October 2, 2013 By Jim Brennan 3 min read

First, while defense-in-depth might still be a useful a concept to talk about how to address sophisticated threats, it is also true that the defense-in-depth mindset is, in many ways, responsible for the massive over-deployment and fragmentation of various security technologies in many IT environments.

Today it is no longer about “securing everything” across an IT environment, but instead focusing on what really matters to the business and figuring out how to layer different, complementary security technologies in the most effective way possible.

IBM recently announced the close of the Trusteer acquisition and we are very excited to begin working with our new colleagues over the weeks and months ahead.

While Trusteer established themselves in the web fraud and financial services space, today I want to expand on how Trusteer’s newest capability (Apex), adds a critical component to IBM’s strategy for approaching the challenges associated with more sophisticated attackers and the designer malware they frequently employ during intrusions.

 

4 Layers of Advanced Threat Strategy

Our strategy is to tackle the challenge associated with advanced threats from the perspective of network and endpoint protection, and to do so within the context of threat and security intelligence. These are the four layers to protect against advanced threats:

Network Protection

A firewall is not an IPS.  Time after time when we see these appliances tested and run in live environments we see the performance and efficacy of these technologies start to dramatically slip when all of the different functionality is enabled.  If you think organizations don’t exist for the sake of being secure, but should be secure, then using technology that will either negatively impact network performance if fully enabled, or leave you vulnerable if practicality mandates you turn capabilities off, an IPS inside a firewall probably isn’t what you are looking for.  An IPS, everything else aside, basically needs the best, most extensible, protection engine, a way to enforce application policy and control and the ability to handle mutations and network evasions.

Endpoint Protection

With the acquisition of BigFix a few years ago IBM brought on a technology with an excellent set of capabilities around endpoint and configuration management and control, and Trusteer adds a critical capability around anti-malware.  While it’s possible to use virtual sandboxes that execute applications as a method of doing malware detection and rapid incident response, it is simply not practical to do malware prevention on the network.  With Trusteer Apex IBM adds leading anti-malware capabilities that relies on neither anti-virus and signatures (ineffective against designer malware), nor whitelisting and blacklisting (too difficult to manage and effectively maintain operationally).  Instead, Trusteer Apex profiles the behavior of all endpoint applications and web browsers and blocks deviations from that behavior, effectively disrupting the way malware is installed on target machines.

Threat Intelligence

Today, it is also not nearly enough to know what is going on within your own infrastructure. It is critical to also see all of that activity in the context of the broader threat landscape.  The X-Force team has evolved over the years as the threat landscape has changed and today we can offer customers comprehensive vulnerability research, IP reputation, the visibility of our Managed Security Services organization and with the addition of the excellent Trusteer research organization and insights they have into malware and endpoint activity we will be able to offer our clients the ability to put the activity they are seeing in their own organization in the context of the broader, global threat landscape.

Security Intelligence

The glue that holds it all together.  It is critical to be able to integrate security telemetry from across the IT infrastructure and threat landscape and then use correlation and analytics to understand context more completely than ever before.  This is a space that has evolved a great deal over the last decade and one where IBM is aggressively innovating.  Earlier this year we introduced Security Intelligence with Big Data for the most sophisticated security and data analysts and this summer we announced QRadar Vulnerability Manager, which, for the first time, put vulnerability information (including application and database vulnerabilities) in the context of other security data in order to more effectively prioritize vulnerabilities that required immediate response and remediation while simultaneously excluding vulnerabilities that posed limited risk because access to them could be blocked by other methods and network controls or a patch was available and/or scheduled for deployment.

 

While we agree that complete protection is impossible, thus making requirements associated with incident response and network forensics a necessity, more prevention can be done around advanced threats than is happening today.  Our strategy is to force an increasingly high bar around the types of attacks that can penetrate an IT environment and then provide the tools and intelligence required to respond to the threats that do get through.

 

More from Advanced Threats

Phishing kit trends and the top 10 spoofed brands of 2023

4 min read -  The 2024 IBM X-Force Threat Intelligence Index reported that phishing was one of the top initial access vectors observed last year, accounting for 30% of incidents. To carry out their phishing campaigns, attackers often use phishing kits: a collection of tools, resources and scripts that are designed and assembled to ease deployment. Each phishing kit deployment corresponds to a single phishing attack, and a kit could be redeployed many times during a phishing campaign. IBM X-Force has analyzed thousands of…

Grandoreiro banking trojan unleashed: X-Force observing emerging global campaigns

16 min read - Since March 2024, IBM X-Force has been tracking several large-scale phishing campaigns distributing the Grandoreiro banking trojan, which is likely operated as a Malware-as-a-Service (MaaS). Analysis of the malware revealed major updates within the string decryption and domain generating algorithm (DGA), as well as the ability to use Microsoft Outlook clients on infected hosts to spread further phishing emails. The latest malware variant also specifically targets over 1500 global banks, enabling attackers to perform banking fraud in over 60 countries…

A spotlight on Akira ransomware from X-Force Incident Response and Threat Intelligence

7 min read - This article was made possible thanks to contributions from Aaron Gdanski.IBM X-Force Incident Response and Threat Intelligence teams have investigated several Akira ransomware attacks since this threat actor group emerged in March 2023. This blog will share X-Force’s unique perspective on Akira gained while observing the threat actors behind this ransomware, including commands used to deploy the ransomware, active exploitation of CVE-2023-20269 and analysis of the ransomware binary.The Akira ransomware group has gained notoriety in the current cybersecurity landscape, underscored…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today