don’t drown in a sea of cyberthreats: mitigate attacks with ibm bigfix & qradar


Upload: ibm-security

Post on 06-Jan-2017


Page 1: Don’t Drown in a Sea of Cyberthreats: Mitigate Attacks with IBM BigFix & QRadar

© 2015 IBM Corporation

Mitigate attacks with IBM BigFix and QRadar

Rich Caponigro IBM BigFix Security Product Manager [email protected]

Don’t drown in a sea of cyber-threats

Page 2

Please Note:

•  IBM’s statements regarding its plans, directions, and intent are subject to change or withdrawal without notice at IBM’s sole discretion.

•  Information regarding potential future products is intended to outline our general product direction and it should not be relied on in making a purchasing decision.

•  The information mentioned regarding potential future products is not a commitment, promise, or legal obligation to deliver any material, code or functionality. Information about potential future products may not be incorporated into any contract.

•  The development, release, and timing of any future features or functionality described for our products remains at our sole discretion.

Performance is based on measurements and projections using standard IBM benchmarks in a controlled environment. The actual throughput or performance that any user will experience will vary depending upon many factors, including considerations such as the amount of multiprogramming in the user’s job stream, the I/O configuration, the storage configuration, and the workload processed. Therefore, no assurance can be given that an individual user will achieve results similar to those stated here.

Page 3

Agenda

•  Cyber security today
•  BigFix and QRadar SIEM tighten endpoint security
•  New! BigFix plus QRadar close the risk management loop
•  Q & A

Page 4

What Organizations Face (complexity, architecture, resources)

•  Heavy, resource-intensive agent(s)
•  Multiple point tools & agents
•  Inability to maintain and prove compliance with complex and evolving regulations
•  Limited IT budget and staff
•  Shortage of qualified personnel
•  Unable to scale over widely dispersed locations
•  High costs and risks associated with sophisticated threats
•  Inability to remediate and report on compliance issues and vulnerabilities across the environment

Page 5

Vulnerabilities Will Be Exploited!

Source: Verizon Data Breach Investigations Report 2015

Hackers are capitalizing on the first few weeks of CVE availability, knowing organizations can’t patch effectively.

Needed: quick identification, prioritization, and remediation!

Almost half of new CVEs are exploited in the first 4 weeks.

Page 6

IBM is uniquely positioned to offer integrated threat protection

A dynamic, integrated system to disrupt the lifecycle of advanced attacks and prevent loss. Pillars: Smarter Prevention, Security Intelligence, Continuous Response, Open Integrations, Global Threat Intelligence.

•  Ready for IBM Security Intelligence Ecosystem: share security context across multiple products; 100+ vendors, 400+ products
•  IBM Security Network Protection XGS: prevent remote network exploits and limit the use of risky web applications
•  IBM Emergency Response Services: assess impact and plan strategically; leverage experts to analyze data and contain threats
•  IBM X-Force Threat Intelligence: leverage threat intelligence from multiple expert sources
•  IBM Trusteer Apex Endpoint Malware Protection: prevent malware installation and disrupt malware communications
•  IBM Security QRadar Security Intelligence: discover and prioritize vulnerabilities; correlate enterprise-wide threats and detect suspicious behavior
•  IBM Security QRadar Incident Forensics: retrace full attack activity, search for breach indicators and guide defense hardening
•  IBM Guardium Data Activity Monitoring: prevent power user abuse and misuse of sensitive data
•  IBM BigFix: automate and enforce continuous compliance of security and regulatory policies

Page 7

QRadar SIEM: embedded intelligence enabling automated offense identification

Data sources (suspected incidents): servers and mainframes; data activity; network and virtual activity; application activity; configuration information; security devices; users and identities; vulnerabilities and threats; global threat intelligence

Automated offense identification (embedded intelligence):
•  Unlimited data collection, storage and analysis
•  Built-in data classification
•  Automatic asset, service and user discovery and profiling
•  Real-time correlation and threat intelligence
•  Activity baselining and anomaly detection
•  Detects incidents out of the box

Output: prioritized incidents

Page 8

IBM BigFix: Bridging the Gap between Security and IT Ops

FIND IT. FIX IT. SECURE IT. …FAST

Endpoint Management (IT Operations) and Endpoint Security (Security) on one platform, IBM BigFix®:
•  Discovery and Patching
•  Lifecycle Management
•  Software Compliance and Usage
•  Continuous Monitoring
•  Threat Protection
•  Incident Response

Shared visibility and control between IT Operations and Security. Reduce operational costs while improving your security posture.

Page 9

BigFix and QRadar tighten endpoint security

Extensive Data Sources + Deep Intelligence = Exceptionally Accurate and Actionable Insight

•  Near real-time patch feed from BigFix to QRadar increases vulnerability database accuracy, improving offense and risk analytics to limit potential offenses
•  Establishes a baseline for endpoint states and improves alerting on variations to detect threats
•  Represents AV/DLP alerts within the consolidated enterprise security view, helping correlate advanced threat activities
•  Improves compliance reporting with deep endpoint state data

BigFix endpoint deep intelligence: physical / virtual; on/off network; servers; clients; POS, ATM, kiosks

Page 10

BigFix Fixlet status visualized in QRadar

Screenshot labels: Patches; Critical Fix; Configuration Change; Record of who made change

Page 11

BigFix vulnerability data stored in QRadar asset database

Page 12

Complementary capabilities by use case (QRadar target use case, followed by the BigFix complementary capabilities)

Advanced threat detection
•  Full visibility of endpoint activity and state, marrying anti-virus, vulnerability information, and configuration data in real time
•  Quickly obtain answers to unique queries to understand security incidents
•  Rapid incident response, such as disabling DLLs being exploited

Malicious activity identification
•  Guards against the full range of malware and scans POP3 email and Microsoft Outlook folders for threats
•  Cross-references threats in real time with a large, cloud-based database

User activity monitoring
•  Enforces security baselines, passcode policies, security configurations, anti-virus policies, patch management, and more

Compliance reporting and monitoring
•  Provides company-wide reports instantly without polling systems to assess the organization’s security compliance posture
•  Continuous policy enforcement to help maintain compliance

Fraud detection and data loss prevention
•  Automatically determines the safety of dynamically rated websites, protecting endpoints against web-based malware, data theft, lost productivity and reputation damage
•  Block or allow data being copied to or sent to a variety of delivery channels

Page 13

Coming soon: closed-loop risk management

BigFix Compliance with QRadar Vulnerability Manager and Risk Manager deliver real-time endpoint intelligence for closed-loop risk management.

Flow between IBM QRadar and IBM BigFix: real-time endpoint intelligence; network anomaly detection; provides current endpoint status; correlates events and generates alerts; prompts IT staff to fix vulnerabilities.

Integrated, closed-loop risk management:
•  Improves asset database accuracy
•  Strengthens risk assessments
•  Enhances compliance reporting
•  Accelerates risk prioritization of threats and vulnerabilities
•  Increases reach of vulnerability assessment to off-network endpoints

Page 14

IBM BigFix Compliance

Using BigFix Compliance, clients get value from:
•  Continuous real-time enforcement of security policies, regardless of network connection status, significantly reduces overall security risk
•  Supports industry and regulatory compliance benchmarks for best practice protection
•  Discovery of unmanaged endpoints and automatic patch and remediation of non-compliant systems reduces risk and labor costs
•  Deploy, update, and health check 3rd-party Endpoint Protection solutions
•  Policy based quarantine of non-compliant systems

BigFix Platform modules: Lifecycle, Inventory, Patch, Compliance, Protection

More than 10,000 heterogeneous platform compliance checks based on best practice regulatory benchmarks from CIS, PCI DSS, DISA STIG, USGCB

Page 15

Continuous security configuration compliance: accurate, real-time visibility and continuous security configuration enforcement

Infirmary Health System: 98% patch and update compliance rate on 4,000+ workstations with 50% reduced labor costs

Continuous compliance (“set and forget”)
•  No high-risk periods
•  Lower total cost
•  Continued improvement
•  Identify and report on any configuration drift
•  Library of 10,000+ compliance checks (e.g., CIS, PCI, USGCB, DISA STIG)

Traditional compliance (“out of synch”)
•  High-risk and cost periods
•  Manual approach causes endpoints to fall out of compliance again

[Chart: Traditional versus Continuous compliance over time; axes Time and Compliance, with the risk gap shaded; SCAP badge]

Page 16

QRadar Risk and Vulnerability Management

Discovery and verification
•  Uncovers the weaknesses
•  Daily vulnerability and patch updates
•  Proven, certified scanning
•  Endpoints, assets, device configuration
•  Passive and active discovery

Intelligent, context-driven prioritization
•  What assets are important?
•  Where are the threats?
•  Who is talking to who?
•  What is blocked and patched already?
•  What is out of compliance?

Automatic delegation and assignments
•  Who needs to action
•  What needs to be done
•  Missing patches
•  Signatures
•  Configuration changes

Reporting and alerting
•  What needs escalation
•  What is in and out of compliance
•  Dashboards and reports
•  APIs

Cycle: discovery and verification → intelligent, context-driven prioritization → delegate and assign → feedback and compliance → updated posture

Page 17

BigFix Compliance plus QRadar Capability

Capability comparison across BigFix Compliance, QRadar Vulnerability Manager, QRadar Risk Manager, and BigFix + QRadar:
•  Continuous policy monitoring: endpoint; network
•  Endpoint quarantine / remediation
•  Vulnerability discovery: real-time Windows; heterogeneous scan; real-time updates
•  Asset discovery
•  Risk analysis / reporting: CVSS; correlated threat; real-time updates
•  Closed loop action delegation / assignment

Vulnerabilities Will Be Exploited! Quick identification, prioritization, and remediation!

BigFix plus QRadar address the highest security risks first! High priority risks sent to BigFix for action:
•  Deeper, timely endpoint data
•  Faster remediation of critical risks

Page 18

Extending QRadar’s reach and simplifying incident response with BigFix

STEP ONE: Provide continuous insight across all endpoints, INCLUDING off-network laptops
•  BigFix sends vulnerability and patch data to QRadar, automatically ensuring that QRadar's asset database is updated with current data
•  Provides details on physical and virtual servers, PCs, Macs, POS devices, ATMs, kiosks, etc.
•  All known CVEs exposed on an endpoint

STEP TWO: Enforce policy compliance of security, regulatory & operational mandates

STEP THREE: Prioritize vulnerabilities and remediation activities by risk
•  QRadar correlates assets & vulnerabilities with real-time security data
•  It then sends the prioritized list to BigFix administrators
•  Machine Name, OS, IP Address, Malware incidents etc.

STEP FOUR: Expedite remediation of ranked vulnerabilities, configuration drift and irregular behavior
•  Quarantine endpoints until they can be remediated
•  Patch or reconfigure endpoints

Legend: Available today; Coming soon

Page 19

BF Compliance endpoint view of QRadar prioritized vulnerabilities (subject to change)

Screenshot labels: Endpoint info; QRadar Risk Score; CVEs; Relevant fixlets

Page 20

BigFix CVE Action Status (subject to change)

Screenshot label: Action Status

Page 21

Prioritized CVE view (subject to change)

Screenshot labels: Endpoints affected; CVE ID and risk score

Page 22

BigFix / QRadar Integration Use Cases

1. BigFix fixlet and vulnerability status messages passed to QRadar

–  Customer value: Actions that occur and vulnerabilities that exist on endpoints can be passed to QRadar for correlation with other security events. BigFix patch status is relayed to QRadar in a very timely fashion and is stored in the asset database.

2. QRadar can generate a list of assets that do not have BigFix installed, showing how many vulnerabilities could be remediated on each asset if BigFix were installed

–  Customer value: Rapid identification of rogue or unmanaged assets and improved detection and reaction time. Provides strong case for managing assets with BigFix.

3. QRadar (QVM) assigns high-risk vulnerabilities (i.e. those determined via QRM policies) to BigFix for remediation or quarantine; also allows tracking should an exploit occur

–  Customer value: Typical BigFix customers don’t have a way to figure out which patches should be assigned high priority. With this integration, high-risk vulnerabilities could be easily assigned to operations personnel as needed. BigFix administrators gain a way to know which patches should be considered for high priority “out of band” patching, and can initiate remediation immediately. This reduces the risk of initial exploit and exploit propagation, and improves productivity. Typical QRadar customers don’t have a way to isolate vulnerable or compromised devices to limit potential exposures. With this integration, devices with high-risk vulnerabilities could be easily isolated from the network, allowing only BigFix communications. QRadar administrators gain a way to immediately react to possible exposures and have BigFix administrators remediate the vulnerability. This reduces the risk of initial exploit and exploit propagation, and improves productivity.
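The three use cases above and the four steps on page 18 describe one loop: BigFix feeds endpoint CVE and Fixlet state into the QRadar asset database, QRadar ranks CVEs using asset context and correlated threats, and high-risk items go back to BigFix as patch or quarantine tasks, while assets with no BigFix agent are reported separately. The following added example (mine, not IBM's; the record shapes, the scoring weights, the Fixlet ids and the CVE ids are constructed placeholders and mirror neither product's API) models that loop in Python over a few constructed endpoint reports, including an off-network laptop and an unmanaged POS device.

```python
# Model of the BigFix / QRadar closed loop described on pages 18 and 22.
# Added example, not IBM code: record shapes, weights and ids are constructed.
from dataclasses import dataclass
from typing import Dict, List, Set
@dataclass
class EndpointReport:            # what BigFix relays into the QRadar asset database
    name: str
    bigfix_managed: bool         # False = rogue / unmanaged asset (use case 2)
    exposed_cves: List[str]      # all known CVEs exposed on the endpoint
    fixlets: Dict[str, str]      # CVE -> relevant Fixlet id

@dataclass
class RiskContext:               # what QRadar (QVM / QRM) contributes
    asset_risk: Dict[str, float]  # asset -> QRM risk score, 0-10
    cve_cvss: Dict[str, float]    # CVE -> CVSS base score
    exploit_seen_on: Set[str]     # assets with a correlated exploit / malware offense
EXPLOIT_BOOST = 2.0              # constructed weighting, not a product setting

def prioritized_cve_view(reports, ctx):
    """Page 21 view: one row per CVE with its risk score and endpoints affected."""
    affected = {}
    for ep in reports:
        for cve in ep.exposed_cves:
            affected.setdefault(cve, set()).add(ep.name)
    view = []
    for cve, eps in affected.items():
        worst_asset = max(ctx.asset_risk.get(e, 0.0) for e in eps)
        score = ctx.cve_cvss[cve] * worst_asset / 10.0   # CVSS weighted by asset context
        if eps & ctx.exploit_seen_on:                     # correlated threat raises priority
            score += EXPLOIT_BOOST
        view.append({"cve": cve, "risk_score": round(min(score, 10.0), 2),
                     "endpoints": sorted(eps)})
    return sorted(view, key=lambda r: r["risk_score"], reverse=True)

def unmanaged_asset_report(reports):
    """Use case 2: assets without BigFix and how many CVEs BigFix could remediate."""
    rows = [(ep.name, len(ep.exposed_cves)) for ep in reports if not ep.bigfix_managed]
    return sorted(rows, key=lambda r: r[1], reverse=True)

def assign_actions(reports, ctx, threshold=7.0):
    """Use case 3: hand high-risk CVEs to BigFix as patch or quarantine tasks."""
    high = {r["cve"] for r in prioritized_cve_view(reports, ctx) if r["risk_score"] >= threshold}
    tasks = {}
    for ep in reports:
        if not ep.bigfix_managed:
            tasks[ep.name] = ("unmanaged", [])   # candidate for agent deployment
            continue
        fixlets = sorted(ep.fixlets[c] for c in ep.exposed_cves if c in high and c in ep.fixlets)
        if ep.name in ctx.exploit_seen_on:       # isolate first, allow only BigFix traffic
            tasks[ep.name] = ("quarantine", fixlets)
        else:
            tasks[ep.name] = ("patch", fixlets) if fixlets else ("none", [])
    return tasks

# Constructed sample data; the CVE ids are placeholders, not real vulnerabilities.
SAMPLE_REPORTS = [
    EndpointReport("ws-101", True, ["CVE-0000-0001", "CVE-0000-0002"],
                   {"CVE-0000-0001": "fixlet-9001", "CVE-0000-0002": "fixlet-9002"}),
    EndpointReport("lap-202", True, ["CVE-0000-0001"], {"CVE-0000-0001": "fixlet-9001"}),  # off-network laptop
    EndpointReport("pos-303", False, ["CVE-0000-0002", "CVE-0000-0003"], {}),  # no BigFix agent
]
SAMPLE_CTX = RiskContext(asset_risk={"ws-101": 8.0, "lap-202": 4.0, "pos-303": 9.5},
                         cve_cvss={"CVE-0000-0001": 9.3, "CVE-0000-0002": 6.8, "CVE-0000-0003": 4.4},
                         exploit_seen_on={"ws-101"})
```

With the sample data, the exploited workstation is quarantined with two Fixlets queued, the off-network laptop gets a plain patch task, and the POS device appears only in the unmanaged-asset report.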

Available Today / Coming Soon

*The information regarding potential future products is intended to outline our general product direction and it should not be relied on in making a purchasing decision. The information mentioned regarding potential future products is not a commitment, promise, or legal obligation to deliver any material, code or functionality. Information about potential future products may not be incorporated into any contract. The development, release, and timing of any future features or functionality described for our products remains at our sole discretion.

Subject to IBM NDA

Page 23

Key Contacts

Endpoint & Threat Focal Points, Sales Leaders:
•  Anthony Aurigemma, WW Director of E&M Sales [email protected]
•  Mark Phinick, WW Sales Leader [email protected]
•  Josh Stegall, WW Channel Sales Leader [email protected]
•  Jim Gottardi, NA Sales Leader [email protected]
•  Teng Sherng Lim (T.S.), AP Sales Leader [email protected]
•  John Seyerle, EU Sales Leader [email protected]

Technical Leaders & Product Management:
•  Jim Brennan, Dir, Product Mgt & Strategy [email protected]
•  Murtuza Choilawala, Pgm Director, PM & Strategy [email protected]
•  Rich Caponigro, BigFix Compliance PM [email protected]
•  Lee Wei, WW Technical Sales Leader [email protected]
•  Alex Donatelli, CTO for Endpoint Security [email protected]
–  George Mina, Product Marketing [email protected]
–  Rohan Ramesh, Product Marketing [email protected]
–  Mark Taggart, WW Sales Empowerment [email protected]

Page 24

Website: www.bigfix.com Twitter: @IBMBigFix

Page 25

© Copyright IBM Corporation 2015. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind, express or implied. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, these materials. Nothing contained in these materials is intended to, nor shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software. References in these materials to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates. Product release dates and / or capabilities referenced in these materials may change at any time at IBM’s sole discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any way. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service marks of others.

Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed, misappropriated or misused or can result in damage to or misuse of your systems, including for use in attacks on others. No IT system or product should be considered completely secure and no single product, service or security measure can be completely effective in preventing improper use or access. IBM systems, products and services are designed to be part of a lawful, comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective. IBM DOES NOT WARRANT THAT ANY SYSTEMS, PRODUCTS OR SERVICES ARE IMMUNE FROM, OR WILL MAKE YOUR ENTERPRISE IMMUNE FROM, THE MALICIOUS OR ILLEGAL CONDUCT OF ANY PARTY.

THANK YOU www.ibm.com/security