
Page 1

© 2015 IBM Corporation

October 13, 2015 Enterprise Resilience & Crisis Management Workshop

Desiree Riboldi – IT Consultant, Business Development Manager Italia, IBM Security. eMail: [email protected], mobile: +39 335 7446066

CyberSecurity and the new approaches to mitigating risks while containing costs

Page 2

What’s at risk?

Information Confidentiality, Integrity, and Availability

Corporate Reputation and Brand Image

Theft of business and customer data, product design IP, sales & pricing strategies, cash, etc.

Safety—injury or loss of life

Supply chain information integrity or disruptions

Page 3

Service disruption due to security incidents or breaches poses the greatest risk to reputation and brand value

Source: Forbes Insights in association with IBM “The reputational impact of IT Risk” (2014)

The overall business costs related to disruptions are higher than the IT costs (75% vs 25%).

Estimating the costs in terms of business impact is crucial to building a business case for the value of IT investments and to defining the proper improvement initiatives.

Page 4

Security and Resilience affect nearly every part of an organization in the «always-on» world

The Internet was built in a way that favoured resiliency over security. (1)

An attacker needs to find only one weak point in a system’s defenses, while a system’s protectors need to defend all vulnerable points forever. (2)

(1) Source: Global Risks 2014, Ninth Edition, World Economic Forum
(2) Source: Forbes Insights in association with IBM “The reputational impact of IT Risk” (2014)

Page 5

The consequences of a data breach can be positively impacted by Business Continuity Management (BCM)

MTTI (mean time to identify) and MTTC (mean time to contain) for organizations that involve or fail to involve BCM in the incident response process. Percentage difference for MTTI = 27%; percentage difference for MTTC = 41%. Consolidated view (FY 2015 n = 350, FY 2014 n = 315).

Source: Ponemon Institute “2015 Cost of Data Breach Study: Impact of Business Continuity Management”, sponsored by IBM, June 2015

Security & Business Continuity: making risk-managed decisions that align with the business, balancing and optimizing security efforts. When? Continuously!

[Chart: impact of 11 factors on the per capita cost of data breach, measured in US$, consolidated view (n = 350); the individual factors were not captured in the transcript.]

Page 6

Ransomware has evolved to reach a broader range of attackers through service kits to provide “infection as a service”

Timeline, 1989 to 2015:

• 1989: 1st known ransomware, "PC Cyborg", created
• 2010: WinLock ransomware, a non-encrypting variant, demands premium-rate SMS messages to unlock target machines
• 2013: CryptoLock, ZeroLocker and CryptoWall require the ransom to be paid in anonymous cryptocurrencies
• 2014: Ransomweb attacks target web applications through vulnerable web servers
• 2015: Tox “ransomware as a service” kit released in the wild

Source: IBM X-Force Threat Intelligence Report 3Q 2015

Page 7

Preparedness is the key to protecting against ransomware, and routine data backups are imperative

Ensure you have at least one copy of your data that is not directly mapped visibly as a drive on your computer.

Technologies that prevent “phone home” operations can help stop earlier iterations of certain ransomware.

Do not assume that if you are infected with encryption-based ransomware you can simply pay the ransom and reliably get your data back.

• Technical defenses are not sufficient
• They must be managed in conjunction with people, processes and organization

Source: IBM X-Force Threat Intelligence Report 3Q 2015

Page 8

The Dark Web is comprised of nefarious individuals and organizations participating in host-to-host anonymous encrypted communications

Tor was originally designed, implemented and deployed in 2004 as a third-generation onion routing project of the US Naval Research Laboratory to protect government communications. Because it allows private, encrypted communication, it’s now used for nefarious purposes.

[Diagram: Tor circuit – Requestor → Guard Node → Relay Node → Relay Node → Exit Node → Destination Server. The legend distinguishes encrypted links (between the requestor and the Tor nodes) from the unencrypted link (exit node to destination server).]

Source: IBM X-Force Threat Intelligence Report 3Q 2015

Page 9

The Dark Web and Tor can disguise the geographic location of the requestor, allowing anonymity for nefarious actors

Common attacks from Tor:

• SQL injection (SQLi): SQLi makes up by far the majority of the attacks that originate with Tor exit nodes to target IBM MSS customers.
• Vulnerability scanning: vulnerability scanning often represents the early stages of an attack, as the adversary gets the lay of the land; Tor lets them cloak their origin and spread their probes out across exit nodes, reducing the risk of drawing attention.
• Distributed denial of service (DDoS): DDoS attacks combine Tor-commanded botnets with a sheaf of Tor exit nodes.

Source: IBM X-Force Threat Intelligence Report 3Q 2015

Page 10

Corporate networks hosting Tor nodes open themselves to a host of issues

Running a Tor relay is a donation of bandwidth.

The owner of an exit node can become legally liable for the content issuing from that node even if the content belongs to someone else and is hosted somewhere else.

The administrator could be an unwilling facilitator of an attack on other networks or within his or her own networks.

Page 11

Effective security programs encompass a strategic view of people, process and technology

1. Define the Security Principles & Vision necessary to achieve objectives
2. Define a process model for continuously managing security risk
3. Establish an organizational and operational model to execute the process and aid in decision support
4. Implement an integrated set of security capabilities to inform, rapidly detect and enable rapid response

Page 12

Severity of Threat: escalation levels, their triggers and the playbook for each

Level 0: Business As Usual

Level 1: Heightened Awareness
  Triggers: reported breach within industry; regional disruption (political, …); aggressive chatter in Darknet; threats of an impending attack
  Level 1 Playbook: physical access restricted; monitoring increased; user-awareness bulletins

Level 2: Possible Malicious Activity
  Triggers: suspicious activity detected; zero-day released
  Level 2 Playbook: IPS/IDS thresholds adjusted; initiate and secure backups; SOC extended hours

Level 3: Confirmed Malicious Activity
  Triggers: attack detected and underway; discovery of previous breach; “shots fired” on substation; law enforcement informing you of a breach
  Level 3 Playbook: physical access restricted; SOC 2x staffing, 24x7; more roaming security guards

Level 4: Active Defensive Response
  Triggers: attack occurring and defenses breached; imminent threat of a sophisticated attack becomes known via threat intelligence
  Level 4 Playbook: admin remote access only; mobile devices denied; enterprise password change

A more elastic and agile defense capability is required

Page 13

The Security Operations Center is becoming responsible for enterprise security monitoring; it coordinates threat defense, detection and response for all security domains

IBM Security Operation Hybrid Model (Enterprise Security/Risk Monitoring):
• Conduct enterprise security monitoring
• Operationalize security intelligence
• Coordinate enterprise threat defense
• Centralize threat detection
• Prioritize security incidents
• Manage threat response (mitigate/remediate)
• Produce dashboards on business impact/value

Inputs: Enterprise Security Data; Enterprise Risk Data; Crown Jewel Data; Fraud / Investigations; LOB Risk Assessments; Physical Security

Security Intelligence: X-Force Threat Analysis; IBM Advanced Cyber Intell (CrowdStrike); ISAC, Gov, InfoSec

Operational Outputs (Threat Defense, Detection, Mitigation, Remediation): Closed Security Incidents; Closed SI Research Requests; Closed CSIRT Tickets; Use Case/Rule Updates

Analytics/Dashboards: Overall Security Posture; EP Dashboard; Crown Jewel Dashboard; LOB Dashboard; Cost of Service Quality; SOC Operational Reports

Feedback loops: Accountability for Performance; Feedback for Improvement

Page 14

Around-the-clock management, monitoring and protection: protect networks, servers and endpoints from the Internet’s most critical threats

IBM Managed Security Services:
• Firewall Management
• Unified Threat Management
• Intrusion Detection and Prevention System Management
• Managed Protection Services
• Secure Web Gateway Management
• Malware Defense Management
• Managed Web Defense (DDoS Protection)

Benefits:
• Better secure information assets from Internet attacks
• Reduce security investment and management costs
• Better manage compliance
• Improve system uptime and performance
• Simplify management of multiple security device types

Page 15

Immediate access to incident response and forensics experts: proactively prepare for, and instantly respond to, cyber attacks

IBM helps clients combat a significant intrusion, sophisticated attack, or other security incident for faster recovery and forensic analysis.

24x7 worldwide, around-the-clock coverage can enable faster recovery and reduce business impact from incidents.

IBM Emergency Response Services lifecycle (a continuous cycle): Proactive Preparation → Incident Planning → Incident Triage → Containment, Eradication and Recovery → Post-Incident Analysis → Periodic Reviews

Page 16

IBM Security QRadar and Managed Security Services

Help develop a SOC that can monitor cyber threats and manage incidents:
• Maturity analysis of the existing security operations
• Strategy and planning services that create a SOC model, optimizing existing staff skills and technologies
• Design and build services that size the SOC to the organization’s risk management requirements and budget
• Implementation of IBM QRadar® or other security information and event management (SIEM) technologies that can provide leading security intelligence capabilities
• Leverages IBM’s depth of experience in building and managing its own global SOCs

OPTIMIZE YOUR SECURITY OPERATIONS:
• protect mission-critical data and assets
• prepare for and respond to cyber emergencies
• help provide continuity and efficient recovery
• fortify the business infrastructure

[Figure: IBM Security by the Numbers – monitored countries (MSS); service delivery experts; endpoints protected; events managed per day. The figures themselves were not captured in the transcript.]

Page 17

© Copyright IBM Corporation 2015. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind, express or implied. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, these materials. Nothing contained in these materials is intended to, nor shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software. References in these materials to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates. Product release dates and / or capabilities referenced in these materials may change at any time at IBM’s sole discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any way. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service marks of others.

Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed, misappropriated or misused or can result in damage to or misuse of your systems, including for use in attacks on others. No IT system or product should be considered completely secure and no single product, service or security measure can be completely effective in preventing improper use or access. IBM systems, products and services are designed to be part of a lawful, comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective. IBM DOES NOT WARRANT THAT ANY SYSTEMS, PRODUCTS OR SERVICES ARE IMMUNE FROM, OR WILL MAKE YOUR ENTERPRISE IMMUNE FROM, THE MALICIOUS OR ILLEGAL CONDUCT OF ANY PARTY.

THANK YOU – www.ibm.com/security

Page 18

Legal notices and disclaimers

Information concerning non-IBM products was obtained from the suppliers of those products, their published announcements or other publicly available sources. IBM has not tested those products in connection with this publication and cannot confirm the accuracy of performance, compatibility or any other claims related to non-IBM products. Questions on the capabilities of non-IBM products should be addressed to the suppliers of those products. IBM does not warrant the quality of any third-party products, or the ability of any such third-party products to interoperate with IBM’s products. IBM EXPRESSLY DISCLAIMS ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.

The provision of the information contained herein is not intended to, and does not, grant any right or license under any IBM patents, copyrights, trademarks or other intellectual property right.

Other company, product, or service names may be trademarks or service marks of others. A current list of IBM trademarks is available at “Copyright and trademark information” www.ibm.com/legal/copytrade.shtml

Copyright © 2015 by International Business Machines Corporation (IBM). No part of this document may be reproduced or transmitted in any form without written permission from IBM.

U.S. Government Users Restricted Rights – Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM.

Information in these presentations (including information relating to products that have not yet been announced by IBM) has been reviewed for accuracy as of the date of initial publication and could include unintentional technical or typographical errors. IBM shall have no responsibility to update this information. THIS document is distributed "AS IS" without any warranty, either express or implied. In no event shall IBM be liable for any damage arising from the use of this information, including but not limited to, loss of data, business interruption, loss of profit or loss of opportunity.

IBM products and services are warranted according to the terms and conditions of the agreements under which they are provided.

Any statements regarding IBM’s future direction, intent or product plans are subject to change or withdrawal without notice. Performance data contained herein was generally obtained in controlled, isolated environments. Customer examples are presented as illustrations of how those customers have used IBM products and the results they may have achieved. Actual performance, cost, savings or other results in other operating environments may vary. References in this document to IBM products, programs, or services do not imply that IBM intends to make such products, programs or services available in all countries in which IBM operates or does business.

Workshops, sessions and associated materials may have been prepared by independent session speakers, and do not necessarily reflect the views of IBM. All materials and discussions are provided for informational purposes only, and are neither intended to, nor shall constitute legal or other guidance or advice to any individual participant or their specific situation.

It is the customer’s responsibility to ensure its own compliance with legal requirements and to obtain advice of competent legal counsel as to the identification and interpretation of any relevant laws and regulatory requirements that may affect the customer’s business and any actions the customer may need to take to comply with such laws. IBM does not provide legal advice or represent or warrant that its services or products will ensure that the customer is in compliance with any law.