Five critical conditions to maximizing security intelligence investments



In today's high-tech, highly mobile, everything-connected, data-is-everywhere world, we need to look at security very differently than we did just a few years ago. In the good ole days, a good strong perimeter defense and some endpoint protection was pretty much all that was needed to protect a company's digital environment. There are, however, many indicators highlighting the fact that we need to do something different.

Published in: Technology, Business
  • History, however, has taught us that as we change tactics the threat doesn't stand still; attackers continue to become increasingly sophisticated. And they can do so unhindered by budget and procurement processes, which makes them much more nimble than most organizations. We have also seen the motivations that drive them become all the more complex. It has gone from mere nuisance or curiosity and script kiddies to very specific targeted attacks and even, arguably, state-sponsored attacks against companies and government organizations.
  • All you have to do is turn on the TV or pick up a newspaper or magazine to see how well we are doing in our efforts to counter these more sophisticated threats. Hardly a day goes by without some new headline indicating a new security breach. Chances are most people on this call have been affected, or know someone who has been affected, by some sort of security breach.
  • If we take a look at the number and relative or estimated cost of breaches, this is also increasing at an alarming rate. Now, as a caveat, I do acknowledge there is some subjectivity here, as we have seen in most reports of this type. I think as more and more organizations are feeling the pain they are more willing to talk about it than they have been in the past. I also think just the sheer number makes them more public. That said, if we compare 2011 to the half-year point of 2013 we see a significant increase in the number of attacks and in the cross section of organizations being targeted, and of course the relative costs associated with attacks are going up. But the real takeaway from this is the number of attacks being classified as unknown. This is important (next slide).
  • Because in spite of having all kinds of technology trying to counter the threat from almost every angle, there is a huge number of attacks falling into the unknown category. And yes, there are probably some showing up in this category that are known; they just didn't want to identify the actual type of attack for whatever reason. It might have been an insider attack that they don't want to get out, or maybe just human error, which again is not something they want exposed. Nonetheless, there are a lot of attacks where the outcome is known but how they got there is a mystery. This is where true Security Intelligence comes into play.
  • Several years ago, we introduced the term “Security Intelligence” to describe the value organizations can gain from their security data, and the term has caught on.
    We're seeing this term being used more and more by customers, vendors, pundits and industry experts, but what's interesting is that no one seems to be describing the same concept.
    In a recent discussion I had with around 20 analysts in the security and networking space I found that no one has really defined the term.
    To set the record straight, we are explicitly stating our own definition as:
    Security Intelligence (SI) is a methodology of analyzing millions and billions of security, network and application records across the organization's entire network in order to gain insight into what is actually happening in the organization's digital world.
    We further define Security Intelligence as: combining internal, locally collected security intelligence with external intelligence feeds for the application of correlation rules that reduce huge volumes of data into a handful of high-probability ‘offense’ records requiring immediate investigation.
  • So, keeping the Security Intelligence definition in mind, let's take a look at how this actually plays out technologically. If we look at the Security Intelligence timeline, most organizations are going about their day-to-day business, and as long as there are no indicators of anything going wrong they proceed with doing what they do day in and day out. Then an alarm goes off; the alarm might be triggered by some technology or, as is often the case, by a sudden wave of customer complaints. Let's assume for the sake of argument the alert is triggered by a highly tuned, highly effective SIEM solution taking in information from all of the usual suspects. What becomes clear is that this does not really meet our definition of security intelligence. It really falls more under the definition of forensics: a crime has been committed and now the effort is focused on finding out what happened, with the intent to prevent it from happening again. The problem with this is that the bad guys are always in the lead. To get ahead of the threat requires a different approach. You cannot rely on forensics only if you want to get ahead of the threat. To do that, you have to close some of the information gaps found in traditional SIEM and log management solutions. Much of the activity and many of the data feeds listed on the pre-exploit side are challenges for traditional SIEM solutions that are focused on forensics. Keep in mind here that technology is critically important but does not remove the human requirement; it does, to a certain extent, change their focus, as we will talk about in a few minutes.
  • As I mentioned at the start of this presentation, there are a lot of security products out there, all focused on trying to prevent bad things from happening in an organization's network. None of the individual point solutions give full visibility into what is happening in the network, and they don't claim to. The full view, however, is what the security and network professionals need in order to quickly identify and prevent the threat from having an impact on the organization. Time here is on the side of the bad guys. The longer something goes unnoticed, the more likely it is to have a critical impact on the business, and at the very least it will require more resources to extract and make the network whole again. One bewildering observation I have made over the past several years is that organizations purchase best-of-breed point solutions based on how well they defend within their area of expertise. This same sort of thinking doesn't always seem to carry over when they are looking at SIEM or Security Intelligence solutions. Many organizations, for whatever reason, buy into a framework they have to tune to meet their specific needs, thinking their requirements are so much different than others in their space.
  • The impact of this can be shown graphically. The longer it takes to identify and resolve an incident, the more impact (translate: cost) to the organization. The longer you don't know about it, the more expensive it gets. I am an instant-gratification kind of guy: I will pay a bit extra to go to the store to buy my toys, whatever they may be, so I can go home and start playing with them, rather than save a few dollars or euros by ordering them online and having to wait a week for them to be delivered. I am always a bit amazed when organizations go the framework approach, where they deploy a solution knowing it will most likely be months before they get to the point where the output is useful.
  • Another way of looking at this is that SIEM technology tends to really focus on the tip of the iceberg, though there are some that dabble a bit deeper, including identity and flows, albeit more for show than for function. Flows, for instance, cannot be correlated in the same way as an event; flows need to be looked at as a session to add true intelligence value. So in the interest of time, I want to point out one item toward the bottom of the iceberg, and that is business process. This really reflects the changes that need to take place in order to get ahead of the threat. It is becoming more and more critical that the security practitioner understand the organization's business process in order to tune the security environment and effect an appropriate response. This again begs the question: should the security team be spending time tuning the tool or securing the network? Obviously both can be done with an unlimited budget.
  • Assuming a best-case scenario, there is a lot of information being thrown at the security team. All of this information has to be correlated in real time because, as I mentioned earlier, time is not on the side of the good guys. Again, I want to point out that the security team needs to be focusing higher up the stack, looking for activity that might indicate something undesirable is about to happen. Even if all the correlation is spot on, significant improvements can be made by including data from external intelligence sources. This data, coupled with the business-related data incorporated by the security team, has a significant impact on overall security posture.
  • Since I have yet to talk to an IT security organization that says it doesn't have enough to do, incorporating external threat data that is already woven into the inner workings of the solution serves as a force multiplier. With more than 6,000 researchers, developers and subject matter experts engaged in security initiatives, IBM operates one of the world's broadest enterprise security research, development and delivery organizations. This powerful combination of expertise is made up of the award-winning X-Force research and development team—with one of the largest vulnerability databases in the industry—and includes nine security operations centers, nine IBM Research centers, 14 software security development labs and the IBM Institute for Advanced Security with chapters in the United States, Europe and the Asia Pacific region. Not a bad addition to your security team.
    Security Operations Centers: Atlanta, Georgia; Detroit, Michigan; Boulder, Colorado; Toronto, Canada; Brussels, Belgium; Tokyo, Japan; Brisbane, Australia; Hortolandia, Brazil; Bangalore, India; Wroclaw, Poland
    Security Research Centers: Yorktown Heights, NY; Atlanta, GA; Almaden, CA; Ottawa, Canada; Zurich, CH; Kassel, DE; Herzliya, IL; Haifa, IL; New Delhi, IN; Tokyo, JP
    Security Development Labs: Littleton, MA; Raleigh, NC; Atlanta, GA; Austin, TX; Costa Mesa, CA; Fredericton, Canada; Toronto, CAN; Ottawa, CAN; Belfast, NIR; Delft, NL; Pune, IN; Bangalore, IN; Taipei, TW; Singapore, SG; Gold Coast, AU
    Note: IBM patent search performed by Paul Landsberg, IBM IP Office
  • Automatically including this up-to-date threat intelligence has many benefits. It can take some of the important but lower-level everyday tasks, like looking for bot C&C, top targeted ports and known hostile networks, off the plate of the security team, again allowing them to focus on those tasks that must be done internally.
  • Another key area where a fully integrated Security Intelligence solution can significantly reduce pressure on the security team, compared with a framework solution, is in the day-to-day care and feeding of the solution. In many cases a fully integrated Security Intelligence solution can help take care of itself: parsers, rules, device and event mappings are easily updated. This again reduces the time spent tuning the security solution, leaving more time for solving security issues.
  • While log events are critical, they leave gaps in visibility. Many of our competitors openly state they believe there is no value in flow; we vehemently disagree. A great example: the first thing an attacker will do when they compromise a system is to turn off logging and erase their tracks. Traditional SIEMs are blind at this point. However, the attacker can't turn off the network, or they cut themselves off as well.
    In addition to filling in the visibility picture, network activity can also be used to passively build up an asset database and profile your assets. A machine that has received and responded to a connection on port 53 UDP is obviously a DNS server, and a machine that has accepted connections on 139 or 445 TCP is a Windows server. Adding application detection can confirm this not only at the port level but at the application data level.
  • A great example of where flows fill in the gap: a user logs in successfully to a system and creates a new user account. They then elevate the rights on that account and log on to another system. All of this activity is clearly visible to any Security Intelligence, SIEM and even pure log management solution.
  • Most of these systems can generate an alert when the user logs in with the elevated privileges. But let's assume the individual wants to do something and doesn't want anyone to know about it, so disables logging. Again, most systems have the ability to alert if a system stops sending events, but at this point event-based SIEM solutions are blind. Including session-based flow monitoring in the Security Intelligence solution exposes activity others can't see: though the individual can turn off events, they can't turn off flow.
  • I like to equate event information to still photography. An event is a mere snapshot of the activity going on. For example, an IPS inspects a packet, sees nothing wrong with it, so just drops it; if it does see something in it, an event gets generated and sent on to the console and/or the SI, SIEM or LM system if one is being used. All it knows is what is contained in that event. Yes, it can correlate information from other devices, which may tell a different story, but what about devices that don't log, or cases where for whatever reason an event is not generated? Looking at flow data is more like looking at video tape. When you include flow data in your Security Intelligence, your forensic work becomes much easier and faster because you can see everything they have touched, with some level of understanding of what they were doing. You can't hide from flows!
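As an added example (not code from the presentation or from QRadar), the scenario above played out over a few constructed event and flow records: passive asset profiling from the ports a host actually answered on, as described two notes earlier, and spotting a host whose event stream went quiet while flows show it still opening sessions. The CSV flow layout, the event line format and the role table are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample data (not from the presentation). Host 10.0.0.5 emits the
# account-creation / privilege-elevation events described above, then its event
# stream stops; bi-directional flow records show it still opening sessions.
EVENTS = """\
2013-10-24T09:00:10 10.0.0.5 Logon success user=bob
2013-10-24T09:01:30 10.0.0.5 Account created user=svc_backup by=bob
2013-10-24T09:02:05 10.0.0.5 Group membership change user=svc_backup group=Administrators
2013-10-24T09:03:00 10.0.0.5 Audit log cleared by=svc_backup
2013-10-24T09:40:00 10.0.0.10 Logon success user=alice
"""

# Assumed flow layout (one session per line, both directions already merged):
# start, src_ip, src_port, dst_ip, dst_port, proto, bytes_src_to_dst, bytes_dst_to_src
FLOWS = """\
2013-10-24T09:00:05,10.0.0.5,51000,10.0.0.10,53,udp,64,180
2013-10-24T09:02:10,10.0.0.5,51002,10.0.0.10,53,udp,64,180
2013-10-24T09:10:00,10.0.0.5,51010,10.0.0.20,445,tcp,4100,9800
2013-10-24T09:25:00,10.0.0.5,51011,10.0.0.21,139,tcp,1500,2400
2013-10-24T09:26:00,10.0.0.5,51012,10.0.0.22,445,tcp,980,0
2013-10-24T09:41:00,10.0.0.10,40000,10.0.0.20,445,tcp,2000,5000
"""

# Service ports the presentation uses for passive profiling.
ROLE_BY_SERVICE = {
    ("udp", 53): "dns-server",
    ("tcp", 139): "windows-server",
    ("tcp", 445): "windows-server",
}


def parse_events(text):
    """Return (timestamp, host, message) tuples from the constructed event lines."""
    out = []
    for line in text.splitlines():
        ts, host, msg = line.split(" ", 2)
        out.append((datetime.fromisoformat(ts), host, msg))
    return out


def parse_flows(text):
    """Return one dict per bi-directional flow record."""
    out = []
    for line in text.splitlines():
        f = line.split(",")
        out.append({
            "start": datetime.fromisoformat(f[0]),
            "src": f[1], "sport": int(f[2]),
            "dst": f[3], "dport": int(f[4]),
            "proto": f[5],
            "src_bytes": int(f[6]), "dst_bytes": int(f[7]),
        })
    return out


def profile_assets(flows):
    """Passive asset profiling: tag a host with a role only when it *answered*
    on the service port. A session with no bytes back is just an attempt
    (port closed, filtered, or scanned) and says nothing about the target."""
    roles = defaultdict(set)
    for fl in flows:
        role = ROLE_BY_SERVICE.get((fl["proto"], fl["dport"]))
        if role and fl["dst_bytes"] > 0:
            roles[fl["dst"]].add(role)
    return {host: sorted(r) for host, r in roles.items()}


def hosts_active_after_logs_stopped(events, flows, quiet=timedelta(minutes=5)):
    """Hosts that were sending events, went silent, and yet keep initiating
    sessions: the 'they can turn off events but not flow' case."""
    last_event = {}
    for ts, host, _ in events:
        last_event[host] = max(ts, last_event.get(host, ts))
    suspects = defaultdict(list)
    for fl in flows:
        host = fl["src"]
        if host in last_event and fl["start"] - last_event[host] > quiet:
            suspects[host].append(fl)
    return dict(suspects)


def session_timeline(flows, host):
    """The 'video tape' view: every session the host took part in, in order."""
    lines = []
    for fl in sorted(flows, key=lambda f: f["start"]):
        if host in (fl["src"], fl["dst"]):
            lines.append(f"{fl['start'].time()} {fl['src']}:{fl['sport']} -> "
                         f"{fl['dst']}:{fl['dport']}/{fl['proto']} "
                         f"out={fl['src_bytes']} in={fl['dst_bytes']}")
    return lines


if __name__ == "__main__":
    flows = parse_flows(FLOWS)
    print("asset roles:", profile_assets(flows))
    for host, sessions in hosts_active_after_logs_stopped(parse_events(EVENTS), flows).items():
        print(f"{host}: {len(sessions)} sessions after its event stream went quiet")
        print("\n".join(session_timeline(flows, host)))
```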
  • In starting out this presentation I suggested that the old method of protecting an organization's digital self is not working; there needs to be a new approach. I put forth the argument that the role of the security expert is changing. They have to better understand the business and what normal is, so that even the slightest change raises an eyebrow and is investigated. Having the ability to incorporate this into the Security Intelligence solution across all attack vectors is essential. The days of hoping the bad guys won't find a vulnerability are gone. You have to ensure you have all aspects of the digital world covered. Visibility into this world simplifies your life, which then makes it easier for you to make the bad guys' lives much harder.
  • Throughout this presentation I have acknowledged that IT teams are overextended. There is every chance that at the end of the day they are not going to get to resolve every issue that comes their way. It is, however, important that they focus on the issues that are critical to the business. By including vulnerability data in the solution, the security team can do just that. IBM Security's QRadar Vulnerability Manager delivers exceptional insight to guide the proactive efforts of IT security teams, helping them fortify their defenses against persistent adversaries. It presents vulnerability scanning results within the context of an enterprise SIEM and produces an actionable plan for addressing the largest risks. It can be triggered to immediately scan whenever abnormal behavior is detected or a new asset is seen on the network, giving security teams near-real-time visibility of weaknesses that could otherwise remain hidden for some time.
  • Another buzz phrase in the security space is Big Data. This is another area that may hold yet-undiscovered clues as to what may be at the root of network issues. Traditional security solutions rely primarily on structured data. We, however, recognize the value of analyzing unstructured data as well, for many reasons, security being one of them. This, by the way, works both ways. Remember, when looking for a potential security indicator, it could be a couple of packets' worth of data out of millions and millions of records. These types of indicators could easily be missed if the event information has to be filtered so the security solution can keep up. Integrating security-enriched data into the Big Data warehouse ensures all data is properly analyzed without compromising security.
  • Protect and track user activities
    – Provide effective administrative access control
    – Track suspicious role changes, unauthorized user actions, failed and potentially harmful logins
    – Track user activities on the VMs or ESX server, like creating, deleting or moving VMs or physical servers
    Meet audit and compliance requirements
    – Generate reports (daily, weekly, monthly) for VM and hypervisor activities per organization
    – Meet industry-specific compliance (PCI, HIPAA, ISO 27002, FISMA) for the virtualization layer
    – Comply with security advisories for virtual infrastructure and address platform hardening
    Improve visibility
    – Correlate events from VMware components, e.g., storage, routers, firewalls, switches
    – Track issues such as duplicate IPs and virtual machine connectivity
    – Track security and statistics as virtual machines are migrated / moved
  • This is the core of the value that QRM provides from a configuration perspective. To get to these views, you can right-click on a device in the topology and select ‘view configuration’ (I suggest you view the ‘datacenter’ firewall to show rules with events and the ‘QA’ firewall under the multi-context device to view shadowed rules).
    Be sure to show that the user can hover over the shadowed-rule indicators to get a pop-up that indicates which rule(s) are doing the overshadowing. Also be sure to mention that it is possible to generate firewall configuration reports, like shadowed-rule reports and most/least-used rule reports, for one firewall or for groups of firewalls. QRM uses the standard QRadar reporting mechanism, so if the customer is interested, you can show the reporting capabilities.
    One key QRM differentiator should be noted here when you're discussing rule counting. QRM counts firewall rule activity by correlating the actual firewall events received by QRadar (assuming the customer has pointed the device logs at QRadar). QRM automatically maps these log sources and then correlates the firewall rule accept/deny events with the specific rules. This is different from most competitive products, which typically rely on the ACL counters in the firewall. ACL counters are unreliable, as they can be reset if the device is rebooted, updated, etc. QRM, on the other hand, keeps a historical record from the time that rule counting is initially enabled onward.
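As an added example (not QRM's code), the two checks described above over a constructed six-rule policy and a handful of constructed accept/deny events: shadowed-rule detection by coverage between an earlier and a later rule, and rule hit counts derived from the stored events rather than from on-device counters. The simplified rule form and the key=value log layout are assumptions.

```python
from ipaddress import ip_address, ip_network

# Constructed firewall policy (not a real device configuration). Assumed
# simplified rule form: ordered list, first matching rule wins, one protocol
# ("any" matches all) and one inclusive destination-port range per rule.
RULES = [
    {"id": 1, "action": "deny",   "src": "0.0.0.0/0",      "dst": "10.1.0.0/16", "proto": "tcp", "ports": (23, 23)},
    {"id": 2, "action": "accept", "src": "10.0.0.0/8",     "dst": "10.1.0.0/16", "proto": "tcp", "ports": (1, 65535)},
    {"id": 3, "action": "accept", "src": "10.2.0.0/16",    "dst": "10.1.5.0/24", "proto": "tcp", "ports": (443, 443)},
    {"id": 4, "action": "deny",   "src": "10.3.0.0/16",    "dst": "10.1.0.0/16", "proto": "tcp", "ports": (22, 22)},
    {"id": 5, "action": "accept", "src": "192.168.0.0/16", "dst": "10.1.0.0/16", "proto": "udp", "ports": (53, 53)},
    {"id": 6, "action": "deny",   "src": "0.0.0.0/0",      "dst": "0.0.0.0/0",   "proto": "any", "ports": (1, 65535)},
]

# Constructed accept/deny events as the firewall would log them (assumed key=value
# layout); they carry the 5-tuple and the action, not the rule number.
FIREWALL_LOG = """\
2013-10-24T10:00:01 fw-datacenter src=10.2.1.1 dst=10.1.5.10 proto=tcp dport=443 action=accept
2013-10-24T10:00:07 fw-datacenter src=10.3.1.1 dst=10.1.1.1 proto=tcp dport=22 action=accept
2013-10-24T10:00:09 fw-datacenter src=172.16.1.1 dst=10.1.1.1 proto=tcp dport=23 action=deny
2013-10-24T10:00:15 fw-datacenter src=192.168.1.5 dst=10.1.0.53 proto=udp dport=53 action=accept
2013-10-24T10:00:20 fw-datacenter src=8.8.8.8 dst=10.1.1.1 proto=tcp dport=80 action=deny
2013-10-25T08:12:00 fw-datacenter src=10.2.1.1 dst=10.1.5.10 proto=tcp dport=443 action=accept
"""


def covers(outer, inner):
    """True when every packet matched by `inner` is also matched by `outer`."""
    return (ip_network(inner["src"]).subnet_of(ip_network(outer["src"]))
            and ip_network(inner["dst"]).subnet_of(ip_network(outer["dst"]))
            and outer["proto"] in ("any", inner["proto"])
            and outer["ports"][0] <= inner["ports"][0]
            and inner["ports"][1] <= outer["ports"][1])


def shadowed_rules(rules):
    """Map each shadowed rule id to the earlier rule that hides it. With
    first-match semantics such a rule can never fire, whatever its action;
    a shadowed deny under a broader accept is a policy hole, not just clutter.
    (Pairwise check only: a rule hidden by the union of several earlier rules
    is not reported.)"""
    shadowed = {}
    for j, later in enumerate(rules):
        for earlier in rules[:j]:
            if covers(earlier, later):
                shadowed[later["id"]] = earlier["id"]
                break
    return shadowed


def parse_log(text):
    """Turn the key=value part of each log line into a dict."""
    out = []
    for line in text.splitlines():
        fields = dict(kv.split("=", 1) for kv in line.split()[2:])
        fields["dport"] = int(fields["dport"])
        out.append(fields)
    return out


def first_match(rules, ev):
    """Replay the device's own first-match evaluation to find the rule an event hit."""
    for r in rules:
        if (ip_address(ev["src"]) in ip_network(r["src"])
                and ip_address(ev["dst"]) in ip_network(r["dst"])
                and r["proto"] in ("any", ev["proto"])
                and r["ports"][0] <= ev["dport"] <= r["ports"][1]):
            return r
    return None


def rule_hit_counts(rules, events):
    """Hit counts derived from stored events: unlike on-device ACL counters,
    they survive reboots and upgrades because the events themselves are kept."""
    counts = {r["id"]: 0 for r in rules}
    for ev in events:
        r = first_match(rules, ev)
        if r is not None:
            counts[r["id"]] += 1
    return counts


def unused_rules(counts, shadowed):
    """Rules with no hits, split into 'shadowed' (can never fire) and
    'unused' (reachable but idle so far): the least-used-rule report."""
    return {"shadowed": sorted(i for i in counts if counts[i] == 0 and i in shadowed),
            "unused": sorted(i for i in counts if counts[i] == 0 and i not in shadowed)}


if __name__ == "__main__":
    sh = shadowed_rules(RULES)
    counts = rule_hit_counts(RULES, parse_log(FIREWALL_LOG))
    print("shadowed:", sh)
    print("hits:", counts)
    print("report:", unused_rules(counts, sh))
```

Note that the second event (SSH from 10.3.1.1) was accepted by rule 2 although rule 4 was written to deny it; the shadowed-rule check flags rule 4 before the log ever shows the problem.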
  • No matter how many QRadar products/applications are leveraged, or how many appliances constitute a customer deployment, all capabilities are accessed through a single console, with all the associated benefits that a common interface delivers in terms of speed of operation, transference of skills, ease of adoption and a universal learning curve. The industry has accepted that log management and SIEM are not separate problems, and the IBM Security QRadar Platform was designed from scratch with this in mind. This is a different approach from a vendor offering disparate products.
    Before now, if you wanted intelligence, a standalone SIEM was the answer, but there were significant scaling concerns which limited log management functions. Log managers can scale, but deliver little intelligence, so volumes of useless events continue to be generated. QRadar provides a solution that, no matter what the scale requirement, offers a common platform and user interface for all security intelligence tasks, from searching and filtering to reporting and response. Logs are stored once and correlated in real time; the customer does not have to selectively forward logs to the analytics engine. Bi-directional flows are also analyzed in real time and stored to the database as a single entry—rather than an outbound record and an inbound record—for pairs of IP addresses, along with cumulative bandwidth usage totals, protocols in use, and other helpful statistics.
    This integration delivers security operations teams and administrators value they see every day as they create searches, perform forensics and run reports.
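As an added example (not QRadar's implementation), folding unidirectional flow records into the single bi-directional entry per session described above, then rolling sessions up per IP pair with cumulative byte totals and protocols in use. The record layout is an assumed NetFlow-like CSV, and treating the first-seen direction as the initiator is a simplification.

```python
from collections import OrderedDict
from datetime import datetime

# Constructed unidirectional flow records (assumed NetFlow-like layout, not
# real QRadar data): start, src_ip, src_port, dst_ip, dst_port, proto, bytes, packets.
# Each exchange shows up twice, once per direction, and a long session may be
# exported in several slices; one session (to 10.0.0.22) never gets a reply.
UNIDIRECTIONAL = """\
2013-10-24T09:00:00,10.0.0.5,51010,10.0.0.20,445,tcp,4100,12
2013-10-24T09:00:00,10.0.0.20,445,10.0.0.5,51010,tcp,9800,14
2013-10-24T09:00:03,10.0.0.5,51011,10.0.0.10,53,udp,64,1
2013-10-24T09:00:03,10.0.0.10,53,10.0.0.5,51011,udp,180,1
2013-10-24T09:00:05,10.0.0.5,51010,10.0.0.20,445,tcp,2000,6
2013-10-24T09:00:09,10.0.0.5,51012,10.0.0.22,445,tcp,980,3
2013-10-24T09:00:11,10.0.0.5,51013,10.0.0.20,139,tcp,300,2
2013-10-24T09:00:11,10.0.0.20,139,10.0.0.5,51013,tcp,700,2
"""


def parse_records(text):
    """One dict per unidirectional record."""
    out = []
    for line in text.splitlines():
        f = line.split(",")
        out.append({"ts": datetime.fromisoformat(f[0]), "src": f[1], "sport": int(f[2]),
                    "dst": f[3], "dport": int(f[4]), "proto": f[5],
                    "bytes": int(f[6]), "packets": int(f[7])})
    return out


def merge_bidirectional(records):
    """Fold unidirectional records into one entry per session.

    The first record seen for a 5-tuple fixes the direction (its source is
    treated as the initiator, an assumption that holds when the exporter sees
    the opening packet); the reverse 5-tuple is folded into the same entry as
    the 'in' direction. Records are processed in time order so the merge is
    deterministic regardless of export order."""
    sessions = OrderedDict()
    for r in sorted(records, key=lambda r: r["ts"]):
        fwd = (r["src"], r["sport"], r["dst"], r["dport"], r["proto"])
        rev = (r["dst"], r["dport"], r["src"], r["sport"], r["proto"])
        if fwd in sessions:
            s, direction = sessions[fwd], "out"
        elif rev in sessions:
            s, direction = sessions[rev], "in"
        else:
            s = sessions[fwd] = {"src": r["src"], "sport": r["sport"], "dst": r["dst"],
                                 "dport": r["dport"], "proto": r["proto"],
                                 "first": r["ts"], "last": r["ts"],
                                 "bytes_out": 0, "bytes_in": 0, "packets": 0}
            direction = "out"
        s["bytes_" + direction] += r["bytes"]
        s["packets"] += r["packets"]
        s["last"] = max(s["last"], r["ts"])
    return list(sessions.values())


def pair_summary(sessions):
    """Per IP pair: cumulative bandwidth, protocols/services in use, session
    count and how many sessions got no reply (an unanswered session is still
    evidence of who tried to reach what)."""
    summary = {}
    for s in sessions:
        key = (s["src"], s["dst"])
        p = summary.setdefault(key, {"bytes": 0, "protocols": set(), "sessions": 0, "unanswered": 0})
        p["bytes"] += s["bytes_out"] + s["bytes_in"]
        p["protocols"].add(f"{s['proto']}/{s['dport']}")
        p["sessions"] += 1
        if s["bytes_in"] == 0:
            p["unanswered"] += 1
    return summary


if __name__ == "__main__":
    sessions = merge_bidirectional(parse_records(UNIDIRECTIONAL))
    for s in sessions:
        print(f"{s['src']}:{s['sport']} -> {s['dst']}:{s['dport']}/{s['proto']} "
              f"out={s['bytes_out']} in={s['bytes_in']} pkts={s['packets']}")
    for pair, p in pair_summary(sessions).items():
        print(pair, p)
```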
  • Five critical conditions to maximizing security intelligence investments

    1. 1. IBM Security Systems Five Critical Conditions for Maximizing Security Intelligence Investments Ray Menard Senior Security Architect IBM Security Systems October 24, 2013 © 2013 IBM Corporation 1 © 2013 IBM Corporation
    2. 2. IBM Security Systems Innovative technology changes everything 1 trillion connected objects 1 billion mobile workers Social business Bring your own IT Cloud and virtualization 2 © 2013 IBM Corporation
    3. 3. IBM Security Systems Attacks continue as perpetrators sharpen skills Nation-state actors, APTs Stuxnet, Aurora, APT1 MOTIVATION National Security, Economic Espionage Hacktivists Lulzsec, Anonymous Notoriety, Activism, Defamation Monetary Gain Nuisance, Curiosity Organized crime Zeus, ZeroAccess, Blackhole Exploit Pack Insiders, Spammers, Script-kiddies Nigerian 419 Scams, Code Red SOPHISTICATION 3 © 2013 IBM Corporation
    4. 4. IBM Security Systems Targeted attacks remain top of mind Saudi Arabia Says Aramco Cyberattack Came From Foreign States How to Hack Facebook In 60 Seconds – InformationWeek, June 2013 Facebook hacked in 'sophisticated attack' – The Guardian, Feb 2013 – Bloomberg, Dec 2012 Hackers in China Attacked The Times for the Last 4 Months Fed Acknowledges Cybersecurity Breach – The Wall Street Journal, Feb 2013 – The New York Times, Jan 2013 Adobe Systems Reports Attack on Its Computer Network – The Wall Street Journal, Oct 2013 Apple Hacked: Company Admits Development Website Was Breached – Huffington Post, July 2013 South Carolina taxpayer server hacked, 3.6 million Social Security numbers compromised – CNN, Oct 2012 Chinese hacking of US media is 'widespread phenomenon‘ – Wired, Feb 2013 4 © 2013 IBM Corporation
    5. 5. IBM Security Systems 5 IBM Security X-Force® 2011 Trend and Risk Report, IBM Security X-force 2013 Mid Year Trend and Risk Report © 2013 IBM Corporation
    6. 6. IBM Security Systems Despite proliferation of security solutions The Security Division of EMC IT GR C M DA SIEM/Log Management A NB VM DLP RM/CM 6 IBM Security Systems © 2013 IBM Corporation
    7. 7. IBM Security Systems What is Security Intelligence? Security Intelligence --noun A methodology of analyzing millions and billions of security, network and application records across the organization’s entire network in order to gain insight into what is actually happening in that digital world. --verb Combining internal, locally collected security intelligence, with external intelligence feeds for the application of correlation rules to reduce huge volumes of data into a handful of high probability ‘offense’ records requiring immediate investigation to prevent or minimize the impact of security incidents Delivers actionable, comprehensive insight for managing risks, combatting threats, and meeting compliance mandates. 7 © 2013 IBM Corporation
    8. 8. IBM Security Systems 1. It's what you don't know that can hurt you 8 IBM Security Systems © 2013 IBM Corporation © 2013 IBM Corporation
    9. 9. IBM Security Systems Security Intelligence Timeline Prediction & Prevention • Devices and applications having no logging capabilities • Anomalous activity • Disabled Logging • Network Noise • Vulnerabilities (Passive) • Virtual Activity • User Activity 9 Reaction & Remediation • • • • • • • • • Firewalls IDS Syslog Events Application Logs Windows Events Authentication Logs Network Device Logs Database activity Logs Vulnerabilities (Active) © 2013 IBM Corporation
    10. 10. IBM Security Systems Point solutions lack 360 degree network visibility IBM X-Force® Threat Information Center Identity and User Context 10 Real-time Security Threats and Prioritized ‘Offenses’ Real-time Network Visualization and Application Statistics Inbound Security Events © 2013 IBM Corporation
    11. 11. IBM Security Systems Business value of security intelligence Business Impact Potential Damage effect Business interruption Critical Threshold Proactive business impact: Blocking of legitimate traffic Actual business Impact Time Proactive Intelligence Prevention 11 IBM Security Systems Incident Reactive Response Forensics © 2013 IBM Corporation
    12. 12. IBM Security Systems 2. Force Multipliers are key to winning the battle 12 IBM Security Systems © 2013 IBM Corporation © 2013 IBM Corporation
    13. 13. IBM Security Systems Early solutions captured only tip of data iceberg Then: Collection Logs Events Alerts Configuration information System audit trails Network flows and anomalies External threat feeds Business process data 13 Identity context E-mail and social activity Malware information •Log collection •Signature-based detection Now: Intelligence •Real-time monitoring •Context-aware anomaly detection •Automated correlation and analytics © 2013 IBM Corporation
    14. 14. IBM Security Systems QRadar’s wide spectrum of security intelligence feeds 14 © 2013 IBM Corporation
    15. 15. IBM Security Systems Backed by broad R&D organization collecting real world insights Security Operations Centers Herzliya Security Research and Development Labs Institute for Advanced Security Branches  6,000 researchers, developers and subject matter experts working security initiatives worldwide  3,000+ IBM security patents 15 IBM Security Systems © 2013 IBM Corporation
    16. 16. IBM Security Systems To further increase accuracy of analytics Security Intelligence Feeds Geo Location 16 Internet Threats Vulnerabilities © 2013 IBM Corporation
    17. 17. IBM Security Systems Constantly injecting SI platform intelligence updates • QRadar Security Intelligence modules receive nightly content updates or fresh “Intelligence” • Updated content includes:       Device Support Modules (Log Parsers) Event Mapping / QID (Log Meta Data) X-Force threat and vulnerability data Custom properties, rules, searches, reports QFlow Application Signatures (Layer 7) Functional Software Patches • Delivered to Console and subsequently consumed by all managed hosts • No waiting weeks or months for new releases; protection that adapts in concert with changes in security landscape 17 © 2013 IBM Corporation
    18. 18. IBM Security Systems 3. Reduce incident investigations with more available data 18 IBM Security Systems © 2013 IBM Corporation © 2013 IBM Corporation
    19. 19. IBM Security Systems Automation accelerates time-to-value, preserves currency  Simplified deployment delivers results in days  Syslog device detection configures log data sources  Passive flow asset detection populates asset database  Out-of-the-box rules and reports reduce incident investigations and meet compliance mandates  Real time events keep information current  Immediate discovery of network asset additions triggers proactive vulnerability scans, configuration comparisons and policy compliance checks  Daily and weekly updates to rules, reports, vulnerabilities, patches, searches, support modules, protocols and signatures 19 IBM Security Systems © 2013 IBM Corporation
    20. 20. IBM Security Systems Intuitive rules engine interface reduces false positives Tune the system or create your own rules in three simple steps without professional services: 2) Build customized rule 1) Choose the action 3) Save for future use 20 IBM Security Systems © 2013 IBM Corporation
    21. 21. IBM Security Systems Network flow analysis is fundamental capability  Log management products collect subset of available data  Netflows enable visibility into attacker communications  Stored as aggregated, bi-directional records of IP addresses, ports, and protocols  Offer advanced detection and forensics via flow pivoting, drill-down and data mining  QFlow Collectors dig deeper, adding Layer 7 application insights 21 © 2013 IBM Corporation
    22. 22. IBM Security Systems Detecting the Undetectable 22 © 2013 IBM Corporation
    23. 23. IBM Security Systems Detecting the Undetectable 23 © 2013 IBM Corporation
    24. 24. IBM Security Systems The Bigger Picture 24 © 2013 IBM Corporation
    25. 25. IBM Security Systems Baselining and anomaly detection complete picture  Correlation of log and flow data creates profiles of user, application and data access patterns  Anomaly Detection uses multiple measurements to signal change  Thresholds – above or below normal range  Anomaly – Detects appearance of new objects  Behavior – Reveals deviations from established ‘seasonal’ patterns Large Window 5 Hours 25 Small Window 1 Hour © 2013 IBM Corporation
    26. 26. IBM Security Systems 4. Further reduce blind spots using nontraditional event sources 26 IBM Security Systems © 2013 IBM Corporation © 2013 IBM Corporation
    27. 27. IBM Security Systems Integrated vulnerability management narrows the actions Existing vulnerability management tools Yo ur CV E CV CV CVE CV E CV CV E E E EC CV CV CV CVE CV V EC E C C E E CVE CV CV CVE CVE VE VE C VE C CV C C V E E E CV CV CV CVE CVE VE C VE CVE C E CV E CV CV EC E C C C E VE VE VE E CV CV EC E CVE CV E CV CVE CVE VE CVE C VE C VE C CV CVECVE CVE C E E E E VE V V C CV CV CV CCVECVE VE C VE C VEC E CV E CV CVE CVE CVE VE V E E C E C C CV CV E CVE E E E V V C C C C C E V VE C CV CV CVECVE VE VE C VE C E C E CV CV CVE VE VE CVE C VE C VE E C CV V E C E C CCVECV CCV VE CVE VE C VEC E C C CV VE VE VE V CV E C CC CV VE VE VE C EEC E C EECV CV CVE VE VE VE VE E C C CV CV C E V CVE VE E CC C C CVE CV CV CVE VE CVECVVEC E C ECV C V CVE CVE CVE VE C VE C E CV E C V E VE C C V C E E E CV C VE V VE CV E CV CV CCVECVE VVE CVECVVE C E C E CV CVECVE CVE VE VE C E CVE C V V V E VE E C E CV EC E C ECV CVV CV CVVE VE VE C C ECV ECV CV VE E V E E E C CE VE C E E C C V E C E CV CV V CV CV CVE CVE VVE E C EECC E C E CCV CV CVE VE VE VE C E C CV E VE VE E E E E C EC CCV CV CCV VE VVE VVE VEE C E C ECV CV CCV VE VE E CV V CV CVE VEE CV EC C C CV CV VE VE VEE C E C EE C CVV CCV CVE CVE VE E C EC V CV VE E E VE CVE C EC C C V C E VE E C V CV CVE CV CV CCVE VVE VE CVVE C E C EE CVECV CV ECVE CVE VE C VE C E CV E E V E C C E E E V E C CC C E CV V VV VE C VE C E C C C E V CV CV CV CCVE VVE VVE CVECCE E CEE CV E CV CVE CVE VE CVVE VE C E CVE CVV CV CVEE V E VE E C E CC E C V V E E CV CV C E E C CV VE E VE C VE C C EC V CV CV CV CV CVE CVE VVE C VE CVE C EE C E CV CVE CVE CVE VE VE C E CV E C E EC E C E C E C CV CCV CVVE VE E VVE VVE C E C EC CV CV CV VE E V E C E C VE C V V CV V V VE E VEE E CC CC C E VE E VE E C VE CV E C E C E C CV CV CCV VVE VE E VE CVVE C E C E CV CVE CV CVE VE VEE E V C VE C E C V V V VE VE VE C E C E C CC CCV CV VE VEE E C E C E C E CV CV V V CV C C V CV CV VE VE VE VE E EE C EE CVECV CV VE CVE VE E C E CV E E E C E C CV CV CV CVE VVE VEE 
CVE C E C CV E CV CV VE C C C VE VE E C E C E C E C CVV CVVE VE VEC VE C E C E CV E CV V V VE VVE EE C E C C V E CV E C E C E C C CCV CVE VE VE CVE VE C E CV E VE EC V VE E VE VE VE VE CVE C EE CV CV CVE VE C CV CV CV CVE VE VE VE C E C CV E E E C E C C CV CV VE VE E CV CVE VE VE VE C E C E EC CV CV VE VE VE E C E C CV VE VE C E CV V EC E VE Yo ur Yo u Vu ln rV uln era bil it era Vu ln bil it era ies ies bil itie s Security Intelligence Integration  Improves visibility – Intelligent, event-driven scanning, asset discovery, asset profiling and more  Reduces data load – Bringing rich context to Vulnerability Management  Breaks down silos Questions remain: •Has that been patched? •Has it been exploited? •Is it likely to be exploited ? •Does my firewall block it? •Does my IPS block it? •Does it matter? 27 – Leveraging all QRadar integrations and data – Unified vulnerability view across all products QRadar Vulnerability Manager CV E CV CV Yo E EC ur CV CV V E EC E C Vu CV V VE CV lne E EC E C C V CV CV VEIn E VE ra b E E C a CV C CV CV CVE VEct E VE C i e E E ilitie EC C CVvCV V E CV CV V VE E s C C C CV E E E CV CV CV CVE VE VE CVE C E C E C C CV V V VE E E CV CV CVE VE VE E C E C E CV CV V V C C E E E E CV CV CVE CVE VE VE C E C E CV CV CV E E C Pa V CV CV VE VE E E C E C CV CV V Ctc C C E E V V E E E Eh V C C CV V VE E E C CV CV CV CVE eE VE CVE C E C ECV CV CVE dC E E E E E V V CV CV CV CVE CVE VE C VE C E C EC CV CVE E EC E C C CV VE VE VE VE EC CV CV V VE VE E Cr E E C C CV CV CVE CVECVE CVECVE E i C CVi V VE VE E E B CV C V t Ec E C C C CV lo E VE E a CVl CV CVE VE VE VE EC ck V CV C E C C C CV CV VE e E E EC VE VE VE C VE C E C EC CV dCVE CV CV VE VE VE VE C E C AC E CV CV CV CVE VE VE E t VE E E E C C ris C C CV V VE Ck V VE E E VE E ! C C C CV CVE V E VE VE C EC CE CV VE VE VE E xCV CV CVE plE E oCt CV iVe E Ed CV !E Answers delivered: •Real-time scanning •Early warning capabilities •Advanced pivoting and filtering © 2013 IBM Corporation
    28. 28. IBM Security Systems ‘Big Data’ adds more structured and even unstructured data [diagram: Data Sources (security and infrastructure data sources, external threat intelligence feeds, email, web, blogs and social activity) → Real-time Processing on the QRadar Security Intelligence Platform, with the QRadar Console (Web interface) serving Security Operations (watch lists, custom rules) → Big Data Warehouse, InfoSphere BigInsights (Hadoop store for raw data, relational store for high-value information) → InfoSphere BigSheets and i2 Intelligence Analysis; arrows distinguish the flow of data/information from the flow of knowledge; numbered stages: 1 Data Collection & Enrichment (hot), 2 Real-time insights (hot), 3 Forward (hot) & Store (hot, warm, cold) data, 4 Big Data Analysis, Trends & History, 5 and 6 Advanced Visualizations and Investigation and Enrich / Adapt / Improve (both warm and cold)]. Two major roles QRadar can play in the IBM Big Data Solution: 1) Collects SI data and feeds to BigInsights to enrich data sources 2) Provides a dashboard to display, organize, and query the data generated by Big Data Analytics and Forensics 28 © 2013 IBM Corporation
    29. 29. IBM Security Systems Virtual appliances see inside the cloud  IBM Security QRadar VFlow Collectors – Use deep packet inspection to provide visibility to application layer virtual network traffic in the cloud – Detect new security threats, malware, viruses, anomalies through behavior profiling of network traffic without relying on vulnerability signatures – Support VMware virtual environments and profile more than 1,000 applications – Run on virtual server and require no additional hardware 29 © 2013 IBM Corporation
    30. 30. IBM Security Systems QRadar Risk Manager adds pro-active capabilities  Normalized device configurations are gathered and stored either on-demand or via scheduled activities  Performs firewall rule analysis, configuration error detection (e.g. shadowed rules), and rule activity correlation with ‘offenses’ [figure: firewall rule table with shadowed rules highlighted] 30 © 2013 IBM Corporation
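Added example, not IBM's or QRadar's code: a small first-match firewall rule model that answers slide 27's "Does my firewall block it?" question for a scan finding and performs the shadowed-rule check slide 30 describes. The rule set, the findings and the untrusted source address (a documentation address) are constructed, and the CVE ids are placeholders.

```python
from collections import namedtuple
from ipaddress import ip_address, ip_network

Rule = namedtuple("Rule", "action src dst lo hi")  # first-match rule: action, src/dst CIDR, inclusive ports

def covers(a, b):
    """True if every packet rule b matches is also matched by rule a."""
    return (ip_network(b.src).subnet_of(ip_network(a.src))
            and ip_network(b.dst).subnet_of(ip_network(a.dst))
            and a.lo <= b.lo and b.hi <= a.hi)

def matches(r, src, dst, port):
    return (ip_address(src) in ip_network(r.src)
            and ip_address(dst) in ip_network(r.dst) and r.lo <= port <= r.hi)

def shadowed_rules(rules):
    """(rule index, shadowing index) pairs: an earlier rule covers the later one, so under
    first-match evaluation it never fires. Coverage by a union of rules is not checked."""
    hits = []
    for i, r in enumerate(rules):
        for j in range(i):
            if covers(rules[j], r):
                hits.append((i, j))
                break
    return hits

def first_match(rules, src, dst, port):
    """Action of the first matching rule; default deny (constructed policy)."""
    for r in rules:
        if matches(r, src, dst, port):
            return r.action
    return "deny"

def triage(finding, rules, attacker="203.0.113.10"):
    """Slide 27's questions for one finding: patched? reachable through the firewall? exploited?"""
    if finding["patched"]:
        return "closed"
    if first_match(rules, attacker, finding["asset"], finding["port"]) == "deny":
        return "low"  # vulnerable service is unreachable from the untrusted (documentation) address
    return "critical" if finding["exploited"] else "high"

# Constructed policy: rule 2 is an SSH exception that rule 1 already denies, so it is shadowed.
RULES = [Rule("allow", "0.0.0.0/0", "10.0.0.0/24", 443, 443),
         Rule("deny", "0.0.0.0/0", "10.0.0.0/8", 1, 65535),
         Rule("allow", "0.0.0.0/0", "10.0.0.5/32", 22, 22),
         Rule("allow", "10.0.0.0/8", "192.168.1.0/24", 1, 65535)]
# Constructed scan findings; the CVE ids are placeholders, not real identifiers.
FINDINGS = [{"cve": "CVE-0000-0001", "asset": "10.0.0.7", "port": 443, "patched": False, "exploited": True},
            {"cve": "CVE-0000-0002", "asset": "10.0.0.5", "port": 22, "patched": False, "exploited": True},
            {"cve": "CVE-0000-0003", "asset": "10.0.0.7", "port": 443, "patched": True, "exploited": True}]
```

`shadowed_rules(RULES)` reports rule 2 as shadowed by rule 1, and `triage` drops the second finding to "low" because the same deny rule keeps the SSH service unreachable from outside.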
    31. 31. IBM Security Systems 5. Importance of solution integration 31 IBM Security Systems © 2013 IBM Corporation
    32. 32. IBM Security Systems Integrations critical to success and differentiation of IBM Security and Customers  Consolidate siloed information from hundreds of sources  Detect, notify and respond to threats missed by other security solutions  Automate compliance tasks and assess risks 32 IBM Security Systems  Stay ahead of the changing threat landscape  Detect the latest vulnerabilities, exploits and malware  Add security intelligence to non-intelligent systems  Infrastructure protection to block specific vulnerability types using scan results  Converge access management with web service gateways  Link identity information with database security © 2013 IBM Corporation
    33. 33. IBM Security Systems Using fully integrated architecture and interface [diagram: One Console Security, scaling from SME to Enterprise, Built on a Single Data Architecture] Log Management: • Turn-key log management and reporting • Upgradeable to enterprise SIEM. SIEM: • Log, flow, vulnerability & identity correlation • Sophisticated asset profiling • Offense management and workflow. Configuration & Vulnerability Management: • Network security configuration monitoring • Vulnerability prioritization • Predictive threat modeling & simulation. Network Activity & Anomaly Detection: • Network analytics • Behavioral anomaly detection • Fully integrated in SIEM. Network and Application Visibility: • Layer 7 application monitoring • Content capture for deep insight & forensics • Physical and virtual environments 33 IBM Security Systems © 2013 IBM Corporation
    34. 34. IBM Security Systems Summary of five conditions and best practices 1. It's what you don't know that can hurt you 2. Force multipliers are key to winning the battle 3. Reduce incident investigations with more available data 4. Further reduce blind spots using nontraditional event sources 5. Importance of solution integration 34 © 2013 IBM Corporation
    35. 35. IBM Security Systems Learn more about IBM QRadar Security Intelligence Watch executive Steve Robinson (VP) discuss the next era for Security Intelligence: Download the 2013 Gartner Magic Quadrant for SIEM: Read our IT Executive Guide to Security Intelligence White Paper: Visit our Blog Website: 35 © 2013 IBM Corporation
    36. 36. IBM Security Systems Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed or misappropriated or can result in damage to or misuse of your systems, including to attack others. No IT system or product should be considered completely secure and no single product or security measure can be completely effective in preventing improper access. IBM systems and products are designed to be part of a comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective. IBM DOES NOT WARRANT THAT SYSTEMS AND PRODUCTS ARE IMMUNE FROM THE MALICIOUS OR ILLEGAL CONDUCT OF ANY PARTY. © Copyright IBM Corporation 2013. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind, express or implied. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, these materials. Nothing contained in these materials is intended to, nor shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software. References in these materials to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates. Product release dates and/or capabilities referenced in these materials may change at any time at IBM’s sole discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any way. 
IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service marks of others. 36 IBM Security Systems © 2013 IBM Corporation