Security Trends and Risk Mitigation for the Public Sector


Presentation from the Cyber Security Briefing held in Ottawa on June 12, 2013.

- Keynote: Security Trends and Risk Mitigation for the Public Sector - Presented by: Sandy Bird, CTO - Security Division, IBM Canada Ltd.
- Application Security for mobile and web applications - Presented by: Patrick Vandenberg, Program Director, IBM Security Segment Marketing
- Detect Threat and Mitigate Risk Using Security Intelligence - Presented by: Sandy Bird, CTO - Security Division, IBM Canada Ltd.


  1. Cyber Security Briefing: Security Trends and Risk Mitigation for the Public Sector. Ottawa – June 12, 2013. © 2013 IBM Corporation, IBM Security Systems.
  2. Agenda
     - 8:30 am - Registration & Breakfast
     - 9:00 am – Opening Remarks: Rodney Helal, Sales Executive, Software, Canadian Federal Accounts
     - 9:15 am - Keynote: Security Trends and Risk Mitigation for the Public Sector: Sandy Bird, CTO - Security Division, IBM Canada Ltd.
     - 9:45 am - Application Security for mobile and web applications: Patrick Vandenberg, Program Director, IBM Security Segment Marketing
     - 10:15 am - Detect threat and mitigate risk using Security Intelligence: Sandy Bird, CTO - Security Division, IBM Canada Ltd.
     - 10:45 am - Investigating, Mitigating, and Preventing Cyber Attacks with Security Analytics and Visualization: Orion Suydam, Director of Product Management, 21CT
  3. IBM X-Force 2012 Annual Trend & Risk Report. Sandy Bird, CTO, IBM Security Systems. May 2013.
  4. Update on IBM Security
     Timeline: Oct 2011 – Acquired; Jan 2012 – Formed IBM Security Systems division; March – Enhanced identity management; May – Integration across domains; Aug – Next-gen network security; Oct – Controlling privileged user access; Jan 2013 – Big data security analytics; Mar – iOS mobile app security.
     Market leadership: 4 – rank by revenue in security software; 10 – leader in virtually all of the markets we target, according to Gartner, IDC and Forrester; 15% – year-to-year growth of Security Systems.
     Enrich capabilities: 25 new organic product releases in 2012 focused on integrations; 18 product development labs worldwide; IBM X-Force – award-winning X-Force security research with one of the industry's largest vulnerability databases.
  5. Shaping our strategy – the megatrends
     - Cloud Computing: cloud security is a key concern as customers rethink how IT resources are designed, deployed and consumed
     - Regulation and Compliance: regulatory and compliance pressures are mounting as companies store more data and can become susceptible to audit failures
     - Advanced Threats: sophisticated, targeted attacks designed to gain continuous access to critical information are increasing in severity and occurrence
     - Mobile Computing: securing employee-owned devices and connectivity to corporate applications are top of mind as CIOs broaden support for mobility
     (Graphic labels: Advanced Persistent Threats, Stealth Bots, Targeted Attacks, Designer Malware, Zero-days; Enterprise Customers; GLBA.)
  6. X-Force is the foundation for advanced security and threat research across the IBM Security Framework.
  7. Collaborative IBM teams monitor and analyze the latest threats: 20,000+ devices under contract; 3,700+ managed clients worldwide; 13B+ events managed per day; 133 monitored countries (MSS); 1,000+ security-related patents; 20B analyzed web pages & images; 45M spam & phishing attacks; 73K documented vulnerabilities; billions of intrusion attempts daily; millions of unique malware samples.
  8. The Global IBM Security Community: 15,000 researchers, developers and subject matter experts working security initiatives worldwide. (Map legend: Security Operations Centers, Security Research Centers, Security Solution Development Centers, Institute for Advanced Security branches.)
  9. What are we seeing? The Annual Trend Report gives an X-Force view of the changing threat landscape.
  10. 2011: "The year of the targeted attack". Source: IBM X-Force Research 2011 Trend and Risk Report.
     Chart: 2011 Sampling of Security Incidents by Attack Type, Time and Impact (Jan–Dec). Attack types in the legend: SQL Injection, URL Tampering, Spear Phishing, 3rd Party Software, DDoS, SecureID, Trojan Software, Unknown. Victim sectors plotted include Online Gaming, Central Government, Defense, National and State Police, IT Security, Banking, Consumer Electronics, Telecommunications, Entertainment, Internet Services, Online Services, Marketing Services, Consulting, Insurance, Agriculture, Apparel, Heavy Industry and Financial Market. Size of circle estimates the relative impact of the breach in terms of cost to business; conjecture of relative breach impact is based on publicly disclosed information regarding leaked records and financial losses.
  11. 2012: The explosion of breaches continues! Source: IBM X-Force Research 2012 Trend and Risk Report. Chart: 2012 Sampling of Security Incidents by Attack Type, Time and Impact; conjecture of relative breach impact is based on publicly disclosed information regarding leaked records and financial losses.
  12. Attacker motivations remain similar, although methods evolve
     - Many security incidents disclosed in 2012 were carried out by attackers going after a broad target base while using off-the-shelf tools and techniques (top left of the chart).
     - SQL injection and DDoS continue to be tried-and-true methods of attack.
     - Attackers are opportunistic; not all advanced adversaries use exotic malware and zero-day vulnerabilities.
  13. Operational sophistication, not always technical sophistication.
  14. Tried and true techniques - SQL and Command Injection attacks
     - Dramatic and sustained rise in SQL injection-based traffic.
     - Alerts came from all industry sectors, with a bias toward banking and finance targets.
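The two injection classes named on this slide share one root cause: untrusted input is spliced into a statement that another interpreter (the database engine, the shell) then parses. The Python script below is an added example written for this page, not code from the IBM deck. It builds a throwaway in-memory SQLite table from constructed user rows, shows the classic `' OR '1'='1` payload dumping every row through the string-concatenated query while the parameterized query returns nothing, and then shows the same failure for OS command injection with `shell=True` against an argument list. The table, the users and the `echo` stand-in for a real lookup tool are all assumptions chosen for the demonstration.

```python
import sqlite3
import subprocess

# Constructed sample data: a tiny user table for an in-memory SQLite database.
SAMPLE_USERS = [
    ("alice", "alice@example.gc.ca", "admin"),
    ("bob", "bob@example.gc.ca", "analyst"),
    ("carol", "carol@example.gc.ca", "analyst"),
]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def find_user_vulnerable(conn, name):
    # VULNERABLE: the caller's string becomes part of the SQL grammar, so a
    # quote in the input closes the literal and the remainder is parsed as SQL.
    query = f"SELECT name, email, role FROM users WHERE name = '{name}'"
    return conn.execute(query).fetchall()


def find_user_safe(conn, name):
    # HARDENED: the placeholder is bound as data; quotes in the input stay literal.
    sql = "SELECT name, email, role FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def resolve_vulnerable(host):
    # VULNERABLE: shell=True hands the whole string to /bin/sh, so ';', '|' or
    # '$()' inside host append commands. 'echo' stands in for a real tool
    # such as nslookup so the example runs anywhere.
    proc = subprocess.run(f"echo resolving {host}", shell=True,
                          capture_output=True, text=True)
    return proc.stdout.splitlines()


def resolve_safe(host):
    # HARDENED: an argument list never passes through a shell, so shell
    # metacharacters are just characters inside one argument.
    proc = subprocess.run(["echo", "resolving", host],
                          capture_output=True, text=True)
    return proc.stdout.splitlines()


if __name__ == "__main__":
    db = make_db()
    payload = "' OR '1'='1"
    print("vulnerable:", find_user_vulnerable(db, payload))   # every row
    print("safe:      ", find_user_safe(db, payload))         # no rows
    print("vulnerable:", resolve_vulnerable("x; echo INJECTED"))
    print("safe:      ", resolve_safe("x; echo INJECTED"))
```

The vulnerable functions exist only to show the failure mode; the pattern to copy is the bound parameter and the argument list, which is also what makes the "alerts from all sectors" on this slide largely noise for an application that never builds statements from strings.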
  15. Tried and true techniques - Distributed Denial of Service (DDoS)
     - High-profile DDoS attacks marked by a significant increase in traffic volume.
     - Botnets built on compromised web servers in high-bandwidth data centers, which gives the attacker far more upstream capacity per bot than infected home PCs.
  16. Tried and true techniques - Spear-phishing using social networks
     - Overall spam volume continues to decline, but spam containing malicious attachments is on the rise.
     - Scammers rotate the "carousel" of their targets, focusing on social networks in 2012.
  17. Botnet Command & Control server resiliency. Operational sophistication: when botnet command and control servers are taken down, other readily available networks can be put into action.
  18. Why was Java one of 2012's hottest software targets?
     1. Java is cross-platform, so one exploit reaches Windows, Mac and Linux users alike.
     2. Exploits written for Java vulnerabilities are very reliable and do not need to circumvent mitigations in modern OSes: most are logic flaws that escape the JVM's own security manager rather than memory corruption, so DEP and ASLR never come into play.
     3. The Java browser plug-in runs without an OS-level sandbox, so once the JVM's security manager is bypassed the payload runs with the full privileges of the logged-in user, making it easy to install persistent malware on the system.
  19. As a result, exploit authors and toolkits favor Java
     - Web browser exploit kits (aka "exploit packs") are built for one particular purpose: to install malware on end-user systems.
     - In 2012 we observed an upsurge in web browser exploit kit development and activity, the primary target of which was Java vulnerabilities.
  20. And more… (image-only slide)
  21. Blackhole Crimeware
     Blackhole Exploit Kit:
     - First appeared in August 2007
     - Advertised as a "Systems for Network Testing"
     - Protects itself with blacklists and integrated antivirus
     - Comes in Russian or English
     - Currently the most purchased exploit pack
     Flexible pricing plan:
     - Purchase: $1500/annual, $1000/semi-annual, $700/quarterly
     - Lease: $50/24 hours, $200/1 week, $300/2 weeks, $400/3 weeks, $500/month (*$35 domain name change fee if necessary)
  22. Software vulnerabilities - disclosures up in 2012: 8,168 publicly disclosed vulnerabilities, an increase of over 14% from 2011.
  23. Public exploit disclosures – not as many "true exploits": continued downward trend in the percentage of public exploit disclosures to vulnerabilities, though slightly up in actual numbers compared to 2011.
  24. Web application vulnerabilities surge upward: 14% increase in web application vulnerabilities; cross-site scripting represented 53%.
  25. Content Management Systems plug-ins provide a soft target: attackers know that CMS vendors more readily address and patch their exposures, compared to the smaller organizations and individuals producing the add-ons and plug-ins.
  26. Impact on Risk. Risk = Threat x Vulnerability. Risk is growing as threats become more hostile and vulnerabilities continue to grow; a better understanding helps to focus strategies.
  27. Social Media and Intelligence Gathering: 50% of all websites are connected to social media; enhanced spear-phishing seemingly originating from trusted friends and co-workers.
  28. Mobile devices should be more secure in 2014
     - Separation of personas & roles
     - Ability to remotely wipe data
     - Biocontextual authentication
     - Secure mobile app development
     - Mobile Enterprise App Platform (MEAP)
     Mobile computing is becoming increasingly secure, based on technical controls now being adopted by security professionals and software developers.
  29. What are we seeing? Key Findings from the 2012 Trend Report
     - Software vulnerability disclosures up in 2012
     - Web application vulnerabilities surge upward
     - XSS vulnerabilities highest ever seen at 53%
     - Content Management Systems plug-ins provide a soft target
     - Social media leveraged for enhanced spear-phishing techniques and intelligence gathering
     - Mobile security should be more secure than traditional user computing devices by 2014
     - 40% increase in breach events for 2012
     - Sophistication is not always about technology
     - SQL injection, DDoS and phishing activity increased from 2011
     - Java used as a means to infect as many systems as possible
     (Categories: Threats and Activity; Operational Security; Emerging Trends.)
  30. Get engaged with IBM X-Force Research and Development: follow us at @ibmsecurity and @ibmxforce; subscribe to X-Force alerts (link not captured); X-Force Security Insights blog (link not captured); IBM X-Force 2012 Annual Trend & Risk Report (link not captured).
  31. © Copyright IBM Corporation 2013. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind, express or implied. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, these materials. Nothing contained in these materials is intended to, nor shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software. References in these materials to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates. Product release dates and/or capabilities referenced in these materials may change at any time at IBM's sole discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any way. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service marks of others.
  32. Application Security Overview. Patrick Vandenberg, Program Director, IBM Security Segment Marketing.
  33. Securing Applications is a Challenge
     Your application portfolio – different types & sources: Financial, HR, Logistics, Intranet; In-house, Outsourced, Legacy, Open Source. Your policies: Data Privacy, Regulatory Compliance, Accountability. Your SDLC processes.
     - Large and diverse application portfolios
     - Mobile applications
     - In-house and outsourced development
     - External & internal regulatory pressure
     - Pockets of security expertise
     - Yet another task for developers
     Need an efficient, scalable, automated way to develop and deliver secure applications…
  34. X-Force is the foundation for advanced security and threat research across the IBM Security Framework.
  35. What are we seeing? Key Findings from the 2012 Trend Report (repeat of slide 29)
     - Software vulnerability disclosures up in 2012
     - Web application vulnerabilities surge upward
     - XSS vulnerabilities highest ever seen at 53%
     - Content Management Systems plug-ins provide a soft target
     - Social media leveraged for enhanced spear-phishing techniques and intelligence gathering
     - Mobile security should be more secure than traditional user computing devices by 2014
     - 40% increase in breach events for 2012
     - Sophistication is not always about technology
     - SQL injection, DDoS and phishing activity increased from 2011
     - Java used as a means to infect as many systems as possible
     (Categories: Threats and Activity; Operational Security; Emerging Trends.)
  36. Tried and true techniques - SQL and Command Injection attacks (repeat of slide 14): dramatic and sustained rise in SQL injection-based traffic; alerts came from all industry sectors, with a bias toward banking and finance targets.
  37. Web application vulnerabilities surge upward (repeat of slide 24): 14% increase in web application vulnerabilities; cross-site scripting represented 53%.
  38. Both Paid and Free Apps are Targeted. Source: Arxan, State of Security in the App Economy – 2012. Mobile increases the risk of applications as an attack vector.
  39. Application Threats
     - SQL injection continues to be one of the most popular points of entry for extracting data from a website.
     - Web app vulnerabilities also allow attackers to inject malicious scripts and files onto legitimate websites.
     - The high rate of vulnerable web applications and their plugins allows attackers to use automated scripts to scan the web for targets.
     What to do:
     - Analyze applications before deployment, to identify security vulnerabilities
     - Scan applications as early as possible in the development cycle, to reduce costs
     - Remediate critical vulnerabilities, and validate by re-scanning
     - Integrate scanning results with intrusion prevention, to block attacks before apps are updated
     - Continuously monitor database activities to detect suspicious activity and respond in real time
     - Detect database vulnerabilities to prevent threats
  40. Adopt a Secure by Design approach to enable you to design, deliver and manage smarter software and services
     - Build security into your application development process
     - Efficiently and effectively address security defects before deployment
     - Collaborate effectively between Security and Development
     - Provide management visibility
     Outcomes: deliver new services faster; reduce costs; innovate securely. Proactively address vulnerabilities early in the development process.
  41. When it comes to risk, all applications are not created equal.
  42. Application Security Testing
     Scanning techniques across the SDLC (Coding, Build, QA, Security, Production):
     - Static analysis (white box): source code vulnerabilities & code quality risks; data & call flow analysis tracks tainted data
     - Dynamic analysis (black box): live web application; web crawling & manual testing
     - Hybrid glass box analysis
     Integrated with:
     - Build systems, to improve scan efficiencies (Rational Build Forge, Rational Team Concert, Hudson, Maven)
     - Defect tracking systems, to track remediation (Rational Team Concert, Rational ClearQuest, HP QC, MS Team Foundation Server)
     - IDEs, for remediation assistance (RAD, Rational Team Concert, Eclipse, Visual Studio)
     - Security Intelligence, to raise the threat level (SiteProtector, QRadar, Guardium)
     Governance & collaboration:
     - Training – application security & product (instructor led, self paced; classroom & web based)
     - Test policies, test templates and access control
     - Dashboards, detailed reports & trending
     - Manage regulatory requirements such as DIACAP, PCI, GLBA and HIPAA (40+ out-of-the-box compliance reports)
     Audience: development teams, security teams, penetration testers.
  43. Finding more vulnerabilities using advanced techniques
     - Static Analysis: analyze source code; use during development; uses taint analysis / pattern matching
     - Dynamic Analysis: analyze the live web application; use during testing; uses HTTP tampering
     - Hybrid Analysis: correlates dynamic and static results; assists remediation by identifying the line of code
     - Client-Side Analysis: analyze downloaded JavaScript code which runs in the client; unique in the industry
     - Run-Time Analysis: combines dynamic analysis with a run-time agent; more results, better accuracy
  44. Bridging the Security/Development gap
     Provide management visibility: dashboard of application risk; enable compliance with regulation-specific reporting.
     Break down organizational silos: security experts establish security testing policies; development teams test early in the cycle; treat vulnerabilities as development defects.
     Enables collaboration between architect, developer, quality professional and security auditor.
     "… we wanted to go to a multiuser web-based solution that enabled us to do concurrent scans and provide our customers with a web-based portal for accessing and sharing information on identified issues." – Alex Jalso, Asst Dir, Office of Info Security, WVU
  45. Reducing Costs Through a Secure by Design Approach
     - Find during Development: $80 / defect*, $8,000 / application
     - Find during Build: $240 / defect*, $24,000 / application
     - Find during QA/Test: $960 / defect*, $96,000 / application
     - Find in Production: $7,600 / defect*, $760,000 / application
     80% of development costs are spent identifying and correcting defects!*** Average cost of a data breach: $7.2M** from lawsuits, loss of customer trust, damage to brand.
     * Based on X-Force analysis of 100 vulnerabilities per application. ** Source: Ponemon Institute 2009-10. *** Source: National Institute of Standards and Technology.
  46. AppScan Mobile Support: Server and Native
     - Server-side logic: SAST (source code), DAST (web interfaces)
     - Mobile web apps: JavaScript / HTML5 hybrid analysis; JavaScript static analysis
     - Native apps: Android applications (static analysis); iOS applications (static analysis, new)
  47. AppScan Source V8.7 – What's New
     - Support for native iOS apps
     - Mac OS platform support
     - Security SDK research & risk assessment of over 20k iOS APIs
     - Xcode interoperability & build automation support
     - Full call and data flow analysis of Objective-C, JavaScript and Java
     - Identify where sensitive data is being leaked
     Press: "IBM formally launched a major initiative to help tighten the security of mobile apps developed for business use on iPhone handsets." – USA Today. "AppScan provides developers with an unmatched view into where vulnerabilities appear in their mobile apps due to its deep cognizance of platform APIs." – eWeek. "The real power of AppScan arises from how it performs vulnerability analysis - by using the full trace technique." – SecurityWeek. "iPhone users will benefit from the IBM AppScan update." – IT PRO
  48. AppScan Components (diagram)
  49. Using Big Data and Analytics to Think Like an Attacker. Sandy Bird, CTO, IBM Security Systems.
  50. Now, for something you've never seen before
  51. – 55. (image-only slides; no text captured)
  56. Innovative technology changes everything: bring your own IT; social business; cloud and virtualization; 1 billion mobile workers; 1 trillion connected objects.
  57. Attacker motivations are rapidly escalating (motivation – actor – example)
     - Revenge, curiosity – insiders and script-kiddies – Code Red
     - Monetary gain – organized crime – Zeus
     - Espionage, activism – sponsored groups and hacktivists – Aurora
     - National security – nation-state actors – Stuxnet
  58. Organized groups are using multiple techniques
     - Using social networking and social engineering to perform reconnaissance on spear-phishing targets, leading to compromised hosts and accounts
     - Infiltrating a trusted partner and then loading malware onto the target's network
     - Creating designer malware tailored to only infect the target organization, preventing positive identification by security vendors
     - Exploiting zero-day vulnerabilities to gain access to data, applications, systems, and endpoints
     - Communicating over accepted channels such as port 80 to exfiltrate data from the organization
  59. … of malicious identifiers are limitless (slide text only partially captured)
  60. (image-only slide)
  61. Image retrieved from (source not captured)
  62. A change in mindset is already happening
  63. By monitoring for subtle indicators across all fronts
     - Break-in: spoofed email with malicious file attachment sent to users
     - Command & control (CnC)
     - Latch-on: anomalous system behavior and network communications
     - Expand: device contacting internal hosts in strange patterns
     - Gather: abnormal user behavior and data access patterns
     - Command & control (CnC)
     - Exfiltrate: movement of data in chunks or streams to unknown hosts
  64. Big Data Analytics + Traditional Security Operations and Technology (diagram)
  65. (image-only slide)
  66. IBM Security Intelligence with Big Data: complementary analytics and workflow from IBM
     Security Intelligence Platform:
     - Real-time processing: real-time data correlation; anomaly detection; event and flow normalization; security context & enrichment; distributed architecture
     - Security operations: pre-defined rules and reports; offense scoring & prioritization; activity and event graphing; compliance reporting; workflow management
     Big Data Platform:
     - Big data warehouse: long-term, multi-PB storage; unstructured and structured; distributed infrastructure; preservation of raw data; Hadoop-based backend
     - Analytics and forensics: advanced visuals and interaction; predictive & decision modeling; ad hoc queries; spreadsheet UI for analysts; collaborative sharing tools; pluggable UI
  67. QRadar leverages Big Data to identify security threats: appliances with massive scale; intelligent data policy management; payload indexing leveraging a purpose-built data store; advanced threat visualization and impact analysis; Google-like search of large data sets; enrichment with X-Force and external intelligence.
  68. Example QRadar use cases
     - Irrefutable botnet communication: Layer 7 flow data shows botnet command and control instructions
     - Improved breach detection: 360-degree visibility helps distinguish true breaches from benign activity, in real time
     - Network traffic doesn't lie: attackers can stop logging and erase their tracks, but can't cut off the network (flow data)
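The "network traffic doesn't lie" use case and two of the indicators on slide 63 (a device calling the same unknown host on a fixed schedule, and data leaving in chunks) can be checked with nothing more than flow records, which an intruder who has disabled host logging cannot suppress. The script below is an added example written for this page, not IBM's or QRadar's code. It runs over a constructed list of NetFlow-style records and flags (a) source/destination pairs whose inter-arrival times are almost constant, the signature of a beacon, and (b) hosts whose outbound volume to external addresses dwarfs their peers. The internal address range, the thresholds and every flow in it are assumptions for the demonstration; a real deployment would read exported flows and tune the thresholds against its own baseline.

```python
import ipaddress
import statistics
from collections import defaultdict

# The organisation's internal address space (assumption for the example).
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# Constructed flow records: (timestamp_seconds, src_ip, dst_ip, bytes_out).
SAMPLE_FLOWS = [
    # 10.0.0.5 -> 203.0.113.7 every ~300 s with a tiny payload: beaconing.
    (0, "10.0.0.5", "203.0.113.7", 420),
    (301, "10.0.0.5", "203.0.113.7", 420),
    (599, "10.0.0.5", "203.0.113.7", 420),
    (902, "10.0.0.5", "203.0.113.7", 420),
    (1200, "10.0.0.5", "203.0.113.7", 420),
    (1498, "10.0.0.5", "203.0.113.7", 420),
    (1801, "10.0.0.5", "203.0.113.7", 420),
    (2099, "10.0.0.5", "203.0.113.7", 420),
    # 10.0.0.9 -> 198.51.100.3 at irregular, human-looking intervals: benign browsing.
    (15, "10.0.0.9", "198.51.100.3", 1500),
    (40, "10.0.0.9", "198.51.100.3", 1500),
    (600, "10.0.0.9", "198.51.100.3", 1500),
    (645, "10.0.0.9", "198.51.100.3", 1500),
    (1900, "10.0.0.9", "198.51.100.3", 1500),
    (2050, "10.0.0.9", "198.51.100.3", 1500),
    # 10.0.0.12 -> 203.0.113.40, three 20 MB chunks: exfiltration.
    (100, "10.0.0.12", "203.0.113.40", 20_000_000),
    (160, "10.0.0.12", "203.0.113.40", 20_000_000),
    (230, "10.0.0.12", "203.0.113.40", 20_000_000),
    # 10.0.0.20: light ordinary traffic, plus an internal flow that is ignored.
    (500, "10.0.0.20", "198.51.100.8", 800),
    (700, "10.0.0.20", "198.51.100.8", 2400),
    (710, "10.0.0.20", "10.0.0.1", 5000),
]


def is_external(ip):
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def detect_beacons(flows, min_flows=5, max_cv=0.1):
    """Flag (src, dst) pairs whose inter-arrival times are nearly constant.

    Returns [(src, dst, mean_gap_seconds, coefficient_of_variation)].
    Human traffic is bursty (high CV); a timer-driven implant is not.
    """
    stamps_by_pair = defaultdict(list)
    for ts, src, dst, _ in flows:
        if is_external(dst):
            stamps_by_pair[(src, dst)].append(ts)
    beacons = []
    for (src, dst), stamps in stamps_by_pair.items():
        if len(stamps) < min_flows:
            continue
        stamps.sort()
        gaps = [later - earlier for earlier, later in zip(stamps, stamps[1:])]
        mean_gap = statistics.mean(gaps)
        cv = statistics.pstdev(gaps) / mean_gap if mean_gap else 0.0
        if cv <= max_cv:
            beacons.append((src, dst, round(mean_gap), round(cv, 4)))
    return beacons


def detect_exfil(flows, factor=10):
    """Flag hosts whose outbound volume to external hosts exceeds factor x the
    median host's volume. Returns sorted [(src, total_bytes)]."""
    totals = defaultdict(int)
    for _, src, dst, nbytes in flows:
        if is_external(dst):
            totals[src] += nbytes
    if not totals:
        return []
    median = statistics.median(totals.values())
    return sorted((src, total) for src, total in totals.items()
                  if total > factor * median)


if __name__ == "__main__":
    for src, dst, gap, cv in detect_beacons(SAMPLE_FLOWS):
        print(f"beacon: {src} -> {dst} every ~{gap}s (cv={cv})")
    for src, total in detect_exfil(SAMPLE_FLOWS):
        print(f"exfil: {src} sent {total:,} bytes to external hosts")
```

The beacon test uses the coefficient of variation of the gaps rather than a fixed period, so it catches an implant on any timer; implants that add heavy random jitter defeat this simple version, which is where the longer retention and richer queries on the following slides earn their keep.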
  69. Extending Security Intelligence with additional Big Data analytics capabilities
     1. Analyze a variety of non-traditional and unstructured data sets
     2. Significantly increase the volume of data stored for forensics and historic analysis
     3. Visualize and query data in new ways
     4. Integrate with my current operations
     Diagram: traditional data sources → IBM Security QRadar (data collection and enrichment; event correlation; real-time analytics; offense prioritization) → advanced threat detection.
  70. By integrating QRadar with IBM's enterprise Hadoop-based offering
     Diagram: traditional and non-traditional data sources → IBM Security QRadar (data collection and enrichment; event correlation; real-time analytics; offense prioritization) and IBM InfoSphere BigInsights (Hadoop-based; enterprise-grade; any data / volume; data mining; ad hoc analytics), exchanging real-time streaming insights and custom analytics → advanced threat detection.
  71. (image-only slide)
  72. Phishing scenario: the user receives a risky email from a personal social network → the user is redirected to a malicious website → a drive-by exploit is used to install malware on the target PC.
  73. Using Big Data to mine for trends within email: use BigInsights to identify phishing targets and redirects; build visualizations, such as heat maps, to view top targets.
  74. Loading phishing data and corresponding redirects to QRadar (screenshot).
  75. C&C scenario: the attacker registers or acquires a domain → compromised hosts "phone home" to attacker C&C servers → the attacker changes the location of the servers, but the domains stay the same → internal attacks lead to more infections → hosts and servers phone home and exfiltrate data.
  76. Analyze historical DNS activity within the organization (screenshot).
  77. Automate correlation against DNS registries (screenshot).
  78. Advanced analytics identify suspicious domains: why only a few hits across the entire organization to these domains? Correlating to public DNS registry information increases suspicions.
  79. Importing results to QRadar for real-time analysis: correlate against network activity and visualize; view real-time data and look for active connections.
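Slides 76 to 79 describe the DNS analysis as a procedure: pull historical resolver logs, count how many hosts in the organization ever asked for each domain, enrich the rare ones with registry data, and push the hits into QRadar. The following Python is an added worked example of those steps, written for this page rather than taken from the deck or from BigInsights. The resolver log and the registry creation dates are constructed; a real run would parse the resolver's own log format, call a WHOIS or RDAP client for the enrichment, and use the Public Suffix List instead of the naive last-two-labels rule used here. The reference date 2013-06-12 is simply the briefing date, and the rarity and age thresholds are assumptions.

```python
from collections import defaultdict
from datetime import date

# Constructed resolver log: (client_ip, queried name). Timestamps omitted for brevity.
SAMPLE_DNS_LOG = [
    ("10.0.0.5", "www.canada.ca"), ("10.0.0.9", "www.canada.ca"),
    ("10.0.0.12", "www.canada.ca"), ("10.0.0.20", "www.canada.ca"),
    ("10.0.0.5", "cdn.example.net"), ("10.0.0.9", "cdn.example.net"),
    ("10.0.0.20", "cdn.example.net"),
    ("10.0.0.9", "mail.example.org"), ("10.0.0.12", "mail.example.org"),
    ("10.0.0.20", "homepage.oldhobby.org"),          # rare but long established
    ("10.0.0.5", "update.srv-telemetry-check.info"),  # one host, brand-new domain
    ("10.0.0.5", "update.srv-telemetry-check.info"),
    ("10.0.0.5", "update.srv-telemetry-check.info"),
    ("10.0.0.12", "xk3f9.dyn-lookup.cc"),             # one host, no registry record
]

# Constructed stand-in for WHOIS/RDAP enrichment: registrable domain -> creation date.
SAMPLE_REGISTRY = {
    "canada.ca": date(1999, 1, 1),
    "example.net": date(1995, 1, 1),
    "example.org": date(1995, 8, 31),
    "oldhobby.org": date(2005, 3, 1),
    "srv-telemetry-check.info": date(2013, 6, 2),
}


def registrable_domain(qname):
    """Naive: last two labels. Real code must consult the Public Suffix List
    so that host.example.co.uk maps to example.co.uk rather than co.uk."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def assess_domains(log, registry, today, max_clients=2, young_days=30):
    """Score every registrable domain in the log.

    A domain is flagged when few distinct clients ever resolved it (rarity)
    AND it is either newly registered or has no registry record at all.
    Returns a list of dicts sorted by domain name.
    """
    clients = defaultdict(set)
    queries = defaultdict(int)
    for client_ip, qname in log:
        dom = registrable_domain(qname)
        clients[dom].add(client_ip)
        queries[dom] += 1

    results = []
    for dom in sorted(clients):
        created = registry.get(dom)
        age = (today - created).days if created else None
        rare = len(clients[dom]) <= max_clients
        reasons = []
        if rare:
            reasons.append(f"only {len(clients[dom])} client(s) resolved it")
            if age is None:
                reasons.append("no registry record")
            elif age < young_days:
                reasons.append(f"registered {age} days ago")
        flagged = rare and (age is None or age < young_days)
        results.append({"domain": dom, "clients": len(clients[dom]),
                        "queries": queries[dom], "age_days": age,
                        "flagged": flagged, "reasons": reasons})
    return results


def flagged_domains(log, registry, today):
    """The list that would be exported to the SIEM as a reference set."""
    return [r["domain"] for r in assess_domains(log, registry, today) if r["flagged"]]


if __name__ == "__main__":
    for row in assess_domains(SAMPLE_DNS_LOG, SAMPLE_REGISTRY, date(2013, 6, 12)):
        mark = "FLAG" if row["flagged"] else "    "
        print(f"{mark} {row['domain']:28} clients={row['clients']} "
              f"queries={row['queries']} age={row['age_days']} {row['reasons']}")
```

The rare-but-old domain is deliberately left unflagged: rarity alone would bury an analyst in hobby sites and one-off downloads, which is the point the slide makes when it says registry correlation is what "increases suspicions". The flagged list is the artifact to import into QRadar as a reference set so that any live connection to those domains raises an offense in real time.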
  80. Additional IBM analytics capabilities for security
     1. IBM QRadar Security Intelligence – unified architecture for collecting, storing, analyzing and querying log, threat, vulnerability and risk-related data
     2. IBM Big Data Platform (Streams, BigInsights, Netezza) – addresses the speed and flexibility required for customized data exploration, discovery and unstructured analysis
     3. IBM i2 Analyst's Notebook – helps analysts investigate fraud by discovering patterns and trends across volumes of data
     4. IBM SPSS – unified product family to help capture, predict, discover trends, and automatically deliver high-volume, optimized decisions
  81. 1. Traditional defenses are insufficient. 2. Security has become a Big Data problem. 3. Security Intelligence is a Big Data solution. 4. New analysis can lead to new insights.
  82. IBM Contacts
     - Rodney Helal, Software Sales Manager, Canadian Federal Government Accounts – Phone: 613-222-6691 / e-mail: (not captured)
     - Eliane Guindon, IBM Security Systems Account Manager – Phone: 613-249-2284 / Mobile 613-292-0125 / e-mail: (not captured)
     - Anita Bowness, Software Client Lead, Canadian Federal Government – Phone: 613-249-2099 / e-mail: (not captured)
  83. IBM Security (closing slide). © 2013 IBM Corporation