© 2014 IBM Corporation
IBM Security Systems
1 © 2012 IBM Corporation
IBM Security Systems
1© 2014 IBM Corporation
IBM X-Force Heartbleed3Q 2014
Thomas DahlbeckSenior Security Consultant
© 2014 IBM Corporation
IBM Security Systems
2
Agenda
§ IBM X-Force
§ An era of continuous breatches
§ Heartbleed attack activity
§ Attackers rush to exploit
§ Heartbleed and CVSS
§ Mittigations
§ A proactive approch
© 2014 IBM Corporation
IBM Security Systems
3
IBM X-Force® Research and Development
VulnerabilityProtection
IPReputation
Anti-Spam
MalwareAnalysis
WebApplication
Control
URL / WebFiltering
The IBM X-Force Mission§ Monitor and evaluate the rapidly changing threat landscape
§ Research new attack techniques and develop protection for tomorrow’s security challenges
§ Educate our customers and the general public
§ Integrate and distribute Threat Protection and Intelligence to make IBM solutions smarter
Expert analysis and data sharing on the global threat landscape
Zero-dayResearch
© 2014 IBM Corporation
IBM Security Systems
4
Coverage
20,000+ devices under contract
3,700+ managed clients worldwide
15B+ events managed per day
133 monitored countries (MSS)
1,000+ security related patents
100M+ customers protected from
fraudulent transactions
Depth
22B analyzed web pages & images
7M spam & phishing attacks daily
73K documented vulnerabilities
860K malicious IP addresses
1000+ malware samples collected daily
Millions of unique malware samples
IBM X-Force:Monitors and Analyzes the changing threat landscape
© 2014 IBM Corporation
IBM Security Systems
5
We are in an era of continuous breaches.
Source: IBM X-Force Threat Intelligence Quarterly – 1Q 2014
Operational Sophistication
IBM X-Force declared Year of the
Security Breach
Near Daily Leaks of Sensitive Data
40% increase in reported data
breaches and incidents
Relentless Use of Multiple Methods
500,000,000+ records were leaked, while the future
shows no sign of change
2011 2012 2013
SQL injection
Spear phishing
DDoS Third-party software
Physical access
Malware XSS Watering hole
Undisclosed
Attack types
Note: Size of circle estimates relative impact of incident in terms of cost to business.
© 2014 IBM Corporation
IBM Security Systems
6
After Heartbleed was disclosed, MSS witnessed over 300,000 attacks in 24 hrs, and average of 3.47 attacks per second for more than hundreds of customers!
© 2014 IBM Corporation
IBM Security Systems
7
And it continues to average 7.000 attacks per day – mostly from malicious hosts.
© 2014 IBM Corporation
IBM Security Systems
8
One-day attack methods demonstrate how quickly attackers rush to exploit a vulnerability such as Heartbleed.
© 2014 IBM Corporation
IBM Security Systems
9
X-Force noted this trend was similar to a 2012 disclosure of the Java vulnerability.
© 2014 IBM Corporation
IBM Security Systems
10
Plug-ins are responsible for 90% of total CMS vulnerabilities disclosed.
© 2014 IBM Corporation
IBM Security Systems
11
Disclosures decline in 2014 – could be first reduction since 2011.
Decreasing number of vendors consistently reporting vulnerabilities might be contributing to the recent decline in total overall vulnerabilities disclosed.
© 2014 IBM Corporation
IBM Security Systems
12
Does current CVSS scoring represent actual risk to networks and systems?
Heartbleed existed for two years and received a CVSS medium base score of 5.0.
© 2014 IBM Corporation
IBM Security Systems
13
What can you do to mitigate these threats?
- Apply workaroundsCheck if the vendor providesguidance for temporary workaroundor disabling modules.
- Block attacksIntrusion detection or intrusionprevention systems and anti-virussoftware can serve as first line of defense.
- Shut down systems temporarilyThis option may be the best way to help prevent the loss of customers’ personal or financial information.
© 2014 IBM Corporation
IBM Security Systems
14
A proactive approach
Threat Intelligence ahead of Attackersidentify critical assets, analyze behavior, spot anomalies
Defragment your Mobile postureconstantly apply updates and review policies
Social Defense needs Socializationeducate users and engender suspicion
And Don’t forget the basicsscanning, patching, configurations, passwords
© 2014 IBM Corporation
IBM Security Systems
15
IBM X-Force Research & Development
IBM X-Force Security Insights blog at www.SecurityIntelligence.com/topics/x-force
Download IBM X-Force Threat Intelligence Quarterly Reports
http://www.ibm.com/security/xforce/Follow us at @ibmsecurity
and @ibmxforce
© 2014 IBM Corporation
IBM Security Systems
16
www.ibm.com/security
© Copyright IBM Corporation 2013. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind, express or implied. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, these materials. Nothing contained in these materials is intended to, nor shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software. References in these materials to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates. Product release dates and/or capabilities referenced in these materials may change at any time at IBM’s sole discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any way. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service marks of others.
Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed or misappropriated or can result in damage to or misuse of your systems, including to attack others. No IT system or product should be considered completely secure and no single product or security measure can be completely effective in preventing improper access. IBM systems and products are designed to be part of a comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective. IBM DOES NOT WARRANT THAT SYSTEMS AND PRODUCTS ARE IMMUNE FROM THE MALICIOUS OR ILLEGAL CONDUCT OF ANY PARTY.
www.ibm.com/security
© Copyright IBM Corporation 2014. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind, express or implied. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, these materials. Nothing contained in these materials is intended to, nor shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software. References in these materials to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates. Product release dates and/or capabilities referenced in these materials may change at any time at IBM’s sole discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any way. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service marks of others.
Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed or misappropriated or can result in damage to or misuse of your systems, including to attack others. No IT system or product should be considered completely secure and no single product or security measure can be completely effective in preventing improper access. IBM systems and products are designed to be part of a comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective. IBM DOES NOT WARRANT THAT SYSTEMS AND PRODUCTS ARE IMMUNE FROM THE MALICIOUS OR ILLEGAL CONDUCT OF ANY PARTY.