Defending Against Cyber Threats with Security Intelligence and Behavioral Analytics
Bob Kalka, CRISC
Director, IBM Security Systems
bkalka@us.ibm.com
Four Key Drivers
• Data Explosion: The age of Big Data – the explosion of digital information – has arrived and is facilitated by the pervasiveness of applications accessed from everywhere
• Consumerization of IT: With the advent of Enterprise 2.0 and social business, the line between personal and professional hours, devices and data has disappeared
• EVERYTHING IS EVERYWHERE: Organizations continue to move to new platforms including cloud, virtualization, mobile, social business and more
• Attack Sophistication: The speed and dexterity of attacks has increased coupled with new actors with new motivations from cyber crime to terrorism to state-sponsored intrusions
2011 Sampling of Security Incidents by Attack Type, Time and Impact
[Figure: chart of 2011 security incidents plotted by month (Jan to Dec), each circle labeled with the victim's sector and keyed by attack type: SQL Injection, URL Tampering, Spear Phishing, 3rd Party Software, DDoS, SecureID, Trojan Software, Unknown. Size of circle estimates relative impact of breach in terms of cost to business.]
Source: IBM X-Force® Research 2011 Trend and Risk Report
IBM Security: Delivering intelligence, integration and expertise across a comprehensive framework
Intelligence ● Integration ● Expertise
Security Intelligence
Then: Collection
• Log collection
• Signature-based detection
Now: Intelligence
• Real-time monitoring
• Context-aware anomaly detection
• Automated correlation and analytics
Inputs shown in the slide diagram:
• Logs
• Events
• Alerts
• Configuration information
• System audit trails
• Identity context
• Network flows and anomalies
• E-mail and social activity
• External threat feeds
• Malware information
• Business process data
People
Then: Administration
• Identity management
• Cost control
Now: Insight
• Identify and monitor highest risk users
• Know who has access to sensitive data and systems
• Baseline normal behavior
• Prioritize privileged identities
Monitor Everything
Data
Then: Basic Control
• Simple access controls and encryption
Now: Laser Focus
• Discover and protect high-value data
• Understand who is accessing the data, at what time of day, from where, and in what role
• Baseline normal behavior
Monitor Everything
Applications
Then: Bolt-on
• Periodic scanning of Web applications
Now: Built-in
• Harden applications with access to sensitive data
• Scan source and real-time
• Baseline normal application behavior and alert
Monitor Everything
Infrastructure
Then: Thicker Walls
• Firewalls, manual patching, and antivirus
• Focus on perimeter security
Now: Smarter Defenses
• Baseline system and network behavior
• Analyze unknown threats using advanced heuristics
• Expand coverage into cloud and mobile environments
Monitor Everything
IBM Security Systems - Security Intelligence
Capabilities by maturity level (Basic, Proficient, Optimized), one group per row of the slide:

Basic
• Log Management
Proficient
• SIEM
• GRC
Optimized
• Flow Analytics
• Predictive Analytics

Basic
• Directory management
Proficient
• User Provisioning
• Access Mgmt. and Strong Authentication
Optimized
• Identity governance
• Fine-grained entitlements
• Privileged user management

Basic
• Encryption
Proficient
• Test Data Masking
• Database Activity Monitoring
• Data Loss Prevention
Optimized
• Data Discovery and Classification
• Encryption Key Management

Basic
• Dynamic Vulnerability Analysis
Proficient
• Static Source Code Scanning
• Web Application Protection
Optimized
• Hybrid Scanning and Correlation
• Fraud Detection

Basic
• Network Security
• Host Security
• Anti-Virus
Proficient
• Professional Assessments
• Endpoint Security Management
• Virtualized
Optimized
• Multi-faceted Network Protection
• Anomaly Detection
• Managed Security Services
IBM Security Systems - Security Intelligence
Capabilities by maturity level (Basic, Proficient, Optimized) with the IBM offering shown beside each, one group per row of the slide:

Basic
• Log Management: QRadar Log Manager
Proficient
• SIEM: QRadar SIEM
• GRC: Open Pages
Optimized
• Flow Analytics: QFLOW/VFLOW
• Predictive Analytics: QRadar Risk Manager

Basic
• Directory management: Directory Integrator, Directory Server
Proficient
• User Provisioning: Identity Manager, zSecure
• Access Mgmt. and Strong Authentication: Access Manager family, Federated Identity Manager
Optimized
• Identity governance: Identity Manager/Role Lifecycle Manager
• Fine-grained entitlements: Security Policy Manager
• Privileged user management: Privileged Identity Manager

Basic
• Encryption: InfoSphere Guardium Encryption Expert, STG Solutions, PGP (GTS)
Proficient
• Test Data Masking: Guardium Data Masking
• Database Activity Monitoring: InfoSphere Guardium
• Data Loss Prevention: TEM for Core Protection; GTS partnerships
Optimized
• Data Discovery and Classification: InfoSphere Discovery
• Encryption Key Management: Key Lifecycle Manager

Basic
• Dynamic Vulnerability Analysis: AppScan Standard
Proficient
• Static Source Code Scanning: AppScan Source
• Web Application Protection: IPS, XGS, DataPower
Optimized
• Hybrid Scanning and Correlation: AppScan family
• Fraud Detection: InfoSphere Identity Insight

Basic
• Network Security: Network IPS
• Host Security: Host Protection, RACF
• Anti-Virus: Endpoint Manager for Core Protection
Proficient
• Professional Assessments: GTS and BPs
• Endpoint Security Management: Endpoint Manager, zSecure
• Virtualized: Virtual Server Protection (VSP), VFLOW
Optimized
• Multi-faceted Network Protection: XGS
• Anomaly Detection: Network Anomaly Detection
• Managed Security Services: GTS and BPs
IBM Security Services: Professional and Managed Services Capabilities

Security Consulting
• Broad security capability consultative assessments and planning
• Compliance focused assessments (e.g. PCI, SCADA, HIPAA)
• Information Security Assessments

Security Intelligence & Operations
• SOC and SIEM assessments and planning SOC architecture and design (people, process and technology)

Identity and Access Management
• Identity assessment and planning
• Identity solution architecture, design and deployment for access, provisioning, single sign on and two factor authentication.
• Managed identity services

Data & Application / SDLC Security
• Application secure engineering
• Data security assessments and enterprise planning
• Database protection solution design and deployment
• Endpoint and network data control (DLP, encryption) solution design and deployment

Infrastructure Security
• Technical infrastructure assessments and planning
• Infrastructure solution (UTM, Firewall, IDPS) design and deployment
• Network, endpoint, server

Cyber Security Assessment & Response
• Application technical testing and source code scanning
• Infrastructure penetration testing
• Emergency response services

Managed Security & Cloud Services
• Security event monitoring and managed protection
• Security intelligence analysis
• Security infrastructure device (UTM, firewall, IDPS) device monitoring & management
• Mobile device management
• Hosted / managed SIEM, application, email, vulnerability scanning

More Related Content

What's hot

USIP Presentation of ISR Mobile Land Dispute Resolution
USIP Presentation of ISR Mobile Land Dispute ResolutionUSIP Presentation of ISR Mobile Land Dispute Resolution
USIP Presentation of ISR Mobile Land Dispute Resolutioninternetbar
 
Where do we go from here?
Where do we go from here?Where do we go from here?
Where do we go from here?cVidya Networks
 
electronic transactions law lecture series: lecture 1 introduction
electronic transactions law lecture series: lecture 1 introductionelectronic transactions law lecture series: lecture 1 introduction
electronic transactions law lecture series: lecture 1 introductionCaroline B Ncube
 
Lets put the social back into social
Lets put the social back into socialLets put the social back into social
Lets put the social back into socialRick Mans
 
idOnDemand | Article | Looking For An ID Solution? Get It From idOnDemand!
idOnDemand | Article | Looking For An ID Solution? Get It From idOnDemand!idOnDemand | Article | Looking For An ID Solution? Get It From idOnDemand!
idOnDemand | Article | Looking For An ID Solution? Get It From idOnDemand!Identive
 

What's hot (8)

USIP Presentation of ISR Mobile Land Dispute Resolution
USIP Presentation of ISR Mobile Land Dispute ResolutionUSIP Presentation of ISR Mobile Land Dispute Resolution
USIP Presentation of ISR Mobile Land Dispute Resolution
 
Where do we go from here?
Where do we go from here?Where do we go from here?
Where do we go from here?
 
Taveau cartes2012 speaker
Taveau cartes2012 speakerTaveau cartes2012 speaker
Taveau cartes2012 speaker
 
electronic transactions law lecture series: lecture 1 introduction
electronic transactions law lecture series: lecture 1 introductionelectronic transactions law lecture series: lecture 1 introduction
electronic transactions law lecture series: lecture 1 introduction
 
Empowering and safeguarding the citizen
Empowering and safeguarding the citizenEmpowering and safeguarding the citizen
Empowering and safeguarding the citizen
 
Lets put the social back into social
Lets put the social back into socialLets put the social back into social
Lets put the social back into social
 
Hacking Trust
Hacking TrustHacking Trust
Hacking Trust
 
idOnDemand | Article | Looking For An ID Solution? Get It From idOnDemand!
idOnDemand | Article | Looking For An ID Solution? Get It From idOnDemand!idOnDemand | Article | Looking For An ID Solution? Get It From idOnDemand!
idOnDemand | Article | Looking For An ID Solution? Get It From idOnDemand!
 

Similar to Defending Against Cyber Threats with Security Intelligence and Behavioral Analytics

Presentation of e readiness-for workshop at guatemala
Presentation of e readiness-for workshop at guatemalaPresentation of e readiness-for workshop at guatemala
Presentation of e readiness-for workshop at guatemalaPriMora (Barlianta) Harahap
 
Enabling the digital economy: Postal services 2020
Enabling the digital economy: Postal services 2020Enabling the digital economy: Postal services 2020
Enabling the digital economy: Postal services 2020angelic961
 
Securing Mobile - A Business Centric Approach
Securing Mobile - A Business Centric ApproachSecuring Mobile - A Business Centric Approach
Securing Mobile - A Business Centric ApproachSalahuddin Khawaja
 
Cat6500 Praesentation
Cat6500 PraesentationCat6500 Praesentation
Cat6500 PraesentationSophan_Pheng
 
Shuky peleg e_gov_cyber_presentation_information_sharing
Shuky peleg e_gov_cyber_presentation_information_sharingShuky peleg e_gov_cyber_presentation_information_sharing
Shuky peleg e_gov_cyber_presentation_information_sharingE-Government Center Moldova
 
The Evolution of Mobile Money: Retail, the next frontier
The Evolution of Mobile Money: Retail, the next frontierThe Evolution of Mobile Money: Retail, the next frontier
The Evolution of Mobile Money: Retail, the next frontierIsabelle Berner
 
Market Research Report :Security Equipments and Services Market in India 2012
Market Research Report :Security Equipments and Services Market in India 2012 Market Research Report :Security Equipments and Services Market in India 2012
Market Research Report :Security Equipments and Services Market in India 2012 Netscribes, Inc.
 
Dubai Cyber Security 01 Ics Scada Cyber Security Solutions and Challenges...
Dubai Cyber Security   01   Ics Scada Cyber Security Solutions and Challenges...Dubai Cyber Security   01   Ics Scada Cyber Security Solutions and Challenges...
Dubai Cyber Security 01 Ics Scada Cyber Security Solutions and Challenges...Ahmed Al Enizi
 
Interlace bfsi
Interlace bfsiInterlace bfsi
Interlace bfsiInterlace
 

Similar to Defending Against Cyber Threats with Security Intelligence and Behavioral Analytics (12)

Presentation of e readiness-for workshop at guatemala
Presentation of e readiness-for workshop at guatemalaPresentation of e readiness-for workshop at guatemala
Presentation of e readiness-for workshop at guatemala
 
Presentation of e readiness
Presentation of e readinessPresentation of e readiness
Presentation of e readiness
 
Enabling the digital economy: Postal services 2020
Enabling the digital economy: Postal services 2020Enabling the digital economy: Postal services 2020
Enabling the digital economy: Postal services 2020
 
Securing Mobile - A Business Centric Approach
Securing Mobile - A Business Centric ApproachSecuring Mobile - A Business Centric Approach
Securing Mobile - A Business Centric Approach
 
The Development of a Federal Digital Identity
The Development of a Federal Digital IdentityThe Development of a Federal Digital Identity
The Development of a Federal Digital Identity
 
Cat6500 Praesentation
Cat6500 PraesentationCat6500 Praesentation
Cat6500 Praesentation
 
Shuky peleg e_gov_cyber_presentation_information_sharing
Shuky peleg e_gov_cyber_presentation_information_sharingShuky peleg e_gov_cyber_presentation_information_sharing
Shuky peleg e_gov_cyber_presentation_information_sharing
 
The Evolution of Mobile Money: Retail, the next frontier
The Evolution of Mobile Money: Retail, the next frontierThe Evolution of Mobile Money: Retail, the next frontier
The Evolution of Mobile Money: Retail, the next frontier
 
Market Research Report :Security Equipments and Services Market in India 2012
Market Research Report :Security Equipments and Services Market in India 2012 Market Research Report :Security Equipments and Services Market in India 2012
Market Research Report :Security Equipments and Services Market in India 2012
 
Dubai Cyber Security 01 Ics Scada Cyber Security Solutions and Challenges...
Dubai Cyber Security   01   Ics Scada Cyber Security Solutions and Challenges...Dubai Cyber Security   01   Ics Scada Cyber Security Solutions and Challenges...
Dubai Cyber Security 01 Ics Scada Cyber Security Solutions and Challenges...
 
Interlace bfsi
Interlace bfsiInterlace bfsi
Interlace bfsi
 
The Web Expansion
The Web ExpansionThe Web Expansion
The Web Expansion
 

More from IBM (Middle East and Africa)

Software Day 2013. Social Business and Commerce Strategy
Software Day 2013. Social Business and Commerce StrategySoftware Day 2013. Social Business and Commerce Strategy
Software Day 2013. Social Business and Commerce StrategyIBM (Middle East and Africa)
 
IBM Software Day 2013. Making innovation real through accelerated software an...
IBM Software Day 2013. Making innovation real through accelerated software an...IBM Software Day 2013. Making innovation real through accelerated software an...
IBM Software Day 2013. Making innovation real through accelerated software an...IBM (Middle East and Africa)
 
IBM Software Day 2013. Smarter analytics and big data. building the next gene...
IBM Software Day 2013. Smarter analytics and big data. building the next gene...IBM Software Day 2013. Smarter analytics and big data. building the next gene...
IBM Software Day 2013. Smarter analytics and big data. building the next gene...IBM (Middle East and Africa)
 
IBM Software Day 2013. A mobile strategy is essential
IBM Software Day 2013. A mobile strategy is essentialIBM Software Day 2013. A mobile strategy is essential
IBM Software Day 2013. A mobile strategy is essentialIBM (Middle East and Africa)
 
IBM Software Day 2013. Unleash business innovation with the next generation o...
IBM Software Day 2013. Unleash business innovation with the next generation o...IBM Software Day 2013. Unleash business innovation with the next generation o...
IBM Software Day 2013. Unleash business innovation with the next generation o...IBM (Middle East and Africa)
 
IBM Software Day 2013. Banking trends and transformation
IBM Software Day 2013. Banking trends and transformationIBM Software Day 2013. Banking trends and transformation
IBM Software Day 2013. Banking trends and transformationIBM (Middle East and Africa)
 
IBM Software Day 2013. Turning opportunities into outcomes
IBM Software Day 2013. Turning opportunities into outcomesIBM Software Day 2013. Turning opportunities into outcomes
IBM Software Day 2013. Turning opportunities into outcomesIBM (Middle East and Africa)
 

More from IBM (Middle East and Africa) (18)

Run the good race with Collaborative innovation
Run the good race with Collaborative innovationRun the good race with Collaborative innovation
Run the good race with Collaborative innovation
 
Sketching out a cognitive masterpiece
Sketching out a cognitive masterpieceSketching out a cognitive masterpiece
Sketching out a cognitive masterpiece
 
Cognitive Future In Customer Engagement
Cognitive Future In Customer EngagementCognitive Future In Customer Engagement
Cognitive Future In Customer Engagement
 
Bridging Offline and Digital Channels
Bridging Offline and Digital ChannelsBridging Offline and Digital Channels
Bridging Offline and Digital Channels
 
Why is Cloud So important to Your Business
Why is Cloud So important to Your Business Why is Cloud So important to Your Business
Why is Cloud So important to Your Business
 
A Partner Ecosystem That Brings Value to Clients
A Partner Ecosystem That Brings Value to ClientsA Partner Ecosystem That Brings Value to Clients
A Partner Ecosystem That Brings Value to Clients
 
BlueMix- The Digital Transformation Platform
BlueMix- The Digital Transformation PlatformBlueMix- The Digital Transformation Platform
BlueMix- The Digital Transformation Platform
 
Software Day 2013. Social Business and Commerce Strategy
Software Day 2013. Social Business and Commerce StrategySoftware Day 2013. Social Business and Commerce Strategy
Software Day 2013. Social Business and Commerce Strategy
 
Changing the economics of it
Changing the economics of itChanging the economics of it
Changing the economics of it
 
IBM Software Day 2013. Making innovation real through accelerated software an...
IBM Software Day 2013. Making innovation real through accelerated software an...IBM Software Day 2013. Making innovation real through accelerated software an...
IBM Software Day 2013. Making innovation real through accelerated software an...
 
IBM Software Day 2013. Smarter analytics and big data. building the next gene...
IBM Software Day 2013. Smarter analytics and big data. building the next gene...IBM Software Day 2013. Smarter analytics and big data. building the next gene...
IBM Software Day 2013. Smarter analytics and big data. building the next gene...
 
IBM Software Day 2013. A mobile strategy is essential
IBM Software Day 2013. A mobile strategy is essentialIBM Software Day 2013. A mobile strategy is essential
IBM Software Day 2013. A mobile strategy is essential
 
IBM Software Day 2013. Process innovation
IBM Software Day 2013. Process innovationIBM Software Day 2013. Process innovation
IBM Software Day 2013. Process innovation
 
IBM Software Day 2013. Unleash business innovation with the next generation o...
IBM Software Day 2013. Unleash business innovation with the next generation o...IBM Software Day 2013. Unleash business innovation with the next generation o...
IBM Software Day 2013. Unleash business innovation with the next generation o...
 
Smarter government
Smarter governmentSmarter government
Smarter government
 
IBM Software Day 2013. Banking trends and transformation
IBM Software Day 2013. Banking trends and transformationIBM Software Day 2013. Banking trends and transformation
IBM Software Day 2013. Banking trends and transformation
 
IBM Software Day 2013. Turning opportunities into outcomes
IBM Software Day 2013. Turning opportunities into outcomesIBM Software Day 2013. Turning opportunities into outcomes
IBM Software Day 2013. Turning opportunities into outcomes
 
IBM Software Day 2013. A mandate for leadership
IBM Software Day 2013. A mandate for leadershipIBM Software Day 2013. A mandate for leadership
IBM Software Day 2013. A mandate for leadership
 

Defending Against Cyber Threats with Security Intelligence and Behavioral Analytics

  • 1.
  • 2. Defending Against Cyber Threats with Security Intelligence and Behavioral Analytics Bob Kalka, CRISC Director, IBM Security Systems bkalka@ us.ibm.com
  • 3. Four Key Drivers The age of Big Data – the explosion of digital Data information – has arrived and is facilitated by Explosion the pervasiveness of applications accessed from everywhere With the advent of Enterprise 2.0 and social Consumerization business, the line between personal and of IT professional hours, devices and data has disappeared Organizations continue to move to new EVERYTHING platforms including cloud, virtualization, IS EVERYWHERE mobile, social business and more The speed and dexterity of attacks has increased Attack coupled with new actors with new motivations Sophistication from cyber crime to terrorism to state-sponsored intrusions
  • 4. 2011 Sampling of Security Incidents by Attack Type, Time and Impact Attack Type SQL Injection Online Gaming URL Tampering Gaming Central IT Spear Phishing Security Government Online 3rd Party Software Enter- Defense Central Gaming tainment Govt Consumer Central Electronics Government Online DDoS Banking Consulting Services Online SecureID Banking Online Online Services Marketing National Gaming Heavy Trojan Software Police Consulting Industry Gaming Gaming Services Unknown Internet Services Entertainment Online Defense Online Consumer Police Gaming Gaming IT Insurance Security Electronics Entertainment Central Agriculture Government Apparel Central State Financial Government Police Government Consulting IT Defense Market Security Gaming Central Central Consumer Govt Tele- Internet Govt Central Electronics Central State communic Services Government Size of circle estimates relative impact of Government Police ations breach in terms of cost to business Online Defense Gaming Central National Central Consumer Police Government Government Electronics Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec Source: IBM X-Force® Research 2011 Trend and Risk Report
  • 5. IBM Security: Delivering intelligence, integration and expertise across a comprehensive framework Intelligence ● Integration ● Expertise
  • 6. Security Intelligence Then: Collection • Log collection • Signature-based detection Now: Intelligence • Real-time monitoring • Context-aware anomaly detection • Automated correlation and analytics Data sources shown: Logs; Events; Alerts; Configuration information; System audit trails; Identity context; Network flows and anomalies; E-mail and social activity; External threat feeds; Malware information; Business process data
  • 7. People Then: Administration • Identity management • Cost control Now: Insight • Identify and monitor highest risk users • Know who has access to sensitive data and systems • Baseline normal behavior • Prioritize privileged identities Monitor Everything
  • 8. Data Then: Basic Control • Simple access controls and encryption Now: Laser Focus • Discover and protect high-value data • Understand who is accessing the data, at what time of day, from where, and in what role • Baseline normal behavior Monitor Everything
  • 9. Applications Then: Bolt-on • Periodic scanning of Web applications Now: Built-in • Harden applications with access to sensitive data • Scan source and real-time • Baseline normal application behavior and alert Monitor Everything
  • 10. Infrastructure Then: Thicker Walls • Firewalls, manual patching, and antivirus • Focus on perimeter security Now: Smarter Defenses • Baseline system and network behavior • Analyze unknown threats using advanced heuristics • Expand coverage into cloud and mobile environments Monitor Everything
  • 11.
  • 12. IBM Security Systems - Security Intelligence Basic Proficient Optimized SIEM Flow Analytics Log Management Predictive GRC Analytics Identity User Provisioning governance Directory Fine-grained management Access Mgmt. entitlements and Strong Privileged user Authentication management Test Data Data Discovery Masking Database Activity and Classification Encryption Monitoring Data Loss Encryption Key Prevention Management Static Source Hybrid Scanning Dynamic Code Scanning and Correlation Vulnerability Web Analysis Fraud Application Detection Protection Network Professional Multi-faceted Security Assessments Network Protection Host Endpoint Security Anomaly Detection Security Management Managed Security Anti-Virus Virtualized Services
  • 13. IBM Security Systems - Security Intelligence Basic Proficient Optimized SIEM QRadar SIEM Flow Analytics QFLOW/VFLOW Log QRadar Log Management Manager Predictive GRC Open Pages QRadar Risk Manager Analytics Identity Manager Identity Identity Manager/Role User Provisioning zSecure governance Lifecycle Manager Directory Directory Integrator Fine-grained Security Policy Manager management Directory Server Access Mgmt. Access Manager entitlements and Strong family Federated Identity Privileged user Privileged Identity Authentication Manager management Manager Test Data Guardium Data Masking Data Discovery InfoSphere InfoSphere Guardium Masking Encryption Expert Database Activity InfoSphere Guardium and Classification Discovery Encryption Monitoring STG Solutions Data Loss Encryption Key Key Lifecycle TEM for Core Protection; PGP (GTS) Prevention GTS partnerships Management Manager Static Source AppScan Source Hybrid Scanning AppScan family Dynamic Code Scanning and Correlation AppScan Vulnerability Standard Web Analysis IPS, XGS, Fraud InfoSphere Application DataPower Detection Identity Insight Protection Network Network IPS Professional GTS and BPs Multi-faceted XGS Security Host Protection, Assessments Endpoint Manager Network Protection Host RACF Endpoint Security zSecure Anomaly Detection Network Anomaly Security Endpoint Manager for Management Virtual Server Detection Protection (VSP) Managed Security GTS and BPs Anti-Virus Core Protection Virtualized Services VFLOW
  • 14. IBM Security Services: Professional and Managed Services Capabilities
      • Security Consulting: Broad security capability consultative assessments and planning; Compliance focused assessments (e.g. PCI, SCADA, HIPAA); Information Security Assessments
      • Security Intelligence & Operations: SOC and SIEM assessments and planning, SOC architecture and design (people, process and technology)
      • Identity and Access Management: Identity assessment and planning; Identity solution architecture, design and deployment for access, provisioning, single sign on and two factor authentication; Managed identity services
      • Data & Application / SDLC Security: Application secure engineering; Data security assessments and enterprise planning; Database protection solution design and deployment; Endpoint and network data control (DLP, encryption) solution design and deployment
      • Infrastructure Security: Technical infrastructure assessments and planning; Infrastructure solution (UTM, Firewall, IDPS) design and deployment; Network, endpoint, server
      • Cyber Security Assessment & Response: Application technical testing and source code scanning; Infrastructure penetration testing; Emergency response services
      • Managed Security & Cloud Services: Security event monitoring and managed protection; Security intelligence analysis; Security infrastructure device (UTM, firewall, IDPS) monitoring & management; Mobile device management; Hosted / managed SIEM, application, email, vulnerability scanning