
Key Findings from the 2015 IBM Cyber Security Intelligence Index

Date post: 14-Aug-2015
Upload: ibm-security
Transcript
Page 1: Key Findings from the 2015 IBM Cyber Security Intelligence Index

2015 IBM Cyber Security Intelligence Index

July 2015

© 2015 IBM Corporation

Page 2: Key Findings from the 2015 IBM Cyber Security Intelligence Index

Today’s panelists

• Nick Bradley, Practice Lead Threat Research Group, IBM Security, @bradleyv20
• Nick Coleman, Global Head Cyber Security Intelligence, IBM Security, @colemansec
• Adam Trunkey, Global Marketing Security Services, IBM Security, @atrunkey

Page 3: Key Findings from the 2015 IBM Cyber Security Intelligence Index

Agenda – about this session

Our goal is to help you better understand the current threat landscape:

1. Looking at the volume of attacks, the industries most affected and the most prevalent types of attacks, using the newly released Cyber Security Intelligence Index
2. Sharing some deeper insights into the Cyber Security threat landscape – what it means to companies and how you, as a Security leader, can better equip your organization for success against the evolving global threat landscape
3. Providing some example use cases that are meaningful to customers, that can help you better understand key threats that are occurring and how to use threat intelligence to help you minimize risks in your organization

Page 4: Key Findings from the 2015 IBM Cyber Security Intelligence Index

What is happening in the threat landscape - The challenges of keeping up with a perpetually evolving cyber security environment.

• 61% of organizations say data theft and cybercrime are the greatest threats to their reputation (2012 IBM Global Reputational Risk & IT Study)
• Average data breach in the US cost $6.5 million (2015 Cost of Data Breach Study: Global Analysis, Ponemon Institute)
• 80% of enterprises have difficulty finding the security skills they need (2013 Forrester Consulting, “Surviving the Technical Security Skills Crisis”)
• 85 tools from 45 vendors (IBM client example)
• 70% of security execs are concerned about cloud and mobile security (2013 IBM CISO Survey)
• Mobile malware is affecting 11.6M mobile devices (IBM X-Force® Threat Intelligence Quarterly 1Q 2015)

Page 5: Key Findings from the 2015 IBM Cyber Security Intelligence Index

How we see the threat landscape

Page 6: Key Findings from the 2015 IBM Cyber Security Intelligence Index

2014 was the year the Internet fell apart, with data breaches making regular front-page headlines. And this has continued into 2015…

2014

• January: Large U.S. arts and crafts retailer reveals long-running malware-related breach affecting several million payment cards
• August: In one of the largest healthcare data breaches in the U.S., the Social Security numbers and other data for millions of patients were compromised
• September: A major U.S. home goods retailer fell victim to a point-of-sale attack that affected thousands of stores, exposed millions of payment card data records and resulted in theft of millions of email addresses

Page 7: Key Findings from the 2015 IBM Cyber Security Intelligence Index

The IBM 2015 Cyber Security Intelligence Index is a key way IBM sheds light on what is happening across the threat landscape.

Source of data for the Index

• Cyber security event data collected in the course of monitoring client security devices
• Data derived from responding to and performing forensics on client cyber security incidents

Date range for this report: 1 January 2014 – 31 December 2014

Key questions addressed

• What’s happening across the threat landscape?
• What kinds of attacks are being launched?
• How many of those attacks result in incidents requiring investigation?

Worldwide IBM Cyber Security Intelligence Index based upon:

• Billions of security events every year
• A sample of over 1,000 clients
• 133 monitored countries

“Average” client described in this report:

• Between 1,000 and 5,000 employees
• Approximately 500 security devices deployed within the network

Designed to complement the IBM X-Force® Quarterly Report

Page 8: Key Findings from the 2015 IBM Cyber Security Intelligence Index

Two industries were targeted in over 50 percent of all incidents observed by IBM.

Incident rates across monitored industries

2013

• Finance and insurance: 20.80%
• Manufacturing: 21.70%
• Information and communication: 18.60%
• Retail and wholesale: 6.20%
• Health and social services: 5.80%

2014

• Finance and insurance: 25.33%
• Information and communication: 19.08%
• Manufacturing: 17.79%
• Retail and wholesale: 9.37%
• Electric and utilities: 5.08%

Page 9: Key Findings from the 2015 IBM Cyber Security Intelligence Index

For the average client, IBM filters 81,342,747 security events to identify the 109 security incidents that can potentially do harm.

Annual security events, attacks and incidents

2013

• Events: 91,765,453
• Attacks: 18,856
• Incidents: 109
• Incident-to-attack ratio: .65%

2014

• Events: 81,342,747
• Attacks: 12,017
• Incidents: 109
• Incident-to-attack ratio: .91%

Definitions

• Event: Activity on a system or network detected by a security device or application
• Attack: Malicious activity attempting to collect, disrupt or destroy information or system resources
• Incident: Attack serious enough to warrant deeper investigation

Page 10: Key Findings from the 2015 IBM Cyber Security Intelligence Index

Unauthorized access, malicious code and sustained probes or scans dominate the threat landscape.

Categories of security incidents among the top five industries

2013

• Malicious code: 38%
• Sustained probe/scan: 20%
• Unauthorized access: 19%
• Suspicious activity: 12%
• Access or credentials abuse: 9%
• Denial of service: 2%

2014

• Unauthorized access: 37%
• Malicious code: 20%
• Sustained probe/scan: 20%
• Suspicious activity: 11%
• Access or credentials abuse: 8%
• Denial of service: 4%

Page 11: Key Findings from the 2015 IBM Cyber Security Intelligence Index

Three “malware-less” threats emerged that exploit existing but unknown vulnerabilities.

ShellShock

• Attackers targeted existing vulnerabilities in the UNIX shell
• Rapid response by cyber criminals following news of vulnerabilities
• Example of “malware-less” attack—more difficult to detect

Heartbleed

• Exploits vulnerability in OpenSSL protocol
• Allows attackers to access and read memory of systems thought to be protected
• IBM has tracked over 1.8M Heartbleed attacks against customers

Unicorn

• Discovered by IBM, Unicorn is a complex vulnerability in Microsoft Internet Explorer
• Allows remote code to gain control access to programs via a data-only attack

Page 12: Key Findings from the 2015 IBM Cyber Security Intelligence Index

Who are the bad guys?

Actor categories: Outsiders, Malicious insiders, Inadvertent actors

Chart values: 38%, 31.5%, 23.5%

55% of attacks came from people who had insider access to an organization’s systems

Page 13: Key Findings from the 2015 IBM Cyber Security Intelligence Index

Where are these attackers located, and what are the threat levels by country?

Page 14: Key Findings from the 2015 IBM Cyber Security Intelligence Index

And from the IBM sponsored work of the Ponemon Institute, we can see the cost of a data breach is on the rise.

NEW DATA from the 2015 Cost of Data Breach Study: Global Analysis

Independently conducted by Ponemon Institute, Sponsored by IBM

• $154: Average global cost per record compromised (up 12% over 2 years)
• $3.8 million: Average global total cost per data breach (up 23% over 2 years)
• $1.57 million: Average cost of lost business per data breach

Page 15: Key Findings from the 2015 IBM Cyber Security Intelligence Index

Global and country-specific averages show key data breach costs.

Cost per record*

• Global average: $136, $154; 12% increase over two years
• Highest countries: $217 in the U.S., $211 in Germany
• Lowest countries: $78 in Brazil, $56 in India

Cost per incident*

• Global average: $3.8M; 23% increase over two years
• Highest countries: $6.5M in the U.S., $4.9M in Germany
• Lowest countries: $1.8M in Brazil, $1.5M in India

*Currencies converted to US dollars

Page 16: Key Findings from the 2015 IBM Cyber Security Intelligence Index

Per-record data breach costs vary widely, with a significant year-to-year increase in several industries.

• Healthcare: $363
• Financial: $215
• Retail: $165
• Industrial: $155
• Consumer: $136
• Energy: $132
• Technology: $127
• Public: $68

* Currencies converted to US dollars

Page 17: Key Findings from the 2015 IBM Cyber Security Intelligence Index

With threats and costs of a breach increasing, optimizing threat prevention and response can be a challenge for any organization.

Ever-increasing proliferation of data sources

Internal: threats and exposures that affect a specific organization

• Firewall logs
• Proxy logs
• IDS/IPS logs
• Web logs
• Application logs
• Authentication logs
• Malware detection logs
• Email logs
• Network security logs
• Building access logs
• Fraud payment logs
• CSIRT incidents
• Vulnerability patch management
• DNS/DHCP logs
• Call/IVR logs
• Endpoint security logs
• Employee directory
• SSO/LDAP context
• Application inventory
• Website marketing analytics

External: third party insight; industry- and geography-specific threats and trends

• Malware hashes / MD5
• Brand abuse phishing indicators
• Malware campaigns/indicators
• Fraud payment logs
• Top tier phishing indicators
• Customer asset / credentials
• Threat landscape intel
• Intel as a service (IaaS)
• Staff asset / credentials
• Industry threat intel sharing
• Public sector threat intel
• ISAC threat intel
• Law enforcement threat intel
• Passive DNS intel
• OSINT sentiment analysis
• Underground/dark Web intel
• IP reputation intel
• Actor intel/indicators
• Human Intel (HUMINT)
• Technical Intel (TECHINT)

Abbreviations: Intrusion detection system / intrusion prevention system (IDS/IPS); Single sign-on (SSO) / lightweight directory access protocol (LDAP); Computer security incident response team (CSIRT); Domain name system (DNS) / dynamic host configuration protocol (DHCP); Interactive voice response (IVR); Information sharing and analysis center (ISAC); Intellectual property (IP); Open source intelligence (OSI); Malware detection or defense system (MDS)

Page 18: Key Findings from the 2015 IBM Cyber Security Intelligence Index

Operationalizing intelligence enables organizations to answer the most critical questions about today’s threats.

• Who are the adversaries I should be most concerned about?
• What campaigns are targeting organizations like mine?
• Who is vulnerable to their kinds of attacks? Have others already been attacked?
• How is attacker behavior trending?
• How can I better adapt my defense posture to counter these adversaries? How have other victims reacted?
• What is the nature of my adversary? Criminal? Industrialized or highly focused?
• What kinds of tools, techniques & practices are adversaries using & how serious are they?

Page 19: Key Findings from the 2015 IBM Cyber Security Intelligence Index

But many organizations still lack a comprehensive approach to put their security intelligence strategy into action.

• What tradecraft are others seeing?
• What findings are most relevant?
• How can I utilize this intel?
• What is the fastest route to containment and controlled loss?
• Are my people in the right place, doing the right things?
• How should incidents and response shape strategy?
• How can I expand my strategy to address cloud-based risk?
• How can I optimize visibility with intelligence and SIEM?
• How can I better plan, allocate and respond with expertise?
• How can I learn from and apply experience with real-world threats?

Areas: PLANNING AND BUILDING CAPABILITY; LEVERAGING INTELLIGENCE; MANAGING RESPONSE

How can I strengthen and extend my current investment in security operations?

Security Intelligence Platform

How do I address phases of an attack lifecycle?

Page 20: Key Findings from the 2015 IBM Cyber Security Intelligence Index

Security intelligence underpins the overall security challenge. It is core to IBM’s approach with clients.

Buyers: CISO, CIO, and Line-of-Business

Deliver a broad portfolio of solutions differentiated through their integration and innovation to address the latest trends

Key Security Trends

• Advanced Threats
• Skills Shortage
• Cloud
• Mobile and Internet of Things
• Compliance Mandates

IBM Security Portfolio

• Strategy, Risk and Compliance
• Cybersecurity Assessment and Response
• Security Intelligence and Operations
• Advanced Fraud Protection
• Identity and Access Management
• Data Security
• Application Security
• Network, Mobile and Endpoint Protection
• Advanced Threat and Security Research

1. Support the CISO agenda
2. Innovate around megatrends
3. Lead in selected segments

Page 21: Key Findings from the 2015 IBM Cyber Security Intelligence Index

What makes IBM Security different – global view of threat.

monitored countries (MSS)

service delivery experts

devices under contract+

endpoints protected+

events managed per day+

IBM Security by the Numbers

+

+

Page 22: Key Findings from the 2015 IBM Cyber Security Intelligence Index

How can the Index help you? Key questions to ask about your organization’s exposure.

What level of events, attacks, incidents are you seeing?

• Events – what is the tuning, and how efficiently is your SOC / SIEM working for you?
• Are you getting the right use cases and data to allow you to manage and see the threats?
• Do you have the right intelligence processing and insight you need today to see?

Are you prepared and able to respond to the incidents?

• Do you have the intelligence to be able to see what is happening out there?
• How many incidents are you facing a year? Do you have the support and preparation you need?

Page 23: Key Findings from the 2015 IBM Cyber Security Intelligence Index

Cybersecurity Awareness Executive Briefing – Security Services

Behind the scenes illustration of modern cyber attacks

Cyber attacks happen on a daily basis – we see them on the news but how do they happen and why?

A 2-hour briefing that goes behind the scenes, using real-world scenarios, illustrative examples, and interactive demonstrations to examine the anatomy of modern cyber attacks:

• The 5-stage chain attackers typically follow
• Common methods and attack surfaces
• The role of social media
• Technological advancement and operational sophistication

Generate executive level awareness on current threat level, cyber risk profile, global trends, potential attack impact and essential practices

Discuss key actions that can be taken today to better protect yourself and your organization

• Data
• Infrastructure
• People

Page 24: Key Findings from the 2015 IBM Cyber Security Intelligence Index

IBM can help you chart the course to a more secure organization.

Learn more!

• Download the 2015 Cyber Security Intelligence Index
• Download the 2015 Cost of Data Breach Study

Contact your IBM sales representative for a discussion on:

• Cyber Security Assessment and Response Services
• Advanced Threat Intelligence or other IBM Security offerings

Page 25: Key Findings from the 2015 IBM Cyber Security Intelligence Index

© Copyright IBM Corporation 2015. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind, express or implied. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, these materials. Nothing contained in these materials is intended to, nor shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software. References in these materials to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates. Product release dates and / or capabilities referenced in these materials may change at any time at IBM’s sole discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any way. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service marks of others.

Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed, misappropriated or misused or can result in damage to or misuse of your systems, including for use in attacks on others. No IT system or product should be considered completely secure and no single product, service or security measure can be completely effective in preventing improper use or access. IBM systems, products and services are designed to be part of a lawful, comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective. IBM DOES NOT WARRANT THAT ANY SYSTEMS, PRODUCTS OR SERVICES ARE IMMUNE FROM, OR WILL MAKE YOUR ENTERPRISE IMMUNE FROM, THE MALICIOUS OR ILLEGAL CONDUCT OF ANY PARTY.

THANK YOU

www.ibm.com/security

