DSS ITSEC Conference 2012 - SIEM Q1 Labs IBM Security Systems Intelligence
  1. IBM Security Systems – Security strategies to stay out of the headlines. Q1 Labs, an IBM Company. Presented by Andris Soroka, Data Security Solutions, Q1 Labs' first certified partner in the Baltics. © 2012 IBM Corporation
  2. Who we are – specialised in security:
     • Innovative, selected software, hardware and hybrid solutions from leading technology vendors in over 10 countries
     • IT security consulting (vulnerability assessment tests, security audits, integration of new systems, HR training, technical support)
     • First in the Baltics to integrate several innovative IT security solutions that had not been deployed there before
     • First certified Q1 Labs partner in the Baltic States, now an IBM Business Partner continuing to work with the IBM Security portfolio
  3. According to the 2011 Verizon Data Breach Report, 86 percent of breached organizations failed to detect that their networks were hacked.
  4. Headlines change, cybercrime increases. The chart contrasts the first decade of the commercial Internet (1995–2005) with the second (2005–2015), plotting motive against adversary:
     • Curiosity – script-kiddies or hackers using tools and web-based "how-to's"
     • Revenge – insiders, using inside information
     • Monetary gain – organized crime, using sophisticated tools
     • Political activism, espionage, competitors – hacktivists
     • National security – nation-state actors; targeted attacks / Advanced Persistent Threat
  5. What happens in the IT security world? A maze of around 1,500 IT security vendors covering:
     • Endpoint security – platforms and point solutions
     • Data security – DLP suites and point solutions
     • Network security – gateway solutions, NAC, visibility, NBA
     • Authentication, authorization etc. – traditional and next-generation identity protection
     • Virtualization and cloud security
     • IT security governance
     • Operational management and security
     • Mobile security
  6. What do we propose? Security Intelligence (noun): 1. the real-time collection, normalization, and analytics of the data generated by users, applications and infrastructure that impacts the IT security and risk posture of an enterprise. Security Intelligence provides actionable and comprehensive insight for managing risks and threats, from protection and detection through remediation.
  7. The "log jam": which logs, from where, and in which tool silo.
     • What logs – audit logs, transaction logs, intrusion logs, connection logs, system performance records, user activity logs, alerts and messages from different systems
     • From where – firewalls / intrusion prevention, routers / switches, intrusion detection, servers, desktops, mainframes, business applications, databases, network servers, homegrown applications, antivirus software, VPNs
     • Tool silos – operational IT and network management, identity governance and compliance, security operations
     • You cannot control what you cannot see!
  8. IBM Security Systems (image-only slide, no extractable text)
  9. IBM Security Systems (image-only slide, no extractable text)
  10. Fully Integrated Security Intelligence – one console security, built on a single data architecture:
     • Log Management – turnkey log management; SME to enterprise; upgradeable to enterprise SIEM
     • SIEM – integrated log, threat, risk and compliance management; sophisticated event analytics; asset profiling and flow analytics; offense management and workflow
     • Risk Management – predictive threat modeling and simulation; scalable configuration monitoring and audit; advanced threat visualization and impact analysis
     • Network Activity and Anomaly Detection – network analytics; behavior and anomaly detection; fully integrated with SIEM
     • Network and Application Visibility – Layer 7 application monitoring; content capture; physical and virtual environments
  11. Fully Integrated Security Intelligence (repeats the component diagram of slide 10: Log Management, SIEM, Risk Management, Network Activity and Anomaly Detection, Network and Application Visibility, built on a single data architecture)
  12. Q1 Labs – the Security Intelligence leader.
     • Who is Q1 Labs: an innovative Security Intelligence software company; one of the largest and most successful SIEM vendors; leader in the Gartner Magic Quadrant (2009–2012)
     • Award-winning solutions: a family of next-generation Log Management, SIEM, Risk Management and Security Intelligence solutions
     • Proven and growing rapidly: thousands of customers worldwide; five-year average annual revenue growth of 70%+
     • Now part of IBM Security Systems: unmatched security expertise and breadth of integrated capabilities
  13. Security Intelligence use cases (section divider)
  14. Clear and concise delivery of the most relevant information: What was the attack? Was it successful? Who was responsible? Where do I find them? How valuable are they to the business? How many targets were involved? Are any of them vulnerable? Where is all the evidence?
  15. Total Security Intelligence – how do we address the challenges?
     • Reduce big data
     • Detect Advanced Persistent Threats
     • Predict attacks
     • Manage risk
  16. Big data: reduce your data silo down
  17. Reducing data silos – how it looks in QRadar: a single incident derived from ~20k events and 355 flows. QRadar automatically pulls all related events and flows into a single security incident, highlights its magnitude and importance, and reduces the daily volume to a manageable number.
  18. Total Security Intelligence – how do we address the challenges? (agenda repeated: reduce big data; detect Advanced Persistent Threats; predict attacks; manage risk)
  19. Anatomy of an APT – communications company:
     • –6 months: attackers create a Trojan
     • Day 0: a third-party software update server is compromised and the Trojan is "auto-updated" onto the corporate network; port 8080 is used for C&C activities; 60+ corporate computers are infected with a backdoor agent
     • Day 8: 35M records stolen
  20. Activity / behaviour monitoring, flow analytics, anomaly detection:
     • Behaviour / activity baselining of users and processes
     • Helps detect day-zero attacks and covert channels that have no signature or AV / IPS detection
     • Provides definitive evidence of attack
     • Enables visibility into attacker communications
     • Network traffic does not lie: attackers can stop logging and erase their tracks, but cannot cut off the network (flow data)
  21. Activity and data access monitoring:
     • Visualize data risks – automated charting and reporting on potential database breaches
     • Correlate database and other network activity – enrich database security alerts with anomaly detection and flow analysis
     • Better detect serious breaches – 360-degree visibility helps distinguish true breaches from benign activity, in real time
  22. Anomaly detection and APTs: user and application activity monitoring alerts to a user anomaly for Oracle database access. Identify the user, the normal access behaviour and the anomalous behaviour, with all source and destination information, for quickly resolving the persistent threat.
  23. Stealthy malware detection:
     • Potential botnet detected? This is as far as traditional SIEM can go.
     • IRC on port 80? QFlow detects a covert channel, using Layer 7 flows and deep packet inspection.
     • Irrefutable botnet communication: Layer 7 flow data shows the botnet command-and-control instructions.
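The "IRC on port 80" finding on slide 23 comes from classifying a flow by its payload rather than by its destination port. The following is an added example of that idea, not code from the slides or from QFlow/QRadar: a minimal content-based protocol identifier over a few constructed flows (the `Flow` type, the port table and the sample addresses are assumptions), which reports every flow whose observed application protocol disagrees with what the port is expected to carry.

```python
"""Content-based protocol identification versus port-based assumptions.

Added example (not QFlow's code). Traditional port-only analysis calls
anything to TCP/80 "web"; looking at the first client bytes instead lets a
defender flag an IRC session hiding on port 80 as a covert channel.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    payload: bytes  # first bytes of the client-to-server stream


# Assumption: the protocol each port is expected to carry (minimal table).
EXPECTED_BY_PORT = {80: "http", 443: "tls", 6667: "irc"}

_HTTP_REQUEST = re.compile(
    rb"^(GET|POST|HEAD|PUT|DELETE|OPTIONS|CONNECT) \S+ HTTP/1\.[01]\r\n"
)
# IRC client commands at the start of a line; two or more is strong evidence.
_IRC_COMMAND = re.compile(rb"^(NICK|USER|JOIN|PRIVMSG|PASS|PING|PONG) ", re.M)


def identify_protocol(payload: bytes) -> str:
    """Classify a payload prefix by content, ignoring the port entirely."""
    if _HTTP_REQUEST.match(payload):
        return "http"
    if payload[:2] == b"\x16\x03":  # TLS record: handshake, version 3.x
        return "tls"
    if len(_IRC_COMMAND.findall(payload)) >= 2:
        return "irc"
    return "unknown"


def covert_channel_findings(flows):
    """Return flows whose observed protocol contradicts the port's expected one."""
    findings = []
    for f in flows:
        observed = identify_protocol(f.payload)
        expected = EXPECTED_BY_PORT.get(f.dport)
        if expected is not None and observed not in ("unknown", expected):
            findings.append(
                {"src": f.src, "dst": f.dst, "dport": f.dport,
                 "expected": expected, "observed": observed}
            )
    return findings


# Constructed sample flows (documentation address ranges, invented payloads).
SAMPLE_FLOWS = [
    Flow("10.0.0.5", "203.0.113.10", 80,
         b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
    Flow("10.0.0.7", "198.51.100.9", 80,
         b"NICK w0rk7\r\nUSER w0rk7 0 * :w0rk7\r\nJOIN #ch4n\r\n"),
    Flow("10.0.0.9", "198.51.100.9", 443,
         b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1"),
]

if __name__ == "__main__":
    for finding in covert_channel_findings(SAMPLE_FLOWS):
        print(finding)
```

Only the second flow is reported: it is HTTP by port but IRC by content. Requiring two IRC commands rather than one keeps a stray "PING " substring in an HTTP body from raising a finding, which is the kind of false-positive control a deep-packet-inspection rule needs.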
  24. Total Security Intelligence – how do we address the challenges? (agenda repeated: reduce big data; detect Advanced Persistent Threats; predict attacks; manage risk)
  25. The Security Intelligence timeline: proactive vs. headlines
  26. Predicting an attack – how it looks in QRadar: multiple IPs attack one IP. Drilling into one superflow record shows all the IP records contributing to the attack, all pulled together in one offence that is detected and raised immediately to the security team.
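Slides 17 and 26 both rest on the same mechanism: thousands of raw events and flows that share a target are folded into one offense carrying a magnitude, so the analyst sees a single ranked incident instead of 20k rows. The block below is an added illustration of that aggregation and is not QRadar's implementation; the event and flow records, the keying on the attacked host and the magnitude formula are all assumptions made for the example.

```python
"""Folding many events and flows into a single offense per target.

Added example, not QRadar's code. Every event or flow naming the same
destination host is attached to one Offense; the offense tracks the set of
distinct attacking sources, first/last seen, and a 1..10 magnitude that
rises with volume (log-scaled) and with the number of distinct attackers.
"""
import math
from dataclasses import dataclass, field


@dataclass
class Event:
    ts: int        # epoch seconds (constructed)
    src: str
    dst: str
    category: str  # e.g. "recon", "exploit", "auth-failure"


@dataclass
class Flow:
    ts: int
    src: str
    dst: str
    dport: int


@dataclass
class Offense:
    target: str
    first_seen: int
    last_seen: int
    attackers: set = field(default_factory=set)
    categories: set = field(default_factory=set)
    event_count: int = 0
    flow_count: int = 0

    @property
    def magnitude(self) -> int:
        """Assumed scoring: log10 of volume plus distinct attackers (capped at 5)."""
        volume = math.log10(self.event_count + self.flow_count + 1)
        breadth = min(len(self.attackers), 5)
        return max(1, min(10, round(volume + breadth)))


def build_offenses(events, flows):
    """Group events and flows by attacked host; return offenses, highest magnitude first."""
    offenses = {}

    def offense_for(target, ts):
        o = offenses.get(target)
        if o is None:
            o = offenses[target] = Offense(target, ts, ts)
        o.first_seen = min(o.first_seen, ts)
        o.last_seen = max(o.last_seen, ts)
        return o

    for e in events:
        o = offense_for(e.dst, e.ts)
        o.attackers.add(e.src)
        o.categories.add(e.category)
        o.event_count += 1
    for f in flows:
        o = offense_for(f.dst, f.ts)
        o.attackers.add(f.src)
        o.flow_count += 1
    return sorted(offenses.values(), key=lambda o: o.magnitude, reverse=True)


def sample_offenses():
    """Constructed input mirroring slide 17: ~20k events + 355 flows against one host."""
    attackers = [f"198.51.100.{i}" for i in range(1, 13)]   # 12 distinct sources
    categories = ["recon", "exploit", "auth-failure"]
    target = "10.0.1.20"
    events = [Event(1_000_000 + i, attackers[i % 12], target, categories[i % 3])
              for i in range(20_000)]
    flows = [Flow(1_000_000 + i, attackers[i % 12], target, 445) for i in range(355)]
    # A little unrelated noise against a second host.
    events += [Event(1_000_500 + i, "192.0.2.8", "10.0.1.21", "recon") for i in range(3)]
    return build_offenses(events, flows)


if __name__ == "__main__":
    for o in sample_offenses():
        print(o.target, o.magnitude, len(o.attackers), o.event_count, o.flow_count)
```

The 20,355 records collapse into two offenses; the one against 10.0.1.20 scores 9 on the assumed scale because of both its volume and its twelve distinct sources, while the three-event noise offense scores 2. Any real deployment would key offenses on more than the target (source, rule, time window) and tune the scoring, but the reduction from rows to ranked incidents is the point the slides make.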
  27. Total Security Intelligence – how do we address the challenges? (agenda repeated: reduce big data; detect Advanced Persistent Threats; predict attacks; manage risk)
  28. Managing risk: CISOs know it is not if, but when, they get hacked; yet there is still a gap in the ability to detect a breach.
     • Breaches are taking longer to discover
     • Breaches are not being discovered internally
     Charts from Verizon 2011 Investigative Response Caseload Review.
  29. How it looks in QRadar – potential data loss? Who, what, where: Who? An internal user. What? Oracle data. Where? Gmail.
  30. QRadar: the most intelligent, integrated, automated Security Intelligence platform.
     • Proactive threat management
     • Identifies the most critical anomalies
     • Rapid, complete impact analysis
     • Eliminates silos
     • Easy deployment
     • Highly scalable
     • Rapid time to value
     • Flexible, future-proof
     • Operational efficiency
  31. What to do next?
     • Visit our stand
     • Download the Gartner SIEM Critical Capabilities Report: http://q1labs.com/resource-center/analyst-reports/details.aspx?id=151
     • Read our blog: http://blog.q1labs.com/
     • Follow us on Twitter: @q1labs @ibmsecurity
  32. ibm.com/security. © Copyright IBM Corporation 2012. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind, express or implied. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, these materials. Nothing contained in these materials is intended to, nor shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software. References in these materials to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates. Product release dates and/or capabilities referenced in these materials may change at any time at IBM's sole discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any way. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service marks of others. Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed or misappropriated or can result in damage to or misuse of your systems, including to attack others. No IT system or product should be considered completely secure and no single product or security measure can be completely effective in preventing improper access. IBM systems and products are designed to be part of a comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective. IBM DOES NOT WARRANT THAT SYSTEMS AND PRODUCTS ARE IMMUNE FROM THE MALICIOUS OR ILLEGAL CONDUCT OF ANY PARTY.