Ibm security overview bp enablement 22 feb-2012 v harper


Published on

Published in: Technology, Business
  • Be the first to comment

  • Be the first to like this

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide

Ibm security overview bp enablement 22 feb-2012 v harper

  1. 1. IBM Security Systems IBM Security Intelligence, Integration and Expertise Vaughan Harper IBM Security Architect 22 February, 2012© 2012 IBM Corporation1 © 2012 IBM Corporation
  2. 2. IBM Security SystemsThe world is becoming more digitized and interconnected,opening the door to emerging threats and leaks… The age of Big Data – the explosion of digital DATA information – has arrived and is facilitated by EXPLOSION the pervasiveness of applications accessed from everywhere With the advent of Enterprise 2.0 and social CONSUMERIZATION business, the line between personal and OF IT professional hours, devices and data has disappeared Organizations continue to move to new EVERYTHING platforms including cloud, virtualization, IS EVERYWHERE mobile, social business and more The speed and dexterity of attacks has ATTACK increased coupled with new actors with new SOPHISTICATION motivations from cyber crime to terrorism to state-sponsored intrusions2 © 2012 IBM Corporation
  3. 3. IBM Security SystemsTargeted Attacks Shake Businesses and Governments Attack Type Bethesda Software SQL Injection URL Tampering Northrop Italy Grumman IMF PM Fox News Site Spear Phishing X-Factor 3rd Party SW Citigroup Spanish Nat. Sega DDoS Police Secure ID Gmail Booz Accounts Epsilon PBS Allen Hamilton Unknown Vanguard Sony PBS SOCA Defense Monsanto Malaysian Gov. Site Peru HB Gary RSA Lockheed Special Police Martin Nintendo Brazil Gov. L3 SK Communications Sony BMG Communications Size of circle estimates relative Greece Turkish Government Korea impact of breach AZ Police US Senate NATO Feb Mar April May June July Aug3 IBM Security X-Force® 2011 Midyear Trend and Risk Report September 2011 © 2012 IBM Corporation
  4. 4. IBM Security SystemsIT Security is a board room discussion Business Brand image Supply chain Legal Impact of Audit risk results exposure hacktivism Sony estimates HSBC data Epsilon breach TJX estimates Lulzsec 50-day Zurich potential $1B breach impacts 100 $150M class hack-at-will Insurance PLc long term discloses 24K national brands action spree impacts fined £2.275M impact – private banking settlement in Nintendo, CIA, ($3.8M) for the $171M / 100 customers release of PBS, UK NHS, loss and customers* credit / debit UK SOCA, exposure of card info Sony … 46K customer records4 *Sources for all breaches shown in speaker notes © 2012 IBM Corporation
  5. 5. IBM Security SystemsSolving a security issue is a complex, four-dimensional puzzle People Employees Consultants Hackers Terrorists Outsourcers Customers Suppliers Data Structured Unstructured At rest In motion Systems Applications Web applications Web 2.0 Mobile apps applicationsInfrastructure It is no longer enough to protect the perimeter – siloed point products will not secure the enterprise5 © 2012 IBM Corporation
  6. 6. IBM Security SystemsIn this “new normal”, organizations need an intelligent view of theirsecurity posture In Sec te u lli rit ge y nc e O Automated pt im iz ed Optimized Prr P Organizations use offi o predictive and ic i ci automated security en en analytics to drive toward tt security intelligence Basic Ba Manual Organizations s employ perimeter Proficient ic protection, which Security is layered regulates access and into the IT fabric and feeds manual reporting business operations Reactive Proactive6 © 2012 IBM Corporation
  7. 7. IBM Security SystemsIBM Security: Delivering intelligence, integration and expertise across acomprehensive framework Only vendor in the market with end-to- end coverage of the security foundation 6K+ security engineers and consultants Award-winning X-Force® research Largest vulnerability database in the industry Intelligence Intelligence ● ● Integration Integration ● ● Expertise Expertise7 © 2012 IBM Corporation
  8. 8. IBM Security SystemsIntelligence: Leading products and services in every segment8 © 2012 IBM Corporation
  9. 9. IBM Security SystemsExpertise: Unmatched global coverage and security awareness Security Operations Centers Security Research Centers Security Solution Development Centers Institute for Advanced Security Branches World Wide Managed IBM Research Security Services Coverage 20,000+ devices under contract 20,000+ devices under contract 3,700+ MSS clients worldwide 3,700+ MSS clients worldwide 9B+ events managed per day 9B+ events managed per day 1,000+ security patents 1,000+ security patents 133 monitored countries (MSS) 133 monitored countries (MSS)9 © 2012 IBM Corporation
  10. 10. IBM Security SystemsProblem #1: Passwords… Most users need to log on to multiple systems to do their job It takes time to log on to each system It’s difficult to remember all the passwords It’s impossible to remember all your passwords if they’re all strong, all different, and some are used infrequently Volume of different applications (17 applications for one user we were talking to)10 © 2012 IBM Corporation
  11. 11. IBM Security Systems Demonstration…11 © 2012 IBM Corporation
  12. 12. IBM Security SystemsLatest IBM Security Access Manager for Enterprise Single Sign-OnDesktop Single Sign-On, Strong Authentication and Fine-Grained User Activity Audit LogsSimplify password management andstrengthen end user security Business challenge Reduce help desk costs, improve productivity and strengthen security on traditional, virtual, shared desktop environments Key solution highlights • Virtual Appliance for faster time to value - Easier deployment and management leading to lower TCO • Virtualized desktops and applications virtualization support - Support VMware View, IBM Virtual Desktop for Smart Business - Desktop access to virtualized MSFT App-V or Citrix XenApp • Wider platform support - Support for Win 7 64-bit, Win 2008, Internet Explorer 8 & 9 • Enhanced Strong Authentication Support “IBM’s Security Access Manager for Enterprise Single - Hybrid RFID smart card, support for National IDs Sign-On helped achieve a ROI of 244% over 3 years with a payback period of 11 months” (Large UK financial services company)12 © 2012 IBM Corporation
  13. 13. IBM Security SystemsProblem #2: Badly developed websites…13 © 2012 IBM Corporation
  14. 14. IBM Security SystemsApplication Vulnerabilities Continue to Dominate Web application vulnerabilities represented the largest category in vulnerability disclosures (55% in 2008) In 1H09, 50.4% of all vulnerabilities are Web application vulnerabilities SQL injection and Cross-Site Scripting are neck and neck in a race for the top spot Vulnerability Disclosures Affecting Web Applications (Cumulative, Year Over Year) 18,000 16,000 14,000 12,000 10,000 8,000 6,000 4,000 2,000 - 1998 1999 2000 2001 2002 2003 2004 2005 2006 2007 2008 2009 H1 IBM Internet Security Systems 2009 X-Force® Mid-Year Trend & Risk Report14 © 2012 IBM Corporation
  15. 15. IBM Security SystemsWhy Security Matters ? ICO £500K fines from 6th April 2010 New powers to impose fines of up to £500,000 for serious breaches of the DPA will come into force on 6 April Data Breach Notification Law approved by EU Member states required to introduce the new rules by May 2011 PCI Compliance New prioritised approach in place, banks and card acquirers demanding progress Other Compliance Basel II, Sarbanes Oxley, ISO 27001 etc… Non-compliance reasons Reputational damage Fraud, etc15 © 2012 IBM Corporation
  16. 16. IBM Security SystemsIBM Rational AppScan End-to-End Application SecurityREQUIREMENTS CODE BUILD QA SECURITY PRODUCTION Security AppScan Requirements AppScan Source AppScan AppScan onDemand Definition Tester Standard (SaaS) AppScan Enterprise / Reporting Console (enterprise-wide scanning and reporting) Security Security / compliance Security & Outsourced testing requirements Automate Security Build security / Compliance testing incorporated Compliance for security audits & defined before testing into the into testing & Testing, oversight, production site design & testing in the IDE Build Process remediation control, policy, monitoring implementation workflows audits Application Security Best Practices16 © 2012 IBM Corporation
  17. 17. IBM Security SystemsIBM Rational AppScan End-to-End Application Security IBM Rational AppScan: A Web Application SECURITY Security Scanner – Helps users find and remediate application-layer security issues in their web applications & web services AppScan Standard IBM Rational AppScan Standard or Express Edition – A standalone desktop application Security & Compliance Who uses it? Testing, oversight, control, policy, – Security Auditors and IT Security Teams - To audits reach beyond network security – QA engineers - To add Security to Functionality & Performance testing – Developers (to a lesser extent) – Wanting to be proactive about security17 © 2012 IBM Corporation
  18. 18. IBM Security SystemsHow does AppScan work? Approaches an application as a black-box Traverses a web application and builds the site model Determines the attack vectors based on the selected Test policy Tests by sending modified HTTP requests to the application and examining the HTTP response according to validate rules HTTP Request Web Application HTTP Response18 © 2012 IBM Corporation
  19. 19. IBM Security SystemsThe ROI of Application Security Testing Cost Savings – of testing early in the development process 80% of development costs are spent identifying Cost of finding & fixing problems: and correcting defects code stage is $25, QA/Testing is $450, Production Testing for vulnerabilities earlier in the $16,000 * development process can help avoid that E.g.: 50 applications annually & 25 issues per unnecessary expense application, testing at code stage saves $780,000 over testing at QA stage. Cost Savings – of automated vs manual testing Automated testing provides tremendous Outsourced audits can cost $10,000 to $50,000 per productivity savings over manual testing application Automated source code testing with periodic At $20,000 an app, 50 audits will cost $1M. penetration testing allows for cost effective With 1 hire + 4 quarterly outsourced audits (ex: security analysis of applications $120,000+$80,000), $800,000/yr can be saved (less the cost of testing software) Cost Avoidance – of a security breach Costs as a result of a security breach can The cost to companies is $202 per include (but are not limited to) audit fees, compromised record** legal fees, regulatory fines, lost customer The average cost per data breach is $6.6 revenue and brand damage Million** * Source: Capers Jones, Applied Software Measurement, 1996 ** Source: Ponemon Institute, Privacy Rights Clearinghouse, 200819 © 2012 IBM Corporation
  20. 20. IBM Security SystemsAppScan Product Path AppScan Express (single user) More than 1 user Upgrade to AppScan Standard (floating user) floating licence Multiple users AppScan Reporting Console (enterprise-wide reporting) Enterprise wide reporting & visibility AppScan Standard AppScan Standard (floating user) (floating user) AppScan Standard AppScan Standard (floating user) (floating user) AppScan Standard AppScan Standard (floating user) (floating user)20 © 2012 IBM Corporation
  21. 21. IBM Security SystemsRecent UK General Business sales… Q3 2011 – UK digital media production company A UK digital media production company had been using some open source tools for security testing and had suffered some recent security incidents that were driving them to improve their security posture Initial Demonstration of AppScan via webinar on 22nd August. Evaluation of AppScan completed via Webinars over following weeks. Deal for one licence of AppScan Standard Edition closed within the Quarter.Q4 2011 – UK publishing company UK magazine company: increasing focus on online content is driving a greater need for security Initial Demonstration of AppScan via webinar during Oct. Evaluation of AppScan completed within 1 week via onsite visit on 16th November. Deal for one licence of AppScan Standard Edition closed within the quarter.21 © 2012 IBM Corporation
  22. 22. IBM Security SystemsProblem #3: Managing workstations and servers… How long does it take you to… …determine the number of PCs that are infected? …patch all infected systems and protect the healthy ones? …realize that a user/malware just uninstalled a critical patch? …deploy patches not only on Windows but Linux, AIX, Solaris or Mac OS? X?22 © 2012 IBM Corporation
  23. 23. IBM Security SystemsTivoli Endpoint Manager: See More, Secure More Tivoli Endpoint Manager for Security & Compliance Asset Discovery and Visibility Patch Management Multi-Vendor Endpoint Protection Security Configuration Management Management Vulnerability Management Network Self Quarantine Discover 10% - 30% more Library of 5,000+ compliance assets than previously reported settings, including support for FDCC SCAP, DISA STIG Automatically and continuously Achieve 95%+ first-pass enforce policy at the end point success rates within hours of policy or patch deployment23 © 2012 IBM Corporation
  24. 24. IBM Security SystemsThe Tivoli Endpoint Manager Approach PIPEDA/ PIPA ISO/IEC 27001 Reporting and Enforcement on 5,000+ Controls24 © 2012 IBM Corporation
  25. 25. IBM Security SystemsTEM for SCM – Meeting Endpoint Compliance Requirements Requirement PCI ISO 27001 CobIT NIST 800-53 Implement anti-malware and keep endpoints current 5.1, 5.2 A12.6 DS5.9 SI-3 Define, implement, and enforce security configuration 2.1, 2.2, A12.1, DS9 CM-2,4,6 baselines 6.2 A15.2 Keep endpoints patched 6.1 A12.6 DS5.9 CM-2 Perform regular vulnerability scans and address findings 11.2 A12.6 PO9.3 RA-5 Keep a current network diagram, know when things are added 1.1 A7.1 DS13.3 CM-8 to the network Install, maintain endpoint firewalls, NAC 1.4 A11.4 DS5.10 AC-1925 © 2012 IBM Corporation
  26. 26. IBM Security SystemsCompliance Dashboard / Reporting • Real-time and historical visibility into the state of compliance • Identify critical gaps in compliance to defined policy • Customize dashboard to create different “lenses” into the compliance state • Computer Groups • Categories • Policy Templates • Drill-down into specific details of non- compliant or compliant systems • Compliance Focused executive reporting via web reports and DSS26 © 2012 IBM Corporation
  27. 27. IBM Security SystemsSecurity & Compliance Customer Success Stories • Failed internal audit of information security configuration compliance • Highly distributed infrastructure with centralized visibility and reporting • Customized SCM Controls to meet internal SCM requirements Financial Company • Failed PCI Audit due to poor configuration policy enforcement • No visibility into system configurations and no ability to report on compliance status • No ability to enforce configuration standards across infrastructure Retail Chain • Leveraged SCM Controls to achieve PCI specific requirements • Ongoing failures to secure systems and mitigate against threats caused by poorly configured and badly managed systems • Systems highly susceptible to internal abuse and external attack • Leveraged out-of-the-box DISA STIG SCM checklists to assess Government Agency compliance and automate remediation of non-compliant systems.27 © 2012 IBM Corporation
  28. 28. 28 IBM Security Systems Problem #4: Network threats… IBM Security Research and Development: X-Force X-Force R&D team discovers and analyzes previously unknown vulnerabilities in critical software and infrastructure such as: e-mail, networks, Internet applications, security protocols, business applications and VoIP. Additional to its own research, X-Force reviews each published vulnerability in order to monitor the threat landscape, determining new attack vectors, and offering a higher level of protection. One of X-Force’s publications is the quarterly Threat Insight report Source: IBM X-Force Database 28 © 2012 IBM Corporation
  29. 29. 29 IBM Security Systems Preemptive Ahead of the Threat Security – backed up by data Top 61 Vulnerabilities 2009 341 Average days Ahead of the Threat 91 Median days Ahead of the Threat 35 Vulnerabilities Ahead of the Threat 57% Percentage of Top Vulnerabilities – Ahead of the Threat 9 Protection released post announcement 17 same day coverage 1H2010 – Average days Ahead of the Threat increased to 437! 29 © 2012 IBM Corporation
  30. 30. IBM Security SystemsIBM Security Network IPSIBM Security Network IPS is an ApplianceCore protection engine – Protocol Analysis Module (PAM) –delivers the most efficient IPS engine availableVulnerability-based protection requires fewer detectionalgorithms than competitive solutions that require a newsignature for every new exploitClients benefit with greater protection from fewer detectionalgorithms – Provides capacity for new features like Content Analysis and Web application security – Protection for older threats don’t have to be removed to maintain speed/ performanceClients benefit as X-Force continues to invest in PAM – Multithreaded version in development awards-first-gold-in-5-years.html IBM is the first vendor to secure three NSS Labs Gold Awards in a row30 © 2012 IBM Corporation
  31. 31. IBM Security Systems IBM Virtual Server Protection for VMware Integrated threat protection for VMware vSphere 4 5 Security Features – Rootkit Detection, Firewall, Intrusion Prevention, Virtual Network Admission Control, Auditing. VSP cannot monitor host-based events (e.g. file integrity) which require local installation VSP plugs into VMsafe and therefore cannot prevent threats to the underlying hardware and virtual network cards.31 © 2012 IBM Corporation
  32. 32. IBM Security Systems © Copyright IBM Corporation 2012. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind, express or implied. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, these materials. Nothing contained in these materials is intended to, nor shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software. References in these materials to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates. Product release dates and/or capabilities referenced in these materials may change at any time at IBM’s sole discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any way. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United32 States, other countries or both. Other company, product, or service names may be trademarks or service marks of others. © 2012 IBM Corporation