Latest NSS Labs Testing Results

The Results are in: IBM’s Capabilities Shine in Latest NSS Labs Testing
December 10th 2013
Jim Brennan, Program Director of Strategy & Product Management, Infrastructure Security
IBM Security Systems, © 2013 IBM Corporation
  • Date posted: 14-Sep-2014
  • Category: Technology


description

Download the NSS Labs 2013 IPS Group Test: http://securityintelligence.com/nss-labs-results-and-the-question-of-security-effectiveness/

Understanding the criteria and test methodology of various third-party testing is a key component of making an informed decision on your next intrusion prevention platform. In this webcast, we will delve into the latest NSS Labs testing results, where IBM scored 95.7% in exploit block rate, and describe what it shows about the effectiveness of IBM Intrusion Prevention Solutions. We will also cover the role of third-party testing in general and how this testing applies to “real-world” threats and constantly changing attacks. Don’t miss the chance to get insight on the latest IBM test results and learn more about what third-party testing means for you.

View the on-demand webinar: https://www2.gotomeeting.com/register/577560858

Transcript of Latest NSS Labs Testing Results

Page 1: Latest NSS Labs Testing Results

The Results are in: IBM’s Capabilities Shine in Latest NSS Labs Testing

December 10th 2013

Jim Brennan, Program Director of Strategy & Product Management, Infrastructure Security

Page 2: Latest NSS Labs Testing Results

A brief primer to get started …

Vulnerability vs Exploit

Vulnerability
• A potential weakness in a system
• Not a danger on its own
• May be multiple ways of breaking in

Exploit
• A tool used to gain entry
• Many different exploits can target a single weakness

Page 3: Latest NSS Labs Testing Results

Two different protection approaches, yielding very different results

Focus on the Vulnerability
• Prevent everything from breaking the window
• Pre-emptive protection

Focus on the Exploits
• Prevent a crowbar from breaking the window
• Prevent a rock from breaking the window
• Prevent a cannonball from breaking the window
• New exploit, new signature

Page 4: Latest NSS Labs Testing Results

Mutated threats evade exploit-focused defense mechanisms

Vulnerability
• Form fields: email, password, Submit
• Form input goes directly to the database query without proper validation or sanitization

Exploit
• ' OR username IS NOT NULL OR username = '
• Common SQL injection in plain text to dump usernames from a table

Mutated Exploit
• JyBPUiB1c2VybmFtZSBJUyBOT1QgTlVMTCBPUiB1c2VybmFtZSA9ICc=
• The same SQL injection encoded with Base64 can evade pattern matching

BLUE CROWBAR RED CROWBAR
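The gap this slide describes, as an added example (not from the slides and not IBM's engine): a signature applied to the raw input misses the Base64 form, while the same signature applied after decoding catches it. The `SIGNATURE` regex and all function names are assumptions; the two payloads are the ones shown on the slide.

```python
import base64
import binascii
import re
from urllib.parse import unquote_plus

# Hypothetical signature for the tautology-style injection shown on the slide.
SIGNATURE = re.compile(r"'\s*OR\s+\w+\s+IS\s+NOT\s+NULL", re.IGNORECASE)
# Runs of the Base64 alphabet long enough to be worth a decode attempt.
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")

def naive_match(value: str) -> bool:
    """Pattern matching on the raw input only (exploit-focused signature)."""
    return bool(SIGNATURE.search(value))

def decoded_views(value: str, max_depth: int = 3):
    """Yield the raw value and each URL-/Base64-decoded form, up to max_depth layers."""
    seen, queue = {value}, [(value, 0)]
    while queue:
        current, depth = queue.pop()
        yield current
        if depth >= max_depth:
            continue  # bound the work an attacker can force with nested encodings
        candidates = [unquote_plus(current)]
        for token in B64_TOKEN.findall(current):
            try:
                candidates.append(base64.b64decode(token, validate=True).decode("utf-8"))
            except (binascii.Error, UnicodeDecodeError):
                continue  # not Base64-encoded text; ignore this token
        for cand in candidates:
            if cand not in seen:
                seen.add(cand)
                queue.append((cand, depth + 1))

def normalized_match(value: str) -> bool:
    """Apply the same signature to every decoded view of the input."""
    return any(SIGNATURE.search(view) for view in decoded_views(value))

# Constructed sample inputs: the two payloads from the slide plus a benign value.
PLAIN = "' OR username IS NOT NULL OR username = '"
ENCODED = "JyBPUiB1c2VybmFtZSBJUyBOT1QgTlVMTCBPUiB1c2VybmFtZSA9ICc="
BENIGN = "alice@example.com"

if __name__ == "__main__":
    for label, v in [("plain", PLAIN), ("base64", ENCODED), ("benign", BENIGN)]:
        print(f"{label:7} naive={naive_match(v)} normalized={normalized_match(v)}")
```

Decoding before matching only closes this one evasion; the underlying fix for the vulnerability on the slide is still validating input and using parameterized queries.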

Page 5: Latest NSS Labs Testing Results

IBM’s multiple intrusion prevention technologies work in tandem

Spectrum of Vulnerability and Exploit Coverage

• Vulnerability Decodes: Focused algorithms for mutating threats
• Protocol Anomaly Detection: Protection against misuse, unknown vulnerabilities, and tunneling across 230+ protocols
• Application Layer Heuristics: Proprietary algorithms to block malicious use
• Web Injection Logic: Patented protection against web attacks - e.g. SQL Injection and Command Injection
• Shellcode Heuristics: Behavioral approach to blocking exploit payloads
• Content Analysis: File and document inspection
• Exploit Signatures: Attack specific pattern matching

IBM stays ahead of the threat with these protection engines

Some IPS solutions stop at pattern matching

Page 6: Latest NSS Labs Testing Results

The Result = Preemptive protection for today’s threats

Timeline axis: Pre-2009, 2009, 2010, 2011, 2012, 2013
Legend: Red = Attacks; Blue = Preemptive Heuristic Detection (IPS)

Client-based Threats

Preemptive heuristic detection (IPS):
• HTML_Browser_Plugin_Overflow
• Java_Sandbox_Code_Execution
• JavaScript_NOOP_Sled
• CompoundFile_Embedded_SWF
• Java_Malicious_Applet
• Script_Suspicious_Score
• JavaScript_Msvcrt_ROP_Detected

Attacks:
• Java Plug-in for IE Remote Code
• Oracle Java Exploit CVE-2012-4681
• Adobe Flash Code Exec CVE-2011-0611
• Gong Da Exploit CVE-2013-0633
• Java Byte Code Exploitation
• MS IE Remote Exploit CVE-2012-4781
• Oracle Java Exploit CVE-2013-2465 and 2463
• MS IE Remote Exploit CVE-2013-3893

Web Application Attacks

Preemptive heuristic detection (IPS):
• Cross_Site_Scripting
• SQL_Injection

Attacks:
• EasyMedia Script XSS
• MS SharePoint CVE-2012-1859
• MS SQL Server CVE-2012-2552
• PHP-Fusion SQLi
• Oracle DB SQLi
• Lizamoon
• Lilupophilupop

The signatures and examples shown in this slide are for representation of the heuristic coverage available and do not demonstrate the entire listing of attacks from the time the signature was created.

Page 7: Latest NSS Labs Testing Results

2012 Tolly Group Report demonstrated IBM’s adaptive protection

Delivers superior protection from evolving threats with high levels of performance

• Stops 99% of tested, publicly available attacks
• Is nearly twice as effective as Snort at stopping "mutated" attacks
• Protects streams of 100% HTTP traffic at speeds of 20 Gbps and mixed traffic loads of 35 Gbps+

Source: Tolly Test Report October 2012

http://ibm.co/Tolly

Page 8: Latest NSS Labs Testing Results

Simple mutations rendered signature matching engines useless

A simple change to a variable name allows the attack to succeed, while rendering the protection of a signature-matching engine useless.

Original variable name → mutated variable name:
• Shellcode → somecode
• Block → brick
• heapLib → badLib

A simple change to the HTML code in a compromised web page makes the attack invisible to signature protection.

Original class reference:
<html><head></head><body><applet archive="jmBXTMuv.jar" code="msf.x.Exploit.class" width="1" height="1"><param name="data" value=""/><param name="jar">

Mutated class reference:
<html><head></head><body><applet archive="eXRZLr.jar" code="msf.x.badguy.class" width="1" height="1"><param name="data" value=""/><param name="jar">

Simply adding a comment to a web page results in an attack successfully bypassing signature IPS.

Original code:
var t = unescape;

Mutated code:
var t = unescape <!-- Comment -->;

Page 9: Latest NSS Labs Testing Results

NSS Labs

Independent information security research and testing organization

Pioneered third party intrusion detection and prevention system testing with the publication of the first such test criteria in 1999

Evaluates firewall, unified threat management, anti-malware, encryption, web application firewall, and other technologies on a regular basis

Page 10: Latest NSS Labs Testing Results

NSS Labs 2013 Group IPS Test: Shows IBM’s solutions are especially effective against mutating threats

“[IBM’s score] speaks to the ability of the IBM IPS to perform against the types of constantly evolving threats that are often seen in today’s networks.” – Vikram Phatak, Chairman and CEO, NSS Labs

PASS All tests related to “Stability & Reliability”

PASS All tests related to “Evasions”

95.7% Exploit Block Rate

97.7% Block Rate for Server Attacks

94.1% Block Rate for Client Attacks

Page 11: Latest NSS Labs Testing Results

Coverage by Attack Vector

Attacker Initiated: Executed remotely against a vulnerable application or operating system

Target Initiated: Initiated by user behavior (clicking on a link, opening an attachment, etc.)

Page 12: Latest NSS Labs Testing Results

Coverage by Target Vendor

“This graph highlights the coverage offered by the IBM GX7800 for some of the top vendor targets (out of more than 70) represented in this round of testing”

Page 13: Latest NSS Labs Testing Results

Evasion Results in Detail

“The device proved effective against all evasion techniques tested. The IBM GX7800 successfully blocked all evasions, resulting in an overall PASS.”

Page 14: Latest NSS Labs Testing Results

Stability & Reliability in Detail

“The IBM GX7800 is required to remain operational and stable throughout the tests, and to block 100% of previously blocked traffic, raising an alert for each.”

Page 15: Latest NSS Labs Testing Results

Performance Throughput Details

Page 16: Latest NSS Labs Testing Results

IBM Security Network Protection XGS
The Next Generation of IBM intrusion prevention solutions

• ADVANCED THREAT PROTECTION: Proven adaptive protection from sophisticated and constantly evolving threats, powered by X-Force®
• COMPREHENSIVE VISIBILITY & CONTROL: Helps discover and block existing infections and rogue applications while enforcing access policies
• SEAMLESS DEPLOYMENT & INTEGRATION: Adaptive deployment and superior integration with the full line of IBM security solutions

Page 17: Latest NSS Labs Testing Results

IBM’s Vision for Integrated Advanced Threat Protection

• Cross-domain awareness of targeted assets
• Integrated platform for distribution of threat intelligence
• Cross-domain awareness of threat activity

On the Network
• Intrusion prevention
• URL filtering
• Application control
• Malware detection

In the Wild
• Malware analysis
• Vulnerability analysis
• URL classification
• Reputation

On the Endpoint
• Malware prevention
• Configuration management

Page 18: Latest NSS Labs Testing Results

Executing on the Vision

• Cross-domain awareness of targeted assets
• Integrated platform for distribution of threat intelligence
• Cross-domain awareness of threat activity

On the Network

On the Endpoint

In the Wild

IBM Network Protection

Endpoint Manager

Trusteer Apex

Page 19: Latest NSS Labs Testing Results

Summary

Vulnerability-focused intrusion prevention systems offer pre-emptive protection that cannot be easily evaded by mutating threats

IBM’s score of 95.7% exploit block rate in NSS Labs 2013 IPS Group Test speaks to its ability to perform against the types of constantly evolving threats often seen in today’s networks

IBM’s Network Protection platform builds upon IBM’s proven adaptive protection to include robust application visibility and control, and is part of a comprehensive platform that defends against threats

Page 20: Latest NSS Labs Testing Results

Learn more about IBM’s IPS offerings:

• Download the 2013 NSS Labs IPS Group Test: http://ibm.co/IBM_NSS
• Read the Tolly Test report on IBM: http://ibm.co/Tolly
• Learn about Forrester’s Zero Trust Model: http://ibm.co/Forrester

Visit our:

• Blog: www.securityintelligence.com
• Website: www.ibm.com/security

Page 21: Latest NSS Labs Testing Results

Questions?

Page 22: Latest NSS Labs Testing Results

ibm.com/security

© Copyright IBM Corporation 2013. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind, express or implied. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, these materials. Nothing contained in these materials is intended to, nor shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software. References in these materials to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates. Product release dates and/or capabilities referenced in these materials may change at any time at IBM’s sole discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any way. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service marks of others.