Security Intelligence

  1. IBM Security Systems. Take the Red Pill: Becoming One with Your Computing Environment using Security Intelligence. Chris Poulin, Security Strategist, IBM. Reboot Privacy & Security Conference 2013. © 2012 IBM Corporation
  2. Securing Information Resources is a Multi-Dimensional Puzzle. People: employees, outsourcers, suppliers, consultants, customers, hackers, terrorists. Data: structured and unstructured, at rest and in motion. Applications: systems, web, Web 2.0, mobile apps. Infrastructure. It is no longer possible to define and protect the perimeter; the focus has to shift to protecting the data itself. Point products are not sufficient to protect the enterprise.
  3. Getting Intimate with Your Computing Environment. How well do you know your applications? Their owners? Their activity patterns? Where sensitive data resides? Network activity patterns?
  4. Why Take the Red Pill? What's normal? What's suspect?
  5. How to Get There: Security Intelligence. Extensive data sources + deep intelligence = exceptionally accurate and actionable insight. Data sources: security devices, servers and hosts, network and virtual activity, vulnerability information, application activity, database activity, configuration information, users and identities. Intelligence: event correlation (logs, flows, IP reputation, geolocation); activity baselining and anomaly detection (user, database, application and network activity); offense identification (credibility, severity, relevance). Output: suspected incidents.
  6. What is Security Intelligence? Security Intelligence, noun: 1. the real-time collection, normalization and analytics of the data generated by users, applications and infrastructure that impacts the IT security and risk posture of an enterprise. Security Intelligence provides actionable and comprehensive insight for managing risks and threats, from protection and detection through remediation.
  7. Activity and Data Access Monitoring. Visualize data risks: automated charting and reporting on potential attacks. Correlate system, application and network activity: enrich security alerts with anomaly detection and flow analysis. Detect suspicious activity before it leads to a breach: 360-degree visibility helps distinguish true breaches from benign activity, in real time.
  8. Top Events by Log Type and Count
  9. Top Flows by Application and Total Bytes
  10. ...and Bottom Flows
  11. Data Leakage. Who is responsible for the data leak? Alert on data patterns, such as credit card numbers, in real time.
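The "alert on data patterns such as credit card numbers" slide describes a content match over event payloads. As an added example (not IBM or QRadar code), the block below scans constructed events for card-like digit runs, applies the Luhn check so that timestamps and order IDs do not fire, masks the number in the alert so the alert itself does not leak the PAN, and attributes each hit to its source address, which is the "who is responsible" question. The event shape, sample payloads and addresses are assumptions; the card numbers are well-known test PANs.

```python
"""Real-time alerting on credit-card-like numbers in event payloads.

Added example; not IBM/QRadar code. Assumes each event carries a text payload
(e.g. an HTTP body captured from a flow, or a log message). SAMPLE_EVENTS are
constructed for illustration; the card numbers are well-known test PANs.
"""
import re

# Candidate PAN: 13-19 digits, optionally grouped with spaces or dashes,
# not embedded in a longer digit run.
CARD_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check: drops most random digit runs (timestamps, order IDs)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_cards(text: str) -> list[str]:
    """Normalized PANs in text that pass the Luhn check."""
    hits = []
    for m in CARD_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            hits.append(digits)
    return hits


def mask(pan: str) -> str:
    """Keep the BIN (first 6) and last 4 so the alert itself does not leak the PAN."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def alert_on_events(events):
    """Yield (src, dst, masked PAN) per card number seen, attributing the
    leak to its source address (the 'who is responsible' question)."""
    for ev in events:
        for pan in find_cards(ev["payload"]):
            yield (ev["src"], ev["dst"], mask(pan))


SAMPLE_EVENTS = [  # constructed
    {"src": "10.1.5.23", "dst": "203.0.113.9",
     "payload": "POST /upload card=4111 1111 1111 1111 exp=12/29"},
    {"src": "10.1.5.24", "dst": "10.1.7.2",
     "payload": "GET /status id=1366000000000000"},      # 16 digits, fails Luhn
    {"src": "10.1.5.25", "dst": "198.51.100.7",
     "payload": "mail: pan 5500-0000-0000-0004 and 4111111111111111"},
    {"src": "10.1.5.26", "dst": "10.1.7.3",
     "payload": "nothing to see here 12345"},
]

if __name__ == "__main__":
    for src, dst, pan in alert_on_events(SAMPLE_EVENTS):
        print(f"ALERT card number {pan} sent {src} -> {dst}")
```

The Luhn check is what keeps this usable in real time: without it, every 16-digit identifier in the traffic is an alert. Two adjacent digit runs separated by a single space would still be joined by the separator-tolerant pattern, so on real traffic the tokenizer needs to be tuned to the formats the application actually emits.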
  12. Passively Discover & Profile Assets with NetFlow & QFlow
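Passive asset discovery means building the inventory from what actually answered on the wire rather than from what the CMDB claims. As an added example (not IBM QFlow or NetFlow code), the block below folds constructed bidirectional flow records into an asset table keyed by responder address, records the services each asset really serves and who talks to it, ignores unanswered connection attempts (probes, not services), and then diffs the result against a constructed CMDB extract to surface assets and listening ports the inventory has never heard of. The record layout, address ranges and inventory are assumptions.

```python
"""Passive asset discovery and profiling from bidirectional flow records.

Added example; not IBM QFlow/NetFlow code. Assumes flows are already parsed
into (ts, src, sport, dst, dport, proto, bytes_from_src, bytes_from_dst) with
src being the initiator. FLOWS, LOCAL_NETS and KNOWN_INVENTORY are constructed.
"""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass, field

LOCAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]    # assumption: monitored ranges


def is_local(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in LOCAL_NETS)


@dataclass
class Asset:
    ip: str
    first_seen: int
    last_seen: int
    services: dict = field(default_factory=lambda: defaultdict(int))  # (proto, port) -> flow count
    clients: set = field(default_factory=set)
    external_clients: set = field(default_factory=set)
    bytes_served: int = 0


def profile_assets(flows):
    """Build an asset table from what actually answered on the wire.

    A destination only counts as a service when the responder sent bytes back:
    a SYN to a closed or filtered port (b_dst == 0) is a probe, not a service."""
    assets = {}
    for ts, src, sport, dst, dport, proto, b_src, b_dst in flows:
        if b_dst == 0 or not is_local(dst):
            continue
        a = assets.get(dst)
        if a is None:
            a = assets[dst] = Asset(dst, ts, ts)
        a.last_seen = max(a.last_seen, ts)
        a.services[(proto, dport)] += 1
        a.clients.add(src)
        if not is_local(src):
            a.external_clients.add(src)     # service is reachable from outside
        a.bytes_served += b_dst
    return assets


def unknown_services(assets, known):
    """(proto, port) pairs observed on an asset but missing from the inventory
    (or the whole asset, when the inventory has never heard of it)."""
    findings = {}
    for ip, a in assets.items():
        unseen = set(a.services) - known.get(ip, set())
        if unseen:
            findings[ip] = unseen
    return findings


FLOWS = [  # constructed: ts, src, sport, dst, dport, proto, bytes from src, bytes from dst
    (1000, "10.1.5.23", 51522, "10.1.7.2", 1521, "tcp", 4200, 98000),
    (1005, "10.1.5.24", 51600, "10.1.7.2", 1521, "tcp", 3000, 45000),
    (1010, "10.1.5.23", 51700, "10.1.7.3", 443, "tcp", 1200, 30000),
    (1020, "198.51.100.7", 40000, "10.1.7.3", 443, "tcp", 900, 12000),
    (1030, "10.1.5.25", 51800, "10.1.7.4", 22, "tcp", 600, 0),         # unanswered: a probe, not a service
    (1040, "10.1.7.3", 53001, "10.1.7.5", 53, "udp", 80, 200),
    (1050, "10.1.5.23", 51900, "203.0.113.9", 443, "tcp", 500, 9000),  # external server: not our asset
]

KNOWN_INVENTORY = {  # constructed CMDB extract
    "10.1.7.2": {("tcp", 1521)},
    "10.1.7.3": {("tcp", 443)},
}

if __name__ == "__main__":
    assets = profile_assets(FLOWS)
    for ip, a in sorted(assets.items()):
        print(ip, dict(a.services), "external clients:", sorted(a.external_clients))
    print("not in CMDB:", unknown_services(assets, KNOWN_INVENTORY))
```

The diff against the inventory is where the value is: the DNS responder at 10.1.7.5 is serving traffic and nobody registered it, and 10.1.7.3 is answering an external client, which the CMDB alone would never tell you.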
  13. Enrich the Asset Database with VA Scans, Manual Entry, or CMDB Import
  14. Update Rules Automatically
  15. Customize Your Network Landscape for Contextual Visibility. Customize segment and system names for quick identification.
  16. Pivot by Geography
  17. Dashboards & Reporting, Customized per Role
  18. User Activity Monitoring to Combat Advanced Persistent Threats. User and application activity monitoring alerts on a user anomaly for Oracle database access. Identify the user, the normal access behavior and the anomalous behavior, with all source and destination information, to quickly resolve the threat.
  19. Baselining Complex Patterns. Complex patterns can be baselined. Anomalies take historical data into account, continuously. Baselines may incorporate seasonality.
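Slides 18 and 19 together describe one mechanism: a per-user baseline of database access that is learned from history, updated continuously, and aware of seasonality. As an added example (not QRadar code), the block below keeps a baseline keyed by entity and by (weekday, hour), scores a new hourly count as a z-score against that seasonal bucket, refuses to judge when there is too little history, and lets the caller fold each scored observation back in so the baseline keeps learning. The entity name "alice@ORDERS", the hourly counts and the thresholds are constructed assumptions; the point it makes is that 90 queries at 10:00 on a Tuesday is ordinary while the same 90 queries at 03:00 on a Sunday is a bulk pull.

```python
"""Seasonal activity baselining and anomaly scoring (per user, per data source).

Added example; not QRadar code. Assumes hourly counts of an entity's activity
(e.g. "alice@ORDERS" = queries by alice against the ORDERS table) have been
extracted from logs; the history built below is constructed, not real data.
"""
import statistics
from collections import defaultdict
from datetime import datetime, timedelta, timezone


def season(ts: datetime) -> tuple[int, int]:
    """Seasonal bucket: (weekday, hour). A weekly cycle captures both the
    hour-of-day and the weekend/weekday pattern of most business activity."""
    return (ts.weekday(), ts.hour)


class SeasonalBaseline:
    def __init__(self, min_samples: int = 3, sigma: float = 3.0, min_sd: float = 1.0):
        self.hist = defaultdict(list)      # (entity, season) -> observed values
        self.min_samples = min_samples     # do not judge without enough history
        self.sigma = sigma                 # z-score threshold for an offense
        self.min_sd = min_sd               # floor so a flat history does not divide by ~0

    def observe(self, entity: str, ts: datetime, value: float) -> None:
        """Fold an hourly count into the baseline. Call it after scoring so the
        baseline keeps learning from current activity ("continuously")."""
        self.hist[(entity, season(ts))].append(value)

    def score(self, entity: str, ts: datetime, value: float):
        """z-score of value against this entity's history for the same
        weekday/hour; None when there is too little history to judge."""
        samples = self.hist[(entity, season(ts))]
        if len(samples) < self.min_samples:
            return None
        mean = statistics.fmean(samples)
        sd = max(statistics.pstdev(samples), self.min_sd)
        return (value - mean) / sd

    def is_anomaly(self, entity: str, ts: datetime, value: float) -> bool:
        """Both directions count: a drop can be an outage or a silenced log source."""
        z = self.score(entity, ts, value)
        return z is not None and abs(z) > self.sigma


def build_baseline(weeks: int = 4) -> SeasonalBaseline:
    """Constructed history: 100-140 queries/hour in business hours on weekdays,
    5-9 otherwise, with deterministic jitter so the example is reproducible."""
    start = datetime(2013, 1, 7, tzinfo=timezone.utc)   # a Monday
    b = SeasonalBaseline()
    for d in range(weeks * 7):
        for h in range(24):
            ts = start + timedelta(days=d, hours=h)
            busy = ts.weekday() < 5 and 8 <= ts.hour < 18
            value = 100 + 10 * ((d + h) % 5) if busy else 5 + 2 * ((d + h) % 3)
            b.observe("alice@ORDERS", ts, value)
    return b


def demo() -> dict:
    """Score a few observations against the constructed baseline."""
    b = build_baseline()
    sunday_3am = datetime(2013, 2, 10, 3, tzinfo=timezone.utc)     # a Sunday
    tuesday_10am = datetime(2013, 2, 5, 10, tzinfo=timezone.utc)   # a Tuesday
    return {
        "sunday_03_90": b.score("alice@ORDERS", sunday_3am, 90),
        "tuesday_10_110": b.score("alice@ORDERS", tuesday_10am, 110),
        "tuesday_10_30": b.score("alice@ORDERS", tuesday_10am, 30),
        "unknown_user": b.score("bob@ORDERS", tuesday_10am, 30),   # no history: no verdict
    }


if __name__ == "__main__":
    for name, z in demo().items():
        print(f"{name}: z={z}")
```

The `None` verdict for an entity without history is deliberate: a SIEM that scores a brand-new user against an empty baseline either alerts on everything or on nothing, and both train analysts to ignore it.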
  20. Configuration & Risk. Network topology and open paths of attack add context. Rules can take exposure into account to: prioritize offenses and remediation; enforce policies; play out what-if scenarios.
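"Open paths of attack" is a reachability question over the topology, and "what-if" is the same question with a proposed rule added. As an added example (not QRadar Risk Manager code), the block below models zones and permitted zone-to-zone paths with their destination ports, computes which zones an attacker starting on the Internet could pivot into, and then discounts any vulnerability whose port no permitted path reaches. The zones, rules, assets and the placeholder vulnerability labels V1 to V3 are constructed (they are not real identifiers), and the discount weight is an assumption. The result is the prioritization the slide describes: a CVSS 9.8 SSH bug that only the corporate network can reach ranks below a CVSS 7.5 bug on the Internet-facing tier, until a what-if rule opens that port.

```python
"""Ranking vulnerabilities by exposure over the network topology.

Added example; not QRadar Risk Manager code. RULES (zone-to-zone paths with
the destination ports a firewall permits) and ASSETS (with placeholder
vulnerability labels V1..V3, not real identifiers) are constructed.
"""
from collections import defaultdict, deque

# (from zone, to zone, destination ports allowed)
RULES = [
    ("internet", "dmz", {443}),
    ("dmz", "app", {8080}),
    ("app", "db", {1521}),
    ("corp", "app", {8080, 22}),
    ("corp", "db", {1521, 22}),
]

ASSETS = {
    "web01": {"zone": "dmz", "vulns": [("V1", 443, 7.5)]},    # (label, listening port, CVSS)
    "app01": {"zone": "app", "vulns": [("V2", 22, 9.8)]},
    "db01":  {"zone": "db",  "vulns": [("V3", 1521, 8.0)]},
}

UNEXPOSED_WEIGHT = 0.4   # assumption: how much an unreachable vuln still counts


def reachable_zones(rules, start="internet"):
    """Zones an attacker can pivot into from `start`, assuming that once a
    zone is reached, a host in it can be compromised and used as the next hop
    (the worst-case 'open path of attack')."""
    adj = defaultdict(set)
    for src, dst, _ in rules:
        adj[src].add(dst)
    seen, queue = {start}, deque([start])
    while queue:
        z = queue.popleft()
        for nxt in adj[z]:
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def ports_open_into(rules, zone, from_zones):
    """Destination ports permitted into `zone` from any of `from_zones`."""
    ports = set()
    for src, dst, p in rules:
        if dst == zone and src in from_zones:
            ports |= p
    return ports


def prioritize(rules, assets, start="internet"):
    """Score = CVSS, discounted when no permitted path reaches the vulnerable
    port from `start`. Sorted highest first."""
    reach = reachable_zones(rules, start)
    ranked = []
    for name, a in assets.items():
        open_ports = ports_open_into(rules, a["zone"], reach)
        for label, port, cvss in a["vulns"]:
            exposed = a["zone"] in reach and port in open_ports
            score = round(cvss * (1.0 if exposed else UNEXPOSED_WEIGHT), 2)
            ranked.append({"asset": name, "vuln": label, "port": port,
                           "cvss": cvss, "exposed": exposed, "score": score})
    ranked.sort(key=lambda r: r["score"], reverse=True)
    return ranked


if __name__ == "__main__":
    for r in prioritize(RULES, ASSETS):
        print(r)
    # What-if: a change request wants SSH from the Internet into the app tier.
    print(prioritize(RULES + [("internet", "app", {22})], ASSETS)[0])
```

The same `prioritize` call with a proposed rule appended is the what-if scenario: it shows the change request would turn the currently unreachable V2 into the top offense before the rule is pushed.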
  21. Security Intelligence Timeline: from Prediction & Prevention to Reaction & Remediation. Risk management. Vulnerability management. SIEM. Log management. Incident response. Configuration monitoring. Patch management. Network and host intrusion prevention. X-Force research and threat intelligence. Network anomaly detection. Packet forensics. Compliance management. Reporting and scorecards. Database activity monitoring. Data loss prevention.
  22. Security Intelligence Wrap-Up. Monitor all activity and correlate in real time; reduce cost and complexity, lower TCO, support compliance. Detect policy violations: baseline against reality (CMDB); social media, P2P, etc. Detect suspicious behavior: privileged actions from a contractor's workstation; DNS communications with an external system. Detect APTs: file accesses out of the norm (behavior anomaly detection); least-used applications or external systems, occasional traffic. Detect fraud: baseline credit pulls or trading volumes and detect anomalies; correlate an eBanking PIN change with large money transfers. Forensic evidence for prosecution. Impact analysis. Change and configuration management.
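Two of the wrap-up bullets are correlation rules rather than single-event matches: "privileged actions from a contractor's workstation" needs the event joined against network context, and "correlate an eBanking PIN change with large money transfers" needs state carried from one event to a later one. As an added example (not a QRadar rule), the block below replays a constructed event stream in time order and emits an offense for each rule. The contractor subnet, the 30-minute window, the transfer threshold and the event field names are assumptions.

```python
"""Stateful correlation of raw events into offenses.

Added example; not a QRadar rule. EVENTS are constructed in the shape a
log-source parser would emit; CONTRACTOR_NET, PIN_WINDOW_SEC, LARGE_TRANSFER
and PRIVILEGED_TYPES are assumptions for the example.
"""
import ipaddress

CONTRACTOR_NET = ipaddress.ip_network("10.1.9.0/24")   # assumption: contractor VLAN
PIN_WINDOW_SEC = 30 * 60                                # assumption
LARGE_TRANSFER = 10_000                                 # assumption
PRIVILEGED_TYPES = {"sudo", "admin_login", "add_user"}  # assumption

EVENTS = [  # constructed, deliberately not in time order
    {"ts": 100,  "type": "pin_change", "account": "A-1001", "src": "203.0.113.5"},
    {"ts": 700,  "type": "transfer",   "account": "A-1001", "amount": 25_000, "src": "203.0.113.5"},
    {"ts": 800,  "type": "transfer",   "account": "A-1002", "amount": 50_000, "src": "198.51.100.9"},
    {"ts": 900,  "type": "pin_change", "account": "A-1003", "src": "203.0.113.8"},
    {"ts": 4500, "type": "transfer",   "account": "A-1003", "amount": 20_000, "src": "203.0.113.8"},
    {"ts": 1000, "type": "sudo", "user": "jdoe", "src": "10.1.9.17", "host": "db01"},
    {"ts": 1100, "type": "sudo", "user": "ops",  "src": "10.1.2.5",  "host": "db01"},
]


def correlate(events):
    """Replay events in time order and emit offenses for two rules:
    1) a PIN change followed by a large transfer on the same account within
       PIN_WINDOW_SEC (account-takeover pattern);
    2) any privileged action whose source address is in CONTRACTOR_NET."""
    offenses = []
    last_pin = {}          # account -> ts of the most recent PIN change (rule state)
    for ev in sorted(events, key=lambda e: e["ts"]):
        kind = ev["type"]
        if kind == "pin_change":
            last_pin[ev["account"]] = ev["ts"]
        elif kind == "transfer" and ev["amount"] >= LARGE_TRANSFER:
            pin_ts = last_pin.get(ev["account"])
            if pin_ts is not None and ev["ts"] - pin_ts <= PIN_WINDOW_SEC:
                offenses.append({"rule": "pin_change_then_large_transfer",
                                 "account": ev["account"], "amount": ev["amount"],
                                 "src": ev["src"], "seconds_after_pin": ev["ts"] - pin_ts})
        elif kind in PRIVILEGED_TYPES and ipaddress.ip_address(ev["src"]) in CONTRACTOR_NET:
            offenses.append({"rule": "privileged_action_from_contractor",
                             "user": ev["user"], "host": ev["host"], "src": ev["src"]})
    return offenses


if __name__ == "__main__":
    for o in correlate(EVENTS):
        print(o)
```

Account A-1003 is the negative case: its PIN change and transfer are an hour apart, so the window rule stays quiet, and A-1002's large transfer has no PIN change at all. On a live stream the `last_pin` state must also be expired, or the dictionary grows without bound and a PIN change from months ago still primes the rule.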
  23. IBM's Security Intelligence, Analytics and Big Data portfolio. (1) IBM QRadar Security Intelligence: unified architecture for collecting, storing, analyzing and querying log, threat, vulnerability and risk related data. (2) IBM Big Data Platform (Streams, BigInsights, Netezza): addresses the speed and flexibility required for customized data exploration, discovery and unstructured analysis. (3) IBM i2 Analyst's Notebook: helps analysts investigate fraud by discovering patterns and trends across volumes of data. (4) IBM SPSS: unified product family to help capture, predict, discover trends, and automatically deliver high-volume, optimized decisions.
  24. Thank You!
  25. © Copyright IBM Corporation 2012. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind, express or implied. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, these materials. Nothing contained in these materials is intended to, nor shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software. References in these materials to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates. Product release dates and/or capabilities referenced in these materials may change at any time at IBM's sole discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any way. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service marks of others. Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed or misappropriated or can result in damage to or misuse of your systems, including to attack others. No IT system or product should be considered completely secure and no single product or security measure can be completely effective in preventing improper access. IBM systems and products are designed to be part of a comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective. IBM DOES NOT WARRANT THAT SYSTEMS AND PRODUCTS ARE IMMUNE FROM THE MALICIOUS OR ILLEGAL CONDUCT OF ANY PARTY.