IBM Global Services
© Copyright IBM Corporation 2008
IBM Internet Security Systems™
Ahead of the threat®
Technology Innovation and Adoption:
Security Trends in a Changing World
IBM Internet Security Systems
© Copyright IBM Corporation 2009
IBM Internet Security Systems X-Force Preemptive Protection
Vulnerabilities are at a High Plateau
■ 13.5% increase from 2007, totaling 7,406 new vulnerabilities
• From 2001-2006 the average annual growth was 36.5%, from 2006-2008 growth tapered to 2%
• Vulnerability disclosures appear to be reaching a permanently high plateau
■ June 2008 was the highest month for disclosures (692)
• Busiest week statistics are below
• Tuesday remains the busiest day of the week for disclosures due to multiple vendor-released advisories
Vendors not Patching Vulnerabilities
■ 53% of all vulnerabilities disclosed in 2008 had no vendor-supplied patches to remedy the vulnerability
• 44% of vulnerabilities from 2007 and 46% from 2006 still have no patches
Web App Vulnerabilities Continue to Rise
■ 54.9% of all vulnerabilities are Web application vulnerabilities
■ SQL injection attacks increased by 30x within the last six months
■ 74% of Web application vulns disclosed in 2008 had no patch by year end
Attackers Remotely Gain Access & Data
■ 2008 marks the 3rd straight year in which the percentage of remotely exploitable vulnerabilities reached a record high
• Represented 90.2% of all vulns in 2008, up from 89.4% in 2007 and 88.4% in 2006
• Growing number of Web application vulnerabilities
■ “Gain access” remains the primary consequence of vulnerability exploitation
• “Data manipulation” percentages doubled
Hackers Target Unpatched PCs
■ PC vulnerabilities decreased overall for the first time in 2008, although some categories increased
• Document readers & editors increased 162%
• Multimedia applications were up by 127%
■ Web Browser vulnerabilities make up 52%
• Hackers rely on users not patching browsers
Exploits Hide in Documents like PDFs
■ In addition to browser and ActiveX, exploits hiding in documents (like PDFs) became much more significant in the last quarter of 2008
■ In 2008 China surpassed the US as being the largest source of malicious Web sites
Exploits are Easy When you Have the Tools
■ Pre-packaged exploit toolkits with easy-to-use management interfaces are available to attackers
■ It is not known how many toolkit installations are actually purchased versus leased or pirated
■ 89% of public exploits were released on the same day or before the official vulnerability disclosure in 2008
• Up from 79% in 2007
Virtualization Vulnerabilities by Year
XFDB Search: VMware, Xen, Virtual PC, QEMU, Parallels, etc.
CVE-1999-0733
“Buffer overflow in VMWare 1.0.1 for Linux via a long HOME environmental variable. Since VMWare is installed with binaries that are setuid root, local users can exploit the hole allowing for arbitrary code to be executed as root. The consequences are a local root compromise.”
CVE-2002-0814
“Buffer overflow in VMware Authorization Service for VMware GSX Server allows remote authenticated users to execute arbitrary code via a long GLOBAL argument. The code likely executes on the underlying, native system and may compromise the host entirely (including all virtual systems).”
CVE-2005-3618
“Cross-site request forgery (CSRF) vulnerability in the management interface for VMware ESX Server allows remote attackers to perform unauthorized actions as the administrator via URLs, as demonstrated using the setUsr operation to change a password.”
CVE-2007-0948
“Heap-based buffer overflow in Microsoft Virtual PC 2004 and PC for Mac 7.1 and 7, and Virtual Server 2005 and 2005 R2, allows local guest OS administrators to execute arbitrary code on the host OS via unspecified vectors related to interaction and initialization of components.”
CVE-2007-5906
“Xen 3.1.1 allows virtual guest system users to cause a denial of service (hypervisor crash) by using a debug register (DR7) to set certain breakpoints.”
CVE-2008-0923
“Directory traversal vulnerability in the Shared Folders feature for VMware ACE 1.0.2 and 2.0.2, Player 1.0.4 and 2.0.2, and Workstation 5.5.4 and 6.0.2 allows guest OS users to read and write arbitrary files on the host OS via a multibyte string that produces a wide character string containing .. (dot dot) sequences.”
Real Deep Packet Inspection:
Protocol Analysis Module
The X-Force Advantage
Why PAM?
■ Many DPI solutions must remove protection as time progresses in order to keep performance from degrading
■ New technologies and techniques aren’t possible with a non-extensible solution
■ Pattern matching is a very old technology and is reactive in nature
– There must always be a ‘patient zero’
■ Obfuscation is well practiced and easily done against pattern matching technologies
– This is especially simple when the signatures are open source and reviewable before the exploit is crafted
Protocol and Content Analysis as the Foundation
PAM is the engine behind the preemptive protection afforded by many of the solutions in the IBM Proventia product family.
Protocol/Content Analysis at ALL levels
[Diagram: the layered protocol/content stack PAM analyzes: IPv4, IPv6, TCP, HTTP, FTP, SMTP, Instant Messenger, Content (“Layer 8?”): HTML, Javascript, GIF, WMF, JPG, XML, Body]
■ Simulate the protocol/content stacks in the vulnerable systems
■ Normalize at each protocol and content layer
■ Ability to shim in new technologies and grow with not only evolving threats but additional market needs
Converging the Security Platform
A Holistic Security Architecture
IBM Virtual Patch Technology
■ At the end of 2008, 53% of all vulnerabilities disclosed during the year had no vendor-supplied patches available to remedy the vulnerability
■ Shielding a vulnerability from exploitation independent of a software patch
■ Enables a responsible patch management process that can be adhered to without fear of a breach
■ IBM is a MAPP (Microsoft Active Protections Program) partner
Ahead Of The Threat In 2008
Columns: Vulnerability | Discovered by | Vendor Disclosure | ISS Protection Shipped | Block by default? | CVSS Base Score | Days Ahead of Threat

Adobe Flash Player Invalid Pointer Vulnerability (CVE-2007-0071) | X-Force | April 8, 2008, APSB08-11 | Nov 13, 2007, Multimedia_File_Overflow | Yes, via rewrite | 9.3 / 6.9 | 150 days
Multiple (3) Microsoft Windows TCP/IP Remote Code Execution and DoS Vulnerabilities (CVE-2007-0066, CVE-2007-0069) | X-Force | Jan 8, 2008, MS08-001 – Critical | Jan 8, 2007, SSM_List_BO; Aug 16, 2007, ICMP_Router_Advertisement_DOS | Yes, drop packet (both signatures) | 10 / 8.7; 6.4 / 5.3 | 1 year
Microsoft Windows Server Service RPC Code Execution (CVE-2008-4250) | In the wild* | Oct 23, 2008*, MS08-067 – Critical | Aug 8, 2006, MSRPC_Srvcs_Bo; Oct 27, 2008, MSRPC_Srvsvc_Path_Bo | Block connection; Yes, block connection | 10 / 7.4 | 22 months
Multiple Vendors Vulnerable to DNS Cache Poisoning (CVE-2008-1447) | Dan Kaminski | July, 2008 (Several) | Nov 13, 2007 – July 17, 2008, DNS_Cache_Poison; Aug 12, 2008, DNS_Cache_Poison_Subdomain_Attack | Yes, drop packet | | 240 days – present
[vulnerability label not recovered] | | 2006 | May 29, 2003, HTTP_GET_SQL_UnionSelect | Yes, drop packet | | ~ 5 yrs
Threat Detection and Prevention
The ability to detect and prevent entire classes of threats as opposed to a specific exploit or vulnerability:
■ Provides a scalable solution instead of requiring constant signature updates
• Obfuscation detection
• Malmedia (Malicious Multimedia)
■ New technologies adding value to our customers’ security investment
• Shell Code Heuristics (SCH)
• Injection Logic Engine (ILE)
■ Researching and safeguarding immature areas of infrastructure
• VoIP
• SCADA
The SCH Advantage
■ X-Force developed Shellcode Heuristics (SCH) to address the attack payload regardless of the vulnerability
■ It is proprietary to IBM X-Force
■ Available in all PAM-based products
■ Has an unbeatable track record of protecting against zero day vulnerabilities:
• More than 80% Microsoft Office 0day payload detection rate
• Discovered multiple Internet Explorer vulnerabilities in-the-wild as 0days (in conjunction with MSS)
– VML (MS06-055)
– XML (MS06-071)
■ Discovered and protected against numerous payloads in-the-wild relating to other web browser attacks since March 2006
■ Incredibly low false positive rate – only 2 known false positives in 22 million mixed-media files in malware zoo
IBM Proventia Content Analyzer
Addressing Industry Challenges through Data Awareness:
■ Monitors and identifies unencrypted personally identifiable information (PII) and other confidential information
■ Provides capability to explore data flow through the network to help determine if any potential risks exist
■ Flexible and scalable customized data search criteria
■ Complement to data security strategy
■ Create compound data-set search string inspection (e.g., name AND social_security_number AND User defined)
IBM Proventia Content Analyzer: Security Effectiveness | Data Awareness
*Provides for inline inspection of attached files.
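The compound search criteria the Content Analyzer slides describe (name AND social_security_number AND a user-defined term) can be illustrated with a small rule engine run over cleartext payloads. The code below is an added example written for this page; it is not IBM Proventia Content Analyzer logic. The detectors are constructed simplifications: the name detector only recognizes labelled values such as “patient: Jane Doe”, the SSN detector applies the structural rules for never-issued numbers (area 000, 666 or 900–999, group 00, serial 0000), and the rule names, the user-defined terms and the sample payloads are all assumed.

```python
"""Compound PII search over cleartext payloads, as an added example of the
data-awareness rules the Content Analyzer slide describes.  Detectors,
rule names and sample payloads are constructed for illustration and are
not IBM Proventia Content Analyzer logic."""
import re

# A U.S. SSN-shaped token: ddd-dd-dddd.  Shape alone produces noise
# (order numbers, part numbers), so valid_ssn() rejects never-issued values.
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")

# Name detector: a labelled "First Last" value (constructed simplification;
# a real analyzer uses dictionaries and context rather than one regex).
NAME_RE = re.compile(r"\b(?i:name|patient|customer)\s*[:=]\s*([A-Z][a-z]+ [A-Z][a-z]+)\b")

# Compound rules: every listed detector must fire in the same payload.
# "term:<word>" refers to a user-defined term (the slide's "User defined").
RULES = {
    "ssn_only": ["ssn"],
    "name_and_ssn": ["name", "ssn"],
    "patient_record": ["name", "ssn", "term:patient"],
}
USER_TERMS = ("patient", "diagnosis")  # assumed user-defined terms


def valid_ssn(area: str, group: str, serial: str) -> bool:
    """Structural check: area 000, 666 and 900-999, group 00 and serial
    0000 are never issued, so such matches are discarded as noise."""
    a, g, s = int(area), int(group), int(serial)
    return a not in (0, 666) and a < 900 and g != 0 and s != 0


def find_ssns(text: str) -> list:
    return [m.group(0) for m in SSN_RE.finditer(text) if valid_ssn(*m.groups())]


def find_names(text: str) -> list:
    return [m.group(1) for m in NAME_RE.finditer(text)]


def find_terms(text: str, terms=USER_TERMS) -> list:
    return [t for t in terms if re.search(r"\b" + re.escape(t) + r"\b", text, re.I)]


def inspect(payload: str, rules=RULES) -> dict:
    """Run every detector once, then evaluate each compound rule."""
    found = {"name": find_names(payload), "ssn": find_ssns(payload), "term": find_terms(payload)}
    hits = []
    for rule, required in rules.items():
        satisfied = True
        for req in required:
            if req.startswith("term:"):
                satisfied &= req[len("term:"):] in found["term"]
            else:
                satisfied &= bool(found[req])
        if satisfied:
            hits.append(rule)
    return {"found": found, "rules": hits}


# Constructed sample payloads (not captured traffic).
SAMPLE_PAYLOADS = {
    "intake_form": "POST /intake HTTP/1.1\r\n\r\npatient: Jane Doe\nssn: 123-45-6789\ndiagnosis: pending",
    "bad_area": "customer=John Smith&ssn=000-12-3456",
    "order_number": "order 987-65-4321 shipped to Acme Corp",
    "invoice": "Name: Mary Jones; SSN 321-54-9876; invoice attached",
}

if __name__ == "__main__":
    for label, payload in SAMPLE_PAYLOADS.items():
        result = inspect(payload)
        print(f"{label:13s} rules={result['rules']} found={result['found']}")
```

Only the intake form satisfies the three-way rule; the invoice has a name and an SSN but no user-defined term, and the two payloads with 000- and 987- area numbers are dropped by the structural check even though they match the ddd-dd-dddd shape. The detectors only ever see cleartext, which is why the slide limits the claim to unencrypted PII.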
Web Application Security
Protect web applications against sophisticated application-level attacks such as:
■ SQL (Structured Query Language) Injection
■ XSS (Cross-site scripting)
■ PHP (Hypertext Preprocessor) file-includes
■ CSRF (Cross-site request forgery)
■ Expands security capabilities to meet both compliance requirements and threat evolution
Web Threats Will Become Increasingly Complex…
Web Protection Doesn’t Have To
The ILE (Injection Logic Engine) Advantage
■ Injection attacks are typically made up of unique patterns that are not commonly seen in valid web application requests
– By totaling and scoring these specific keywords and symbols, we can accurately detect and block SQL injection attacks
■ Tracks an extremely comprehensive list of SQL keywords, operators, and symbols and correlates them based on valid SQL syntax
– Parameter values will be evaluated and scored based on particular keywords and symbols that they may contain
– Parameter values that exceed the configurable scoring threshold should be considered SQL injection and the request blocked
– Flagging of particular combinations of classes of keywords can determine what type of SQL injection is occurring:
• query injection
• stored procedure execution
• login bypass
• blind SQL injection
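The scoring approach this slide describes, together with the per-layer normalization from the “Protocol/Content Analysis at ALL levels” slide and the obfuscation point from “Why PAM?”, can be illustrated with a small keyword-scoring detector. The code below is an added example written for this page; it is not IBM’s ILE or PAM code. The keyword classes, symbol weights, syntax-correlation bonuses and the threshold of 8 are assumed illustrative values, and the sample parameter values are constructed.

```python
"""Keyword-scoring SQL injection detector, as an added example of the
scoring approach the ILE slide describes.  Weights, class names, the
threshold and the sample values are assumptions made for illustration,
not IBM's ILE or PAM logic."""
import re
from urllib.parse import unquote_plus

# Keyword classes (assumed lists; a real engine tracks a far longer one).
QUERY_KEYWORDS = {"select", "union", "from", "where", "insert", "update", "delete", "into", "drop"}
PROCEDURE_KEYWORDS = {"exec", "execute", "xp_cmdshell", "sp_executesql", "declare"}
BLIND_KEYWORDS = {"sleep", "waitfor", "benchmark", "pg_sleep", "delay"}
KEYWORD_WEIGHTS = {"query": 2, "procedure": 4, "blind": 4}

# Symbols scored per occurrence on the decoded value (assumed weights).
SYMBOL_WEIGHTS = {"'": 2, '"': 1, ";": 2, "--": 3, "#": 1, "/*": 2, "=": 1}

# "or 1=1" / "or 'a'='a" shaped comparisons mark login-bypass attempts.
TAUTOLOGY = re.compile(r"\b(?:or|and)\b\s*['\"]?\w+['\"]?\s*=\s*['\"]?\w+['\"]?")

THRESHOLD = 8.0  # assumed; the slide calls this configurable


def decode(value: str) -> str:
    """Undo (possibly repeated) percent-encoding so %27 is scored as a quote."""
    text = value
    for _ in range(3):
        decoded = unquote_plus(text)
        if decoded == text:
            break
        text = decoded
    return text


def normalize(decoded: str) -> str:
    """Replace inline comments with a space and collapse whitespace, so
    UNION/**/SELECT tokenizes the way the database would parse it."""
    text = re.sub(r"/\*.*?\*/", " ", decoded, flags=re.S)
    return re.sub(r"\s+", " ", text).strip().lower()


def score_parameter(value: str) -> dict:
    """Score one parameter value; returns score, keyword classes hit and verdict."""
    decoded = decode(value)
    normalized = normalize(decoded)
    tokens = re.findall(r"[a-z_]+", normalized)
    score = 0.0
    classes = set()

    # Symbols are counted before comment stripping, so /* itself scores.
    for symbol, weight in SYMBOL_WEIGHTS.items():
        score += weight * decoded.count(symbol)

    for cls, keywords in (("query", QUERY_KEYWORDS),
                          ("procedure", PROCEDURE_KEYWORDS),
                          ("blind", BLIND_KEYWORDS)):
        hits = [t for t in tokens if t in keywords]
        if hits:
            score += KEYWORD_WEIGHTS[cls] * len(hits)
            classes.add(cls)

    # Correlate keywords in the order valid SQL syntax uses them: pairs
    # score more than the same words scattered through ordinary text.
    if re.search(r"\bunion\b(?:\s+all)?\s+select\b", normalized):
        score += 3
    if re.search(r"\bselect\b.+\bfrom\b", normalized):
        score += 2
    if TAUTOLOGY.search(normalized):
        score += 5
        classes.add("login_bypass")

    return {"score": score, "classes": sorted(classes), "blocked": score >= THRESHOLD}


def naive_pattern_match(value: str) -> bool:
    """A literal pattern, for contrast: it misses the encoded/commented variant."""
    return "union select" in value.lower()


# Constructed sample parameter values: two benign, the rest injection attempts.
SAMPLE_VALUES = [
    "O'Brien",
    "select your plan from the list",
    "' OR 1=1 --",
    "1 UNION SELECT username, password FROM users",
    "1; EXEC xp_cmdshell 'dir'",
    "1' AND SLEEP(5)--",
    "1%27%20UNION/**/SELECT%20password%20FROM%20users--",
]

if __name__ == "__main__":
    for value in SAMPLE_VALUES:
        r = score_parameter(value)
        verdict = "BLOCK" if r["blocked"] else "allow"
        print(f"{verdict:5s} score={r['score']:5.1f} classes={r['classes']} "
              f"naive={naive_pattern_match(value)} {value!r}")
```

The two benign values stay under the threshold even though the second one contains SELECT and FROM, while each injection attempt is blocked and tagged with the class of keywords that drove its score. The last value shows the point the “Why PAM?” slide makes about pattern matching: with %27 in place of the quote and /**/ in place of the space, a literal “union select” pattern misses it, but once the value is decoded and normalized the same keywords and symbols are counted and it scores higher than the plain version.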
Network Policy Enforcement
Manage security policy and risks within defined segments of the network:
■ ActiveX fingerprinting
■ Peer To Peer
■ Instant Messaging
■ Tunneling
■ Enforces network application and service access based on corporate policy and governance
Wrap Up
Converging threats force a change in our security mindset – and technology
■ Thus protection technology effectiveness is reliant on truly researching new approaches and must be a focus!!
For More IBM X-Force Security Leadership
X-Force Trends Report: The IBM X-Force Trend Statistics Report provides statistical information about all aspects of threats that affect Internet security. Find out more at http://www-935.ibm.com/services/us/iss/xforce/trendreports/
X-Force Security Alerts and Advisories: Only IBM X-Force can deliver preemptive security due to our unwavering commitment to research and development and 24/7 global attack monitoring. Find out more at http://xforce.iss.net/
X-Force Blogs and Feeds: For a real-time update of Alerts, Advisories, and other security issues, subscribe to the X-Force RSS feeds. You can subscribe to the X-Force alerts and advisories feed at http://iss.net/rss.php or the Frequency X Blog at http://blogs.iss.net/rss.php
X-Force Threat Analysis Service: Stay up-to-date on the latest threats customized for your environment: http://www-935.ibm.com/services/us/index.wss/offering/iss/a1026943
X-Force Podcasts and Webcasts: Join IBM X-Force and Burton Group for a discussion on how new computing technologies are driving increased risk in a web-centric world. Find out more at http://www.kingfishmedia.net/emails/IBM/10.8_Xforce.html