What is your protection strategy against targeted attacks, advanced persistent threats (APTs), advanced malware, unknown malware, zero-day threats and the like? The sophistication, complexity and frequency of this cyber activity can be overwhelming and are highlighted when they receive significant press recently with revelations regarding state-sponsored teams of hackers or long lists of data breaches exposing huge amounts of sensitive data. In fact, 61% of organizations say data theft and cyber crime are the greatest threats to their reputation; and the costs of those breaches continue to rise. According to the Ponemon Institute’s 2014 U.S. Cost of Data Breach study, the organizational cost of data breaches has increased from $5.4 million to $5.9 million.

A Fragmented Approach to Advanced Threat Protection Is Unsustainable

The reality is that securing an enterprise today is much tougher than it was ten or even five years ago. We have an ever-increasing attack surface, extremely motivated and well-trained and well-funded criminals targeting organizations with custom tools and a slew of new technologies that make securing the modern enterprise exponentially more difficult. This has made traditional approaches, such as defending the perimeter, only one of many techniques needed to address today’s complex security landscape. This is also the reason that any point vendor claim to block advanced persistent threats or stop targeted attacks is not accurate as multi-faceted attacks cannot be prevented by a single control point–these types of attacks require a coordinated strategy. And I do hear in meetings with clients that more of them are recognizing they must evolve their approach, but they struggle with the question of how.

To put it into perspective, the worldwide IT security products market is forecast to reach $42 billion by 2017 (IDC); yet we seem to be making little progress in significantly staying ahead of the next new threat despite increased spending, resources and focus by many organizations on security. Even organizations that have the budget, resources and expertise necessary are struggling to manage, update and understand the growing list of point solutions they have invested in.

A typical reaction to security concerns has been organizations responding by deploying a new tool to address each new risk. I spoke to a government client recently that had 145 products to manage their security environment. That alone is a security problem, not to mention the level of complexity to manage since they now have to install, configure, manage, patch, upgrade and pay for dozens of poorly integrated solutions with limited views of the landscape.

Clearly the process of continually adding new point solutions is not sustainable, and in many cases, its effect is the opposite of its intention: It makes clients less secure and creates the ever-increasing problem of “security sprawl.” Costly and complex, these fragmented security capabilities do not provide the visibility and coordination necessary to stop sophisticated attacks. It is time to realize that security approaches that rely on poorly integrated subcomponents are failing to protect against these new classes of advanced attacks.

Three Essential Components of an Effective Advanced Threat Protection Strategy

Just as it is not enough to continue to rely on point solutions to help solve this issue, simply focusing on a single point in the attack chain — such as the initial break-in or detecting a successfully penetrated network — is insufficient. It’s time to take a step back, understand the totality of these attacks and initiate action. This means:

  • Stopping or preventing the attack in the first place;
  • Disrupting and countering the subsequent attack activity;
  • Breaking the attack chain or life cycle.

And it is critical to be able to act quickly in the event that a serious incident or breach is detected.

In order to have the highest levels of protection from advanced threats, your organization must be able to do these three essential things very effectively:

  1. Prevent even the most sophisticated attacks. Although many in the industry have redirected focus on detection, prevention remains crucial to effective enterprise security. Today’s behavioral detection capabilities have come a long way from static signatures and are capable of identifying and then help prevent many previously unknown attacks, even those attempting to exploit zero-day vulnerabilities. In the same way we haven’t abandoned a sound patch management strategy because of the number of vulnerabilities, we cannot abandon the goal of prevention because of the sophistication or frequency of attacks.
  2. Detect stealthy threats across the entire infrastructure. Beyond prevention, there is a clear need to be able to detect attacks that were not preventable and stop them from causing further harm. This means disrupting the attack chain and preventing any further compromises such as lateral movement, data exfiltration and the like.
  3. Respond continuously to security incidents. Finally, we must be able to quickly respond to the attack in the event that we were not effective at preventing it in order to understand the extent of the incident and how to rectify and avoid similar issues in the future. This includes a well-defined emergency response plan and a means of conducting forensics either internally or by using outside help.

Introducing the IBM Threat Protection System

This brings me to some exciting news: We are now announcing an initiative that has been in the works for several years here at IBM.

It started with the formation of the IBM Security Systems division, which unified IBM’s extensive security offerings under a single umbrella. We then went to work identifying key integration points with the intention of building on the power of the IBM Security QRadar Security Intelligence Platform, an offering that integrates disparate technologies and their respective data sets to distill the “noise” down to a focused number of actionable offenses. Last year, we also introduced a new intrusion prevention platform with IBM Security Network Protection (XGS). These appliances detect and block a wide range of attacks, are able to disrupt targeted attacks such as spear phishing and have a unique ability to send network flow data into QRadar, providing yet another data feed. Subsequently, we acquired Trusteer, which does an excellent job of preventing malware installation on the endpoint and breaking communication from the malware back to command and control centers.

Combined with integrating the Trusteer security research team into our own X-Force Research and Development team, we went to work creating an advanced threat protection system that would bring these solutions together to bridge the gap presented by today’s siloed point solutions and give you a fighting chance of countering advanced and targeted attacks on your enterprise.We are pleased to announce the IBM Threat Protection System, a culmination of all of this effort that provides you with the unique ability to prevent, detect and respond to advanced threats in a continuous and timely fashion. As part of the announcement, IBM has also announced five new product releases as well as an extended partner ecosystem to ensure IBM’s Threat Protection System is an open platform that easily integrates with security solutions from other leading vendors such as FireEye, Trend Micro and Damballa to name a few.

IBM Threat Protection System – A dynamic, integrated system to disrupt the lifecycle of advanced attacks and prevent loss

As threats continue to evolve and become more sophisticated, IBM is committed to helping our clients stay one step ahead. The IBM Threat Protection System is only the start as IBM security researchers, developers and security analysts focus on the next innovation to help keep our clients safe now and into the future.

More from Advanced Threats

Black Hat 2022 Sneak Peek: How to Build a Threat Hunting Program

4 min read - You may recall my previous blog post about how our X-Force veteran threat hunter Neil Wyler (a.k.a “Grifter”) discovered nation-state attackers exfiltrating unencrypted, personally identifiable information (PII) from a company’s network, unbeknownst to the security team. The post highlighted why threat hunting should be a baseline activity in any environment. Before you can embark on a threat hunting exercise, however, it’s important to understand how to build, implement and mature a repeatable, internal threat hunting program. What are the components…

Top-Ranking Banking Trojan Ramnit Out to Steal Payment Card Data

4 min read - Shopping online is an increasingly popular endeavor, and it has accelerated since the COVID-19 pandemic. Online sales during the 2021 holiday season rose nearly 9% to a record $204.5 billion. Mastercard says that shopping jumped 8.5% this year compared to 2020 and 61.4% compared to pre-pandemic levels. Cyber criminals are not missing this trend. The Ramnit Trojan, in particular, is out for a shopping spree that’s designed to take over people’s online accounts and steal their payment card data. IBM…

Detections That Can Help You Identify Ransomware

12 min read - One of the benefits of being part of a global research-driven incident response firm like X-Force Incidence Response (IR) is that the team has the ability to take a step back and analyze incidents, identifying trends and commonalities that span geographies, industries and affiliations. Leveraging that access and knowledge against the ransomware threat has revealed tools, techniques and procedures that can often be detected through the default Windows event logs (WELs). In particular, the X-Force IR team has identified several…

Trickbot rising — Gang doubles down on infection efforts to amass network footholds

11 min read - IBM X-Force has been tracking the activity of ITG23, a prominent cybercrime gang also known as the TrickBot Gang and Wizard Spider. Researchers are seeing an aggressive expansion of the gang’s malware distribution channels, infecting enterprise users with Trickbot and BazarLoader. This move is leading to more ransomware attacks — particularly ones using the Conti ransomware. As of mid-2021, X-Force observed ITG23 partner with two additional malware distribution affiliates — Hive0106 (aka TA551) and Hive0107. These and other cybercrime vendors…