IBM Security, profile picture
Uploaded byIBM Security
PPTX, PDF3,242 views

Orchestrate Your Security Defenses to Optimize the Impact of Threat Intelligence

The document discusses the integration and utilization of threat intelligence in enhancing cybersecurity through tools like IBM X-Force Exchange. It outlines use cases for threat intelligence, including real-time blocking, security operations, and threat research, emphasizing the importance of timely and actionable insights for security teams. Additionally, the document highlights the benefits of collaborating and sharing threat intelligence among organizations to improve overall security posture.

Embed presentation

Downloaded 108 times
Orchestrating Your Security Defenses with Threat Intelligence August 15, 2017 Sam Dillingham Senior Offering Manager IBM X-Force Pamela Cobb Portfolio Manager IBM X-Force
2 IBM Security Today’s agenda Intro to Threat Intelligence Threat Intelligence use cases Taking action with integrations Get started today!
3 IBM Security It takes too long to make information actionable Analysts can’t separate the signal from the noise Data is gathered from untrusted sources 1 Source: ESG Global 65% of enterprise firms use external threat intelligence to enhance their security decision making 1 Security teams often lack critical support to make the most of these resources.
4 IBM Security More companies are sharing and consuming threat intelligence 1. Timely and early warning of relevant threats to stay a step ahead 2. Increased visibility to emerging threats as more organizations benefit from other organization’s detections 3. Validation and prioritization of threats based on context of suspicious activity 4. Faster and more orchestrated response through enrichment of incidents with IoCs 5. More awareness of targets and tactics to help plan, build and evolve your security strategy How to Collect, Refine, Utilize and Create Threat Intelligence Gartner, Oct 2016 IBM and Business Partner Use Only
5 IBM Security IBM X-Force Exchange is a threat intelligence sharing platform designed to help security teams research, collaborate and integrate. xforce.ibmcloud.com IBM and Business Partner Use Only
6 IBM Security Collections streamline security investigations with research from curated content Groups allow public or private collaboration to validate threats and develop response plans Integrations strengthen security solutions and provide additional threat intelligence • Validate findings • Aid in forensic investigations • Provide tactical / strategic intelligence • Address investigations • Enable research workflow • Interact with X-Force research community • X-Force Exchange SDK / API / STIX / TAXII • Threat Feed Manager • Free / commercial usage IBM and Business Partner Use Only
7 IBM Security Today’s agenda Intro to Threat Intelligence Threat Intelligence use cases Taking action with integrations Get started today!
8 IBM Security for threat intelligence use cases Real-time blocking Security operations Threat research & hunting
9 IBM Security Use Case 1: Real-time blocking Usage • Blocking access to known malicious actors • Can include IPs, domains, URLs, etc. • Implemented by firewalls, IPSes, proxies, and other security devices Critical Factors • Speed in making blocking decisions • Scoring flexibility to set a threshold of what to block • Frequent incremental updates to minimize performance impact Delivery Route • Software development kits (SDKs) • Block lists
10 IBM Security In IBM X-Force Exchange, classification and scoring for URLs and IP addresses combines results of multiple analyses.
11 IBM Security Web applications are scored on several risk factors
12 IBM Security Use Case 2: Security Operations Usage • Maps threat intelligence to data observed in your environment • Includes intelligence that can be mapped to network and host- based indicators • Integration with operational tools, such as SIEM and incident response Critical Factors • Support for open standards for easy integration into existing solutions • Pivotability among indicators to aid in rapid investigation • Completeness of data Delivery Route • STIX/TAXII feeds • Cybox
13 IBM Security The use of open standards maximizes interoperability with existing systems  API queries based on query/response model for threat intelligence  Leverages basic authentication  Load balanced to support traffic loads  Node SDK module available  TAXII services provided to access threat intelligence  Supports STIX/Cybox objects JSON RESTful API STIX / TAXII Standards Support
14 IBM Security Use Threat Intelligence through open STIX/TAXII format Use reference sets for correlation, searching, reporting • Load threat indicators in Collections into QRadar Reference sets • Create custom rule response to post IOCs to Collection • Bring Watchlists of IP addresses from X-Force Exchange and create a rule to raise the magnitude of any offense that includes the IP Watchlist IBM and Business Partner Use Only
15 IBM Security Use Case 3: Threat Research and Hunting Usage • Research of potential threats that may or may not yet be affecting your organization • Can be done via a web-based UI or API Critical Factors • Scriptable access of data in an easy-to-use manner • Aggregation of multiple intelligence sources (from different vendors) into a single stream • Flexible search Delivery Route • REST-based API • Research platforms with web interfaces
16 IBM Security X-Force global threat intelligence delivers a wide range of benefits Higher Order Intelligence Observables and Indicators Actors Campaigns Incidents TTPs Vulnerabilities MalwareAnti-SpamWeb App Control IP ReputationURL / Web Filtering
17 IBM Security Correlation of indicators and higher-order intelligence is critical 173.242.117.120 is a malware C&C server djs14.com is a malware C&C server CVE-2013-3029 is an Excel vulnerability abc@xyz.com sends SPAM Organization Y is a threat actor Indicator Feeds Correlated Threat Intelligence 173.242.117.120 is a malware C&C server … which is associated with PoSeidon malware family targeted against retailers used by attackers in country X, Y and Z to steal credit card information from PoS systems Communicates with C&C servers: 173.242.117.120, 203.19.201.20 C&C domains: djs14.com, jdjnci.net Twitter feed @malwarecommander Infects via drive-by download exploiting CVE-2015-2093 malicious Excel file exploiting CVE-2013-3029 email attachment from abc@xyz.com Host indicators Registry keys A, B, C Processes D, E, F Event log entries G, H Memory fingerprint J, K vs.
18 IBM Security Correlation provides pivotability to accelerate threat investigation Network traffic to C&C IP observed Malware associated with C&C server Other C&C IPs for the malware Host IoCs for the malware Actor/ campaign details Infection method details What does this communication mean? What is the attacker after? How did they get in? Where else are they? How do I verify infections? Send indicators to EDR tool Correlate CVEs to SIEM vuln scansCorrelate IPs to flow data in SIEM Understand motivations, report to exec mgt Initiate patchingInvestigate exfiltration Quarantine infected endpoints
19 IBM Security X-Force Exchange Collections streamline security investigations Higher Order Intelligence Free text area of the Collection is used to organize Identifiers, Campaigns, TTPs, TLP status, and other pertinent details. Observables & Indicators Related reports on URL / IP reputation, malware, vulnerabilities, and related attachments
20 IBM Security Agenda Intro to Threat Intelligence Threat Intelligence use cases Taking action with integrations Get started today!
21 IBM Security 20,000+ devices under contract 20B events managed per day 133 monitored countries 3,700+ security-related patents 270M endpoints monitored for malware 38B analyzed web pages and images 8M spam and phishing attacks daily 850K malicious IP addresses 113K documented vulnerabilities Millions of unique malware samples As of May 2017 The scale of IBM Security brings unique breadth and depth to X-Force threat intelligence
22 IBM Security SDK X-Force Threat Intelligence can be integrated into security solutions via multiple methods IBM CONFIDENTIAL - LIMIT DISTRIBUTION UNTIL MAY 16 Data & intelligence sources Analytics Engine IBM Security Products OEM SDK Platform Users Open API Com- mercial API APIPortal Threat Intelligence Content pDNS Whois information Collections Higher Order Intelligence Vulnerabilities Malware Sandbox Malware Families IP Reputation URL Reputation Web Applications Delivery Layer Threat integration Threat consumers Platform Layer XFMA XGS Platform Users
23 IBM Security There is a comprehensive range of Threat Intelligence available via API Indicators/Content Details Vulnerabilities Risk score (CVSS), Exploit characteristics, Exploit consequences, Remedy information, Affected Products, Protection information (e.g. references for IPS, Vulnerability Assessment content), and External references Malware Disposition, Hash value, First observed, Malware family, Vendors covering (%), Download sources, Command and Control Servers, Email sources, and Email subjects Malware Families First/Last Observance, and Associated hash values (MD5) / IP Reputation Risk score (1-10), Geolocation, Applications associated, Malware associated, Categorization – current and historical with confidence value (1-100%), Passive DNS information, Subnet reputation URL Reputation Risk score (1-10), Applications associated, Categorization – current and historical, DNS information Web Applications Risk score, Categorization, Base URL, Vulnerabilities, Hosting URLs, and Hosting IPs pDNS Passive DNS information Whois information Registrant information – name, organization, country, and e-mail. IBM Network Protection Monthly XPU Content, as well as each signature, date of its release, and the vulnerability for which it provides coverage Collections Curated content on specific security investigations, including both structured and unstructured content. Higher Order Intelligence Cybox objects such as campaign, threat actor, tools, tactics, procedures, course of action, and indicator information, as part of the collections.
24 IBM Security IBM Security App Exchange Driving the evolution of collaborative defense  Access user and business partner innovations  Extend IBM Security solution functionality to new use cases  Download validated security apps from a single platform A platform for security collaboration https://apps.xforce.ibmcloud.com
25 IBM Security React faster, coordinate better, respond smarter to incidents Single Hub Provides Easy Workflow Customization and Process Automation • Helps cyber security teams orchestrate IR process and manage and respond to incidents faster, better and more intelligently • Drives down response times by streamlining the process of escalating and managing incidents • Ensures consistency and adherence to regulatory requirements and legal obligations • Automates time-consuming tasks • Leverages staff more effectively
26 IBM Security IBM X-Force Malware Analysis Submit suspicious files directly into IBM X-Force Exchange Automate suspicious file investigation Act on in-depth intelligence reports Access anywhere, anytime with a scalable cloud architecture IBM and Business Partner Use Only
27 IBM Security A diversified financial services company greatly improved their threat research capabilities and collaboration workflows “I didn’t realize I was on X-Force Exchange that much. The collaboration capabilities and threat intelligence are highly valuable to me and a great help to my challenges and activities throughout each day.” -Network Security Analyst II Business challenge  Need for curated threat research to complement their SIEM  Lack of internal collaboration in the threat investigation process IBM X-Force Exchange with IBM QRadar Helped better defend the organization’s network from attacks, scans and phishing attempts on a daily basis, using IP / URL reputation data, geo-location status of IPs, vulnerability data, md5 detail and shared collections from X-Force Exchange in conjunction with IBM QRadar. Research, collaborate and integrate
28 IBM Security Agenda Intro to Threat Intelligence Threat Intelligence use cases Taking action with integrations Get started today!
29 IBM Security Helpful Resources X-Force Exchange • Try it: xforce.ibmcloud.com • API: https://api.xforce.ibmcloud.com/doc/ General X-Force information: • X-Force blogs on SecurityIntelligence.com • IBM X-Force Threat Intelligence Report for 2017 • IBM Interactive Security Incidents website to stay up to date on latest verified breaches IBM/BUSINESS PARTNER USE Contact Us! Sam Dillingham, sam.dillingham@us.ibm.com, Sr Offering Manager Pamela Cobb, pcobb@us.ibm.com, Portfolio Manager
ibm.com/security securityintelligence.com xforce.ibmcloud.com @ibmsecurity youtube/user/ibmsecuritysolutions © Copyright IBM Corporation 2016. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind, express or implied. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, these materials. Nothing contained in these materials is intended to, nor shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software. References in these materials to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates. Product release dates and / or capabilities referenced in these materials may change at any time at IBM’s sole discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any way. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service marks of others. Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed, misappropriated or misused or can result in damage to or misuse of your systems, including for use in attacks on others. No IT system or product should be considered completely secure and no single product, service or security measure can be completely effective in preventing improper use or access. IBM systems, products and services are designed to be part of a lawful, comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective. IBM DOES NOT WARRANT THAT ANYSYSTEMS, PRODUCTS OR SERVICES ARE IMMUNE FROM, OR WILL MAKE YOUR ENTERPRISE IMMUNE FROM, THE MALICIOUS OR ILLEGAL CONDUCT OF ANY PARTY. FOLLOW US ON: THANK YOU

More Related Content

PPTX
Detect and Respond to Threats Better with IBM Security App Exchange Partners
byIBM Security
 
PDF
IBM Security Services Overview
byCasey Lucas
 
PPTX
How to Improve Threat Detection & Simplify Security Operations
byIBM Security
 
PPTX
Nowhere to Hide: Expose Threats in Real-time with IBM QRadar Network Insights
byIBM Security
 
PDF
Orchestrate Your Security Defenses; Protect Against Insider Threats
byIBM Security
 
PPTX
Compete To Win: Don’t Just Be Compliant – Be Secure!
byIBM Security
 
PPTX
5 Ways to Get Even More from Your IBM Security QRadar Investment in 2016
byIBM Security
 
PPTX
Top 5 Things to Look for in an IPS Solution
byIBM Security
 
Detect and Respond to Threats Better with IBM Security App Exchange Partners
byIBM Security
 
IBM Security Services Overview
byCasey Lucas
 
How to Improve Threat Detection & Simplify Security Operations
byIBM Security
 
Nowhere to Hide: Expose Threats in Real-time with IBM QRadar Network Insights
byIBM Security
 
Orchestrate Your Security Defenses; Protect Against Insider Threats
byIBM Security
 
Compete To Win: Don’t Just Be Compliant – Be Secure!
byIBM Security
 
5 Ways to Get Even More from Your IBM Security QRadar Investment in 2016
byIBM Security
 
Top 5 Things to Look for in an IPS Solution
byIBM Security
 

What's hot

PPTX
IBM Security QRadar
byVirginia Fernandez
 
PPTX
To Build Or Not To Build: Can SOC-aaS Bridge Your Security Skills Gap?
byNetEnrich, Inc.
 
PPTX
Security Incident and Event Management (SIEM) - Managed and Hosted Solutions ...
bySirius
 
PPTX
The Board and Cyber Security
byFireEye, Inc.
 
PPTX
IBM Security Strategy
byCamilo Fandiño Gómez
 
PPTX
Meet the New IBM i2 QRadar Offense Investigator App and Start Threat Hunting ...
byIBM Security
 
PDF
Journey to the Center of Security Operations
by♟Sergej Epp
 
PDF
ICION 2016 - Cyber Security Governance
byCharles Lim
 
PDF
Ibm security products portfolio
byPatrick Bouillaud
 
PPTX
Cybersecurity In The Cognitive Era: Priming Your Digital Immune System
byIBM Security
 
PDF
The Cyber Security Landscape: An OurCrowd Briefing for Investors
byOurCrowd
 
PDF
Cloud computing security infrastructure
byIntel IT Center
 
PPTX
The State Of Information and Cyber Security in 2016
byShannon G., MBA
 
PDF
M-Trends® 2013: Attack the Security Gap
byFireEye, Inc.
 
PDF
What’s the State of Your Endpoint Security?
byIBM Security
 
PPTX
Your Mainframe Environment is a Treasure Trove: Is Your Sensitive Data Protec...
byIBM Security
 
PPTX
Cloud security enforcer - Quick steps to avoid the blind spots of shadow it
byIBM Security
 
PPTX
Outsmart Fraudsters: Give Customers Great User Experience While Keeping Fraud...
byIBM Security
 
PDF
National Oil Company Conference 2014 - Evolving Cyber Security - A Wake Up Ca...
byShah Sheikh
 
PDF
CYBER THREAT FORCAST 2016
byBolaji James Bankole CCSS,CEH,MCSA,MCSE,MCP,CCNA,
 
IBM Security QRadar
byVirginia Fernandez
 
To Build Or Not To Build: Can SOC-aaS Bridge Your Security Skills Gap?
byNetEnrich, Inc.
 
Security Incident and Event Management (SIEM) - Managed and Hosted Solutions ...
bySirius
 
The Board and Cyber Security
byFireEye, Inc.
 
IBM Security Strategy
byCamilo Fandiño Gómez
 
Meet the New IBM i2 QRadar Offense Investigator App and Start Threat Hunting ...
byIBM Security
 
Journey to the Center of Security Operations
by♟Sergej Epp
 
ICION 2016 - Cyber Security Governance
byCharles Lim
 
Ibm security products portfolio
byPatrick Bouillaud
 
Cybersecurity In The Cognitive Era: Priming Your Digital Immune System
byIBM Security
 
The Cyber Security Landscape: An OurCrowd Briefing for Investors
byOurCrowd
 
Cloud computing security infrastructure
byIntel IT Center
 
The State Of Information and Cyber Security in 2016
byShannon G., MBA
 
M-Trends® 2013: Attack the Security Gap
byFireEye, Inc.
 
What’s the State of Your Endpoint Security?
byIBM Security
 
Your Mainframe Environment is a Treasure Trove: Is Your Sensitive Data Protec...
byIBM Security
 
Cloud security enforcer - Quick steps to avoid the blind spots of shadow it
byIBM Security
 
Outsmart Fraudsters: Give Customers Great User Experience While Keeping Fraud...
byIBM Security
 
National Oil Company Conference 2014 - Evolving Cyber Security - A Wake Up Ca...
byShah Sheikh
 
CYBER THREAT FORCAST 2016
byBolaji James Bankole CCSS,CEH,MCSA,MCSE,MCP,CCNA,
 

Similar to Orchestrate Your Security Defenses to Optimize the Impact of Threat Intelligence

PDF
IBM QRadar Security Intelligence Overview
byCamilo Fandiño Gómez
 
PDF
IBM Security Strategy Overview
byxband
 
PPTX
QRadar Security Intelligence Overview.pptx
byDmitry718707
 
PDF
IBM QRadar Security Intelligence Overview
byCamilo Fandiño Gómez
 
PPT
IBM Security Strategy Intelligence,
byInformation Security Awareness Group
 
PDF
IBM Qradar & resilient
byPrime Infoserv
 
PPTX
IBM ridefinisce la strategia e l'approccio verso gli Avanced Persistent Threa...
byLuigi Delgrosso
 
PPT
Avoiding data breach using security intelligence and big data to stay out of ...
byIBM Security
 
PDF
A New Remedy for the Cyber Storm Approaching
bySPI Conference
 
PDF
IBM X-Force: Insights from the 1Q 2015 X-Force Threat Intelligence Quarterly
byIBM Security
 
PDF
Level Up Your Security with Threat Intelligence
byIBM Security
 
PDF
Security (Ignorance) Isn't Bliss: 5 Ways to Advance Security Decisions with T...
byIBM Security
 
PPTX
5 Ways to Get Even More from Your IBM Security QRadar Investment in 2016
byFrancisco González Jiménez
 
PDF
Cyber Security 4.0 conference 30 November 2016
byInfinIT - Innovationsnetværket for it
 
PDF
IBM X-Force Research
byJosefina Almorza Hidalgo
 
PDF
Security Operations and Response
byxband
 
PDF
Big Data - Amplifying Security Intelligence
byIBM Danmark
 
PDF
IBM Security Products: Intelligence, Integration, Expertise
byShwetank Jayaswal
 
PPTX
Stopping Advanced Attacks on their Onset: A Practical Look at Modern Day Prev...
byIBM Security
 
PPT
DSS @CERT.LV_ISACA_2013_Conference - IBM X Force Report 2013
byAndris Soroka
 
IBM QRadar Security Intelligence Overview
byCamilo Fandiño Gómez
 
IBM Security Strategy Overview
byxband
 
QRadar Security Intelligence Overview.pptx
byDmitry718707
 
IBM QRadar Security Intelligence Overview
byCamilo Fandiño Gómez
 
IBM Security Strategy Intelligence,
byInformation Security Awareness Group
 
IBM Qradar & resilient
byPrime Infoserv
 
IBM ridefinisce la strategia e l'approccio verso gli Avanced Persistent Threa...
byLuigi Delgrosso
 
Avoiding data breach using security intelligence and big data to stay out of ...
byIBM Security
 
A New Remedy for the Cyber Storm Approaching
bySPI Conference
 
IBM X-Force: Insights from the 1Q 2015 X-Force Threat Intelligence Quarterly
byIBM Security
 
Level Up Your Security with Threat Intelligence
byIBM Security
 
Security (Ignorance) Isn't Bliss: 5 Ways to Advance Security Decisions with T...
byIBM Security
 
5 Ways to Get Even More from Your IBM Security QRadar Investment in 2016
byFrancisco González Jiménez
 
Cyber Security 4.0 conference 30 November 2016
byInfinIT - Innovationsnetværket for it
 
IBM X-Force Research
byJosefina Almorza Hidalgo
 
Security Operations and Response
byxband
 
Big Data - Amplifying Security Intelligence
byIBM Danmark
 
IBM Security Products: Intelligence, Integration, Expertise
byShwetank Jayaswal
 
Stopping Advanced Attacks on their Onset: A Practical Look at Modern Day Prev...
byIBM Security
 
DSS @CERT.LV_ISACA_2013_Conference - IBM X Force Report 2013
byAndris Soroka
 

More from IBM Security

PPTX
IBM QRadar UBA
byIBM Security
 
PPTX
Automation: Embracing the Future of SecOps
byIBM Security
 
PDF
Accelerating SOC Transformation with IBM Resilient and Carbon Black
byIBM Security
 
PDF
WannaCry Ransomware Attack: What to Do Now
byIBM Security
 
PDF
Leveraging Validated and Community Apps to Build a Versatile and Orchestrated...
byIBM Security
 
PPTX
Understanding the Impact of Today's Security Breaches: The 2017 Ponemon Cost ...
byIBM Security
 
PDF
Leaders & Laggards: The Latest Findings from the Ponemon Institute’s Study on...
byIBM Security
 
PPTX
Safeguard Healthcare Identities and Data with Identity Governance and Intelli...
byIBM Security
 
PDF
Mobile Vision 2020
byIBM Security
 
PDF
How to Build a Faster, Laser-Sharp SOC with Intelligent Orchestration
byIBM Security
 
PPTX
Valuing Data in the Age of Ransomware
byIBM Security
 
PDF
Bridging the Gap between Privacy and Security: Using Technology to Manage Com...
byIBM Security
 
PPTX
See How You Measure Up With MaaS360 Mobile Metrics
byIBM Security
 
PPTX
Integrated Response with v32 of IBM Resilient
byIBM Security
 
PPTX
Are You Ready to Move Your IAM to the Cloud?
byIBM Security
 
PDF
Top 12 Cybersecurity Predictions for 2017
byIBM Security
 
PPTX
Ponemon Institute Reviews Key Findings from “2017 State of Mobile & IoT Appli...
byIBM Security
 
PDF
The Resilient End-of-Year Review: The Top Cyber Security Trends in 2018 and P...
byIBM Security
 
PDF
Close the Loop on Incident Response
byIBM Security
 
PDF
Retail Mobility, Productivity and Security
byIBM Security
 
IBM QRadar UBA
byIBM Security
 
Automation: Embracing the Future of SecOps
byIBM Security
 
Accelerating SOC Transformation with IBM Resilient and Carbon Black
byIBM Security
 
WannaCry Ransomware Attack: What to Do Now
byIBM Security
 
Leveraging Validated and Community Apps to Build a Versatile and Orchestrated...
byIBM Security
 
Understanding the Impact of Today's Security Breaches: The 2017 Ponemon Cost ...
byIBM Security
 
Leaders & Laggards: The Latest Findings from the Ponemon Institute’s Study on...
byIBM Security
 
Safeguard Healthcare Identities and Data with Identity Governance and Intelli...
byIBM Security
 
Mobile Vision 2020
byIBM Security
 
How to Build a Faster, Laser-Sharp SOC with Intelligent Orchestration
byIBM Security
 
Valuing Data in the Age of Ransomware
byIBM Security
 
Bridging the Gap between Privacy and Security: Using Technology to Manage Com...
byIBM Security
 
See How You Measure Up With MaaS360 Mobile Metrics
byIBM Security
 
Integrated Response with v32 of IBM Resilient
byIBM Security
 
Are You Ready to Move Your IAM to the Cloud?
byIBM Security
 
Top 12 Cybersecurity Predictions for 2017
byIBM Security
 
Ponemon Institute Reviews Key Findings from “2017 State of Mobile & IoT Appli...
byIBM Security
 
The Resilient End-of-Year Review: The Top Cyber Security Trends in 2018 and P...
byIBM Security
 
Close the Loop on Incident Response
byIBM Security
 
Retail Mobility, Productivity and Security
byIBM Security
 

Recently uploaded

PDF
IDSECCONF2025 - Faisal Ilham - Semi Automating Vulnerability Scanner and Expl...
byidsecconf
 
PDF
Supercharging Android Apps with On-Device AI: Gemini Nano
bydinoykraj
 
PPTX
AI: Beyond Generative AI and LLM | Harrie de Groot (harrie.dev)
byHarrie de Groot
 
PDF
UiPath DevConnect 2025: UiPath ScreenPlay - The Future of Human-Like Automation
byDianaGray10
 
PDF
Case Study: How LKQ Corporation Improved Training Efficiency & Delivery
byRustici Software
 
PDF
UiPath DevConnect 2025: UiPath ScreenPlay - The Future of Human-Like Automation
byDianaGray10
 
PDF
Beyond Basics: How to Build Scalable, Intelligent Imagery Pipelines
bySafe Software
 
PDF
Build an AI/ML-driven image archive processing workflow: Image archive, analy...
bywesley chun
 
PDF
Webinar: Introduction to LF Energy SEAPATH
byDanBrown980551
 
PDF
IDSECCONF2025 - Nosa Shandy - Discovering and Disclosing Privacy Vulnerabilit...
byidsecconf
 
PDF
Infuse Intelligence Into your App with Foundry Local
byNilesh Gule
 
PPTX
Building powerful web apps to improve productivity and engagement - Esri UK W...
byEsri UK
 
PPTX
Redcentric Data Centres: vision, mission and values
byRedcentric
 
PDF
How to Spot a Fraudulent Shopping Website
byAshwini Singh
 
PDF
Dev Dives: Build smarter agents with UiPath Agent Builder
byUiPathCommunity
 
PDF
AI in Food Production (Foodwell) - AI Solutions Supporting Operations
bybyteLAKE
 
PDF
SELinux Policy Management in RHEL - RHCSA+.pdf
byLinuxCert Guru
 
PDF
THE THREATS OF INSTABILITY IN BRAZIL'S INTERCONNECTED ELECTRICAL SYSTEM AND H...
byFaga1939
 
PDF
SELinux Basics: Managing SELinux Modes and Context - RHCSA+.pdf
byLinuxCert Guru
 
PDF
Mastering Handlers, Conditions, and Loops in Ansible Playbooks - RHCE.pdf
byLinuxCert Guru
 
IDSECCONF2025 - Faisal Ilham - Semi Automating Vulnerability Scanner and Expl...
byidsecconf
 
Supercharging Android Apps with On-Device AI: Gemini Nano
bydinoykraj
 
AI: Beyond Generative AI and LLM | Harrie de Groot (harrie.dev)
byHarrie de Groot
 
UiPath DevConnect 2025: UiPath ScreenPlay - The Future of Human-Like Automation
byDianaGray10
 
Case Study: How LKQ Corporation Improved Training Efficiency & Delivery
byRustici Software
 
UiPath DevConnect 2025: UiPath ScreenPlay - The Future of Human-Like Automation
byDianaGray10
 
Beyond Basics: How to Build Scalable, Intelligent Imagery Pipelines
bySafe Software
 
Build an AI/ML-driven image archive processing workflow: Image archive, analy...
bywesley chun
 
Webinar: Introduction to LF Energy SEAPATH
byDanBrown980551
 
IDSECCONF2025 - Nosa Shandy - Discovering and Disclosing Privacy Vulnerabilit...
byidsecconf
 
Infuse Intelligence Into your App with Foundry Local
byNilesh Gule
 
Building powerful web apps to improve productivity and engagement - Esri UK W...
byEsri UK
 
Redcentric Data Centres: vision, mission and values
byRedcentric
 
How to Spot a Fraudulent Shopping Website
byAshwini Singh
 
Dev Dives: Build smarter agents with UiPath Agent Builder
byUiPathCommunity
 
AI in Food Production (Foodwell) - AI Solutions Supporting Operations
bybyteLAKE
 
SELinux Policy Management in RHEL - RHCSA+.pdf
byLinuxCert Guru
 
THE THREATS OF INSTABILITY IN BRAZIL'S INTERCONNECTED ELECTRICAL SYSTEM AND H...
byFaga1939
 
SELinux Basics: Managing SELinux Modes and Context - RHCSA+.pdf
byLinuxCert Guru
 
Mastering Handlers, Conditions, and Loops in Ansible Playbooks - RHCE.pdf
byLinuxCert Guru
 

Orchestrate Your Security Defenses to Optimize the Impact of Threat Intelligence

  • 1.
    Orchestrating Your SecurityDefenses with Threat Intelligence August 15, 2017 Sam Dillingham Senior Offering Manager IBM X-Force Pamela Cobb Portfolio Manager IBM X-Force
  • 2.
    2 IBM Security Today’sagenda Intro to Threat Intelligence Threat Intelligence use cases Taking action with integrations Get started today!
  • 3.
    3 IBM Security Ittakes too long to make information actionable Analysts can’t separate the signal from the noise Data is gathered from untrusted sources 1 Source: ESG Global 65% of enterprise firms use external threat intelligence to enhance their security decision making 1 Security teams often lack critical support to make the most of these resources.
  • 4.
    4 IBM Security Morecompanies are sharing and consuming threat intelligence 1. Timely and early warning of relevant threats to stay a step ahead 2. Increased visibility to emerging threats as more organizations benefit from other organization’s detections 3. Validation and prioritization of threats based on context of suspicious activity 4. Faster and more orchestrated response through enrichment of incidents with IoCs 5. More awareness of targets and tactics to help plan, build and evolve your security strategy How to Collect, Refine, Utilize and Create Threat Intelligence Gartner, Oct 2016 IBM and Business Partner Use Only
  • 5.
    5 IBM Security IBMX-Force Exchange is a threat intelligence sharing platform designed to help security teams research, collaborate and integrate. xforce.ibmcloud.com IBM and Business Partner Use Only
  • 6.
    6 IBM Security Collectionsstreamline security investigations with research from curated content Groups allow public or private collaboration to validate threats and develop response plans Integrations strengthen security solutions and provide additional threat intelligence • Validate findings • Aid in forensic investigations • Provide tactical / strategic intelligence • Address investigations • Enable research workflow • Interact with X-Force research community • X-Force Exchange SDK / API / STIX / TAXII • Threat Feed Manager • Free / commercial usage IBM and Business Partner Use Only
  • 7.
    7 IBM Security Today’sagenda Intro to Threat Intelligence Threat Intelligence use cases Taking action with integrations Get started today!
  • 8.
    8 IBM Security forthreat intelligence use cases Real-time blocking Security operations Threat research & hunting
  • 9.
    9 IBM Security UseCase 1: Real-time blocking Usage • Blocking access to known malicious actors • Can include IPs, domains, URLs, etc. • Implemented by firewalls, IPSes, proxies, and other security devices Critical Factors • Speed in making blocking decisions • Scoring flexibility to set a threshold of what to block • Frequent incremental updates to minimize performance impact Delivery Route • Software development kits (SDKs) • Block lists
  • 10.
    10 IBM Security InIBM X-Force Exchange, classification and scoring for URLs and IP addresses combines results of multiple analyses.
  • 11.
    11 IBM Security Webapplications are scored on several risk factors
  • 12.
    12 IBM Security UseCase 2: Security Operations Usage • Maps threat intelligence to data observed in your environment • Includes intelligence that can be mapped to network and host- based indicators • Integration with operational tools, such as SIEM and incident response Critical Factors • Support for open standards for easy integration into existing solutions • Pivotability among indicators to aid in rapid investigation • Completeness of data Delivery Route • STIX/TAXII feeds • Cybox
  • 13.
    13 IBM Security Theuse of open standards maximizes interoperability with existing systems  API queries based on query/response model for threat intelligence  Leverages basic authentication  Load balanced to support traffic loads  Node SDK module available  TAXII services provided to access threat intelligence  Supports STIX/Cybox objects JSON RESTful API STIX / TAXII Standards Support
  • 14.
    14 IBM Security UseThreat Intelligence through open STIX/TAXII format Use reference sets for correlation, searching, reporting • Load threat indicators in Collections into QRadar Reference sets • Create custom rule response to post IOCs to Collection • Bring Watchlists of IP addresses from X-Force Exchange and create a rule to raise the magnitude of any offense that includes the IP Watchlist IBM and Business Partner Use Only
  • 15.
    15 IBM Security UseCase 3: Threat Research and Hunting Usage • Research of potential threats that may or may not yet be affecting your organization • Can be done via a web-based UI or API Critical Factors • Scriptable access of data in an easy-to-use manner • Aggregation of multiple intelligence sources (from different vendors) into a single stream • Flexible search Delivery Route • REST-based API • Research platforms with web interfaces
  • 16.
    16 IBM Security X-Forceglobal threat intelligence delivers a wide range of benefits Higher Order Intelligence Observables and Indicators Actors Campaigns Incidents TTPs Vulnerabilities MalwareAnti-SpamWeb App Control IP ReputationURL / Web Filtering
  • 17.
    17 IBM Security Correlationof indicators and higher-order intelligence is critical 173.242.117.120 is a malware C&C server djs14.com is a malware C&C server CVE-2013-3029 is an Excel vulnerability abc@xyz.com sends SPAM Organization Y is a threat actor Indicator Feeds Correlated Threat Intelligence 173.242.117.120 is a malware C&C server … which is associated with PoSeidon malware family targeted against retailers used by attackers in country X, Y and Z to steal credit card information from PoS systems Communicates with C&C servers: 173.242.117.120, 203.19.201.20 C&C domains: djs14.com, jdjnci.net Twitter feed @malwarecommander Infects via drive-by download exploiting CVE-2015-2093 malicious Excel file exploiting CVE-2013-3029 email attachment from abc@xyz.com Host indicators Registry keys A, B, C Processes D, E, F Event log entries G, H Memory fingerprint J, K vs.
  • 18.
    18 IBM Security Correlationprovides pivotability to accelerate threat investigation Network traffic to C&C IP observed Malware associated with C&C server Other C&C IPs for the malware Host IoCs for the malware Actor/ campaign details Infection method details What does this communication mean? What is the attacker after? How did they get in? Where else are they? How do I verify infections? Send indicators to EDR tool Correlate CVEs to SIEM vuln scansCorrelate IPs to flow data in SIEM Understand motivations, report to exec mgt Initiate patchingInvestigate exfiltration Quarantine infected endpoints
  • 19.
    19 IBM Security X-ForceExchange Collections streamline security investigations Higher Order Intelligence Free text area of the Collection is used to organize Identifiers, Campaigns, TTPs, TLP status, and other pertinent details. Observables & Indicators Related reports on URL / IP reputation, malware, vulnerabilities, and related attachments
  • 20.
    20 IBM Security Agenda Introto Threat Intelligence Threat Intelligence use cases Taking action with integrations Get started today!
  • 21.
    21 IBM Security 20,000+devices under contract 20B events managed per day 133 monitored countries 3,700+ security-related patents 270M endpoints monitored for malware 38B analyzed web pages and images 8M spam and phishing attacks daily 850K malicious IP addresses 113K documented vulnerabilities Millions of unique malware samples As of May 2017 The scale of IBM Security brings unique breadth and depth to X-Force threat intelligence
  • 22.
    22 IBM Security SDK X-ForceThreat Intelligence can be integrated into security solutions via multiple methods IBM CONFIDENTIAL - LIMIT DISTRIBUTION UNTIL MAY 16 Data & intelligence sources Analytics Engine IBM Security Products OEM SDK Platform Users Open API Com- mercial API APIPortal Threat Intelligence Content pDNS Whois information Collections Higher Order Intelligence Vulnerabilities Malware Sandbox Malware Families IP Reputation URL Reputation Web Applications Delivery Layer Threat integration Threat consumers Platform Layer XFMA XGS Platform Users
  • 23.
    23 IBM Security Thereis a comprehensive range of Threat Intelligence available via API Indicators/Content Details Vulnerabilities Risk score (CVSS), Exploit characteristics, Exploit consequences, Remedy information, Affected Products, Protection information (e.g. references for IPS, Vulnerability Assessment content), and External references Malware Disposition, Hash value, First observed, Malware family, Vendors covering (%), Download sources, Command and Control Servers, Email sources, and Email subjects Malware Families First/Last Observance, and Associated hash values (MD5) / IP Reputation Risk score (1-10), Geolocation, Applications associated, Malware associated, Categorization – current and historical with confidence value (1-100%), Passive DNS information, Subnet reputation URL Reputation Risk score (1-10), Applications associated, Categorization – current and historical, DNS information Web Applications Risk score, Categorization, Base URL, Vulnerabilities, Hosting URLs, and Hosting IPs pDNS Passive DNS information Whois information Registrant information – name, organization, country, and e-mail. IBM Network Protection Monthly XPU Content, as well as each signature, date of its release, and the vulnerability for which it provides coverage Collections Curated content on specific security investigations, including both structured and unstructured content. Higher Order Intelligence Cybox objects such as campaign, threat actor, tools, tactics, procedures, course of action, and indicator information, as part of the collections.
  • 24.
    24 IBM Security IBMSecurity App Exchange Driving the evolution of collaborative defense  Access user and business partner innovations  Extend IBM Security solution functionality to new use cases  Download validated security apps from a single platform A platform for security collaboration https://apps.xforce.ibmcloud.com
  • 25.
    25 IBM Security Reactfaster, coordinate better, respond smarter to incidents Single Hub Provides Easy Workflow Customization and Process Automation • Helps cyber security teams orchestrate IR process and manage and respond to incidents faster, better and more intelligently • Drives down response times by streamlining the process of escalating and managing incidents • Ensures consistency and adherence to regulatory requirements and legal obligations • Automates time-consuming tasks • Leverages staff more effectively
  • 26.
    26 IBM Security IBMX-Force Malware Analysis Submit suspicious files directly into IBM X-Force Exchange Automate suspicious file investigation Act on in-depth intelligence reports Access anywhere, anytime with a scalable cloud architecture IBM and Business Partner Use Only
  • 27.
    27 IBM Security Adiversified financial services company greatly improved their threat research capabilities and collaboration workflows “I didn’t realize I was on X-Force Exchange that much. The collaboration capabilities and threat intelligence are highly valuable to me and a great help to my challenges and activities throughout each day.” -Network Security Analyst II Business challenge  Need for curated threat research to complement their SIEM  Lack of internal collaboration in the threat investigation process IBM X-Force Exchange with IBM QRadar Helped better defend the organization’s network from attacks, scans and phishing attempts on a daily basis, using IP / URL reputation data, geo-location status of IPs, vulnerability data, md5 detail and shared collections from X-Force Exchange in conjunction with IBM QRadar. Research, collaborate and integrate
  • 28.
    28 IBM Security Agenda Introto Threat Intelligence Threat Intelligence use cases Taking action with integrations Get started today!
  • 29.
    29 IBM Security HelpfulResources X-Force Exchange • Try it: xforce.ibmcloud.com • API: https://api.xforce.ibmcloud.com/doc/ General X-Force information: • X-Force blogs on SecurityIntelligence.com • IBM X-Force Threat Intelligence Report for 2017 • IBM Interactive Security Incidents website to stay up to date on latest verified breaches IBM/BUSINESS PARTNER USE Contact Us! Sam Dillingham, sam.dillingham@us.ibm.com, Sr Offering Manager Pamela Cobb, pcobb@us.ibm.com, Portfolio Manager
  • 30.
    ibm.com/security securityintelligence.com xforce.ibmcloud.com @ibmsecurity youtube/user/ibmsecuritysolutions © Copyright IBMCorporation 2016. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind, express or implied. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, these materials. Nothing contained in these materials is intended to, nor shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software. References in these materials to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates. Product release dates and / or capabilities referenced in these materials may change at any time at IBM’s sole discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any way. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service marks of others. Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed, misappropriated or misused or can result in damage to or misuse of your systems, including for use in attacks on others. No IT system or product should be considered completely secure and no single product, service or security measure can be completely effective in preventing improper use or access. IBM systems, products and services are designed to be part of a lawful, comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective. IBM DOES NOT WARRANT THAT ANYSYSTEMS, PRODUCTS OR SERVICES ARE IMMUNE FROM, OR WILL MAKE YOUR ENTERPRISE IMMUNE FROM, THE MALICIOUS OR ILLEGAL CONDUCT OF ANY PARTY. FOLLOW US ON: THANK YOU