture.
1. Understand the current threat landscape
In this dramatically changed threat landscape, new sophisticated, targeted attacks that are designed to gain continuous access to critical information are increasing in severity and frequency. Some examples are advanced persistent threats (APTs), stealth bots, targeted application attacks, and designer malware.
To obtain an up-to-date understanding of the threat landscape, IBM provides the IBM
2. The security perimeter in organizations no longer exists
One of the recent key changes is the loss of the security perimeter in organizations. We have all moved to a world of interconnected devices and services, where a lapse in policy enforcement at any point in the network can undermine the whole system. Organizations today face new risks through the uncontrolled use of web and non-web applications. Employees everywhere want to use the same applications at work as they do in their private lives. With relative ease, a user can access, download, and install these applications, often for non-business purposes. Additionally, the growth of mobile and cloud-based computing increases the risk of internally originated security breaches. In many cases, an organization has no visibility into, or control of, this type of application use.
3. The IBM X-Force Research and Development team has deep insights into advanced threats
The IBM X-Force team receives and analyzes billions of security events each day, sourced from the IBM Managed Security Services teams. The X-Force team uses this information to develop new security protections for vulnerabilities, even for vulnerabilities with no known exploitation. In addition, the IBM X-Force team has close research ties with leading software vendors, which allow early awareness of new vulnerabilities. The security protections developed by the X-Force team are then incorporated into the Protocol Analysis Module (PAM) engine, which is the core component of all IBM network protection solutions.
4. What should organizations control on their network?
In many cases, an organization has no visibility into, or control of, application use. Many organizations approach the problem with a basic "block all" approach: they deny all access to these applications.
In most cases this is not a suitable approach, because many of these applications do serve a business purpose. Traditional firewalls cannot provide adequate protection against rogue application use. Only deep packet and session inspection can identify and control these applications.
5. Advanced threat detection and prevention using IBM Security Network Protection
In today’s environment of APTs and ubiquitous web and social media applications, every organization needs deep insights into the usage patterns on their networks so that they can effectively use and secure their network assets. The IBM Security Network Protection solution provides the following capabilities to help organizations detect and prevent these threats:
The IBM Security Network Protection solution can automatically collect network connection information about all network traffic. It then stores this information in its internal storage for local on-box analysis through the local management interface (LMI). Depending on the amount of network activity, the appliance can store up to 30 days of network flow data. For more detailed analysis, and for long-term retention of data for compliance and regulatory purposes, IBM Security Network Protection can export the same network connection information to an external SIEM product as Internet Protocol Flow Information Export (IPFIX) formatted data. This is known as off-box analysis.
The security administrator is armed with the deep knowledge of network usage that is gained from the network visibility features of the IBM Security Network Protection solution. As an example of granular control, an IBM Security Network Protection policy can be written to allow users the ability to view Facebook content but not post updates to Facebook. That is, this solution can control specific application actions rather than only the complete application.
IBM Security Network Protection network access control is exercised through policy enforcement. Your corporate network access policy is built up from a series of NAP rules. An IBM Security Network Protection policy follows a style similar to a typical firewall rule set, which is intuitive and easily understood by your security administrators. The policy is highly flexible, giving security administrators the ability to create powerful network access policies quickly and efficiently.
The IBM Security Network Protection solution provides inspection of both outbound and inbound SSL connections. This reduces the need to implement a separate SSL inspection appliance, and the on-box SSL inspection reduces the administrative overhead compared with managing an additional SSL inspection appliance. Outbound SSL traffic is traffic initiated from internal clients to remote web applications. The ability to inspect outbound SSL traffic is critical because web applications increasingly rely on SSL encryption to secure the connection between application and user.
IBM Security Network Protection integrates an IP Reputation database from IBM X-Force Research and Development. The database provides reputation and geographic location information for both source and destination IP addresses, so IBM Security Network Protection can use this additional information to provide more accurate analysis of the ongoing network traffic in the corporate network. With the geographic information in the IP Reputation database, IBM Security Network Protection can base decisions on the location of an IP address, for example to identify traffic originating from a country rated high for malicious activities such as spam and malware spreading.
The ATP agent feature allows the IBM Security Network Protection solution to receive alerts from IBM and third-party software components and to act on these alerts. It does this by using the IPS Quarantine function, which allows both IP addresses and URLs to be blocked for a specific time period. An example alert may report that an attacker has compromised a host on the network, perhaps identified by inappropriate traffic. The alert is parsed by the ATP system and the ATP agent's policy is consulted. Depending on the alert and the policy, both an event and a quarantine action may be created. Taking this host compromise as an example, the host IP address may be added to the quarantine list, so that communication to and from that host is blocked.
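As an added illustration (not IBM's code and not the appliance's real policy language), the following Python models two of the capabilities described above: a first-match NAP-style rule set that distinguishes application actions (the "view Facebook but do not post" case), and the ATP agent flow in which a parsed alert is checked against a policy and produces an event plus a time-limited quarantine that blocks traffic to and from the host. Rule tuples, alert fields, durations and addresses are assumptions constructed for the example.

```python
import ipaddress
from datetime import datetime, timedelta
# Constructed NAP-style rule set: (application, application action, verdict),
# evaluated first-match like a firewall rule set; "*" matches any value.
NAP_RULES = [
    ("facebook", "post", "deny"),   # users may browse Facebook but not post
    ("facebook", "*", "allow"),
    ("*", "*", "deny"),             # default deny as the last rule
]

def evaluate_nap(app, action, rules=NAP_RULES):
    """Return the verdict of the first rule matching (app, action)."""
    for rule_app, rule_action, verdict in rules:
        if rule_app in ("*", app) and rule_action in ("*", action):
            return verdict
    return "deny"

# Constructed ATP agent policy: alert type -> quarantine duration (None = event only).
ATP_POLICY = {"host_compromised": timedelta(hours=24), "suspicious_traffic": None}

def handle_alert(alert, quarantine, now):
    """Parse an alert, consult the policy, record an event and maybe quarantine the host."""
    host = ipaddress.ip_address(alert["host"])
    duration = ATP_POLICY.get(alert["type"])
    event = f"{now.isoformat()} {alert['type']} host={host}"
    if duration is None:
        return event, False
    quarantine[host] = now + duration      # blocked until this time
    return event, True

def is_blocked(src, dst, quarantine, now):
    """Block traffic to or from any host whose quarantine has not expired."""
    for ip in (ipaddress.ip_address(src), ipaddress.ip_address(dst)):
        expiry = quarantine.get(ip)
        if expiry is not None and now < expiry:
            return True
    return False

def demo():
    """Constructed scenario: a compromise alert quarantines 10.0.0.5 for 24 hours."""
    q, t0 = {}, datetime(2024, 1, 1, 12, 0)
    _, acted = handle_alert({"type": "host_compromised", "host": "10.0.0.5"}, q, t0)
    later, expired = t0 + timedelta(hours=1), t0 + timedelta(hours=25)
    return {
        "quarantined": acted,
        "outbound_blocked": is_blocked("10.0.0.5", "203.0.113.9", q, later),
        "inbound_blocked": is_blocked("203.0.113.9", "10.0.0.5", q, later),
        "other_host_allowed": not is_blocked("10.0.0.6", "203.0.113.9", q, later),
        "released_after_expiry": not is_blocked("10.0.0.5", "203.0.113.9", q, expired),
    }
```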
The FireEye WebMPS captures files in transit and uses its sandboxing system to identify and profile any files that contain malware. When FireEye raises an alert, the IBM Security Network Protection appliance consults its FireEye WebMPS policy and determines how to act on it.
IBM QRadar Right-Click Integration allows an administrator to act quickly on an offense raised in QRadar. For example, QRadar might determine that a host has been compromised and raise an offense. The administrator can then act on this offense by blocking traffic to or from that host.
To further investigate the protection potential of the IBM Security Network Protection solution, an international team of IBM security experts have created the new IBM Redguide publication “Add
What counter-measures have you already implemented in your organization to fight off those emerging advanced persistent threats and targeted attacks? Make sure you use proper protection when you join the big playing field called the Internet.
Chenta Lee is an Advisory Software Engineer with IBM Security Systems Division. His expertise includes emerging cloud technologies, with five years of experience in cloud security products, and experience in software-defined networking, virtualization, and advanced threat protection. Chenta is a member of the development team of IBM Security Network Protection. He currently focuses on network security in the cloud.