
IBM Software

January 2014

Thought Leadership White Paper

Defending against malware: A holistic approach to one of today's biggest IT risks
Understand how attacks work, then deploy comprehensive, integrated solutions to fight each step malware takes


Introduction
Malware is a fact of life. A 2013 study of large US and global companies revealed an average of two successful attacks per company per week, 18 percent more than the previous year.1 Malware is costly. The same study found large companies suffered an average loss of USD 11.6 million per year in these attacks.1 And malware comes from anywhere. According to the IBM X-Force research and development team, the country where the most malicious links are hosted (42 percent) is right in many companies' backyards: the United States.2

But fighting malware doesn't have to be a losing battle. Even as their tactics evolve, malware attacks often employ familiar technologies and follow known paths through the IT environment. The quantity and sophistication of malware may have grown, but so have the available methods for defending against attacks. The key is to remember that the varieties of malware on the loose today mean no single method of defense will suffice. An integrated portfolio of solutions, each providing strong defense capabilities but all of them working together to enhance protection, is necessary.

This white paper will examine the changing strategies that malware has employed in recent years, explain the typical sequence of events that occurs during an attack, and describe how an integrated defense can help keep the enterprise safe from these advanced persistent threats. It will present IBM solutions that are purpose-built for combating malware and that also work together to protect the environment. These offerings provide a comprehensive solution that is not possible using simply a special-function, point-product approach.

Sophisticated, targeted malware is an especially dangerous threat
Threats today aren't your parents' malware. They aren't, for that matter, even the malware you encountered yourself just a few years ago. The fact is that, while malware protection has long been a basic IT security function, many organizations still struggle to stay safe. The double whammy of rapid malware proliferation and slow manual security processes means that the typical network still averages between 10 and 30 vulnerabilities per IP address.2

But the danger lies not only in numbers. Malware is more sophisticated than ever, too. The longtime practice of launching drive-by attacks, in which purveyors of malware applications exploit vulnerabilities in web browsers to install malware without a user's knowledge, or tactics such as spear phishing, which count on users to hand over confidential information or download malicious code almost by chance, has given way to methods that selectively target individual users or types of users. It is not unusual today for an attacker to write unique "designer" code that has never been seen before to disrupt operations or steal information from only one company, and then to create additional unique code for the next target.


An attack category known as "watering hole" attacks, for example, has breached a number of high-tech companies and government agencies by injecting browser exploits onto websites frequently visited by targeted employees. Capitalizing on the trust that already exists between users and websites they know, these sophisticated exploits can reach a large number of select targets by compromising a single, centralized location.2

Endpoints are vulnerable, but detection works best on the network
Very often, malware is designed to attack employee endpoints not only to access information or cause disruption on the endpoints themselves, but also to infiltrate the enterprise. The malware that succeeds in infecting endpoints uses them as a gateway to the network, where it navigates its way to valuable business information. Keeping endpoints safe from infection therefore remains an important function of enterprise security.

In recent years, however, protecting the network has become an area of still greater focus. Traditional firewall approaches to protection become less effective as mobile endpoints make the enterprise perimeter fluid and ever-changing. And traditional anti-virus solutions for protecting endpoints cannot keep up with today's volumes and variants of malicious code. What's more, once an endpoint is infected, the compromise can no longer be detected via the endpoint itself, as most advanced malware employs rootkit-type techniques to hide itself from the majority of host-based protection products.

The network, then, becomes the key battleground for stopping malware, and the most effective place to take advantage of capabilities that can prevent malware from doing its dirty work. The network provides an environment where security teams can centrally manage multiple advanced solutions for protection that is more comprehensive than point solutions. The network is the place where the evidence of malware infection shows itself most clearly: where suspicious data flows appear and where malware communicates with its offsite command center, for example. To discover and eliminate malware already in place, as well as malware trying to install itself in the infrastructure, enterprise-wide visibility is essential to effective protection, and possible only on the network.

What organizations need, as a result, are solutions that provide the most complete security, visibility and control over the network possible, and that reduce the cost and complexity of protection by replacing point solutions with an integrated, extensible network security platform. They need threat protection technologies that can monitor thousands of security events and reduce them to a manageable list of suspected offenses. They need the ability to automatically and accurately determine if an application action is legitimate or malicious, protect commonly exploited applications that process untrusted external content, and restrict untrusted files from executing sensitive operations.

An integrated portfolio that provides these and other protection capabilities is the best way to protect against today's sophisticated malware attacks.

Anatomy of an attack: Understanding the enemy is the key to defense
The first step to protecting against malware is to understand what happens during an attack. From the initial overtures by the attacker in assessing a target to stealing information and sending it to the attacker's home base, an attack can typically be described as four steps: break in, latch on, expand, and gather and exfiltrate.


[Figure: Malware activity and prevention across the attack lifecycle. Columns: attack phase, external communication, malicious activity, IBM protection solution. Attack phases: break in, latch on, expand, gather and exfiltrate. Points labeled in the figure: websites and email, command-and-control center, endpoint, home base.]

Step one: Break in
Attacks can arrive in a dizzying number of ways. There can be spear-phishing emails that try to trick the target into giving up information voluntarily, Trojan horses that download code that later blooms into malware, drive-by downloads that install malware without a user's knowledge, or cross-site scripting that can trick users into installing malware.

One common way to protect against break-ins is to patch endpoints to help eliminate the vulnerabilities that make these attacks possible. But while necessary, patching can be overwhelming in a large enterprise, due to the numbers and varieties of both endpoints and vulnerabilities. When zero-day attacks install malware by exploiting vulnerabilities as soon as they are known, patching seldom occurs quickly enough. Making matters worse, fewer than 30 percent of known vulnerabilities have vendor-supplied patches available.2

Malicious activity and IBM protection solution by attack phase (from the figure):

  Break in               Reconnaissance, spear phishing, remote exploits to gain access.
                         Protection: IBM Security Network Protection
  Latch on               Malware and backdoors installed to establish a foothold.
                         Protection: Trusteer Apex; IBM Endpoint Manager
  Expand                 Lateral movement to increase access and maintain a presence.
                         Protection: IBM Security Network Protection
  Gather and exfiltrate  Acquisition and aggregation of confidential data; exfiltration to external networks.
                         Protection: IBM Security Network Protection; Trusteer Apex

A better approach is to protect against break-ins through the network. A network-based intrusion prevention system can discover and block attempts to exploit endpoint vulnerabilities for malware infection, even if the endpoint is not patched. Additionally, network-based solutions can block endpoints from visiting websites or other locations that are known to harbor malware.

Step two: Latch on
If malware is not caught as it enters through the network, or if it is an advanced persistent threat that has been lurking undetected before starting its attack, finding and stopping the attack can be difficult using anti-virus or other traditional endpoint protection methods.


To guard against these cases, an advanced protection solution can take a two-pronged approach. It can help prevent malware from attaching itself by assessing the state of endpoints: determining which vulnerabilities have been patched, which have not and which patches are most critical. It can then apply a patch to eliminate the vulnerability. If malware escapes detection and attempts to run malicious code, other security applications can block the application's operation. Protection can be targeted to guard specific assets (a server where intellectual property resides, for example) or it can be applied across the infrastructure.

Step three: Expand
Malware in the network doesn't stay put, but neither does it wander aimlessly. Malware is programmed to look for specific targets, and in many instances the initial point of entry, the endpoint, is not that target. Rather, targets are typically higher-value assets such as servers containing patents, personally identifiable information such as Social Security numbers, credit card numbers or business information the attacker can steal for financial gain.

The path the malware takes to get there, however, and even the target of the attack, can be revealed by the data flow that is created in the malware's wake. By analyzing the traffic across the network, including between endpoints and systems, advanced malware protection solutions can provide necessary insights for defending the infrastructure.

Integrated protection capabilities can show which systems the malware is using and how these are functioning as part of the attack. They can also provide an understanding of the malware's operation that can support blocking the attack. Malware, for example, commonly uses certain types of application protocols to communicate. When security administrators identify these protocols in use on the network, they can implement policies that monitor flows and block malware from operating.

Step four: Gather and exfiltrate
Once malware finds its target, it begins gathering information. But the real damage is done when it sends that information to its home base. So just as when malware is searching the network, blocking traffic again becomes critical.

Advanced malware protection solutions offer further security by blocking the malware's ability to communicate with the outside world. To steal information, malware must be able to transmit to a remote command-and-control center, but by blocking the malware's ability to "phone home," the right protection solutions can render the malware ineffective.

Based on the identification of protocols in use on the network, malware protection solutions can prevent sending information outside the organization. Based on knowledge of the intended destination, these solutions can block outbound traffic to sites identified with attackers, whether by previous activities, server identity, geographical location or other reasons. If the security team discovers through its analysis of data flow, for example, that intellectual property is being sent to a country where the organization does not conduct business, it can invoke capabilities to block that traffic.

Only integrated solutions working together provide the necessary protection
Given the movement of malware across endpoints and through the network, together with the variety of actions malware takes along the way, it is clear that single-function point solutions cannot provide the complete protection infrastructures that organizations today need. Protection requires a combination of capabilities and solutions that work together to complement one another and defend against the full attack lifecycle, from break-in to exfiltration.

IBM solutions are designed to deliver both the focused strength to block specific malware activities and the comprehensive integration to deliver the visibility and big-picture understanding necessary to block sophisticated malware attacks.


IBM Security Network Protection
As a single, easy-to-use appliance based on an extensible network security platform, IBM Security Network Protection XGS delivers threat protection, visibility and control that extend the capabilities of traditional intrusion prevention systems to better protect against threats, provide critical insight into network activities and enable granular application control.

At the core of the IBM Security Network Protection XGS solution is IBM Protocol Analysis Module, designed and updated by the renowned X-Force research and development team, which provides continuous content-and-security updates to support granular control over common attack delivery methods and protect against attacks at the network level.

The IBM Security Network Protection XGS appliance provides visibility into network activity to help identify non-business-critical activities that create risk. Delivering zero-day threat protection, the appliance supports more than 2,000 applications and individual actions and leverages a database of more than 20 billion URLs.

The appliance can be easily deployed into a wide variety of environments, integrating with other security technologies such as IBM QRadar Security Intelligence Platform. Working with QRadar solutions, IBM Security Network Protection XGS appliances can send Internet Protocol Flow Information Export (IPFIX) data to provide a constant data feed for sophisticated analysis and correlation.
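The step-four controls described earlier (blocking outbound traffic by known attacker destination, by protocol and by geography, and flagging unusual outbound volume) can be expressed as a small policy evaluated over flow records of the kind an IPFIX feed carries. The following is an added Python example, not IBM or XGS code; the record layout, internal ranges, business-country list, thresholds and addresses are constructed assumptions.

```python
# Added example, not IBM or XGS code: a flow-based egress policy over IPFIX-style
# records. Record layout, thresholds, country codes and addresses are constructed.
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Organization-defined internal ranges (assumption); flows inside them are not egress.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
                 ip_network("192.168.0.0/16")]
BUSINESS_COUNTRIES = {"US", "GB", "DE"}          # where the organization does business
ALLOWED_EGRESS_PROTOCOLS = {"tls", "http", "dns", "smtp"}
KNOWN_BAD_HOSTS = {"198.51.100.7"}               # constructed: tied to prior attacker activity
EXFIL_BYTES_PER_PAIR = 100_000_000               # aggregate bytes from one host to one destination

# Constructed flow records: (src, dst, dst_port, protocol, bytes_out, dst_country).
FLOWS = [
    ("10.0.5.21", "203.0.113.10", 443, "tls", 12_000, "US"),
    ("10.0.5.21", "198.51.100.7", 443, "tls", 900, "US"),
    ("10.0.5.21", "198.51.100.7", 443, "tls", 1_100, "US"),
    ("10.0.9.3", "203.0.113.77", 6667, "irc", 800, "US"),
    ("10.0.7.44", "192.0.2.55", 443, "tls", 90_000_000, "ZZ"),
    ("10.0.7.44", "192.0.2.55", 443, "tls", 75_000_000, "ZZ"),
    ("10.0.9.3", "10.0.1.2", 445, "smb", 4_000_000, ""),
]

@dataclass(frozen=True)
class Verdict:
    src: str
    dst: str
    reason: str
    action: str  # "block" (enforce inline) or "alert" (hand to the SIEM for correlation)

def is_internal(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def evaluate(flows) -> list:
    """Per-flow block rules, then a per-(src, dst) volume rule; one verdict per distinct finding."""
    verdicts, seen, volume = [], set(), defaultdict(int)

    def emit(v):
        if v not in seen:
            seen.add(v)
            verdicts.append(v)

    for src, dst, _port, proto, nbytes, country in flows:
        if is_internal(dst):
            continue  # east-west traffic is out of scope for this egress policy
        # Rule order follows the paper: known attacker destination, then protocol, then geography.
        if dst in KNOWN_BAD_HOSTS:
            emit(Verdict(src, dst, "destination linked to prior attacker activity", "block"))
        elif proto not in ALLOWED_EGRESS_PROTOCOLS:
            emit(Verdict(src, dst, f"protocol {proto} not permitted outbound", "block"))
        elif country and country not in BUSINESS_COUNTRIES:
            emit(Verdict(src, dst, f"destination country {country} outside business footprint", "block"))
        volume[(src, dst)] += nbytes  # accumulate regardless of whether a rule fired

    for (src, dst), total in volume.items():
        if total >= EXFIL_BYTES_PER_PAIR:
            emit(Verdict(src, dst, f"{total} bytes sent to one destination", "alert"))
    return verdicts

def blocked_pairs(verdicts) -> set:
    """(src, dst) pairs the inline device should drop."""
    return {(v.src, v.dst) for v in verdicts if v.action == "block"}
```

Running evaluate(FLOWS) yields three block verdicts (known-bad host, IRC egress, out-of-footprint country) and one volume alert for the 165 MB sent to 192.0.2.55; the internal SMB flow is ignored.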
IBM Security QRadar SIEM
As a component of QRadar Security Intelligence Platform, IBM Security QRadar SIEM extends the monitoring of logs and network flow data to create security intelligence based on the collection, normalization and correlation of years' worth of contextual insights.

A highly scalable database captures real-time log event and network flow data, revealing the footprints of would-be attackers. The solution supports anomaly detection capabilities to identify changes in behavior affecting applications, hosts, servers and specific areas of the network.
Trusteer Apex
The Apex software solution provided by Trusteer, an IBM company,3 applies a new approach, Stateful Application Control, to help stop zero-day application exploits and data exfiltration by analyzing application operations (what it is doing) and the application state (why it is doing it). Using this information, Trusteer Apex can automatically and accurately determine whether an application action is legitimate or malicious.
IBM Endpoint Manager
With security capabilities that include automated patching for distributed endpoints, the IBM Endpoint Manager portfolio provides unified, real-time visibility and enforcement to protect against threats.

IBM delivers insight and expertise to support malware protection
Supporting comprehensive IBM security capabilities is X-Force, a team of security experts dedicated to protecting organizations using an extensive knowledge base and data-collection methods that include one of the world's most comprehensive databases of known security vulnerabilities. This database has more than 70,000 entries, including detailed analyses of every notable public vulnerability disclosure since 1994.

By tracking billions of security incidents daily, monitoring millions of spam and phishing attacks, and analyzing billions of web pages and images, X-Force enables organizations to stay ahead of the threat by not only identifying the potential for attacks, but also providing the insight security teams can use to protect their most valuable data and resources. Using advanced techniques that are designed to protect a vulnerability itself (rather than specific attempts to exploit a vulnerability), X-Force solutions provide preemptive protection for thousands of different security issues.


[Figure: Preemptive threat protection from IBM X-Force. A timeline from pre-2009 through 2013 contrasting attacks with preemptive detection. Client-based threats shown: Java byte code exploitation, Java sandbox code execution, HTML browser plugin overflow, Java malicious applet, JavaScript_NOOP_sled, compound file embedded SWF, script suspicious score. Web application attacks shown: cross-site scripting, SQL injection.]

Through integration with the IBM portfolio of security solutions, X-Force delivers proprietary threat insights, including data on malware hosts, spam sources and anonymous proxies. Combining worldwide intelligence from the X-Force team with the security information and event management, log management, anomaly detection, and configuration and vulnerability management capabilities of IBM security solutions provides context on security incidents that helps improve prioritization of incidents, which enables organizations to prevent or minimize damaging attacks.

Conclusion
The danger of malware extends beyond its sheer numbers and
the rapid distribution of malicious code. It lies in the evolution
of malware to more sophisticated forms than ever before.


Attackers have moved far beyond relying on users to download malware applications. Today, attacks are targeted, with code sometimes custom-written to infiltrate specific organizations. Attacks, however, often follow predictable patterns, namely four steps: break in, latch on, expand, and gather and exfiltrate. And modern defenses are able to recognize those patterns to more effectively combat malware threats. To achieve the full protection available, organizations need a comprehensive solution that goes beyond a special-function, point-product approach. Integrated IBM solutions including IBM Security Network Protection, IBM Security QRadar SIEM, Trusteer Apex and IBM Endpoint Manager can deliver the granular network visibility and powerful tools necessary to help block sophisticated malware attacks.

For more information
To learn more about IBM malware protection solutions, please contact your IBM representative or IBM Business Partner, or visit: ibm.com/security

About IBM Security solutions
IBM Security offers one of the most advanced and integrated portfolios of enterprise security products and services. The portfolio, supported by world-renowned X-Force research and development, provides security intelligence to help organizations holistically protect their people, infrastructures, data and applications, offering solutions for identity and access management, database security, application development, risk management, endpoint management, network security and more. These solutions enable organizations to effectively manage risk and implement integrated security for mobile, cloud, social media and other enterprise business architectures. IBM operates one of the world's broadest security research, development and delivery organizations, monitors 15 billion security events per day in more than 130 countries, and holds more than 3,000 security patents.

Copyright IBM Corporation 2014


IBM Corporation
Software Group
Route 100
Somers, NY 10589
Produced in the United States of America
January 2014
IBM, the IBM logo, ibm.com, QRadar, and X-Force are trademarks of
International Business Machines Corp., registered in many jurisdictions
worldwide. Other product and service names might be trademarks of IBM or
other companies. A current list of IBM trademarks is available on the web at
Copyright and trademark information at ibm.com/legal/copytrade.shtml
This document is current as of the initial date of publication and may be
changed by IBM at any time. Not all offerings are available in every country
in which IBM operates.
THE INFORMATION IN THIS DOCUMENT IS PROVIDED
AS IS WITHOUT ANY WARRANTY, EXPRESS OR
IMPLIED, INCLUDING WITHOUT ANY WARRANTIES
OF MERCHANTABILITY, FITNESS FOR A PARTICULAR
PURPOSE AND ANY WARRANTY OR CONDITION OF
NON-INFRINGEMENT. IBM products are warranted according to the
terms and conditions of the agreements under which they are provided.
Statement of Good Security Practices: IT system security involves protecting
systems and information through prevention, detection and response to
improper access from within and outside your enterprise. Improper access
can result in information being altered, destroyed or misappropriated or can
result in damage to or misuse of your systems, including to attack others.
No IT system or product should be considered completely secure and no
single product or security measure can be completely effective in preventing
improper access. IBM systems and products are designed to be part of a
comprehensive security approach, which will necessarily involve additional
operational procedures, and may require other systems, products or services
to be most effective. IBM does not warrant that systems and products are
immune from the malicious or illegal conduct of any party.
1 Ponemon Institute, "2013 Cost of Cyber Crime Study: United States," October 2013. http://media.scmagazine.com/documents/54/2013_us_ccc_report_final_6-1_13455.pdf

2 IBM X-Force, "IBM X-Force 2013 Mid-Year Trend and Risk Report," September 2013. https://www14.software.ibm.com/webapp/iwm/web/signup.do?source=swg-WW_Security_Organic&S_PKG=ov16986&S_TACT=102PW63W

3 Trusteer was acquired by IBM in August of 2013.



WGW03050-USEN-00
