Pulse2014 1064

  1. © 2013 IBM Corporation
     Big Vulnerabilities + Big Data = Big Intelligence
     Jason Keirstead / Rory Bray

  2. IBM Security Systems
     Vulnerabilities Today - I Got 99 Problems...
     ● Too many vulnerability disclosures coming in daily
     ● Too many vulnerable assets reported daily
     ● Not enough time / money to remediate them all
     ● Prioritization needs to be a priority!
     [Figure: 2012 Sampling of Security Incidents by Attack Type, Time and Impact. Conjecture of relative breach impact is based on publicly disclosed information regarding leaked records and financial losses.]

  3. Non-Traditional Security Data Sources Can Help
     ● Traditional sources: security logs, network flows, scanned vulnerabilities, endpoint configurations, device configurations...
     ● Non-traditional sources: browser log data, employee directory information, proprietary corporate data, "Big Data"...
     ● These non-traditional data sources already exist and can be leveraged to significantly improve upon and add to traditional data sources, helping separate the "vulnerability wheat" from the "vulnerability chaff"
     ● Examples:
       – Evaluate user browsing history correlated with website attributes to determine if a user is more likely to visit risky domains; if so, increase the risk of the assets said user accesses
       – Evaluate email activity correlated with browsing history to determine if a user is likely to click on suspicious links in emails; if so, increase the risk of said user's asset
       – Evaluate VPN activity correlated with external user directory data to determine if an unauthorized remote log-in is likely, based on time of day vs. employee location; if so, increase the risk of said assets
       – ... and more!

  4. QRadar Risk and Vulnerability Managers enable customers to interpret the 'sea' of vulnerabilities
     [Figure: a field of CVE entries, each classified into one of the following categories]
     ● Inactive: QFlow Collector data helps QRadar Vulnerability Manager sense application activity
     ● Blocked: QRadar Risk Manager helps QVM understand which vulnerabilities are blocked by firewalls and IPSs
     ● Patched: IBM Endpoint Manager helps QVM understand which vulnerabilities will be patched
     ● Critical: Vulnerability knowledge base, external data, and QRM policies inform QVM about business critical vulnerabilities
     ● At Risk: X-Force Threat and SIEM security incident data, coupled with QFlow network traffic visibility, help QVM see assets communicating with potential threats
     ● Exploited: SIEM correlation and IPS data help QVM reveal which vulnerabilities have been exploited

  5. Sounds Great! But.... How Does This Work?
     A Big Data Use Case Using IBM Big Insights

  6. [Slide content is an image; no text was extracted.]

  7. QRadar Reference Data Model
     Dynamic data containers are consumed by the QRadar Correlation Engine and other components in the Security Intelligence Platform, including Risk Manager and Vulnerability Manager.
     ● Sets
     ● Maps
     ● Maps of Sets
     ● Tables

  8. QRadar Policy Monitor
     ● Component of QRadar Risk Manager that calculates asset and vulnerability policies among many disparate data sources
     ● Allows feeding of asset and vulnerability risk calculations to QRadar Vulnerability Manager
     ● Risk calculations enable risk reporting and vulnerability remediation prioritization
     [Figure: Policy Monitor. Inputs: Asset / Vulnerability Data, Reference Data, Network Topology (Reachability), Flow Connections, Firewall / Switch Configuration, Vulnerability Catalogs, Scan Results, External Data. Outputs: Asset Risk Reports, Vulnerability Risk Reports.]

  9. Workflow to analyze domains in network traffic and cross-reference with external data
     [Figure: Inputs: Proxy Logs; Domain Registration Data (whoisxmlapi.com); X-Force Security Feeds (Known Risky Domains). Big Insights Platform: Raw Proxy Logs; JSON Enriched Normalized Logs; JSON Formatted Whois Registration Data; Lists of Known Malware Domains. Output: Sets of Identified Risky Users, Src IPs and Domains.]

  10. QRadar and Big Insights Data Links
      [Figure: Big Insights side: Forwarding Destinations, Routing Rules, Flume Receivers (Syslog TCP). QRadar side: Reference Data APIs. Link: JSON Event/Flow Forwarding.]

  11. [Figure: Risk Modeler data flow. Labels: Domain Risk Scores, IP Set, User Set, User Browsing History, Risk Modeler, JSON Browser Logs, External Registrar Data, Threat Feeds, Domain Risk Calculator, IP / User Set Generation, Custom Risk Calculator, White List, External Data, Risky IPs / Users, Policy Monitor, Custom Rule Engine, Asset / Vulnerability Risk Scores, Reports / Saved Searches, QRadar SIEM, QRadar Log / Flow Data.]
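The domain-risk workflow of slides 9 and 11, as an added example that is not part of the deck or of any IBM product: constructed JSON proxy log lines are scored against a constructed whois-style registration table and a constructed threat-feed list, browsing history is aggregated per user, and the result is the three sets (risky users, source IPs, domains) that the workflow pushes into QRadar reference sets. The scoring weights, thresholds and the 30-day "newly registered" window are assumptions.

```python
import json
from datetime import date

# Constructed sample inputs (not from the deck): JSON-normalized proxy log lines,
# a whois-style table (domain -> registration date) and a threat-feed set of bad domains.
PROXY_LOGS = [
    '{"user": "alice", "src_ip": "10.0.0.5", "domain": "intranet.example.com"}',
    '{"user": "alice", "src_ip": "10.0.0.5", "domain": "docs.example.org"}',
    '{"user": "bob", "src_ip": "10.0.0.7", "domain": "malware-c2.example"}',
    '{"user": "bob", "src_ip": "10.0.0.7", "domain": "docs.example.org"}',
    '{"user": "carol", "src_ip": "10.0.0.9", "domain": "fresh.example"}',
    '{"user": "carol", "src_ip": "10.0.0.9", "domain": "unknown.example"}',
    'not json at all',  # malformed line: must be skipped, not abort the batch
    '{"user": "dave", "src_ip": "10.0.0.11", "domain": "docs.example.org"}',
]
WHOIS = {"intranet.example.com": date(2005, 1, 1), "docs.example.org": date(2010, 3, 1),
         "malware-c2.example": date(2013, 11, 2), "fresh.example": date(2014, 1, 5)}
THREAT_FEED = {"malware-c2.example"}   # stands in for a "known risky domains" feed
WHITE_LIST = {"intranet.example.com"}  # never scored, whatever the other signals say
TODAY = date(2014, 1, 10)              # fixed clock so the scores are reproducible

def domain_risk(domain, whois, feed, white_list, today):
    """Additive 0..100 score (weights are assumptions): feed hit, very new registration, no whois."""
    if domain in white_list:
        return 0
    score = 70 if domain in feed else 0
    created = whois.get(domain)
    if created is None:
        score += 25                    # registrar lookup returned nothing
    elif (today - created).days < 30:
        score += 40                    # registered within the last 30 days
    return min(score, 100)

def risky_sets(log_lines, whois, feed, white_list, today, domain_threshold=50, user_threshold=30):
    """Return (risky_users, risky_ips, risky_domains). A user is risky when the mean score over
    their browsing history crosses user_threshold, so repeated merely-suspicious visits count."""
    visits = {}                        # user -> [(src_ip, domain, score), ...]
    for line in log_lines:
        try:
            rec = json.loads(line)
            user, ip, domain = rec["user"], rec["src_ip"], rec["domain"]
        except (ValueError, KeyError, TypeError):
            continue                   # skip malformed or incomplete records
        visits.setdefault(user, []).append((ip, domain, domain_risk(domain, whois, feed, white_list, today)))
    risky_domains = {d for v in visits.values() for _, d, s in v if s >= domain_threshold}
    risky_users = {u for u, v in visits.items() if sum(s for _, _, s in v) / len(v) >= user_threshold}
    risky_ips = {ip for u in risky_users for ip, _, _ in visits[u]}
    return risky_users, risky_ips, risky_domains
```

With the sample data, carol lands in the risky-user set although none of her domains crosses the domain threshold on its own, which is the browsing-history effect slide 3 describes.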
  12. Use Case - Example Rules And Policies

  13. QRadar Reference Sets

  14. QRadar Reference Sets

  15. QRadar Reference Set Example – (Risky Users)

  16. QRadar – Create Rule On Risky Users

  17. QRadar – Risky User Rule Response – Track Risky Asset Use

  18. QRadar Risk Manager – Policy On Risky Asset Usage
  19. Acknowledgements and Disclaimers:
      © Copyright IBM Corporation 2012. All rights reserved. – U.S. Government Users Restricted Rights - Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.
      IBM, the IBM logo, ibm.com, QRadar, and Big Insights are trademarks or registered trademarks of International Business Machines Corporation in the United States, other countries, or both. If these and other IBM trademarked terms are marked on their first occurrence in this information with a trademark symbol (® or ™), these symbols indicate U.S. registered or common law trademarks owned by IBM at the time this information was published. Such trademarks may also be registered or common law trademarks in other countries. A current list of IBM trademarks is available on the Web at "Copyright and trademark information" at www.ibm.com/legal/copytrade.shtml
      Other company, product, or service names may be trademarks or service marks of others.
      Availability. References in this presentation to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates.
      The workshops, sessions and materials have been prepared by IBM or the session speakers and reflect their own views. They are provided for informational purposes only, and are neither intended to, nor shall have the effect of being, legal or other guidance or advice to any participant. While efforts were made to verify the completeness and accuracy of the information contained in this presentation, it is provided AS-IS without warranty of any kind, express or implied. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, this presentation or any other materials. Nothing contained in this presentation is intended to, nor shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software.
      All customer examples described are presented as illustrations of how those customers have used IBM products and the results they may have achieved. Actual environmental costs and performance characteristics may vary by customer. Nothing contained in these materials is intended to, nor shall have the effect of, stating or implying that any activities undertaken by you will result in any specific sales, revenue growth or other results.

  20. ibm.com/security
      © Copyright IBM Corporation 2012. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind, express or implied. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, these materials. Nothing contained in these materials is intended to, nor shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software. References in these materials to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates. Product release dates and/or capabilities referenced in these materials may change at any time at IBM's sole discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any way. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service marks of others.
      Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed or misappropriated or can result in damage to or misuse of your systems, including to attack others. No IT system or product should be considered completely secure and no single product or security measure can be completely effective in preventing improper access. IBM systems and products are designed to be part of a comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective. IBM DOES NOT WARRANT THAT SYSTEMS AND PRODUCTS ARE IMMUNE FROM THE MALICIOUS OR ILLEGAL CONDUCT OF ANY PARTY.