Trends in Security Intelligence Jonathan Fraleigh
 

  • All you have to do is turn on the TV or pick up a newspaper or magazine to see how well we are doing in our efforts to counter these more sophisticated threats. Hardly a day goes by without some new headline announcing a new security breach. Chances are most people on this call have been affected, or know someone who has been affected, by some sort of security breach.
  • If we take a look at the number and the relative or estimated cost of breaches, this is also increasing at an alarming rate. As a caveat, I do acknowledge there is some subjectivity here, as we have seen in most reports of this type. I think that as more and more organizations feel the pain, they are more willing to talk about it than they have been in the past; I also think the sheer number of breaches makes them more public. That said, if we compare 2011 to the half-year point of 2013 we see a significant increase in the number of attacks, in the cross section of organizations being targeted and, of course, in the relative costs associated with attacks. But the real takeaway is the number of attacks being classified as unknown. This is important (next slide).
  • Several years ago, we introduced the term “Security Intelligence” to describe the value organizations can gain from their security data by treating and analyzing security information in much the same way they do the outputs produced from other business functions, such as marketing. The term has caught on! We’re seeing it used more and more by customers, vendors, pundits and industry experts, but what’s interesting is how no one seems to be describing the same concept. To avoid confusion, we are explicitly stating our own definition. So here it is:

    Security Intelligence (SI) is the real-time collection, normalization, and analysis of the data generated by users, applications and infrastructure that impacts the IT security and risk posture of an enterprise.

    The goal of Security Intelligence is to provide actionable and comprehensive insight that reduces risk and operational effort for any organization, no matter what its size. Data collected and warehoused by security intelligence solutions includes logs, events, network flows, user identities and activities, asset profiles and locations, vulnerabilities, asset configurations and external threat data. Security Intelligence provides analytics to answer fundamental questions that cover the full “before, during and after” timeline of risk and threat management.

    New customer reference: Equifax, a large credit reporting agency, started working with Q1 shortly before it was bought by I.B.M. With 572 million consumer records in its data centers, Equifax must stay at the leading edge of security technology, said Tony Spinelli, its chief security officer. He said security was a never-ending race to stay ahead of modern hackers, whom he called “artful and creative guys.” The appeal of I.B.M.’s strategy, Mr. Spinelli said, is that it focuses on “security intelligence.” The traditional approach to security, he explained, has focused on “detection and reaction.” But today, he added, the need is for automated tools that mine data flows to spot threats and issue alerts to security professionals.
  • Security intelligence, like business intelligence, enables organizations to make smarter decisions. It enables organizations to process information more efficiently across the entire IT infrastructure. Applying business intelligence technology enables organizations to do more with less: instead of having analysts devote expensive hours manually poring over a fraction of the available data, business intelligence automates analysis across all available data and delivers role-based information specific to the task.

    Security intelligence is about automating security, including understanding risk, monitoring the infrastructure for threats and vulnerabilities, and prioritizing remediation. By centralizing security tools and data from the IT infrastructure, security intelligence enables consolidated management and more efficient use of the resources devoted to security. Organizations can improve their security posture without additional operational and personnel costs or the expense of purchasing, maintaining and integrating multiple point products.
  • While we are widely known for our Security Information and Event Management (SIEM) and for our Log Management solutions, QRadar actually delivers a complete set of solutions that span the vulnerability timeline all IT organizations wrestle with.

    Our SIEM, Log Management and network behavioral analysis solutions lead the market in helping customers react and respond to exploits as they occur in a network. But we also provide much needed value to customers as they seek to predict and prevent incidents in the first place, through solutions that help to model risk, evaluate configurations and prioritize vulnerabilities.

    “Security Intelligence” is the actionable information derived from the sum of all security data available to an organization; it improves accuracy and provides context throughout the entire security event timeline, from detection and protection through remediation. QRadar supports the entire security intelligence timeline. What you want in these situations is to recognize the attack as early as possible, flag it to the appropriate manager and activate your incident response processes, aimed at stopping the attack on the one hand and identifying the culprit on the other.
  • How have we been able to deliver the value of One Console Security to our customers? Through a long-planned and carefully developed strategy to build an operating system approach to Security Intelligence.

    QRadar SIOS, the Security Intelligence Operating System, powers the QRadar family of security intelligence products. QRadar SIOS is the foundation of the industry's first total Security Intelligence Platform: a common framework for collecting, warehousing, filtering, analyzing and reporting on all security intelligence telemetry. This integrated solution is the platform for risk management, SIEM, log management, and network and application activity monitoring, as well as new products to be delivered.

    The benefits of the Security Intelligence Operating System include:
    Convergence: consolidation of previously siloed monitoring and analysis capabilities
    Simplicity: multiple functions delivered within a common user experience
    Scalability: simplified expansion capabilities for the largest infrastructures
  • For security threat management the key challenge is to reduce millions of logs to actionable intelligence that identifies key threats. Traditional first-generation SIEMs achieve this through correlation (‘five failed logins followed by a successful login’, for example) to identify suspected security incidents. Event correlation is a very important tool, but it is not enough.

    There are two problems. Firstly, consider a 100,000-to-1 reduction ratio of events to correlated incidents. On the surface this sounds impressive, but for a company generating 2 billion events per day (and you don’t need to be a massive company to do that), it still leaves the security team with 20,000 incidents per day to investigate. Traditional SIM correlation can’t reduce the data enough, and of course log managers can’t even get a 10,000-to-1 reduction ratio. Secondly, an exclusive reliance on event correlation assumes that the criminals intent on attacking your company will not figure out ways to disable or bypass the logging infrastructure, but that is practically their entire focus, and you can’t correlate logs that are not there. This limitation results in missed threats or a very poor understanding of the impact of a breach.

    QRadar vastly expands the capabilities of traditional SIEMs by incorporating new analytics techniques and broader intelligence. Unlike any other SIEM in the market today, QRadar captures all activity on the network for assets, users and attackers before, during, and after an exploit and analyzes all suspected incidents in this context. New analytical techniques such as behavioral analysis are applied. QRadar notifies analysts about ‘offenses’, where an offense is a correlated set of incidents with all of the essential associated network, asset, vulnerability and identity context. By adding business and historical context to suspected incidents and applying new analytic techniques, massive data reduction is realized and threats otherwise missed will be detected.
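The correlation rule quoted above, ‘five failed logins followed by a successful login’, as an added example that is not part of the original presentation or of any IBM/Q1 Labs product. It normalises constructed sshd-style log lines, correlates failures and successes per source and host inside a time window, and reports the resulting events-to-offenses reduction ratio. The line format, the 5-minute window and the threshold of five are this example’s own assumptions.

```python
# Added example, not IBM/Q1 Labs code: a toy correlation rule of the kind the
# notes describe ('five failed logins followed by a successful login'), run over
# constructed sshd-style log lines. The line format, the 5-minute window and
# the threshold of 5 are this example's assumptions.
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events (simplified sshd format). Three stories:
# admin: 5 failures then a success within seconds  -> offense
# bob:   1 failure then a success                   -> below threshold
# root:  6 failures, success 28 minutes later      -> outside the window
SAMPLE_LOGS = """\
2013-11-04T09:00:01 host1 sshd: Failed password for admin from 10.0.0.5
2013-11-04T09:00:03 host1 sshd: Failed password for admin from 10.0.0.5
2013-11-04T09:00:05 host1 sshd: Failed password for admin from 10.0.0.5
2013-11-04T09:00:07 host1 sshd: Failed password for admin from 10.0.0.5
2013-11-04T09:00:09 host1 sshd: Failed password for admin from 10.0.0.5
2013-11-04T09:00:11 host1 sshd: Accepted password for admin from 10.0.0.5
2013-11-04T09:01:00 host2 sshd: Failed password for bob from 10.0.0.9
2013-11-04T09:01:02 host2 sshd: Accepted password for bob from 10.0.0.9
2013-11-04T09:02:00 host1 sshd: Failed password for root from 10.0.0.7
2013-11-04T09:02:01 host1 sshd: Failed password for root from 10.0.0.7
2013-11-04T09:02:02 host1 sshd: Failed password for root from 10.0.0.7
2013-11-04T09:02:03 host1 sshd: Failed password for root from 10.0.0.7
2013-11-04T09:02:04 host1 sshd: Failed password for root from 10.0.0.7
2013-11-04T09:02:05 host1 sshd: Failed password for root from 10.0.0.7
2013-11-04T09:30:00 host1 sshd: Accepted password for root from 10.0.0.7
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd: (?P<outcome>Failed|Accepted) password "
    r"for (?P<user>\S+) from (?P<src>\S+)$"
)

def parse(raw):
    """Normalise raw lines into (timestamp, host, outcome, user, src) tuples."""
    events = []
    for line in raw.splitlines():
        m = LINE_RE.match(line)
        if m:  # a real SIEM would count, not silently drop, lines it cannot parse
            events.append((datetime.fromisoformat(m["ts"]), m["host"],
                           m["outcome"], m["user"], m["src"]))
    return events

def correlate(events, threshold=5, window=timedelta(minutes=5)):
    """Emit one offense per (src, host) when at least `threshold` failures
    precede a success from the same source inside `window`."""
    recent_failures = defaultdict(deque)   # (src, host) -> failure timestamps
    offenses = []
    for ts, host, outcome, user, src in sorted(events):
        q = recent_failures[(src, host)]
        while q and ts - q[0] > window:    # forget failures outside the window
            q.popleft()
        if outcome == "Failed":
            q.append(ts)
        elif len(q) >= threshold:
            offenses.append({"src": src, "host": host, "user": user,
                             "failures": len(q), "at": ts})
            q.clear()                      # one offense per burst, not per login
    return offenses

def reduction_ratio(events, offenses):
    """Events per offense: the 'data reduction' figure the notes talk about."""
    return len(events) / max(len(offenses), 1)

if __name__ == "__main__":
    evs = parse(SAMPLE_LOGS)
    offs = correlate(evs)
    for o in offs:
        print("offense:", o)
    print(f"{len(evs)} events -> {len(offs)} offense(s), ratio {reduction_ratio(evs, offs):.0f}:1")
```

On the constructed input only the admin burst becomes an offense; the root burst is dropped because the success falls outside the window, which is the kind of tuning decision (window length versus missed slow attacks) the rule alone cannot make for you. Note also that this code can only ever see what was logged: if the attacker disables sshd logging after the first success, the second problem the notes describe, nothing here fires.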
  • As anyone in security knows, any portfolio of security offerings is only as good as the currency of the research feeding into it. Consider that an average of 7,000 vulnerabilities are reported each year, which means there are new ones every day. IBM differentiates its Security Intelligence capabilities by offering an X-Force Threat Intelligence feed that includes vulnerabilities, known bad URLs, histories of past attacks, etc.

    QRadar employs a number of threat and security sources to provide external security context and geographical context. This is integrated into all views and capabilities within the product. Sources include but are not limited to:
    * IBM's X-Force Intelligence Threat Feed (via subscription), based on the real-time monitoring of 13 billion security events per day, on average, for nearly 4,000 clients in more than 130 countries.
    * Geographic: MaxMind, http://www.maxmind.com
    * Top targeted ports: DShield, http://www.dshield.org
    * Botnets: Emerging Threats, http://www.emergingthreats.net/rules/emerging-botcc.rules
    * Bogon IPs: http://www.cymru.com/Documents/bogon-bn-nonagg.txt
    * Hostile nets: http://www.emergingthreats.net/rules/emerging-botcc.rules
    * Smurf: http://www.emergingthreats.net/rules/emerging-botcc.rules

    These feeds are pushed out to customers through a free auto-update service. The same service also delivers updates to event mappings, vulnerability mappings (e.g. CVE, OSVDB ID), application mappings and new Device Support Modules.
  • Security Intelligence can be delivered through a family of QRadar products.

    For many customers the starting point has to be solving their log management challenge, which is why we offer a family of log-management-only appliances. Even here there are benefits to the integration we described earlier: unlike any other solution in the market today, these log management appliances can be upgraded to full SIEM capability by the simple addition of a license key.

    Full SIEM provides complete integration of log management with threat, fraud, network and security intelligence. Network activity data, vulnerability assessment and external threat data are added as data sources, along with sophisticated correlation and behavioral analytics.

    For some customers full SIEM scale can be met with a single appliance; for others who have higher scale, or remote collection and storage requirements, QRadar processors enable massive deployments. This horizontal, stackable expansion supports massive scale and geographic distribution while maintaining exactly the same user experience.

    For application-layer visibility and forensic content capture, flow collectors we call QFlow and VFlow can be deployed in customers’ physical or virtual infrastructures. These monitors provide extensive application-level surveillance of all activity at key locations.
  • No matter how many QRadar products/applications are leveraged, or how many appliances constitute a customer deployment, all capabilities are leveraged through a single console, with all the associated benefits that a common interface delivers in terms of speed of operation, transference of skills, ease of adoption and a universal learning curve.
  • While log events are critical, they leave gaps in visibility. Many of our competitors openly state they believe there is no value in flow data; we vehemently disagree. A great example: the first thing an attacker will do when they compromise a system is to turn off logging and erase their tracks. Traditional SIEMs are blind at this point. However, the attacker can’t turn off the network, or they cut themselves off as well.

    In addition to filling in the visibility picture, network activity can also be used to passively build up an asset database and profile your assets. A machine that has received and responded to a connection on port 53 UDP is almost certainly a DNS server, and a machine that has accepted connections on 139 or 445 TCP is almost certainly a Windows server (or at least something speaking SMB). Adding application detection can confirm this not only at the port level but at the application-data level.
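The passive profiling just described, together with the ‘IRC on port 80’ covert channel from the Challenge 1 slide in the transcript, as an added example that is not part of the original presentation or of QRadar/QFlow. It profiles hosts from flow records whose destination actually answered, then inspects the first client bytes so the application is confirmed rather than assumed from the port; a mismatch between the two is what makes the IRC-on-80 case visible. The flow records, payload bytes, port table and signatures are all constructed for this example and are far cruder than any real Layer 7 classifier.

```python
# Added example, not QRadar/QFlow code: passive asset profiling from flow
# records, plus a first-bytes Layer 7 check so the application is confirmed
# rather than assumed from the port. Flow records, payloads, the port table
# and the signatures are all this example's own constructions/assumptions.
from collections import defaultdict

# Constructed bi-directional flow records:
# (src, dst, proto, dst_port, bytes_from_dst, first_client_payload).
# bytes_from_dst > 0 means the destination answered, i.e. something listens there.
FLOWS = [
    ("10.1.1.20", "10.1.1.53", "udp", 53, 120,
     b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00\x07example"),
    ("10.1.1.20", "10.1.1.10", "tcp", 445, 4096, b"\x00\x00\x00\x45\xffSMBr\x00"),
    ("10.1.1.22", "10.1.1.10", "tcp", 139, 512, b"\x00\x00\x00\x2f\xffSMBr\x00"),
    ("10.1.1.31", "10.1.1.80", "tcp", 80, 8192, b"GET / HTTP/1.1\r\nHost: intranet\r\n"),
    # IRC commands on port 80: the covert channel from the 'Challenge 1' slide.
    ("10.1.1.30", "203.0.113.9", "tcp", 80, 2048, b"NICK bot8831\r\nUSER bot 0 * :bot\r\n"),
    ("10.1.1.40", "10.1.1.10", "tcp", 3389, 0, b""),  # unanswered: nothing listening
]

# Service implied by the port alone (assumption: a small illustrative table).
PORT_SERVICES = {("udp", 53): "dns", ("tcp", 139): "smb", ("tcp", 445): "smb",
                 ("tcp", 80): "http"}

def detect_app(proto, payload):
    """Toy Layer 7 detection on the first client bytes (not QFlow's signatures)."""
    if payload.startswith((b"GET ", b"POST ", b"HEAD ")):
        return "http"
    if payload[:4] in (b"NICK", b"USER", b"JOIN", b"PRIV"):   # IRC commands
        return "irc"
    if b"SMB" in payload[:8]:                                 # \xffSMB header magic
        return "smb"
    # DNS: 12-byte header whose QR bit (top bit of byte 2) is clear for a query.
    if proto == "udp" and len(payload) >= 12 and payload[2] & 0x80 == 0:
        return "dns"
    return "unknown"

def profile_assets(flows):
    """Build per-host profiles from answered flows; flag port/application mismatches."""
    assets = defaultdict(lambda: {"services": set(), "apps": set()})
    alerts = []
    for src, dst, proto, dport, bytes_from_dst, payload in flows:
        if bytes_from_dst == 0:
            continue  # a SYN with no answer proves nothing about the host
        by_port = PORT_SERVICES.get((proto, dport), "unknown")
        by_payload = detect_app(proto, payload)
        assets[dst]["services"].add(by_port)
        assets[dst]["apps"].add(by_payload)
        if by_payload != "unknown" and by_payload != by_port:
            alerts.append({"src": src, "dst": dst, "port": dport,
                           "expected": by_port, "seen": by_payload})
    return dict(assets), alerts

def classify(asset):
    """Role guesses of the kind the notes describe, from ports that actually answered."""
    roles = []
    if "dns" in asset["services"]:
        roles.append("dns-server")
    if "smb" in asset["services"]:
        roles.append("windows-host")
    if "http" in asset["services"]:
        roles.append("web-server")
    return roles

if __name__ == "__main__":
    assets, alerts = profile_assets(FLOWS)
    for host, asset in sorted(assets.items()):
        print(host, classify(asset), sorted(asset["apps"]))
    for a in alerts:
        print("covert channel?", a)
```

The unanswered 3389 probe is deliberately ignored: an attempted connection tells you what the client wanted, not what the target runs, and profiling on it would pollute the asset database with every scan. The port-only view still labels 203.0.113.9 a web server; only the payload check turns it into an alert.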
  • In starting out this presentation I suggested that the old method of protecting an organization’s digital self is not working. There needs to be a new approach. I put forward the argument that the role of the security expert is changing. They have to better understand the business and what normal is, so that even the slightest change raises an eyebrow and is investigated. Having the ability to incorporate this into the Security Intelligence solution across all attack vectors is essential. The days of hoping the bad guys won’t find a vulnerability are gone. You have to ensure you have all aspects of the digital world covered. Visibility into this world simplifies your life, which then makes it easier for you to make the bad guys’ life much harder.
  • In summary, Q1 Labs is uniquely qualified to provide you with solutions to address your growing compliance and security intelligence needs, before, during and after threats take place. Now, let’s talk about your specific issues that we can work on together.
  • As you can see from this view, QRM summarizes all of the network activity into connections. This is done once an hour, so the most out-of-date the connection data will ever be is one hour. QRM summarizes the traffic in a table (seen at the bottom) as well as in an interactive radial graph.

    One of the more useful use cases for connections is research to support firewall rule changes, particularly new ‘deny’ rules where admins are concerned with making sure the new rule will not adversely affect existing traffic. In the connection viewer it is possible to quickly search all connections that match the pattern of the new rule, and users can then drill down all the way to the flow level if they’d like (which can tell what applications are being used, by whom, etc.).
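The firewall-change research step described above, as an added example that is not part of the original presentation or of QRadar Risk Manager: a proposed deny rule is matched against hourly connection summaries so that the traffic it would cut off is known before the rule is deployed. The summary record layout, the rule representation and the sample records are this example’s own assumptions.

```python
# Added example, not QRadar Risk Manager code: testing a proposed firewall
# 'deny' rule against hourly connection summaries before deploying it, the
# research step the notes describe. The summary format, the rule format and
# the sample records are this example's assumptions.
import ipaddress

# Constructed hourly connection summaries:
# (src, dst, proto, dst_port, flow_count, bytes)
CONNECTIONS = [
    ("10.20.0.15", "10.30.0.8", "tcp", 1433, 42, 3_500_000),
    ("10.20.0.16", "10.30.0.8", "tcp", 1433, 7, 120_000),
    ("10.20.0.15", "10.30.0.9", "tcp", 22, 3, 9_000),
    ("10.40.0.5",  "10.30.0.8", "tcp", 1433, 1, 2_000),
    ("10.20.0.15", "10.30.0.8", "udp", 161, 60, 30_000),
]

def make_rule(src, dst, proto="any", port=None):
    """A deny rule: source network, destination network, optional protocol and port."""
    return {"src": ipaddress.ip_network(src), "dst": ipaddress.ip_network(dst),
            "proto": proto, "port": port}

def matches(rule, conn):
    """True when the summarised connection falls inside the rule's pattern."""
    src, dst, proto, port, _flows, _bytes = conn
    return (ipaddress.ip_address(src) in rule["src"]
            and ipaddress.ip_address(dst) in rule["dst"]
            and rule["proto"] in ("any", proto)
            and rule["port"] in (None, port))

def deny_rule_impact(rule, connections):
    """Summarise the existing traffic the new deny rule would cut off: the
    matching records, totals, and the sources/services an admin would then
    drill into at the flow level."""
    hits = [c for c in connections if matches(rule, c)]
    return {
        "connections": hits,
        "flows": sum(c[4] for c in hits),
        "bytes": sum(c[5] for c in hits),
        "sources": sorted({c[0] for c in hits}),
        "services": sorted({(c[2], c[3]) for c in hits}),
    }

if __name__ == "__main__":
    proposed = make_rule("10.20.0.0/16", "10.30.0.8/32", "tcp", 1433)
    impact = deny_rule_impact(proposed, CONNECTIONS)
    print(f"rule would block {impact['flows']} flows/hour "
          f"({impact['bytes']} bytes) from {impact['sources']}")
```

Because the summaries are hourly, an empty result only says the pattern was quiet in the hours you checked; a practitioner would run the same check over a window long enough to cover batch jobs and month-end traffic before trusting it.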
  • Upgrading Log Manager to QRadar SIEM adds additional security telemetry data and a rules-based correlation analysis engine: part of the ‘magic’ that creates a manageable list of daily forensic investigations distilled from millions or even billions of raw events.

    Adding QRadar Risk Manager to the equation, our security intelligence solution performs pre-exploit investigations, discovering where attacks are most likely to occur.

    QRadar Vulnerability Manager further extends our clients’ pre-exploit analysis activities by adding integrated vulnerability insights that help measure the exposure of identified vulnerabilities to outside threats. QRadar Vulnerability Manager reduces the burden of addressing pre-exploit conditions just as QRadar SIEM does for post-exploit conditions.

    IBM X-Force research provides an intelligence feed to QRadar based on the real-time monitoring of 13 billion security events per day. Whether it is the newest strain of malware or an advanced exploit technique first seen halfway around the world, QRadar will monitor this intelligence and correlate it with what’s happening in your own environment, large or small.
  • Increased investigation capacity by 6x with existing staff
    Dramatically improved visibility for better security posture
    Saved over 50 percent in licensing and maintenance costs over a competitive solution
    “The QRadar Risk Manager and QRadar QFlow Collector features separated IBM’s solution from the others. This advanced SIEM functionality has driven many productivity gains and gives us a very good understanding of our network topology and configurations so we can assess potential vulnerabilities. As soon as we saw IBM offered these features out of the box, the decision was a no-brainer. We’ve implemented use cases in one to two weeks that would have taken six months with a competitor’s product.”
    Anonymous (Euronet)

Presentation Transcript

  • IBM Security: Trends in Security and Security Intelligence. Jon Fraleigh, Security Intelligence World Wide Sales Leader, November 2013. IBM Confidential, © 2013 IBM Corporation.
  • Targeted attacks remain top of mind
    - Saudi Arabia Says Aramco Cyberattack Came From Foreign States (Bloomberg, Dec 2012)
    - How to Hack Facebook In 60 Seconds (InformationWeek, June 2013)
    - Facebook hacked in 'sophisticated attack' (The Guardian, Feb 2013)
    - Hackers in China Attacked The Times for the Last 4 Months (The New York Times, Jan 2013)
    - Fed Acknowledges Cybersecurity Breach (The Wall Street Journal, Feb 2013)
    - Adobe Systems Reports Attack on Its Computer Network (The Wall Street Journal, Oct 2013)
    - Apple Hacked: Company Admits Development Website Was Breached (Huffington Post, July 2013)
    - South Carolina taxpayer server hacked, 3.6 million Social Security numbers compromised (CNN, Oct 2012)
    - Chinese hacking of US media is 'widespread phenomenon' (Wired, Feb 2013)
  • [Chart] Sources: IBM Security X-Force 2011 and 2012 Trend and Risk Reports; IBM Security X-Force 2013 Mid-Year Trend and Risk Report.
  • What is Security Intelligence? Security Intelligence, noun: 1. The real-time collection, normalization, and analysis of the data generated by users, applications, and infrastructure that impacts the IT security and risk posture of an enterprise. 2. A complete approach to defending an organization’s critical assets, intellectual property, and private data using advanced anomaly detection capabilities balanced with preventative risk and vulnerability management activities. Delivers actionable and comprehensive insight for managing risks and combating threats, from protection and detection through remediation and mitigation.
  • Security Intelligence and Business Intelligence offer insightful parallels [timeline diagram; axes: Time, Market Changes]. Security milestones shown: DASCOM; Mainframe and Server Security (RACF); Identity and Access Management; Network Intrusion Prevention; Managed Security Services; Compliance Management; SOA Security; Application Security; Database Monitoring; Security as a Service; Simplified Delivery (i.e., Cloud); IBM Security Intelligence. Business Intelligence milestones shown: Enterprise Reporting; Business Intelligence Suite; Performance Management Platform; Decision Management; Predictive Analytics; Text & Social Media Analytics; BI Convergence with Collaboration; BI Convergence with Security; IOD Business Optimization; IBM Business Intelligence.
  • Solutions for the full Security Intelligence timeline
    Prediction & Prevention (What are the external and internal threats? Are we configured to protect against these threats?): Risk Management; Vulnerability Management; Configuration and Patch Management; X-Force Research and Threat Intelligence; Compliance Management; Reporting and Scorecards.
    Reaction & Remediation (What is happening right now? What was the impact?): Network and Host Intrusion Prevention; Network Anomaly Detection; Packet Forensics; Database Activity Monitoring; Data Leak Prevention; Security Information and Event Management; Log Management; Incident Response.
  • Built upon the common foundation of QRadar SIOS [architecture diagram]. Products: QRadar SIEM; QRadar Log Manager; QRadar Risk Manager; QRadar QFlow and VFlow; QRadar Vulnerability Manager; new Security Intelligence solutions. Shared services: Reporting Engine; Workflow; Real-Time Viewer; Rules Engine; Analytics Engine; Reporting API; Forensics API. Security Intelligence Operating System (SIOS) layer: Warehouse; Archival; Normalization. Other labelled elements: LEEF; AXIS; Configuration; NetFlow; Offense.
  • Taking in data from a wide spectrum of feeds [diagram]
  • And continually adding context for increased accuracy. Security Intelligence feeds: Geo Location; Internet Threats; Vulnerabilities [diagram]
  • Deployed upon a scalable appliance architecture
    Log Management: turn-key log management and reporting; SME to Enterprise; upgradeable to enterprise SIEM
    SIEM: log, flow, vulnerability & identity correlation; sophisticated asset profiling; offense management and workflow
    Configuration & Vulnerability Management: network security configuration monitoring; vulnerability scanning & prioritization; predictive threat modeling & simulation
    Network Activity & Anomaly Detection: network analytics; behavioral anomaly detection; fully integrated in SIEM
    Network and Application Visibility: Layer 7 application monitoring; content capture for deep insight & forensics; physical and virtual environments
    Scale: Event Processors; Network Activity Processors; High Availability & Disaster Recovery; Stackable Expansion
  • Security Intelligence Use Case Examples
  • Overview of use cases
    Detecting threats: arm yourself with comprehensive security intelligence
    Consolidating data silos: collect, correlate and report on data in one integrated solution
    Detecting insider fraud: next-generation SIEM with identity correlation
    Better predicting risks to your business: full life cycle of compliance and risk management for network and security infrastructures
    Addressing regulation mandates: automated data collection and configuration audits
  • Challenge 1: Detecting Threats. Potential botnet detected? This is as far as a traditional SIEM can go. IRC on port 80? IBM Security QRadar QFlow detects a covert channel. Irrefutable botnet communication: Layer 7 flow data contains botnet command-and-control instructions. Application-layer flow analysis can detect threats others miss.
  • Challenge 2: Consolidating Data Silos. Analyzing both flow and event data; only IBM Security QRadar fully utilizes Layer 7 flows. Data reduction ratio 1,153,571 : 1. Reducing big data to manageable volumes; advanced correlation for analytics across silos.
  • Challenge 3: Detecting Insider Fraud. Potential data loss: who, what, where? Who? An internal user. What? Oracle data. Where? Gmail. Threat detection in the post-perimeter world: user anomaly detection and application-level visibility are critical to identify inside threats.
  • Challenge 4: Better Predicting Risks to Your Business. Assess assets with high-risk input manipulation vulnerabilities. Which assets are affected? How should I prioritize them? What are the details? Vulnerability details, ranked by risk score. How do I remediate the vulnerability? Pre-exploit Security Intelligence: monitor the network for configuration and compliance risks, and prioritize them for mitigation.
  • Challenge 5: Addressing Regulatory Mandates. PCI compliance at risk? Real-time detection of a possible violation: unencrypted traffic. IBM Security QRadar QFlow saw a cleartext service running on the Accounting server. PCI Requirement 4 states: encrypt transmission of cardholder data across open, public networks. Compliance simplified: out-of-the-box support for major compliance and regulatory standards; automated reports, pre-defined correlation rules and dashboards.
  • Thank you
  • Using a fully integrated architecture and interface: One Console, built on a Single Data Architecture. The same five capability columns as the appliance-architecture slide (Log Management; SIEM; Configuration & Vulnerability Management; Network Activity & Anomaly Detection; Network and Application Visibility), with “vulnerability prioritization” in place of “vulnerability scanning & prioritization”.
  • Employing automation to accelerate time-to-value and preserve currency
    Simplified deployment delivers results in days: syslog device detection configures log data sources; passive flow asset detection populates the asset database; out-of-the-box rules and reports reduce incident investigations and meet compliance mandates
    Real-time events keep information current: immediate discovery of network asset additions triggers proactive vulnerability scans, configuration comparisons and policy compliance checks; daily and weekly updates to rules, reports, vulnerabilities, patches, searches, support modules, protocols and signatures
  • Differentiated by network flow analytics
    Log management products collect a subset of the available data
    NetFlow records enable visibility into attacker communications
    Stored as aggregated, bi-directional records of IP addresses, ports, and protocols
    Offer advanced detection and forensics via flow pivoting, drill-down and data mining
    QFlow Collectors dig deeper, adding Layer 7 application insights
  • Including baselining and anomaly detection capabilities
    Correlation of log and flow data creates profiles of user, application and data access patterns
    Anomaly detection uses multiple measurements to signal change: Thresholds (above or below the normal range); Anomaly (detects the appearance of new objects); Behavior (reveals deviations from established ‘seasonal’ patterns)
    [Chart: large window, 5 hours, versus small window, 1 hour]
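The three measurements on the baselining slide (threshold, new object, behavior), as an added example that is not part of the original presentation or of QRadar. It takes the slide’s window sizes literally: the large window is the five hours before the latest hour and the small window is that latest hour, and each check compares the small window with the large one. The per-hour metrics, the fixed threshold and the three-sigma cut-off are this example’s own assumptions, chosen only to show how the three checks fire differently on the same data.

```python
# Added example, not QRadar code: the three anomaly measurements the slide
# lists (threshold, new object, behaviour) run over constructed per-hour
# counters for one host. The 'small window' is the latest hour and the
# 'large window' the five hours before it, as on the slide; the metrics,
# the fixed threshold and the 3-sigma cut-off are this example's assumptions.
from statistics import mean, pstdev

# Constructed per-hour observations: bytes sent out and destination ports used.
HOURS = [
    {"bytes_out": 1_000_000, "ports": {80, 443}},
    {"bytes_out": 1_100_000, "ports": {80, 443}},
    {"bytes_out":   950_000, "ports": {80, 443, 53}},
    {"bytes_out": 1_050_000, "ports": {80, 443}},
    {"bytes_out": 1_000_000, "ports": {80, 443, 53}},
    {"bytes_out": 4_800_000, "ports": {80, 443, 6667}},  # latest hour
]

def threshold_check(value, low, high):
    """Threshold: a metric above or below a fixed normal range."""
    return value < low or value > high

def new_object_check(baseline, current):
    """Anomaly: objects (destination ports here) never seen in the large window."""
    seen = set().union(*(h["ports"] for h in baseline))
    return sorted(current["ports"] - seen)

def behaviour_check(baseline, current, key="bytes_out", sigmas=3.0):
    """Behaviour: how far the small window sits from the large-window pattern,
    measured in standard deviations of the baseline. Returns (flagged, z)."""
    values = [h[key] for h in baseline]
    mu, sigma = mean(values), pstdev(values)
    if sigma == 0:  # flat baseline: any change at all is a deviation
        return current[key] != mu, 0.0
    z = (current[key] - mu) / sigma
    return abs(z) > sigmas, z

def evaluate(hours, large_window=5, low=0, high=3_000_000):
    """Apply all three checks to the most recent hour against the hours before it."""
    baseline = hours[-(large_window + 1):-1]
    current = hours[-1]
    flagged, z = behaviour_check(baseline, current)
    return {
        "threshold": threshold_check(current["bytes_out"], low, high),
        "new_objects": new_object_check(baseline, current),
        "behaviour": flagged,
        "z_score": round(z, 1),
    }

if __name__ == "__main__":
    print(evaluate(HOURS))
```

On the constructed data all three fire for the latest hour: the fixed threshold because 4.8 MB is over the hard limit, the new-object check because 6667 was never used in the baseline, and the behaviour check because the hour sits roughly 74 standard deviations from a very tight baseline. The same checks disagree as soon as the baseline is noisy: a host whose normal hour-to-hour variance is large will pass the behaviour check for an increase that a fixed threshold still catches, which is why the slide lists them as separate measurements.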
  • Strengthened by integrated vulnerability insights [figure: two word clouds of CVE identifiers]
    Existing vulnerability management tools: “Your Vulnerabilities”, an undifferentiated cloud of CVEs. Questions remain: Has that been patched? Has it been exploited? Is it likely to be exploited? Does my firewall block it? Does my IPS block it? Does it matter?
    Security Intelligence Integration: improves visibility (intelligent, event-driven scanning, asset discovery, asset profiling and more); reduces data load (bringing rich context to Vulnerability Management); breaks down silos (leveraging all QRadar integrations and data; unified vulnerability view across all products)
    QRadar Vulnerability Manager: the same cloud with each CVE labelled Inactive, Patched, Blocked, Critical, At risk! or Exploited! Answers delivered: real-time scanning; early warning capabilities; advanced pivoting and filtering
  • IBM Security Security Intelligence portfolio components © 2013 IBM Corporation 24 IBM Confidential © 2013 IBM Corporation
  • IBM Security Systems QRadar Log Manager: Foundation for Security Intelligence  Employs intuitive, browser-based UI  Presents customizable dashboards (work spaces) per user  Delivers real-time & historical visibility and reporting  Provides easy to use rules engine with out-of-the-box security intelligence  Allows advanced data mining and drill down  Contains role-based access to information & functions 25 © 2013 IBM Corporation
Establishes security capability to exceed compliance requirements (slide 26)
• Automatically discovers log sources, simplifying deployment and speeding ROI
• Performs distributed log collection, analysis, archival, searching and reporting that scales to any size network
• Provides fast, free-text search and analysis of normalized data
• Contains reliable, tamper-proof log storage for forensic investigations and evidentiary use
• Includes compliance-driven report templates for regulatory reporting and auditing
• Shares common architecture with QRadar SIEM for seamless upgrade
Best practices compliance rules and reports speed ROI (slide 27)
• Out-of-the-box templates for specific regulations and best practices:
  – COBIT, SOX, GLBA, NERC, FISMA, PCI, HIPAA, UK GCSx
• Easily modified to include new definitions
• Extensible to include new regulations and best practices
• Can leverage existing correlation rules
QRadar SIEM: Command console for Security Intelligence (slide 28)
• Provides full visibility and actionable insight to protect against advanced threats
• Adds network flow capture and analysis for deep application insight
• Employs sophisticated correlation of events, flows, assets, topologies, vulnerabilities and external data to identify & prioritize threats
• Contains workflow management to fully track threats and ensure resolution
• Uses scalable hardware, software and virtual appliance architecture to support the largest deployments
Data reduction and correlation analysis identify top threats (slide 29)
[Funnel diagram: Previous 24hr period of network and security activity (2.7M logs) → QRadar correlation & analysis of data creates 'offenses' → Offenses further prioritized by business impact]
Offenses include complete history of threat or violation with full context, including network, asset and user identity information
• Focuses security teams and eliminates false positives
• Reduces millions/billions of events to dozens requiring further investigation
Intelligent offense scoring further directs security team investigations (slide 30)
QRadar judges "magnitude" of offenses:
1. Credibility: A false positive or true positive?
2. Severity: Alarm level contrasted with target vulnerability
3. Relevance: Priority according to asset or network value
Priorities can change over time based on situational awareness
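To make the two preceding slides concrete (event reduction into offenses, then magnitude scoring), here is an added example written for this page; it is not QRadar code. A toy correlation rule collapses a constructed set of login events into offenses that keep their full event history, and each offense is then scored on credibility, severity and relevance. The event format, the rule thresholds, the context tables (asset value, vulnerable services, a reputation list) and the averaging formula for magnitude are all assumptions made for illustration.

```python
# Added example: toy correlation engine and offense-magnitude scorer.
# Not QRadar code; the rule, event format, context tables and scoring
# formula are assumptions chosen to illustrate the slides' three factors.
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample events: (time in seconds, source IP, target IP, port, outcome).
EVENTS = [
    (100, "203.0.113.7", "10.0.0.5", 22, "login_failed"),
    (101, "203.0.113.7", "10.0.0.5", 22, "login_failed"),
    (102, "203.0.113.7", "10.0.0.5", 22, "login_failed"),
    (103, "203.0.113.7", "10.0.0.5", 22, "login_failed"),
    (104, "203.0.113.7", "10.0.0.5", 22, "login_failed"),
    (110, "203.0.113.7", "10.0.0.5", 22, "login_success"),
    (200, "198.51.100.3", "10.0.0.9", 22, "login_failed"),
    (201, "198.51.100.3", "10.0.0.9", 22, "login_failed"),
    (202, "198.51.100.3", "10.0.0.9", 22, "login_success"),
    (300, "192.0.2.10", "10.0.0.9", 22, "login_failed"),
    (301, "192.0.2.10", "10.0.0.9", 22, "login_failed"),
    (302, "192.0.2.10", "10.0.0.9", 22, "login_failed"),
    (303, "192.0.2.10", "10.0.0.9", 22, "login_failed"),
    (304, "192.0.2.10", "10.0.0.9", 22, "login_failed"),
    (305, "192.0.2.10", "10.0.0.9", 22, "login_success"),
]

# Constructed context: asset business value (1-10), services a scanner
# reported as vulnerable, and a hypothetical reputation list of source IPs.
ASSET_VALUE = {"10.0.0.5": 10, "10.0.0.9": 3}
VULNERABLE = {("10.0.0.5", 22)}
BAD_REPUTATION = {"203.0.113.7"}


@dataclass
class Offense:
    source: str
    target: str
    port: int
    events: list = field(default_factory=list)  # full history kept for context
    credibility: int = 0
    severity: int = 0
    relevance: int = 0

    @property
    def magnitude(self) -> int:
        # Assumed formula: mean of the three 1-10 factors, rounded.
        return round((self.credibility + self.severity + self.relevance) / 3)


def correlate(events, window=60, threshold=5):
    """Rule: >= threshold failed logins from one source to one (target, port)
    within `window` seconds, followed by a success, become one offense."""
    by_key = defaultdict(list)
    for ev in sorted(events):
        by_key[(ev[1], ev[2], ev[3])].append(ev)
    offenses = []
    for (src, dst, port), evs in by_key.items():
        for i, ev in enumerate(evs):
            if ev[4] != "login_success":
                continue
            recent_fail = [e for e in evs[:i]
                           if e[4] == "login_failed" and ev[0] - e[0] <= window]
            if len(recent_fail) >= threshold:
                offenses.append(Offense(src, dst, port, recent_fail + [ev]))
                break
    return offenses


def score(offense):
    """Fill in the three factors and return the resulting magnitude."""
    fails = sum(1 for e in offense.events if e[4] == "login_failed")
    # Credibility: likelihood of a true positive; corroborated by the volume
    # of failures and by a reputation hit on the source.
    offense.credibility = min(10, 4 + fails // 2
                              + (3 if offense.source in BAD_REPUTATION else 0))
    # Severity: the rule's alarm level contrasted with target vulnerability:
    # high when the attacked service is known vulnerable, low otherwise.
    offense.severity = 9 if (offense.target, offense.port) in VULNERABLE else 4
    # Relevance: business value of the targeted asset.
    offense.relevance = ASSET_VALUE.get(offense.target, 1)
    return offense.magnitude


def prioritized_offenses(events=EVENTS):
    """15 raw events -> 2 offenses, highest magnitude first."""
    offs = correlate(events)
    for o in offs:
        score(o)
    return sorted(offs, key=lambda o: o.magnitude, reverse=True)


if __name__ == "__main__":
    for o in prioritized_offenses():
        print(o.magnitude, o.source, "->", o.target, len(o.events), "events")
```

Of the three sources, two cross the rule's threshold; the burst against the high-value, vulnerable host from a bad-reputation address ends up with magnitude 9, the similar burst against the low-value host with magnitude 4, so the analyst's queue is ordered by context rather than by raw event count.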
Flows provide context for true network intelligence (slide 31)
• Helps detect zero-day attacks that have no signature
• Enables policy monitoring and rogue server identification
• Provides visibility into all attacker communications
• Uses passive monitoring to build asset profiles and classify hosts
• Improves network visibility and helps resolve traffic problems
QRadar Risk Manager: Visualize network, configurations and risks (slide 32)
• Depicts network topology views and helps visualize current and alternative network traffic patterns
• Identifies active attack paths and assets at risk of exploit
• Collects network device configuration data to assess vulnerabilities and facilitate analysis and reporting
• Discovers firewall configuration errors and improves performance by eliminating ineffective rules
• Analyzes policy compliance for network traffic, topology and vulnerability exposures
Fully integrated risk management solution (slide 33)
• Compiles comprehensive risk assessments covering network usage, configuration data, vulnerability posture, and current threat environment
• Provides powerful visualizations of network usage and attack paths, simplifying risk and incident response actions
• Simplifies configuration change comparisons and alerts users to risky or out-of-compliance configurations
• Improves consistency of firewall rules, including detection of shadowed rules and other configuration errors
• Delivers reduced total cost of ownership through product consolidation
Connections view shows and records network traffic activity (slide 34)
• Drastically reduces time required to conduct offense forensics
• Correlates events and flows with source and destination IPs
• Identifies active vs. inactive applications and associated hosts
• Enables connection searches between hosts and networks using specific protocols and applications, or traffic analysis to/from specific geo regions
Investigating offense attack path (slide 35)
• Clicking 'attack path' button for an offense performs a search showing the precise path (and all permutations) between involved source and destination IPs
• Firewall rules enabling the attack path can then be quickly analyzed to understand the exposure
• Allows a "virtual patch" to be applied by quickly showing which firewall rules may be changed to immediately shut down the attack path, before patching or other configuration changes can typically be implemented
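The two firewall-analysis ideas on these slides, shadowed-rule detection (slide 33) and finding which rule enables an offense's path so it can be "virtually patched" (slide 35), can be shown with a small first-match rule model. The following is an added example written for this page, not QRadar Risk Manager code: the rule set, addresses and ports are constructed, and the semantics are a deliberate simplification (one firewall, first match wins, destination port ranges only). The virtual patch inserted here is the narrowest possible one, a deny for the offending source to the targeted port, placed just ahead of the permitting rule.

```python
# Added example, not QRadar code: first-match firewall rule model used for
# shadowed-rule detection and for locating the rule that enables a path.
# Rule set, hosts and ports are constructed; semantics are simplified.
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    action: str    # "allow" or "deny"
    src: str       # source CIDR
    dst: str       # destination CIDR
    ports: tuple   # inclusive (low, high) destination port range

    def matches(self, src_ip, dst_ip, port):
        return (ipaddress.ip_address(src_ip) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(dst_ip) in ipaddress.ip_network(self.dst)
                and self.ports[0] <= port <= self.ports[1])

    def covers(self, other):
        """True when every packet `other` matches is also matched by self."""
        return (ipaddress.ip_network(other.src).subnet_of(ipaddress.ip_network(self.src))
                and ipaddress.ip_network(other.dst).subnet_of(ipaddress.ip_network(self.dst))
                and self.ports[0] <= other.ports[0] and other.ports[1] <= self.ports[1])


# Constructed rule base for a DMZ (10.0.0.0/24); evaluated top to bottom.
RULES = [
    Rule("r1", "allow", "0.0.0.0/0", "10.0.0.0/24", (80, 80)),
    Rule("r2", "allow", "0.0.0.0/0", "10.0.0.0/24", (443, 443)),
    Rule("r3", "allow", "192.168.1.0/24", "10.0.0.0/24", (1, 65535)),  # admin net: any port
    Rule("r4", "deny", "192.168.1.0/24", "10.0.0.5/32", (22, 22)),     # never reached: r3 covers it
    Rule("r5", "allow", "0.0.0.0/0", "10.0.0.0/24", (8080, 8080)),
    Rule("r6", "allow", "203.0.113.0/24", "10.0.0.0/24", (443, 443)),  # redundant: r2 covers it
    Rule("r7", "deny", "0.0.0.0/0", "0.0.0.0/0", (1, 65535)),          # default deny
]


def shadowed_rules(rules):
    """Return (rule, earlier rule) pairs where the earlier rule fully covers
    the later one, so the later rule can never match a packet."""
    out = []
    for j, r in enumerate(rules):
        for earlier in rules[:j]:
            if earlier.covers(r):
                out.append((r.name, earlier.name))
                break
    return out


def first_match(rules, src_ip, dst_ip, port):
    for r in rules:
        if r.matches(src_ip, dst_ip, port):
            return r
    return None


def attack_path_rule(rules, src_ip, dst_ip, port):
    """The rule that permits src -> dst:port, or None if the path is closed."""
    r = first_match(rules, src_ip, dst_ip, port)
    return r if r is not None and r.action == "allow" else None


def virtual_patch(rules, src_ip, dst_ip, port):
    """Return a new rule list with a targeted deny for this source placed
    directly in front of the rule that currently enables the path."""
    r = attack_path_rule(rules, src_ip, dst_ip, port)
    if r is None:
        return list(rules)
    block = Rule(f"vpatch-{r.name}", "deny", f"{src_ip}/32", f"{dst_ip}/32", (port, port))
    idx = rules.index(r)
    return rules[:idx] + [block] + rules[idx:]


if __name__ == "__main__":
    print("shadowed:", shadowed_rules(RULES))
    enabling = attack_path_rule(RULES, "203.0.113.7", "10.0.0.5", 8080)
    print("path enabled by:", enabling.name)
    patched = virtual_patch(RULES, "203.0.113.7", "10.0.0.5", 8080)
    print("after patch:", attack_path_rule(patched, "203.0.113.7", "10.0.0.5", 8080))
```

The shadow check surfaces the security-relevant case the slide alludes to: r4 was meant to stop the admin network reaching 10.0.0.5 on port 22, but r3 above it already allows everything from that network, so the deny is dead configuration. The path check shows r5 as the rule exposing port 8080; after the virtual patch the offending source is denied while other sources still reach the service through r5, which is the trade-off an analyst weighs before choosing a broader change.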
QRadar Vulnerability Manager: Scan, assess and remediate vulnerabilities (slide 36)
• Employs embedded, well-proven, scalable, PCI-certified scanner
• Provides complete vulnerability view including 3rd-party vulnerability system data feeds
• Supports exception and remediation processes with seamlessly integrated reporting and dashboarding
• Leverages QRadar log and flow collectors and processors to conduct scans
• Includes hosted external scanning service
• Tracks National Vulnerability Database (CVE) and detects 70,000+ vulnerabilities
Fully integrated vulnerability management solution (slide 37)
• Analyses data stored in QRadar asset model database, so includes all vulnerability sources
• Displays vulnerability posture by asset, network, open service, vulnerability type and vulnerability instances
• Provides powerful filtering & pivoting functionality similar to flow and event viewer
• Offers saved searches, quick searches and a Google-esque quick filter
QVM enables customers to interpret 'sea' of vulnerabilities (slide 38)
[Figure: a cloud of CVE tags, with groups labelled Inactive, Blocked, Patched, Critical, At Risk! and Exploited!]
Inactive: QFlow Collector data helps QRadar Vulnerability Manager sense application activity
Patched: IBM Endpoint Manager helps QVM understand which vulnerabilities will be patched
Critical: Vulnerability knowledge base, remediation flow and QRM policies inform QVM about business-critical vulnerabilities
Blocked: QRadar Risk Manager helps QVM understand which vulnerabilities are blocked by firewalls and IPSs
At Risk: X-Force Threat and SIEM security incident data, coupled with QFlow network traffic visibility, help QVM see assets communicating with potential threats
Exploited: SIEM correlation and IPS data help QVM reveal which vulnerabilities have been exploited
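The slide's six buckets are a join between the scanner's findings and the other context sources it names. Here is an added example, written for this page and not QVM code, that performs that join over a constructed set of vulnerability instances: flow data decides Inactive, an endpoint-manager patch list decides Patched, a reachability table from the firewall model decides Blocked, an asset policy decides Critical, threat-communication incidents decide At Risk, and exploit evidence decides Exploited. The vulnerability identifiers are placeholders, not real CVEs, and the precedence used when several buckets apply is an assumption: mitigating context (not running, scheduled for patch, unreachable) wins over escalating context, except that evidence of exploitation always wins.

```python
# Added example, not QVM code: classify each vulnerability instance into
# one of the slide's buckets by joining it with the listed context sources.
# All inputs are constructed; identifiers are placeholders, not real CVEs.
from dataclasses import dataclass


@dataclass(frozen=True)
class Vuln:
    vuln_id: str   # constructed placeholder id
    host: str
    port: int


VULNS = [
    Vuln("vuln-1", "10.0.0.5", 443),
    Vuln("vuln-2", "10.0.0.5", 8080),
    Vuln("vuln-3", "10.0.0.9", 22),
    Vuln("vuln-4", "10.0.0.9", 3306),
    Vuln("vuln-5", "10.0.0.12", 445),
    Vuln("vuln-6", "10.0.0.12", 80),
    Vuln("vuln-7", "10.0.0.20", 25),
]

# Flow collector (constructed): (host, port) pairs seen carrying traffic recently.
ACTIVE_SERVICES = {("10.0.0.5", 443), ("10.0.0.9", 22), ("10.0.0.9", 3306),
                   ("10.0.0.12", 445), ("10.0.0.12", 80), ("10.0.0.20", 25)}
# Endpoint manager (constructed): vulnerabilities with a patch already scheduled.
PATCH_SCHEDULED = {"vuln-3"}
# Risk manager (constructed): can untrusted networks reach (host, port)? False == blocked.
REACHABLE_FROM_UNTRUSTED = {("10.0.0.5", 443): True, ("10.0.0.9", 22): False,
                            ("10.0.0.9", 3306): False, ("10.0.0.12", 445): True,
                            ("10.0.0.12", 80): True, ("10.0.0.20", 25): True}
# Policy / knowledge base (constructed): business-critical assets.
CRITICAL_ASSETS = {"10.0.0.5"}
# SIEM incidents + threat feed (constructed): hosts seen talking to known-bad IPs.
TALKING_TO_THREATS = {"10.0.0.12"}
# SIEM correlation / IPS (constructed): vulnerabilities with exploit evidence.
EXPLOIT_EVIDENCE = {"vuln-6"}

# Assumed precedence when several buckets apply (first match wins).
PRECEDENCE = ["Exploited", "Inactive", "Patched", "Blocked", "At Risk", "Critical"]
# Assumed urgency order for the analyst's work queue.
URGENCY = ["Exploited", "At Risk", "Critical", "Open", "Blocked", "Patched", "Inactive"]


def classify(v):
    """Return the single bucket for one vulnerability instance."""
    key = (v.host, v.port)
    tags = set()
    if key not in ACTIVE_SERVICES:
        tags.add("Inactive")
    if v.vuln_id in PATCH_SCHEDULED:
        tags.add("Patched")
    if not REACHABLE_FROM_UNTRUSTED.get(key, True):
        tags.add("Blocked")
    if v.host in CRITICAL_ASSETS:
        tags.add("Critical")
    if v.host in TALKING_TO_THREATS:
        tags.add("At Risk")
    if v.vuln_id in EXPLOIT_EVIDENCE:
        tags.add("Exploited")
    for label in PRECEDENCE:
        if label in tags:
            return label
    return "Open"


def triage(vulns):
    """Group instances by bucket; every bucket name is present, possibly empty."""
    buckets = {label: [] for label in URGENCY}
    for v in vulns:
        buckets[classify(v)].append(v.vuln_id)
    return buckets


def work_queue(vulns):
    """Vulnerability ids ordered by the urgency of their bucket."""
    rank = {label: i for i, label in enumerate(URGENCY)}
    return [v.vuln_id for v in sorted(vulns, key=lambda v: rank[classify(v)])]


if __name__ == "__main__":
    for label, ids in triage(VULNS).items():
        print(f"{label:10s} {ids}")
    print(work_queue(VULNS))
```

On this input the seven scanner findings spread across all buckets, and the queue starts with the one instance that has exploit evidence, then the host seen talking to threats, then the exposed service on the critical asset; the unreachable, scheduled-for-patch and non-running services drop to the bottom, which is the "sea of vulnerabilities" reduction the slide describes.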
Security Intelligence platform summary (slide 39)
Continued journey towards Total Security Intelligence (slide 40)
QRadar Security Intelligence customer roadmap (slide 41)
• Upgrade Log Manager to QRadar SIEM
  – Additional security telemetry data
  – Rules-based correlation analysis engine
  – Data overload reduction 'magic', compressing millions or even billions of daily raw events to a manageable list of issues
• Add QRadar Risk Manager
  – Enables pre-exploit configuration investigations
  – Simplifies security policy reviews for compliance tests
  – Provides network topology depictions and permits attack simulations
• Implement QRadar Vulnerability Manager
  – Extends pre-exploit analysis activities by adding integrated vulnerability insights
  – Reduces magnitude of pre-exploit conditions as QRadar SIEM does for post-exploit conditions
  – Helps identify and measure exposures to external threats
• Inject IBM X-Force Threat Research Intelligence
  – Provides intelligence feed to QRadar
  – Includes vulnerabilities, IP reputations, malware reports and attack histories
QRadar's unique advantages (slide 42)
• Scalability for largest deployments, using an embedded database and unified data architecture
  Impact: QRadar supports your business needs at any scale
• Real-time correlation and anomaly detection based on broadest set of contextual data
  Impact: More accurate threat detection, in real time
• Intelligent automation of data collection, asset discovery, asset profiling, vulnerability scanning and more
  Impact: Reduced manual effort, fast time to value, lower-cost operation
• Integrated flow analytics with Layer 7 content (application) visibility
  Impact: Superior situational awareness and threat identification
• Flexibility and ease of use enabling "mere mortals" to create and edit correlation rules, reports and dashboards
  Impact: Maximum insight, business agility and lower cost of ownership
Learn more about IBM QRadar Security Intelligence (slide 43)
• Watch executive interview video with Steve Robinson (VP)
• Visit our website
• Read new blog posts: securityintelligence.com
• Review latest solution announcement
• Follow us on Twitter: @q1labs @ibmsecurity
ibm.com/security (slide 44)
© Copyright IBM Corporation 2012. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind, express or implied. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, these materials. Nothing contained in these materials is intended to, nor shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software. References in these materials to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates. Product release dates and/or capabilities referenced in these materials may change at any time at IBM's sole discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any way. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service marks of others.
Case study: An international energy company reduces billions of events per day to find those that should be investigated (slide 45)
Optimize threat analysis: An international energy firm analyzes 2,000,000,000 events per day to find 20 – 25 potential offences to investigate
Business challenge:
• Reducing huge number of events to find the ones that need to be investigated
• Automating the process of analyzing security data
Solution: (QRadar SIEM, QFlow, Risk Manager)
• Real-time correlation of hundreds of data sources, anomaly detection to help identify "low and slow" threats, flexibility for easy customization and expansion
Case study: A financial information provider hardens defenses against threats and fraud (slide 46)
Optimize risk management: Tracks 250 activity baselines, dynamically adjusted over time; saved 50-80% on staffing vs. alternative solutions
Business challenge:
• Detect wide range of security threats affecting public-facing Web applications
• Help identify subtle changes in user behavior that could indicate fraud or misuse
• Exceed ISO 27001 standard
Solution: (QRadar SIEM, QFlow, X-Force, Network IPS)
• Combine analysis of historical data with real-time alerts to gain a 'big picture' view, uncover patterns of unusual activity humans miss, and immediately block suspected traffic
Case study: Financial services firm uses real-time analysis to defend against rising DDoS attacks (slide 47)
Optimize staff resources: Canadian-based international financial services firm analyzes 30,000,000 events per day to find 30 potential offences to investigate
Business challenge:
• Dealing with 500% increase in cyber threats and a 527% increase in denial of service attacks in the past two years
• Gaining 24x7 visibility without hiring additional analysts
Solution: (QRadar SIEM, QFlow, Risk Manager, X-Force, IPS)
• Real-time correlation, anomaly detection and X-Force Intelligence to help improve visibility and generate savings of more than 50% in annual licensing and maintenance costs
Case study: A credit card firm simplifies complexity, reduces costs and optimizes resources (slide 48)
Optimize security ROI: 50% reduction in cost of deployment, tuning and maintenance vs. competitor
Business challenge:
• 8-year-old SIEM technology did not provide visibility into and protection from current threats
• High cost of tuning and maintenance of incumbent SIEM product
Solution: (QRadar SIEM)
• Advanced security analytics engine for real-time threat detection and analysis, and scalable architecture to meet client's large data and infrastructure requirements
Case study: Growth markets payments processor achieves PCI compliance / exceeds regulatory mandates (slide 49)
Re-engineer profitable growth: Global electronic payments firm operates in 32 countries and processes over 2 billion transactions per year
Business challenge:
• Protect client data at the heart of this business
• PCI compliance for processing of >$25 billion in annual transactions
• Rapidly implement proven solution, 0 tolerance for delays or errors
Solution: (QRadar SIEM, IBM Security Network IPS)
• Integrated solution to provide visibility into PCI and data exposure risks, with expert implementation services helping client pass PCI audit four weeks after purchase