
Five critical conditions to maximizing security intelligence investments

Date post: 19-Oct-2014
Description:
In today's high-tech, highly mobile, everything-connected, data-is-everywhere world, we need to look at security very differently than we did just a few years ago. In the good old days, a strong perimeter defense and some endpoint protection was pretty much all that was needed to protect a company's digital environment. There are, however, many indicators that we need to do something different. Learn more: http://securityintelligence.com
Transcript
Page 1: Five critical conditions to maximizing security intelligence investments

© 2013 IBM Corporation

IBM Security Systems


Ray Menard Senior Security Architect IBM Security Systems

October 24, 2013

Five Critical Conditions for Maximizing Security Intelligence Investments

Page 2: Five critical conditions to maximizing security intelligence investments


Bring your own IT

Social business

Cloud and virtualization

1 billion mobile workers

1 trillion connected

objects

Innovative technology changes everything

Page 3: Five critical conditions to maximizing security intelligence investments


Attacks continue as perpetrators sharpen skills

[Chart: threat actors plotted by Motivation (vertical axis) against Sophistication (horizontal axis), lowest to highest:]

Nuisance, Curiosity: Insiders, Spammers, Script-kiddies (Nigerian 419 Scams, Code Red)

Monetary Gain: Organized crime (Zeus, ZeroAccess, Blackhole Exploit Pack)

Notoriety, Activism, Defamation: Hacktivists (Lulzsec, Anonymous)

National Security, Economic Espionage: Nation-state actors, APTs (Stuxnet, Aurora, APT-1)

Page 4: Five critical conditions to maximizing security intelligence investments


Targeted attacks remain top of mind

Saudi Arabia Says Aramco Cyberattack Came From Foreign States

– Bloomberg, Dec 2012

How to Hack Facebook In 60 Seconds

– InformationWeek, June 2013

Hackers in China Attacked The Times for the Last 4 Months

– The New York Times, Jan 2013

Fed Acknowledges Cybersecurity Breach

– The Wall Street Journal, Feb 2013

South Carolina taxpayer server hacked, 3.6 million Social Security numbers compromised

– CNN, Oct 2012

Facebook hacked in 'sophisticated attack'

– The Guardian, Feb 2013

Adobe Systems Reports Attack on Its Computer Network

– The Wall Street Journal, Oct 2013

Apple Hacked: Company Admits Development Website Was Breached

– Huffington Post, July 2013

Chinese hacking of US media is 'widespread phenomenon'

– Wired, Feb 2013

Page 5: Five critical conditions to maximizing security intelligence investments


[Chart slide] Sources: IBM Security X-Force® 2011 Trend and Risk Report; IBM Security X-Force 2013 Mid-Year Trend and Risk Report

Page 6: Five critical conditions to maximizing security intelligence investments


Despite proliferation of security solutions

[Slide shows vendor logos grouped by product category:]

SIEM/Log Management

DAM (database activity monitoring)

RM/CM (risk management / configuration management)

NBA (network behavior analysis)

IT GRC (IT governance, risk and compliance)

DLP (data loss prevention)

VM (vulnerability management)

Page 7: Five critical conditions to maximizing security intelligence investments


What is Security Intelligence?

Security Intelligence

noun: A methodology of analyzing millions and billions of security, network and application records across the organization's entire network in order to gain insight into what is actually happening in that digital world.

verb: Combining internal, locally collected security intelligence with external intelligence feeds, and applying correlation rules to reduce huge volumes of data into a handful of high-probability 'offense' records that require immediate investigation, in order to prevent or minimize the impact of security incidents.

Delivers actionable, comprehensive insight for managing risks, combating threats, and meeting compliance mandates.
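The "verb" half of that definition is a concrete algorithm: walk the normalised event stream, keep a little state per source, and only emit a record when a rule's condition is met. The following is an added example (not code from the deck or from QRadar) showing two such rules over a constructed event list and a constructed threat feed; the event layout, feed contents, rule names and weights are all assumptions:

```python
# Added example (not from the IBM deck): turn a raw event stream into a
# handful of offense records by correlating internal events with an external
# threat feed. Event layout, feed contents and rule weights are assumptions.
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed external feed: address -> category reported by the feed.
THREAT_FEED = {"203.0.113.7": "botnet-c2", "198.51.100.9": "scanner"}

# Constructed, already-normalised events:
# (timestamp, log source, category, source IP, destination IP, user)
EVENTS = [
    ("2013-10-24T09:00:01", "sshd", "auth_fail", "198.51.100.9", "10.0.0.5", "root"),
    ("2013-10-24T09:00:02", "sshd", "auth_fail", "198.51.100.9", "10.0.0.5", "admin"),
    ("2013-10-24T09:00:03", "sshd", "auth_fail", "198.51.100.9", "10.0.0.5", "oracle"),
    ("2013-10-24T09:00:04", "sshd", "auth_fail", "198.51.100.9", "10.0.0.5", "admin"),
    ("2013-10-24T09:00:05", "sshd", "auth_fail", "198.51.100.9", "10.0.0.5", "admin"),
    ("2013-10-24T09:00:09", "sshd", "auth_success", "198.51.100.9", "10.0.0.5", "admin"),
    ("2013-10-24T09:05:00", "fw", "conn_allow", "10.0.0.5", "203.0.113.7", None),
    ("2013-10-24T09:10:00", "fw", "conn_allow", "10.0.0.8", "192.0.2.44", None),
    ("2013-10-24T09:12:00", "sshd", "auth_fail", "10.0.0.20", "10.0.0.5", "bob"),
]


@dataclass
class Offense:
    """One record per offending source; absorbs every event that contributed."""
    source: str
    rules: list = field(default_factory=list)
    events: int = 0
    magnitude: int = 0   # 1..10, highest weight of any rule that fired


def correlate(events, feed, fail_threshold=5, window=timedelta(minutes=5)):
    offenses = {}
    recent_fails = defaultdict(list)   # source IP -> failure timestamps inside the window
    victims = set()                    # hosts an attacker has authenticated to

    def raise_offense(source, rule, weight, evidence):
        off = offenses.setdefault(source, Offense(source))
        off.rules.append(rule)
        off.events += evidence
        off.magnitude = max(off.magnitude, min(weight, 10))

    for ts, _log_source, category, src, dst, _user in sorted(events, key=lambda e: e[0]):
        t = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S")
        if category == "auth_fail":
            recent_fails[src] = [x for x in recent_fails[src] if t - x <= window] + [t]
        elif category == "auth_success":
            fails = [x for x in recent_fails[src] if t - x <= window]
            if len(fails) >= fail_threshold:
                # brute force followed by success; a feed hit on the attacker raises the weight
                weight = 7 + (2 if src in feed else 0)
                raise_offense(src, "brute-force-then-success", weight, len(fails) + 1)
                victims.add(dst)
                recent_fails[src].clear()
        elif category == "conn_allow" and dst in feed:
            # outbound contact with a known-bad address; worse if the host was just compromised
            weight = 10 if src in victims else 8
            raise_offense(src, f"contact-{feed[dst]}", weight, 1)
    return offenses


if __name__ == "__main__":
    for off in correlate(EVENTS, THREAT_FEED).values():
        print(f"{off.source:15} magnitude={off.magnitude:2} events={off.events} rules={off.rules}")
```

Nine raw events collapse to two offenses: the scanner that brute-forced 10.0.0.5 (magnitude 9 because the feed already knows it) and 10.0.0.5 itself, whose contact with the C2 address is weighted to 10 only because the earlier rule marked it as a victim. The single typo'd login from 10.0.0.20 and the benign web connection from 10.0.0.8 produce nothing, which is the whole point of the reduction.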

Page 8: Five critical conditions to maximizing security intelligence investments


1. It's what you don't know that can hurt you

Page 9: Five critical conditions to maximizing security intelligence investments


Security Intelligence Timeline

Prediction & Prevention ... Reaction & Remediation

Logged sources:
• Firewalls
• IDS
• Syslog Events
• Application Logs
• Windows Events
• Authentication Logs
• Network Device Logs
• Database activity Logs
• Vulnerabilities (Active)

Not covered by logs alone:
• Devices and applications having no logging capabilities
• Anomalous activity
• Disabled Logging
• Network Noise
• Vulnerabilities (Passive)
• Virtual Activity
• User Activity

Page 10: Five critical conditions to maximizing security intelligence investments


Point solutions lack 360 degree network visibility

[Diagram: the QRadar console combining]
• IBM X-Force® Threat Information Center
• Real-time Security Threats and Prioritized 'Offenses'
• Identity and User Context
• Real-time Network Visualization and Application Statistics
• Inbound Security Events

Page 11: Five critical conditions to maximizing security intelligence investments


Business value of security intelligence

[Chart: Business Impact (vertical axis) against Time (horizontal axis), around an Incident. Curves: Proactive (Intelligence, Prevention), labelled "Potential damage effect"; Reactive (Response, Forensics), labelled "Actual business impact". Horizontal line: Business interruption critical threshold. Note on the chart: Proactive business impact: blocking of legitimate traffic.]

Page 12: Five critical conditions to maximizing security intelligence investments


2. Force Multipliers are key to winning the battle

Page 13: Five critical conditions to maximizing security intelligence investments


Early solutions captured only tip of data iceberg

Then: Collection
• Log collection
• Signature-based detection

Now: Intelligence
• Real-time monitoring
• Context-aware anomaly detection
• Automated correlation and analytics

[The iceberg: Logs, Events, Alerts; Configuration information; System audit trails; External threat feeds; E-mail and social activity; Network flows and anomalies; Identity context; Business process data; Malware information]

Page 14: Five critical conditions to maximizing security intelligence investments


QRadar’s wide spectrum of security intelligence feeds

Page 15: Five critical conditions to maximizing security intelligence investments


Backed by broad R&D organization collecting real world insights

6,000 researchers, developers and subject matter experts working security initiatives worldwide

3,000+ IBM security patents

[World map of Security Operations Centers, Security Research and Development Labs, and Institute for Advanced Security Branches; Herzliya is among the labelled sites]

Page 16: Five critical conditions to maximizing security intelligence investments


To further increase accuracy of analytics

Security Intelligence Feeds: Internet Threats, Geo Location, Vulnerabilities

Page 17: Five critical conditions to maximizing security intelligence investments


Constantly injecting SI platform intelligence updates

• QRadar Security Intelligence modules receive nightly content updates, or fresh "intelligence"

• Updated content includes:
  – Device Support Modules (log parsers)
  – Event mapping / QID (log metadata)
  – X-Force threat and vulnerability data
  – Custom properties, rules, searches, reports
  – QFlow application signatures (Layer 7)
  – Functional software patches

• Delivered to the Console and subsequently consumed by all managed hosts

• No waiting weeks or months for new releases; protection adapts in concert with changes in the security landscape

Page 18: Five critical conditions to maximizing security intelligence investments


3. Reduce incident investigations with more available data

Page 19: Five critical conditions to maximizing security intelligence investments


Automation accelerates time-to-value, preserves currency

Simplified deployment delivers results in days
• Syslog device detection configures log data sources
• Passive flow asset detection populates the asset database
• Out-of-the-box rules and reports reduce incident investigations and meet compliance mandates

Real-time events keep information current
• Immediate discovery of network asset additions triggers proactive vulnerability scans, configuration comparisons and policy compliance checks
• Daily and weekly updates to rules, reports, vulnerabilities, patches, searches, support modules, protocols and signatures

Page 20: Five critical conditions to maximizing security intelligence investments


Intuitive rules engine interface reduces false positives

Tune the system or create your own rules in three simple steps without professional services:

1) Choose the action
2) Build customized rule
3) Save for future use

Page 21: Five critical conditions to maximizing security intelligence investments


Network flow analysis is fundamental capability

Log management products collect a subset of available data; network flows (NetFlow and similar exports) enable visibility into attacker communications

• Stored as aggregated, bi-directional records of IP addresses, ports, and protocols
• Offer advanced detection and forensics via flow pivoting, drill-down and data mining
• QFlow Collectors dig deeper, adding Layer 7 application insights
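Exporters emit one record per direction; the "aggregated, bi-directional records" the slide mentions are built by pairing each record with its reversed 5-tuple, after which pivoting and drill-down are plain queries over the result. The following is an added example (not code from the deck or from QFlow/QRadar) over a constructed set of records; the record layout and the tie-break heuristic for deciding which side is the client are assumptions:

```python
# Added example (not from the IBM deck): aggregate one-directional flow records
# into bi-directional records, then pivot on them. Record layout and the sample
# flows are constructed; the initiator heuristic is an assumption.
from collections import defaultdict
from dataclasses import dataclass

# Constructed exporter records:
# (start seconds, src IP, src port, dst IP, dst port, protocol, bytes, packets)
RAW_FLOWS = [
    (100, "10.0.0.5", 51234, "203.0.113.7", 443, "tcp", 52_000_000, 40_000),
    (100, "203.0.113.7", 443, "10.0.0.5", 51234, "tcp", 4_100, 30),
    (105, "10.0.0.8", 40001, "192.0.2.44", 80, "tcp", 900, 12),
    (105, "192.0.2.44", 80, "10.0.0.8", 40001, "tcp", 15_000, 20),
    (110, "10.0.0.5", 51300, "203.0.113.7", 443, "tcp", 3_000, 10),
    (110, "203.0.113.7", 443, "10.0.0.5", 51300, "tcp", 2_000, 8),
    (120, "10.0.0.9", 53001, "10.0.0.2", 53, "udp", 80, 1),   # reply never seen
]


@dataclass
class BiFlow:
    client: str
    cport: int
    server: str
    sport: int
    proto: str
    first_seen: int
    bytes_out: int = 0   # client -> server
    bytes_in: int = 0    # server -> client
    packets: int = 0


def aggregate(raw):
    """Pair each record with its reverse 5-tuple. The first record seen for a
    pair is taken as client->server; ties on start time go to the record whose
    destination port is lower (the well-known port is the server side)."""
    flows = {}
    for start, src, sport, dst, dport, proto, nbytes, pkts in sorted(raw, key=lambda r: (r[0], r[4])):
        reverse = (dst, dport, src, sport, proto)
        if reverse in flows:
            f = flows[reverse]
            f.bytes_in += nbytes
        else:
            f = flows.setdefault((src, sport, dst, dport, proto),
                                 BiFlow(src, sport, dst, dport, proto, start))
            f.bytes_out += nbytes
        f.packets += pkts
    return list(flows.values())


def pivot(flows, address):
    """Drill-down: every bi-directional flow that touches an address."""
    return [f for f in flows if address in (f.client, f.server)]


def bytes_per_server(flows):
    """Aggregate across sessions: how much each server has been sent in total."""
    totals = defaultdict(int)
    for f in flows:
        totals[f.server] += f.bytes_out
    return dict(totals)


def exfil_candidates(flows, min_bytes=1_000_000, ratio=10):
    """Sessions that push far more data out than they receive."""
    return [f for f in flows if f.bytes_out >= min_bytes and f.bytes_out > ratio * f.bytes_in]


if __name__ == "__main__":
    flows = aggregate(RAW_FLOWS)
    print(len(RAW_FLOWS), "records ->", len(flows), "bi-directional flows")
    for f in exfil_candidates(flows):
        print("exfil candidate:", f.client, "->", f.server, f.bytes_out, "bytes out", f.bytes_in, "bytes in")
    print("per-server bytes:", bytes_per_server(flows))
```

Seven records become four flows; the 52 MB session from 10.0.0.5 to 203.0.113.7 stands out as an exfiltration candidate because its inbound byte count is tiny, something a firewall "connection allowed" log line could never show. The DNS flow with no reply is kept as a one-sided record rather than dropped, since a missing reply direction is itself worth seeing.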

Page 22: Five critical conditions to maximizing security intelligence investments


Detecting the Undetectable

Page 23: Five critical conditions to maximizing security intelligence investments


Detecting the Undetectable

Page 24: Five critical conditions to maximizing security intelligence investments


The Bigger Picture

Page 25: Five critical conditions to maximizing security intelligence investments


Baselining and anomaly detection complete picture

Correlation of log and flow data creates profiles of user, application and data access patterns

Anomaly Detection uses multiple measurements to signal change:
• Thresholds – above or below normal range
• Anomaly – detects appearance of new objects
• Behavior – reveals deviations from established 'seasonal' patterns

[Chart: behavioral rule comparing a Large Window (5 Hours) with a Small Window (1 Hour)]
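The three measurements on the slide, plus the large-window/small-window comparison from the chart, are each a few lines once the per-asset series exists. The following is an added example (not code from the deck or from QRadar) that runs all four over a constructed week of hourly outbound byte counts for one asset, with one anomalous hour injected into the new day; the data, the window sizes and the tolerance factors are assumptions:

```python
# Added example (not from the IBM deck): the three measurements the slide lists
# (threshold, new object, behavioural deviation) plus a large-window/small-window
# comparison, run over constructed hourly outbound-byte counts for one asset.
import statistics
from collections import defaultdict


def build_history(days=7):
    """Constructed baseline: 7 days of (day, hour, bytes, destination ports).
    Busy 09:00-18:00, quiet at night, with small deterministic jitter."""
    hist = []
    for d in range(days):
        for h in range(24):
            base = 10_000 if 9 <= h < 18 else 1_000
            hist.append((d, h, base + (d * 24 + h) * 37 % 100, {80, 443, 53}))
    return hist


def observed_day(day=7):
    """Constructed new day with one injected anomaly at 02:00: roughly eighty
    times the usual night-time volume, to a port this asset has never used."""
    obs = []
    for h in range(24):
        base = 10_000 if 9 <= h < 18 else 1_000
        obs.append((h, base + (day * 24 + h) * 37 % 100, {80, 443, 53}))
    obs[2] = (2, 80_000, {443, 4444})
    return obs


def threshold_findings(obs, high=50_000):
    """Absolute bound: fires regardless of history."""
    return [(h, "threshold", v) for h, v, _ in obs if v > high]


def new_object_findings(history, obs):
    """Anomaly: a destination port never seen for this asset in the baseline."""
    known = set().union(*(ports for *_, ports in history))
    return [(h, "new-object", sorted(p - known)) for h, _, p in obs if p - known]


def seasonal_findings(history, obs, k=3.0, floor=0.10):
    """Behaviour: compare each hour with the same hour on previous days, so the
    daily ramp-up at 09:00 is normal. `floor` keeps a near-zero stdev from
    flagging trivial jitter."""
    by_hour = defaultdict(list)
    for _, h, v, _ in history:
        by_hour[h].append(v)
    out = []
    for h, v, _ in obs:
        mu, sd = statistics.mean(by_hour[h]), statistics.pstdev(by_hour[h])
        if abs(v - mu) > max(k * sd, floor * mu):
            out.append((h, "seasonal", round(mu)))
    return out


def window_findings(history, obs, large=5, factor=4.0):
    """Large window (5 h) vs small window (the current hour): fires when the
    current hour exceeds `factor` times the mean of the previous five hours.
    This also fires on the normal 09:00 ramp-up, which is exactly the case the
    seasonal baseline above handles correctly."""
    vals = [v for _, _, v, _ in history[-large:]] + [v for _, v, _ in obs]
    out = []
    for i in range(large, len(vals)):
        long_mean = statistics.mean(vals[i - large:i])
        if vals[i] > factor * long_mean:
            out.append((obs[i - large][0], "window", round(long_mean)))
    return out


if __name__ == "__main__":
    hist, obs = build_history(), observed_day()
    print("threshold :", threshold_findings(obs))
    print("new object:", new_object_findings(hist, obs))
    print("seasonal  :", seasonal_findings(hist, obs))
    print("window    :", window_findings(hist, obs))
```

The injected 02:00 hour is caught by all four measurements, but the window rule also flags 09:00, the ordinary start of the working day. That difference is why a "seasonal" baseline keyed on hour-of-day is worth the extra state: a short-versus-long window comparison has no memory of what yesterday's 09:00 looked like.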

Page 26: Five critical conditions to maximizing security intelligence investments


4. Further reduce blind spots using non-traditional event sources

Page 27: Five critical conditions to maximizing security intelligence investments


Integrated vulnerability management narrows the actions

[Diagram: "Your Vulnerabilities" shown as a grid of CVE entries; QRadar Vulnerability Manager annotates each with a status: Patched, Critical, Blocked, Inactive, Exploited!, At risk!]

Existing vulnerability management tools leave questions:
• Has that been patched?
• Has it been exploited?
• Is it likely to be exploited?
• Does my firewall block it?
• Does my IPS block it?
• Does it matter?

QRadar Vulnerability Manager
• Improves visibility – intelligent, event-driven scanning, asset discovery, asset profiling and more
• Reduces data load – bringing rich context to vulnerability management
• Breaks down silos – leveraging all QRadar integrations and data; unified vulnerability view across all products

Answers delivered:
• Real-time scanning
• Early warning capabilities
• Advanced pivoting and filtering

Security Intelligence Integration
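The six questions on the slide are a decision procedure: each one is answered by data another system already holds (patch state, exploit feeds, firewall paths, IPS coverage, passive flow data, IDS events), and the answer determines the status label and how far up the list a finding lands. The following is an added example (not code from the deck or from QRadar Vulnerability Manager) that walks the questions in that order over constructed inputs; the CVE identifiers use an impossible year so they cannot be mistaken for real entries, and the asset weights and multipliers are assumptions:

```python
# Added example (not from the IBM deck): answer the slide's six questions for
# each scan finding and rank the result. All inputs are constructed; the CVE
# identifiers use an obviously invalid year so they cannot be mistaken for real
# entries, and the weights are assumptions.
from dataclasses import dataclass


@dataclass(frozen=True)
class Vuln:
    asset: str
    cve: str
    cvss: float
    port: int


SCAN_RESULTS = [
    Vuln("web01", "CVE-0000-0001", 9.3, 443),
    Vuln("web01", "CVE-0000-0002", 7.5, 443),
    Vuln("db01", "CVE-0000-0003", 10.0, 1521),
    Vuln("lab07", "CVE-0000-0004", 9.0, 8080),
    Vuln("web01", "CVE-0000-0005", 8.1, 443),
    Vuln("web01", "CVE-0000-0006", 6.5, 443),
    Vuln("web01", "CVE-0000-0007", 7.2, 443),
]

# Context that other tools hold in silos, here as constructed sets:
PATCHED = {("web01", "CVE-0000-0002")}                                # patch management
EXPLOIT_PUBLIC = {"CVE-0000-0003", "CVE-0000-0005", "CVE-0000-0006"}  # threat feed
REACHABLE_FROM_UNTRUSTED = {("web01", 443)}                           # firewall path analysis
IPS_SIGNATURE = {"CVE-0000-0006"}                                     # IPS coverage
LISTENING = {("web01", 443), ("db01", 1521)}                          # passive flow data
EXPLOIT_OBSERVED = {("web01", "CVE-0000-0001")}                       # IDS event tied to an offense
ASSET_WEIGHT = {"web01": 1.0, "db01": 1.5, "lab07": 0.3}              # business criticality

MULTIPLIER = {"exploited!": 3.0, "at risk!": 1.5, "critical": 1.0, "open": 1.0,
              "blocked": 0.3, "inactive": 0.1, "patched": 0.0}


def classify(v: Vuln) -> str:
    """Walk the slide's questions in the order a responder would ask them."""
    if (v.asset, v.cve) in PATCHED:
        return "patched"               # Has that been patched?
    if (v.asset, v.port) not in LISTENING:
        return "inactive"              # Does it matter? The service is not even running.
    if (v.asset, v.cve) in EXPLOIT_OBSERVED:
        return "exploited!"            # Has it been exploited?
    reachable = (v.asset, v.port) in REACHABLE_FROM_UNTRUSTED
    if not reachable or v.cve in IPS_SIGNATURE:
        return "blocked"               # Does my firewall / IPS block it?
    if v.cve in EXPLOIT_PUBLIC:
        return "at risk!"              # Is it likely to be exploited?
    return "critical" if v.cvss >= 7.0 else "open"


def prioritise(results):
    """Score = CVSS x asset weight x status multiplier, highest first."""
    ranked = []
    for v in results:
        label = classify(v)
        score = round(v.cvss * ASSET_WEIGHT.get(v.asset, 1.0) * MULTIPLIER[label], 2)
        ranked.append((score, label, v))
    ranked.sort(key=lambda r: r[0], reverse=True)
    return ranked


if __name__ == "__main__":
    for score, label, v in prioritise(SCAN_RESULTS):
        print(f"{score:6.2f}  {label:10}  {v.asset:6} {v.cve} (CVSS {v.cvss}, port {v.port})")
```

Sorted by CVSS alone the list would start with the CVSS 10.0 finding on db01; with the context applied it drops to fourth place because nothing untrusted can reach port 1521, while the CVSS 9.3 finding that an IDS event shows being exploited goes to the top. The order of the checks matters: "patched" and "inactive" are tested first because no amount of exposure makes a missing service exploitable.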

Page 28: Five critical conditions to maximizing security intelligence investments


'Big Data' adds more structured and even unstructured data

[Architecture diagram: Collect → Store & Process → Analyze]

Data sources: Security and Infrastructure Data Sources; External Threat Intelligence Feeds; Email, Web, Blogs, and Social Activity

Real-time Processing / Security Operations: QRadar Security Intelligence Platform, with the QRadar Console (web interface)

Big Data Warehouse: Relational Store (high-value information) and Hadoop Store (raw data)

Big Data Analytics and Forensics: InfoSphere BigInsights, InfoSphere BigSheets, i2 Intelligence Analysis

Flow of data/information and flow of knowledge:
1. Data Collection & Enrichment (hot)
2. Real-time insights (hot)
3. Forward (hot) & store (hot, warm, cold) data
4. Big Data Analysis, Trends & History (warm and cold)
5. Advanced Visualizations and Investigation (warm and cold)
6. Enrich / Adapt / Improve: watch lists and custom rules fed back to QRadar

Two major roles QRadar can play in the IBM Big Data Solution:

1) Collects SI data and feeds it to BigInsights to enrich data sources

2) Provides a dashboard to display, organize, and query the data generated by Big Data Analytics and Forensics

Page 29: Five critical conditions to maximizing security intelligence investments


Virtual appliances see inside the cloud

IBM Security QRadar VFlow Collectors
– Use deep packet inspection to provide visibility into application-layer virtual network traffic in the cloud
– Detect new security threats, malware, viruses and anomalies through behavior profiling of network traffic, without relying on vulnerability signatures
– Support VMware virtual environments and profile more than 1,000 applications
– Run on a virtual server and require no additional hardware

Page 30: Five critical conditions to maximizing security intelligence investments


QRadar Risk Manager adds pro-active capabilities

Normalized device configurations are gathered and stored either on demand or via scheduled activities

Performs firewall rule analysis, configuration error detection (e.g. shadowed rules), and correlation of rule activity with 'offenses'

[Screenshot: shadowed rules report. A shadowed rule is one that can never match, because an earlier rule in the same first-match policy already matches every packet it would match; when the two rules differ in action, the later rule's intent is silently lost.]
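Shadowed-rule detection is a containment check over an ordered policy: for each rule, does some earlier rule match a superset of its traffic? The following is an added example (not code from the deck or from QRadar Risk Manager) over a constructed five-rule policy; the rule representation and the sample policy are assumptions:

```python
# Added example (not from the IBM deck): detect shadowed and redundant rules in
# an ordered, first-match firewall policy. Rule format and the sample policy
# are constructed.
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    action: str      # "allow" or "deny"
    proto: str       # "tcp", "udp" or "any"
    src: str         # CIDR
    dst: str         # CIDR
    dport: tuple     # inclusive (low, high); (0, 65535) means any port


# Constructed policy. Rule 2 is meant to cut the lab segment off from the web
# but sits after a broader allow; rule 5 sits after the default deny.
RULES = [
    Rule("allow-web",         "allow", "tcp", "10.0.0.0/8",  "0.0.0.0/0",    (80, 80)),
    Rule("block-lab-web",     "deny",  "tcp", "10.0.5.0/24", "0.0.0.0/0",    (80, 80)),
    Rule("allow-web-partner", "allow", "tcp", "10.0.0.0/8",  "192.0.2.0/24", (80, 80)),
    Rule("default-deny",      "deny",  "any", "0.0.0.0/0",   "0.0.0.0/0",    (0, 65535)),
    Rule("allow-dns",         "allow", "udp", "10.0.0.0/8",  "10.0.0.2/32",  (53, 53)),
]


def covers(a: Rule, b: Rule) -> bool:
    """True if every packet matching b also matches a (a is at least as broad)."""
    net = ipaddress.ip_network
    return (
        (a.proto == "any" or a.proto == b.proto)
        and net(b.src).subnet_of(net(a.src))
        and net(b.dst).subnet_of(net(a.dst))
        and a.dport[0] <= b.dport[0] <= b.dport[1] <= a.dport[1]
    )


def analyse(rules):
    """First-match semantics: a rule fully covered by an earlier rule never
    fires. If the actions differ it is shadowed (its intent is lost); if they
    agree it is merely redundant."""
    findings = []
    for i, rule in enumerate(rules):
        for earlier in rules[:i]:
            if covers(earlier, rule):
                kind = "shadowed" if earlier.action != rule.action else "redundant"
                findings.append((rule.name, kind, earlier.name))
                break
    return findings


if __name__ == "__main__":
    for name, kind, by in analyse(RULES):
        print(f"{name}: {kind} by {by}")
```

Two of the findings are the dangerous kind: the lab segment is not actually blocked, and DNS is not actually allowed, yet a rule saying otherwise exists in the policy for anyone auditing it to read. The check above compares against single earlier rules only; a rule can also be shadowed by the union of several narrower earlier rules, which needs a range-splitting or BDD-based comparison rather than pairwise containment.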

Page 31: Five critical conditions to maximizing security intelligence investments


5. Importance of solution integration

Page 32: Five critical conditions to maximizing security intelligence investments


Integrations are critical to the success and differentiation of IBM Security and its customers

Infrastructure protection to block specific vulnerability types using scan results

Converge access management with web service gateways

Link identity information with database security

Stay ahead of the changing threat landscape

Detect the latest vulnerabilities, exploits and malware

Add security intelligence to non-intelligent systems

Consolidate siloed information from hundreds of sources

Detect, notify and respond to threats missed by other security solutions

Automate compliance tasks and assess risks

Page 33: Five critical conditions to maximizing security intelligence investments


Using fully integrated architecture and interface

Log Management
• Turn-key log management and reporting
• SME to Enterprise
• Upgradeable to enterprise SIEM

SIEM
• Log, flow, vulnerability & identity correlation
• Sophisticated asset profiling
• Offense management and workflow

Configuration & Vulnerability Management
• Network security configuration monitoring
• Vulnerability prioritization
• Predictive threat modeling & simulation

Network Activity & Anomaly Detection
• Network analytics
• Behavioral anomaly detection
• Fully integrated in SIEM

Network and Application Visibility
• Layer 7 application monitoring
• Content capture for deep insight & forensics
• Physical and virtual environments

One Console Security, built on a Single Data Architecture

Page 34: Five critical conditions to maximizing security intelligence investments


Summary of five conditions and best practices

1. It's what you don't know that can hurt you
2. Force multipliers are key to winning the battle
3. Reduce incident investigations with more available data
4. Further reduce blind spots using non-traditional event sources
5. Importance of solution integration

Page 35: Five critical conditions to maximizing security intelligence investments


Watch executive Steve Robinson (VP) discuss the next era for Security Intelligence :

http://ibm.co/nextera

Visit our:

Blog www.securityintelligence.com

Website: http://ibm.co/QRadar

Read our IT Executive Guide to Security Intelligence White Paper: ibm.co/11HQdfc

Learn more about IBM QRadar Security Intelligence

Download the 2013 Gartner Magic Quadrant for SIEM : http://ibm.co/GMQ

Page 36: Five critical conditions to maximizing security intelligence investments


www.ibm.com/security

© Copyright IBM Corporation 2013. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind, express or implied. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, these materials. Nothing contained in these materials is intended to, nor shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software. References in these materials to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates. Product release dates and/or capabilities referenced in these materials may change at any time at IBM’s sole discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any way. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service marks of others.

Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed or misappropriated or can result in damage to or misuse of your systems, including to attack others. No IT system or product should be considered completely secure and no single product or security measure can be completely effective in preventing improper access. IBM systems and products are designed to be part of a comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective. IBM DOES NOT WARRANT THAT SYSTEMS AND PRODUCTS ARE IMMUNE FROM THE MALICIOUS OR ILLEGAL CONDUCT OF ANY PARTY.


