First, while defense-in-depth might still be a useful concept for talking about how to address sophisticated threats, it is also true that the defense-in-depth mindset is, in many ways, responsible for the massive over-deployment and fragmentation of various security technologies in many IT environments.
Today it is no longer about “securing everything” across an IT environment, but instead about focusing on what really matters to the business and figuring out how to layer different, complementary security technologies in the most effective way possible.
IBM recently announced the close of the Trusteer acquisition and we are very excited to begin working with our new colleagues over the weeks and months ahead.
While Trusteer established themselves in the web fraud and financial services space, today I want to expand on how Trusteer’s newest capability (Apex) adds a critical component to IBM’s strategy for approaching the challenges associated with more sophisticated attackers and the designer malware they frequently employ during intrusions.
4 Layers of Advanced Threat Strategy
Our strategy is to tackle the challenge associated with advanced threats from the perspective of network and endpoint protection, and to do so within the context of threat and security intelligence. These are the four layers to protect against advanced threats:
A firewall is not an IPS. Time after time, when we see these appliances tested and run in live environments, we see the performance and efficacy of these technologies start to slip dramatically when all of the different functionality is enabled. If you think organizations don’t exist for the sake of being secure, but should be secure, then an IPS inside a firewall, a technology that will either negatively impact network performance if fully enabled or leave you vulnerable if practicality mandates you turn capabilities off, probably isn’t what you are looking for. An IPS, everything else aside, basically needs the best, most extensible protection engine, a way to enforce application policy and control, and the ability to handle mutations and network evasions.
With the acquisition of BigFix a few years ago, IBM brought on a technology with an excellent set of capabilities around endpoint and configuration management and control, and Trusteer adds a critical capability around anti-malware. While it’s possible to use virtual sandboxes that execute applications as a method of doing malware detection and rapid incident response, it is simply not practical to do malware prevention on the network. With Trusteer Apex, IBM adds leading anti-malware capabilities that rely on neither anti-virus and signatures (ineffective against designer malware) nor whitelisting and blacklisting (too difficult to manage and effectively maintain operationally). Instead, Trusteer Apex profiles the behavior of all endpoint applications and web browsers and blocks deviations from that behavior, effectively disrupting the way malware is installed on target machines.
Today, it is also not nearly enough to know what is going on within your own infrastructure. It is critical to also see all of that activity in the context of the broader threat landscape. The X-Force team has evolved over the years as the threat landscape has changed, and today we can offer customers comprehensive vulnerability research, IP reputation, and the visibility of our Managed Security Services organization. With the addition of the excellent Trusteer research organization and the insights they have into malware and endpoint activity, we will be able to offer our clients the ability to put the activity they are seeing in their own organization in the context of the broader, global threat landscape.
The glue that holds it all together. It is critical to be able to integrate security telemetry from across the IT infrastructure and threat landscape and then use correlation and analytics to understand context more completely than ever before. This is a space that has evolved a great deal over the last decade and one where IBM is aggressively innovating. Earlier this year we introduced Security Intelligence with Big Data for the most sophisticated security and data analysts. This summer we announced QRadar Vulnerability Manager, which, for the first time, put vulnerability information (including application and database vulnerabilities) in the context of other security data. The aim is to more effectively prioritize vulnerabilities that required immediate response and remediation, while simultaneously excluding vulnerabilities that posed limited risk because access to them could be blocked by other methods and network controls, or because a patch was available and/or scheduled for deployment.
While we agree that complete protection is impossible, thus making requirements associated with incident response and network forensics a necessity, more prevention can be done around advanced threats than is happening today. Our strategy is to force an increasingly high bar around the types of attacks that can penetrate an IT environment and then provide the tools and intelligence required to respond to the threats that do get through.