IBM Security Network Protection (XGS) Advanced Threat Protection Integration Framework Summary


saeran


Presentation Transcript


  1. IBM Security Network Protection (XGS) Advanced Threat Protection Integration Framework Summary Full Details: http://ibm.biz/ISNP_ATP_API

  2. Advanced Threat Protection (ATP) Integration Framework
  • The ATP Integration Framework is the mechanism by which IBM Security Network Protection (ISNP) receives external alerts and acts on them using Quarantine
  • Two integration methods:
    • User-instigated, via the QRadar GUI right-click tool
    • Automated, via the direct XML API on the ISNP appliance

  3. Advanced Threat Protection Policy
  • An alert will be mapped to one of five types:
    • Compromise: a successful breach of security, currently active within the environment. This could range from subversive human behavior to automated command-and-control exploits.
    • Reputation: describes characteristics tied to an address or web URI and related to geography or observed content behavior.
    • Intrusion: an instance of an in-progress network attack attempt.
    • Malware: represents malicious software in flight on the network or at risk on a disk.

  4. Advanced Threat Protection Policy (cont.)
    • Exposure/vulnerability: represents an identified network weakness which, if successfully exploited, could result in compromise.
  • The alert is also classified into one of 3 severities:
    • High
    • Medium
    • Low

  5. Advanced Threat Protection Policy (cont.)

  6. Sandbox Malware Detection Integration example
  • Web Security Appliance
    • Uses sandboxing to execute and profile files to identify Command & Control (C&C) hosts
    • Can monitor traffic and identify internal hosts that are compromised (through calls to known C&C sites)
  • Although Malware Detection systems can raise alerts, they are not enforcement devices
  • ISNP can provide the enforcement for Malware Detection
  • i

  7. Malware Detection / ISNP Network Topology

  8. Typical Use Cases
  • There are three supported Quarantine use cases:
    • Compromise: A machine infected with malware, transmitting data to a Command & Control server, represents a Compromised Host in an enterprise network.
    • Reputation: A Command & Control server contacted by a Compromised Host, or a web server hosting a web exploit, represents a Malicious Server with a poor reputation.
    • Malware: A Malware Object being transmitted over the network to a Target Host from a Hosting Server represents a Threat-In-Flight.
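The three quarantine use cases above, together with the five alert types and three severities from the policy slides, as an added example (not code from IBM, ISNP or the presentation): a small Python policy layer that validates an incoming sandbox alert against the ATP model and decides which host or flow a quarantine should apply to. The alert field names (type, severity, src, dst, detail), the severity threshold, the rule that an intrusion or exposure alert is recorded but not auto-quarantined, and the sample alerts are all assumptions constructed for illustration; the slides do not show the XML request format, so the example stops at the structured decision rather than building the appliance API call.

```python
from dataclasses import dataclass
from typing import Optional

# The five ATP alert types and three severities named on the policy slides.
ATP_TYPES = {"compromise", "reputation", "intrusion", "malware", "exposure"}
SEVERITY_RANK = {"high": 3, "medium": 2, "low": 1}


@dataclass(frozen=True)
class QuarantineDecision:
    use_case: str   # compromised_host | malicious_server | threat_in_flight
    target: str     # the address (or src->dst flow) the quarantine applies to
    reason: str


def normalize_alert(raw: dict) -> dict:
    """Validate an external alert against the ATP policy model.

    Field names (type, severity, src, dst, detail) are an assumption for this
    example; a real integration would map the sandbox's own schema here.
    """
    atp_type = str(raw.get("type", "")).strip().lower()
    severity = str(raw.get("severity", "")).strip().lower()
    if atp_type not in ATP_TYPES:
        raise ValueError(f"unknown ATP type: {atp_type!r}")
    if severity not in SEVERITY_RANK:
        raise ValueError(f"unknown severity: {severity!r}")
    return {
        "type": atp_type,
        "severity": severity,
        "src": raw.get("src"),
        "dst": raw.get("dst"),
        "detail": str(raw.get("detail", "")),
    }


def decide_quarantine(alert: dict, min_severity: str = "medium") -> Optional[QuarantineDecision]:
    """Map a normalized alert onto one of the three quarantine use cases.

    Returns None when the alert is below the (assumed) severity threshold,
    when its type is not one of the three quarantine use cases, or when the
    address the use case needs is missing from the alert.
    """
    if SEVERITY_RANK[alert["severity"]] < SEVERITY_RANK[min_severity]:
        return None
    kind, src, dst = alert["type"], alert["src"], alert["dst"]
    if kind == "compromise" and src:
        # Infected internal machine talking to C&C: quarantine the source host.
        return QuarantineDecision("compromised_host", src, alert["detail"])
    if kind == "reputation" and dst:
        # C&C or exploit-hosting server: quarantine the destination address.
        return QuarantineDecision("malicious_server", dst, alert["detail"])
    if kind == "malware" and src and dst:
        # Malicious object in transit: quarantine the hosting-server -> target flow.
        return QuarantineDecision("threat_in_flight", f"{src}->{dst}", alert["detail"])
    # Intrusion / exposure alerts are recorded but not auto-quarantined here (assumption).
    return None


def process_alerts(raw_alerts, min_severity="medium"):
    """Run a batch; return (decisions, rejected) so one bad alert never blocks the rest."""
    decisions, rejected = [], []
    for raw in raw_alerts:
        try:
            alert = normalize_alert(raw)
        except ValueError as exc:
            rejected.append(f"{raw!r}: {exc}")
            continue
        decision = decide_quarantine(alert, min_severity)
        if decision is not None:
            decisions.append(decision)
    return decisions, rejected


# Constructed sample alerts (private and documentation address ranges, not real hosts).
SAMPLE_ALERTS = [
    {"type": "Compromise", "severity": "High", "src": "10.0.0.23", "dst": "198.51.100.7",
     "detail": "beacon to known C&C"},
    {"type": "Reputation", "severity": "Medium", "src": "10.0.0.23", "dst": "198.51.100.7",
     "detail": "C&C server contacted by compromised host"},
    {"type": "Malware", "severity": "High", "src": "203.0.113.5", "dst": "10.0.0.42",
     "detail": "dropper in transit"},
    {"type": "Intrusion", "severity": "High", "src": "203.0.113.9", "dst": "10.0.0.1",
     "detail": "scan"},                                    # recorded, not quarantined
    {"type": "Reputation", "severity": "Low", "src": "10.0.0.5", "dst": "198.51.100.9",
     "detail": "low-confidence reputation hit"},           # below threshold
    {"type": "bogus", "severity": "High", "src": "10.0.0.9", "dst": None},  # rejected
]

if __name__ == "__main__":
    decisions, rejected = process_alerts(SAMPLE_ALERTS)
    for d in decisions:
        print(f"QUARANTINE {d.use_case:<17} {d.target:<25} {d.reason}")
    for r in rejected:
        print("REJECTED", r)
```

Keeping validation separate from the decision keeps a malformed alert from the sandbox (the last sample) from being silently treated as a quarantine request, and the severity threshold is the natural place to decide which of the three severities should trigger automated enforcement versus analyst review through the right-click path.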

  9. Event Log: Advanced Threat Events

  10. Active Quarantines

  11. IBM Security QRadar Right Click Integration with IBM Security Network Protection

  12. QRadar “right click” Integration (source address) “on the glass” integration

  13. QRadar “right click” Integration (source address)

  14. QRadar Advanced Threat Events

  15. QRadar “right click” Integration (destination port) “on the glass” integration

  16. QRadar “right click” Integration (destination port)

  17. QRadar Advanced Threat Events

  18. ibm.com/security
