IBM Managed Security Services for security intelligence

Transcription

1 IBM Global Services April 2005 IBM Managed Security Services for security intelligence By: David Mackey, security intelligence Jeff Lahann, security intelligence

2 Page 2 Contents 2 Foreword 3 Introduction 6 Service overview 15 For more information Foreword Throughout thousands of years of military history, battlefield commanders have relied on information, or intelligence, to win battles. Where am I most vulnerable? What type of weaponry does my enemy have? Is an attack imminent? These questions have pressed commanders to seek more intelligence about impending battlefield events. Although computer networks do not typically carry the life-and-death struggle of a military battlefield, they do hold sensitive, critical information that is vital to the lives of companies, educational institutions and government organizations. These computer networks have been under siege for decades, and it is only recently that leaders have recognized the battlefield before them. In doing so, these leaders like their military counterparts understand the need to gain better intelligence in order to successfully defend their assets. This white paper details a new intelligence offering that IBM Managed Security Services is delivering IBM Managed Security Services for security intelligence. The goal of the offering is to allow clients to make timely and informed decisions around improving their information technology (IT) defenses. IBM will help to identify what constitutes an imminent threat and what is just noise. This valuable intelligence will help IT leaders in determining whether they should divert their limited resources to apply emergency patches, review firewall rules, or perform other defensive measures to be successful on the IT battlefield.

3 Page 3 IBM transforms otherwise overwhelming volumes of securityrelated data into meaningful, actionable business intelligence. Other managed security services providers (MSSPs) also offer business or security intelligence solutions to help IT leaders. Yet all too often, IT organizations are overwhelmed by the volume of data they receive from these solutions. In terms of the human ability to interpret and comprehend data, too much information can be overwhelming and just as problematic as having too little. By utilizing correlation, trending and expert analysis, IBM transforms the volumes of security-related data into concise business intelligence that today s IT leaders can use to quickly and effectively defend their IT assets. For this reason, as well as the quality of the analysis, best-practice methodologies, and other value-adds outlined in this white paper, outsourcing threat analysis to IBM is a sound business decision. IT attacks, including viruses, worms and malicious hacker activity, result in lost productivity, computing downtime and disruptive operations. Introduction IT threats remain a growing source of concern and financial loss for companies. Viruses infect countless machines, requiring extensive time in both troubleshooting and cleaning the infected systems. Worms propagate through corporate networks, preventing legitimate network traffic and consuming cycles. Hackers consistently find new ways to penetrate IT infrastructures to steal computing resources, deface Web sites and pilfer proprietary information. These threats result in lost employee productivity and downtime for critical computing resources.

4 Page 4 Additionally, time frames for companies to implement effective security measures to counter an emerging threat are getting shorter. Consider the following: The length of time between the announcement of a software vulnerability and the discovery of exploitative threats is becoming increasingly shorter. Software used to exploit vulnerabilities in pervasive software (e.g., Microsoft Windows, Cisco IOS, etc.) is released, on average, 9.3 days after the vulnerability is announced to the public. A worm is released to take advantage of those same vulnerabilities, on average, 70.1 days, or approximately two months, after the vulnerability is announced to the public. Unfortunately, a worm has been released as soon as one day after the vulnerability was announced. Fortunately for most IT organizations, news of a software vulnerability and a patch are released at the same time. An IT organization learns about the vulnerability and can then work to promptly implement the software patch. However, to accomplish a coordinated vulnerability report and patch release takes cooperation from both the vulnerability researcher and the software manufacturer. If the person discovering the vulnerability does not notify the software manufacturer, or the vulnerability information is leaked at some point before the software manufacturer can develop a fix, abusive users (abusers) have a larger time window in which to learn about the vulnerability and use it to attack IT systems.

5 Page 5 Worms to exploit vulnerabilities have been discovered as soon as one day after the vulnerability was announced. Number of days after public vulnerability disclosure Major Worm Outbreaks Code Red (2001) Nimda (2001) SQL Slammer (2003) Blaster (2003) Welchia (2003) Witty (2004) Sasser (2004) Exploit code publicly released Worm discovered It is critical that organizations identify new IT threats as quickly as possible to avoid costly business disruptions. Figure 1: This figure shows the timeline of when the public was notified about a software vulnerability, when software exploiting the vulnerability was publicly released, and when a worm was discovered. Data is shown only for vulnerabilities contributing to the most pervasive and costliest worm outbreaks from January 2001 to May For example, code to exploit the Microsoft SQL server resolution service vulnerability was released 34 days after Microsoft notified the public that the vulnerability existed. The Slammer worm, which targeted this vulnerability, was discovered in the wild 151 days later. As these statistics demonstrate, it is crucial that organizations identify new IT threats as quickly as possible before they impact business operations. The IBM Managed Security Services for security intelligence offering is designed to do

6 Page 6 The IBM Managed Security Services for security intelligence offering is designed to help IT leaders focus their security resources on threats posing the greatest risk to their organization and operations. just that. IBM teams collect, analyze and disseminate intelligence about imminent IT threats and attacks for its clients. In addition to providing advance warning of threats, IBM strives to provide only viable intelligence to help IT leaders focus their security resources on threats that pose the greatest risk to vital information and information technology. Note: There are a number of key terms used throughout this paper that may have different meanings for different audiences. For the purposes of helping to define this IBM service, here are the definitions used: Threat: A threat is a potential attack or disruptive event. Attack: An attack is any computer or network-related event or activity that has disrupted or is disrupting the IT services of an organization. Intelligence: Intelligence is viable and concise analysis of available information outlining a possible threat or attack that could affect the IT services of an infrastructure. Service overview The IBM Managed Security Services for security intelligence offering is an advance warning service designed to assist clients in understanding the current threats to their environments. Those threats may be from malicious computer users and viruses or even natural disasters and man-made events. Information is gathered from numerous sources and is analyzed, distilled and disseminated as viable intelligence. IBM uses the traditional intelligence lifecycle to collect information from numerous sources, analyze the information for details on possible threats, and disseminate viable intelligence to clients. This overall lifecycle takes in raw information and produces viable intelligence to aid IT leaders in implementing effective defenses.

7 Page 7 IBM looks at information from a variety of sources, reviewing current enterprise events, analyzing security incident details, coordinating with anti-virus organizations, and profiling and tracking data from historical attacks around the world. Information collection IBM Managed Security Services for security intelligence is provided by individuals who look at numerous sources of information to determine when the next IT threat is likely to materialize. IBM collects information from securityevent data provided by other IBM teams and data sources, such as: Security Operations Center: The IBM Security Operations Center (SOC) provides ongoing analysis of current events occurring across enterprise systems, local area networks (LANs), wide area networks (WANs), wireless networks and Internet activities. Incident Management: The IBM Incident Management team helps clients investigate and recover from computer attacks. Evidence discovered during the course of security incident investigations is analyzed to determine if it might be part of a pervasive threat. Virus Response Team: The IBM Virus Response team provides consulting and advice on malicious code activity. This team leverages relationships with anti-virus organizations and vendors to provide clients with the latest information about new viruses, blended security threats and suggestions for mitigating risks. Security intelligence: The security intelligence group provides business intelligence using state-of-the-art data mining and analysis tools focused at an enterprise-level data set of security events (e.g., firewall logs, intrusion detection sensor data, system logs, etc.). Attack Source Profiling: Attack Source Profiling (ASP) is used to profile and track historical attacks from over 3.5 million Internet protocol (IP) addresses across the globe.

8 Page 8 The impact of natural disasters and other potentially disruptive events are also monitored from an IT security perspective. IBM Research: Security-specific technology and analysis from IBM Research provides unique and timely insight into threats and events. IBM Business Continuity and Recovery Services: Analysts from around the world monitor the impact of natural disasters and other potentially disruptive events. This expertise helps the security intelligence service report on any threat to IT operations. Additionally, IBM gathers information from a wider global community using sources such as: Analysts review information from the IT security community as well as information gathered from traditional media. Information security community: IBM works with the wider information security industry by participating in various security teams such as the Forum of Incident Response and Security Team (FIRST; the Anti-Virus Information Exchange Network (AVIEN; and others. Human intelligence: International human intelligence collectors listen for rumors, gossip and other potentially valuable intelligence information about IT threats. Traditional media: The following information sources are also analyzed for intelligence items: Security advisories and bulletins Security-related newsgroups and Web sites U.S. and international governmental alerts International and local news

9 Page 9 Threat analysis The threat analysis process is broken into two distinct phases: evaluation and investigation. The evaluation phase uses a structured, standardized and repeatable method for analyzing gathered information, determining if a threat exists, and if so, assigning a Threat Score. The investigation phase consists of a more in-depth analysis and emergency response to a pervasive threat. Each IT threat is evaluated in terms of its probability, the ease with which it could spread, its potential for inflicting damage, and how widespread the threat is likely to be. Evaluation Using the intelligence gathered during the intelligence collection phase, the team then rates each threat using the Network Threat Risk Assessment Tool (patent pending). The Risk Assessment Tool generates a Threat Score from 0 to 10 using the following criteria: Threat Score = w1 * Probability + w2 * Propulsion + w3 * Potential + w4 * Pervasiveness Note: wx is the given weight assigned to each category. The Probability score indicates how likely it is that the IT threat will materialize into an incident or attack. The Propulsion score indicates how easily an attack could spread. The Potential score indicates how much damage this IT threat may realize on its target(s). The Pervasiveness score outlines how widespread this IT threat could be.

10 Page 10 Each category is rated using the matrix below: Low 0 Probability Propulsion Potential No intelligence indicates that a pervasive IT threat is imminent. Intelligence indicates: Detailed instructions on how to carry out the IT threat do not exist, or Malware does not propagate on its own (e.g., Trojan). An attack could result in: Malicious activity from an existing system or security administrator, or Unauthorized access to data from an authorized user ID, or Denial of service (DoS). Pervasiveness The IT threat has the potential to affect a single company or minimal number of systems (e.g., target is a niche application or operating system). IBM uses the Network Threat Risk Assessment Tool to quantify the properties of an IT security threat. Medium 1 Reconnaissance or other activity indicates that a pervasive IT threat may materialize. Intelligence indicates: Various groups have instructions on how to carry out the IT threat, or Malware propagates with human intervention only (e.g., Virus). An attack could result in: Access to system or security administrative privileges from an existing authorized user ID, or Unauthorized access to data without the need for an authorized user ID, or Physical damage to IT assets. The IT threat has the potential to affect pockets of IT assets (e.g., target is a popular application or operating system). High 2 Intelligence indicates that a pervasive attack has occurred. Intelligence indicates: Detailed instructions (e.g., exploit code or proof-of-concept) on how to carry out the IT threat have been made public, or Malware propagates on its own (e.g., Worm). An attack could result in: A complete bypass of access control systems, or Access to system, or Security administrative privileges without the need for an authorized user ID, or Physical destruction of IT assets. The IT threat has the potential to affect entire regions or geographies (e.g., target is a ubiquitous application or operating system). Figure 2: The Network Threat Risk Assessment Tool quantifies the properties of an IT threat. For example, the SQL Slammer worm generated a Probability of 2, a Propulsion of 2, a Potential of 2, and a Pervasiveness of 2. After weighting each score, the overall Threat Score equaled a 10 making it the worst possible score for a particular IT threat.

11 Page 11 The information used to generate the Threat Score may be incomplete early in the evaluation phase. This type of early warning may have a degree of uncertainty, but is still critically important to communicate to our clients. Therefore, also during the evaluation phase, each IT threat is also assigned a Reliability Rating. This allows IBM to inform our clients of our confidence in the information received. This is documented on a scale from 1 to 5. Reliability Rating Information Source Reliability Rating Scale Examples In addition to a Threat Score, each IT threat is assigned a Reliability Rating to convey the level of confidence IBM has in the information about the threat Information was reported by IBM (i.e., first-hand knowledge) Information was reported by a trusted source (i.e., second-hand knowledge) Information was reported by an untrusted source but was verified by another source Intrusion detection/prevention systems Honeypots Anti-virus systems Network monitoring tools System logs Sniffers NISCC SANS US-CERT FIRST IT-ISAC AVIEN Software/ hardware vendor Popular media Newsgroup posting Mailing list Web site 2 1 Information was collected by an untrusted source and has not yet been verified No trusted intelligence source involved Popular media Newsgroup posting Mailing list Web site Rumors Figure 3: Helps to convey the level of confidence IBM has in the intelligence communicated to customers.

12 Page 12 The action that IBM takes with respect to each IT threat is determined by the severity of the threat as reflected in its Threat Score. Investigation The Threat Score determines what action IBM takes on behalf of its clients. Threats with lower scores are simply communicated, while higher scores initiate the more in-depth threat analysis in the investigation phase. The investigation process is used as an emergency response to a pervasive threat. IBM teams convene to disassemble malware, analyze vulnerabilities and investigate the circumstances surrounding the threat. (For details on specific intelligence products delivered, please see the section below regarding intelligence dissemination.) Intelligence dissemination, deliverables and reports After collecting the raw information and analyzing it for potential threats, IBM provides polished IT intelligence to clients using the following communication vehicles and service deliverables: IBM uses various means of disseminating IT security intelligence to its clients. Threat Catalog: IBM offers a Web portal where clients consume the intelligence information. One important aspect of the portal is the overall catalog listing of known IT vulnerabilities, attacks and threats with Threat Scores 0 through 10. The entry for each threat includes the Threat Score, a summary description, the potential impact and recommendations for defending against the threat. Daily Radar: The Daily Radar Report is the main vehicle for information distribution. The report is delivered every workday and is posted to the Web portal. This report provides a daily brief outlining the current attacks and threats that have Threat Scores of 4 or above, as well as an overall Index Score for the day. An archive of these reports is maintained on the Web portal.

13 Page 13 Events with a Threat Score of 7 or above result in prompt notification to clients, via either an emergency or emergency paging. IBM prepares in-depth analysis reports on high-severity threats. Emergency notification: IBM will promptly notify clients upon the discovery of an event with a Threat Score of 7 or above. Those threats rating 7 or above initiate emergency regarding the threat and its impact. Those threats rating 8 or above initiate emergency paging to client contacts. Emergency notification provides the client with the ability to respond and react before a threat can affect the client infrastructure. Out-of-band hotline: The out-of-band hotline is a voice recording that is updated during the course of high-severity threat conditions to provide clients with a description of the threat, the impact of the threat and the necessary remediation steps. It is important to have an out-of-band communication medium for obtaining information in the event that communication issues prevent clients from accessing IBM intelligence online. Clue Sheets: In-depth analysis reports, called Clue Sheets, are completed on pervasive high-severity threats, and culminate in a white paper detailing the threat. These reports give clients current information on up-to-date threats and possible emerging threats in a take-away format. An archive of these reports is maintained on the Web portal. Security Threats and Attack Trends: The Security Threats and Attack Trends is a monthly report providing an overview of the global IT threat landscape for a particular month. Each month marks the trend of the Global Security Business Index, which quantifies the threats posed to IT environments on any given day. Security advisories: IBM will also send information and redistributions of security advisories to our client contacts via . These informational s cover communication of lower-level threats and include a brief description and links to additional information.

14 Page 14 Global Business Security Index The IBM Managed Security Services for security intelligence teams track current and previous threats in order to display the Security Index for any given day. Over time, that trend shows major points where IT environments faced the greatest risks. The trend below in Figure 4 shows the period from February 1, 2004 to March 1, The largest spike in that time frame is attributed to the outbreaks of a number of -based worms and the Witty worm in the winter of Global Business Security Index Critical High Medium Low Security Index Rolling Trend The Global Business Security Index provides an overview of the overall threat landscape on any given day. 2/04 3/04 4/04 5/04 6/04 7/04 8/04 9/04 10/04 11/04 12/04 1/05 2/05 3/05 Figure 4: Quantifies the threat landscape on any given day. The Index is separated into four bands of color: the red zone highlights those days when the Security Index was at a critical level. At Critical, IBM recommends that IT organizations make threat remediation their top priority. The orange zone indicates High. At High, IBM recommends that organizations make threat remediation one of their top three priorities. At the yellow or Medium level, organizations should address threats at part of their top five priorities. The green zone indicates those days where the risk from threats is business as usual, and threat remediation can continue to be within the top ten priorities.

15 Page 15 For more information To learn more about IBM Managed Security Services for security intelligence, please contact the following: David Mackey security intelligence team Ed Salm Service Owner

16 Copyright IBM Corporation 2005 IBM Global Services Route 100 Somers, NY U.S.A. Produced in the United States of America All Rights Reserved IBM and the IBM logo are trademarks or registered trademarks of International Business Machines Corporation in the United States, other countries or both. Other company, product and service names may be trademarks or service marks of others. References in this publication to IBM products or services do not imply that IBM intends to make them available in all countries in which IBM operates. G