Advanced Threat Protection: End-to-End, Coordinated Defenses Against Advanced Threats

As you’re reading this article and touching your mouse or mobile phone, a complex network of specialized cells inside your body is hard at work protecting you from infection-causing organisms such as bacteria and viruses. In simple terms, I’m describing your immune system, a remarkable collection of layered defenses. Skin provides a physical barrier to block and expel foreign organisms; a second line of protection detects and eliminates invaders with a cellular counterattack; and if that is unsuccessful, a third layer of tailored responses, or antibodies, quickly eliminates the threat based on intelligence from earlier infections. In order for this system to work successfully — protecting you from sickness or disease — immune cells must not only communicate, but also cooperate effectively. Individual defenses are no match for advanced diseases, but taken as a whole, you have an amazing protection system enabling your body to operate as intended.

Why the lesson in biology? With the introduction of the IBM Threat Protection System, we are going after the same level of end-to-end, coordinated defenses — in this case, with technology to limit the success of cyber attacks. The IBM Threat Protection System is the result of a laser-focused effort two years in the making, bringing together innovative security capabilities to prevent, detect and respond to advanced threats in a continuous and coordinated fashion. It’s designed to help disrupt the entire life cycle of an attack — from the initial break-in to the final exfiltration of sensitive data — with preemptive defenses, powerful analytics and open integrations. This is the level of protection required to stop today’s extremely motivated and well-trained attackers.

Up to now, many organizations have responded to security concerns by deploying separate new tools to address each new risk, and the heightened awareness caused by high-profile security breaches has only intensified this trend. I spoke to a government client recently that has 85 different security products across their environment. That alone is a security problem, not to mention the level of complexity as they try to make sense of dozens of disconnected solutions with limited views of the threat landscape. Adding more and more point solutions is unsustainable and, in many cases, has the opposite effect of what was intended. We call this “security sprawl,” and the IBM approach is designed to help drive this complexity down over time.

At the same time, organizations must also evolve their defenses to deal with new breeds of attack. To help our customers build an effective advanced threat protection strategy, the IBM Threat Protection System delivers unique capabilities in three integrated layers of defense:

  • Prevent even the most sophisticated attacks. Real-time prevention is essential to stop advanced attacks from penetrating the organization. This is no easy task, but with behavioral-based defenses working together, the IBM system can block the initial phases of an attack at the endpoint and network. An innovative product called Trusteer Apex disrupts exploits leading to advanced malware on users’ computers, while IBM Security Network Protection (XGS) prevents attacks from reaching vulnerable hosts; they also work in tandem to block attackers from establishing external control channels. With new integrations linking these components to other IBM and third-party security technologies, we’re helping customers achieve coordinated defense today.
  • Detect advanced threats across the entire infrastructure. Even the strongest immune system cannot prevent 100 percent of invaders from getting inside, making it essential to quickly detect active threats before they cause damage. We solve this problem with data. Working as the central nervous system of our approach, the IBM QRadar Security Intelligence Platform includes new processing horsepower to combine massive amounts of data from network traffic, user behavior, security events and numerous other sources to automatically identify unknown or previously undetected threats. Real-time analytics find stealthy attackers lurking within the enterprise, while pre-attack analytics predict and prioritize security weaknesses before someone else does. This is the meaning of security intelligence.
  • Respond continuously to security incidents. Finally, in the event of a successful security breach, it’s important to quickly minimize its impact, understand exactly how the intrusion occurred and learn from findings to prevent another incident. This is exactly why we recently announced IBM Security QRadar Incident Forensics, a brand new offering enabling security teams to quickly retrace breaches step-by-step, often in hours instead of days. This new solution, coupled with the expertise of our IBM Emergency Response Services, helps organizations mount a strong and adaptive response to future occurrences of attack.

Open Integration Is Key: Real-Time Threat Intelligence Sharing to Block Advanced Attacks

To help our customers combine the power of numerous new and existing security investments, we have also expanded our highly successful “Ready for IBM Security Intelligence Partner Program” with new open integrations for real-time intelligence sharing with the IBM Security Network Protection (XGS) product. We are initially working with partners including Trend Micro, FireEye, and Damballa to share real-time threat indicators for immediate quarantine and blocking of advanced attacks. This further complements the hundreds of existing integrations we’ve built across the security community — including solutions from the partners mentioned above — with QRadar and other IBM Security products.

Finally, the IBM Threat Protection System is built on an extensive global threat intelligence network driven by our X-Force team and recently enhanced with incredible Trusteer intelligence on advanced malware and cyber crime campaigns. This means QRadar and XGS customers can now take advantage of Trusteer insights on malware, leveraging an installed base of more than 100 million endpoints.

Like any evolving system, the IBM Threat Protection System comprises new and existing capabilities; in fact, customers are taking advantage of its components today. With this announcement, we are introducing a new, coordinated approach optimized specifically to address advanced threats. Furthermore, this launch represents a rigorous series of efforts within IBM to deliver the innovative defenses, analytics and integrations making it all possible. We are committed to continuing this journey along with our customers and partners. The introduction of the IBM Threat Protection System is a decisive step along that path.