Avoiding data breach using security intelligence and big data to stay out of the headlines


Attackers and exploits are becoming increasingly sophisticated, and the pressure to protect business-critical data is only getting more intense. Security Intelligence transforms the playing field by adding analytics and context, shifting the balance in favor of the good guys. Today, forward-thinking organizations are looking at extending Security Intelligence even further by combining it with Big Data to form a solution that lets them analyze new types of information, and data that arrives at higher velocity and in larger volume. This powerful combination yields new insights that can identify threats and fraud more effectively than ever before.

In this session, attendees will learn how to combine Security Intelligence and Big Data and deploy a solution that is well suited to structured, repeatable tasks. We will also cover complementary new technologies that address speed and flexibility and are ideal for analyzing unstructured data. The session will also highlight how organizations are using Security Intelligence to proactively detect advanced threats before they cause damage, and to take effective corrective action if a compromise succeeds.

View the On-demand webinar: https://www2.gotomeeting.com/register/657029698



  1. IBM Security Systems: Amplifying Security Intelligence with Big Data and Advanced Analytics. Vijay Dheap, Global Product Manager, Master Inventor, Big Data Security Intelligence & Mobile Security, vdheap@us.ibm.com. IBM Security Systems © 2012 IBM Corporation
  2. Welcome to a Not So Friendly Cyber World…
     • Biggest bank heist in history nets $45 million, all without setting foot in a bank
     • Cyber espionage via social networking sites; target: US DoD officials
     • Hidden malware steals 3000 confidential documents from a Japanese ministry
  3. Playing Defense… The traditional approach to security is predicated on a defensive mindset:
     • Assumes an explicit organizational perimeter
     • Optimized for combating external threats
     • Presumes standardization mitigates risk
     • Dependent on general awareness of attack methodologies
     • Requires monitoring and control of traffic flows
     Origins of Security Intelligence: layered defenses are essential for good security hygiene and for addressing traditional security threats, but attackers are adapting too.
  4. Business Change is Coming… If Not Already Here. Enterprises are undergoing dynamic transformations; the organization's cyber perimeter is being blurred and can no longer be assumed.
  5. Evolving Attack Tactics… Focus on Breaching Defenses
  6. A Look at the Emerging Threat Landscape. Attacker profiles characterized as: targeted, persistent, clandestine; concealed, motivated, opportunistic; situational, subversive, unsanctioned; topical, disruptive, public; focused, well-funded, scalable.
  7. Questions CISOs Want to Be Able to Answer…
  8. Incorporating a More Proactive Mindset into Enterprise Security. Two columns contrast the broad, defender-minded approach with the targeted, attacker-minded one:
     Audit, Patch & Block (think like a defender, defense-in-depth mindset; broad):
     • Protect all assets
     • Emphasize the perimeter
     • Patch systems
     • Use signature-based detection
     • Scan endpoints for malware
     • Read the latest news
     • Collect logs
     • Conduct manual interviews
     • Shut down systems
     Detect, Analyze & Remediate (think like an attacker, counter-intelligence mindset; targeted):
     • Protect high-value assets
     • Emphasize the data
     • Harden targets and weakest links
     • Use anomaly-based detection
     • Baseline system behavior
     • Consume threat feeds
     • Collect everything
     • Automate correlation and analytics
     • Gather and preserve evidence
  9. Greater Need for Security Intelligence…
     • Visibility across organizational security systems
     • Improved response times
     • Adaptability/flexibility required for early detection of threats and risky behaviors
     Components shown: Log Manager, SIEM, Network Activity Monitor, Risk Manager, Vulnerability Manager.
  10. Evolution of Security Intelligence (diagram; data sources named on it: log management, network flow, users/identities, asset discovery, shared intel, full packet capture, other relevant data). Three stages:
      • Log management: initial visibility; facilitates compliance; attackers adapt not to leave a trace
      • SIEM: the network does not lie; greater coverage across the organization; attackers adapt to hide in the noise
      • Security Intelligence: filters out the noise and improves incident and offense identification; proactive detection of targeted and zero-day attacks; needs scalability to add more data sources and extensibility to support additional security analytics
  11. Amplifying Security Intelligence with Big Data Analytics: The Triggers That Motivate Big Data Analytics for Security Intelligence
  12. Extending the IQ of a Security Intelligence Solution to Big Data
      • Need to derive security-relevant semantics from the syntactic elements contained in raw data
      • Distilling analytical functions, tools and workflows that can be employed to deliver insights
      • Availability of codified human know-how and understanding to enable machine processing and progressively automate manual processes
  13. IBM Security Strategy: Use Cases
  14. Security Intelligence From Real-time Processing of Big Data: behavior monitoring and flow analytics; activity and data access monitoring; stealthy malware detection.
      • Network traffic doesn't lie: attackers can stop logging and erase their tracks, but can't cut off the network (flow data)
      • Improved breach detection: 360-degree visibility helps distinguish true breaches from benign activity, in real time
      • Irrefutable botnet communication: Layer 7 flow data shows botnet command and control instructions
  15. Security Intelligence Amplified by Advanced Analytics
      Hunting for external command and control (C&C) domains of an attacker:
      • Historical analysis of DNS activity within the organization
      • Automate correlation against external DNS registries
      • Advanced analytics identify suspicious domains: why only a few hits across the entire organization to these domains? Correlating to public DNS registry information increases suspicions
      Pursue active spear-phishing campaigns targeting the organization:
      • Employ Big Data analytics on email to identify patterns, targets and redirects
      • Build visualizations, such as heat maps, to view the top targets of a spear-phishing attack
      • Load spear-phishing targets and redirect URLs into real-time security intelligence analysis to thwart the attack
  16. Security Intelligence Amplified by Advanced Analytics: Tracking Multiple Unrelated Identities. Who am I? Who are you? Who do we communicate with? What devices do we own?
      • Example profile: Name: John Smith; Corporate ID: John.Smith@us.ibm.com; Google analytics: jsmith22@gmail.com; Mobile: 613-334-6572, MAC, IP; Public community: BigPipes11; Laptop: several IPs, MAC addresses, hostnames; Tablet: IP address, MAC address
      • Employ Big Data analytics on structured attributes and unstructured communications to link identities
      • Other linking attributes: fonts installed, language, user agent, installed software, web sites commonly visited, people communicated with, etc.
      • Attributes have a tendency to cross identities; device profiles have similar problems
  17. Security Intelligence Amplified by Advanced Analytics: Today's Knowledge Applied to Yesterday's Problems
      • Today, breached organizations go weeks or months unaware of someone who has already infiltrated their network. Why not use today's knowledge to analyze yesterday's data?
      • Capture all traffic for a period of time. As security detection techniques are updated (AV, IPS signatures, blacklists, MD5s, etc.), run them against yesterday's data.
      • Big Data not only allows us to store everything; we can extract the attributes used for detection up front to speed up analysis of old data:
        PCAP data -> list of all IPs and domains; all file MD5s; all links in email and social communications
        Host inventory data -> registry values; patches applied; file system audit
      • Quickly check for new indicators in yesterday's values
  18. IBM Security Strategy: Designing a Purpose-Built Security Intelligence Solution with Big Data Analytics
  19. IBM QRadar: More than a SIEM, it is a Security Intelligence Platform. QRadar filters out the noise and improves incident and offense identification; enables proactive detection of targeted and zero-day attacks; is scalable to add more data sources and extensible to incorporate logic to detect new attack patterns. Covers log management, SIEM, configuration and vulnerability management, network activity and anomaly detection, and network and application visibility.
      • Purpose-built Security Intelligence solution
      • Pre-built support for 100s of scenarios
      • Capability to ingest security data from 1000s of IT devices and numerous data feeds, including X-Force
      • Single console with unified data architecture
      • Powerful correlation engine to add security context to data
      • Rich asset database with profiles of assets, applications, vulnerabilities and other security-related content
  20. QRadar uses Big Data capabilities to identify critical security events, turning high-volume security events and network activity into high-priority security offenses.
      IBM QRadar Big Data capabilities:
      • New SIEM appliances with massive scale
      • Payload indexing for rapid ad hoc query, leveraging a purpose-built data store
      • Google-like instant search of large data sets (both logs and flows)
      • Intelligent data policy management
      • Advanced threat visualization and impact analysis
      Customer results:
      • Search 7M+ events in <0.2 sec
      • Instant, free-text searching for easier and faster forensics
      • Granular management of log and flow data
      • Quickly find critical insights among 1000s of devices and years of data
      • Attack path visualization and device/interface mapping
  21. Integrated analytics and exploration in a new architecture
      Security Intelligence Platform, real-time processing: real-time network data correlation; anomaly detection; event and flow normalization; security context and enrichment; distributed architecture
      Big Data Platform, Big Data processing: long-term, multi-PB storage; unstructured and structured data; distributed Hadoop infrastructure; real-time stream computing; preservation of raw data; enterprise integration
      Security operations, analytics and forensics: pre-defined rules and reports; advanced visuals and interaction; offense scoring and prioritization; predictive and decision modeling; ad hoc queries; activity and event graphing; compliance reporting; workflow management; interactive visualizations; collaborative sharing tools; pluggable, intuitive UI
  22. Design Pattern: Security Intelligence Employing Big Data. Components: Visualizations & Reporting; Operational Management; Security IQ; Data Exploration.
  23. IBM's Purpose-Built Security Intelligence with Big Data Solution
      • Coupling real-time security analysis with asymmetric Big Data analytics
      • Broaden the use cases supported while enabling ad hoc analysis: establish a baseline; counter cyber attacks; qualify insider threats; protect against advanced persistent threats; mitigate fraud; predict hacktivism
  24. Cyber Intelligence: four product families
      • IBM QRadar Security Intelligence: unified architecture for collecting, storing, analyzing and querying log, threat, vulnerability and risk-related data
      • IBM Big Data Platform (Streams, BigInsights, Netezza): addresses the speed and flexibility required for customized data exploration, discovery and unstructured analysis
      • IBM i2 Analyst's Notebook: helps analysts investigate fraud by discovering patterns and trends across volumes of data
      • IBM SPSS: unified product family to help capture, predict, discover trends, and automatically deliver high-volume, optimized decisions
  25. New architecture to leverage all data and analytics
      • Data in motion (Streams): video/audio, network/sensor, entity analytics, predictive; real-time analytics with stream processing
      • Information ingestion and operational information: data integration; master data
      • Data at rest, data in many forms: landing area, analytics zone and archive; raw data; structured data; text analytics; data mining; entity analytics; machine learning
      • Intelligence analysis on the Security Intelligence Platform: data collection and enrichment; event correlation; real-time analytics; offense prioritization
      • Decision management; BI and predictive analytics; navigation and discovery; information governance, security and business continuity
  26. Customizing & Extending IBM's Security Intelligence with Big Data Solution. Triggers for specific capabilities to augment the core solution:
      • Ingesting and pre-processing domain- or industry-specific, very high velocity data streams for correlation with cyber security data. Example data sources: telecom customer data records; energy and utilities grid sensor data; surveillance video/audio content
      • Performing advanced statistical, predictive and/or identity analytics on all data captured to yield security insights. Example analyses: visualize linkages of users to privileged identities; which user group has the highest propensity for insider fraud?
      • Executing frequently repeated queries and other analytical workloads best suited to massively parallel processing on warehoused, security-enriched data. Example query: quarterly reporting on historical warehoused security data
  27. Learn more about Security Intelligence with Big Data:
      • Watch a demonstration: http://ibm.co/1cn4O6Z
      • Download the latest ESG report on Big Data Security Analytics: http://ibm.co/early_leader
      • Read our white paper: http://ibm.co/Big_Data
      • Blog: www.securityintelligence.com
      • Website: http://ibm.co/SIBD
  28. Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed or misappropriated or can result in damage to or misuse of your systems, including to attack others. No IT system or product should be considered completely secure and no single product or security measure can be completely effective in preventing improper access. IBM systems and products are designed to be part of a comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective. IBM DOES NOT WARRANT THAT SYSTEMS AND PRODUCTS ARE IMMUNE FROM THE MALICIOUS OR ILLEGAL CONDUCT OF ANY PARTY. ibm.com/security
      © Copyright IBM Corporation 2012. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind, express or implied. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, these materials. Nothing contained in these materials is intended to, nor shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software. References in these materials to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates. Product release dates and/or capabilities referenced in these materials may change at any time at IBM's sole discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any way.
      IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service marks of others.
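Slides 15 and 17 both rest on the same idea: extract the detection attributes (IPs, domains, file hashes, links) from captured traffic once, index them, and then ask questions of the index, whether "which of today's new indicators were already seen yesterday?" or "which domains has almost nobody in the organization resolved?". The following is an added example, not code from the deck or from any IBM product; the pipe-separated extraction format, the host names and the indicator values are constructed for the demonstration.

```python
"""Added example, not code from the deck or any IBM product: one attribute index over
yesterday's extracted traffic serving slide 15's rare-domain hunt and slide 17's check."""
from collections import defaultdict
from urllib.parse import urlsplit
# Constructed PCAP pre-processor output (hypothetical format): date|host|kind|value.
EXTRACTED = """\
2012-10-01|host-a|domain|www.example.com
2012-10-01|host-b|domain|www.example.com
2012-10-02|host-a|domain|cdn-sync.example.net
2012-10-02|host-a|url|http://cdn-sync.example.net/upd.exe
2012-10-02|host-a|md5|d41d8cd98f00b204e9800998ecf8427e
2012-10-03|host-b|ip|203.0.113.9
2012-10-03|host-c|domain|updates.example.org
"""

# Constructed "today's" feed: documentation addresses and the empty-string MD5, not real IoCs.
NEW_INDICATORS = [
    ("domain", "cdn-sync.example.net"),
    ("ip", "203.0.113.9"),
    ("md5", "D41D8CD98F00B204E9800998ECF8427E"),  # mixed case on purpose
    ("ip", "192.0.2.77"),
]

def normalise(kind, value):
    """Canonical form, so feed formatting differences never cause a miss."""
    value = value.strip().lower()
    return value.rstrip(".") if kind == "domain" else value

def build_index(text):
    """Map (kind, value) -> set of (date, host) sightings, built once up front. A URL
    sighting is also indexed as a domain sighting, so a later domain IoC hits links too."""
    index = defaultdict(set)
    for line in text.splitlines():
        parts = line.split("|")
        if len(parts) != 4:
            continue  # malformed extraction line: skip rather than abort the run
        day, host, kind, value = parts
        index[(kind, normalise(kind, value))].add((day, host))
        if kind == "url" and urlsplit(value).hostname:
            index[("domain", urlsplit(value).hostname)].add((day, host))
    return index

def match_indicators(index, indicators):
    """Slide 17: which of today's indicators were already seen yesterday, and where."""
    hits = {}
    for kind, value in indicators:
        key = (kind, normalise(kind, value))
        if key in index:
            hits[key] = sorted(index[key])
    return hits

def rare_domains(index, max_hosts=1):
    """Slide 15: domains resolved by at most max_hosts distinct hosts (the DNS long tail)."""
    return sorted(value for (kind, value), seen in index.items()
                  if kind == "domain" and len({h for _, h in seen}) <= max_hosts)
```

Rare domains are a triage queue, not a verdict: the deck's next step is to correlate them with registry data before raising an offense.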