Open heart security reconstructing your protection strategy



In the wake of the disclosure of the Heartbleed OpenSSL vulnerability in April, your company's security strategy may have skipped a beat. Join us to learn more about the ramifications and recovery from Heartbleed as experts from IBM X-Force share findings from the latest IBM X-Force Threat Intelligence Quarterly 3Q report. Join the webinar to learn more about:

- The Immediate Aftermath of Heartbleed: Just one day after the disclosure, IBM Managed Security Services (MSS) witnessed attacks on customer networks spiking to 300,000 attacks in a 24-hour period. Find out why, despite a patch being issued, attacks are still ongoing.
- One-Day Attacks: For one-day attacks, the goal of the attacker is to take advantage of the exposure window of organizations between when the patches are announced and when the patches are actually deployed. Learn what steps you can take to prepare your network.
- Declining Vulnerability Disclosures: Vulnerability disclosures in the first half of 2014 are down compared to prior years. For those that were reported, like Heartbleed, the current CVSS v2 standard doesn't necessarily reflect the actual risk the vulnerability may pose. Learn how the industry is adapting to assess these risks more accurately.

View the full on-demand webcast:



Open Heart Security: Reconstructing Your Protection Strategy

Michael Hamelin, Lead X-Force Security Architect. 2014 IBM Corporation, IBM Security Systems

IBM X-Force is the foundation for advanced security and threat research across the IBM Security Framework. Advanced Security and Threat Research, which includes the X-Force team, is the foundation for many of the pillars in the security product portfolio.

As the team tasked with staying on top of the latest threats and vulnerabilities, the information it provides is a critical aspect of providing protection to the other parts of the framework.

IBM X-Force Research and Development covers: Vulnerability Protection, IP Reputation, Anti-Spam, Malware Analysis, Web Application Control, URL / Web Filtering, and Zero-day Research.

The IBM X-Force Mission:

- Monitor and evaluate the rapidly changing threat landscape
- Research new attack techniques and develop protection for tomorrow's security challenges
- Educate our customers and the general public
- Integrate and distribute Threat Protection and Intelligence to make IBM solutions smarter
- Expert analysis and data sharing on the global threat landscape

Coverage: 20,000+ devices under contract; 15B+ events managed per day; 133 monitored countries (MSS); 1,000+ security related patents; 100M+ customers protected from fraudulent transactions.

Depth: 23B analyzed web pages & images; 7M spam & phishing attacks daily; 81K documented vulnerabilities; 860K malicious IP addresses; millions of unique malware samples.

IBM X-Force monitors and analyzes the changing threat landscape. IBM X-Force has a long-standing history as one of the best-known commercial security research and development groups in the world. It can leverage security expertise across IBM to better understand what is happening in security, and it works closely with the IBM managed security services group, monitoring over 15B security events every day from nearly 4,000 security clients in over 133 countries. It has numerous intelligence sources: a global web crawler, probably the biggest in the world behind Google and Bing; spam traps around the world; a database of more than 73k security vulnerabilities monitored every day; and international spam collectors. All of this is done to stay ahead of continuing threats for our customers.

The web crawler is particularly interested in files, images, or pages that contain malicious links or content. The team in Kassel, Germany, who builds our web crawler also developed an anti-spam product. We have spam traps around the world and receive large amounts of spam so that we can analyze and understand the different types and preemptively block that spam. Our work covers 4 key areas: Research; Engines; Content Delivery; and Industry/Customer deliverables such as this X-Force report, blogs, articles, presentations and speaking engagements.


More than half a billion records of personally identifiable information (PII) were leaked in 2013.

In April 2014, the Heartbleed vulnerability in the OpenSSL software library was disclosed. The bug is in OpenSSL's implementation of the TLS/DTLS (transport layer security protocols) heartbeat extension (RFC 6520), which could allow for the exfiltration of passwords, PII, and SSL certificate private keys. Source: What to Do to Protect against Heartbleed OpenSSL Vulnerability.
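The RFC 6520 length rule behind the bug described above, as an added detection example (not code from the presentation or from IBM): it parses a TLS heartbeat record and flags a message whose declared payload_length is inconsistent with the bytes actually present, which is the check a vulnerable OpenSSL failed to enforce. The sample records are constructed.

```python
import struct

TLS_HEARTBEAT = 24            # TLS record content type for heartbeat (RFC 6520)
HB_REQUEST, HB_RESPONSE = 1, 2
MIN_PADDING = 16              # RFC 6520: padding is at least 16 bytes


def check_heartbeat_record(record: bytes) -> dict:
    """Parse one TLS record and report whether its heartbeat message is
    well-formed. 'malformed' marks exactly the case RFC 6520 says a receiver
    must silently discard, and which an unpatched OpenSSL answered instead."""
    if len(record) < 5:
        return {"verdict": "malformed", "reason": "record header truncated"}
    ctype, _major, _minor, rec_len = struct.unpack("!BBBH", record[:5])
    if ctype != TLS_HEARTBEAT:
        return {"verdict": "ignore", "reason": "not a heartbeat record"}
    body = record[5:5 + rec_len]
    if len(body) != rec_len:
        return {"verdict": "malformed", "reason": "record shorter than its length field"}
    if len(body) < 3:
        return {"verdict": "malformed", "reason": "heartbeat header truncated"}
    hb_type, payload_len = struct.unpack("!BH", body[:3])
    if hb_type not in (HB_REQUEST, HB_RESPONSE):
        return {"verdict": "malformed", "reason": "unknown heartbeat type"}
    # The message must hold type (1) + payload_length (2) + payload + >= 16
    # bytes of padding. A payload_length larger than what was sent is the
    # Heartbleed condition: the reply would be filled from process memory.
    if 3 + payload_len + MIN_PADDING > rec_len:
        return {"verdict": "malformed",
                "reason": f"payload_length {payload_len} exceeds record length {rec_len}"}
    return {"verdict": "ok", "reason": "consistent lengths", "payload_len": payload_len}


# Constructed sample records (TLS 1.1, content type 24, 23-byte body):
# header | type=1, payload_length | payload | 16 bytes of padding
BENIGN = b"\x18\x03\x02\x00\x17" + b"\x01\x00\x04" + b"ping" + b"\x00" * 16
# same bytes on the wire, but payload_length claims 0x4000 (16384) bytes
OVERSIZED = b"\x18\x03\x02\x00\x17" + b"\x01\x40\x00" + b"ping" + b"\x00" * 16
HANDSHAKE = b"\x16\x03\x01\x00\x05hello"   # content type 22: not a heartbeat


def scan(records):
    """Return the verdict for each record, as an IDS-style batch check would."""
    return [check_heartbeat_record(r)["verdict"] for r in records]
```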

Heartbleed attacks surged after the vulnerability disclosure. After Heartbleed was disclosed, IBM MSS witnessed over 300,000 attacks in 24 hrs, with an average of 3.47 attacks per second across the customer base. The April disclosure of the Heartbleed vulnerability in the OpenSSL library has been the security event this year, with attack traffic towards the MSS customer base peaking at more than 300,000 attacks in a single 24-hour period. That's an average of 3.47 attacks per second across hundreds of customers!

A vulnerability disclosure such as Heartbleed forces organizations to look deeper into their risk management and critical communication processes. The bug permitted unauthenticated memory leaks from servers and clients alike. While the initial impact of Heartbleed is waning, a second wave of new vulnerabilities found within open-source and reusable software merits further discussion. Servers worldwide continue to be affected by this critical vulnerability. Not only did the flaw focus the attention of researchers looking for new areas of vulnerabilities within open-source and reusable code, it also gave attackers another great opportunity to use one-day attack methods.

On 15 April 2014, MSS witnessed the largest spike in activity across the customer base with more than 300,000 attacks in a single 24-hour period. That's an average of 3.47 attacks per second across hundreds of customers.

MSS continues to average 7k attacks per day, mostly from malicious hosts.

As of August 2014, the current status of attacks is still significant. MSS sees an average of 7,000 attacks per day across a large attack surface. With most of these attacks coming from malicious hosts, MSS recommends first patching vulnerable systems and secondarily, blocking this traffic via Intrusion Prevention Systems (IPS).

Rather than a single IP address executing the attack repeatedly, many of the attacks used a distributed method. This enabled attackers to have a large, diversified attack surface and the flexibility to overcome rudimentary blocking strategies.

A wide range of IP addresses across multiple autonomous system numbers (ASNs) attacked the networks monitored by MSS. In fact, entire ranges of IP addresses attacked several servers at once. This enabled attackers to have a large, diversified attack surface and the flexibility to overcome rudimentary blocking strategies.

One-day attack methods demonstrate how quickly attackers rush to exploit a vulnerability like Heartbleed.
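An added example of the aggregation that shows why per-host blocking fails against the distributed pattern described above (not IBM's or MSS's code; the alert lines are constructed): it groups IDS alerts by source /24, flags prefixes where several distinct sources hit several targets, and reproduces the per-second rate arithmetic behind the 3.47 figure.

```python
import ipaddress
from collections import defaultdict

# Constructed sample IDS alerts (not MSS data): "time src_ip dst_ip signature"
ALERTS = """\
2014-04-15T10:00:00 203.0.113.5 198.51.100.10 heartbeat_oversized
2014-04-15T10:00:01 203.0.113.17 198.51.100.10 heartbeat_oversized
2014-04-15T10:00:02 203.0.113.44 198.51.100.11 heartbeat_oversized
2014-04-15T10:00:03 203.0.113.90 198.51.100.12 heartbeat_oversized
2014-04-15T10:00:04 192.0.2.7 198.51.100.10 heartbeat_oversized
2014-04-15T10:00:05 192.0.2.7 198.51.100.10 heartbeat_oversized
2014-04-15T10:00:06 192.0.2.7 198.51.100.11 heartbeat_oversized
2014-04-15T10:00:09 203.0.113.201 198.51.100.13 heartbeat_oversized
"""

def parse_alerts(text):
    """Split each line into (time, source, destination, signature)."""
    rows = []
    for line in text.splitlines():
        ts, src, dst, sig = line.split()
        rows.append((ts, ipaddress.ip_address(src), ipaddress.ip_address(dst), sig))
    return rows

def summarize_sources(rows, prefix_len=24, min_distinct=3):
    """Group sources by /prefix_len. Many distinct sources in one prefix hitting
    several targets is the distributed pattern: a single-host block will not
    stop it, so the recommendation escalates to the range or an IPS signature."""
    groups = defaultdict(lambda: {"sources": set(), "targets": set(), "alerts": 0})
    for _, src, dst, _ in rows:
        net = ipaddress.ip_network(f"{src}/{prefix_len}", strict=False)
        g = groups[net]
        g["sources"].add(src)
        g["targets"].add(dst)
        g["alerts"] += 1
    report = {}
    for net, g in groups.items():
        distributed = len(g["sources"]) >= min_distinct
        report[str(net)] = {
            "distinct_sources": len(g["sources"]),
            "distinct_targets": len(g["targets"]),
            "alerts": g["alerts"],
            "recommend": "block range or IPS signature" if distributed else "block single host",
        }
    return report

def attack_rate(count, window_seconds=86400):
    """Average attacks per second over a window; 300,000 per day gives 3.47/s."""
    return count / window_seconds
```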

One-day attacks are those that rush to exploit a new vulnerability immediately after it is publicly disclosed. Just one day after the disclosure, a proof-of-concept tool capable of exploiting the Heartbleed bug began circulating, exposing unpatched systems to skilled and unskilled attackers alike. More troubling is the fact that, also a day after the disclosure, attacks leveraging the vulnerability began to occur. For one-day attacks, the goal of the attacker is to take advantage of the exposure window of organizations between when the patches are announced and when the patches are actually deployed.

- Keep up with threat intelligence: a timely source of information on the latest threats is critical to keep organizations informed and allow them to respond as soon as possible.
- Maintain a current and accurate asset inventory: when a critical vulnerability is publicized, you don't have time to try and figure out where your vulnerable and exposed assets are. Attackers are engaged in the same pursuit, and effective defense should not be a race to discovery; as a defender, this is one area where you should have the upper hand.
- Have a patching solution that covers your entire infrastructure: apply patches as soon as vendors release them, and implement a rapid burn-in procedure, including back-out plans, to make sure patches don't break operational systems.
- Implement mitigating controls: firewalls, IPSs and endpoint protection can all help protect against new threats during the period between the vulnerability disclosure and when you're able to apply vendor patches.
- Instrument your environment with effective detection: gain visibility by monitoring your network so that you know when anomalous activity is detected.
- Create and practice a broad incident response plan: all activities related to vulnerability disclosures and active attacks must be guided by processes involving all levels of your organization, and by clear procedures for a variety of situations. Test the procedures often to make sure you're not working out the kinks when an actual emergency arises.

X-Force noted this trend was similar to a 2012 disclosure of a Java vulnerability.

Heartbleed isn't the first time one-day attacks have occurred, that is, attacks leveraging an already-patched vulnerability. In fact, X-Force analysts noted this trend after the disclosure of the 2012 Java vulnerability (CVE-2012-1723), as discussed in our IBM X-Force 2012 Trend and Risk Report.

Attackers are opportunistic; they will grab every opportunity to attack when a target is in a weak state. An organization's best defense against one-day attacks is to be ready: to have action plans prepared and mitigations in place when a critical vulnerability is reported. Mitigation techniques that can help:

- Apply workarounds: check whether the vendor provides guidance for a temporary workaround that can help prevent exploitation of the vulnerability.
- Block attacks: security products, such as intrusion detection or intrusion prevention systems and anti-virus software, can serve as a first line of defense against exploitation of vulnerabilities while patches are being tested and deployed.
- Shut down systems temporarily: although business leaders may object, another solution is to temporarily shut down or disconnect the affected system while a patch is being tested. This option may be the best way to help prevent the loss of customers' personal or financial information.