DSS and Security Intelligence @IBM_Connect_2014_April


DSS participated in this year's "IBM Connect" event, organized by IBM's regional VAD, ALSO Baltics. DSS spoke about the importance of IT security in the new digital world that is taking shape. New technologies bring new business opportunities, but they also bring new security threats and risks that have to be considered from the start.

  1. Quantify value of IT Security for business with IBM tools. Andris Soroka, 17th of April, 2014, Riga, Latvia
  2. The Saga Begins – Scared vs. Informed
  3. “Data Security Solutions” business card. Specialization – IT Security. IT Security services (consulting, audit, pen-testing, market analysis, system testing and integration, training and technical support). Solutions and experience portfolio with more than 20 different technologies – cyber-security global market leaders from more than 10 countries. Trusted services provider for banks, insurance companies, government and private companies (critical infrastructure etc.)
  4. Role of DSS in Cyber-security Development in Baltics: Cyber-Security Awareness Raising; Technology and knowledge transfer; Most Innovative Portfolio; Trusted Advisor to its Customers
  5. Cybersecurity Awareness Raising. Own organized conference “DSS ITSEC”: 5th annual event this year (30.10.2014); more than 400 visitors + more than 250 online live streaming watchers from LV, EE, LT; 4 parallel sessions with more than 40 international speakers, including Microsoft, Oracle, Symantec, IBM, Samsung and many more – everything free of charge (EVENT.DSS.LV). Participation in other events & sponsorship: CERT & ISACA conferences & events; RIGA COMM, HeadLight, IBM Pulse Las Vegas; roadshows and events in Latvia / Lithuania / Estonia (f.i. Vilnius Innovation Forum, Devcon, ITSEC HeadLight, SFK, business associations). Participation in cyber security discussions, strategy preparations, seminars, publications etc.
  6. Innovations – technology & knowledge transfer. Innovative Technology Transfer: number of unique projects done with different technology global leadership vendors. Knowledge transfer (own employees, customers – both from private & public, other IT companies in LV, EE, LT). Specialization areas include: Endpoint Security, Network Security, Security Management, Application Security, Mobile Security, Data Security, Cyber-security, Security Intelligence
  7. Some just basic ideas
  8. AGENDA (hopefully 60 mins..): Introduction of DSS and speaker; Prologue – Digital world & trends; The Saga begins – Cybercrime: introduction & types, business behind, examples; Value of Information Security for business: risk management, technology; IBM SIEM, Risk Manager, Forensics: what it is and what for, architecture, use cases; Q&A (if time allows)
  9. Prologue
  10. Prologue: Some new technologies – 3D Printers; Google Glasses (“glassh**es”); Cloud Computing; Big Data & Supercomputers; Mobile Payment & Virtual Money; Robotics and Intraday Deliveries; Internet of Things; Augmented Reality; Extreme development of Apps; Digital prototyping; Gadgets (devices) & Mobility; Technology-replaced jobs (automation); Geo-location power; Biometrics; Health bands and mHealth; Electric cars; Avegant Glyph; and much, much more
  11. Prologue: Mobility & Gadgets – Multi-OS
  12. Millions of mobile applications
  13. Digital Agenda for European Union
  14. True or fake? In fact this isn’t funny...
  15. Best «success story» describing hackers..
  16. No changes in that perspective
  17. Disaster in software world - NSA
  18. Disaster in technology world - NSA. Governments write malware and exploits (USA started, others follow..): cyber espionage, sabotage, cyber wars, infecting own citizens, surveillance. Known NSA “partners”: Microsoft (incl. Skype), Apple, Adobe, Facebook, Google, many, many others. Internet is changing!!! USA thinks that internet is their creation and foreign users should think of USA as their masters…
  19. Many countries are in the game now…
  20. Many countries are in the game now…
  21. Many countries are in the game now…
  22. Cyberwars going on!
  23. Cybercriminal type #1. “In 2014 each knowledge worker will have on average 3.3 mobile devices, compared with an average of 2.8 mobile devices in 2013.” 1
  24. Cybercriminal type #2 – Monetary driven
  25. Types of cybercriminals (cont.)
  26. Black market figures
  27. Hacking business services... Current prices on the Russian underground market: Hacking corporate mailbox: $500; Winlocker ransomware: $10-$20; Unintelligent exploit bundle: $25; Intelligent exploit bundle: $10-$3,000; Basic crypter (for inserting rogue code into benign file): $10-$30; SOCKS bot (to get around firewalls): $100; Hiring a DDoS attack: $30-$70/day, $1,200/month; Botnet: $200 for 2,000 bots; DDoS Botnet: $700; ZeuS source code: $200-$250; Windows rootkit (for installing malicious drivers): $292; Hacking Facebook or Twitter account: $130; Hacking Gmail account: $162; Email spam: $10 per one million emails; Email scam (using customer database): $50-$500 per one million emails
  28. Examples: Advanced Persistent Threat
  29. Mobility & Security...
  30. The Saga Continues: Cybercriminals #2
  31. Weakest link is always the most important. Source: IBM X-Force annual report 2013
  32. Some examples of incidents (DDoS)
  33. Mobility & Security. “In 2014 each knowledge worker will have on average 3.3 mobile devices, compared with an average of 2.8 mobile devices in 2013.” 1
  34. Examples: Hackers searching tool
  35. Examples: Hackers searching tool
  36. Examples (continued)
  37. Examples: Hacker is watching / listening
  38. Cybercriminal type #3 – Insider
  39. Bright future of the internet way ahead.. 1995 – 2005: 1st Decade of the Commercial Internet; 2005 – 2015: 2nd Decade of the Commercial Internet. Actors: Script-kiddies or hackers; Insiders; Organized crime; Competitors, hacktivists; National Security. Motive: Infrastructure Attack; Espionage; Political Activism; Monetary Gain; Revenge; Curiosity
  40. Global statistics
  41. Conclusion: The Saga will continue anyway. For many companies security is like salt, people just sprinkle it on top.
  42. Think security first & Where are You here? Organizations Need an Intelligent View of Their Security Posture (axes: Reactive → Proactive, Manual → Automated). Optimized: organizations use predictive and automated security analytics to drive toward security intelligence. Proficient: security is layered into the IT fabric and business operations. Basic: organizations employ perimeter protection, which regulates access and feeds manual reporting
  43. “DSS” is here for You! Just ask for… Si vis pacem, para bellum. (Lat.)
  44. IBM Security Intelligence. Extensive Data Sources: servers and mainframes; data activity; network and virtual activity; application activity; configuration information; security devices; users and identities; vulnerabilities and threats; global threat intelligence. Embedded Intelligence (suspected incidents → prioritized incidents; embedded intelligence offers automated offense identification): massive data reduction; automated data collection, asset discovery and profiling; automated, real-time, and integrated analytics; activity baselining and anomaly detection; out-of-the-box rules and templates. Automated Offense Identification
  45. Security Intelligence = SIEM+RM+…+…. IBM QRadar Security Intelligence Platform: big data consolidation of all available security information – packets, vulnerabilities, configurations, flows, events, logs. Traditional SIEM: 6 products from 6 vendors are needed. IBM Security Intelligence and Analytics
  46. Single web-based console provides superior visibility: Log Management; Security Intelligence; Network Activity Monitoring; Risk Management; Vulnerability Management; Network Forensics. Security Intelligence = SIEM+RM+…+….
  47. QRadar Forensics – new one. SIEM: log, flow, vulnerability & identity correlation; sophisticated asset profiling; offense management and workflow. Log Management: turn-key log management and reporting; SME to Enterprise; upgradeable to enterprise SIEM. Network Activity & Anomaly Detection: network analytics; behavioral anomaly detection; fully integrated in SIEM. Configuration & Vulnerability Management: network security configuration monitoring; vulnerability scanning & prioritization; predictive threat modeling & simulation. Network and Application Visibility: Layer 7 application monitoring; content capture for deep insight & forensics; physical and virtual environments. Scale: event processors; network activity processors; high availability & disaster recovery; stackable expansion
  48. QRadar All In One
  49. QRadar Distributed Deployment
  50. SIEM installation – plug&play: higher capacity / performance support; basic installation in one week, immediate ROI; continuous development of features and integration; biggest IT Security solutions portfolio in today’s Security market
  51. IBM leadership – taking it back. CA (DataMinder); Novell (Sentinel); Nitro; Fortify, WebInspect; ArcSight; TippingPoint; RSA Access Mgr.; ProtectTools; RSA Live Intelligence System; Team: RSA FirstWatch; OAM, Novell AM, CA SiteMinder; Norton AV, IPS; Symantec Client/Svr. Mgmt. Suite; Symantec DLP; Data Theft Protection; DLP; FW, NBA, IPS; Access Rights Reviews; SecureSphere Web App FW; SecureSphere App Virt. Patching; FW, IPS; DLP; Endpoint Disk Encryption; FW, IPS, AV; Mobile security; FIM
  52. SIEM Use Cases WordCloud
  53. SIEM Use Cases Definition: Requirements; Scope; Event Sources; Response
  54. Your Use Case – Build YOUR own use case! React faster; Improve Efficiency; Automate Compliance
  55. Use Cases: Vulnerability Correlation; Suspicious Access Correlation; Flow and Event Combo Correlation; Botnet; Application; Identity; VMware Flow Analysis; Unidirectional Flows Detection; Vulnerability Reporting; Data Loss Prevention; Double Correlation; Policy and Insider Threat Intelligence (Social Media Use Case)
  56. Use Cases: Detecting Threats or Suspicious Changes in Behaviour; Preventative Alerting and Monitoring; Compliance Monitoring; Client-side vulnerability correlation; Excessive Failed Logins to Compliance Servers; Remote Access from Foreign Country Logons; Communication with Known Hostile Networks; Long Durations; Multi-Vector Attack; Device stopped sending Data (Out of Compliance)
  57. Social Media Intelligence. Problem: social media is an increasing threat to an organization's policies and network; company employees are the ones who are most likely to fall victim to social engineering based threats, and serve as entry points for Advanced Persistent Threats. Solution: social media monitoring & correlation in real time: QRadar’s real-time monitoring and correlation of hundreds of social media sites, such as Twitter, Facebook, Gmail, LinkedIn, etc., offers automated application-aware insight and identifies social media-based threats by user and application.
  58. Social Media Intelligence. With QRadar, you can: identify all the sources, destinations and the actual corporate credit card number leaked; identify the user responsible for the data leak.
  59. Data Loss Prevention. Customer Requirement: customer wants to detect when an employee may be stealing customer contact info in preparation for leaving the company. Solution: baseline employee access to CRM; detect deviations from the norm: 1,000 transactions (access to customer records) vs normal 50 per day. BUT… what if the user is tech savvy or has a geek nephew, and makes a single SQL query to the back-end database? Profile network traffic between workstations and the back-end database, or policy shouldn’t allow direct access to the database from workstations
  60. Data Loss Prevention. Potential Data Loss? Who? What? Where? Who: an internal user. What: Oracle data. Where: Gmail
  61. Inadvertent Wrongdoing. A/V server trying to update the entire internet. Issue bubbled to the top of the offense manager immediately post-installation. Problem had existed for months, but was lost in firewall logs. A/V clients were badly out of date.
  62. System Misconfiguration. QRadar reports remote sources scanning internal SQL servers. Firewall admin insists QRadar is incorrect – absolutely no inbound SQL traffic permitted. But… months earlier a user had requested access to the SQL server from outside campus. Administrator fat-fingered the FW rule and unintentionally allowed SQL access to & from all hosts
  63. Teleportation. Customer Requirement: customer wanted to detect users that logged in from IP addresses in different locations simultaneously. Solution: create a rule to test for 2 or more logins from VPN or AD from different countries within 15 minutes; can be extended to check for a local login within the corporate network and a simultaneous remote login
  64. Purell for your VPN. Customer Requirement: customer wanted to detect when external systems over the VPN access sensitive servers. Customer was concerned that an external system could be infected / exploited through split tunneling and infect sensitive internal servers. Solution: use the latest VA scan of user systems; create a BB (building block) of OSVDB IDs of concern; detect when external systems with vulnerabilities access sensitive servers
  65. Uninvited Guests. Customer Requirement: wants to identify new systems attached to the network; there are active wall jacks throughout the building. Solution: set asset database retention to just beyond DHCP lease time (1-2 days) – user out of office/on vacation, asset expires; new machine attaches, rule alerts. Flows for real-time detection: no other SIEM can do this. Can alert on VA import. In 7.0, can build up a MAC list in reference sets (~2 wks), then alert when a new MAC appears on the network
  66. Policy Violation / Resource Misuse. Customer Requirement: detect if there are P2P servers located in the Local Area Network
  67. Communication to known Bot C&C. Customer Requirement: detect if any internal system is communicating with a known Bot Command and Control
  68. Forensics of Administrative Change. Customer Requirement: new user account creation with administrative privileges; system registry change; application installed/uninstalled; password reset; service started/stopped
  69. Vulnerability Overview. Customer Requirement: generate a weekly report for vulnerabilities
  70. Use Cases Summary: identify the goal for each event correlation rule (and use case); determine the conditions for the alert; select the relevant data sources; test the rule; determine response strategies, and document them.
  71. QRadar latest updates: increased scalability, best HW in market; enhanced asset and vulnerability functionality; centralized license management; multicultural support (languages); improved bar and pie charts on the Dashboard tab; data obfuscation; Identity and Access Management (IAM) integration; browser support; Java 7 support; 2500+ reports; new “QRadar 2100 Light” appliance for SMBs; new QRadar Forensics appliance; new Data Node appliances
  72. Think security first. www.dss.lv, andris@dss.lv, +371 29162784
  73. Think security first
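The Data Loss Prevention use case on slide 59, written out as an added example (not code from the deck or from QRadar): a baseline-and-deviation check over constructed CRM access counts, plus the flow check the slide suggests for a user who bypasses the CRM and queries the back-end database directly. The workstation subnet, database address and database ports are assumed values.

```python
from collections import defaultdict
from statistics import mean

# Constructed CRM audit summary: (day, user, customer records accessed that day).
CRM_DAILY_ACCESS = [
    ("2014-04-14", "alice", 48), ("2014-04-15", "alice", 55),
    ("2014-04-16", "alice", 47), ("2014-04-17", "alice", 1000),  # the slide's 1,000 vs 50
    ("2014-04-14", "bob", 52),   ("2014-04-15", "bob", 49),
    ("2014-04-16", "bob", 51),   ("2014-04-17", "bob", 60),
]

# Constructed network flows: (src_ip, dst_ip, dst_port). Addresses are assumed.
FLOWS = [
    ("10.1.5.23", "10.1.9.10", 1521),  # workstation straight to the Oracle listener
    ("10.1.7.4",  "10.1.9.10", 1521),  # CRM application server to Oracle: expected
    ("10.1.5.23", "10.1.7.4",  443),   # workstation to the CRM web front end: expected
]
WORKSTATION_PREFIXES = ("10.1.5.",)   # assumed workstation subnet
DB_SERVERS = {"10.1.9.10"}            # assumed back-end database host
DB_PORTS = {1521, 1433, 3306}         # Oracle, MSSQL, MySQL listener ports

def access_deviations(events, factor=5):
    """Flag (day, user, count, baseline) whenever a day's record count exceeds
    `factor` times that user's mean over their other observed days."""
    per_user = defaultdict(list)
    for day, user, count in events:
        per_user[user].append((day, count))
    flagged = []
    for user, days in per_user.items():
        for day, count in days:
            others = [c for d, c in days if d != day]
            baseline = mean(others) if others else count  # no history: nothing to deviate from
            if count > factor * baseline:
                flagged.append((day, user, count, round(baseline)))
    return flagged

def direct_db_access(flows):
    """The slide's second check: workstations talking to the database directly,
    which the CRM baseline never sees and which policy should not allow."""
    return [(src, dst, port) for src, dst, port in flows
            if src.startswith(WORKSTATION_PREFIXES)
            and dst in DB_SERVERS and port in DB_PORTS]

if __name__ == "__main__":
    print("CRM deviations:", access_deviations(CRM_DAILY_ACCESS))
    print("direct DB access:", direct_db_access(FLOWS))
```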
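The Teleportation rule from slide 63 as an added example (not from the deck, and not QRadar's own rule language): a correlation over constructed VPN/AD login events that flags a user seen from two different locations within 15 minutes, including the slide's extension where a local AD logon is paired with a remote VPN login. Usernames, timestamps and locations are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=15)  # the 15-minute window named on the slide

# Constructed sample logins: (user, ISO timestamp, location, log source).
# Location is the GeoIP country for a remote VPN/AD login, or "LAN" for an
# AD logon from inside the corporate network (the slide's extension).
SAMPLE_LOGINS = [
    ("alice", "2014-04-17T08:00:00", "LV", "vpn"),
    ("alice", "2014-04-17T08:09:00", "BR", "ad"),   # two countries, 9 min apart
    ("bob",   "2014-04-17T09:00:00", "LV", "vpn"),
    ("bob",   "2014-04-17T11:30:00", "EE", "vpn"),  # 150 min apart: not flagged
    ("carol", "2014-04-17T10:00:00", "LAN", "ad"),
    ("carol", "2014-04-17T10:05:00", "LV", "vpn"),  # local + remote: flagged
    ("dave",  "2014-04-17T12:00:00", "LV", "ad"),
    ("dave",  "2014-04-17T12:01:00", "LV", "vpn"),  # same location: not flagged
]

def teleportation_offenses(logins, window=WINDOW):
    """Return (user, location_a, location_b, minutes_apart) for every pair of
    logins by the same user from different locations within `window`."""
    by_user = defaultdict(list)
    for user, ts, location, source in logins:
        by_user[user].append((datetime.fromisoformat(ts), location, source))
    offenses = []
    for user, events in by_user.items():
        events.sort()  # oldest first, so each event is only compared forward in time
        for i, (t_a, loc_a, _) in enumerate(events):
            for t_b, loc_b, _ in events[i + 1:]:
                if t_b - t_a > window:
                    break  # sorted: every later event is further away still
                if loc_a != loc_b:
                    minutes = int((t_b - t_a).total_seconds() // 60)
                    offenses.append((user, loc_a, loc_b, minutes))
    return offenses

if __name__ == "__main__":
    for user, a, b, minutes in teleportation_offenses(SAMPLE_LOGINS):
        print(f"offense: {user} logged in from {a} and {b} {minutes} minutes apart")
```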
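The "Purell for your VPN" rule from slide 64 as an added example (not from the deck): a join between a constructed VA scan import, a building block of OSVDB IDs of concern and constructed flow records, so an offense fires only when a VPN client that still carries one of those vulnerabilities reaches a sensitive server. The OSVDB IDs, VPN address pool and server addresses are placeholders.

```python
# Constructed VA scan import: VPN client address -> OSVDB IDs found on it.
# The IDs are placeholders, not real OSVDB entries.
VA_SCAN = {
    "10.8.0.12": {"OSVDB-PLACEHOLDER-1", "OSVDB-PLACEHOLDER-7"},
    "10.8.0.15": {"OSVDB-PLACEHOLDER-3"},
    "10.8.0.20": set(),
}
# Building block (BB) of the OSVDB IDs the customer worries about.
BB_OSVDB_OF_CONCERN = {"OSVDB-PLACEHOLDER-1", "OSVDB-PLACEHOLDER-9"}
VPN_POOL = "10.8.0."                           # assumed pool handed to external VPN clients
SENSITIVE_SERVERS = {"10.1.9.10", "10.1.9.11"}  # assumed sensitive internal servers

# Constructed flow records: (src_ip, dst_ip, dst_port).
FLOWS = [
    ("10.8.0.12", "10.1.9.10", 445),  # vulnerable VPN client -> sensitive file server
    ("10.8.0.15", "10.1.9.10", 445),  # VPN client whose finding is not in the BB
    ("10.8.0.20", "10.1.9.11", 22),   # clean VPN client
    ("10.8.0.12", "10.1.3.3", 80),    # vulnerable client, but not a sensitive target
]

def vulnerable_vpn_hosts(scan, concern):
    """VPN clients whose latest scan shows at least one OSVDB ID from the BB."""
    return {host for host, ids in scan.items() if ids & concern}

def risky_vpn_access(flows, scan, concern):
    """Flows from a vulnerable VPN client to a sensitive server, annotated with
    the matching OSVDB IDs so the analyst sees why the offense fired."""
    vulnerable = vulnerable_vpn_hosts(scan, concern)
    return [(src, dst, port, sorted(scan[src] & concern))
            for src, dst, port in flows
            if src.startswith(VPN_POOL) and src in vulnerable
            and dst in SENSITIVE_SERVERS]

if __name__ == "__main__":
    for src, dst, port, ids in risky_vpn_access(FLOWS, VA_SCAN, BB_OSVDB_OF_CONCERN):
        print(f"offense: {src} -> {dst}:{port} with {', '.join(ids)}")
```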