A quick look at the IBM Endpoint Security Strategy
Alex Donatelli
It is a well-known saying in the endpoint security field that the only way to protect a device (an endpoint) from malicious attacks is to keep it switched off. This method, though very effective, is not very practical, so a different approach is needed for endpoints that are attacked and compromised. The best way to cope with potential exposures and security risks is to stop an incident from occurring in the first place (Prevent). However, prevention has repeatedly proved not to be bulletproof. Therefore, once an attack has been carried out successfully, an investigative step is required (Detect). In this step evidence of an attack is searched for and, if and when it is found, the most appropriate action to remediate any damage is identified (Respond). Remediation can either be handled by an organization's own internal process or be outsourced to a security firm.
Every endpoint security solution has to deal with these steps, which map onto the pre- and post-exploit phases of an attack. Evidently, the best mechanisms are the ones that aim at blocking most, if not all, potential attacks in the pre-exploit phase. However, history and the nature of technology have demonstrated that this goal is not reachable, so the available technology should cover the post-exploit phase as well.
The IBM Endpoint Security strategy supports the prevention, detection and remediation phases described above by delivering solutions that help Customers answer four main questions about their endpoints: Is my endpoint... (the four areas, taken in turn below, are vulnerability, compliance, protection and compromise).
For each of the above questions, the strategy provides specific capabilities in our product offering, capabilities that are also integrated with the other elements securing the environment.
BigFix Patch and BigFix Lifecycle cover primarily the vulnerability field. Capabilities are provided to report the posture of an endpoint against operating system or application exposures that can be addressed by patches. BigFix Inventory (hardware and software), together with software deployment to endpoints, further strengthens the ability to keep devices as little exposed as possible. The BigFix capability to report on vulnerabilities, and its integration with QRadar to identify and potentially fix vulnerabilities, are additional strengths of the endpoint security strategy in this field.
Compliance is the area where the BigFix offering provides the ability to ensure that endpoints adhere to specific configuration baselines such as the ones published by DISA, CIS and PCI-DSS. Another type of compliance is ensuring that only approved and licensed software is present in the enterprise. BigFix offers that capability in the Inventory product (previously called Software Use Analysis), which can also deliver the license compliance reporting that IBM requires.
The protection area is covered by two main offerings. The first one is the BigFix capability to manage the lifecycle of security agents on the devices, delivered by the BigFix Protection offering. It ensures that firewall and antivirus software are deployed and configured, and covers all of the major vendors in the firewall and antivirus space. As stated at the beginning, preventing a problem is much better than fixing it. The second offering is IBM Trusteer Apex, with its ability to detect advanced persistent malware. It delivers key and distinctive functionality in detecting malicious actions, especially where the other technologies, such as firewall and antivirus, are not effective, as is typically the case with zero-day attacks.
Last but not least, in case a device is either already compromised or suspected of having been compromised, BigFix can be used to investigate the case effectively. A whitepaper that explains in detail how to use the power of BigFix to investigate a threat during a forensic analysis is available. You can find it here, and I would suggest you take the time to read it, as it contains many good hints. The BigFix Relevance language is a powerful tool for investigating many aspects of the endpoints, and the whitepaper explains how to use it to best effect to collect key forensic data. It also provides a guide on how to take a standard Indicator of Compromise (IOC) and translate it into a Relevance expression. This allows the huge knowledge base available on the Internet about malware identification to be put to work in a BigFix-managed environment. There is also a section that will help you adopt Yara within BigFix, and another one that explains how to remediate the environment.
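To make the IOC-to-Relevance idea concrete, here is an added example (my own, not taken from the page or from the whitepaper) that turns a small, entirely made-up IOC set into a single Relevance expression a BigFix analysis or Fixlet could evaluate on Windows endpoints. The file path, hash, process name and registry value below are placeholders invented for this illustration and do not describe any real malware.

```relevance
/* Constructed IOC for this example only: a dropper written to C:\Windows\Temp,
   a placeholder SHA-1 for it, the name it runs under, and a Run-key value it
   uses for persistence. Replace every literal with the values from your IOC. */

/* 1. File indicator. The hash comparison sits inside "whose", so it is only
      computed when the file actually exists; no hashing is done otherwise. */
exists file "C:\Windows\Temp\svchost_update.exe"
  whose (sha1 of it = "0123456789abcdef0123456789abcdef01234567")
OR
/* 2. Process indicator: a running copy of the dropper, matched case-insensitively. */
exists running application whose (name of it as lowercase = "svchost_update.exe")
OR
/* 3. Persistence indicator: an autorun value under the HKLM Run key. */
exists value "SvcHostUpdate"
  of key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
  of registry
```

Two practical caveats. First, keep hash checks scoped to specific paths or folders as above; evaluating `sha1 of it` across whole volumes is expensive on every client and floods the relay with work. Second, on 64-bit Windows the plain `of registry` clause reads the 32-bit registry view, so a Run key written by a 64-bit process has to be checked with the native registry inspector as well, otherwise the persistence indicator silently reports false.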