Reboot Communications | Home - Reboot Communications - … · 2018-04-03 · #1-3 from “Effective...

IBM Security Systems

Effectively Using Security Intelligence to

Detect Threats and Exceed Compliance

© 2012 IBM Corporation1© 2012 IBM Corporation

Chris PoulinSecurity Strategist, IBM

Reboot Conference 2012


Security Threats Affect the Business

Business Supply chain Legal Impact of Audit riskBrand image

© 2012 IBM Corporation2

Business results

Sony estimates potential $1B long term impact –$171M / 100 customers*

Supply chain

Epsilon breach impacts 100 national brands

Legal exposure

TJX estimates $150M class action settlement in release of credit / debit card info

Impact of hacktivism

Lulzsec 50-day hack-at-will spree impacts Nintendo, CIA, PBS, UK NHS, UK SOCA, Sony …

Audit risk

Zurich Insurance PLc fined £2.275M ($3.8M) for the loss and exposure of 46K customer records

Brand image

HSBC data breach discloses 24K private banking customers

*Sources for all breaches shown in speaker notes


Attacks from All Sides

Cyber vandalsCyber vandals

Cyber crimeCyber crimeHacktivistsHacktivists

Cyber warfareCyber warfare

Nation statesNation statesTargets of opportunityTargets of opportunity

Targets of choiceTargets of choice


Cyber terrorismCyber terrorism

Cyber espionageCyber espionage

Corporate espionageCorporate espionage

InsidersInsiders

Targets of choiceTargets of choice

APTsAPTsData Data exfiltrationexfiltration

ClientClient--side vulnerabilitiesside vulnerabilities


Sophistication of Threats, Attackers, & Motives is Escalating

National Security

Espionage,Competitors, Hacktivists

Nation-state Actors; Targeted Attacks /

Advanced Persistent Threat

1995 – 20051st Decade of the Commercial Internet

2005 – 20152nd Decade of the Commercial Internet

Motive


Adversary

Monetary Gain

Espionage,Political Activism

Revenge

Curiosity Script-kiddies or hackers using tools, web-based “how-to’s”

Insiders, using inside information

Organized Crime, using sophisticated tools

Competitors, Hacktivists


And Yet the Compromises are Mostly Avoidable


Source: IBM X-Force® 2011 Trend and Risk Report – March 2012


Not If, but When

� Breaches are taking longer to discover

� Breaches are not being discovered internally

© 2012 IBM Corporation6 Charts from Verizon 2011 Investigative Response Caseload Review


92% of Breaches Are Undetected by Breached Organization


Source: 2012 Data Breach Investigations Report


…but all is not lost…

© 2012 IBM Corporation8 © 2012 IBM Corporation8


Choose the Right Technology

Protection technology is critical, but choose wisely


There is no magic security technology


People and Processes First

A lesson from airport security:

Instead of expensive equipment, use what works

In Israel

• No plane departing Ben Gurion Airport has ever been hijacked

• Use human intelligence


• Use human intelligence

• “Questioning” looks for suspicious behavior

• Simple metal detectors

Scotland Yard

• 24+ men planned to smuggle explosive liquids

• Foiled beforehand because of intelligence

• Before they even got to the airport


80%20% Security

No Perfect Protection: Asymptotes Never Reach Zero


80%THREATS

20% Security Technology Budget


Security is a Complex, Four-Dimensional Puzzle

People

Data

Employees Consultants Hackers Terrorists Outsourcers Customers Suppliers

Structured Unstructured At rest In motion


Applications

Infrastructure

Systems applications Web applications Web 2.0 Mobile apps

It is no longer enough to protect the perimeter –siloed point products will not secure the enterprise


What Gartner is Saying About the Need for Context

� “The rapid discovery of a breach is key to minimizing the damage of a targeted attack, but most organizations do not have adequate breach detection capabilities.”

Mark Nicollet, Managing VP, Gartner Security, Risk &

Compliance


detection capabilities.”

� “Since perfect defenses are not practical or achievable, organizations need to augment vulnerability management and shielding with more-effective monitoring.”

� “The addition of context, such as user, application, asset, data and threat, to security event monitoring will increase the likelihood of early discovery of a targeted attack.”

� “We need to get better at discovering the changes in normal activity patterns that are the early signal of an attack or breach.”

#1-3 from “Effective Security Monitoring Requires Context,” Gartner, 16 January 2012, G00227893

#4 from “Using SIEM for Targeted Attack Detection,” Gartner, 20 March 2012, G00227898


What is Security Intelligence?

Security Intelligence

--noun

1.the real-time collection, normalization, and analytics of the data generated by users, applications and infrastructure that impacts the IT security and risk posture of an enterprise


Security Intelligence provides actionable and comprehensive insight for managing risks and threats from protection and

detection through remediation


Security Intelligence Timeline


Prediction & Prevention

Risk Management. Vulnerability Management. Configuration Monitoring. Patch Management.

X-Force Research and Threat Intelligence. Compliance Management. Reporting and Scorecards.

Reaction & Remediation

SIEM. Log Management. Incident Response.Network and Host Intrusion Prevention.

Network Anomaly Detection. Packet Forensics. Database Activity Monitoring. Data Loss Prevention.


Context and Correlation Drive Deep Insight

Event Correlation

Activity Baselining & Anomaly

• Logs• Flows

• IP Reputation• Geo Location

Offense Identification

• Credibility

Database Activity

Servers & Hosts

Security Devices

Network & Virtual Activity


Extensive Data Sources

Deep Intelligence

Exceptionally Accurate and Actionable Insight+ =

Suspected Incidents

Activity Baselining & Anomaly Detection

• User Activity

• Database Activity

• Application Activity

• Network Activity

• Credibility• Severity• Relevance

Users & Identities

Vulnerability Info

Configuration Info

Application Activity


Security IntelligenceUse Cases


Use Cases


How Security Intelligence Can Help

� Continuously monitor all activity and correlate in real time

� Change & configuration management

� Gain visibility into unauthorized or anomalous activities

– High number of failed logins to critical servers -- brute-force password attack

– Query by DBA to credit card tables during off-hours – possible SQL injection attack


– Spike in network activity -- high download volume from SharePoint server

– Server (or thermostat) communicating with IP address in China

– Inappropriate use of protocols -- sensitive data being exfiltrated via P2P

– Configuration change -- unauthorized port being enabled for exfiltration

– Unusual Windows service -- backdoor or spyware program

� Automation => reduced cost & complexity, simplified compliance, lower TCO


Activity and Data Access Monitoring

Visualize Data Risks

Automated charting and reporting on potential attacks


Correlate System, Application, & Network Activity

Enrich security alerts with anomaly detection and flow analysis

Detect suspicious activity before it leads to a breach

360-degree visibility helps distinguish true breaches from benign activity, in real time


User Activity Monitoring to Combat Advanced Persistent Threats

User & Application Activity Monitoring alerts on a user anomaly for Oracle database access.

Identify the user, normal access behavior, and the


access behavior, and the anomaly behavior – with all source & destination information to quickly resolve the threat.


� Behaviour / activity base lining of users and processes

� Helps detect day-zero attacks and covert channels that have no signature or AV / IPS detection

� Provides definitive evidence of attack

� Enables visibility into attacker

Activity / Behavior Monitoring, Flow Analytics, Anomaly Detection


� Enables visibility into attacker communications

Network traffic does not lieAttackers can stop logging and erase their tracks, but can’t cut off the network (flow data)


Potential Botnet Detected?

This is as far as traditional SIEM can go

IRC on port 80?

IBM Security QRadar QFlow

Application and Threat Detection with Forensic Evidence


IBM Security QRadar QFlow detects a covert channel

Irrefutable Botnet Communication

Layer 7 flow data contains botnet command control instructions

Application layer flow analysis can detect threats others miss


Who is responsible for the data leak?

Data Leakage


Alert on data patterns, such as credit card

number, in real time.


Configuration & Risk

Network topology and open

paths of attack add context

Rules can take exposure

into account to:

• Prioritize offenses and

remediation


• Enforce policies

• Play out what-if scenarios


Detecting Insider Fraud and Data Loss

Who?

An internal user

Potential Data Loss

Who? What? Where?

What?


What?

Oracle data

Where?

Gmail

Threat detection in the post-perimeter world

User anomaly detection and application level visibility are criticalto identify inside threats


Other Use Cases

� Detect suspicious behavior

– Privileged actions being conducted from a contractor’s workstation

– DNS communications with external system flagged as malicious

� Detect policy violations

– Baseline against reality (CMDB)

– Social media, P2P, etc.

� Detect APTs

– File accesses out of the norm—behavior anomaly detection


– File accesses out of the norm—behavior anomaly detection

– Least used applications or external systems; occasional traffic

� Detect fraud

– Determine baselines on credit pulls or trading volumes, and detect anomalies

– Correlate eBanking PIN change with large money transfers

� Forensic evidence for prosecution

� Impact analysis

� Compliance

– Change & configuration management


Security Intelligence, Analytics &

GRC

People

Intelligent solutions provide the DNA to secure a Smarter Planet


Data

Applications

Infrastructure


Thank You!


Thank You!


ibm.com/security


© Copyright IBM Corporation 2012. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind, express or implied. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, these materials. Nothing contained in these materials is intended to, nor shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software. References in these materials to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates. Product release dates and/or capabilities referenced in these materials may change at any time at IBM’s sole discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any way. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service marks of others.

Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed or misappropriated or can result in damage to or misuse of your systems, including to attack others. No IT system or product should be considered completely secure and no single product or security measure can be completely effective in preventing improper access. IBM systems and products are designed to be part of a comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective. IBM DOES NOT WARRANT THAT SYSTEMS AND PRODUCTS ARE IMMUNE FROM THE MALICIOUS OR ILLEGAL CONDUCT OF ANY PARTY.

Date post:	15-Jul-2020
Category:	Documents
Upload:	others
View:	0 times
Download:	0 times

Reboot Communications | Home - Reboot Communications - … · 2018-04-03 · #1-3 from “Effective...

Documents