Posted 06-Jan-2017 by ibm-security (category: Technology)
© 2015 IBM Corporation
Mitigate attacks with IBM BigFix and QRadar
Rich Caponigro IBM BigFix Security Product Manager [email protected]
Don’t drown in a sea of cyber-threats
Please Note:
• IBM’s statements regarding its plans, directions, and intent are subject to change or withdrawal without notice at IBM’s sole discretion.
• Information regarding potential future products is intended to outline our general product direction and it should not be relied on in making a purchasing decision.
• The information mentioned regarding potential future products is not a commitment, promise, or legal obligation to deliver any material, code or functionality. Information about potential future products may not be incorporated into any contract.
• The development, release, and timing of any future features or functionality described for our products remains at our sole discretion.
Performance is based on measurements and projections using standard IBM benchmarks in a controlled environment. The actual throughput or performance that any user will experience will vary depending upon many factors, including considerations such as the amount of multiprogramming in the user’s job stream, the I/O configuration, the storage configuration, and the workload processed. Therefore, no assurance can be given that an individual user will achieve results similar to those stated here.
Agenda
• Cyber security today
• BigFix and QRadar SIEM tighten endpoint security
• New! BigFix plus QRadar close the risk management loop
• Q & A
What Organizations face
Complexity / Architecture / Resources
• Heavy, resource-intensive agent(s)
• Multiple point tools & agents
• Inability to maintain and prove compliance with complex and evolving regulations
• Limited IT budget and staff
• Shortage of qualified personnel
• Unable to scale over widely dispersed locations
• High costs and risks associated with sophisticated threats
• Inability to remediate and report on compliance issues and vulnerabilities across the environment
Vulnerabilities Will Be Exploited!
Source: Verizon Data Breach Investigation Report 2015
Almost half of new CVEs are exploited in the first 4 weeks
Hackers are capitalizing on the first few weeks of CVE availability, knowing orgs can’t patch effectively
Needed – quick identification, prioritization, and remediation!
IBM is uniquely positioned to offer integrated threat protection
A dynamic, integrated system to disrupt the lifecycle of advanced attacks and prevent loss
Smarter Prevention | Security Intelligence | Continuous Response | Open Integrations | Global Threat Intelligence
• Ready for IBM Security Intelligence Ecosystem: share security context across multiple products; 100+ vendors, 400+ products
• IBM Security Network Protection XGS: prevent remote network exploits and limit the use of risky web applications
• IBM Emergency Response Services: assess impact and plan strategically, and leverage experts to analyze data and contain threats
• IBM X-Force Threat Intelligence: leverage threat intelligence from multiple expert sources
• IBM Trusteer Apex Endpoint Malware Protection: prevent malware installation and disrupt malware communications
• IBM Security QRadar Security Intelligence: discover and prioritize vulnerabilities; correlate enterprise-wide threats and detect suspicious behavior
• IBM Security QRadar Incident Forensics: retrace full attack activity, search for breach indicators and guide defense hardening
• IBM Guardium Data Activity Monitoring: prevent power user abuse and misuse of sensitive data
• IBM BigFix: automate and enforce continuous compliance of security and regulatory policies
QRadar SIEM: embedded intelligence enabling automated offense identification
Data sources (suspected incidents): servers and mainframes; data activity; network and virtual activity; application activity; configuration information; security devices; users and identities; vulnerabilities and threats; global threat intelligence
Embedded Intelligence / Automated Offense Identification:
• Unlimited data collection, storage and analysis
• Built-in data classification
• Automatic asset, service and user discovery and profiling
• Real-time correlation and threat intelligence
• Activity baselining and anomaly detection
• Detects incidents out of the box
Output: Prioritized Incidents
IBM BigFix: Bridging the Gap between Security and IT Ops
ENDPOINT SECURITY / ENDPOINT MANAGEMENT (IBM BigFix®): Discovery and Patching; Lifecycle Management; Software Compliance and Usage; Continuous Monitoring; Threat Protection; Incident Response
FIND IT. FIX IT. SECURE IT. …FAST
Shared visibility and control between IT Operations and Security
Reduce operational costs while improving your security posture
BigFix and QRadar tighten endpoint security
Extensive Data Sources + Deep Intelligence = Exceptionally Accurate and Actionable Insight
• Near real-time patch feed from BigFix to QRadar increases vulnerability database accuracy, improving offense and risk analytics to limit potential offenses
• Establishes baseline for endpoint states and improves alerting on variations to detect threats
• Represents AV/DLP alerts within consolidated enterprise security view, helping correlate advanced threat activities
• Improves compliance reporting with deep endpoint state data
BigFix endpoint deep intelligence: Physical / Virtual; On/off network; Servers; Clients; POS, ATM, Kiosks
BigFix Fixlet status visualized in QRadar
Screenshot callouts: Patches; Critical Fix; Configuration Change; Record of who made change
BigFix vulnerability data stored in QRadar asset database
Complementary capabilities by use case
QRadar target use case: BigFix complementary capabilities
• Advanced threat detection: Full visibility of endpoint activity and state, marrying anti-virus, vulnerability information, and configuration data in real time; quickly obtain answers to unique queries to understand security incidents; rapid incident response, such as disabling DLLs being exploited
• Malicious activity identification: Guards against the full range of malware and scans POP3 email and Microsoft Outlook folders for threats; cross-references threats in real time with a large, cloud-based database
• User activity monitoring: Enforces security baselines, passcode policies, security configurations, anti-virus policies, patch management, and more
• Compliance reporting and monitoring: Provides company-wide reports instantly without polling systems to assess the organization’s security compliance posture; continuous policy enforcement to help maintain compliance
• Fraud detection and data loss prevention: Automatically determines the safety of dynamically rated websites, protecting endpoints against web-based malware, data theft, lost productivity and reputation damage; block or allow data being copied to or sent to a variety of delivery channels
Coming soon – Closed-loop risk management
BigFix Compliance with QRadar Vulnerability Manager and Risk Manager deliver real-time endpoint intelligence for closed-loop risk management
IBM QRadar / IBM BigFix:
• Real-time endpoint intelligence
• Network anomaly detection
• Provides current endpoint status
• Correlates events and generates alerts
• Prompts IT staff to fix vulnerabilities
• Improves asset database accuracy
• Strengthens risk assessments
• Enhances compliance reporting
• Accelerates risk prioritization of threats and vulnerabilities
• Increases reach of vulnerability assessment to off-network endpoints
Integrated, closed-loop risk management
IBM BigFix Compliance
Using BigFix Compliance, clients get value from:
• Continuous real-time enforcement of security policies, regardless of network connection status, significantly reduces overall security risk
• Supports industry and regulatory compliance benchmarks for best practice protection
• Discovery of unmanaged endpoints and automatic patch and remediation of non-compliant systems reduces risk and labor costs
• Deploy, update, and health check 3rd-party Endpoint Protection solutions
• Policy based quarantine of non-compliant systems
BigFix Platform: Lifecycle; Inventory; Patch; Compliance; Protection
More than 10,000 heterogeneous platform compliance checks based on best practice regulatory benchmarks from CIS, PCI DSS, DISA STIG, USGCB
Infirmary Health System: 98% patch and update compliance rate on 4,000+ workstations with 50% reduced labor costs
Continuous security configuration compliance: accurate, real-time visibility and continuous security configuration enforcement
Continuous compliance (“set and forget”)
• No high-risk periods
• Lower total cost
• Continued improvement
• Identify and report on any configuration drift
• Library of 10,000+ compliance checks (e.g., CIS, PCI, USGCB, DISA STIG)
Traditional compliance (“out of synch”)
• High-risk and cost periods
• Manual approach causes endpoints to fall out of compliance again
Chart: Traditional versus Continuous compliance over time (axes: Time, Compliance; labels: Continuous, Traditional, RISK, SCAP)
QRadar Risk and Vulnerability Management
• Discovery and verification: uncovers the weaknesses; daily vulnerability and patch updates; proven, certified scanning; endpoints, assets, device configuration; passive and active discovery
• Intelligent context-driven prioritization: what assets are important? where are the threats? who is talking to whom? what is blocked and patched already? what is out of compliance?
• Automatic delegation and assignments: who needs to take action; what needs to be done; missing patches; signatures; configuration changes
• Reporting and alerting: what needs escalation; what is in and out of compliance; dashboards and reports; APIs
• Feedback and compliance: updated posture
Cycle: Discovery and verification → Intelligent context-driven prioritization → Delegate and assign → Updated posture
BigFix Compliance plus QRadar Capability
Columns: BigFix Compliance | QRadar Vuln Mgr | QRadar Risk Mgr | BigFix + QRadar
Continuous policy monitoring: Endpoint ✓ | Network ✓ ✓
Endpoint quarantine / remediation: ✓ ✓
Vulnerability discovery: Real-time Windows ✓ | Heterogeneous scan ✓ ✓ | Real-time updates
Asset discovery: ✓ ✓ ✓ ✓
Risk analysis / reporting: ✓ | CVSS ✓ | Correlated threat ✓ ✓ | Real-time updates
Closed loop action delegation / assignment: ✓ ✓
Vulnerabilities Will Be Exploited! Quick identification, prioritization, and remediation! BigFix plus QRadar address the highest security risks first!
High priority risks sent to BigFix for action
• Deeper, timely endpoint data
• Faster remediation of critical risks
Extending QRadar’s reach and simplifying incident response with BigFix
STEP ONE: Provide Continuous Insight across all endpoints, INCLUDING off-network laptops
• Machine Name, OS, IP Address, Malware incidents, etc.
• Provides details on physical and virtual servers, PCs, Macs, POS devices, ATMs, kiosks, etc.
• All known CVEs exposed on an endpoint
• BigFix sends vulnerability and patch data to QRadar, automatically ensuring that QRadar's asset database is updated with current data
STEP TWO: Enforce Policy Compliance of Security, Regulatory & Operational Mandates
STEP THREE: Prioritize vulnerabilities and remediation activities by risk
• QRadar correlates assets & vulnerabilities with real-time security data
• It then sends the prioritized list to BigFix administrators
STEP FOUR: Expedite remediation of ranked vulnerabilities, configuration drift and irregular behavior
• Quarantine endpoints until they can be remediated
• Patch or reconfigure endpoints
Legend: • Avail Today • Coming Soon
BF Compliance endpoint view of QRadar prioritized vulnerabilities (screenshot callouts: Endpoint info; QRadar Risk Score; CVEs; Relevant fixlets; subject to change)
BigFix CVE Action Status (screenshot callout: Action Status; subject to change)
Prioritized CVE view (screenshot callouts: Endpoints affected; CVE ID and risk score; subject to change)
BigFix / QRadar Integration Use Cases
1. BigFix fixlet and vulnerability status messages passed to QRadar
– Customer value: Actions that occur and vulnerabilities that exist on endpoints can be passed to QRadar for correlation with other security events. BigFix patch status is relayed to QRadar in a very timely fashion and is stored in the asset database.
2. QRadar can generate a list of assets that do not have BigFix installed, showing how many vulnerabilities could be remediated on each asset if BigFix were installed
– Customer value: Rapid identification of rogue or unmanaged assets and improved detection and reaction time. Provides a strong case for managing assets with BigFix.
3. QRadar (QVM) assigns high-risk vulnerabilities (i.e. those determined via QRM policies) to BigFix for remediation or quarantine; also allows tracking should an exploit occur
– Customer value: Typical BigFix customers don’t have a way to figure out which patches should be assigned high priority. With this integration, high-risk vulnerabilities could be easily assigned to operations personnel as needed. BigFix administrators gain a way to know which patches should be considered for high-priority “out of band” patching, and can initiate remediation immediately. This reduces the risk of initial exploit and exploit propagation, and improves productivity. Typical QRadar customers don’t have a way to isolate vulnerable or compromised devices to limit potential exposures. With this integration, endpoints with high-risk vulnerabilities could be easily isolated from the network, allowing only BigFix communications. QRadar administrators gain a way to immediately react to possible exposures and have BigFix administrators remediate the vulnerability. This reduces the risk of initial exploit and exploit propagation, and improves productivity.
Availability labels: Available Today / Coming Soon
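The closed loop of the four steps and the three integration use cases above, as an added example that is not part of the original deck or the products' own code: a small Python model in which BigFix endpoint reports update a dict-based stand-in for QRadar's asset database, unmanaged assets are listed with their remediable CVE counts, exposed CVEs are ranked by a QRadar-style risk score, and the high-risk ones become per-endpoint fixlet or quarantine actions. Endpoint names, IPs, CVE ids, fixlet ids, risk scores and the 7.0 threshold are all constructed placeholders.

```python
# Constructed model of the BigFix/QRadar closed loop described in the deck:
# BigFix reports endpoint state into QRadar's asset database, QRadar ranks the
# exposed CVEs by risk, and the high-risk ones go back to BigFix for action.
def update_asset_db(asset_db, endpoint_reports):
    """Use case 1: BigFix fixlet/vulnerability status lands in QRadar's asset DB.
    Each report maps the CVEs still exposed on the endpoint to a (hypothetical) fixlet id."""
    for rep in endpoint_reports:
        rec = asset_db.setdefault(rep["ip"], {"name": rep["name"], "os": rep["os"]})
        rec["managed"] = rep["bigfix_agent"]
        rec["cves"] = dict(rep["exposed_cves"])  # cve id -> fixlet id (None if unknown)
    return asset_db

def unmanaged_assets(asset_db):
    """Use case 2: assets without the BigFix agent, with the number of exposed
    CVEs that could be remediated if BigFix were installed."""
    return {ip: len(rec["cves"]) for ip, rec in asset_db.items() if not rec["managed"]}

def prioritize_cves(asset_db, risk_scores, threshold):
    """Step three / use case 3: rank exposed CVEs by QRadar risk score, then by
    endpoint reach; only CVEs at or above the threshold are handed to BigFix."""
    affected = {}
    for ip, rec in asset_db.items():
        for cve in rec["cves"]:
            affected.setdefault(cve, []).append(ip)

    def score(cve):
        return risk_scores.get(cve, 0.0)  # unscored CVEs sort last

    ranked = sorted(affected, key=lambda c: (-score(c), -len(affected[c]), c))
    return [(c, score(c), sorted(affected[c])) for c in ranked if score(c) >= threshold]

def bigfix_actions(asset_db, prioritized):
    """Step four: managed endpoints get the relevant fixlet for each high-risk
    CVE; unmanaged ones are flagged for quarantine until they can be remediated."""
    actions = []
    for cve, _score, ips in prioritized:
        for ip in ips:
            rec = asset_db[ip]
            if rec["managed"]:
                actions.append((ip, cve, "deploy_fixlet", rec["cves"][cve]))
            else:
                actions.append((ip, cve, "quarantine", None))
    return actions

# Constructed sample input: three endpoint reports (placeholder CVE and fixlet
# ids) and QRadar risk scores for the CVEs they expose.
REPORTS = [
    {"name": "ws-01", "ip": "10.0.0.11", "os": "Windows 10", "bigfix_agent": True,
     "exposed_cves": {"CVE-0000-0001": "FX-101", "CVE-0000-0002": "FX-102"}},
    {"name": "srv-02", "ip": "10.0.0.22", "os": "RHEL 7", "bigfix_agent": True,
     "exposed_cves": {"CVE-0000-0001": "FX-201"}},
    {"name": "kiosk-03", "ip": "10.0.0.33", "os": "Windows 7", "bigfix_agent": False,
     "exposed_cves": {"CVE-0000-0001": None, "CVE-0000-0003": None}},
]
RISK_SCORES = {"CVE-0000-0001": 9.1, "CVE-0000-0002": 4.0, "CVE-0000-0003": 7.5}
```

On the sample data a 7.0 threshold ranks CVE-0000-0001 (score 9.1, three endpoints) first, keeps CVE-0000-0003, and drops CVE-0000-0002; the kiosk without an agent appears in the unmanaged list with two remediable CVEs and is queued for quarantine rather than a fixlet.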
*The information regarding potential future products is intended to outline our general product direction and it should not be relied on in making a purchasing decision. The information mentioned regarding potential future products is not a commitment, promise, or legal obligation to deliver any material, code or functionality. Information about potential future products may not be incorporated into any contract. The development, release, and timing of any future features or functionality described for our products remains at our sole discretion.
Subject to IBM NDA
Key Contacts
Endpoint & Threat Focal Points Sales Leaders:
• Anthony Aurigemma, WW Director of E&M Sales [email protected]
• Mark Phinick, WW Sales Leader [email protected]
• Josh Stegall, WW Channel Sales Leader [email protected]
• Jim Gottardi, NA Sales Leader [email protected]
• Teng Sherng Lim (T.S.), AP Sales Leader [email protected]
• John Seyerle, EU Sales Leader [email protected]
Technical Leaders & Product Management:
• Jim Brennan, Dir, Product Mgt & Strategy [email protected]
• Murtuza Choilawala, Pgm Director, PM & Strategy [email protected]
• Rich Caponigro, BigFix Compliance PM [email protected]
• Lee Wei, WW Technical Sales Leader [email protected]
• Alex Donatelli, CTO for Endpoint Security [email protected]
– George Mina, Product Marketing [email protected]
– Rohan Ramesh, Product Marketing [email protected]
– Mark Taggart, WW Sales Empowerment [email protected]
Website: www.bigfix.com Twitter: @IBMBigFix
© Copyright IBM Corporation 2015. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind, express or implied. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, these materials. Nothing contained in these materials is intended to, nor shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software. References in these materials to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates. Product release dates and / or capabilities referenced in these materials may change at any time at IBM’s sole discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any way. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service marks of others.
Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed, misappropriated or misused or can result in damage to or misuse of your systems, including for use in attacks on others. No IT system or product should be considered completely secure and no single product, service or security measure can be completely effective in preventing improper use or access. IBM systems, products and services are designed to be part of a lawful, comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective. IBM DOES NOT WARRANT THAT ANY SYSTEMS, PRODUCTS OR SERVICES ARE IMMUNE FROM, OR WILL MAKE YOUR ENTERPRISE IMMUNE FROM, THE MALICIOUS OR ILLEGAL CONDUCT OF ANY PARTY.
THANK YOU www.ibm.com/security