Predators are lurking in the Dark Web - is your network vulnerable?
Venkatesh Sadayappan (Venky)
Security Portfolio Marketing Leader, IBM Security - Central & Eastern Europe
Venky.iss@cz.ibm.com | @IBMSecurityCEE
November 2015
With security risk evolving, we must evolve our approach!
Near-daily leaks of sensitive data: 83% of CISOs say that the challenge posed by external threats has increased in the last three years.
Relentless use of multiple methods: 40% increase in reported data breaches and incidents.
Insane amounts of records breached: 800,000,000+ records were leaked, while the future shows no sign of change.
42% of CISOs claim the risk from external threats increased dramatically from prior years.
Source: IBM X-Force Threat Intelligence Quarterly 1Q 2015 and 2014 IBM Chief Information Security Officer Assessment
IBM Security has global reach
IBM Security by the numbers:
- monitored countries (MSS)
- service delivery experts
- endpoints protected
- events managed per day
IBM X-Force Research and Development
Expert analysis and data sharing on the global threat landscape: malware analysis, zero-day research, IP reputation, URL / web filtering, web application control, vulnerability protection, anti-spam.
The IBM X-Force mission:
- Monitor and evaluate the rapidly changing threat landscape
- Research new attack techniques and develop protection for tomorrow's security challenges
- Educate our customers and the general public
- Integrate and distribute threat protection and intelligence to make IBM solutions smarter
IBM X-Force monitors and analyzes the changing threat landscape
- 20,000+ devices under contract
- 20B+ events managed per day
- 133 monitored countries (MSS)
- 3,000+ security related patents
- 270M+ endpoints reporting malware
- 25B+ analyzed web pages and images
- 12M+ spam and phishing attacks daily
- 89K+ documented vulnerabilities
- 860K+ malicious IP addresses
- Millions of unique malware samples
IBM X-Force is the foundation for advanced security and threat research across the IBM Security Framework.
The Dark Web is comprised of nefarious individuals and organizations participating in host-to-host anonymous encrypted communications.
Tor was originally designed, implemented and deployed in 2004 as a third-generation onion routing project of the US Naval Research Laboratory to protect government communications.
[Diagram: a Tor circuit. Requestor -> Guard Node -> Relay Node -> Exit Node -> Destination Server. The links between the requestor and the Tor nodes are encrypted; the link from the exit node to the destination server is unencrypted.]
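The circuit in the diagram, as an added walk-through that is not part of the original deck and does not use Tor's real cell format or key exchange: the three hop keys, the `TO:` destination header and the hash-derived XOR keystream are assumptions for illustration only. It shows why only the exit node (and the unencrypted link after it) ever sees the destination and the payload, which is the reason the later slide warns exit-node operators about liability.

```python
"""Toy onion-routing walk-through: three encryption layers, peeled one hop at a time.

Illustration only (added example, not IBM's or the Tor Project's code): the cipher is a
SHA-256-derived XOR keystream rather than Tor's AES-CTR cells, and there is no
handshake, integrity check or padding.
"""
import hashlib
import os

NONCE_LEN = 12


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Derive a keystream from SHA-256(key || nonce || counter) blocks (toy cipher)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def encrypt_layer(key: bytes, plaintext: bytes) -> bytes:
    """Add one encryption layer; a fresh nonce is prepended so keystreams are never reused."""
    nonce = os.urandom(NONCE_LEN)
    ks = _keystream(key, nonce, len(plaintext))
    return nonce + bytes(p ^ k for p, k in zip(plaintext, ks))


def decrypt_layer(key: bytes, blob: bytes) -> bytes:
    """Peel one encryption layer using the hop's key and the prepended nonce."""
    nonce, ct = blob[:NONCE_LEN], blob[NONCE_LEN:]
    ks = _keystream(key, nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, ks))


def build_onion(hop_keys, destination: bytes, payload: bytes) -> bytes:
    """Client side: wrap destination + payload for the exit, then the relay, then the guard.

    hop_keys is an ordered list [(name, key)] from guard to exit. Each hop shares one key
    with the client (assumed here; in Tor they come from the circuit-building handshake).
    """
    cell = b"TO:" + destination + b"\n" + payload   # only the exit will ever read this
    for _name, key in reversed(hop_keys):           # innermost layer uses the exit key
        cell = encrypt_layer(key, cell)
    return cell


def traverse(hop_keys, onion: bytes):
    """Walk the circuit: each hop peels its own layer and forwards the remainder.

    Returns [(hop name, bytes that hop sees after peeling)]; the last entry is what
    leaves the exit node on the unencrypted link to the destination.
    """
    observed = []
    cell = onion
    for name, key in hop_keys:
        cell = decrypt_layer(key, cell)
        observed.append((name, cell))
    return observed


def exit_view(hop_keys, destination: bytes, payload: bytes):
    """Return (destination, payload) as the exit forwards them, plus the per-hop trace."""
    seen = traverse(hop_keys, build_onion(hop_keys, destination, payload))
    exit_bytes = seen[-1][1]
    dest_line, body = exit_bytes.split(b"\n", 1)
    return dest_line[len(b"TO:"):], body, seen


if __name__ == "__main__":
    # Constructed keys and request; nothing here is real traffic.
    keys = [("guard", b"guard-key-constructed"),
            ("relay", b"relay-key-constructed"),
            ("exit", b"exit-key-constructed")]
    dest, body, seen = exit_view(keys, b"example.test:80", b"GET /index.html HTTP/1.1\r\n")
    for name, cell in seen:
        readable = b"example.test" in cell
        print(f"{name:5s}: {len(cell)} bytes, destination visible: {readable}")
    print("exit forwards to", dest.decode(), "payload", body)
```

The guard learns who the requestor is but sees only ciphertext; the exit sees the destination and, for plaintext protocols, the full payload, but not who sent it. That asymmetry is what makes an exit node the point where abusive traffic appears to originate.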
Usage of Tor (source: Wikipedia)
"Geographies of Tor" by Stefano.desabbata - Own work. Licensed under CC BY-SA 4.0 via Commons - https://commons.wikimedia.org/wiki/file:geographies_of_tor.png#/media/file:geographies_of_tor.png
According to IBM MSS data, Romania is counted among the top 10 countries, while the Netherlands hosts more exit nodes than any other country.
Romania ranks 3rd in malicious traffic volume originating from Tor exit nodes.
Combined, attacks on Information & Communications and on Manufacturing account for 3x the attack events of Finance and Insurance. These attacks are not after money; they're attempts to steal intellectual property and/or spy on company operations.
Tor provides an attack infrastructure allowing anonymous attackers to operate malicious botnets within the network or transport their nefarious traffic.
- SQL injection (SQLi): SQLi makes up by far the majority of the attacks that originate from Tor exit nodes and target IBM MSS customers.
- Vulnerability scanning: Vulnerability scanning often represents the early stages of an attack, as the adversary gets the lay of the land. Tor lets the adversary cloak their origin and spread their probes out across exit nodes, reducing the risk of drawing attention.
- Distributed denial of service (DDoS): DDoS attacks combine Tor-commanded botnets with a sheaf of Tor exit nodes.
Why should you be concerned?
Corporate networks hosting Tor nodes open themselves to a host of issues:
- Running a Tor relay is a donation of bandwidth.
- The owner of an exit node can become legally liable for the content issuing from that node, even if the content belongs to someone else and is hosted somewhere else.
- The administrator could be an unwilling facilitator of an attack on other networks or within his or her own networks.
IBM X-Force recommends protecting against the hazards originating from Tor:
- Prohibit the use of unapproved encrypted proxy services
- Prohibit the use of personally subscribed proxy services
- Prohibit the downloading and installation of unapproved software
- Prohibit the use of personally owned removable devices such as USB, optical media and Secure Digital (SD) cards
- If the use of removable media is required, mandate the use of only company-approved devices
- Prohibit the booting of corporate computers to any other media than the hard drive
- Alter the BIOS of computers to boot only to the hard drive
- Disable autorun for removable devices
- Use publicly available lists of proxy nodes to block network traffic to and from those sites
- Implement a comprehensive desk audit program to ensure compliance
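The last-but-one recommendation (use published lists of Tor exit nodes to block traffic to and from them) and the earlier slide on attack traffic sourced from exit nodes both come down to the same defender-side check: match the addresses in your own logs against a current exit list. The example below is added here and is not IBM's code; the exit list, the key=value log format and all addresses (RFC 5737 documentation ranges) are constructed, and a real deployment would fetch the Tor Project's published exit list on a schedule because it churns daily.

```python
"""Match firewall/proxy log lines against a Tor exit-node list and render block rules.

Added example (not IBM's or the Tor Project's code). All inputs are constructed samples.
"""
import ipaddress
import re
from typing import Optional

# Constructed exit-node list in the one-address-per-line shape such lists use.
# Addresses are RFC 5737 / RFC 3849 documentation ranges, not real relays.
EXIT_LIST_TEXT = """\
# constructed sample, not a real Tor exit list
203.0.113.7
203.0.113.42
198.51.100.200
2001:db8::beef
not-an-address
"""

# Constructed log lines (key=value style firewall export; format is an assumption).
SAMPLE_LOGS = [
    "2015-11-03T09:58:12Z src=203.0.113.7 dst=10.0.0.5 dport=443 action=allow",
    "2015-11-03T09:58:13Z src=192.0.2.10 dst=10.0.0.5 dport=443 action=allow",
    "2015-11-03T09:59:40Z src=10.0.0.77 dst=198.51.100.200 dport=9001 action=allow",
    "2015-11-03T10:01:02Z src=2001:db8::beef dst=10.0.0.8 dport=80 action=allow",
    "garbage line without fields",
]

_FIELD = re.compile(r"\b(src|dst)=(\S+)")


def parse_exit_list(text: str) -> set:
    """Return the valid IPv4/IPv6 addresses from a list; comments and junk are skipped."""
    exits = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            exits.add(ipaddress.ip_address(line))
        except ValueError:
            continue  # tolerate a malformed entry rather than abort the whole load
    return exits


def classify_line(line: str, exits: set) -> Optional[dict]:
    """Flag a log line whose src or dst is a known exit; None if clean or unparseable."""
    fields = dict(_FIELD.findall(line))
    hits = {}
    for key in ("src", "dst"):
        value = fields.get(key)
        if value is None:
            continue
        try:
            addr = ipaddress.ip_address(value)
        except ValueError:
            continue
        if addr in exits:
            hits[key] = str(addr)
    if not hits:
        return None
    # inbound: attack traffic arriving from an exit; outbound: one of our hosts talking
    # to an exit (an unapproved proxy, or a relay we did not know we were hosting)
    direction = "inbound" if "src" in hits else "outbound"
    return {"line": line, "direction": direction, **hits}


def scan_logs(lines, exits: set) -> list:
    """Run classify_line over a log stream and keep only the flagged entries."""
    return [hit for hit in (classify_line(line, exits) for line in lines) if hit]


def firewall_rules(exits: set) -> list:
    """Render drop rules for both directions in iptables/ip6tables syntax."""
    rules = []
    for addr in sorted(exits, key=lambda a: (a.version, int(a))):
        tool = "iptables" if addr.version == 4 else "ip6tables"
        rules.append(f"{tool} -A INPUT -s {addr} -j DROP")
        rules.append(f"{tool} -A OUTPUT -d {addr} -j DROP")
    return rules


if __name__ == "__main__":
    exits = parse_exit_list(EXIT_LIST_TEXT)
    for hit in scan_logs(SAMPLE_LOGS, exits):
        print(hit["direction"], hit.get("src", "-"), "->", hit.get("dst", "-"))
    print("\n".join(firewall_rules(exits)))
```

Two caveats a practitioner should keep in mind: an exit list is reactive, so a relay that joined today will not be on yesterday's download (refresh it and re-run the scan, not just the firewall load), and the outbound hits are often the more interesting ones, since they reveal the unapproved proxy use and unknown relays that the rest of this slide's recommendations are about.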
Advanced Threat Protection: Comprehensive Visibility & Protection
[Diagram: network traffic and flows from Employee A, Employee B and Employee C, classified as good application, prohibited application, or botnet traffic.]
- Deep Packet Inspection fully classifies network traffic, regardless of address, port, protocol, application, application action or security event (400+ protocols and file formats analyzed).
- Complete Identity Awareness associates users and groups with their network activity, application usage and application actions (2,000+ applications and actions identified).
- Access Control Policies block pre-existing compromises and rogue applications as well as enforce corporate usage policies (20 billion+ URLs classified in 70 categories).
Security Intelligence and Analytics
Visibility into security posture and clarity around incident investigation.
[Diagram: data sources (security devices; servers and mainframes; network and virtual activity; data activity; application activity; configuration information; vulnerabilities and threats; users and identities; global threat intelligence) feed embedded intelligence (real-time analytics, automated offense identification, anomaly detection, incident evidence and forensics), which narrows suspected incidents down to true offenses. Attacker defeated!]
CEE Case Study: ABLV Bank, AS
Gains 360-degree visibility into the enterprise (Banking)
- 1 million:1 data reduction ratio for security events
- 99% decrease in investigation time
- Immediate detection and notification of anomalies
Solution components: Software: IBM QRadar Security Intelligence Platform. IBM Business Partner: Data Security Solutions (DSS LV).
The transformation: Working with DSS and replacing an out-of-date security monitoring solution with an advanced security platform from IBM, ABLV security staff gained superior threat detection and a much richer view of enterprise activities. The new solution integrates and analyzes data from disparate sources to help staff more quickly uncover and respond to threats.
"We now have a tool that gives us the visibility across our enterprise and helps us find the source of the problem quickly." - Aleksejs Kudrjasovs, Head of Information Security, ABLV Bank
CEE Case Study: ERGO Latvia
Gains actionable information in minutes to strengthen security and compliance (Insurance)
- 99% reduction in time to respond to security and IT incidents
- 99% reduction in compliance reporting time
- Uncovers threats and prioritizes risk for efficient and effective remediation
Solution components: Software: IBM QRadar Security Intelligence Platform. IBM Business Partner: Data Security Solutions (DSS LV).
The transformation: By replacing manual processes with an advanced security solution from IBM, ERGO Latvia IT staff can quickly uncover threats, prioritize response based on risk level, and take action before the business is affected. The new solution integrates and analyzes data from disparate data sources and provides a unified view of potential security events, operational anomalies and vulnerabilities.
"We can now find and address the source of a problem in minutes instead of tens of hours." - Mr. Dainis Bairs, Chief Information Security Officer and Head of IT, ERGO Latvia
Connect with IBM Security
Twitter: @ibmsecuritycee and @ibmxforce
IBM X-Force Threat Intelligence Quarterly and other research reports: http://www.ibm.com/security/xforce/
IBM X-Force Security Insights Blog: www.securityintelligence.com/topics/x-force
Find more on SecurityIntelligence.com
Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed, misappropriated or misused or can result in damage to or misuse of your systems, including for use in attacks on others. No IT system or product should be considered completely secure and no single product, service or security measure can be completely effective in preventing improper use or access. IBM systems, products and services are designed to be part of a lawful, comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective. IBM DOES NOT WARRANT THAT ANY SYSTEMS, PRODUCTS OR SERVICES ARE IMMUNE FROM, OR WILL MAKE YOUR ENTERPRISE IMMUNE FROM, THE MALICIOUS OR ILLEGAL CONDUCT OF ANY PARTY.
THANK YOU
www.ibm.com/security
Copyright IBM Corporation 2015. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind, express or implied. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, these materials. Nothing contained in these materials is intended to, nor shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software. References in these materials to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates. Product release dates and / or capabilities referenced in these materials may change at any time at IBM's sole discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any way. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service marks of others.