Latest NSS Labs Testing Results
Date posted: 14-Sep-2014
Category: Technology
Transcript of Latest NSS Labs Testing Results
© 2013 IBM Corporation
IBM Security Systems
Slide 1
The Results are in: IBM’s Capabilities Shine in Latest NSS Labs Testing
December 10th 2013
Jim Brennan, Program Director of Strategy & Product Management, Infrastructure Security
Slide 2
A brief primer to get started …
Vulnerability vs Exploit
Vulnerability:
• A potential weakness in a system
• Not a danger on its own
• May be multiple ways of breaking in
Exploit:
• A tool used to gain entry
• Many different exploits can target a single weakness
Slide 3
Two different protection approaches, yielding very different results
Focus on the Vulnerability:
• Prevent everything from breaking the window
• Pre-emptive protection
Focus on the Exploits:
• Prevent a crowbar from breaking the window
• Prevent a rock from breaking the window
• Prevent a cannonball from breaking the window
• New exploit, new signature
Slide 4
Mutated threats evade exploit-focused defense mechanisms
Vulnerability: form input (password field, Submit button) sent directly to a database query without proper validation or sanitization
Exploit: common SQL injection in plain text to dump usernames from a table
' OR username IS NOT NULL OR username = '
Mutated Exploit: the same SQL injection encoded with Base64 can evade pattern matching
JyBPUiB1c2VybmFtZSBJUyBOT1QgTlVMTCBPUiB1c2VybmFtZSA9ICc=
Figure labels: BLUE CROWBAR, RED CROWBAR
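The difference between matching the exploit and inspecting the decoded input, as an added example that is not part of the original slides and not IBM's detection logic. The two payload strings are the ones shown on the slide; the signature, the simplified injection rule and the function names are assumptions made for illustration.

```python
import base64
import re
from urllib.parse import unquote_plus

# Both values are taken from the slide: the plain-text payload and its Base64 form.
PLAINTEXT = "' OR username IS NOT NULL OR username = '"
ENCODED = "JyBPUiB1c2VybmFtZSBJUyBOT1QgTlVMTCBPUiB1c2VybmFtZSA9ICc="

# Constructed exploit-focused signature: matches one literal payload.
EXPLOIT_SIGNATURE = re.compile(r"' OR username IS NOT NULL", re.IGNORECASE)

# Simplified vulnerability-focused rule (an assumption for illustration):
# a quote that closes a string literal, followed by a boolean operator.
INJECTION_RULE = re.compile(r"'\s*(or|and)\b", re.IGNORECASE)


def candidate_decodings(value, max_depth=3):
    """Return the raw value plus every URL/Base64-decoded layer beneath it."""
    seen, queue = [], [(value, 0)]
    while queue:
        current, depth = queue.pop()
        if current in seen:
            continue
        seen.append(current)
        if depth >= max_depth:
            continue
        queue.append((unquote_plus(current), depth + 1))
        try:
            raw = base64.b64decode(current, validate=True)
            queue.append((raw.decode("utf-8"), depth + 1))
        except ValueError:  # covers binascii.Error and UnicodeDecodeError
            pass
    return seen


def signature_only(value):
    """Exploit-focused: pattern match on the input exactly as received."""
    return bool(EXPLOIT_SIGNATURE.search(value))


def decode_then_inspect(value):
    """Vulnerability-focused: normalise encodings first, then apply the rule."""
    return any(INJECTION_RULE.search(v) for v in candidate_decodings(value))


if __name__ == "__main__":
    # "O'Brien" is a constructed benign input containing an apostrophe.
    for label, sample in (("plain", PLAINTEXT), ("base64", ENCODED), ("benign", "O'Brien")):
        print(label, signature_only(sample), decode_then_inspect(sample))
```

The literal signature fires only on the plain-text form, while the decode-first check flags both forms and leaves the benign apostrophe alone.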
Slide 5
IBM’s multiple intrusion prevention technologies work in tandem
Spectrum of Vulnerability and Exploit Coverage
• Vulnerability Decodes: focused algorithms for mutating threats
• Protocol Anomaly Detection: protection against misuse, unknown vulnerabilities, and tunneling across 230+ protocols
• Application Layer Heuristics: proprietary algorithms to block malicious use
• Web Injection Logic: patented protection against web attacks, e.g. SQL Injection and Command Injection
• Shellcode Heuristics: behavioral approach to blocking exploit payloads
• Content Analysis: file and document inspection
• Exploit Signatures: attack-specific pattern matching
IBM stays ahead of the threat with these protection engines
Some IPS solutions stop at pattern matching
Slide 6
The Result = Preemptive protection for today’s threats
[Timeline figure: Pre-2009, 2009, 2010, 2011, 2012, 2013. Legend: Red = Attacks, Blue = Preemptive Heuristic Detection (IPS). Panels: Client-based Threats; Web Application Attacks.]
Labels shown in the figure: HTML_Browser_Plugin_Overflow; Java Plug-in for IE Remote Code; Java_Sandbox_Code_Execution; Oracle Java Exploit CVE-2012-4681; JavaScript_NOOP_Sled; CompoundFile_Embedded_SWF; Cross_Site_Scripting; SQL_Injection; Adobe Flash Code Exec CVE-2011-0611; Gong Da Exploit CVE-2013-0633; Java Byte Code Exploitation; EasyMedia Script XSS; MS SharePoint CVE-2012-1859; MS SQL Server CVE-2012-2552; PHP-Fusion SQLi; Oracle DB SQLi; Lizamoon; Lilupophilupop; MS IE Remote Exploit CVE-2012-4781; Oracle Java Exploit CVE-2013-2465 and 2463; Java_Malicious_Applet; MS IE Remote Exploit CVE-2013-3893; Script_Suspicious_Score; JavaScript_Msvcrt_ROP_Detected
The signatures and examples shown in this slide are for representation of the heuristic coverage available and do not demonstrate the entire listing of attacks from the time the signature was created.
Slide 7
2012 Tolly Group Report demonstrated IBM’s adaptive protection
Delivers superior protection from evolving threats with high levels of performance
• Stops 99% of tested, publicly available attacks
• Is nearly twice as effective as Snort at stopping "mutated" attacks
• Protects streams of 100% HTTP traffic at speeds of 20 Gbps and mixed traffic loads of 35 Gbps+
Source: Tolly Test Report October 2012, http://ibm.co/Tolly
Slide 8
Simple mutations rendered signature matching engines useless
• A simple change to a variable name allows the attack to succeed, while rendering the protection of a signature matching engine useless
Original Variable Names -> Mutated Variable Names
Shellcode -> somecode
Block -> brick
heapLib -> badLib
• A simple change to the HTML code in a compromised web page makes the attack invisible to signature protection
Original Class Reference:
<html><head></head><body><applet archive="jmBXTMuv.jar" code="msf.x.Exploit.class" width="1" height="1"><param name="data" value=""/><param name="jar">
Mutated Class Reference:
<html><head></head><body><applet archive="eXRZLr.jar" code="msf.x.badguy.class" width="1" height="1"><param name="data" value=""/><param name="jar">
• Simply adding a comment to a web page results in an attack successfully bypassing signature IPS
Original Code: var t = unescape;
Mutated Code: var t = unescape <!-- Comment -->;
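Why the renamed class reference slips past a literal signature while a check on the page's structure does not, as an added example that is not part of the original slides and not IBM's engine. The two HTML fragments are the ones shown on the slide; the literal signature, the "hidden applet" rule, the benign sample and all function names are assumptions made for illustration.

```python
from html.parser import HTMLParser

# The two fragments from the slide (truncated there, reproduced as shown).
ORIGINAL = ('<html><head></head><body><applet archive="jmBXTMuv.jar" '
            'code="msf.x.Exploit.class" width="1" height="1">'
            '<param name="data" value=""/><param name="jar">')
MUTATED = ('<html><head></head><body><applet archive="eXRZLr.jar" '
           'code="msf.x.badguy.class" width="1" height="1">'
           '<param name="data" value=""/><param name="jar">')
# Constructed benign page: a visible applet of ordinary size.
BENIGN = '<applet archive="chart.jar" code="Chart.class" width="400" height="300"></applet>'

# Constructed exploit-focused signature: the literal class name of one sample.
LITERAL_SIGNATURE = 'code="msf.x.Exploit.class"'


class AppletCollector(HTMLParser):
    """Collect the attribute dict of every <applet> tag in a document."""

    def __init__(self):
        super().__init__()
        self.applets = []

    def handle_starttag(self, tag, attrs):
        if tag == "applet":
            self.applets.append(dict(attrs))


def _pixels(value):
    """Parse a width/height attribute; None when missing or not an integer."""
    try:
        return int(value or "")
    except ValueError:
        return None


def signature_match(html):
    """Exploit-focused: look for one literal string."""
    return LITERAL_SIGNATURE in html


def hidden_applet_heuristic(html):
    """Structure-focused: an applet that loads a JAR but renders at <= 1x1 px."""
    collector = AppletCollector()
    collector.feed(html)
    for attrs in collector.applets:
        width, height = _pixels(attrs.get("width")), _pixels(attrs.get("height"))
        loads_jar = (attrs.get("archive") or "").lower().endswith(".jar")
        if loads_jar and width is not None and height is not None and width <= 1 and height <= 1:
            return True
    return False
```

Renaming the JAR file and class changes nothing the structural rule looks at, so both fragments are flagged; a rule this simple would still need tuning against legitimate invisible applets before use.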
Slide 9
NSS Labs
• Independent information security research and testing organization
• Pioneered third party intrusion detection and prevention system testing with the publication of the first such test criteria in 1999
• Evaluates firewall, unified threat management, anti-malware, encryption, web application firewall, and other technologies on a regular basis
Slide 10
NSS Labs 2013 Group IPS Test: Shows IBM’s solutions are especially effective against mutating threats
“[IBM’s score] speaks to the ability of the IBM IPS to perform against the types of constantly evolving threats that are often seen in today’s networks.” – Vikram Phatak, Chairman and CEO, NSS Labs
• PASS: All tests related to “Stability & Reliability”
• PASS: All tests related to “Evasions”
• 95.7% Exploit Block Rate
• 97.7% Block Rate for Server Attacks
• 94.1% Block Rate for Client Attacks
Slide 11
Coverage by Attack Vector
Attacker Initiated: Executed remotely against a vulnerable application or operating system
Target Initiated: Initiated by user behavior (clicking on a link, opening an attachment, etc)
Slide 12
Coverage by Target Vendor
“This graph highlights the coverage offered by the IBM GX7800 for some of the top vendor targets (out of more than 70) represented in this round of testing”
Slide 13
Evasion Results in Detail
“The device proved effective against all evasion techniques tested. The IBM GX7800 successfully blocked all evasions, resulting in an overall PASS.”
Slide 14
Stability & Reliability in Detail
“The IBM GX7800 is required to remain operational and stable throughout the tests, and to block 100% of previously blocked traffic, raising an alert for each.”
Slide 15
Performance Throughput Details
Slide 16
IBM Security Network Protection XGS
The Next Generation of IBM intrusion prevention solutions
• ADVANCED THREAT PROTECTION: Proven adaptive protection from sophisticated and constantly evolving threats, powered by X-Force®
• COMPREHENSIVE VISIBILITY & CONTROL: Helps discover and block existing infections and rogue applications while enforcing access policies
• SEAMLESS DEPLOYMENT & INTEGRATION: Adaptive deployment and superior integration with the full line of IBM security solutions
Slide 17
IBM’s Vision for Integrated Advanced Threat Protection
Domains: On the Network, On the Endpoint, In the Wild
Capabilities shown:
• Intrusion prevention, URL filtering, Application control, Malware detection
• Malware analysis, Vulnerability analysis, URL classification, Reputation
• Malware prevention, Configuration management
Cross-domain awareness of targeted assets
Integrated platform for distribution of threat intelligence
Cross-domain awareness of threat activity
Slide 18
Executing on the Vision
Domains: On the Network, On the Endpoint, In the Wild
Products shown: IBM Network Protection, Endpoint Manager, Trusteer Apex
Cross-domain awareness of targeted assets
Integrated platform for distribution of threat intelligence
Cross-domain awareness of threat activity
Slide 19
Summary
Vulnerability-focused intrusion prevention systems offer pre-emptive protection that cannot be easily evaded by mutating threats
IBM’s score of 95.7% exploit block rate in NSS Labs 2013 IPS Group Test speaks to its ability to perform against the types of constantly evolving threats often seen in today’s networks
IBM’s Network Protection platform builds upon IBM’s proven adaptive protection to include robust application visibility and control, and is part of a comprehensive platform that defends against threats
Slide 20
Learn more about IBM’s IPS offerings:
Download the 2013 NSS Labs IPS Group Test: http://ibm.co/IBM_NSS
Read the Tolly Test report on IBM: http://ibm.co/Tolly
Learn about Forrester’s Zero Trust Model: http://ibm.co/Forrester
Visit our:
Blog: www.securityintelligence.com
Website: www.ibm.com/security
Slide 21
Questions?
Slide 22
ibm.com/security
© Copyright IBM Corporation 2013. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind, express or implied. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, these materials. Nothing contained in these materials is intended to, nor shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software. References in these materials to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates. Product release dates and/or capabilities referenced in these materials may change at any time at IBM’s sole discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any way. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service marks of others.