Five Critical Conditions to Maximizing Security Intelligence Investments
Posted on 19-Oct-2014
DESCRIPTION
In today's high-tech, highly mobile, everything-connected, data-is-everywhere world, we need to look at security very differently than we did just a few years ago. In the good old days, a strong perimeter defense and some endpoint protection was pretty much all that was needed to protect a company's digital environment. There are, however, many indicators highlighting the fact that we need to do something different. Learn more: http://securityintelligence.com
TRANSCRIPT
© 2013 IBM Corporation
IBM Security Systems
Slide 1
Five Critical Conditions for Maximizing Security Intelligence Investments
Ray Menard, Senior Security Architect, IBM Security Systems
October 24, 2013
Slide 2: Innovative technology changes everything
• Bring your own IT
• Social business
• Cloud and virtualization
• 1 billion mobile workers
• 1 trillion connected objects
Slide 3: Attacks continue as perpetrators sharpen skills
(Chart plotting attacker motivation against attack sophistication)
• Nation-state actors, APTs (Stuxnet, Aurora, APT-1) – national security, economic espionage
• Hacktivists (Lulzsec, Anonymous) – notoriety, activism, defamation
• Organized crime (Zeus, ZeroAccess, Blackhole Exploit Pack) – monetary gain
• Insiders, spammers, script-kiddies (Nigerian 419 scams, Code Red) – nuisance, curiosity
Slide 4: Targeted attacks remain top of mind
• "Saudi Arabia Says Aramco Cyberattack Came From Foreign States" – Bloomberg, Dec 2012
• "How to Hack Facebook In 60 Seconds" – InformationWeek, June 2013
• "Hackers in China Attacked The Times for the Last 4 Months" – The New York Times, Jan 2013
• "Fed Acknowledges Cybersecurity Breach" – The Wall Street Journal, Feb 2013
• "South Carolina taxpayer server hacked, 3.6 million Social Security numbers compromised" – CNN, Oct 2012
• "Facebook hacked in 'sophisticated attack'" – The Guardian, Feb 2013
• "Adobe Systems Reports Attack on Its Computer Network" – The Wall Street Journal, Oct 2013
• "Apple Hacked: Company Admits Development Website Was Breached" – Huffington Post, July 2013
• "Chinese hacking of US media is 'widespread phenomenon'" – Wired, Feb 2013
Slide 5: (Chart of attack and incident trends) Sources: IBM Security X-Force® 2011 Trend and Risk Report; IBM Security X-Force 2013 Mid-Year Trend and Risk Report
Slide 6: Despite proliferation of security solutions
(Collage of point-solution categories and vendor logos: SIEM/Log Management, DAM, RM/CM, NBA, IT GRC, DLP, VM; one logo tagline reads "The Security Division of EMC")
Slide 7: What is Security Intelligence?
Security Intelligence – noun: A methodology of analyzing millions and billions of security, network and application records across the organization's entire network in order to gain insight into what is actually happening in that digital world.
Security Intelligence – verb: Combining internal, locally collected security intelligence with external intelligence feeds, and applying correlation rules to reduce huge volumes of data into a handful of high-probability 'offense' records that require immediate investigation, in order to prevent or minimize the impact of security incidents.
Delivers actionable, comprehensive insight for managing risks, combating threats, and meeting compliance mandates.
Slide 8: 1. It's what you don't know that can hurt you
Slide 9: Security Intelligence Timeline
(Timeline running from Prediction & Prevention to Reaction & Remediation)
Log sources:
• Firewalls
• IDS
• Syslog events
• Application logs
• Windows events
• Authentication logs
• Network device logs
• Database activity logs
• Vulnerabilities (active)
What logs alone miss:
• Devices and applications having no logging capabilities
• Anomalous activity
• Disabled logging
• Network noise
• Vulnerabilities (passive)
• Virtual activity
• User activity
Slide 10: Point solutions lack 360 degree network visibility
(Diagram of the security intelligence platform combining: IBM X-Force® Threat Information Center; real-time security threats and prioritized 'offenses'; identity and user context; real-time network visualization and application statistics; inbound security events)
Slide 11: Business value of security intelligence
(Chart of business impact over time around an incident: proactive intelligence and prevention limits the potential damage effect; reactive response and forensics addresses the actual business impact; a critical threshold marks business interruption. Proactive business impact: blocking of legitimate traffic.)
Slide 12: 2. Force multipliers are key to winning the battle
Slide 13: Early solutions captured only tip of data iceberg
Then: Collection
• Log collection
• Signature-based detection
Now: Intelligence
• Real-time monitoring
• Context-aware anomaly detection
• Automated correlation and analytics
Data in the iceberg: logs, events, alerts; configuration information; system audit trails; external threat feeds; e-mail and social activity; network flows and anomalies; identity context; business process data; malware information
Slide 14: QRadar's wide spectrum of security intelligence feeds (diagram)
Slide 15: Backed by broad R&D organization collecting real world insights
• 6,000 researchers, developers and subject matter experts working security initiatives worldwide
• 3,000+ IBM security patents
(World map of Security Operations Centers, Security Research and Development Labs and Institute for Advanced Security branches; Herzliya is one of the labelled locations)
Slide 16: To further increase accuracy of analytics
Security Intelligence Feeds: Internet threats, geo location, vulnerabilities
Slide 17: Constantly injecting SI platform intelligence updates
• QRadar Security Intelligence modules receive nightly content updates or fresh "Intelligence"
• Updated content includes:
  – Device Support Modules (log parsers)
  – Event mapping / QID (log metadata)
  – X-Force threat and vulnerability data
  – Custom properties, rules, searches, reports
  – QFlow application signatures (Layer 7)
  – Functional software patches
• Delivered to the Console and subsequently consumed by all managed hosts
• No waiting weeks or months for new releases; protection that adapts in concert with changes in the security landscape
Slide 18: 3. Reduce incident investigations with more available data
Slide 19: Automation accelerates time-to-value, preserves currency
Simplified deployment delivers results in days
• Syslog device detection configures log data sources
• Passive flow asset detection populates the asset database
• Out-of-the-box rules and reports reduce incident investigations and meet compliance mandates
Real time events keep information current
• Immediate discovery of network asset additions triggers proactive vulnerability scans, configuration comparisons and policy compliance checks
• Daily and weekly updates to rules, reports, vulnerabilities, patches, searches, support modules, protocols and signatures
Slide 20: Intuitive rules engine interface reduces false positives
Tune the system or create your own rules in three simple steps without professional services:
1) Choose the action
2) Build customized rule
3) Save for future use
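To make the slide 7 definition concrete (correlation rules that reduce a stream of records plus an external feed to a handful of 'offense' records) and the three-step rule workflow on this slide, here is an added example in Python. It is not QRadar code and not the presenter's; the events, addresses and threat-feed entry are constructed sample data, and the rule functions, magnitudes and the `Offense` record are the example's own design.

```python
"""Added example (not QRadar code): a minimal correlation engine that turns a
stream of normalized events plus an external threat feed into a handful of
'offense' records. All events, addresses and feed entries are constructed."""
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed external threat feed: addresses reported as command-and-control hosts.
THREAT_FEED = {"198.51.100.23"}   # documentation range, placeholder value

# Constructed, already-normalized events: (timestamp seconds, category, src, dst, user)
EVENTS = [
    (0,  "auth_fail",    "203.0.113.9", "10.0.0.5",      "alice"),
    (5,  "auth_fail",    "203.0.113.9", "10.0.0.5",      "alice"),
    (9,  "auth_fail",    "203.0.113.9", "10.0.0.5",      "alice"),
    (12, "auth_fail",    "203.0.113.9", "10.0.0.5",      "alice"),
    (15, "auth_fail",    "203.0.113.9", "10.0.0.5",      "alice"),
    (20, "auth_success", "203.0.113.9", "10.0.0.5",      "alice"),
    (30, "auth_fail",    "10.0.0.77",   "10.0.0.5",      "bob"),
    (31, "auth_success", "10.0.0.77",   "10.0.0.5",      "bob"),
    (40, "net_connect",  "10.0.0.5",    "198.51.100.23", None),
    (41, "net_connect",  "10.0.0.5",    "192.0.2.10",    None),
    (55, "net_connect",  "10.0.0.8",    "192.0.2.10",    None),
]


@dataclass
class Offense:
    rule: str
    source: str
    magnitude: int                 # higher means investigate first
    events: list = field(default_factory=list)


# Step 2 of the slide ("build customized rule"): each rule is a function over the stream.
def rule_brute_force(events, threshold=5, window=60):
    """Flag a source that fails >= threshold logins within `window` seconds and then succeeds."""
    offenses = []
    fails = defaultdict(list)      # (src, user) -> timestamps of recent failures
    for ts, cat, src, dst, user in events:
        key = (src, user)
        if cat == "auth_fail":
            fails[key].append(ts)
            fails[key] = [t for t in fails[key] if ts - t <= window]
        elif cat == "auth_success" and len(fails[key]) >= threshold:
            offenses.append(Offense("Brute force followed by success", src, 8,
                                    [(t, "auth_fail") for t in fails[key]] + [(ts, cat)]))
            fails[key] = []
    return offenses


def rule_threat_feed_contact(events, feed=THREAT_FEED):
    """Flag any internal host that connects to an address on the external threat feed."""
    return [Offense("Contact with threat-feed address", src, 9, [(ts, dst)])
            for ts, cat, src, dst, _ in events
            if cat == "net_connect" and dst in feed]


# Step 1 ("choose the action") is modelled as: emit an offense record.
# Step 3 ("save for future use") is the RULES list itself.
RULES = [rule_brute_force, rule_threat_feed_contact]


def correlate(events, rules=RULES):
    """Run every rule over the stream; return offenses sorted by magnitude, highest first."""
    offenses = [o for rule in rules for o in rule(events)]
    return sorted(offenses, key=lambda o: o.magnitude, reverse=True)


if __name__ == "__main__":
    for o in correlate(EVENTS):
        print(f"[{o.magnitude}] {o.rule}: {o.source} ({len(o.events)} events)")
```

Eleven events go in and two offense records come out, each carrying the events that justify it; that retained evidence is what makes the "immediate investigation" in the definition short.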
Slide 21: Network flow analysis is fundamental capability
• Log management products collect a subset of available data
• Netflows enable visibility into attacker communications
• Stored as aggregated, bi-directional records of IP addresses, ports, and protocols
• Offer advanced detection and forensics via flow pivoting, drill-down and data mining
• QFlow Collectors dig deeper, adding Layer 7 application insights
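As an added example of the flow record the slide describes (aggregated, bi-directional, keyed on addresses, ports and protocol) and of pivoting on an address, the Python below builds such records from unidirectional packet summaries. It is not QFlow or QRadar code; the packet summaries are constructed, the "lower port is the server side" heuristic is the example's own simplification, and the upload-ratio check is one illustrative detection, not a product feature.

```python
"""Added example (not QRadar/QFlow code): aggregate unidirectional packet
summaries into bi-directional flow records and pivot on an address."""
from collections import defaultdict
from dataclasses import dataclass

# Constructed unidirectional records: (src_ip, src_port, dst_ip, dst_port, proto, bytes, packets)
PACKETS = [
    ("10.0.0.5", 51000, "192.0.2.10", 443, "tcp", 1200, 10),
    ("192.0.2.10", 443, "10.0.0.5", 51000, "tcp", 45000, 40),
    ("10.0.0.5", 51001, "192.0.2.10", 443, "tcp", 800, 6),
    ("192.0.2.10", 443, "10.0.0.5", 51001, "tcp", 30000, 25),
    ("10.0.0.5", 40000, "198.51.100.23", 8443, "tcp", 900000, 700),   # large upload
    ("198.51.100.23", 8443, "10.0.0.5", 40000, "tcp", 2000, 15),
    ("10.0.0.8", 53000, "10.0.0.53", 53, "udp", 80, 1),
    ("10.0.0.53", 53, "10.0.0.8", 53000, "udp", 200, 1),
]


@dataclass
class Flow:
    client: str
    client_port: int
    server: str
    server_port: int
    proto: str
    bytes_out: int = 0     # client -> server
    pkts_out: int = 0
    bytes_in: int = 0      # server -> client
    pkts_in: int = 0


def flow_key(src, sport, dst, dport, proto):
    """Canonical bi-directional key. Simplification: the lower port is taken as the
    server side, so both directions of one conversation map to the same record."""
    if sport < dport:
        return (dst, dport, src, sport, proto), "in"
    return (src, sport, dst, dport, proto), "out"


def aggregate(packets):
    """Fold packet summaries into one Flow per conversation."""
    flows = {}
    for src, sport, dst, dport, proto, nbytes, npkts in packets:
        key, direction = flow_key(src, sport, dst, dport, proto)
        f = flows.setdefault(key, Flow(*key))
        if direction == "out":
            f.bytes_out += nbytes
            f.pkts_out += npkts
        else:
            f.bytes_in += nbytes
            f.pkts_in += npkts
    return list(flows.values())


def pivot(flows, ip):
    """Drill-down on one address: everything it did, grouped by (peer, service port, proto)."""
    view = defaultdict(lambda: {"bytes_sent": 0, "bytes_received": 0, "flows": 0})
    for f in flows:
        if f.client == ip:
            k = (f.server, f.server_port, f.proto)
            view[k]["bytes_sent"] += f.bytes_out
            view[k]["bytes_received"] += f.bytes_in
        elif f.server == ip:
            k = (f.client, f.server_port, f.proto)
            view[k]["bytes_sent"] += f.bytes_in
            view[k]["bytes_received"] += f.bytes_out
        else:
            continue
        view[k]["flows"] += 1
    return dict(view)


def upload_heavy(flows, ratio=10):
    """Flows where the client sent far more than it received: a cheap indicator worth a look."""
    return [f for f in flows if f.bytes_in and f.bytes_out / f.bytes_in >= ratio]


if __name__ == "__main__":
    flows = aggregate(PACKETS)
    for k, v in pivot(flows, "10.0.0.5").items():
        print(k, v)
    for f in upload_heavy(flows):
        print("upload-heavy:", f.client, "->", f.server, f.server_port, f.bytes_out, "bytes out")
```

Eight one-way records collapse into four conversations; pivoting on 10.0.0.5 shows its two web sessions and one outbound-heavy session at a glance, which is the drill-down the slide refers to.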
Slide 22: Detecting the Undetectable (slide content is an image)
Slide 23: Detecting the Undetectable (slide content is an image)
Slide 24: The Bigger Picture (slide content is an image)
Slide 25: Baselining and anomaly detection complete picture
Correlation of log and flow data creates profiles of user, application and data access patterns
Anomaly Detection uses multiple measurements to signal change:
• Thresholds – above or below normal range
• Anomaly – detects appearance of new objects
• Behavior – reveals deviations from established 'seasonal' patterns
(Chart comparing a large window of 5 hours with a small window of 1 hour)
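The three measurements on this slide, run over constructed data, as an added Python example (not QRadar code). It takes the slide's 5-hour large window and 1-hour small window literally as a per-minute series; the counts, destination sets, normal range and the 1.5x deviation limit are the example's own assumptions.

```python
"""Added example, not QRadar code: threshold, new-object anomaly and behavior
deviation over constructed per-minute data. Large window = 5 hours, small
window = the most recent 1 hour."""
LARGE_WINDOW_MIN = 5 * 60   # 5 hours of per-minute samples
SMALL_WINDOW_MIN = 60       # 1 hour

# Constructed: 300 per-minute counts of outbound connections from one host.
# Roughly 21/min for four hours, then roughly 43/min in the final hour.
COUNTS = [20 + (i % 3) for i in range(240)] + [42 + (i % 3) for i in range(60)]

# Constructed: destination addresses seen during the large and the small window.
BASELINE_DESTS = {"192.0.2.10", "192.0.2.11", "10.0.0.53"}
RECENT_DESTS = {"192.0.2.10", "10.0.0.53", "198.51.100.23"}


def threshold_check(value, low, high):
    """Threshold measurement: is a single value above or below a fixed normal range?"""
    if value > high:
        return "above"
    if value < low:
        return "below"
    return "normal"


def new_objects(baseline, recent):
    """Anomaly measurement: objects present in the small window that never
    appeared during the large window (e.g. a never-before-seen destination)."""
    return sorted(recent - baseline)


def behavior_deviation(series, large=LARGE_WINDOW_MIN, small=SMALL_WINDOW_MIN):
    """Behavior measurement: mean of the small window against the mean of the
    large window (the large window includes the small one, as a moving baseline).
    Returns (large_mean, small_mean, ratio)."""
    if len(series) < large:
        raise ValueError("need at least one full large window of history")
    large_mean = sum(series[-large:]) / large
    small_mean = sum(series[-small:]) / small
    return large_mean, small_mean, small_mean / large_mean


def evaluate(series, baseline_dests, recent_dests, low=10, high=35, ratio_limit=1.5):
    """Run all three measurements and return the findings as strings."""
    findings = []
    latest = series[-1]
    verdict = threshold_check(latest, low, high)
    if verdict != "normal":
        findings.append(f"threshold: latest value {latest} is {verdict} normal range {low}-{high}")
    for obj in new_objects(baseline_dests, recent_dests):
        findings.append(f"anomaly: new destination {obj} not seen in baseline")
    large_mean, small_mean, ratio = behavior_deviation(series)
    if ratio >= ratio_limit:
        findings.append(f"behavior: last hour averages {small_mean:.1f}/min vs "
                        f"{large_mean:.1f}/min over 5 hours (x{ratio:.2f})")
    return findings


if __name__ == "__main__":
    for line in evaluate(COUNTS, BASELINE_DESTS, RECENT_DESTS):
        print(line)
```

Note that the behavior ratio is damped because the baseline window contains the hour being judged; a baseline that excludes the small window reacts faster but is also noisier, and the window lengths on the slide are the tuning knob for that trade-off.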
Slide 26: 4. Further reduce blind spots using non-traditional event sources
Slide 27: Integrated vulnerability management narrows the actions
Existing vulnerability management tools
(Figure: a wall of CVE entries labelled "Your Vulnerabilities")
Questions remain:
• Has that been patched?
• Has it been exploited?
• Is it likely to be exploited?
• Does my firewall block it?
• Does my IPS block it?
• Does it matter?
QRadar Vulnerability Manager
(Figure: the same wall of CVE entries, now marked Patched, Critical, Blocked, Inactive, Exploited! and At risk!)
• Improves visibility – intelligent, event-driven scanning, asset discovery, asset profiling and more
• Reduces data load – bringing rich context to vulnerability management
• Breaks down silos – leveraging all QRadar integrations and data; unified vulnerability view across all products
Answers delivered:
• Real-time scanning
• Early warning capabilities
• Advanced pivoting and filtering
Security Intelligence Integration
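An added Python example (not QRadar Vulnerability Manager code) of answering the slide's six questions for each scan finding by joining it with context from the other sources named on the page: offenses, firewall rules, IPS signatures, patch state and asset profile. Every CVE identifier here is a placeholder, the inputs are constructed, and the `Finding` fields and decision order are the example's own assumptions.

```python
"""Added example, not QRadar Vulnerability Manager code: label each scan finding
with one of the slide's categories by joining it with context from other sources.
CVE identifiers are placeholders; all inputs are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    cve: str                 # placeholder identifier, not a real CVE
    asset: str
    port: int                # port the vulnerable service listens on
    patched: bool            # from patch management / rescan
    service_running: bool    # from passive flow data: is the service actually in use?
    exploit_known: bool      # from an external vulnerability feed
    exposed: bool            # asset profile: reachable from untrusted networks or business-critical


# Constructed context from the integrations the slide mentions
OFFENSE_HITS = {("CVE-0000-0003", "10.0.0.5")}   # an offense already matched this CVE on this asset
FIREWALL_DENIES = {"10.0.0.9": {445}}            # inbound ports the firewall denies, per asset
IPS_SIGNATURES = {"CVE-0000-0002"}               # CVEs the IPS has a blocking signature for

FINDINGS = [
    Finding("CVE-0000-0001", "10.0.0.5", 80,   True,  True,  True,  True),
    Finding("CVE-0000-0002", "10.0.0.5", 443,  False, True,  True,  True),
    Finding("CVE-0000-0003", "10.0.0.5", 22,   False, True,  True,  True),
    Finding("CVE-0000-0004", "10.0.0.9", 445,  False, True,  True,  False),
    Finding("CVE-0000-0005", "10.0.0.9", 8080, False, False, False, False),
    Finding("CVE-0000-0006", "10.0.0.9", 3306, False, True,  True,  True),
    Finding("CVE-0000-0007", "10.0.0.9", 8443, False, True,  False, True),
]

# Worklist order: the slide's labels, most urgent first
ORDER = ["Exploited!", "Critical", "At risk!", "Blocked", "Inactive", "Patched"]


def classify(f, offenses=OFFENSE_HITS, firewall=FIREWALL_DENIES, ips=IPS_SIGNATURES):
    """Answer the slide's questions in the order that most changes the verdict."""
    if (f.cve, f.asset) in offenses:                              # Has it been exploited?
        return "Exploited!"
    if f.patched:                                                 # Has that been patched?
        return "Patched"
    if not f.service_running:                                     # Does it matter right now?
        return "Inactive"
    if f.port in firewall.get(f.asset, set()) or f.cve in ips:    # Does the firewall / IPS block it?
        return "Blocked"
    if f.exploit_known and f.exposed:                             # Is it likely to be exploited?
        return "Critical"
    return "At risk!"


def prioritize(findings):
    """Bucket findings by label and return them as an ordered worklist."""
    buckets = {label: [] for label in ORDER}
    for f in findings:
        buckets[classify(f)].append(f.cve)
    return buckets


if __name__ == "__main__":
    for label, cves in prioritize(FINDINGS).items():
        print(f"{label:10s} {', '.join(cves) or '-'}")
```

Seven findings reduce to one exploited item and one critical item that need action today; the "Blocked" bucket is the one worth re-checking whenever a firewall rule or IPS signature changes, since its verdict depends on control that can silently disappear.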
Slide 28: 'Big Data' adds more structured and even unstructured data
(Architecture diagram: Collect, Store & Process, Analyze)
Data sources: security and infrastructure data sources; external threat intelligence feeds; email, web, blogs, and social activity
• Real-time processing / security operations: QRadar Security Intelligence Platform and QRadar Console (web interface), with watch lists and custom rules
• Big data warehouse: relational store (high-value information) and Hadoop store (raw data)
• Big data analytics and forensics: InfoSphere BigInsights, InfoSphere BigSheets, i2 Intelligence Analysis
Numbered steps in the diagram:
1 Data collection & enrichment (hot)
2 Real-time insights (hot)
3 Forward (hot) & store (hot, warm, cold) data
4 Big data analysis, trends & history (warm and cold)
5 Advanced visualizations and investigation (warm and cold)
6 Enrich / adapt / improve
(Legend: flow of data/information; flow of knowledge)
Two major roles QRadar can play in the IBM Big Data Solution:
1) Collects SI data and feeds it to BigInsights to enrich data sources
2) Provides a dashboard to display, organize, and query the data generated by Big Data Analytics and Forensics
Slide 29: Virtual appliances see inside the cloud
IBM Security QRadar VFlow Collectors
– Use deep packet inspection to provide visibility to application layer virtual network traffic in the cloud
– Detect new security threats, malware, viruses, anomalies through behavior profiling of network traffic without relying on vulnerability signatures
– Support VMware virtual environments and profile more than 1,000 applications
– Run on a virtual server and require no additional hardware
Slide 30: QRadar Risk Manager adds pro-active capabilities
• Normalized device configurations are gathered and stored either on-demand or via scheduled activities
• Performs firewall rule analysis, configuration error detection (e.g. shadowed rules), and rule activity correlation with 'offenses'
(Screenshot: shadowed rules)
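Shadowed rules are the configuration error the slide names, so here is an added Python example (not QRadar Risk Manager code) of detecting them in an ordered, normalized ruleset: a later rule is shadowed when an earlier rule matches every packet it would match, so it can never fire. The ruleset, the rule fields and the "first covering rule wins" simplification are the example's own assumptions; it checks single-rule coverage only, not a set of earlier rules that together cover a later one.

```python
"""Added example, not QRadar Risk Manager code: find shadowed rules in an
ordered firewall policy. The ruleset is constructed and IPv4-only."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    action: str          # "allow" or "deny"
    src: str             # source CIDR
    dst: str             # destination CIDR
    proto: str           # "tcp", "udp" or "any"
    ports: tuple         # (low, high) destination port range; (0, 65535) means any

    def covers(self, other):
        """True if every packet matched by `other` is also matched by this rule."""
        s_src, o_src = ipaddress.ip_network(self.src), ipaddress.ip_network(other.src)
        s_dst, o_dst = ipaddress.ip_network(self.dst), ipaddress.ip_network(other.dst)
        proto_ok = self.proto == "any" or self.proto == other.proto
        ports_ok = self.ports[0] <= other.ports[0] and other.ports[1] <= self.ports[1]
        return o_src.subnet_of(s_src) and o_dst.subnet_of(s_dst) and proto_ok and ports_ok


# Constructed policy, evaluated top-down, first match wins
RULES = [
    Rule("allow-web",            "allow", "0.0.0.0/0",      "10.0.1.0/24",  "tcp", (443, 443)),
    Rule("deny-legacy-http",     "deny",  "0.0.0.0/0",      "10.0.1.0/24",  "tcp", (80, 80)),
    Rule("allow-web-host",       "allow", "203.0.113.0/24", "10.0.1.10/32", "tcp", (443, 443)),
    Rule("allow-legacy-partner", "allow", "203.0.113.5/32", "10.0.1.20/32", "tcp", (80, 80)),
    Rule("deny-any",             "deny",  "0.0.0.0/0",      "0.0.0.0/0",    "any", (0, 65535)),
    Rule("allow-dns",            "allow", "10.0.0.0/8",     "10.0.0.53/32", "udp", (53, 53)),
]


def shadowed_rules(rules):
    """Return (shadowed_rule, shadowing_rule, actions_differ) for each rule that
    an earlier rule fully covers. When the actions differ the later rule's intent
    is silently defeated, which is the more serious configuration error; when
    they match the later rule is merely redundant."""
    result = []
    for i, rule in enumerate(rules):
        for earlier in rules[:i]:
            if earlier.covers(rule):
                result.append((rule.name, earlier.name, earlier.action != rule.action))
                break
    return result


if __name__ == "__main__":
    for name, by, conflict in shadowed_rules(RULES):
        kind = "CONFLICT" if conflict else "redundant"
        print(f"{name} is shadowed by {by} ({kind})")
```

On the constructed policy the interesting output is the two conflicts: a partner explicitly allowed on port 80 that a broader deny above it silences, and a DNS allow placed below a deny-any, both of which look correct rule by rule and only show up when the ordering is analysed.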
Slide 31: 5. Importance of solution integration
Slide 32: Integrations critical to success and differentiation of IBM Security and Customers
• Infrastructure protection to block specific vulnerability types using scan results
• Converge access management with web service gateways
• Link identity information with database security
• Stay ahead of the changing threat landscape
• Detect the latest vulnerabilities, exploits and malware
• Add security intelligence to non-intelligent systems
• Consolidate siloed information from hundreds of sources
• Detect, notify and respond to threats missed by other security solutions
• Automate compliance tasks and assess risks
Slide 33: Using fully integrated architecture and interface
One Console Security, built on a single data architecture
Log Management
• Turn-key log management and reporting
• SME to Enterprise
• Upgradeable to enterprise SIEM
SIEM
• Log, flow, vulnerability & identity correlation
• Sophisticated asset profiling
• Offense management and workflow
Configuration & Vulnerability Management
• Network security configuration monitoring
• Vulnerability prioritization
• Predictive threat modeling & simulation
Network Activity & Anomaly Detection
• Network analytics
• Behavioral anomaly detection
• Fully integrated in SIEM
Network and Application Visibility
• Layer 7 application monitoring
• Content capture for deep insight & forensics
• Physical and virtual environments
Slide 34: Summary of five conditions and best practices
1. It's what you don't know that can hurt you
2. Force multipliers are key to winning the battle
3. Reduce incident investigations with more available data
4. Further reduce blind spots using non-traditional event sources
5. Importance of solution integration
Slide 35: Learn more about IBM QRadar Security Intelligence
Watch executive Steve Robinson (VP) discuss the next era for Security Intelligence: http://ibm.co/nextera
Visit our blog: www.securityintelligence.com
Visit our website: http://ibm.co/QRadar
Read our IT Executive Guide to Security Intelligence white paper: ibm.co/11HQdfc
Download the 2013 Gartner Magic Quadrant for SIEM: http://ibm.co/GMQ
Slide 36
www.ibm.com/security
© Copyright IBM Corporation 2013. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind, express or implied. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, these materials. Nothing contained in these materials is intended to, nor shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software. References in these materials to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates. Product release dates and/or capabilities referenced in these materials may change at any time at IBM’s sole discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any way. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service marks of others.
Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed or misappropriated or can result in damage to or misuse of your systems, including to attack others. No IT system or product should be considered completely secure and no single product or security measure can be completely effective in preventing improper access. IBM systems and products are designed to be part of a comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective. IBM DOES NOT WARRANT THAT SYSTEMS AND PRODUCTS ARE IMMUNE FROM THE MALICIOUS OR ILLEGAL CONDUCT OF ANY PARTY.