IBM Security Verify Threat Detection and Mitigation

By NAGESH BHAGWAT posted Wed December 20, 2023 02:08 AM


Introduction

IBM Security Verify SaaS offers native threat detection and remediation. It identifies credential stuffing and compromised credential attacks, brute force attacks, multiple failed first and second factor logins, login deviation attacks, and source IP addresses that IBM Security X-Force considers suspicious and actionable.

Admins can set their Verify SaaS environment to alert and/or proactively block login traffic that results from identified attacks. The attacks can be attacks on your specific IBM Security Verify SaaS environment or attacks identified in other Verify SaaS tenants, from which your tenant can take proactive mitigation. IBM Security Verify detects suspicious traffic that shows indicators of attack and generates a threat event. Admins can review threat events in the Threat Events report and take manual proactive actions such as blocking a user. This blog covers how admins define a threat detection and remediation policy.

Prerequisites

To enable the Threat intelligence feature in the IBM Security Verify tenant, contact IBM Support: https://www.ibm.com/mysupport/s/topic/0TO500000002XbyGAE/security-verify?language=en_US

Threat Detection and Remediation policy enablement

This section covers how admins create a threat detection and remediation policy and enable it so that it is evaluated during the first factor login flow. After the threat detection and remediation policy is created and enabled, it is evaluated during each login flow, including Cloud directory, W3, or any other login type supported by Verify.

Refer to the following steps for policy configuration and its usage:

  • Create the threat detection and remediation policy.
  • Enable the threat detection and remediation policy.
  • Evaluate the threat detection and remediation policy during the first factor login flow.

Creation of the threat detection and remediation policy

The threat detection and remediation policy covers the following types of indicators of attack. The administrator decides which of them to proactively remediate by enabling or disabling the corresponding threat rules.

  • XFE known bad IPs
  • Multiple failed logins
  • Use of common credentials – Compromised Credentials
  • Credential stuffing
  • Login deviations

The admin can define the rule actions and alert type for each rule in the policy. For example, a suspicious IP address can be blocked for an hour, or the admin can receive an alert. Suspicious IPs might also be based on indicators of attack that were seen in another tenant.

Refer to the following steps to create a threat policy using the UI:

  1. Log in to the Verify tenant and go to Security -> Threat detection.

  2. Click Create threat policy.

  3. Specify the threat detection and remediation policy name and description, and click Next.

  4. Under the Contacts section, select the Verify groups to be notified during the detection flow when an IP is suspicious according to any threat policy rule, and click Next.

  5. After the groups are selected, the screen lists the selected groups in a table by Group name and Number of users. Click Next to continue.

  6. The Critical level section is displayed.

  7. For each rule, configure the critical level setting: whether to get notified (alerted) or to block the IP for 1 hour.

  8. Click Next to continue. The Warning level section displays settings similar to the Critical level.

  9. Here, the user can choose to be alerted, to block the suspicious traffic, both, or neither.

  10. Click Next to continue. In the IP filter section, the user can include a list of IP addresses to be allowed or denied during each login flow.

  11. Click Save to create the threat detection and remediation policy.

  12. The threat detection and remediation policy is now created.

After the threat detection and remediation policy is created, the next step is to enable it so that it is used in the login flow.

Enable Threat detection and remediation policy

  • The newly created threat detection and remediation policy is not yet active or enabled. To enable the policy, click Edit.

  • The threat policy screen is displayed. Click Enable to activate the policy.

  • A confirmation prompt is displayed.

  • After the policy is enabled, a confirmation message is displayed.

  • In the Threat detection screen, the status of the policy is shown as Active.

Now, during each login flow, the threat detection and remediation policy is evaluated, and when a threat is detected, alerts are sent if the rules are configured to do so.

Evaluate threat detection and remediation policy during first factor login flow

Because the threat detection and remediation policy is enabled, it is evaluated during each login flow. Log in to the Verify tenant using CD, IBMid, or any other login type supported by Verify; the threat detection and remediation policy is evaluated during the login flow.

If the source machine IP is suspicious:

  • Based on the threat detection and remediation policy evaluation, the user is either blocked or allowed to log in.
  • If the policy decision is to block the traffic, the user does not see the login page and is blocked during pre-authentication (first factor).

         In case of a block, a block screen is displayed to the user.

  • If the IP is not suspicious, the user is prompted with the login page and allowed to continue.

  • If a notification is configured for any threat detection and remediation policy rule:
    • The Verify groups selected in the threat detection and remediation policy configuration receive the notification.
    • The group members are sent an email message when the threat is detected.
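The following Python script is an added example and is not IBM Security Verify code. It models, on constructed login events, how a policy like the one configured in the steps above is evaluated before the first factor: the IP allow/deny filter, the 1-hour block, the critical and warning level actions (alert, block, both or neither) and the alerts to the contact groups. The thresholds, the 15-minute failure window, the heuristics used for the "Multiple failed logins" and "Credential stuffing" rules, the precedence of the IP filter over the rules, and all IP addresses, usernames and group names are assumptions made for illustration, not Verify's actual logic.

```python
"""Illustrative model of a threat detection and remediation policy.

Added example, not IBM Security Verify code. Thresholds, the failure window,
the rule heuristics and the IP-filter precedence are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

BLOCK_DURATION = timedelta(hours=1)     # "block IP for 1 hour" from the post
FAILURE_WINDOW = timedelta(minutes=15)  # assumed window for counting failures


@dataclass
class LevelSetting:
    alert: bool = False   # notify the contact groups
    block: bool = False   # block the source IP for BLOCK_DURATION


@dataclass
class ThreatPolicy:
    name: str
    contacts: list        # Verify groups that receive alerts
    critical: dict        # rule name -> LevelSetting
    warning: dict         # rule name -> LevelSetting
    allow: list = field(default_factory=list)   # IP filter: always allowed
    deny: list = field(default_factory=list)    # IP filter: always denied
    failed_warning: int = 3    # assumed threshold for "Multiple failed logins"
    failed_critical: int = 6   # assumed threshold for the critical level
    stuffing_users: int = 3    # assumed: distinct usernames failing from one IP


class Evaluator:
    def __init__(self, policy, known_bad_ips=frozenset()):
        self.policy = policy
        self.known_bad_ips = known_bad_ips  # stands in for the XFE bad-IP feed
        self.failures = defaultdict(list)   # ip -> [(time, user), ...]
        self.blocked_until = {}             # ip -> datetime
        self.alerts = []                    # (time, ip, rule, level, contacts)

    def _triggered_rules(self, ip, now):
        """Return (rule, level) pairs that fire for this IP from recent failures."""
        recent = [(t, u) for t, u in self.failures[ip] if t >= now - FAILURE_WINDOW]
        rules = []
        if str(ip) in self.known_bad_ips:
            rules.append(("XFE known bad IPs", "critical"))
        if len(recent) >= self.policy.failed_critical:
            rules.append(("Multiple failed logins", "critical"))
        elif len(recent) >= self.policy.failed_warning:
            rules.append(("Multiple failed logins", "warning"))
        if len({u for _, u in recent}) >= self.policy.stuffing_users:
            rules.append(("Credential stuffing", "critical"))
        return rules

    def evaluate(self, event):
        """Pre-authentication decision for one login attempt: 'allow' or 'block'."""
        ip, now = ip_address(event["ip"]), event["time"]
        if any(ip in ip_network(n) for n in self.policy.allow):  # filter wins (assumed)
            return "allow"
        if any(ip in ip_network(n) for n in self.policy.deny):
            return "block"
        if now < self.blocked_until.get(ip, now):  # still inside an earlier 1-hour block
            return "block"
        decision = "allow"
        for rule, level in self._triggered_rules(ip, now):
            setting = getattr(self.policy, level).get(rule, LevelSetting())
            if setting.alert:
                self.alerts.append((now, str(ip), rule, level, self.policy.contacts))
            if setting.block:
                self.blocked_until[ip] = now + BLOCK_DURATION
                decision = "block"
        return decision

    def record_outcome(self, event, success):
        """Called after the first factor; failures feed the rule counters."""
        if not success:
            self.failures[ip_address(event["ip"])].append((event["time"], event["user"]))


def run_demo():
    """Replay constructed login events through a policy and return the results."""
    policy = ThreatPolicy(
        name="demo-policy", contacts=["SecOps-Admins"],
        critical={"XFE known bad IPs": LevelSetting(alert=True, block=True),
                  "Multiple failed logins": LevelSetting(alert=True, block=True),
                  "Credential stuffing": LevelSetting(alert=True, block=True)},
        warning={"Multiple failed logins": LevelSetting(alert=True, block=False)},
        allow=["10.0.0.0/8"], deny=["203.0.113.0/24"])
    ev = Evaluator(policy, known_bad_ips=frozenset({"198.51.100.77"}))
    t0 = datetime(2023, 12, 20, 2, 0)
    # constructed sample traffic: (source ip, username, first factor succeeded?)
    sample = ([("192.0.2.10", "alice", False)] * 4 + [("192.0.2.10", "alice", True)]
              + [("192.0.2.20", u, False) for u in ("bob", "carol", "dave", "erin", "frank")]
              + [("198.51.100.77", "alice", False), ("10.1.2.3", "alice", False),
                 ("203.0.113.5", "alice", True)])
    decisions = []
    for i, (ip, user, ok) in enumerate(sample):
        event = {"ip": ip, "user": user, "time": t0 + timedelta(minutes=i)}
        decisions.append(ev.evaluate(event))
        if decisions[-1] == "allow":  # a blocked attempt never reaches the login page
            ev.record_outcome(event, ok)
    return {"decisions": decisions, "alerts": ev.alerts,
            "blocked_ips": sorted(str(ip) for ip in ev.blocked_until)}
```

Running run_demo() traces the decision sequence: an IP that fails repeatedly for a single account only raises warning-level alerts, an IP that fails across several accounts is blocked for an hour and stays blocked on its next attempt, a known bad IP is blocked on its first attempt, and allow-listed or deny-listed addresses bypass the rules entirely. Warning-level entries that alert without blocking are the ones the contact groups would investigate in the Threat Events report before deciding on a manual block.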

Conclusion

Now, in IBM Security Verify SaaS with an enabled threat detection policy, admins can set up their environment so that:

  • login traffic that results from identified attacks is proactively blocked, and
  • notification alerts are sent to the admin during such attacks.

Authors

Nagesh Bhagwat – IBM Security Verify Analytics
M Krishnakant Achary – IBM Security Verify Analytics
Priti Patil – IBM Security Verify Analytics
