Avoiding Data Breach Using Security Intelligence and Big Data to Stay Out of the Headlines
Posted on 14-Sep-2014
Description
Attackers and exploits are becoming increasingly sophisticated, and the pressure to protect business-critical data is only getting more intense. Security Intelligence transforms the playing field by adding analytics and context, shifting the balance in favor of the defenders. Forward-thinking organizations are now looking at extending Security Intelligence even further by combining it with Big Data, forming a solution that lets them analyze new types of information, and data that arrives at higher velocity and in larger volume. This combination yields new insights that identify threats and fraud more effectively than before. In this session, attendees will learn how to combine Security Intelligence and Big Data and deploy a solution well suited for structured, repeatable tasks. We will also cover the addition of complementary new technologies that address speed and flexibility and are ideal for analyzing unstructured data. The session will also highlight how organizations are using Security Intelligence to proactively detect advanced threats before they cause damage, and to take effective corrective action if a compromise succeeds.
View the on-demand webinar: https://www2.gotomeeting.com/register/657029698

TRANSCRIPT
© 2012 IBM Corporation
IBM Security Systems
AMPLIFYING SECURITY INTELLIGENCE WITH BIG DATA AND ADVANCED ANALYTICS
Vijay Dheap, Global Product Manager, Master Inventor, Big Data Security Intelligence & Mobile, [email protected]
Welcome to a Not So Friendly Cyber World…
Biggest Bank Heist in History Nets $45 Million – all without setting foot in a bank…
Cyber Espionage via Social Networking Sites – Target: US DoD Officials
Hidden Malware Steals 3000 Confidential Documents – Japanese Ministry
Playing Defense…
Traditional Approach to Security Predicated on a Defensive Mindset
• Assumes an explicit organizational perimeter
• Optimized for combating external threats
• Presumes standardization mitigates risk
• Dependent on general awareness of attack methodologies
• Requires monitoring and control of traffic flows
Layered defenses are essential for good security hygiene and for addressing traditional security threats…but attackers are adapting too.
Origins of Security Intelligence
Business Change is Coming…If Not Already Here
Enterprises are Undergoing Dynamic Transformations
The organization's cyber perimeter is being blurred…it can no longer be assumed.
Evolving Attack Tactics…Focus on Breaching Defenses
A Look at the Emerging Threat Landscape
Targeted, Persistent, Clandestine
Situational, Subversive, Unsanctioned
Focused, Well-Funded, Scalable
Topical, Disruptive, Public
Concealed, Motivated, Opportunistic
Questions CISOs Want to Be Able to Answer…
Incorporating a More Proactive Mindset to Enterprise Security
Broad: Audit, Patch & Block (think like a defender, defense-in-depth mindset) versus Targeted: Detect, Analyze & Remediate (think like an attacker, counter-intelligence mindset)

Broad (defender mindset)              | Targeted (attacker mindset)
--------------------------------------|--------------------------------------
Protect all assets                    | Protect high-value assets
Emphasize the perimeter               | Emphasize the data
Patch systems                         | Harden targets and weakest links
Use signature-based detection         | Use anomaly-based detection
Scan endpoints for malware            | Baseline system behavior
Read the latest news                  | Consume threat feeds
Collect logs                          | Collect everything
Conduct manual interviews             | Automate correlation and analytics
Shut down systems                     | Gather and preserve evidence
Greater Need for Security Intelligence…
• Visibility across organizational security systems
• Improved response times
• Adaptability/flexibility required for early detection of threats and risky behaviors
Components: Log Manager, SIEM, Network Activity Monitor, Risk Manager, Vulnerability Manager
Evolution of Security Intelligence

Log Management
  Data: log management
  Initial visibility; facilitates compliance
  Attackers adapt not to leave a trace

SIEM
  Data: log management, network flow, asset discovery, users/identities
  The network does not lie; greater coverage across the organization
  Attackers adapt to hide in the noise

Security Intelligence
  Data: log management, network flow, asset discovery, users/identities, full packet capture, shared intel, …other relevant data
  Filters out the noise, improves incident and offense identification
  Proactive to detect targeted and zero-day attacks
  Needs scalability to add more data sources and extensibility to support additional security analytics
Amplifying Security Intelligence with Big Data Analytics
The Triggers That Motivate Big Data Analytics for Security Intelligence:
Extending the IQ of a Security Intelligence Solution to Big Data
Distilling
Need to derive security relevant semantics from syntactic elements contained in raw data.
Availability of codified human know-how and understanding to enable machine processing and progressively automate manual processes
Analytical functions, tools and workflows that can be employed to deliver insights
Use Cases
Security Intelligence From Real-time Processing of Big Data
Behavior monitoring and flow analytics
Activity and data access monitoring
Stealthy malware detection
Irrefutable Botnet Communication: Layer 7 flow data shows botnet command and control instructions
Improved Breach Detection: 360-degree visibility helps distinguish true breaches from benign activity, in real time
Network Traffic Doesn't Lie: attackers can stop logging and erase their tracks, but they can't cut off the network (flow data)
Security Intelligence Amplified by Advanced Analytics
Hunting for External Command & Control (C&C) Domains of an Attacker
Advanced analytics identify suspicious domains: why are there only a few hits across the entire organization to these domains? Correlating with public DNS registry information increases suspicion.
• Historical analysis of DNS activity within the organization
• Automated correlation against external DNS registries
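The two signals on this slide, a domain that only a handful of hosts in the whole organization ever resolve, and a domain that was registered shortly before those first lookups, can be combined in a single pass over historical DNS logs. The following is an added example, not IBM's code or QRadar logic; the DNS log, host names, the registrable-domain rule and the registry creation dates are all constructed here to stand in for a query-log export and a WHOIS enrichment feed.

```python
"""Hunt for candidate C&C domains in historical DNS logs.

Added example (not from the IBM deck): the logs, the hosts and the
registry (WHOIS-style) creation dates below are all constructed.
Two signals from the slide are combined:
  1. a domain queried by only a handful of hosts across the whole
     organisation is unusual (popular domains are queried everywhere);
  2. a domain registered only days before the first query is more
     suspicious still.
"""
from collections import defaultdict
from datetime import date

# Constructed DNS query log: "YYYY-MM-DD client_host qname"
DNS_LOG = """\
2012-09-01 ws-alice www.example.com
2012-09-01 ws-bob www.example.com
2012-09-01 ws-carol www.example.com
2012-09-01 ws-dave www.example.com
2012-09-01 ws-alice mail.example.net
2012-09-01 ws-bob mail.example.net
2012-09-01 ws-carol mail.example.net
2012-09-02 ws-erin update.cdn-example.org
2012-09-02 ws-alice update.cdn-example.org
2012-09-02 ws-bob update.cdn-example.org
2012-09-02 ws-erin a1b2c3.fresh-host.example
2012-09-03 ws-erin a1b2c3.fresh-host.example
2012-09-03 ws-frank x9y8z7.fresh-host.example
2012-09-03 ws-carol old-rare.example
"""

# Constructed registry lookup (what a WHOIS enrichment feed would return
# for the registrable domain); a missing entry means "no record found".
REGISTRY_CREATED = {
    "example.com": date(1995, 8, 14),
    "example.net": date(1995, 8, 14),
    "cdn-example.org": date(2005, 3, 1),
    "fresh-host.example": date(2012, 8, 30),
    "old-rare.example": date(2004, 6, 20),
}

def registrable_domain(qname: str) -> str:
    """Collapse a query name to its last two labels (toy public-suffix rule;
    a real deployment would use the Public Suffix List)."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])

def parse_dns_log(text):
    """Yield (date, host, registrable_domain) tuples from the constructed log."""
    for line in text.splitlines():
        if not line.strip():
            continue
        day, host, qname = line.split()
        yield date.fromisoformat(day), host, registrable_domain(qname)

def hunt_rare_domains(log_text, registry, max_hosts=2, max_age_days=30):
    """Return {domain: finding} for domains queried by <= max_hosts distinct
    hosts. Each finding records the hosts, the first-seen date, the domain's
    registration age in days at first sight (None when the registry has no
    record) and the reasons it was flagged."""
    hosts = defaultdict(set)
    first_seen = {}
    for day, host, dom in parse_dns_log(log_text):
        hosts[dom].add(host)
        first_seen[dom] = min(day, first_seen.get(dom, day))
    findings = {}
    for dom, hs in hosts.items():
        if len(hs) > max_hosts:
            continue                      # widely used inside the org: not rare
        reasons = ["rare: queried by %d host(s)" % len(hs)]
        created = registry.get(dom)
        age = (first_seen[dom] - created).days if created else None
        if age is None:
            reasons.append("no registry record")
        elif age <= max_age_days:
            reasons.append("registered %d day(s) before first query" % age)
        findings[dom] = {"hosts": sorted(hs), "first_seen": first_seen[dom],
                         "age_days": age, "reasons": reasons}
    return findings

if __name__ == "__main__":
    for dom, f in sorted(hunt_rare_domains(DNS_LOG, REGISTRY_CREATED).items()):
        print(dom, f["hosts"], "; ".join(f["reasons"]))
```

On the constructed log the widely resolved domains drop out, `old-rare.example` is flagged only as rare (one host, registered years earlier), and `fresh-host.example` is flagged as both rare and registered three days before the first lookup, which is the combination the slide calls out. The thresholds are assumptions; in production the host-count cutoff has to be set relative to the size of the organization.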
Pursue Active Spear-Phishing Campaigns Targeting the Organization
• Employ Big Data analytics on email to identify patterns that reveal the targets and the redirect URLs
• Build visualizations, such as heat maps, to view the top targets of a spear-phishing attack
• Load spear-phishing targets and redirect URLs into real-time security intelligence analysis to thwart the attack
Security Intelligence Amplified by Advanced Analytics
Tracking Multiple Unrelated Identities
Employ Big Data analytics on structured attributes and unstructured communications to link identities.
Attributes have a tendency to cross identities; device profiles have similar problems.
Who am I? Who are you? Who do we communicate with? What devices do we own?
Name: John Smith
Corporate ID: [email protected]
analytics: [email protected]: 613-334-6572, MAC, IP
Public Community: BigPipes11
Laptop: several IPs, MAC addresses, hostnames
Tablet: IP address, MAC address
Other linking attributes: fonts installed, language, user agent, installed software, web sites commonly visited, people communicated with, etc.
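Linking a corporate ID, a public-community handle and a set of devices into one identity is an entity-resolution problem: records that share an attribute value are joined, and joins are transitive. The slide also hints at the failure mode, attributes that "cross identities" such as a DHCP address reused by two people. The following is an added example, not IBM's entity-analytics code; the records, attribute names and the choice of `ip` as a non-identifying attribute are constructed assumptions.

```python
"""Link identities that share observable attributes (entity resolution).

Added example, not from the IBM deck: the records below are constructed.
Each record is one observation (a login, a device inventory row, a forum
profile) carrying whatever attributes were seen. Two records that share
any identifying attribute are linked, and links are transitive, so a
corporate ID and a public-community handle end up in one cluster when a
MAC address or phone number connects them. Attributes that cross
identities (here a DHCP IP reused by two people) would falsely merge
unrelated users, so they are excluded from linking but kept in the output.
"""
from collections import defaultdict

# Constructed observations: (record_id, {attribute_type: value})
RECORDS = [
    ("r1", {"corp_id": "jsmith", "phone": "613-334-6572", "mac": "00:11:22:33:44:55"}),
    ("r2", {"mac": "00:11:22:33:44:55", "hostname": "jsmith-laptop", "ip": "10.0.0.12"}),
    ("r3", {"handle": "BigPipes11", "phone": "613-334-6572"}),
    ("r4", {"handle": "BigPipes11", "ip": "198.51.100.7"}),               # public forum post
    ("r5", {"corp_id": "adoe", "mac": "66:77:88:99:aa:bb", "ip": "10.0.0.12"}),  # same DHCP IP, later
    ("r6", {"corp_id": "adoe", "hostname": "adoe-tablet"}),
]

# Attribute types too widely shared to be identifying on their own (assumption).
NON_IDENTIFYING = {"ip"}

class UnionFind:
    """Disjoint-set forest with path halving; records are the elements."""
    def __init__(self):
        self.parent = {}
    def find(self, x):
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]
            x = self.parent[x]
        return x
    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra

def link_identities(records, non_identifying=NON_IDENTIFYING):
    """Return a list of clusters, each {attr_type: sorted values}, merging
    records that share an identifying attribute value (case-insensitive)."""
    uf = UnionFind()
    seen = {}  # (attr_type, normalised value) -> first record id carrying it
    for rid, attrs in records:
        uf.find(rid)                      # make sure singletons appear too
        for kind, value in attrs.items():
            if kind in non_identifying or not value:
                continue
            key = (kind, value.lower())
            if key in seen:
                uf.union(seen[key], rid)
            else:
                seen[key] = rid
    clusters = defaultdict(lambda: defaultdict(set))
    for rid, attrs in records:
        root = uf.find(rid)
        for kind, value in attrs.items():
            clusters[root][kind].add(value)   # non-identifying values are still reported
    return [{k: sorted(v) for k, v in c.items()} for c in clusters.values()]

def cluster_for(clusters, kind, value):
    """Return the cluster containing the given attribute value, or None."""
    for c in clusters:
        if value in c.get(kind, []):
            return c
    return None

if __name__ == "__main__":
    for c in link_identities(RECORDS):
        print(c)
```

With `ip` excluded from linking the six records resolve to two people: `jsmith` is tied to the `BigPipes11` handle through the shared phone number and to the laptop through its MAC address, while `adoe` stays separate. Passing `non_identifying=set()` lets the reused address `10.0.0.12` collapse both into one cluster, which is exactly the cross-identity error the slide warns about.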
Security Intelligence Amplified by Advanced Analytics
Today's Knowledge Applied to Yesterday's Problems
Big Data not only allows us to store everything; we can also extract the attributes used for detection up front to speed up analysis of old data:
PCAP data -> list of all IPs and domains; all file MD5s; all links in email and social communications
Host inventory data -> registry values; patches applied; file system audit
Quickly check for new indicators in yesterday's values.
Today, breached organizations go weeks or months unaware of someone who has already infiltrated their network.
Why not use today's knowledge to analyze yesterday's data?
Capture all traffic for a period of time. As security detection techniques are updated (AV and IPS signatures, blacklists, MD5s, etc.), run them against yesterday's data.
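The retrospective hunt described above only works at scale if the indicators are pulled out of the raw captures once and kept in an index that a new blacklist or hash list can be run against in one pass. The following is an added example, not IBM's code; the per-day extracts, host names and "today's" indicator feed are constructed, and the indicator classes mirror the slide's lists of IPs and domains, file MD5s and links.

```python
"""Apply today's indicators to yesterday's data (retrospective hunting).

Added example, not from the IBM deck. Captured traffic is summarised once
into an indicator index (IPs, domains, file hashes, URLs) so that each
new blacklist or hash list can be checked against months of history in a
single pass over the index instead of a re-read of the raw captures. The
capture summaries and the IOC feed are constructed.
"""
from collections import defaultdict
import re

# Constructed per-day extraction from PCAP/flow and email data:
# (day, host, kind, value). 'kind' is the indicator class.
DAILY_EXTRACTS = [
    ("2012-09-01", "ws-alice", "domain", "www.example.com"),
    ("2012-09-01", "ws-alice", "md5",    "d41d8cd98f00b204e9800998ecf8427e"),
    ("2012-09-01", "ws-bob",   "ip",     "203.0.113.45"),
    ("2012-09-02", "ws-carol", "url",    "http://a1b2c3.fresh-host.example/update.exe"),
    ("2012-09-02", "ws-carol", "md5",    "9e107d9d372bb6826bd81d3542a419d6"),
    ("2012-09-03", "ws-dave",  "ip",     "203.0.113.45"),
    ("2012-09-03", "ws-erin",  "domain", "mail.example.net"),
]

class IndicatorIndex:
    """Inverted index: (kind, normalised value) -> {(day, host)}."""
    def __init__(self):
        self.seen = defaultdict(set)

    @staticmethod
    def normalise(kind, value):
        """Return the index keys for one indicator. Values are lower-cased so
        a vendor's upper-case hash still matches; a URL is also indexed under
        its host as a domain, so a later domain blacklist matches a link that
        was only ever seen inside an email."""
        value = value.strip().lower()
        if kind == "url":
            m = re.match(r"^[a-z][a-z0-9+.-]*://([^/:?#]+)", value)
            return [("url", value)] + ([("domain", m.group(1))] if m else [])
        return [(kind, value)]

    def add(self, day, host, kind, value):
        for key in self.normalise(kind, value):
            self.seen[key].add((day, host))

    def match(self, iocs):
        """iocs: iterable of (kind, value). Returns {(kind, value): sorted hits}
        for every indicator that appears anywhere in the indexed history."""
        hits = {}
        for kind, value in iocs:
            for key in self.normalise(kind, value):
                if key in self.seen:
                    hits.setdefault((kind, value), set()).update(self.seen[key])
        return {k: sorted(v) for k, v in hits.items()}

def build_index(extracts):
    """Build the index once from the stored per-day extracts."""
    idx = IndicatorIndex()
    for day, host, kind, value in extracts:
        idx.add(day, host, kind, value)
    return idx

# Constructed "today's" feed, published after the traffic was captured.
NEW_IOCS = [
    ("domain", "a1b2c3.fresh-host.example"),      # C&C domain from a new report
    ("md5", "9E107D9D372BB6826BD81D3542A419D6"),   # upper-case hash from an AV vendor
    ("ip", "203.0.113.45"),
    ("ip", "198.51.100.99"),                       # never seen in the history
]

if __name__ == "__main__":
    for ioc, hits in build_index(DAILY_EXTRACTS).match(NEW_IOCS).items():
        print(ioc, "->", hits)
```

Run against the constructed history, the new C&C domain matches the link ws-carol received on 2012-09-02 even though it was only ever seen as a URL, the upper-case hash matches the download on the same host, and the IP matches two hosts on two days; the unseen address produces no hit. The index stores only (day, host) per indicator; a production version would keep a pointer back into the raw capture so the matching packets can be pulled for forensics.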
Designing a Purpose-Built Security Intelligence Solution with Big Data Analytics
IBM QRadar: More than a SIEM it is a Security Intelligence Platform
• SIEM
• Log Management
• Configuration & Vulnerability Management
• Network Activity & Anomaly Detection
• Network and Application Visibility
Purpose-Built Security Intelligence Solution
• Pre-built support for hundreds of scenarios
• Capability to ingest security data from thousands of IT devices and numerous data feeds, including X-Force
• Single console with unified data architecture
• Powerful correlation engine to add security context to data
• Rich asset database with profiles of assets, applications, vulnerabilities and other security-related content
QRadar filters out the noise and improves incident & offense identification; enables proactive detection of targeted & zero-day attacks; is scalable to add more data sources and extensible to incorporate logic that detects new attack patterns.
High-volume security events and network activity in, high-priority security offenses out: QRadar uses Big Data capabilities to identify critical security events.

IBM QRadar Big Data Capabilities                                              | Customer Results
------------------------------------------------------------------------------|-----------------------------------------------------------------------
New SIEM appliances with massive scale                                        | Quickly find critical insights among 1000s of devices and years of data
Payload indexing for rapid ad hoc query leveraging a purpose-built data store | Search 7M+ events in <0.2 sec
Google-like instant search of large data sets (both logs and flows)           | Instant, free-text searching for easier and faster forensics
Intelligent data policy management                                            | Granular management of log and flow data
Advanced threat visualization and impact analysis                             | Attack path visualization and device / interface mapping
Big Data Platform

Big Data Processing
• Long-term, multi-PB storage
• Unstructured and structured
• Distributed Hadoop infrastructure
• Real-time stream computing
• Preservation of raw data
• Enterprise integration

Analytics and Forensics
• Advanced visuals and interaction
• Predictive & decision modeling
• Ad hoc queries
• Interactive visualizations
• Collaborative sharing tools
• Pluggable, intuitive UI

Security Intelligence Platform

Real-time Processing
• Real-time network data correlation
• Anomaly detection
• Event and flow normalization
• Security context & enrichment
• Distributed architecture

Security Operations
• Pre-defined rules and reports
• Offense scoring & prioritization
• Activity and event graphing
• Compliance reporting
• Workflow management

Integrated analytics and exploration in a new architecture
Design Pattern: Security Intelligence Employing Big Data
Visualizations & Reporting
Operational Management
Data Exploration
Security IQ
IBM’s Purpose-Built Security Intelligence with Big Data Solution
Coupling real-time security analysis with asymmetric Big Data analytics broadens the use cases supported while enabling ad hoc analysis:
• Establish a baseline
• Counter cyber attacks
• Qualify insider threats
• Protect against advanced persistent threats
• Mitigate fraud
• Predict hacktivism
Cyber Intelligence
1. IBM QRadar Security Intelligence: unified architecture for collecting, storing, analyzing and querying log, threat, vulnerability and risk related data
2. IBM Big Data Platform (Streams, BigInsights, Netezza): addresses the speed and flexibility required for customized data exploration, discovery and unstructured analysis
3. IBM i2 Analyst Notebook: helps analysts investigate fraud by discovering patterns and trends across volumes of data
4. IBM SPSS: unified product family to help capture, predict, discover trends, and automatically deliver high-volume, optimized decisions
New Architecture to Leverage All Data and Analytics
Inputs: data in motion, data at rest, data in many forms
Information Ingestion and Operational Information: stream processing, data integration, master data
  Real-time analytics (Streams): video/audio, network/sensor, entity analytics, predictive
Landing Area, Analytics Zone and Archive: raw data, structured data, text analytics, data mining, entity analytics, machine learning
Consumers: decision management, BI and predictive analytics, navigation and discovery, intelligence analysis
Information Governance, Security and Business Continuity span all layers.
Security Intelligence Platform
• Data collection and enrichment
• Event correlation
• Real-time analytics
• Offense prioritization
Customizing & Extending IBM's Security Intelligence with Big Data Solution
Triggers for specific capabilities to augment the core Security Intelligence with Big Data solution:
1. Ingesting and pre-processing domain- or industry-specific, very high velocity data streams for correlation with cyber security data
   Example data sources: Telecom: customer data records; Energy & Utilities: grid sensor data; Surveillance: video/audio content
2. Performing advanced statistical, predictive and/or identity analytics on all data captured to yield security insights
   Example analysis: visualize linkages of users to privileged identities; which user group has the highest propensity for insider fraud?
3. Executing frequently repeated queries and other analytical workloads best suited for massively parallel processing on warehoused, security-enriched data
   Example queries: quarterly reporting on historical warehoused security data
Learn more about Security Intelligence with Big Data
Watch a demonstration: http://ibm.co/1cn4O6Z
Blog: www.securityintelligence.com
Website: http://ibm.co/SIBD
Read our white paper: http://ibm.co/Big_Data
Download the latest ESG report on Big Data Security Analytics: http://ibm.co/early_leader
ibm.com/security
© Copyright IBM Corporation 2012. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind, express or implied. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, these materials. Nothing contained in these materials is intended to, nor shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software. References in these materials to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates. Product release dates and/or capabilities referenced in these materials may change at any time at IBM’s sole discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any way. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service marks of others.
Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed or misappropriated or can result in damage to or misuse of your systems, including to attack others. No IT system or product should be considered completely secure and no single product or security measure can be completely effective in preventing improper access. IBM systems and products are designed to be part of a comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective. IBM DOES NOT WARRANT THAT SYSTEMS AND PRODUCTS ARE IMMUNE FROM THE MALICIOUS OR ILLEGAL CONDUCT OF ANY PARTY.