[RakutenTechConf2013] [A-0] Security Meets Analytics



Rakuten Technology Conference 2013
"Security Meets Analytics"
Service Computing, IBM Research – Tokyo
Naohiko Uramoto


  1. Slide 1: Rakuten Technical Conference 2013, 26 Oct 2013 (handout dated 10/30/13)
     Security Meets Analytics
     Service Computing, IBM Research – Tokyo; IPSJ Director; Naohiko Uramoto
     © 2013 IBM Corporation
     Slide 2: Self introduction – My four hats as a tech person
     § My business as IBMer – Leading Cloud and security projects in IBM Research – Tokyo
     § Internal tech community – Member of Academy of Technology (AoT), IBM’s cross-organizational technical community
     § External Tech community – Secretariat of “Cloud Kenkyu-kai”
     § Academia – Director of Information Processing Society in Japan
  2. Slide 3: Information Processing Society of Japan (IPSJ)
     § Founded in 1960
     § More than 20,000 members (from academia & industry)
     § Board of Directors
       – President: Masaru Kitsuregawa (Director of NII and Prof. of U-Tokyo)
       – 25 board members (including me)
     § Tight relationship with international communities
       – Long term relationship with IEEE-CS, ACM etc.
       – Organizing and supporting international conferences
     § Activities
       – 40 SIGs in 3 Domains
       – Many conferences, seminars, events not only for academia but also engineers and students
       – e.g. Digital Practice Papers which focus on best practice
     NII: National Institute of Informatics Japan; IFIP: International Federation of Information Processing
     Slide 4: IBM Academy of Technology (AoT)
     AoT Goal: The inspiring and inclusive academy of eminent technology thought leaders that have an enduring impact on the IT industry that makes the world better.
     § 100 AoT leadership members
     § 1,000 AoT members with selection
     § 44 affiliates with 5,500 members
     § TEC-J in Japan
     Client Value / Career Development: Networking, Consultancies, Studies, Conferences, Technical Advocate Programme, Mentoring, Skills Development, Technology Impact, Leadership Skills, Think Time
     www.ibm.com/ibm/academy
  3. Slide 5: (image only, no text)
     Slide 6: What is the good balance? (diagram: Daily Job, Internal Tech Community, External Tech Community, Academia, Personal Life)
  4. Slide 7: World is changing…
     Slide 8: New security technology is required to support transformation of the world
     New IT
     § Social, Mobile, Analytics, and Cloud (SMAC)
     § Internet of Things (IoT)
     § Social Business
     New Data
     § Big Data
     § Data Economy
     § Data protection for Security and Privacy
     § Logs and events as Big Data
     New World
     § Blurred boundaries
     § New types of vulnerabilities
     § Cyberspace
     § Globalization and emerging market
     § Cyber crime across geos and organizations
  5. Slide 9: The sophistication of Cyber threats, attackers and motives is rapidly escalating
     Slide 10: Global Security Trends – 10 SOCs
     IBM X-Force 2013 Mid-Year Trend and Risk Report is available
     § Analyzed 4,100 new security vulnerabilities
     § Analyzed 900 million new web pages and images
     § Created 27 million new or updated entries in the IBM web filter database
     § Created 180 million new, updated, or deleted signatures in the IBM spam filter database
     http://www.ibm.com/security/xforce/
  6. Slides 11–12: (images only, no text)
  7. Slides 13–14: (images only, no text)
  8. Slide 15: Why are we losing the game?
     Slide 16: Attacker can prepare with enough time to know about the target
     – What is the target company or organization?
     – What kinds of topics are employees interested in?
     – What sites do employees often visit?
     – Which web browser is used in the target company?
     – Which anti-virus product is used?
     – …
  9. Slide 17: Why is traditional defense not enough? Some insights:
     § Breaking into a trusted partner and then loading malware onto the target’s network
     § Creating designer malware tailored to only infect the target organization, preventing identification by security vendors
     § Using social networking and social engineering to perform reconnaissance on spear-phishing targets, leading to compromised hosts and accounts
     § Exploiting zero-day vulnerabilities to gain access to data, applications, systems, and endpoints
     § Communicating over accepted channels such as port 80 to exfiltrate data from the organization
     Slide 18: Enterprise network is evolving (diagram: Servers, Applications, VMs on Private Cloud, Switch, FW, IPS/IDS, Anti Virus, Client PCs, Mobile Devices, Internet)
 10. Slide 19: Traditional perimeter-based defense – Protect corporate network and endpoints from attacks (diagram: Servers, Applications, VMs on Private Cloud, Switch, FW, IPS/IDS, Anti Virus, Client PCs, Mobile Devices, Internet)
     Slide 20: Now we need to assume invasion of malware (same diagram, with an Attacker’s Command & Control Server on the Internet side of the FW)
     Protect outgoing connections to prevent data leakage, assuming that malware exists in the network.
 11. Slide 21: Now we need to assume invasion of malware (same diagram as slide 20)
     Monitor network & endpoints and detect malware’s and attacker’s activities
     Slide 22: How can we do it?
 12. Slide 23: Security Information and Event Management (SIEM) / Security Operation Center (SOC)
     Data sources feeding the SIEM: System audit trails; Business process data; Configuration information; Network flows and anomalies; External threat intelligence feeds; Middleware log; Full packet and DNS captures; Application log; Access log; Web page text; OS level log; E-mail and social activity; Mobile device information; Download from app stores; Endpoint information
     (diagram: Internet, Switch, IPS/IDS, FW)
     Slide 24: Security Intelligence – Security Information and Event Management (SIEM)
     Extensive Data Sources + Deep Intelligence = Exceptionally Accurate and Actionable Insight
 13. Slide 25: QRadar: Intelligent Event Management and Attack Detection
     Provide information on attack with a comprehensive and integrated view:
     What kind of attack? Who is attacking? From where? What is the business value? What are the attacked assets? Does the asset have vulnerability? What is the evidence of attack?
     Slide 26: Flow of Security Analytics
     Machine learning and near real-time monitoring enable continuous refinement and tracking of ‘normal’
     Inputs: Network Events, Login Information, Access Log, Social Events
     Stages: Filtering, Transformation, Correlation, Behavior Model, Analysis Engine, Alerting
     Outputs: Anomaly detection, Early-warning (precursor) monitoring
 14. Slide 27: Security Analytics is built on a common platform and applied to multiple areas
     Security Analytics Platform:
     § Network & Device Analytics – Analyze network packets and events for anomaly detection and risk prediction
     § Asset Analytics – Classify and visualize enterprise assets to protect them from information leakage
     § User Access Analytics – Anomaly detection and risk prediction from user / group access log
     § Business Process Analytics – Clarify business process and detect security and compliance issues
     § Social Network Analytics – Detect potential risk from social graphs on SNS such as Facebook and Twitter
     Slide 28: Event Correlation – Correlation of Logs across middleware and application stacks
     • Heuristics on time sequence
     • Pattern extraction
     (diagram: App1, Middleware1, Middleware2, Middleware3, Middleware4)
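The stages named on slides 26 and 28 (filtering, transformation, a behavior model of ‘normal’, correlation on time sequence, alerting) carried through on a small event stream, as an added example that is not from the talk and not QRadar code. The log formats, host names, addresses, the 10.0.0.0/8 internal range and the 10 MB threshold are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines (not from the talk): login information and network
# flow events from the same host, later normalized into one event stream.
LOGIN_LOG = [
    "2013-10-26T09:01:10 login user=alice host=pc-17 result=ok",
    "2013-10-26T09:03:00 login user=bob host=pc-22 result=ok",
    "2013-10-26T22:14:05 login user=alice host=pc-17 result=ok",
]
FLOW_LOG = [
    "2013-10-26T09:05:00 flow src=pc-17 dst=10.0.0.5 port=443 bytes=12000",
    "2013-10-26T22:16:30 flow src=pc-17 dst=203.0.113.9 port=80 bytes=48000000",
]
LINE_RE = re.compile(r"^(\S+) (\w+) (.*)$")

def parse(line):
    """Filtering + transformation: drop lines that do not parse, turn the
    rest into a normalized event dict keyed by a real timestamp."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, kind, rest = m.groups()
    ev = {"ts": datetime.fromisoformat(ts), "kind": kind}
    ev.update(kv.split("=", 1) for kv in rest.split())
    return ev

def correlate(lines, window=timedelta(minutes=10), big=10_000_000):
    """Correlation on time sequence plus a behavior model of 'normal':
    alert when a host, within `window` of a login, sends at least `big`
    bytes to an Internet destination it has never contacted before.
    Assumption: 10.0.0.0/8 is the internal network."""
    events = sorted((e for e in map(parse, lines) if e), key=lambda e: e["ts"])
    last_login = {}              # host -> (user, time) of the latest login
    seen_dst = defaultdict(set)  # behavior model: usual destinations per host
    alerts = []
    for ev in events:
        if ev["kind"] == "login" and ev.get("result") == "ok":
            last_login[ev["host"]] = (ev["user"], ev["ts"])
        elif ev["kind"] == "flow":
            host, dst, nbytes = ev["src"], ev["dst"], int(ev["bytes"])
            novel = dst not in seen_dst[host]
            seen_dst[host].add(dst)
            user, t_login = last_login.get(host, (None, None))
            if (novel and not dst.startswith("10.") and nbytes >= big
                    and t_login and ev["ts"] - t_login <= window):
                alerts.append({"ts": ev["ts"], "host": host, "user": user,
                               "dst": dst, "bytes": nbytes})
    return alerts
```

Running `correlate(LOGIN_LOG + FLOW_LOG)` flags only the late-evening transfer from pc-17, tying the flow to alice’s login on that host; the daytime flow to an internal address is filtered out.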
 15. Slide 29: Process-File Dependency Visualization – Detect dependency between processes and files on a PC (diagram: Process, File)
     Slide 30: Integration Architecture of QRadar, DLP and IBM Endpoint Manager
     § QFlow monitors network traffic
     § QRadar correlates network and endpoint information (network events; endpoint log, e.g. file access, process start)
     § Endpoint Manager dispatches policies to be enforced (IEM Agent on the Endpoint (PC))
     § Endpoint DLP monitors user’s behavior (DLP Server)
 16. Slides 31–32: (images only, no text)