Leverage Big Data for Security Intelligence


In January IBM Security Systems announced a new solution that combines the security intelligence capabilities of QRadar SIEM with Big Data analytics to


  1. Security Intelligence with Big Data. IBM Security Systems. Stefaan Van daele, Senior Security Architect, March 2013. © 2013 IBM Corporation
  2. Well-organized attackers and malicious insiders are successfully bypassing security defenses
     • Infiltrating a trusted partner and then loading malware onto the target's network
     • Creating designer malware tailored to infect only the target organization, preventing identification by security vendors
     • Using social networking and social engineering to perform reconnaissance on spear-phishing targets, leading to compromised hosts and accounts
     • Exploiting zero-day vulnerabilities to gain access to data, applications, systems, and endpoints
     • Communicating over accepted channels such as port 80 to exfiltrate data from the organization
     Tactics: designer malware, backdoors, spear phishing, persistence. Escalating motives and sophistication: organized crime, espionage and hacktivists, nation-state actors.
  3. Customers have a growing need to identify and protect against threats by building insights from broader data sets
     Traditional security operations and technology: logs, events, alerts, configuration information, system audit trails, external threat intelligence feeds, network flows and anomalies, identity context.
     Big Data analytics: web page text, full packet and DNS captures, e-mail and social activity, business process data, customer transactions.
     New considerations for collection, storage and processing: collection and integration; size and speed; enrichment and correlation.
     New considerations for analytics and workflow: visualization; unstructured analysis; learning and prediction; customization; sharing and export.
  4. Integrated analytics and exploration in a new architecture (integrated IBM solution)
     Security Intelligence Platform, real-time processing: real-time data correlation; anomaly detection; event and flow normalization; security context and enrichment; distributed architecture.
     Big Data Platform, big data warehouse: long-term, multi-PB storage; unstructured and structured data; distributed Hadoop infrastructure; preservation of raw data; enterprise integration.
     Security operations (structured, analytical, repeatable): pre-defined rules and reports; offense scoring and prioritization; activity and event graphing; compliance reporting; workflow management.
     Analytics and forensics (creative, exploratory, intuitive): advanced visuals and interaction; predictive and decision modeling; ad hoc queries; interactive visualizations; collaborative sharing tools; pluggable, intuitive UI.
  5. What's next? Solving new security challenges with expanded Big Data analytics capabilities
     What customers are telling us:
     1. Analyze a variety of non-traditional and unstructured datasets, such as email, web content, files and full packets
     2. Significantly increase the volume of data stored for forensics and historic analysis
     3. Visualize data in new ways, using custom queries, graphs, linguistics, maps, etc.
     4. Integrate this capability with my current security operations
     Diagram: traditional data sources feed IBM Security QRadar (the Security Intelligence Platform: data collection and enrichment, event correlation, real-time analytics, offense prioritization), which delivers advanced threat detection.
  6. How? By integrating QRadar with IBM's Hadoop-based offering
     Diagram: traditional data sources feed IBM Security QRadar (Security Intelligence Platform: data collection and enrichment, event correlation, real-time analytics, offense prioritization); non-traditional data sources feed IBM InfoSphere BigInsights (Big Data Platform: Hadoop-based, enterprise-grade, any data / volume, data mining, ad hoc analytics). QRadar streams data to BigInsights in real time, BigInsights returns insights from custom analytics, and together they deliver advanced threat detection.
  7. QRadar leverages big data today to identify security threats (high-volume events, flows and context)
     IBM QRadar Security Intelligence capability → customer impact:
     • Powerful appliances with massive scale → insights from 1000s of devices, spanning 100s of TBs
     • Payload indexing and Google-like searching of big data → rapid ad hoc query: search 7M+ events in <0.2 sec
     • Broader data analysis: logs, flows, identities, vulnerabilities, threats → greater insight and detection from richer context
     • Layer 7 network flow collection and analytics → more accurate anomaly detection and easier forensics
     • Advanced threat visualization and impact analysis → attack path visualization and device / interface mapping
     • Enrichment with X-Force® intelligence and external feeds → increased accuracy in detecting the latest threats
  8. Example QRadar use cases: behavior monitoring and flow analytics; activity and data access monitoring; stealthy malware detection
     • Irrefutable botnet communication: Layer 7 flow data shows botnet command and control instructions
     • Improved breach detection: 360-degree visibility helps distinguish true breaches from benign activity, in real time
     • Network traffic doesn't lie: attackers can stop logging and erase their tracks, but can't cut off the network (flow data)
  9. IBM InfoSphere BigInsights: a flexible, enterprise-class solution for processing large volumes of data
     Built on core Hadoop, with easy installation and programming.
     • BigInsights Basic Edition: free download with web support; limited to <= 10 TB of data (optional: 24x7 paid support, fixed-term license)
     • BigInsights Enterprise Edition: enterprise-grade features with tiered terabyte-based pricing: analytics tooling / visualization; recoverability; security; administration tooling; development tooling; flexible storage; high availability
     • Professional services offerings: QuickStart, Bootcamp, Education, Custom Development
  10. Customer example: user profiling based on multiple sources
      Data sources (web and email proxy, NetFlow, unstructured data, Internet) → real-time processing (QRadar) → Big Data warehouse (Hadoop store, optional relational store) → Big Data analytics and forensics → security operations (suspicious user(s)).
      1. NetFlow and logs sent to QRadar
      2. Event and flow processing
      3. Correlation against external feeds
      4. Real-time user alerts to SOC
      5. Unstructured data to BigInsights
      6. Enriched events and flows sent to BigInsights
      7. Spreadsheet UI for business analysts (BigSheets)
      8. Post-processed data storage
      9. i2 Analyst Notebook: link-based visuals and analytics
      10. Update of QRadar real-time rule sets
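The ten-step pipeline above is described only at the box-and-arrow level. The following is an added example (not IBM's, QRadar's or BigInsights' code) that runs steps 1 to 4, 6 to 8 and 10 in miniature on constructed data: flow records and proxy records are matched against an external feed to raise per-user alerts, a per-user outbound-byte baseline flags the profiling outlier, and the union of both becomes the watch list that would be pushed back into the real-time rule set. The record layouts, the feed and the threshold are assumptions, not any product's data format.

```python
"""Added example (not IBM's or QRadar's code): steps 1-4, 6-8 and 10 of the
slide-10 pipeline in miniature. All records, field layouts and the feed are
constructed samples; nothing here is a QRadar or BigInsights data format."""
import statistics
from collections import defaultdict

# Constructed NetFlow-style records (step 1): (user, src_ip, dst_ip, dst_port, bytes_out)
FLOWS = [
    ("alice", "10.1.1.10", "93.184.216.34", 443, 12_000),
    ("alice", "10.1.1.10", "93.184.216.34", 443, 15_000),
    ("bob",   "10.1.1.11", "198.51.100.7",  80,   9_000),
    ("bob",   "10.1.1.11", "203.0.113.9",   80, 850_000),  # large upload over port 80
    ("carol", "10.1.1.12", "93.184.216.34", 443, 11_000),
    ("dave",  "10.1.1.13", "93.184.216.34", 443, 14_000),
]

# Constructed web-proxy log records (step 1): (user, destination host, HTTP status)
PROXY = [
    ("alice", "www.example.com", 200),
    ("bob",   "update-cdn.example.net", 200),
    ("bob",   "evil-c2.example.org", 200),
    ("carol", "www.example.com", 200),
]

# Constructed external threat feed (step 3): indicator -> description
FEED = {
    "203.0.113.9": "known C2 address",
    "evil-c2.example.org": "known C2 domain",
}


def correlate(flows, proxy, feed):
    """Steps 2-4: match flow destinations and proxy hosts against the feed.
    Returns one (user, indicator, description) alert per hit, in input order."""
    alerts = []
    for user, _src, dst, _port, _nbytes in flows:
        if dst in feed:
            alerts.append((user, dst, feed[dst]))
    for user, host, _status in proxy:
        if host in feed:
            alerts.append((user, host, feed[host]))
    return alerts


def baseline_outliers(flows, factor=10.0):
    """Steps 6-8: build a per-user outbound-byte baseline and flag users whose
    total exceeds `factor` times the population median. A median is used rather
    than a mean so that a single extreme user cannot drag the baseline up and
    hide inside it (assumed threshold, tune per environment)."""
    per_user = defaultdict(int)
    for user, _src, _dst, _port, nbytes in flows:
        per_user[user] += nbytes
    median = statistics.median(per_user.values())
    if median == 0:
        return {}
    return {u: round(v / median, 1) for u, v in per_user.items() if v > factor * median}


def suspicious_users(flows, proxy, feed):
    """Step 10: the watch list to push back into the real-time rule set, i.e. the
    union of users with feed hits and users flagged by the baseline."""
    hits = {user for user, _ind, _desc in correlate(flows, proxy, feed)}
    return sorted(hits | set(baseline_outliers(flows)))


if __name__ == "__main__":
    for alert in correlate(FLOWS, PROXY, FEED):
        print("ALERT", alert)
    print("outliers", baseline_outliers(FLOWS))
    print("watch list", suspicious_users(FLOWS, PROXY, FEED))
```

Both detections land on the same user here, which is the point of the slide: the feed match is the fast real-time path (step 4), while the baseline is the slower analytic path over stored data (steps 6 to 8), and the two are only useful together once the result flows back into the rule set (step 10).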
  11. Example use case: spear-phishing analysis
      Attacker → target: the user receives a risky email from a personal social network; the user is redirected to a malicious website; a drive-by exploit is used to install malware on the target PC.
  12. Using Big Data to mine for trends within e-mail
      • Use BigInsights to identify phishing targets and redirects
      • Build visualizations, such as heat maps, to view top targets
  13. Loading phishing data and corresponding redirects to QRadar
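Slides 11 to 13 describe the analysis (find phishing targets and redirects in mail, chart the top targets, load the results into QRadar) without showing what the computation is. The block below is an added example, not IBM's code, of that analysis on constructed data: links are pulled out of mail bodies, each link is followed through a table of observed redirects (standing in for proxy-logged 3xx responses, with loop and hop-count protection), recipients steered to a known exploit host are counted as the heat-map input, and every host on a malicious redirect path is collected for loading into the SIEM. The mails, redirect table and bad-host list are all constructed.

```python
"""Added example (not IBM's or BigInsights' code) of the e-mail mining on slides
11-13. Mails, redirect table and bad-host list are constructed samples."""
import re
from collections import Counter
from urllib.parse import urlparse

URL_RE = re.compile(r"https?://[^\s<>\"']+")

# Constructed mails: (recipient, sender, body)
MAILS = [
    ("alice@corp.example", "friend@social.example", "look at this http://short.example/x1 pic"),
    ("bob@corp.example",   "friend@social.example", "your invoice: http://short.example/x2"),
    ("alice@corp.example", "hr@corp.example",       "policy update http://intranet.corp.example/policy"),
    ("carol@corp.example", "pal@social.example",    "http://short.example/x1 and http://short.example/x3"),
    ("alice@corp.example", "other@social.example",  "http://short.example/x2"),
]

# Constructed redirect table standing in for the 3xx Location headers the proxy observed
REDIRECTS = {
    "http://short.example/x1":      "http://track.example/go?id=1",
    "http://track.example/go?id=1": "http://drive-by.example/exploit.html",
    "http://short.example/x2":      "http://drive-by.example/exploit.html",
    "http://short.example/x3":      "http://short.example/x3",  # redirect loop
}

# Constructed list of landing hosts already known to serve drive-by exploits
BAD_HOSTS = {"drive-by.example"}


def extract_urls(body):
    """All http(s) links in one mail body."""
    return URL_RE.findall(body)


def resolve_chain(url, redirects, max_hops=10):
    """Follow redirects until none remains, a loop is detected, or max_hops is hit."""
    chain = [url]
    while url in redirects and len(chain) <= max_hops:
        url = redirects[url]
        if url in chain:
            break
        chain.append(url)
    return chain


def analyse(mails, redirects, bad_hosts):
    """Return (hits per recipient, hits per landing host, sorted redirect host pairs).
    The first two are the heat-map input; the third is the redirect data for the SIEM."""
    targets, landing, pairs = Counter(), Counter(), set()
    for rcpt, _sender, body in mails:
        for link in extract_urls(body):
            chain = resolve_chain(link, redirects)
            final_host = urlparse(chain[-1]).hostname
            if final_host in bad_hosts:
                targets[rcpt] += 1
                landing[final_host] += 1
                for a, b in zip(chain, chain[1:]):
                    pairs.add((urlparse(a).hostname, urlparse(b).hostname))
    return targets, landing, sorted(pairs)


def hosts_for_siem(pairs):
    """Every host on a malicious redirect path, as one sorted list to load as a reference set."""
    return sorted({h for pair in pairs for h in pair})


if __name__ == "__main__":
    targets, landing, pairs = analyse(MAILS, REDIRECTS, BAD_HOSTS)
    print("top targets:", targets.most_common())
    print("landing hosts:", landing.most_common())
    print("redirect hops:", pairs)
    print("load into SIEM:", hosts_for_siem(pairs))
```

Note that the intermediate hop (the tracking host) is as valuable an indicator as the final landing host: the exploit host will move, but the redirector that feeds it often persists across campaigns, which is why the whole chain and not only its end is loaded.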
  14. "Big Value from Big Data": common use cases
      Targeted and advanced threat discovery
      • Customer problem: organizations need help in identifying advanced threats and zero-day attacks
      • Technical challenges: collection of high-volume network and DNS events; rapidly changing identifiers; analytics to find subtle indicators; integration of external intelligence
      • IBM approach: QRadar event and flow collection; correlation against external threats; collection of all DNS transactions using BigInsights; custom analytics to identify suspicious domain names; analysis of historical data to detect infections / past intrusions; import BigInsights findings into QRadar
      Full-spectrum fraud detection
      • Customer problem: fraudulent claims, account takeovers, and invalid transactions cause substantial losses, and many organizations are unaware the fraud is being committed
      • Technical challenges: collection of user, application and network activity; unstructured data analysis; long-term baselining capabilities; integration with fraud workflow
      • IBM approach: QRadar to collect and normalize application and transaction data; anomaly detection in real time; real-time export to BigInsights; baseline historical user and account activity; send insights to QRadar for real-time fraud correlation; extend information flow to IBM i2 for link analysis, visualization and dissemination to fraud analysts
      Insider threat analysis
      • Customer problem: as repositories of private information expand, the cost of data loss by insider action grows, whether intentional or through human error
      • Technical challenges: collection of inter- and intra-company communications; sentiment and linguistic analysis; ability to identify anomalies and outliers; integration with IAM solutions
      • IBM approach: use QRadar to correlate real-time system and user activity; analyze ordinary and privileged users accessing sensitive data; collect full-text email and social activity with BigInsights; leverage advanced analytics to understand unstructured content; share findings with existing IAM systems, such as IBM Security Privileged Identity Manager
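The threat-discovery column above names two analytic steps, "custom analytics to identify suspicious domain names" (against "rapidly changing identifiers") and "analysis of historical data to detect infections / past intrusions", without saying what they compute. The block below is an added example, not IBM's code, of one common way to do both over a DNS query log: score each query name's first label by Shannon entropy, flag (client, parent domain) pairs that cycle through several distinct high-entropy labels in the collection window, then look back through the whole log for any other client that ever resolved such a label under a flagged parent. The log lines are constructed in the layout of a BIND-style query log; the entropy, length and churn thresholds are assumptions to tune per environment, and the "parent = last two labels" rule is a simplification that a real deployment would replace with a public-suffix list.

```python
"""Added example (not IBM's code) of the "suspicious domain name" and
"historical data" analytics named on slide 14. Log lines are constructed in
BIND-style query-log layout; all thresholds are assumptions."""
import math
import re
from collections import Counter, defaultdict

QUERY_RE = re.compile(
    r"^(?P<ts>\S+ \S+) client (?P<client>[\d.]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)

# Constructed sample: 10.1.1.13 cycles through random labels under example.net
# today; 10.1.1.20 resolved one such label a day earlier.
LOG = """\
05-Mar-2013 10:22:31.125 client 10.1.1.11#53422: query: www.example.com IN A + (10.0.0.2)
05-Mar-2013 10:22:32.004 client 10.1.1.11#53423: query: mail.example.com IN A + (10.0.0.2)
05-Mar-2013 10:22:33.310 client 10.1.1.13#41001: query: xk3jd9fq2v.example.net IN A + (10.0.0.2)
05-Mar-2013 10:22:33.412 client 10.1.1.13#41002: query: q8zp1mw0tr.example.net IN A + (10.0.0.2)
05-Mar-2013 10:22:33.520 client 10.1.1.13#41003: query: vb72ncx4ls.example.net IN A + (10.0.0.2)
05-Mar-2013 10:22:33.611 client 10.1.1.13#41004: query: m1p9o3kq7w.example.net IN A + (10.0.0.2)
05-Mar-2013 10:22:40.000 client 10.1.1.12#50001: query: cdn.example.org IN A + (10.0.0.2)
04-Mar-2013 09:10:00.000 client 10.1.1.20#40000: query: t6r2y9u1hn.example.net IN A + (10.0.0.2)
"""


def label_entropy(label):
    """Shannon entropy in bits per character of one DNS label."""
    counts = Counter(label)
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse(log):
    """Yield (client, first label, parent domain) for each well-formed query line."""
    for line in log.splitlines():
        m = QUERY_RE.match(line)
        if not m:
            continue
        labels = m["qname"].rstrip(".").split(".")
        if len(labels) < 3:
            continue
        # Parent = last two labels (assumption; use a public-suffix list for co.uk-style names).
        yield m["client"], labels[0], ".".join(labels[-2:])


def _looks_random(label, min_entropy, min_len):
    return len(label) >= min_len and label_entropy(label) >= min_entropy


def suspicious_parents(log, min_entropy=3.0, min_len=8, min_churn=3):
    """Parents under which some client queried >= min_churn distinct random-looking
    labels: the 'rapidly changing identifiers' pattern. Returns {parent: [clients]}."""
    churn = defaultdict(set)
    for client, label, parent in parse(log):
        if _looks_random(label, min_entropy, min_len):
            churn[(client, parent)].add(label)
    flagged = defaultdict(list)
    for (client, parent), labels in churn.items():
        if len(labels) >= min_churn:
            flagged[parent].append(client)
    return {p: sorted(c) for p, c in flagged.items()}


def historical_clients(log, parents, min_entropy=3.0, min_len=8):
    """Look back through the whole log: every client that ever resolved a
    random-looking label under a flagged parent, however long ago or how rarely."""
    return sorted({
        client for client, label, parent in parse(log)
        if parent in parents and _looks_random(label, min_entropy, min_len)
    })


if __name__ == "__main__":
    flagged = suspicious_parents(LOG)
    print("suspicious parents:", flagged)
    print("clients to investigate:", historical_clients(LOG, set(flagged)))
```

The churn rule is what separates algorithmically generated names from ordinary random-looking hostnames (CDN node names, cloud instance IDs): one odd label is noise, but one client walking through many distinct odd labels under one parent in a short window is the signature. The historical pass is why the slide insists on collecting all DNS transactions rather than only today's: the second client shows up only because yesterday's single query was kept.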
  15. IBM's Security Intelligence, Big Data, and Analytics portfolio
      1. IBM QRadar Security Intelligence: unified architecture for collecting, storing, analyzing and querying log, threat, vulnerability and risk related data
      2. IBM Big Data Platform (InfoSphere BigData Platform): addresses the speed and flexibility required for customized data exploration, discovery and unstructured analysis
      3. IBM i2 Analyst Notebook: helps analysts investigate fraud by discovering patterns and trends across volumes of data
      4. IBM SPSS: unified product family to help capture, predict, discover trends, and automatically deliver high-volume, optimized decisions
  16. For IBM, Security and Business Intelligence offer insightful parallels
  17. Extending security to Big Data stores
  18. Extend real-time Data Activity Monitoring to also protect sensitive data in data warehouses, Hadoop systems and file shares
      Integration with LDAP, IAM, SIEM, TSM, Remedy, … New: Big Data environments (InfoSphere BigInsights).
  19. Protect data in real time and ensure compliance in big data environments
      Big data brings big security challenges: as big data environments ingest more data, organizations will face significant risks and threats to the repositories in which the data is kept.
      Big data environments help organizations process, analyze and derive maximum value from these new data formats as well as traditional structured formats in real time, and make more informed decisions instantaneously and cost-effectively:
      • Turn 12 terabytes of Tweets into improved product sentiment analysis
      • Monitor 100s of live video feeds from surveillance cameras to identify security threats
      Introducing Hadoop Activity Monitoring (new): monitor and audit Hadoop activity in real time to support compliance requirements and protect data
      • Real-time activity monitoring of HDFS and HBase data sources
      • Automated compliance controls
      • Fully integrated with the InfoSphere Guardium solution for database activity monitoring
      • View Hadoop systems together with other data sources
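The slide says "monitor and audit Hadoop activity" but not what an activity-monitoring rule actually looks at. The block below is an added example, not IBM's or Guardium's code, of the log-level version of that control: it parses NameNode audit lines (constructed here in the layout of the `FSNamesystem.audit` log), restricts attention to events that touch a sensitive path prefix, and raises findings for denied access, access by a principal outside the approved set, a rename that moves sensitive data out of the protected tree, and any sensitive access performed under simple (non-Kerberos) authentication. The sensitive-path list and approved-principal list are assumptions standing in for a real policy; the audit-line layout covers the common single-principal form and would need extending for proxy-user (`via`) lines.

```python
"""Added example (not IBM's or Guardium's code): Hadoop activity monitoring at
the NameNode audit-log level. Lines are constructed in the FSNamesystem.audit
layout; the policy lists below are assumptions."""
import re
from collections import Counter

AUDIT_RE = re.compile(
    r"^(?P<ts>\S+ \S+) INFO FSNamesystem\.audit: allowed=(?P<allowed>true|false) "
    r"ugi=(?P<user>\S+) \(auth:(?P<auth>[A-Z]+)\) ip=/(?P<ip>[\d.]+) cmd=(?P<cmd>\S+) "
    r"src=(?P<src>\S+) dst=(?P<dst>\S+) perm=(?P<perm>\S+)"
)

# Constructed audit lines: a legitimate read, a legitimate listing, a denied read,
# a successful rename of a sensitive file out of the protected tree, a public read.
AUDIT_LOG = """\
2013-03-05 10:22:31,125 INFO FSNamesystem.audit: allowed=true ugi=alice (auth:SIMPLE) ip=/10.1.1.10 cmd=open src=/data/pii/customers.csv dst=null perm=null
2013-03-05 10:22:35,010 INFO FSNamesystem.audit: allowed=true ugi=etl (auth:KERBEROS) ip=/10.1.2.5 cmd=listStatus src=/data/pii dst=null perm=null
2013-03-05 10:22:40,777 INFO FSNamesystem.audit: allowed=false ugi=bob (auth:SIMPLE) ip=/10.1.1.11 cmd=open src=/data/pii/customers.csv dst=null perm=null
2013-03-05 10:23:01,000 INFO FSNamesystem.audit: allowed=true ugi=bob (auth:SIMPLE) ip=/10.1.1.11 cmd=rename src=/data/pii/customers.csv dst=/tmp/c.csv perm=bob:hadoop:rw-r--r--
2013-03-05 10:23:05,000 INFO FSNamesystem.audit: allowed=true ugi=alice (auth:SIMPLE) ip=/10.1.1.10 cmd=open src=/data/public/readme.txt dst=null perm=null
"""

SENSITIVE = ("/data/pii",)      # assumed policy: path prefixes holding regulated data
APPROVED = {"etl", "alice"}     # assumed policy: principals allowed under those prefixes


def is_sensitive(path, prefixes):
    """True when path is one of the protected prefixes or lies beneath one."""
    return path != "null" and any(path == p or path.startswith(p + "/") for p in prefixes)


def review(log, sensitive=SENSITIVE, approved=APPROVED):
    """Return (reason, user, cmd, path) findings for every event touching sensitive data."""
    findings = []
    for line in log.splitlines():
        m = AUDIT_RE.match(line)
        if not m:
            continue
        r = m.groupdict()
        src_sens = is_sensitive(r["src"], sensitive)
        dst_sens = is_sensitive(r["dst"], sensitive)
        if not (src_sens or dst_sens):
            continue
        if r["allowed"] == "false":
            findings.append(("denied", r["user"], r["cmd"], r["src"]))
            continue
        if r["user"] not in approved:
            findings.append(("unapproved", r["user"], r["cmd"], r["src"]))
        if src_sens and not dst_sens and r["cmd"] == "rename":
            # Data left the protected tree; path ACLs on the prefix no longer apply to it.
            findings.append(("moved-out", r["user"], r["cmd"], r["dst"]))
        if r["auth"] == "SIMPLE":
            # Without Kerberos the ugi value is asserted by the client, so the identity is untrusted.
            findings.append(("weak-auth", r["user"], r["cmd"], r["src"]))
    return findings


def summary(findings):
    """Finding counts by reason, e.g. for a compliance report."""
    return Counter(reason for reason, *_ in findings)


if __name__ == "__main__":
    found = review(AUDIT_LOG)
    for f in found:
        print(f)
    print(summary(found))
```

The "weak-auth" finding is the one most often missed when Hadoop logs are simply forwarded to a SIEM: a cluster running with simple authentication produces audit lines that look complete, but the `ugi` field in them is whatever the client claimed, so every other finding derived from the user name is only as trustworthy as the authentication mode recorded beside it.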
  20. Additional information
      Press release: https://www-304.ibm.com/jct03001c/press/us/en/pressrelease/40257.wss
      Information about the presented solutions:
      • IBM Security Intelligence with Big Data: http://www-03.ibm.com/security/solution/intelligence-big-data/
      • Security Systems QRadar: http://www-142.ibm.com/software/products/us/en/subcategory/SWI60
      • InfoSphere BigInsights: http://www-01.ibm.com/software/data/infosphere/biginsights/
      • InfoSphere Guardium: http://www-01.ibm.com/software/data/guardium/secure-big-data/
  21. ibm.com/security
      © Copyright IBM Corporation 2012. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind, express or implied. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, these materials. Nothing contained in these materials is intended to, nor shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software. References in these materials to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates. Product release dates and/or capabilities referenced in these materials may change at any time at IBM's sole discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any way. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service marks of others.
      Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed or misappropriated or can result in damage to or misuse of your systems, including to attack others. No IT system or product should be considered completely secure and no single product or security measure can be completely effective in preventing improper access. IBM systems and products are designed to be part of a comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective. IBM DOES NOT WARRANT THAT SYSTEMS AND PRODUCTS ARE IMMUNE FROM THE MALICIOUS OR ILLEGAL CONDUCT OF ANY PARTY.