From custom malware to zero-day exploits, advanced security threats are exploding worldwide—and the sophistication of these attacks is higher than ever. Today’s cybercriminals are adept at finding victims to target via email or web-based threats, as well as exploiting vulnerabilities in the endpoints themselves. Large, coordinated, operationally sophisticated attacks are now executed across broad swaths of the Internet, bypassing traditional security mechanisms. And the number of malware strains just keeps growing.
How can an organization stay ahead of these advanced threats? Maintaining a high level of security by consistently enforcing security policies and patch levels on endpoints and servers is a good start. But when networks can have up to 30 vulnerabilities per IP address at scan time [1], the slow process of mitigating and patching these weaknesses can result in dangerous security gaps. Today’s IT personnel have to make difficult, risk-based decisions on where to focus their efforts—often without having a complete picture of the security environment. In addition to being able to find vulnerabilities, organizations need to be able to understand the network context of those vulnerabilities so they can direct their remediation efforts at the areas of greatest risk.
Closing the gaps in vulnerability management
Today’s complex IT environments are more challenging than ever to secure—and thus, more attractive than ever to financially motivated attackers and politically motivated “hacktivists.” In fact, IBM X-Force® researchers have found that security incidents are on an upward trend [1]. Efforts to identify potential victims, deploy a range of attacks and exploit vulnerabilities are increasingly organized. What’s more, exploit kits are now made publicly available for use by other attackers within hours of a vulnerability disclosure, spawning a phenomenon known as “zero-day” attacks.
To defend against security threats, organizations need an integrated way to identify and mitigate high-priority risks across an ever-changing IT environment. They need to:
- Understand the up-to-the-minute status of diverse endpoints.
- View this endpoint information within the context of other vulnerability data.
- Prioritize which vulnerabilities should be addressed first.
- Take action quickly to remediate or mitigate endpoint vulnerabilities that have been prioritized as urgent.
- Confirm that the corrective action has been successfully completed.
IBM can help organizations bring endpoint intelligence into the “big picture” of security information and event management (SIEM). By combining BigFix with QRadar Security Intelligence Platform, organizations can be proactive about vulnerability management. They can identify weaknesses in systems, software or the network that attackers can exploit—and then remediate those vulnerabilities to prevent an attack or minimize the impact to the organization.
Leveraging real-time endpoint intelligence for closed-loop risk management
With today’s advanced threats growing stealthier, more dynamic and more damaging, the need for integrated, intelligent, automated resources has never been greater. BigFix and QRadar Security Intelligence Platform can help meet this need. They empower IT operations and security teams to work together to protect assets from increasingly sophisticated attacks.
BigFix can provide the real-time endpoint status and rapid response needed to fight the latest advanced threats—especially unexpected zero-day attacks. The BigFix intelligent agent continually assesses compliance with policies, which provides critical input needed for security information and event management.
The following examples show how BigFix and IBM Security QRadar solutions can be used together to strengthen security.
Advanced threat detection
Cybercriminals are continuously using new tactics to attack endpoints, and these advanced threats can often go unnoticed by traditional security approaches such as anti-virus and anti-spyware solutions. But with granular visibility into endpoint properties, BigFix enables organizations to see “stealthy” configuration changes and automate remedial action. Similarly, BigFix can discover suspicious applications. When a piece of malicious code attempts to install unauthorized applications, BigFix has the ability to identify that behavior in real time and automatically remediate it.
Malicious activity identification
When unusual activities are taking place anywhere on the network, QRadar users can correlate that suspicious behavior with other threat data and assign the high-risk vulnerabilities to BigFix for remediation. This way, IT personnel can not only know which updates, changes or patches are considered high priority, but can also take action on them—helping reduce the risk of the initial exploit, lowering exploit propagation and improving productivity. Closed-loop verification helps ensure that changes are completed and the status is reported to the management console.
User activity monitoring
BigFix can accurately interrogate any aspect of an endpoint and provide a real-time view into problems that exist in the environment. For example, BigFix can detect when users are using modified “jail-broken” devices or have installed suspicious applications, and can then quarantine the device from the network. This enables organizations to discover issues quickly, and it provides an additional layer of defense when traditional security defenses either fail or provide fixes too late to prevent an incident.
In addition, QRadar users can easily combine mobile events from BigFix with network activity for offense identification, forensics investigations and compliance reporting. With more accurate asset information, IT staff can rapidly identify rogue or unmanaged endpoints, improving detection and response time. QRadar also maintains a current network view of all discovered vulnerabilities, including which vulnerabilities are currently blocked from exploitation by firewall and intrusion prevention system (IPS) rules, and which are still at risk of being exploited.
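The closed-loop workflow listed earlier (assess endpoints, view findings in network context, prioritize, remediate, confirm) and the firewall/IPS-aware vulnerability view described above can be illustrated with a small prioritization model. This is an added example, not code from IBM, BigFix or QRadar; the host names, the `CVE-PLACEHOLDER-*` identifiers, the score weights and the "blocked by IPS" set are all constructed sample data.

```python
from dataclasses import dataclass


@dataclass
class Finding:
    """One vulnerability reported for one endpoint (constructed data)."""
    host: str
    cve: str              # placeholder identifier, not a real CVE
    cvss: float           # base severity as reported by the endpoint scan
    patch_applied: bool = False


# Constructed sample input: endpoint findings plus the network context
# a SIEM would add (which findings a firewall/IPS rule currently shields,
# and which hosts are reachable from the internet).
FINDINGS = [
    Finding("web01", "CVE-PLACEHOLDER-A", 9.8),
    Finding("web01", "CVE-PLACEHOLDER-B", 7.5),
    Finding("db01", "CVE-PLACEHOLDER-A", 9.8),
    Finding("hr-laptop", "CVE-PLACEHOLDER-C", 6.1),
]
BLOCKED_BY_IPS = {("db01", "CVE-PLACEHOLDER-A")}
INTERNET_FACING = {"web01"}


def risk_score(f, blocked, exposed):
    """Severity adjusted for network context: shielded findings drop,
    internet-facing hosts rise. Weights are illustrative assumptions."""
    score = f.cvss
    if (f.host, f.cve) in blocked:
        score *= 0.3      # mitigated for now by a firewall/IPS rule
    if f.host in exposed:
        score *= 1.5      # reachable from the internet
    return round(score, 2)


def prioritize(findings, blocked, exposed):
    """Open findings ordered so the riskiest is remediated first."""
    open_findings = [f for f in findings if not f.patch_applied]
    return sorted(open_findings, reverse=True,
                  key=lambda f: risk_score(f, blocked, exposed))


def remediate(findings, host, cve):
    """Simulate the endpoint action (a patch) on matching findings."""
    for f in findings:
        if f.host == host and f.cve == cve:
            f.patch_applied = True


def verify_closed(findings, host, cve):
    """Closed-loop check: every matching finding now shows as patched."""
    matches = [f for f in findings if f.host == host and f.cve == cve]
    return bool(matches) and all(f.patch_applied for f in matches)
```

Re-running `prioritize` after `remediate` and `verify_closed` reproduces the confirm step: the patched finding drops off the list, and the once-shielded `db01` finding stays at the bottom only as long as the IPS rule remains in place.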
Compliance reporting and monitoring
QRadar solutions and BigFix can work together to provide continuous policy enforcement to help maintain compliance. In fact, BigFix provides organization-wide reports instantly—without having to poll systems to assess the overall security compliance posture. This data can then be included within out-of-the-box QRadar compliance reports, including historic views of daily, weekly and monthly trends, as well as long-term trending reports required by many security regulations.
Fraud detection and data loss prevention
With the help of QRadar solutions and BigFix, IT operations and IT security teams can more easily collaborate on suspected offenses, initiating investigations and corrective actions from the same console. This can help speed the response to web-based malware and other types of advanced threats.
IBM BigFix and IBM Security QRadar solutions can work together to help organizations stay ahead of advanced threats. This intelligent, automated and integrated approach can deliver strategic value by enabling consolidated management and more efficient use of resources devoted to security. Incident response times, including the delays between vulnerability exposure and detection, can be streamlined by combining the real-time endpoint status details from BigFix with the security intelligence of QRadar solutions—reducing millions of security events into a manageable list of prioritized weaknesses. This way, organizations can take a proactive approach to strengthening their IT resources against the most persistent threats, significantly reducing their risk.