cio ciso security_strategyv1.1

Upload: anindya-ghosh

Post on 20-May-2015

Page 1: Cio ciso security_strategyv1.1

© 2011 IBM Corporation

IBM Security Systems

Agenda

The Security Landscape

Security Capabilities

Strategic Direction

• Security Intelligence

• Advanced Threats

• Mobile Security

• Cloud Computing

Page 2: Cio ciso security_strategyv1.1

Solving a security issue is a complex, four-dimensional puzzle

People: Employees, Customers, Consultants, Outsourcers, Suppliers, Hackers, Terrorists

Data: Structured, Unstructured, At rest, In motion

Applications: Systems applications, Web applications, Web 2.0, Mobile applications

Infrastructure

Attempting to protect the perimeter is not enough – siloed point products and traditional defenses cannot adequately secure the enterprise

Page 3: Cio ciso security_strategyv1.1

Security teams must shift from a conventional “defense-in-depth” mindset and begin thinking like an attacker…

Think like a defender, defense-in-depth mindset (Broad) – Audit, Patch & Block:

• Protect all assets

• Emphasize the perimeter

• Patch systems

• Use signature-based detection

• Scan endpoints for malware

• Read the latest news

• Collect logs

• Conduct manual interviews

• Shut down systems

Think like an attacker, counter intelligence mindset (Targeted) – Detect, Analyze & Remediate:

• Protect high value assets

• Emphasize the data

• Harden targets and weakest links

• Use anomaly-based detection

• Baseline system behavior

• Consume threat feeds

• Collect everything

• Automate correlation and analytics

• Gather and preserve evidence

Page 4: Cio ciso security_strategyv1.1

Spear phishing and 0-day attack

1. User behaves in risky manner: receives enterprise e-mail from personal social network

2. Backdoor or malware is installed: anomalous device and network behavior; DNS query to known malicious hosts; abnormal traffic patterns

Command & Control (CnC)

3. Lateral movement: anomalous user behavior; device is contacting new hosts; anomalous network pattern

Command & Control (CnC)

4. Data acquisition and aggregation: anomalous user behavior; data access patterns abnormal; data rapidly aggregating

5. Data exfiltration: movement of valuable data; users accessing too many resources; device contacting unknown hosts

…By identifying and combining subtle indicators of targeted attacks

Page 5: Cio ciso security_strategyv1.1


IBM Security: Delivering intelligence, integration and expertise across a comprehensive framework

IBM Security Framework built on the foundation of COBIT and ISO standards

End-to-end coverage of the security domains

Managed and Professional Services to help clients secure the enterprise

Page 6: Cio ciso security_strategyv1.1


Intelligence: A comprehensive portfolio of products and services across all domains

Page 7: Cio ciso security_strategyv1.1

Integration: Increase security, collapse silos, and reduce complexity

Customize protection capabilities to block specific vulnerabilities using scan results

Converge access management with web service gateways

Link identity information with database security

Stay ahead of the changing threat landscape

Designed to help detect the latest vulnerabilities, exploits and malware

Add security intelligence to non-intelligent systems

Consolidate and correlate siloed information from hundreds of sources

Designed to help detect, notify and respond to threats missed by other security solutions

Automate compliance tasks and assess risks

Page 8: Cio ciso security_strategyv1.1

IBM Identity and Access Management Vision

Key Themes

Standardized IAM and Compliance Management: Expand IAM vertically to provide identity and access intelligence to the business; integrate horizontally to enforce user access to data, app, and infrastructure

Secure Cloud, Mobile, Social Interaction: Enhance context-based access control for cloud, mobile and SaaS access, as well as integration with proofing, validation and authentication solutions

Insider Threat and IAM Governance: Continue to develop Privileged Identity Management (PIM) capabilities and enhanced Identity and Role management

Page 9: Cio ciso security_strategyv1.1

Data Security Vision – Across Multiple Deployment Models

Key Themes

Reduced Total Cost of Ownership: Expanded support for databases and unstructured data, automation, handling and analysis of large volumes of audit records, and new preventive capabilities

Enhanced Compliance Management: Enhanced Database Vulnerability Assessment (VA) and Database Protection Subscription Service (DPS) with improved update frequency, labels for specific regulations, and product integrations

Dynamic Data Protection: Data masking capabilities for databases (row level, role level) and for applications (pattern based, form based) to safeguard sensitive and confidential data

Page 10: Cio ciso security_strategyv1.1

Application Security Vision

Key Themes

Coverage for Mobile applications and new threats: Continue to identify and reduce risk by expanding scanning capabilities to new platforms such as mobile, as well as introducing next generation dynamic analysis scanning and glass box testing

Simplified interface and accelerated ROI: New capabilities to improve customer time to value and consumability with out-of-the-box scanning, static analysis templates and ease of use features

Security Intelligence Integration: Automatically adjust threat levels based on knowledge of application vulnerabilities by integrating and analyzing scan results with SiteProtector and the QRadar Security Intelligence Platform

Page 11: Cio ciso security_strategyv1.1

Threat Protection Vision

Advanced Threat Protection Platform: Helps to prevent sophisticated threats and detect abnormal network behavior by using an extensible set of network security capabilities – in conjunction with real-time threat information and Security Intelligence

Expanded X-Force Threat Intelligence: Increased coverage of world-wide threat intelligence harvested by X-Force and the consumption of this data to make smarter and more accurate security decisions

Security Intelligence Integration: Tight integration between the Advanced Threat Protection Platform and QRadar Security Intelligence platform to provide unique and meaningful ways to detect, investigate and remediate threats

IBM Network Security

Security Intelligence Platform: Log Manager, SIEM, Network Activity Monitor, Risk Manager

Threat Intelligence and Research: Vulnerability Data, Malicious Websites, Malware Information, IP Reputation (Future)

Advanced Threat Protection Platform: Intrusion Prevention, Content and Data Security, Web Application Protection, Network Anomaly Detection (Future)

Page 12: Cio ciso security_strategyv1.1

Infrastructure Protection – Endpoint and Server Vision

Key Themes

Security for Mobile Devices: Provide security for and manage traditional endpoints alongside mobile devices such as Apple iOS, Google Android, Symbian, and Microsoft Windows Phone – using a single platform

Expansion of Security Content: Continued expansion of security configuration and vulnerability content to increase coverage for applications, operating systems, and industry best practices

Security Intelligence Integration: Improved usage of analytics – providing valuable insights to meet compliance and IT security objectives, as well as further integration with SiteProtector and the QRadar Security Intelligence Platform

Page 13: Cio ciso security_strategyv1.1

Expertise: New services organization designed to help the CISO

Essential Practices: The 10 Security Essentials for the CIO are customer on-ramps building a more optimized security posture

Managed and Professional Services to help clients assess their security maturity, identify areas of vulnerability, and design and deploy internal and/or managed security solutions

Page 14: Cio ciso security_strategyv1.1

Solutions for the full Security Intelligence timeline

Prediction & Prevention – What are the external and internal threats? Are we configured to protect against these threats?

Risk Management. Vulnerability Management. Configuration and Patch Management. X-Force Research and Threat Intelligence. Compliance Management. Reporting and Scorecards.

Reaction & Remediation – What is happening right now? What was the impact?

Network and Host Intrusion Prevention. Network Anomaly Detection. Packet Forensics. Database Activity Monitoring. Data Leak Prevention. SIEM. Log Management. Incident Response.

Page 15: Cio ciso security_strategyv1.1

Security Intelligence: Integrating across IT silos with Security Intelligence solutions

Extensive Data Sources + Deep Intelligence = Exceptionally Accurate and Actionable Insight

Extensive Data Sources: Security Devices, Servers & Hosts, Network & Virtual Activity, Database Activity, Application Activity, Configuration Info, Vulnerability Info, User Activity

Deep Intelligence:

Event Correlation

• Logs

• Flows

• IP Reputation

• Geo Location

Activity Baselining & Anomaly Detection

• User Activity

• Database Activity

• Application Activity

• Network Activity

Offense Identification

• Credibility

• Severity

• Relevance

Suspected Incidents
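The attack chain on the spear-phishing slide (page 4) and the offense identification axes on the Security Intelligence slide (page 15) can be combined into one small correlation routine: one rule per attack stage, then a single offense per host scored on credibility, severity and relevance. This is an added example written for this transcript, not code from the deck or from any IBM product; the telemetry, the threat-feed domain, the per-host peer baselines, the egress allow list, the thresholds and the per-rule credibility weights are all constructed assumptions.

```python
from collections import defaultdict

# Constructed sample telemetry (host, event kind, detail); not from any
# real system. Stage numbers follow the slide: 2 = backdoor/CnC,
# 3 = lateral movement, 4 = data aggregation, 5 = data exfiltration.
EVENTS = [
    ("wks-17", "dns", "update.badhost.invalid"),
    ("wks-17", "conn", "10.0.5.9"),
    ("wks-17", "conn", "10.0.5.10"),
    ("wks-17", "conn", "10.0.5.11"),
    ("wks-17", "file_read", "finance/q3-forecast.xlsx"),
    ("wks-17", "file_read", "finance/payroll.csv"),
    ("wks-17", "file_read", "hr/salaries.xlsx"),
    ("wks-17", "file_read", "legal/merger-memo.docx"),
    ("wks-17", "upload", "203.0.113.7:3145728"),
    ("wks-42", "conn", "10.0.5.9"),              # benign: in its baseline
    ("wks-42", "upload", "198.51.100.20:4096"),  # benign: allow-listed
]

# Constructed reference data standing in for a threat feed, the learned
# per-host peer baseline and an egress allow list (all assumptions).
MALICIOUS_DOMAINS = {"update.badhost.invalid"}
PEER_BASELINE = {"wks-17": {"10.0.5.1"}, "wks-42": {"10.0.5.9"}}
ALLOWED_EGRESS = {"198.51.100.20"}
NEW_PEER_THRESHOLD = 3        # distinct internal peers outside the baseline
AGGREGATION_THRESHOLD = 4     # distinct sensitive files read
EXFIL_BYTES = 1_000_000       # bytes sent to an unknown external host

def stage_indicators(events):
    """Run one rule per attack stage over each host's events.

    Returns {host: [(stage, credibility, description), ...]}. Credibility is
    an assumed per-rule weight: a threat-feed match outranks a statistical one.
    """
    by_host = defaultdict(lambda: defaultdict(list))
    for host, kind, detail in events:
        by_host[host][kind].append(detail)
    findings = {}
    for host, ev in by_host.items():
        found = []
        bad_dns = [d for d in ev["dns"] if d in MALICIOUS_DOMAINS]
        if bad_dns:
            found.append((2, 0.9, f"DNS query to known malicious host {bad_dns[0]}"))
        new_peers = set(ev["conn"]) - PEER_BASELINE.get(host, set())
        if len(new_peers) >= NEW_PEER_THRESHOLD:
            found.append((3, 0.6, f"contacted {len(new_peers)} hosts outside baseline"))
        files = set(ev["file_read"])
        if len(files) >= AGGREGATION_THRESHOLD:
            found.append((4, 0.5, f"rapidly aggregated {len(files)} sensitive files"))
        for upload in ev["upload"]:
            dest, size = upload.split(":")
            if dest not in ALLOWED_EGRESS and int(size) >= EXFIL_BYTES:
                found.append((5, 0.7, f"{size} bytes sent to unknown host {dest}"))
        if found:
            findings[host] = found
    return findings

def score_offense(indicators):
    """Fold one host's indicators into a single offense on the slide's axes."""
    stages = {stage for stage, _, _ in indicators}
    severity = max(stages)                                # how far down the chain
    credibility = max(cred for _, cred, _ in indicators)  # best-sourced evidence
    relevance = len(stages) / 4                           # coverage of stages 2..5
    return {"severity": severity, "credibility": credibility, "relevance": relevance,
            "magnitude": round(severity * credibility * relevance, 2)}

def build_offenses(events=EVENTS):
    """Correlate events into one offense per host; quiet hosts are omitted."""
    return {host: score_offense(ind) for host, ind in stage_indicators(events).items()}

if __name__ == "__main__":
    for host, offense in build_offenses().items():
        print(host, offense)
```

Each rule on its own would be a weak, noisy signal; the offense only becomes high-magnitude when several stages of the chain are seen on the same host, which is the "combining subtle indicators" the slide describes.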

Page 16: Cio ciso security_strategyv1.1

Security Intelligence: QRadar provides security visibility

IBM X-Force® Threat Information Center

Real-time Security Overview w/ IP Reputation Correlation

Identity and User Context

Real-time Network Visualization and Application Statistics

Inbound Security Events

Page 17: Cio ciso security_strategyv1.1


Page 18: Cio ciso security_strategyv1.1

© 2011 IBM Corporation

IBM Security Systems

Advanced Persistent Threat (APT) is different

Advanced

– Exploiting unreported vulnerabilities

– Advanced, custom malware is not detected by antivirus products

– Coordinated, researched attacks using multiple vectors

Persistent

– Attacks lasting for months or years

– Attackers are dedicated to the target – they will get in

Threat

– Targeted at specific individuals and groups within an organization, aimed at compromising confidential information

– Not random attacks – they are “out to get you”

Responding is different too – Watch, Wait, Plan … and call the FBI


Page 19: Cio ciso security_strategyv1.1


Advanced Threat: The challenging state of network security

SOCIAL NETWORKING: Social media sites present productivity, privacy and security risks including new threat vectors

STREAMING MEDIA: Streaming media sites are consuming large amounts of bandwidth

POINT SOLUTIONS: Point solutions are siloed with minimal integration or data sharing – URL Filtering • IDS / IPS • IM / P2P • Web App Protection • Vulnerability Management

SOPHISTICATED ATTACKS: Increasingly sophisticated attacks are using multiple attack vectors and increasing risk exposure – Stealth Bots • Targeted Attacks • Worms • Trojans • Designer Malware

Page 20: Cio ciso security_strategyv1.1

Network Defenses: Not up to today’s challenges

Internet

Firewall/VPN – port and protocol filtering

Web Gateway – securing web traffic only, port 80 / 443

Email Gateway – message and attachment security only

Everything Else: Stealth Bots, Worms, Trojans, Targeted Attacks, Designer Malware

Current Limitations

• Threats continue to evolve and standard methods of detection are not enough

• Streaming media sites and Web applications introduce new security challenges

• Basic “Block Only” mode limits innovative use of streaming and new Web apps

• Poorly integrated solutions create “security sprawl”, lower overall levels of security, and raise cost and complexity

Requirement: Multi-faceted Protection

• 0-day threat protection tightly integrated with other technologies, i.e. network anomaly detection

• Ability to reduce costs associated with non-business use of applications

• Controls to restrict access to social media sites by a user’s role and business need

• Eliminate point solutions to reduce overall cost and complexity

Multi-faceted Network Protection – security for all traffic, applications and users

Page 21: Cio ciso security_strategyv1.1

IBM Advanced Threat Protection

Our strategy is to protect our customers with advanced threat protection at the network layer – by strengthening and integrating network security, analytics and threat intelligence capabilities

1. Advanced Threat Protection Platform: Evolves Intrusion Prevention to become a Threat Protection Platform – providing packet, content, file and session inspection to stop threats from entering the network

2. QRadar Security Intelligence Platform: Builds tight integration between the Network Security products, X-Force intelligence feeds and QRadar Security Intelligence products with purpose-built analytics and reporting for threat detection and remediation

3. X-Force Threat Intelligence: Increases the aperture of threat intelligence information and feedback loops for our products. Leverages the existing X-Force web and email filtering data, but also expands into additional IP Reputation data sets

Page 22: Cio ciso security_strategyv1.1

Advanced Threats: IBM’s vision for Threat

Advanced Threat Protection Platform

• Leverage extensible set of network security capabilities

• Granular application control

• Combine with real-time threat information and Security Intelligence

Expanded X-Force Threat Intelligence

• World-wide threat intelligence harvested by X-Force®

• Consumption of this data to make smarter and more accurate security decisions

Security Intelligence Integration

• Tight integration between the Advanced Threat Protection Platform and QRadar Security Intelligence platform to provide unique and meaningful ways to help detect, investigate and remediate threats

IBM Network Security

Security Intelligence Platform: Log Manager, SIEM, Network Activity Monitor, Risk Manager

Threat Intelligence and Research: Vulnerability Data, Malicious Websites, Malware Information, IP Reputation

Advanced Threat Protection Platform: Intrusion Prevention, Content and Data Security, Web Application Protection, Network Anomaly Detection, Application Control

Page 23: Cio ciso security_strategyv1.1

Ultimate Visibility: Understanding Who, What and When

Immediately discover which applications and web sites are being accessed

Identify misuse by application, website, and user

Understand who and what are consuming bandwidth

SIEM integration for anomaly detection and event correlation

Network Traffic and Flows: Employee A, Employee B, Employee C – Good Application, Good Application, Bad Application

“We were able to detect the Trojan “Poison Ivy” within the first three hours of deploying IBM Security Network Protection”

– Australian Hospital

Network flows can be sent to QRadar for enhanced analysis, correlation and anomaly detection

Identity context ties users and groups with their network activity – going beyond IP address only policies

Application context fully classifies network traffic, regardless of port, protocol or evasion techniques

Increase Security • Reduce Costs • Enable Innovation

Page 24: Cio ciso security_strategyv1.1


Page 25: Cio ciso security_strategyv1.1

Mobile OS Vulnerabilities and Exploits

Continued interest in Mobile vulnerabilities as enterprise users bring smartphones and tablets into the work place

Attackers finally warming to the opportunities these devices represent

Page 26: Cio ciso security_strategyv1.1

Enterprises face mobile security challenges

Enabling secure transactions to enterprise applications and data

• Identity of user and devices

• Authentication, authorization and federation

• User policies

• Secure connectivity

Developing secure applications

• Application life-cycle

• Vulnerability and penetration testing

• Application management

• Application policies

Designing and instituting an adaptive security posture

• Policy management: location, geo, roles, response, time policies

• Security Intelligence

• Reporting

Adapting to BYOD and the consumerization of IT

• Multiple device platforms and variants

• Managed devices (B2E)

• Data separation and protection

• Threat protection

Page 27: Cio ciso security_strategyv1.1

A simplified view of mobile device lifecycle management

Application Developers develop Mobile Apps – Build Secure Mobile Apps: IBM Worklight, IBM Security AppScan

Mobile User signs up for on-line access – Register the Device: Tivoli Endpoint Manager for Mobile

Mobile Client gets updates – Monitor / Patch the Device: Tivoli Endpoint Manager for Mobile

Mobile User accesses corporate e-mail – Securely Connect the Device: IBM Mobile Lotus Connect

Mobile User loses device – Lock / Wipe the Device: Tivoli Endpoint Manager for Mobile

Page 28: Cio ciso security_strategyv1.1

Mobility: Thinking through mobile security

At the Device

• Manage device: Set appropriate security policies • Register • Compliance • Wipe • Lock

• Secure Data: Data separation • Leakage • Encryption

• Application Security: Offline authentication • Application level controls

Over the Network and Enterprise

• Secure Access: Properly identify mobile users and devices • Allow or deny access • Connectivity

• Monitor & Protect: Identify and stop mobile threats • Log network access, events, and anomalies

• Secure Connectivity: Secure connectivity from devices

For the Mobile App

• Secure Application: Utilize secure coding practices • Identify application vulnerabilities • Update applications

• Integrate Securely: Secure connectivity to enterprise applications and services

• Manage Applications: Manage applications and enterprise app store

Corporate Intranet / Internet

IBM Mobile Security and Management Strategy: Safe usage of smartphones and tablets in the enterprise • Secure transactions enabling customer confidence • Visibility and security of enterprise mobile platform

Page 29: Cio ciso security_strategyv1.1


Securing the Mobile Enterprise with IBM Solutions

Page 30: Cio ciso security_strategyv1.1


Page 31: Cio ciso security_strategyv1.1

Cloud: Clients are concerned about changes that cloud adoption brings to their visibility and risk posture

Private cloud

• Network & workload isolation

• Virtual infrastructure protection & integrity

• Identity integration & privileged access

• Vulnerability management & compliance

• Auditing & logging

Public cloud

• Compliance & certifications

• Data jurisdiction & data security

• Visibility & transparency into security posture

• Identity federation & access

• Need for Service Level Agreements (SLAs)

Hybrid IT

In a cloud environment, access expands, responsibilities change, control shifts, and the speed of provisioning IT resources increases – affecting all aspects of security

Clients want more visibility, confidence in their compliance posture, and integration with existing security infrastructure

Page 32: Cio ciso security_strategyv1.1

Cloud: Each pattern has its own set of key security concerns

Cloud Enabled Data Center – Infrastructure as a Service (IaaS): Cut IT expense and complexity through cloud data centers. Integrated service management, automation, provisioning, self service. Key security focus: Infrastructure & Identity – Manage identities, Secure virtual machines, Patch default images, Monitor all logs, Network isolation

Cloud Platform Services – Platform-as-a-Service (PaaS): Accelerate time to market with cloud platform services. Pre-built, pre-integrated IT infrastructures tuned to application-specific needs. Key security focus: Applications & Data – Secure shared databases, Encrypt private information, Build secure applications, Keep an audit trail, Integrate existing security

Cloud Service Provider: Innovate business models by becoming a cloud service provider. Advanced platform for creating, managing, and monetizing cloud services. Key security focus: Data & Compliance – Isolate cloud tenants, Policy and regulations, Manage operations, Build secure data centers, Offer backup and resiliency

Business Solutions on Cloud – Software as a Service (SaaS): Gain immediate access with business solutions on cloud. Capabilities provided to consumers for using a provider’s applications. Key security focus: Compliance & Auditing – Harden applications, Securely federate identity, Deploy access controls, Encrypt communications, Manage app policies

Security Intelligence – threat intelligence, user activity monitoring, real time insights

Page 33: Cio ciso security_strategyv1.1

Cloud: Our focus is in two areas of cloud security

Security from the Cloud

• Cloud-based Security Services: Use cloud to deliver security as-a-Service – focusing on services such as vulnerability scanning, web and email security, etc.

Security for the Cloud

• Securing the Private Cloud stack (Private cloud, on premise) – focusing on building security into the cloud infrastructure and its workloads

• Secure usage of Public Cloud applications (Public cloud, off premise) – focusing on Audit, Access and Secure Connectivity

Page 34: Cio ciso security_strategyv1.1

Cloud: Leverage solutions in each area of cloud risk

Securing Cloud with IBM Security Systems – People ● Data ● Apps ● Infrastructure ● Security Intelligence

IBM QRadar Security Intelligence – Total visibility into virtual and cloud environments

IBM AppScan Suite – Scan cloud deployed web services and applications for vulnerabilities

IBM Endpoint Manager – Patch and configuration management of VMs

IBM Virtual Server Protection for VMware – Protect VMs from advanced threats

IBM InfoSphere Guardium Suite – Protect and monitor access to shared databases

IBM Identity and Access Management Suite – Identity integration, provision users to SaaS applications; desktop single sign on supporting desktop virtualization

IBM Network IPS

Page 35: Cio ciso security_strategyv1.1

Security Intelligence is enabling progress to optimized security

Optimized

• Security Intelligence: Information and event management; Advanced correlation and deep analytics; External threat research

• People: Role based analytics; Identity governance; Privileged user controls

• Data: Data flow analytics; Data governance

• Applications: Secure app engineering processes; Fraud detection

• Infrastructure: Advanced network monitoring; Forensics / data mining; Secure systems

Proficient

• People: User provisioning; Access mgmt; Strong authentication

• Data: Database vulnerability monitoring; Access monitoring; Data loss prevention

• Applications: Application firewall; Source code scanning

• Infrastructure: Virtualization security; Asset mgmt; Endpoint / network security management

Basic

• People: Centralized directory

• Data: Encryption; Access control

• Applications: Application scanning

• Infrastructure: Perimeter security; Anti-virus

Page 36: Cio ciso security_strategyv1.1


Security Intelligence

People

Data

Applications

Infrastructure

Intelligent solutions provide the DNA to secure a Smarter Planet

Page 37: Cio ciso security_strategyv1.1


Thank You