Defining Security Intelligence for the Enterprise - What CISOs Need to Know


In this presentation with Chris Poulin, you'll gain the insight you need to stay ahead of threats and to be prepared to respond before, during and after an attempted breach. Chris Poulin is an Industry Security Systems Strategist with the IBM Institute for Advanced Security and the former CISO of Q1 Labs.

CONTENT:

• What is Security Intelligence?
• Why do we need Security Intelligence?
• What are the benefits of Security Intelligence in the enterprise?

Published in: Technology, Business


  1. Defining Security Intelligence for the Enterprise: What Today’s CISOs Need to Know
     Chris Poulin, Industry Security Systems Strategist, IBM Institute for Advanced Security
     © 2012 IBM Institute for Advanced Security
  2. You will get hacked, but…
     CISOs know it’s not if but when they get hacked; yet there is still a gap in the ability to detect a breach.
     • Breaches are taking longer to discover
     • Breaches are not being discovered internally
     Charts from Verizon 2011 Investigative Response Caseload Review
  3. 92% of Breaches Are Undetected by the Breached Organization
     Source: 2012 Data Breach Investigations Report
  4. SQL Injection Still #1
  5. Sophistication of cyber threats, attackers and motives is rapidly escalating
     1st Decade of the Commercial Internet (1995–2005) → 2nd Decade of the Commercial Internet (2005–2015)
     Motive, from least to most serious: Curiosity; Revenge; Monetary Gain; Espionage, Political Activism; National Security
     Adversary, from least to most sophisticated:
     • Script-kiddies or hackers using tools, web-based “how-to’s”
     • Insiders, using inside information
     • Organized Crime, using sophisticated tools
     • Competitors, Hacktivists
     • Nation-state Actors; Targeted Attacks / Advanced Persistent Threat
  6. Solving a security issue is a complex, four-dimensional puzzle
     • People: Employees, Consultants, Hackers, Terrorists, Outsourcers, Customers, Suppliers
     • Data: Structured, Unstructured, At rest, In motion
     • Applications: Systems applications, Web applications, Web 2.0, Mobile apps
     • Infrastructure
     It is no longer enough to protect the perimeter – siloed point products will not secure the enterprise
  7. Choose the Right Technology
     Protection technology is critical, but choose wisely. There is no magic security technology.
  8. People and Processes First
     A lesson from airport security: instead of expensive equipment, use what works.
     In Israel
     • No plane departing Ben Gurion Airport has ever been hijacked
     • Use human intelligence
     • “Questioning” looks for suspicious behavior
     • Simple metal detectors
     Scotland Yard
     • 24+ men planned to smuggle explosive liquids
     • Foiled beforehand because of intelligence
     • Before they even got to the airport
  9. What is Security Intelligence?
     Security Intelligence, noun: the real-time collection, normalization, and analytics of the data generated by users, applications and infrastructure that impacts the IT security and risk posture of an enterprise.
     Security Intelligence provides actionable and comprehensive insight for managing risks and threats, from protection and detection through remediation.
  10. What Gartner is Saying About the Need for Context
     Mark Nicolett, Managing VP, Gartner Security, Risk & Compliance:
     • “The rapid discovery of a breach is key to minimizing the damage of a targeted attack, but most organizations do not have adequate breach detection capabilities.”
     • “Since perfect defenses are not practical or achievable, organizations need to augment vulnerability management and shielding with more effective monitoring.”
     • “The addition of context, such as user, application, asset, data and threat, to security event monitoring will increase the likelihood of early discovery of a targeted attack.”
     • “We need to get better at discovering the changes in normal activity patterns that are the early signal of an attack or breach.”
     Quotes 1–3 from “Effective Security Monitoring Requires Context,” Gartner, 16 January 2012, G00227893; quote 4 from “Using SIEM for Targeted Attack Detection,” Gartner, 20 March 2012, G00227898
  11. Context and correlation
     Deep visibility into users, data, applications, and assets
     Sources + Intelligence = Most Accurate & Actionable Insight
  12. Solving complex problems that point solutions cannot
     • Improving threat detection: discovered 500 hosts with the “Here You Have” virus, which all other security products missed
     • Consolidating data silos: 2 billion logs and events per day reduced to 25 high-priority offenses
     • Predicting risks against your business: automating the policy monitoring and evaluation process for configuration changes in the infrastructure
     • Addressing regulatory mandates: real-time monitoring of all network activity, in addition to PCI mandates
  13. How Security Intelligence Can Help
     • Continuously monitor all activity and correlate in real time
     • Gain visibility into unauthorized or anomalous activities:
       – Server (or thermostat) communicating with an IP address in China
       – Unusual Windows service: backdoor or spyware program
       – Query by a DBA against credit card tables during off-hours: possible SQL injection attack
       – Spike in network activity: high download volume from a SharePoint server
       – High number of failed logins to critical servers: brute-force password attack
       – Configuration change: unauthorized port being enabled for exfiltration
       – Inappropriate use of protocols: sensitive data being exfiltrated via P2P
  14. Why Should a CISO Care?
     • Detect suspicious behavior
       – Privileged actions being conducted from a contractor’s workstation
       – DNS communications with an external system flagged as C&C
     • Detect policy violations
       – Baseline against reality (CMDB)
       – Social media, P2P, etc.
     • Detect APTs
       – File accesses out of the norm: behavior anomaly detection
       – Least used applications or external systems; occasional traffic
     • Detect fraud
       – Baseline credit pulls or trading volumes and detect anomalies
       – Correlate eBanking PIN change with large money transfers
     • Forensic evidence for prosecution
     • Impact analysis
     • Compliance: change & configuration management
     • Metrics
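The definition on slide 9 (real-time collection, normalization, analytics) and the detection cases on slides 13 and 14 come together in a small pipeline. The following is an added example written for this page, not code from the presentation or from any IBM product: it normalizes two constructed log formats into one event schema and then runs three correlation rules over the events (brute-force logins to a critical server, off-hours privileged reads of card tables, and privileged actions from a contractor workstation). The log formats, host names, user names, IP addresses, business-hours range and thresholds are all assumptions made for the example.

```python
"""Toy security-intelligence pipeline: normalize log lines from two sources
into one event schema, then run correlation rules over the events.
Added example for this page; not code from the presentation or from any
IBM product. Log formats, hosts, users, IPs and thresholds are constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed source formats: an sshd-style auth line and a DB audit line.
SSH_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) sshd: (?P<outcome>Failed|Accepted) "
                    r"password for (?P<user>\S+) from (?P<src>\S+)$")
DB_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) dbaudit: user=(?P<user>\S+) "
                   r"src=(?P<src>\S+) stmt=\"(?P<stmt>[^\"]*)\"$")

def normalize(line):
    """Map one raw line onto {ts, host, user, src, category, outcome, detail}."""
    m = SSH_RE.match(line)
    if m:
        return {"ts": datetime.fromisoformat(m["ts"]), "host": m["host"], "user": m["user"],
                "src": m["src"], "category": "auth",
                "outcome": "fail" if m["outcome"] == "Failed" else "success", "detail": ""}
    m = DB_RE.match(line)
    if m:
        return {"ts": datetime.fromisoformat(m["ts"]), "host": m["host"], "user": m["user"],
                "src": m["src"], "category": "db_query", "outcome": "success",
                "detail": m["stmt"]}
    return None  # unknown format; a real pipeline would count and surface these

# Context the rules draw on (asset, user and data context; constructed values).
CRITICAL_HOSTS = {"db-prod-01"}
CONTRACTOR_WORKSTATIONS = {"10.9.8.7"}
PRIVILEGED_USERS = {"dba", "root"}
CARD_TABLES = {"cards", "cardholder"}
BUSINESS_HOURS = range(8, 19)  # 08:00-18:59 local, assumed

def rule_brute_force(events, threshold=5, window=timedelta(minutes=2)):
    """Fire once when `threshold` failed logins to a critical host arrive from
    one source within a sliding `window`."""
    offenses, buckets = [], defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["category"] != "auth" or e["outcome"] != "fail" or e["host"] not in CRITICAL_HOSTS:
            continue
        key = (e["src"], e["host"])
        buckets[key] = [t for t in buckets[key] if e["ts"] - t <= window] + [e["ts"]]
        if len(buckets[key]) == threshold:
            offenses.append(("brute_force", e["src"], e["host"]))
    return offenses

def rule_offhours_card_query(events):
    """Fire when a privileged user reads a card table outside business hours."""
    offenses = []
    for e in events:
        if e["category"] != "db_query" or e["user"] not in PRIVILEGED_USERS:
            continue
        tables = set(re.findall(r"\bfrom\s+(\w+)", e["detail"], re.I))
        if tables & CARD_TABLES and e["ts"].hour not in BUSINESS_HOURS:
            offenses.append(("offhours_card_query", e["user"], e["host"]))
    return offenses

def rule_privileged_from_contractor(events):
    """Fire when a privileged user acts from a contractor workstation."""
    hits = [("privileged_from_contractor", e["user"], e["src"]) for e in events
            if e["user"] in PRIVILEGED_USERS and e["src"] in CONTRACTOR_WORKSTATIONS]
    return list(dict.fromkeys(hits))  # one offense per user/workstation pair

def analyze(lines):
    """Normalize, then run every rule; returns the list of offenses."""
    events = [ev for ev in map(normalize, lines) if ev]
    return (rule_brute_force(events) + rule_offhours_card_query(events)
            + rule_privileged_from_contractor(events))

# Constructed sample input: a 5-attempt burst, then a DBA session from a contractor box.
SAMPLE_LOGS = [
    "2012-06-01T02:10:%02d db-prod-01 sshd: Failed password for root from 203.0.113.5" % s
    for s in range(0, 50, 10)
] + [
    "2012-06-01T02:15:00 db-prod-01 sshd: Accepted password for dba from 10.9.8.7",
    '2012-06-01T02:16:00 db-prod-01 dbaudit: user=dba src=10.9.8.7 stmt="select pan, expiry from cards"',
    '2012-06-01T14:00:00 db-prod-01 dbaudit: user=dba src=10.0.0.4 stmt="select count(*) from orders"',
]

if __name__ == "__main__":
    for offense in analyze(SAMPLE_LOGS):
        print(offense)
```

Run as a script and the three offenses print. The point of the normalization step is that the rules never look at raw text, so adding a third log source means writing one more parser, not rewriting the rules; the threshold, window and business-hours values are tuning parameters that a real deployment sets from observed baselines rather than guesses.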
  15. Network Activity for Total Visibility
     • Attackers can stop logging and erase their tracks, but can’t cut off the network (flow data)
     • Helps detect zero-day attacks that have no signature
     • Provides definitive evidence of attack
     • Enables visibility into all attacker communications
     • Passively builds up asset profiles, and keeps them up to date
  16. Application Detection & Forensic Evidence
     Botnet detected? This is as far as traditional SIEM can go.
     IRC on port 80? QFlow enables detection of a covert channel.
     Irrefutable Layer 7 data contains the botnet command and control instructions.
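Slides 15 and 16 make the case that flow data with Layer 7 content catches what logs and port-based views miss: a host can silence its own logging, and "port 80" says nothing about what is actually inside the session. The following is an added example, not code from the presentation or from QFlow/QRadar: it classifies the first payload bytes of constructed flow records by content, flags any flow whose observed application contradicts the port it runs on (IRC on TCP/80, SSH on TCP/443), and pulls the IRC command text out as evidence. The expected-application table, the flow records and the signature heuristics are assumptions made for the example, not a production classifier.

```python
"""Application-layer protocol identification over flow records, to catch
covert channels such as IRC command-and-control on TCP/80.
Added example, not code from the presentation or from QFlow/QRadar. Flow
records and payload samples are constructed; the classifier is a small
signature heuristic, not a production-grade one."""
import re

# Expected application per well-known server port (constructed policy table).
EXPECTED_APP = {80: "http", 443: "tls", 22: "ssh", 6667: "irc"}

HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ")
IRC_CMD = re.compile(rb"^(?::\S+ )?(NICK|USER|JOIN|PRIVMSG|PING|PONG|MODE)\b", re.M)

def identify_app(payload):
    """Classify the first bytes of a TCP payload by content, ignoring the port."""
    if payload.startswith(HTTP_METHODS) or payload.startswith(b"HTTP/1."):
        return "http"
    if payload.startswith(b"\x16\x03"):          # TLS record: handshake, version 3.x
        return "tls"
    if payload.startswith(b"SSH-"):
        return "ssh"
    if IRC_CMD.search(payload):
        return "irc"
    return "unknown"

def flag_covert_channels(flows):
    """Return (src, dst, dport, expected, observed) for every flow whose Layer 7
    content contradicts the port it runs on."""
    findings = []
    for f in flows:
        observed = identify_app(f["payload"])
        expected = EXPECTED_APP.get(f["dport"])
        if expected and observed not in (expected, "unknown"):
            findings.append((f["src"], f["dst"], f["dport"], expected, observed))
    return findings

def extract_c2_commands(payload):
    """Pull IRC PRIVMSG bodies out of a payload: the instruction text itself is
    the Layer 7 evidence the slide refers to."""
    return [m.decode("ascii", "replace")
            for m in re.findall(rb"PRIVMSG \S+ :(.*?)\r?\n", payload)]

# Constructed flow records, as a collector with payload capture would hand them over.
SAMPLE_FLOWS = [
    {"src": "10.1.1.20", "dst": "198.51.100.9", "dport": 80,
     "payload": b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"},
    {"src": "10.1.1.21", "dst": "198.51.100.10", "dport": 80,
     "payload": b"NICK bot4471\r\nUSER bot 0 * :bot\r\nJOIN #c2\r\n"
                b":master!u@h PRIVMSG #c2 :.ddos 203.0.113.7 80 60\r\n"},
    {"src": "10.1.1.22", "dst": "198.51.100.11", "dport": 443,
     "payload": b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03"},
    {"src": "10.1.1.23", "dst": "198.51.100.12", "dport": 443,
     "payload": b"SSH-2.0-OpenSSH_5.9\r\n"},
]

if __name__ == "__main__":
    for finding in flag_covert_channels(SAMPLE_FLOWS):
        print("covert channel:", finding)
    print(extract_c2_commands(SAMPLE_FLOWS[1]["payload"]))
```

Two of the four constructed flows are flagged: the IRC session on port 80 and the SSH session on port 443. A flow classified as "unknown" is deliberately not flagged, since a weak classifier that raises an offense for every unrecognized payload buries the real covert channel in noise.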
  17. Data Leakage
     Who is responsible for the data leak? Alert on data patterns, such as credit card numbers, in real time.
  18. Insider Fraud
     Potential data loss? Who? What? Where?
     • Who? An internal user
     • What? Oracle data
     • Where? Gmail
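Slides 17 and 18 describe alerting on card-number patterns in outbound content and answering who, what and where for the leak. The following is an added example, not code from the presentation or from any IBM product: it scans constructed outbound message records for card-number candidates, keeps only those that pass the Luhn checksum so that random digit runs such as ticket numbers do not fire, and emits one alert per message carrying the sender, the destination and the masked numbers. The message records, users and destinations are assumptions made for the example; real DLP patterns are per-brand and far more specific than the generic one used here.

```python
"""Real-time alerting on card-number patterns in outbound content, with the
who/what/where attribution the slides ask for.
Added example, not code from the presentation or from any IBM product. The
message records, users and destinations are constructed."""
import re

# 13-19 digits, optionally grouped by spaces or dashes (generic constructed pattern).
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

def luhn_ok(digits):
    """Luhn checksum: double every second digit from the right, sum, check mod 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def find_pans(text):
    """Return candidate numbers that pass Luhn, as plain digit strings."""
    found = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            found.append(digits)
    return found

def mask(pan):
    """Keep only the last four digits so the alert itself does not leak the PAN."""
    return "*" * (len(pan) - 4) + pan[-4:]

def alert_on_leaks(messages):
    """One alert per message that carries at least one Luhn-valid PAN:
    who sent it, what was exposed (masked), and where it went."""
    alerts = []
    for msg in messages:
        pans = find_pans(msg["body"])
        if pans:
            alerts.append({"who": msg["user"], "where": msg["dest"],
                           "channel": msg["channel"], "what": [mask(p) for p in pans]})
    return alerts

# Constructed outbound records, e.g. from a mail or web proxy with content inspection.
SAMPLE_MESSAGES = [
    {"user": "jdoe", "channel": "webmail", "dest": "mail.example.test",
     "body": "export attached: 4111 1111 1111 1111, 5500-0000-0000-0004"},
    {"user": "asmith", "channel": "http", "dest": "partner.example.test",
     "body": "ticket 1234567890123456 opened"},   # 16 digits, but fails Luhn
    {"user": "svc-backup", "channel": "sftp", "dest": "backup.example.test",
     "body": "nightly dump of orders table, 1200 rows"},
]

if __name__ == "__main__":
    for alert in alert_on_leaks(SAMPLE_MESSAGES):
        print(alert)
```

Only the first constructed message produces an alert. The Luhn filter is what keeps the rule usable in real time: without it, every 16-digit ticket or order number in outbound mail would page the analyst, and the attribution (who, where) is attached at detection time because that is when the session context is still available.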
  19. User Behavior Monitoring & APTs
     User & Application Activity Monitoring alerts to a user anomaly for Oracle database access. Identify the user, the normal access behavior and the anomalous behavior, with all source and destination information, for quickly resolving the persistent threat.
  20. Configuration & Risk
     Network topology and open paths of attack add context. Rules can take exposure into account to:
     • Prioritize offenses and remediation
     • Enforce policies
     • Play out what-if scenarios
  21. Real-Time Activity for Prioritized Response
     Network monitoring + configuration management = deeper level of forensics & accurate impact analysis
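Slides 20 and 21 argue that topology and firewall policy should feed offense prioritization: an attacked service that has an open path from the internet matters more than one that does not. The following is an added example, not code from the presentation or from QRadar Risk Manager: it models zone-to-zone policy as permitted ports, enumerates attack paths from the internet to an asset's zone under a pivot model (an attacker who owns a host in a zone can use whatever that zone may reach, and the final hop must permit the attacked service port), and scores offenses by severity, asset criticality and exposure. The topology, firewall rules, asset list and weights are assumptions made for the example.

```python
"""Exposure-aware offense prioritization: use network topology and firewall
policy to decide whether an attacked asset is actually reachable, and rank
offenses accordingly.
Added example, not code from the presentation or from QRadar Risk Manager.
The topology, policy, assets and scoring weights are constructed."""

# Constructed policy: (source_zone, dest_zone) -> permitted TCP ports ("*" = any).
POLICY = {
    ("internet", "dmz"): {80, 443},
    ("dmz", "app"): {8080},
    ("app", "db"): {1521},
    ("corp", "app"): {"*"},
    ("corp", "db"): {1521, 22},
}

# Constructed asset inventory: host -> (zone, criticality 1-5).
ASSETS = {
    "web-01": ("dmz", 3), "app-01": ("app", 4), "db-prod-01": ("db", 5),
    "hr-pc-17": ("corp", 2),
}

def attack_paths(src_zone, dst_zone, service_port):
    """Zone chains from src to dst where every hop is permitted by policy and the
    final hop allows service_port (pivot model: owning a host in a zone lets the
    attacker use any port that zone may reach onward)."""
    paths = []

    def walk(zone, path):
        for (a, b), ports in POLICY.items():
            if a != zone or b in path:
                continue
            if b == dst_zone:
                if service_port in ports or "*" in ports:
                    paths.append(path + [b])
            else:
                walk(b, path + [b])

    walk(src_zone, [src_zone])
    return paths

def prioritize(offenses):
    """offense: {host, port, severity 1-10}. Score = severity * criticality,
    doubled when at least one internet attack path to that service exists.
    Returns (score, host, port, paths) sorted highest first."""
    ranked = []
    for o in offenses:
        zone, crit = ASSETS[o["host"]]
        paths = attack_paths("internet", zone, o["port"])
        score = o["severity"] * crit * (2 if paths else 1)
        ranked.append((score, o["host"], o["port"], paths))
    return sorted(ranked, reverse=True)

# Constructed offenses as a SIEM would raise them.
SAMPLE_OFFENSES = [
    {"host": "db-prod-01", "port": 1521, "severity": 7},  # reachable via dmz -> app -> db
    {"host": "hr-pc-17", "port": 445, "severity": 9},     # no path from the internet into corp
    {"host": "web-01", "port": 443, "severity": 5},
]

if __name__ == "__main__":
    for score, host, port, paths in prioritize(SAMPLE_OFFENSES):
        print(score, host, port, paths)
```

The raw severity would rank the HR workstation first; with exposure taken into account the database server comes first because a permitted chain internet → dmz → app → db exists on its service port. The what-if scenario on slide 20 is just editing POLICY (for example removing the app → db rule) and re-running prioritize, which is also how the policy-enforcement use case is checked before a firewall change is made.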
  22. Integration: Increasing Security, Collapsing Silos, and Reducing Complexity
     Increased Awareness and Accuracy
     • Prevent advanced threats with real-time intelligence correlation across security domains
     • Increase situational awareness by leveraging real-time feeds of X-Force Research and Global Threat Intelligence across IBM security products, such as the QRadar Security Intelligence Platform and Network Security appliances
     • Conduct complete incident investigations with unified identity, database, network and endpoint activity monitoring and log management
     Ease of Management
     • Simplify risk management and decision-making with automated reporting through a unified console
     • Enhance auditing and access capabilities by sharing identity context across multiple IBM security products
     • Build automated, customized application protection policies by feeding AppScan results into IBM Network Intrusion Prevention Systems
     Reduced Cost and Complexity
     • Deliver faster deployment, increased value and lower TCO by working with a single strategic partner
  23. Security Intelligence Timeline
     Prediction & Prevention: Risk Management; Vulnerability Management; Configuration Monitoring; Patch Management; X-Force Research and Threat Intelligence; Compliance Management; Reporting and Scorecards
     Reaction & Remediation: SIEM; Log Management; Incident Response; Network and Host Intrusion Prevention; Network Anomaly Detection; Packet Forensics; Database Activity Monitoring; Data Loss Prevention
  24. In 1996 Gartner Group said…
     “Making business decisions based on accurate and current information takes more than intuition. Data analysis, reporting and query tools can help business users wade through a sea of data to synthesize valuable information from it. Today these tools collectively fall into a category called ‘Business Intelligence’.”
  25. In 1958 IBM…
     …researcher Hans Peter Luhn used the term business intelligence. He defined business intelligence as: “the ability to apprehend the interrelationships of presented facts in such a way as to guide action towards a desired goal.”
  26. Security and Business Intelligence Parallels
     A chart of two product timelines plotted side by side against market changes (items as they appear on the slide):
     • IBM Security Intelligence track: Security Intelligence; DASCOM; Security as a Service; Application Security; Database Monitoring; SOA Security; Managed Security Services; Network Intrusion Prevention; Compliance Management; Identity and Access Management; Mainframe and Server Security (RACF)
     • IBM Business Intelligence track: Decision Management; BI Convergence with Collaboration; Text & Social Media Analytics; Predictive Analytics; IOD Business Optimization; Performance Management; Business Intelligence Suite; Enterprise Reporting
     • Market changes called out: Simplified Delivery (i.e., Cloud)
  27. Thank you
