Big Vulnerabilities + Big Data = Big Intelligence

Jason Keirstead / Rory Bray, © 2013 IBM Corporation

Upload: sun-w-kim

Post on 20-Mar-2017


Page 1

Big Vulnerabilities + Big Data = Big Intelligence

Jason Keirstead / Rory Bray

Page 2

Vulnerabilities Today - I Got 99 Problems...

● Too many vulnerability disclosures coming in daily

● Too many vulnerable assets reported daily

● Not enough time / money to remediate them all

● Prioritization needs to be a priority!

[Figure: 2012 Sampling of Security Incidents by Attack Type, Time and Impact. Conjecture of relative breach impact is based on publicly disclosed information regarding leaked records and financial losses.]

Page 3

Non-Traditional Security Data Sources Can Help

● Traditional Sources - Security logs, network flows, scanned vulnerabilities, endpoint configurations, device configurations...

● Non-traditional Sources – Browser log data, employee directory information, proprietary corporate data, “Big Data”...

● These non-traditional data sources already exist and can be leveraged to significantly improve upon and add to the traditional sources, helping separate the “vulnerability wheat” from the “vulnerability chaff”

● Examples:

– Evaluate user browsing history correlated with website attributes to determine if a user is more likely to visit risky domains; if so, increase the risk of the assets said user accesses

– Evaluate email activity correlated with browsing history to determine if a user is likely to click on suspicious links in emails; if so, increase the risk of said user's assets

– Evaluate VPN activity correlated with external user directory data to determine if a remote log-in is likely unauthorized given the time of day vs. the employee's location; if so, increase the risk of said assets

– … and more!

Page 4

QRadar Risk and Vulnerability Managers enable customers to interpret the ‘sea’ of vulnerabilities

[Figure: a ‘sea’ of CVE identifiers]

● Inactive: QFlow Collector data helps QRadar Vulnerability Manager sense application activity

● Blocked: QRadar Risk Manager helps QVM understand which vulnerabilities are blocked by firewalls and IPSs

● Patched: IBM Endpoint Manager helps QVM understand which vulnerabilities will be patched

● Critical: Vulnerability knowledge base, external data, and QRM policies inform QVM about business critical vulnerabilities

● At Risk: X-Force Threat and SIEM security incident data, coupled with QFlow network traffic visibility, help QVM see assets communicating with potential threats

● Exploited: SIEM correlation and IPS data help QVM reveal which vulnerabilities have been exploited

Page 5

Sounds Great!

But.... How Does This Work?

A Big Data Use Case Using IBM Big Insights

Page 6

[Figure: architecture diagram]

● IBM Security QRadar: Data collection and enrichment; Event correlation; Real-time analytics; Offense prioritization

● Traditional data sources → Data ingest → QRadar; Insights flow back from the Big Data Platform

● Big Data Platform - IBM InfoSphere BigInsights: Hadoop-based; Enterprise-grade; Any data / volume; Data mining; Ad hoc analytics

● Custom Analytics over Non-traditional data sources

Pulse 2014 The Premier Cloud Conference

Page 7

QRadar Reference Data Model

Dynamic Data containers are consumed by the QRadar Correlation Engine and other components in the Security Intelligence Platform, including Risk Manager and Vulnerability Manager.

Container types:

● Sets

● Maps

● Maps of Sets

● Tables

Page 8

QRadar Policy Monitor

● Component of QRadar Risk Manager that calculates asset and vulnerability policies among many disparate data sources

● Allows feeding of asset and vulnerability risk calculations to QRadar Vulnerability Manager

● Risk Calculations enable risk reporting and vulnerability remediation prioritization

[Figure: Policy Monitor inputs and outputs]

● Inputs: Asset / Vulnerability Data; Reference Data; Network Topology (Reachability); Flow Connections; Firewall / Switch Configuration; Vulnerability Catalogs; Scan Results; External Data

● Outputs: Asset Risk Reports; Vulnerability Risk Reports

Page 9

Workflow to analyze Domains in Network Traffic and Cross Reference with External Data

[Figure: workflow]

● Inputs: Proxy Logs; Domain Registration Data (whoisxmlapi.com); XForce Security Feeds (Known Risky Domains)

● Big Insights Platform: Raw Proxy Logs → JSON Enriched Normalized Logs; JSON Formatted Whois Registration Data; Lists of known Malware Domains

● Output: Sets of Identified Risky Users, Src IPs and Domains

Page 10

QRadar and Big Insights Data Links

[Figure: data links between QRadar and Big Insights]

● JSON Event/Flow Forwarding from QRadar to Big Insights: Forwarding Destinations; Routing Rules; Flume Receivers (Syslog TCP)

● QRadar Reference Data APIs

Page 11

[Figure: Risk Modeler and QRadar SIEM data flow]

Big Insights - Risk Modeler:

● Inputs: JSON Browser Logs; External Registrar Data; Threat Feeds; External Data; White List

● Domain Risk Calculator → Domain Risk Scores

● User Browsing History → IP, User Set Generation → IP Set; User Set

● Custom Risk Calculator → Risky IPs / Users

QRadar SIEM:

● QRadar Log / Flow Data

● Policy Monitor Custom Rule Engine → Asset / Vulnerability Risk Scores

● Reports / Saved Searches
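As an added example (not code from the slides or from IBM), the workflow of pages 9 and 11 and the browsing-history example of page 3 reduced to a small Python script: constructed JSON-normalized proxy log records are enriched with constructed whois registration dates and a known-malware-domain list, each domain gets a risk score, and the users and source IPs that reached risky domains are collected into sets shaped like the reference sets the slides feed into QRadar rules. The 30-day "young registration" window, the 0-100 scale and the threshold of 50 are assumptions, not values from the deck.

```python
import json
from datetime import date

# Constructed sample data (not from the slides): four normalized proxy log
# records, a whois lookup table, a threat-feed list and a white list.
PROXY_LOGS = [
    '{"user": "alice", "src_ip": "10.0.1.5", "domain": "intranet.example", "ts": "2013-06-01"}',
    '{"user": "bob", "src_ip": "10.0.1.9", "domain": "newly-made.example", "ts": "2013-06-01"}',
    '{"user": "carol", "src_ip": "10.0.1.7", "domain": "bad.example", "ts": "2013-06-02"}',
    '{"user": "bob", "src_ip": "10.0.1.9", "domain": "bad.example", "ts": "2013-06-02"}',
]
WHOIS = {  # domain -> registration date (constructed registrar data)
    "intranet.example": date(2005, 3, 1),
    "newly-made.example": date(2013, 5, 25),
    "bad.example": date(2013, 5, 30),
}
MALWARE_DOMAINS = {"bad.example"}   # constructed threat-feed list
WHITE_LIST = {"intranet.example"}   # constructed white list
RISK_THRESHOLD = 50                 # assumed cut-off on the assumed 0-100 scale


def domain_risk(domain, today=date(2013, 6, 3)):
    """Score a domain 0-100: a threat-feed hit dominates, a young or unknown
    registration raises the score, a white-listed domain is always 0."""
    if domain in WHITE_LIST:
        return 0
    score = 100 if domain in MALWARE_DOMAINS else 0
    reg = WHOIS.get(domain)
    if reg is None:                   # no registrar data: unknown, moderate risk
        score = max(score, 40)
    elif (today - reg).days < 30:     # registered within the assumed 30-day window
        score = max(score, 60)
    return score


def build_reference_sets(log_lines):
    """Cross-reference each log record's domain with the enrichment data and
    return the three sets the slides push to QRadar: risky domains plus the
    users and source IPs that reached them."""
    sets = {"risky_domains": set(), "risky_users": set(), "risky_src_ips": set()}
    for line in log_lines:
        rec = json.loads(line)
        if domain_risk(rec["domain"]) >= RISK_THRESHOLD:
            sets["risky_domains"].add(rec["domain"])
            sets["risky_users"].add(rec["user"])
            sets["risky_src_ips"].add(rec["src_ip"])
    return sets


if __name__ == "__main__":
    result = build_reference_sets(PROXY_LOGS)
    print(json.dumps({k: sorted(v) for k, v in result.items()}, indent=2))
```

A rule keyed on the risky-user set would then raise the risk of every asset that user touches, which is the page 3 example in reference-set form.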

Page 12

Use Case - Example Rules and Policies

Page 13

QRadar Reference Sets

Page 14

QRadar Reference Sets

Page 15

QRadar Reference Set Example – (Risky Users)

Page 16

QRadar – Create Rule On Risky Users

Page 17

QRadar – Risky User Rule Response – Track Risky Asset Use

Page 18

QRadar Risk Manager – Policy On Risky Asset Usage

Page 19

Acknowledgements and Disclaimers:

© Copyright IBM Corporation 2012. All rights reserved.

– U.S. Government Users Restricted Rights - Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.

IBM, the IBM logo, ibm.com, QRadar, and Big Insights are trademarks or registered trademarks of International Business Machines Corporation in the United States, other countries, or both. If these and other IBM trademarked terms are marked on their first occurrence in this information with a trademark symbol (® or ™), these symbols indicate U.S. registered or common law trademarks owned by IBM at the time this information was published. Such trademarks may also be registered or common law trademarks in other countries. A current list of IBM trademarks is available on the Web at “Copyright and trademark information” at www.ibm.com/legal/copytrade.shtml

Other company, product, or service names may be trademarks or service marks of others.

Availability. References in this presentation to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates.

The workshops, sessions and materials have been prepared by IBM or the session speakers and reflect their own views. They are provided for informational purposes only, and are neither intended to, nor shall have the effect of being, legal or other guidance or advice to any participant. While efforts were made to verify the completeness and accuracy of the information contained in this presentation, it is provided AS-IS without warranty of any kind, express or implied. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, this presentation or any other materials. Nothing contained in this presentation is intended to, nor shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software.

All customer examples described are presented as illustrations of how those customers have used IBM products and the results they may have achieved. Actual environmental costs and performance characteristics may vary by customer. Nothing contained in these materials is intended to, nor shall have the effect of, stating or implying that any activities undertaken by you will result in any specific sales, revenue growth or other results.

Page 20

ibm.com/security

© Copyright IBM Corporation 2012. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind, express or implied. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, these materials. Nothing contained in these materials is intended to, nor shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software. References in these materials to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates. Product release dates and/or capabilities referenced in these materials may change at any time at IBM’s sole discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any way. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service marks of others.

Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed or misappropriated or can result in damage to or misuse of your systems, including to attack others. No IT system or product should be considered completely secure and no single product or security measure can be completely effective in preventing improper access. IBM systems and products are designed to be part of a comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective. IBM DOES NOT WARRANT THAT SYSTEMS AND PRODUCTS ARE IMMUNE FROM THE MALICIOUS OR ILLEGAL CONDUCT OF ANY PARTY.