Highlights from the IBM X-Force 2012 Trend and Risk Report

Even though I am no longer an IBMer, this is still a great report to review trends.  The X-Force Blog has posted their highlights, with a link at the bottom to get the full report.  I’ve read through the report and here are some bits I find interesting.

  • The distribution and installation of malware on end-user systems has been greatly enabled by the use of Web browser exploit kits built specifically for this purpose. Exploit kits first began to appear in 2006 and are provided or sold by their authors to attackers that want to install malware on a large number of systems. They continue to be popular because they provide attackers a turnkey solution for installing malware on end-user systems. Java vulnerabilities have become a key target for exploit kits as attackers take advantage of three key elements: reliable exploitation, unsandboxed code execution, and cross-platform availability across multiple operating systems. Java exploits have become key targets in 2012 and IBM X-Force predicts this attack activity to continue into 2013.
  • The 2012 bank DDoS attacks appear to be coming in part not from infected PCs, but from compromised web servers that reside in high bandwidth data centers. By using security vulnerabilities in CMS systems and other popular web frameworks, the attackers were able to create a botnet of web servers that have a much longer connected uptime, as well as having more bandwidth in general, than home PCs. Because of this, they were able to use fewer bots to more effectively generate larger amounts of traffic.
  • In addition to new toolkits and botnets of infected web servers, old reliable methods such as amplification attacks are being effectively used to generate high traffic. While amplification attacks such as an Internet Control Message Protocol based (ICMP) “Smurf Attack” have been used for a decade or more, attackers continue to use the same underlying principles to generate much more traffic today. In particular, DNS Amplification has been successful due to the many open or misconfigured DNS resolver servers on the Internet.
  • Malicious code activity overall continues to grow, helped along by the combined efforts of casual attackers, insider threats, cybercrime and Advanced Persistent Threats. Figure 7 demonstrates the “arms race” that exists in computer security today, with the number of techniques to compromise systems constantly growing, being countered, and growing again.

Harvard-ITSecurity / qradar-seculert-push

What is it?

A way to grab Seculert’s Crime Servers and Threat Intelligence Records (via their API) and push them into QRadar’s Remote Networks, which then you can build Rules upon. The beauty of this is that in reality it shows you how to more generally push custom “BAD” IPs/Networks into QRadar and auto-deploy them. You can use any list of IPs/networks. If it’s CSV, it should be an absolute breeze to import.

How does it work?

You need to go into ‘seculert_qradar.pl’ and edit the ‘#START USER CONFIG’ section. The first variable you will see is the “seculert” api key – which you can get from your Seculert account (fantastic service http://seculert.com), but again, this can be easily be any CSV list. The idea is that you download both feeds and convert them into the “IP” format that QRadar understands with the “Network” (in this case ‘SECULERT’) ID and the Sub-ID (in this case ‘CS’ and ‘TIR’). Then you pull the existing remotenet.conf file, and prune out the old SECULERT list, and then merge in the new one that you just pulled. Then you upload the new file back to QRadar and auto-trigger the deployment (here is the real qradar magic).
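As an added illustration of the prune-and-merge step (this is not the GitHub script, which is Perl), here is a Python version that validates a CSV feed and rebuilds the SECULERT rows; the tab-separated GROUP/NAME/CIDR layout for remotenet.conf, the feed column name `ip` and the sample data are assumptions, and the upload and deploy steps are left to the script described above.

```python
"""Merge a CSV threat feed into a QRadar-style remotenet.conf (added example)."""
import csv
import io
import ipaddress

# Assumed remotenet.conf layout (verify against your own console):
# one network per line, tab-separated:  GROUP<TAB>NAME<TAB>CIDR
# The blog's script uses group 'SECULERT' with sub-IDs 'CS' and 'TIR'.
GROUP = "SECULERT"

# Constructed sample of an existing remotenet.conf holding stale SECULERT rows.
EXISTING_CONF = """\
Datacenter\tWeb\t10.10.0.0/16
SECULERT\tCS\t198.51.100.7/32
SECULERT\tTIR\t203.0.113.0/24
Partners\tVPN\t192.0.2.0/24
"""

# Constructed CSV feeds (documentation-range addresses, not real indicators).
CS_FEED = ("ip,first_seen\n198.51.100.9,2012-11-01\n"
           "not-an-ip,2012-11-02\n198.51.100.9,2012-11-03\n")
TIR_FEED = "ip,first_seen\n203.0.113.128/25,2012-11-01\n"


def feed_to_cidrs(csv_text):
    """Return de-duplicated, validated CIDR strings from the 'ip' column.
    Bare IPs become /32 (or /128); malformed rows are skipped, not fatal."""
    seen = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        try:
            net = ipaddress.ip_network(row["ip"].strip(), strict=False)
        except ValueError:
            continue  # one bad row must not break the whole deploy
        seen[str(net)] = True  # dict keeps first-seen order
    return list(seen)


def merge_remotenet(existing, feeds, group=GROUP):
    """Drop every existing line of `group`, then append fresh rows per sub-ID."""
    kept = [ln for ln in existing.splitlines()
            if ln.strip() and ln.split("\t")[0] != group]
    for sub_id, cidrs in feeds.items():
        kept.extend(f"{group}\t{sub_id}\t{c}" for c in cidrs)
    return "\n".join(kept) + "\n"


def build_conf():
    feeds = {"CS": feed_to_cidrs(CS_FEED), "TIR": feed_to_cidrs(TIR_FEED)}
    return merge_remotenet(EXISTING_CONF, feeds)


if __name__ == "__main__":
    print(build_conf())
```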

Read more and get the script on GitHub.

IBM Tivoli Endpoint Manager Mobile Device Manager 1.3

IBM Tivoli Endpoint Manager (TEM), built on BigFix technology, is one of my favorite IBM products to work with.  It has an elegant architecture that makes things work so well.  I usually only deal with the security functions of the tool, but it can do so much more.  The Mobile Device Manager (MDM) is one of those features that I don’t get to deploy often, but I try to stay abreast of its capabilities.

Mobile Device Management Release Notes

Site Version 47 – Nov 1 2012

MDM Feature Release 1.3
New Features:
  1. Integrated SAFE support – Integrated Samsung Approved For Enterprise (SAFE) Phase One APIs to enable additional management capabilities (such as selective app wipe, application blacklisting, and device encryption) on SAFE enabled Android devices.
  2. Self Service Portal Redesign – Reworked the Self Service Portal (SSP) to be easier to use and much more end user friendly.
  3. Mobile Security Configuration Management Sites – MDM now includes a new batch of Center for Internet Security (CIS) Checklist sites for iOS 5.0.1, and Android 2.3, 4. These can be enabled through the normal License Overview dashboard in BES Support.
  4. Expanded Proxy Agent Capabilities – The Proxy Agent for iOS, Lotus, and MS Exchange managed devices now supports Multiple Action Groups, Baselines, and “createfile” commands.
  5. Change Notification Dashboard – New notification dashboard to help users stay on top of the changes and improvements made to the MDM site.

IBM Security Access Manager for Cloud and Mobile

The new IBM Security Access Manager for Cloud and Mobile bundle brings together market leading capabilities of IBM Tivoli Federated Identity Manager Business Gateway (TFIM-BG) and IBM Tivoli Security Policy Manager (TSPM).

IBM Security Access Manager for Cloud and Mobile provides the following key capabilities:


  • Helps detect and prevent user access fraud by enforcing risk-based access control
  • Reduces costs and complexity by enabling single sign-on and federation for cloud and on-premise applications
  • Improves security posture and helps demonstrate compliance through centralized policy management

IBM Security Access Manager for Cloud and Mobile extends user access protection to mobile and cloud environments using federated single sign-on, user authentication, and risk scoring based on location, device, access pattern, etc.  IBM Security Access Manager for Cloud and Mobile provides risk-based access control from mobile end points such as smartphones and tablets so that users don’t inadvertently expose your sensitive IT assets in an unsafe environment.

IBM Security Access Manager for Cloud and Mobile helps enterprises adopting cloud-based services leverage single sign-on for secure information sharing across private, public and hybrid cloud environments.  Using IBM Security Access Manager for Cloud and Mobile, enterprises can implement a powerful mediation service for Cloud, SaaS and web services, while reducing administrative costs, establishing trust and facilitating compliance.

IBM Security Access Manager for Cloud and Mobile highlights:

  • Risk-based access control for anytime/anywhere access from mobile devices
  • Cloud Single Sign-On and Federation with easy onboarding of applications
  • Centralized Policy Management and Fine-grained Access Control

New features in QRadar 7.1

Stolen from the QRadar 7.1 Release notes:


  • Upgraded Operating System – QRadar 7.1 includes a substantial upgrade to the operating system. During the upgrade process on your system, the following operating system updates occur:
    • For systems that previously used the CentOS operating system, the operating system is replaced with the Red Hat Linux 6.2 operating system.
    • For systems that previously used the Red Hat Linux 5.7 operating system, the operating system is upgraded to the Red Hat Linux 6.2 operating system.

      If your system is configured with off-board storage solutions, you are required to remount your storage solutions during the upgrade process. We recommend that you carefully read the Upgrading to QRadar Release 7.1 Guide and the Reconfiguring Offboard Storage After Upgrading to QRadar 7.1 Technical Note.

  • New WinCollect Agent – QRadar 7.1 introduces WinCollect and the WinCollect agent for collecting and managing Windows-based events using the Admin tab in QRadar. For more information on WinCollect, see the WinCollect User Guide.
  • New Vulnerability Details Page on the Assets Tab – QRadar 7.1 introduces the Research Vulnerability Details window, which you can access from the Assets tab. The Research Vulnerability Details window provides information about known vulnerabilities detected by third-party scanners. Vulnerability information and identifiers are sourced from external references, such as the Open Source Vulnerability Database (OSVDB) and National Vulnerability Database (NVDB). QRadar 7.1 also includes the ability to import vulnerability data from scanners that do not store data with OSVDB or NVDB references, such as IBM Appscan Enterprise.
  • New Index Management – The Index Management feature is accessed from the Admin tab. Index Management allows you to control database indexing event properties. By enabling indexing on event properties, you can optimize the speed of your searches.
  • New Dedicated Event Collector Appliance and Supporting Store and Forward – QRadar 7.1 introduces the QRadar 1501 appliance, which is a dedicated Event Collector. This appliance is also available as the QRadar 1590 virtual appliance.
  • Using Store and Forward accessed from the Admin tab, you can now store events on your dedicated Event Collector during your business hours. These events can be forwarded to an Event Processor during periods of time when the transmission does not negatively affect your network bandwidth. For example, you can configure a dedicated Event Collector to only forward events to an Event Processor during non-business hours, such as midnight until 6 AM.
  • Updated VFlow Collector Installation Procedure – The VFlow Collector installation procedure is updated to make the process consistent with the virtual appliance installation process. For more information, see the QRadar Installation Guide.

Videos about IBM XGS 5000, NextGen IPS

It’s been interesting to watch the firewall and IPS space over the years.  First we had firewall vendors adding IPS features.  Then we had IPS vendors adding firewall features.  Personally, I’ve always thought it made sense to use an IPS with firewall features because I’ve never seen a firewall with an IPS worth using.  Now that application-aware firewalls have proven useful, it’s time for IPS vendors to add more application awareness.  Hey look, I work for an IPS vendor 😉

IBM’s Security Network Protection XGS 5000 is a next generation intrusion prevention system, adding tons of features to IPS like web content, application and application action control, protocol analysis based intrusion prevention, URL filtering, Injection Logic Protection, Shell Code Heuristics, and virtual patch.

Marketing bullet points:

  • Help stop threats from compromising unpatched vulnerabilities without sacrificing high-speed network performance.
  • Help protect networks, servers, desktops, and business critical applications from malicious threats.
  • Conserve network bandwidth and provide insight into what users are doing on the corporate network. It helps control user bandwidth consumption by limiting or eliminating access to nonbusiness critical applications.
  • Help enforce compliance and internal corporate usage of nonbusiness critical applications such as social networking, peer to peer file transfers, instant messaging traffic, and streaming media.
  • Provide an extensible security platform that can grow as threats evolve, help consolidate network protection technologies, and help reduce the cost of deploying and managing point solutions.

You can get lots of print literature here, but who wants to read when you can watch videos on YouTube.

IBM Security NextGen IPS Use Case Videos

IBM Security NextGen IPS How to Videos

QRadar and QRM 7.1 are Generally Available!

The QRadar Product Management team is very glad to announce the General Availability (GA) of QRadar SIEM and Risk Manager Version 7.1.  Another major milestone of the QRadar product, QRadar 7.1 delivers several new key features to meet the needs of our current and future customers, a new appliance and new tools to provide more flexibility in deploying the QRadar solution, and great usability features to increase the visibility to more security intelligence data, as well as the ability to better optimize and tune QRadar.

The new features of QRadar SIEM 7.1 consist of:

  • Index Management:  More refined control over the creation of indexes used for searches and exposure of field and index usage statistics, enabling more efficient storage utilization and performance optimization.
  • Store and Forward: Capability of collecting and storing events by a new appliance, Event Collector (EC), in a remote location and forwarding events to an upstream Event Processor for analysis based on a pre-determined policy, allowing effective log collection at remote network locations with unreliable network connections or bandwidth constraints.
  • Import/Export of Security Contents: Ability to export security and configuration content on a QRadar system to an external, portable format which then can be imported into another QRadar system, with a command line interface, enabling quick deployment of a new QRadar system or sharing of security contents across systems.
  • Vulnerability Details Screen – Enhanced GUI screens to display detailed vulnerability data imported from third party vulnerability scanner products, allowing customers to fully explore the nature and relevance of vulnerabilities on the hosts involved in QRadar detected incidents and offenses.
  • WinCollect: Complete centralized control of local and remote Windows event collection, with bulk adding of servers, per server troubleshooting, automated deployment and update of policy and agent itself.  Also includes tuning for different environments and support for latest capabilities like XPath queries.

The new features of QRM 7.1 consist of:

  • P2P Networks: Support for point-to-point networks, such as VPNs and serial links. This allows customers to add these links to their QRM network topology.
  • Firewall Rule Reporting: Perform comprehensive reporting on firewall rules, including shadowed, most and least used rule reports. Reports can be generated across multiple firewalls and are fully integrated into the QRadar reporting engine.
  • Enhanced Policy Monitoring:  Monitor policy question passes and failures, typically required for compliance reporting. Customers can now generate reports that show that network policies have been in compliance over a given period of time, in addition to those which were not compliant.