Cyber Security in Energy & Utilities Industry


In September 2011, Prolifics & IBM hosted a speaking session at a Cyber Security Summit in California. The presentation focused on the importance of Identity and Access Management in the Energy & Utilities industry as well as today's critical regulatory requirements.

Published in: Technology, Business
  • R 2-1 - The Responsible Entity shall maintain documentation describing its risk-based assessment methodology that includes procedures and evaluation criteria. R 3-1 - Cyber Security Policy — The Responsible Entity shall document and implement a cyber security policy that represents management’s commitment and ability to secure its Critical Cyber Assets. The Responsible Entity shall, at minimum, ensure the following: The cyber security policy addresses the requirements in Standards CIP-002-3 through CIP-009-3, including provision for emergency situations. R 4-1 - Awareness — The Responsible Entity shall establish, document, implement, and maintain a security awareness program to ensure personnel having authorized cyber or authorized unescorted physical access to Critical Cyber Assets receive on-going reinforcement in sound security practices. The program shall include security awareness reinforcement on at least a quarterly basis using mechanisms such as: - Direct communications (e.g., emails, memos, computer based training, etc.); - Indirect communications (e.g., posters, intranet, brochures, etc.); - Management support and reinforcement (e.g., presentations, meetings, etc.). R 4-2 - Training — The Responsible Entity shall establish, document, implement, and maintain an annual cyber security training program for personnel having authorized cyber or authorized unescorted physical access to Critical Cyber Assets. The cyber security training program shall be reviewed annually, at a minimum, and shall be updated whenever necessary. R 5-1 - Electronic Security Perimeter — The Responsible Entity shall ensure that every Critical Cyber Asset resides within an Electronic Security Perimeter. The Responsible Entity shall identify and document the Electronic Security Perimeter(s) and all access points to the perimeter(s).
R 6-1 - Physical Security Plan —The Responsible Entity shall document, implement, and maintain a physical security plan, approved by the senior manager or delegate(s) that shall address, at a minimum, the following: R1.1. All Cyber Assets within an Electronic Security Perimeter shall reside within an identified Physical Security Perimeter. Where a completely enclosed (“six-wall”) border cannot be established, the Responsible Entity shall deploy and document alternative measures to control physical access to such Cyber Assets. R 7-1 - Test Procedures — The Responsible Entity shall ensure that new Cyber Assets and significant changes to existing Cyber Assets within the Electronic Security Perimeter do not adversely affect existing cyber security controls. For purposes of Standard CIP-007-3, a significant change shall, at a minimum, include implementation of security patches, cumulative service packs, vendor releases, and version upgrades of operating systems, applications, database platforms, or other third-party software or firmware. - The Responsible Entity shall create, implement, and maintain cyber security test procedures in a manner that minimizes adverse effects on the production system or its operation. R 8-1 - Cyber Security Incident Response Plan — The Responsible Entity shall develop and maintain a Cyber Security Incident response plan and implement the plan in response to Cyber Security Incidents. The Cyber Security Incident response plan shall address, at a minimum, the following: - Procedures to characterize and classify events as reportable Cyber Security Incidents. R 9-1 - Recovery Plans — The Responsible Entity shall create and annually review recovery plan(s) for Critical Cyber Assets. The recovery plan(s) shall address at a minimum the following: - Specify the required actions in response to events or conditions of varying duration and severity that would activate the recovery plan(s). - Define the roles and responsibilities of responders.
  • Just to kind of sum that all up on this next slide . . . We recap by saying that this Identity and Access Assurance bundle is highly successful . . . And it includes comprehensive single sign-on – as you might now recall it includes Tivoli Access Manager for e-business for the Web, Tivoli Access Manager for Enterprise SSO for single sign-on benefits within an enterprise and Tivoli Federated Identity Manager for multi-domain or federated configurations. Customers’ user provisioning and deprovisioning requirements are of course addressed by Identity Manager, which provides significant cost savings by assigning users to roles and automating the assigning of user accounts and the removal of user accounts. Very important to customers interested in this space are the aspects of compliance related to who has what accounts, and are we in control and can we demonstrate that control, in terms of who is accessing what. The reconciliation, recertification and reporting box in the lower left describes TIM’s ability to ensure that what you think the overall policy is for who can access what is in fact what’s happening out there. Because even though I’m the TIM administrator and I’ve put this policy into place, there are many other administrators in our company, and so I need a way of ensuring that what I think the plan is really matches up to reality. If not, I can take appropriate action, and get back into compliance. This is totally in line with the goals of governance, risk management and compliance and companies are taking this very seriously. And finally, in the package is outstanding enterprise audit management and reporting technology that takes what is really not humanly possible, in terms of reconciling and normalizing the volumes of audit information typically collected in a given quarter, or month or week or even day . . .
Why not assign some automation to it and that’s what Tivoli Security Information and Event Manager does for you – gives you multiple levels of reports from executive dashboard views to specialized, more detailed reports you can request and with the capability of giving you insights into how you’ll do against upcoming audits related to major laws, standards and regulations. So it’s a successful bundle and with the functionality that I’ve described, you can see why these interrelated, integrated capabilities are attractive to our customers. So with this slide, we’ve come to the end of Part 1 of this 3-part recording. You’ve heard the introductory and background material, including smarter planet and the IBM Security Framework, and we’ve been through the first of the 5 categories of solutions within the framework – People and Identity. When we pick back up, we’ll pick up with the next category – Data & Information. =============== A Tivoli customer who has essentially bought this solution even before it was offered as a solution bundle is Harley Davidson. They did a presentation at the 2009 and 2010 Pulse events and many of the charts looked like they came right off of the one above. They are delighted with TIM and TAMeb and they included a chart in their presentation that dramatically gets across how much audit log information builds up in a typical operational environment. It shows an example of a single log file that contains 1 minute of activity on 1 application on 1 server. The file contains 14,080 lines of text! Think of what this means audit-volume-wise across a large operational environment! This dramatically brings home the value of the log management and reporting that IAA has, thanks to TSIEM being included in the package.
  • In early stages of adoption, security practitioners will assess applications during pre-deployment testing. Costs are higher and window is shorter to mitigate any issues found. By integrating security into requirements, development and build/test/integration cycles, identification occurs much earlier, increasing find rate at a time when fix costs are lowest.
  • Let’s talk about our solution! Heterogeneous support for Databases and Applications. S-TAP Agents: lightweight, cross-platform support. NO changes to Databases or Applications. Also monitor direct access to databases by privileged users (such as SSH console access), which can’t be detected by solutions that only monitor at the switch level. Collectors handle the heavy lifting (continuous analysis, reporting and storage of audit data), which reduces the impact on the database server. Our solution does not rely on log or native audit data: DBAs can (sometimes have to!) turn this off, and logging greatly impacts performance on the Database Server as you increase granularity! Real-time alerting – not after the fact. Monitor ALL Access.
  • This technology is key for compliance, and is found in the IBM HIPS, NIPS, and VSP.
  • To give you an overview of how IBM delivers preemptive security, we look at the top 61 vulnerabilities of 2009, and we can see we were an average of 341 days “Ahead of the Threat”™. On the right-hand side, you can see the 61 vulnerabilities. The ones in blue were discovered by IBM. On the left you can see how many days after or ahead of the threat the protection was available. Out of the full set of 61, only in 9 cases did we have to deliver protection after the release of the vulnerability. In the vast majority we are well ahead of the threat and this level of protection is far better than any that any other vendor can or does deliver. And looking at the data that X-Force published for the first half of 2010, the average days Ahead of the Threat increased to 437!
  • Virtual Server Protection for VMware is an integrated software product in a virtual appliance form factor that is integrated with the VMsafe initiative within the new VMware vSphere 4 release and gives us the ability to have a hypervisor level view into security. We are providing the same Intrusion Prevention System and protocol analysis engine we are using in the rest of our IBM ISS IPS products. By being integrated into the hypervisor, VSS for VMware captures information in between VMs, all without requiring any changes to the virtual network itself. This offers true plug and play connection which is the automated protection expertise. The product also provides firewall technologies for critical network level access control specifically designed to prevent virtual server sprawl. In conjunction with the IBM X-Force research, we detect VMsafe APIs (based on a blacklist approach) to get signatures or finger prints of known rootkits to alert users to any malware in the system without any presence in the guest operating system. Our virtual infrastructure auditing ties into regulatory compliance initiatives to make sure there is a holistic view of the infrastructure to report on privilege user activities. And we can also report on virtual network changes, new VMs created, suspended and moved from one layer to another. As we originally promised to the industry, we are the first to market to incorporate our intrusion prevention technology and X-Force capabilities into true virtual infrastructure protection in one product– providing our clients the flexibility to use both physical network, host or virtual devices all centrally managed through SiteProtector. Now some of the other features that I want to emphasize are the: VM rootkit detection - Virtualization-based rootkits are particularly of concern because they can cause the hypervisor to become exposed to malware that can conceal themselves from traditional security tools.  
VSS for VMware transparently inspects VMs to detect installation of rootkits which is a key differentiator for IBM vs. competitive products. Automatic discovery is another key feature. With VSS for VMware, the security virtual machine or the SVM can perform automatic discovery of all virtual machines. This helps increase security awareness and visibility across the virtual environment. IBM Virtual Patch technology - Automatically protects vulnerabilities on virtual servers regardless of patch strategy. The IBM Proventia® Management SiteProtector™ system offers a simpler, cost-effective way to manage security solutions and ease regulatory compliance by providing a central management point to control security policy, analysis, alerting and reporting for your business and is supported on VMware ESX. It’s designed for simplicity and flexibility, and the SiteProtector system can provide centralized configuration, management, analysis and reporting for the full IBM ISS Proventia product family. A key differentiator for IBM vs. competitive offerings. We provide all of the features that I mentioned in this one software solutions whereas competitive products have only some of the features that we’ve talked about or it takes several modules to provide only some of what we are providing in one product. Imagine the headaches and hassles trying to maintain all of those different modules. With Virtual Server Protection for VMware, we provide, easy to deploy, easy to maintain in-depth security. VMware VMsafe provides a unique capability for virtualized environments through an application program interface (API)-sharing program that enables select partners to develop security products for VMware environments. The result is an open approach to security that provides customers with the most secure platform on which they can virtualize their business-critical applications. 
Intrusion prevention and firewall - Virtual Server Protection for VMware provides market-leading IPS and firewall technology to protect the virtual data center in a solution that is purpose-built to protect the virtual environment at the core of the infrastructure. Inter-VM Traffic Analysis - While traditional host and network intrusion prevention systems do not have visibility into traffic between VMs, VSS for VMware monitors traffic between virtual servers to stop threats before impact. Virtual network access control - VSS for VMware performs virtual network access control to quarantine or limit network access from a virtual server until VM security posture has been confirmed. Virtual infrastructure auditing - VSS for VMware reports on privileged user activity such as VMotion events, VM state changes (start, stop, pause) and login activity which can reduce the preparation time required to support audits.
  • Most enterprise networks are highly distributed.  Users are connecting to your HQ site from across the Internet, while on the road, and also from remote offices – which makes security and systems management extremely challenging.  Additionally, most enterprise networks have bandwidth constraints – over wireless, shared MPLS, satellite links, etc - which makes pushing fat software packages and security patches over these latency-prone links a huge burden for the IT organization.  Moreover, many of these devices are intermittently connected – particularly those roaming laptops – which makes validating and updating their configuration virtually impossible. Finally, most enterprises have many different types of servers, desktops, laptops and handheld devices, making cross-platform support a must for any security and systems management solution. Unlike alternative solutions, Tivoli Endpoint Manager was purpose-built to work efficiently within these types of environments.  As you can see from the diagram, Tivoli Endpoint Manager Agents can be deployed on all types of devices, whether those are running Windows, Windows Mobile, different flavors of UNIX, Linux and Mac.  The Agent is the “brains” of the Tivoli Endpoint Manager technology and continuously assesses the state of the endpoint against policy, whether connected to the network or not.  As soon as it notices that an endpoint is out of compliance with a policy or checklist, it informs the Tivoli Endpoint Manager Server and executes the configured remediation strategy, and immediately notifies the Server of task status (completed, in process, not completed). 
The Tivoli Endpoint Manager Server manages policy content – delivered in messages called “Fixlets” and updated continuously via the Tivoli Endpoint Manager Content Delivery cloud-based service – and enables the Operator to maintain real-time visibility and control over all devices in the environment – including instantaneous discovery of devices that aren’t yet managed. Because most of the analysis, processing and enforcement work is done by the Agent rather than the Server, ONE Tivoli Endpoint Manager Server can support up to 250K endpoints, enabling customers to make the most of their security and systems management investment. Whatever specific Tivoli Endpoint Manager solution a customer uses – whether it’s endpoint protection, systems lifecycle management or security configuration and vulnerability management – it’s delivered via a single management console view. Additionally, new services can be provisioned and delivered via the Content Delivery cloud with no additional hardware or software installations or network changes. Deployment is straightforward, and is typically completed within hours or days. Agents can automatically be installed within minutes, without disrupting end-users. Additionally, most customers deploy Tivoli Endpoint Manager Relays to help manage distributed devices and policy content and as you can see in the diagram – an existing workstation can be leveraged for this purpose. Promoting an Agent to a Relay takes minutes and doesn’t require dedicated hardware or network configuration changes. It’s entirely up to the customer how many Relays to deploy and where they’d like to place them; however, we can certainly make recommendations based on business and technical considerations.
In addition to caching patches and other software updates close to end user devices, Relays manage the bandwidth used by Tivoli Endpoint Manager to ensure that systems and security management tasks don’t consume all available network bandwidth. To a world accustomed to multiple, fragmented technologies and point solutions, Tivoli Endpoint Manager offers an alternative: the industry’s only single-console, single-agent platform that addresses operations, security and compliance initiatives in real-time and at global scale.
  • Differentiation: IBM is in an excellent position to support customers against Cyber threats and Cyber attacks. We invented so much underlying fundamental technology, and so understand it versus other companies. We have strong people, size, global experience of attacks. We are uniquely positioned to pull all of it together: security, service and risk management - IBM X-Force detects and investigates new vulnerabilities and attacks. By monitoring security devices worldwide IBM gets information about new threats and attacks first hand. The knowledge gained is made available in the X-Force threat report but also directly flows into our products and services offerings. IBM Research is working on the most challenging security problems and develops innovative security solutions. The blue countries are the key message of this slide. These are the "monitored countries", i.e., the countries of IBM MSS' customers. When new attacks/threats are coming up, they don't happen in all the countries at the same time. Therefore it's key to have a worldwide operation so that we have a good picture of what's going on. Not only does IBM employ the IBM X-Force Research and Development Team but we have 9 Security Operations Centers and 9 Security Research Centers globally. The information from R&D and the X-Force enables us to understand and remediate threats through thousands of researchers, developers, consultants and subject matter experts on security initiatives world-wide. This information is directly fed back in to updating our IBM Security Solutions.
TJ Watson Focus Areas: Cryptographic foundations; Internet security & "ethical hacking"; Secure systems and smart cards; IDS sensors & vulnerability analysis; Secure payment systems; Antivirus; Privacy; Biometrics.
Almaden Focus Areas: Cryptographic foundations; Secure government workstation.
Haifa Focus Areas: PKI enablement; Trust policies.
Zurich Focus Areas: Cryptographic foundations; Java cryptography; Privacy technology; Multiparty protocols; IDS & alert correlation; Smart card systems and application.
Tokyo Focus Areas: Digital watermarking; XML security; VLSI for crypto.
New Delhi Focus Areas: High-performance Cryptographic hardware & software.
  • (Note to presenter: The purpose of this slide is to highlight that IBM offers the breadth and depth – unlike any other vendor -- with our security portfolio. The intent is not to engage in a technical discussion at this point or try to cover all areas in detail.) IBM has a unique position in the market as an end-to-end security provider – we can address virtually any dimension of a secure infrastructure – and provide the services and consulting to help customers develop a strategic approach to their security challenges. Across our portfolio, we provide many capabilities that help customers solve a wide range of security problems completely and in the process result in cutting costs, reducing complexity, and assuring compliance. So depending on the types of security risks that are impacting your business, we can look more closely at how we can help address those issues. Just like we did for DTCC by helping them make their applications more secure. Notes to presenter: … Point out 1 or 2 capabilities mentioned on this slide and tie it back to a customer example to convey how we help clients meet their business requirements. You can replace reference to DTCC above with another customer reference. If there is interest in a certain domain (i.e., people and identity, application and process, etc.), use some of the backup slides that provide the next level of information on our offerings – including how we can help (1) assess the situation, (2) mitigate or decrease the risk and (3) monitor and manage the risk ongoing. In presentation mode, you can click on the icons displayed on the left hand side of the capabilities boxes to quickly navigate to the appropriate backup slide. (Note to presenter: Keep in mind that customers often jump in at the wrong point so they may not have completely addressed all security risks.
At times they buy something they don’t understand (aka shelfware)… they implement a security solution but forget the need to monitor it ongoing or to invest in training and awareness for a more security aware culture. What this means to you is that even if a customer already has a solution in place… it’s not the end of the story. They may still need services to optimize, or managed services to monitor – for example.)
• Consolidate identity management with Tivoli Identity Manager
• Work with multiple identity repositories with Tivoli Federated Identity Manager
• Improve employee productivity with Tivoli Enterprise Single Sign On
• Protect data center media with STG tape encryption
• Protect data using zSeries encryption and Lotus Notes encryption
• Find and remediate application vulnerabilities with Rational app scan
• Assure privacy compliance with Rational Policy Tester
• Locate and remediate Malware with ISS IPS
• Manage incidents with ISS X-Force Emergency Response Services
  • Speaker’s notes: We take data from a lot of various disciplines including the Web filtering database second only to Google that provides analysis for more than 9 billion Web sites and images, we also see what kind of intrusion attempts the managed services team sees across its customer base currently tracking at 150 million per day, we have more than 40 million documented spam attacks, and 40,000 documented vulnerabilities from both internal research and external disclosures. This report is unique in the fact that the sources listed above provide varying perspectives on the threat landscape to together provide a cohesive look at the industry based on factual data from the various research functions within the broader X-force team and databases. Provides Specific Analysis of: Vulnerabilities & exploits; Malicious/Unwanted websites; Spam and phishing; Malware; Other emerging trends.
  • IBM ISS uses its broad and holistic intelligence infrastructure to provide one of the most accurate views of the current and emerging threat landscape. We use this to define the important and pressing security problems of today and tomorrow. We then focus on solving these problems with new technology and solutions in our products and services. IBM ISS X-Force underpins the entire platform and is the catalyst for security innovation.
  • Cyber Security in Energy & Utilities Industry

    1. 1. Holistic Enterprise Security Solution Speaker: Alex Ivkin
    2. 2. Holistic Enterprise Security Solution The “Blind Slide” The Insider Threat. Identity Controls and Data Loss protection Application Protection New threat vectors. Virtualization and distributed assets Experiences from the field
    3. 3. NERC CIP 2011 Violations & Fines Since January 2011, a significant increase in CIP fines • Largest numbers for Security Awareness and Testing Source:
    4. 4. Introduction Personal ID – personal accountability • Traditional identity management has always focused on these IDs. • Well covered and controlled • Commoditized Service ID - corporate accountability • Shared administrative ID • Programs, services, databases, scripting, testing, load testing, auditing, troubleshooting, you name it. • “Too hard to deal with” • “will be the next step” Other • Shared group IDs • IDs in transition • Template IDs • Exchange mailboxes
    5. 5. Service IDs Service IDs are everywhere Different systems have different exposure via the Service IDs
    6. 6. Identity & Access Management • User Provisioning / Deprovisioning and Full Role Management • Single Sign On & Management of Web Access & Passwords • The 3 Rs – Reconciliation, Recertification & Reporting • Security log management & reporting [Graphic: THE PLAN / REALITY – MATCH?]
    7. 7. Identity and Access Management for Energy Companies • A holistic way to addressing corporate identities and access controls • Identity lifecycle support and review • Access provisioning, deprovisioning certification • Policy enforcement: password, access patterns, expiration • RBAC • IdM for FERC/NERC CIP applications • Energy management systems • Energy network components • Physical access control services • Customer Information Systems • Work Management System • Plant Maintenance Systems • Tower gateway base stations for Smart Meter infrastructure • SOX applications. SOX 404 • Corporate Reports • Financial systems • PCI, NIST, HIPAA
    8. 8. CIP with IAM Step by Step CIP-003-1 Access enforcement, audit trails, reviews and roles • Access authorization enforcement maintained via identity lifecycle workflows with the robust approval framework and multilevel escalation. • The audit trails are preserved for each request and approval, ensuring access is given, modified and revoked only under proper supervision. • Automatic enforcement of access privileges is linked in and based on business roles. • Annual reviews and re-certification of access are required from the management and system owners. CIP–004–1 Training, privilege revocation • Training program requirements are enforced via proper personnel on-boarding and transfer workflows, tied into the HR and training systems. • Revocation within 24 hours of termination is a part of the closely enforced identity lifecycle. • Critical asset access lists are available for review 24/7 by authorized personnel via a web interface
    9. 9. CIP with IAM Step by Step CIP-006-1 Physical access protection • Implemented by integrating with card access and badge systems and tied into an identity lifecycle. CIP–007–1 Access to CCA, Shared accounts, Least Privilege • Enforcing the creation and management of user access to Critical Cyber Assets by employing industry standard role based access control certification, provisioning, rights and password management. • Directly assigning owners and custodians for individuals and shared system accounts on a "need to know basis" and subjecting it to periodic reviews. • Analysis and remediation of orphan accounts. • Password policies are deployed in the automated identity management system to ensure only qualified passwords are allowed.
    10. 10. Service Identity Management is an essential part of IAM Governance Expansion of the traditional Identity and Access Management to cover identities used by administrators, systems, software and automated processes. Assign responsibility for Service accounts, track people who manage the accounts, reports and enforces policies. Tracking accounts used by various IT assets • Databases • Enterprise applications • Devices • Scheduling and monitoring software • Automatic maintenance processes • and many more.
    11. 11. How PIM works
        1 • Tivoli Identity Manager (TIM) with custom module provisions privileged IDs and manages pools of shared IDs • Shared IDs are stored in a secured data store
        2 • Periodically recertify account authorizations through a consistent work flow.
        3 • Admin logs into Tivoli Access Manager for E-SSO (TAM E-SSO) • TAM E-SSO automatically checks out/in shared ID as required to ensure accountability while simplifying usage
        4 • Tivoli Compliance Insight Manager (TCIM) monitors all logs for end to end tracking
        [Diagram labels: E-SSO; Authorization; LDAP; ITIM; AD; Email; Recertification of privileged users; Event Logs; TCIM; Enterprise Reports]
    12. 12. IBM Software Map for NERC CIP Requirements
        IBM software shown: Tivoli Enterprise Portal; NERC Compliance Portal; Tivoli Netcool; Enterprise Content and Record Manager; Tivoli Provisioning Manager; Tivoli Identity Manager; Tivoli Storage Manager; Maximo; Tivoli Access Manager; Tivoli Security Compliance Manager; Lotus Learning Management System; Tivoli Compliance Insight Manager; Tivoli Security Operations Manager; Tivoli Monitoring; Internet Security Systems
        CIP-001 Sabotage Reporting: R1. Have procedures for recognition and reporting of sabotage events. R2. Have procedures for communication of sabotage to appropriate parties. R3. Have guideline for monitoring and reporting. R4: Have established communication contacts as applicable with local authorities.
        CIP-002 Critical Cyber Assets: R1. Critical Asset Identification Method; R2. Critical Asset Identification; R3. Critical Cyber Asset Identification; R4. Annual Approval
        CIP-003 Security Mgmt. Controls: R1. Cyber Security Policy; R2. Leadership; R3. Exceptions; R4. Information Protection; R5. Access Control; R6. Change Control and Configuration Mgmt.
        CIP-004 Cyber Security – Pers. & Training: R1. Awareness; R2. Training; R3. Personnel Risk Assessment; R4. Access
        CIP-005 Electronic Security Parameters: R1. Electronic Security Perimeter; R2. Electronic Access Controls; R3. Monitoring Electronic Access; R4. Cyber Vulnerability Assessment; R5. Documentation Review and Maintenance
        CIP-006 Physical Security of Cyber Assets: R1. Physical Security Plan; R2. Physical Access Controls; R3. Monitoring Physical Access; R4. Logging Physical Access; R5. Access Log Retention; R6. Maintenance and Testing
        CIP-007 Cyber Security – Systems Security Mgmt: R1. Test Procedures; R2. Ports and Services; R3. Security Patch Management; R4. Malicious Software Prevention; R5. Account Management; R6. Security Status Monitoring; R7. Disposal or Redeployment; R8. Cyber Vulnerability Assessment; R9. Documentation Review and Maintenance
        CIP-008 Cyber Security – Incident Rept. & Response: R1. Cyber Security Incident Response Plan; R2. Cyber Security Incident Documentation
        CIP-009 Recovery Plans for Critical Cyber Assets: R1. Recovery Plans; R2. Exercises; R3 Change Control; R4. Backup and Restore; R5. Testing Backup Media
        Alerts Notification Auditing Reporting Workflow Team Definition Measurement
    13. 13. Prolifics-IBM Support For NIST Industrial Control Systems Security Objectives
        NIST Directive | NIST Objectives | IBM Technology
        NIST SP 800-12 | Security Policies and Procedures | TSPM, TIM, TAMeb
        NIST SP 800-53 | Security Controls - Configuration Management, Access Management | TAM ESSO, TAMeb-TAM OS, TFIM
        NIST SP 800-94 | Guidance on Intrusion Detection/Prevention Systems | ISS Proventia
        NIST SP 800-61 | Guidance on Incident Handling and Reporting | TSIEM
        NIST SP 800-73/76 | Guidance on Personal Identity Verification | TIM, PIM
        NIST SP 800-63 | Guidance on Remote Electronic Authentication | TFIM
        NIST SP 800-64 | Guidance on Security considerations for System Development Lifecycle | Rational AppScan
        NIST SP 800-61 | Guidance on Incident Handling/Audit Log Retention | TSIEM
        NIST SP 800-56/57 | Guidance on Cryptographic Key Establishment and Management | TKLM
    14. 14. Holistic Enterprise Security Solution
        • The “Blind Slide”
        • The Insider Threat. Identity Controls and Data Loss protection
        • Application Protection
        • New threat vectors. Virtualization and distributed assets
        • Experiences from the field
    15. 15. Application Vulnerabilities Continue to Dominate
        • Web app. vulnerabilities represent the largest category in vulnerability disclosures
        • In 1H10, 55.95% of all vulnerabilities are web application vulnerabilities
        • SQL injection and cross-site scripting are neck and neck in a race for the top spot
        Source: IBM Internet Security Systems 2010 X-Force® Mid-Year Trend & Risk Report
    16. 16. Motivation for becoming Secure by Design…
        [Chart: Impact to Enterprise (1x, 10x, 100,000x) by phase (Development, Test, Deployment)]
        Security Flaw - e.g., Database hacked
        Functional Flaw - e.g., Database crash
        Unbudgeted Costs:
        • Downtime
        • Customer notification/care
        • Fines/Litigation
        • Reputational damage
        • Cost to clean-up
    17. 17. Application Security Tools Strategy
        Static Code Analysis = Whitebox: Scanning source code for security issues
        Dynamic Analysis = Blackbox: Performing security analysis of a compiled application
        [Diagram: Total Potential Security Issues, covered by Static Analysis and Dynamic Analysis together for Complete Coverage]
        Providing for numerous compliance requirements; including NERC-CIP: CIP-002 Critical Cyber Assets; CIP-005 Security Mgmt. Control; CIP-007 Cyber Security-Systems Security Mgmt.
    18. 18. Database Servers Are The Primary Source of Breached Data
        [Chart: Source of Breached Records]
        SQL injection played a role in 79% of records compromised during 2010 breaches
        “Although much angst and security funding is given to …. mobile devices and end-user systems, these assets are simply not a major point of compromise.”
        2010 Data Breach Report from Verizon Business RISK Team
        … up from 75% in 2009 Report
    19. 19. Real-Time Database Monitoring
        [Diagram: Host-based Probes (S-TAPs), Collector]
        • No DBMS or application changes
        • Does not rely on DBMS-resident logs that can easily be erased by attackers, rogue insiders
        • 100% visibility including local DBA access
        • Minimal performance impact (1-2%)
        • Cross-DBMS solution
        • Granular, real-time policies & auditing – Who, what, when, how
        • Automated compliance reporting, sign-offs & escalations (SOX, PCI, NIST, etc.)
        CIP-002 Critical Cyber Assets; CIP-003 Security Mgmt. Controls; CIP-005 Security Mgmt. Control; CIP-007 Cyber Security-Systems Security Mgmt.
    20. 20. Holistic Enterprise Security Solution
        • The “Blind Slide”
        • The Insider Threat. Identity Controls and Data Loss protection
        • Application Protection
        • New threat vectors. Virtualization and distributed assets
        • Experiences from the field
    21. 21. Protocol Analysis Module (PAM) is the Engine Behind our Products
        Others: constant thrashing to address today’s latest threat. IBM with PAM: “Ahead of the Threat”
        • What It Does: Shields vulnerabilities from exploitation independent of a software patch, and enables a responsible patch management process that can be adhered to without fear of a breach.
          Why Important: At the end of 2009, 52% of all vulnerabilities disclosed during the year had no vendor-supplied patches available to remedy the vulnerability. In mid-2010, the percentage increased to 55%.
        • What It Does: Protects end users against attacks targeting applications used every day such as Microsoft Office, Adobe PDF, Multimedia files and Web browsers.
          Why Important: At the end of 2009, vulnerabilities, which affect personal computers, represented the second-largest category of vulnerability disclosures and represent about a fifth of all vulnerability disclosures.
        • What It Does: Protects Web applications against sophisticated application-level attacks such as SQL Injection, XSS (Cross-site scripting), PHP file-includes, CSRF (Cross-site request forgery).
          Why Important: Expands security capabilities to meet both compliance requirements and threat evolution.
        • What It Does: Detects and prevents entire classes of threats as opposed to a specific exploit or vulnerability.
          Why Important: Eliminates the need for constant signature updates. Protection includes the proprietary Shellcode Heuristics (SCH) technology, which has an unbeatable track record of protecting against zero day vulnerabilities.
        • What It Does: Monitors and identifies unencrypted PII & other confidential information for data awareness. Also provides capability to explore data flow through the network to help determine if any potential risks exist.
          Why Important: Flexible and scalable customized data search criteria; serves as a complement to data security strategy.
        • What It Does: Manages control of unauthorized applications and risks within defined segments of the network, such as ActiveX fingerprinting, Peer To Peer, Instant Messaging, and tunneling.
          Why Important: Enforces network application and service access based on corporate policy and governance.
        CIP-005 Security Mgmt. Control; CIP-007 Cyber Security-Systems Security Mgmt.
    22. 22. Preemptive Ahead of the Threat Security – backed up by data
        Top 61 Vulnerabilities 2009:
        • 341 Average days Ahead of the Threat
        • 91 Median days Ahead of the Threat
        • 35 Vulnerabilities Ahead of the Threat
        • 57% Percentage of Top Vulnerabilities – Ahead of the Threat
        • 9 Protection released post announcement
        • 17 same day coverage
        2010 – Average days Ahead of the Threat increased to 437!
    23. 23. Securing the Virtualized Runtime: IBM Security Virtual Server Protection for VMware vSphere 4
        Helps customers to be more secure, compliant and cost-effective by delivering integrated and optimized security for virtual data centers
        IBM Virtual Server Protection for VMware
        • VMsafe Integration
        • Firewall and Intrusion Detection & Prevention
        • Rootkit Detection & Prevention
        • Inter-VM Traffic Analysis
        • Automated Protection for Mobile VMs (VMotion)
        • Virtual Network Segment Protection
        • Virtual Network-Level Protection
        • Virtual Infrastructure Auditing (Privileged User Access)
        • Virtual Network Access Control
        • Virtual Patch
        © 2011 IBM Corporation
    24. 24. Tivoli Endpoint Manager: Smarter, Faster Endpoint Management
        • Network Asset Discovery
        • Endpoint HW, SW Inventory
        • Patch Management
        • Software Distribution
        • OS Deployment
        • Remote Desktop Control
        • Software Use Analysis (add on)
        • Power Management (add on)
        Whether it’s a Mac connecting from hotel wi-fi, or a Windows laptop at 30K feet, or Red Hat Linux Server in your data center, Tivoli Endpoint Manager has it covered. In real-time, at any scale.
        CIP-002 Critical Cyber Assets; CIP-003 Security Mgmt. Controls; CIP-005 Security Mgmt. Control; CIP-007 Cyber Security-Systems Security Mgmt.
    25. 25. Holistic Enterprise Security Solution
        • The “Blind Slide”
        • The Insider Threat. Identity Controls and Data Loss protection
        • Application Protection
        • New threat vectors. Virtualization and distributed assets
        • Experiences from the field
    26. 26. Experience
        • Treating identities as an enterprise asset
        • Consistent, standards based method for authentication and authorization
        • Provisioning and, more importantly, de-provisioning accounts within a specified period of time (account lifecycle)
        • Application accounts, Databases, Servers, Network devices
        • Approval process with multi-level escalation and delegation
        • Quarterly access certification reports
        • FERC M/T code throughout the whole system and in reports
        • Standardization helps with FERC reliability regulations
        • Energy Management Systems kept on an isolated network
        • SSO limits password exposure and simplifies sign on process
        • Service ID Management to address shared accounts (SOX)
        • Separation of Duties checks (SOX)
    27. 27. Other features
        • Self-service user interface
        • Auditing and reporting enhancements
        • Dormant Accounts Management
        • External security audit recommended adding all enterprise applications, not just those covered by SOX and FERC regulations
        • Flexible life-cycle and operational workflows
    28. 28.
    29. 29. By managing security for customers across the world, IBM has a clear and current picture of threats and attacks
        • 9 Security Operations Centres
        • 9 Security Research Centres
        • 11 Security Solution Development Centres
        • 3 Branches of the Institute for Advanced Security (“IAS”): IAS Americas, IAS Europe, IAS Asia Pacific
        • 133 Monitored Countries
        IBM has the unmatched global and local expertise to deliver complete solutions – and manage the cost and complexity of security
    30. 30. Our strategy: Comprehensive solutions that also leverage partners' products
        [Diagram: security capabilities by domain, delivered as Professional Services, Managed Services, Products, and Cloud Delivered]
        • GRC: Security Governance, Risk and Compliance; Security Information and Event Management (SIEM) & Log Management
        • Identity & Access Management: Identity Management; Access Management
        • Data Security: Data Loss Prevention; Data Entitlement Management; Encryption & Key Lifecycle Management; Messaging Security; E-mail Security; Database Monitoring & Protection; Data Masking
        • Application Security: Application Vulnerability Scanning; Web Application Firewall; Access & Entitlement Management; Web / URL Filtering; SOA Security
        • Infrastructure Security: Vulnerability Assessment; Virtual System Security; Endpoint Protection; Threat Analysis; Security Event Management; Managed Mobility Svcs; Intrusion Prevention System; Firewall, IDS/IPS MFS Management; Mainframe Security Audit, Admin & Compliance; Security Configuration & Patch Management
        • Physical Security
        IBM Security Solutions: 2. Assess Risks; 3. Mitigate Risks; 4. Manage Security Controls
    31. 31. Our strategy: IBM is investing in Security Solutions
        • The only security vendor in the market with end-to-end coverage of the security foundation
        • 15,000 researchers, developers and SMEs on security initiatives
        • 3,000+ security & risk management patents
        • 200+ security customer references and 50+ published case studies
        • 40+ years of proven success securing the zSeries environment
        • 600+ security certified employees (CISSP, CISM, CISA, ..)
        IBM Security acquisitions (1999 – 2010): DASCOM
    32. 32. Our strategy: Research = intelligence = security
        The mission of the IBM X-Force research and development team is to:
        • Research and evaluate threat and protection issues
        • Deliver security protection for today’s security problems
        • Develop new technology for tomorrow’s security challenges
        • Educate the media and user communities
        IBM builds technology for tomorrow based on IBM Research:
        • Identify mission-critical enterprise assets and very sensitive data.
        • Build fine-grained perimeters
        • Monitor fine-grained perimeters and close the loop
        • End-to-end security
        • Secure by design
        By the numbers:
        • 13B analyzed Web pages & images
        • 150M intrusion attempts daily
        • 40M spam & phishing attacks
        • 54K documented vulnerabilities
        • Millions of unique malware samples
    33. 33. The Importance of Research to Security: IBM Internet Security Systems X-Force® Research Team
        [Diagram columns: Research, Technology, Solutions]
        Research:
        • Original Vulnerability Research
        • Public Vulnerability Analysis
        • Malware Analysis
        • Threat Landscape Forecasting
        • Protection Technology Research
        Technology:
        • X-Force Protection Engines: Extensions to existing engines; New protection engine creation
        • X-Force XPU’s: Security Content Update Development; Security Content Update QA
        • X-Force Intelligence: X-Force Database; Feed Monitoring and Collection; Intelligence Sharing
        The X-Force team delivers reduced operational complexity – helping to build integrated technologies that feature “baked-in” simplification - “Protecting people from themselves”
    34. 34. IBM’s security portfolio today
        IBM Security Offering Reference Model
        [Diagram side labels: Security Consulting, Implementation Services, Managed Services]
        Security / Compliance Analytics and Reporting
        • IBM Products: IBM OpenPages; Tivoli Security Information and Event Management; DOORS; FocalPoint
        • IBM Services: GRC Consulting and Implementation Services; Audit and Compliance Assessment Services (e.g., PCI); Privacy and Risk Assessments; Cloud-based Vulnerability Management Portal; Security Event and Log Management
        IT Infrastructure – Operational Domains (Infrastructure Security Services)
        • People. IBM Products: Tivoli Identity and Access; Tivoli Federated ID; Tivoli Single Sign-On. IBM Services: Identity Assessment, Deployment and Hosting Services
        • Data. IBM Products: InfoSphere Guardium; InfoSphere Optim Data Masking; Tape / Disk encryption; Tivoli Key Manager. IBM Services: Data Security Assessment; Encryption and DLP Deployment
        • Applications. IBM Products: Rational AppScan Source Edition; Rational AppScan Standard Edition; Tivoli Security Policy Manager. IBM Services: Application Assessment Services; AppScan On Demand - SaaS
        • Network. IBM Products: Tivoli Network Intrusion Prevention; WebSphere Datapower XML Gateway. IBM Services: Penetration Testing; Firewall, IPS, Vulnerability Managed Services
        • Endpoint. IBM Products: Tivoli Endpoint Manager (anti-virus using Trend Micro); Tivoli zSecure Mainframe security. IBM Services: Managed Mobile Protection (using Juniper)