IBM Security Systems IBM Security Systems Disrupt the Advanced Attack Chain with Intelligent, Integrated Security Marc v...
IBM Security Systems Security can be a complex landscape… 85 tools from 2 45 vendors © 2013 IBM Corporation
IBM Security Systems …where your security team sees noise 3 © 2013 IBM Corporation
IBM Security Systems Attack frequency increased to record in H1 2013 4 Source: IBM X-Force® Research 2013 Trend and Ris...
IBM Security Systems IBM Security Integrating across domains to make sense of the noise and stop attackers IBM Security ...
IBM Security Systems Advanced attackers follow a five-stage attack chain Reconnaissance, spear phishing, and remote explo...
IBM Security Systems Defenders follow an iterative approach, utilizing integrated solutions ATTACK CHAIN 1 Break-in 2 L...
IBM Security Systems Hardening environments is difficult and growing increasingly complex The ever expanding number of en...
IBM Security Systems Harden through integrated security solutions Scan assets for vulnerabilities, prioritize the severit...
IBM Security Systems How hardening works: practical steps • Manage hundreds of thousands of endpoints Harden Endpoints •...
IBM Security Systems Integrated products provide rich context for vulnerability risk scoring Risk score adjusted +10 on ...
IBM Security Systems Hardening people is essential and becoming more complex Multiple identity stores and increasing conn...
IBM Security Systems Define a new perimeter with threat-aware Identity and Access Mgmt Simplify identity silos to safegua...
IBM Security Systems Integrated products provide user activity and anomalies detection • Identity and Access Manager eve...
IBM Security Systems Patient, sophisticated attackers make detection a challenge Detect subtle anomalies across domains a...
IBM Security Systems Integrated capabilities enable real-time discovery and blocking Detect and block malicious activity ...
IBM Security Systems Defend against persistent attacks with integrated capabilities IBM QRadar SIEM X-Force Research Em...
IBM Security Systems Incorporate the latest threat intelligence IBM X-Force research is utilized in Network Protection X...
IBM Security Systems Integrate to prevent web application exploits at the network level Access Manager flags a SQL injec...
IBM Security Systems Monitor privileged users to detect malicious activity An attacker steals system administrator login...
IBM Security Systems Security analysis is a big data problem Security analysts are overwhelmed by a variety of data and l...
IBM Security Systems Integrated IBM solutions provide actionable security intelligence QRadar SIEM correlates and analyze...
IBM Security Systems Correlate events across security domains to gain visibility IBM QRadar Security Event • User conne...
IBM Security Systems QRadar integrates data to answer the important questions What was the attack? Was it successful? W...
IBM Security Systems Clients gain visibility with integrated security Confidence Actionable Intelligence “IBM Security...
IBM Security Systems Effective advanced threat defense requires diverse capabilities ATTACK CHAIN 1 Break-in 2 Latch-on ...
IBM Security Systems A diverse range of business partners enhance IBM’s offerings Advanced Persistent Threat 27 Insider...
IBM Security Systems IBM offers a comprehensive portfolio of security products IBM Security Systems Portfolio Security In...
IBM Security Systems IBM Security Integrating across domains to help prevent advanced attacks IBM Security Framework In...
IBM Security Systems Statement of Good Security Practices: IT system security involves protecting systems and information ...
Upcoming SlideShare
Loading in …5
×

Disrupt the advanced attack chain with intelligent, integrated security

2,193 views

Published on

Today’s advanced threats use low and slow techniques to hide below the radar of traditional security products and approaches. Join this engaging presentation on IBM’s strategy to disrupt the attack chain. Learn how applying intelligence and integrating across security silos can help harden defenses, detect exploits, analyze attacks, and remediate weaknesses to defeat advanced threats.

View the on-demand webinar: https://www2.gotomeeting.com/register/472103354

Published in: Technology
0 Comments
6 Likes
Statistics
Notes
no profile picture user

  • Be the first to comment

Show More
No Downloads
Views
Total views
2,193
On SlideShare
0
From Embeds
0
Number of Embeds
3
Actions
Shares
0
Downloads
0
Comments
0
Likes
6
Embeds 0
No embeds

No notes for slide
  • Too many productsWe have multiple examples of customers who have invested in many, many tools. One US government agency alone has 200 security products – that entails the license costs, but perhaps more problematically, the configuration and maintenance of all of those products in a constantly changing infrastructure. They’re not getting their money’s worth. They can’t. It’s too complex and too costly.Too many point products from too many vendorsBesides having too many products, they have too many vendors – point products from each vendor that do not integrate in any way. And those point products cannot find the advanced attacks that these enterprises are experiencing. One customer had 85 products from 45 different security vendors.Products don’t workAntivirus products cannot reliably defend against malware. In another case a customer had 46 security vendors who all failed to prevent a malware attack.http://krebsonsecurity.com/ 
  • Too many productsWe have multiple examples of customers who have invested in many, many tools. One US government agency alone has 200 security products – that entails the license costs, but perhaps more problematically, the configuration and maintenance of all of those products in a constantly changing infrastructure. They’re not getting their money’s worth. They can’t. It’s too complex and too costly.Too many point products from too many vendorsBesides having too many products, they have too many vendors – point products from each vendor that do not integrate in any way. And those point products cannot find the advanced attacks that these enterprises are experiencing. One customer had 85 products from 45 different security vendors.Products don’t workAntivirus products cannot reliably defend against malware. In another case a customer had 46 security vendors who all failed to prevent a malware attack.http://krebsonsecurity.com/ 
  • This chart highlights the volume of threat activity that is happening out there -- you can see its quite a lot considering this is a mere sampling of what was probably actually going on.Color of circles represent the technical means used by attackers to breach these customers.The size of the circle estimates the financial impact that might have occurred based on what was reported publically.Though the seemingly insurmountable magnitude of these threats is alarming, they’re certainly preventable if you’re armed with the right approach.
  • Sophisticated attackers will exploit a multitude of technical and social engineering vulnerabilities to attack an organization, however, attacks tend to follow a five stage sequence. The attacker will break into the system, frequently by using social engineering to gain access to a users’ credentials.Once inside the attacker will install malware and phone home that it has successfully compromised the system. Advanced attackers are generally patient and use a ‘low and slow’ attack style to expand across systems to maximize access to sensitive data.Once they have succeeded in accessing the desired data, attackers assemble the data they are looking for in preparation for transmittal out of they system.The attacker covertly transmits the data to an external location.These attacks can be spread out over days, weeks or months and may feather the ongoing exfiltration of data from the target, rather than a one time event.
  • Countering an advanced attack is an continuous process that requires integration between the multifaceted security tools. First, security admins must harden their systems against known vulnerabilities. Second, they must monitor activity with as much context as possible to detect attacks when they occur. Then, they must have to data and capability to drill into a suspected attack to determine the extent of the compromised systems and data, and enough about the attack vector that they can stop the attack and remediate systems to prevent similar attacks in the future.As you will see, the IBM Security portfolio is well suited and integrated to give security professionals the tools they need to harden against, detect and analyze advanced attacks.
  • Harden EndpointsManage hundreds of thousands of endpoints regardless of location, connection type or status Automatically enforce security baselines across all endpoints, including software versions and configuration settingsHardenApplicationsLeverage multiple source code scanning technologies for issue discovery and remediation across security and development teamsScan production web apps to detect vulnerabilitiessuch as SQL injection and cross-site scriptingHarden Network TrafficVirtually patch detected vulnerabilities at the network levelFilters internet traffic according to enterprise security policiesHarden DatabasesVirtually patch detected vulnerabilities at the network levelFilters internet traffic according to enterprise security policiesScan database exposures(missing patches, weak passwords, unauthorized changes, and misconfigured privileges)Detect behavioral vulnerabilities(account sharing, excessive administrative logins and after-hours activity)Vulnerability ManagementPerforms real-time vulnerability scans for 70,000+ vulnerabilities on router, firewall, OS, DB, web servers, DNS, mail serverEnsures hardened network device configuration across all assetsViews prioritization of vulnerabilities using context from IBM tools and X-Force threat intelligence Addresses the most critical risks first when hardening the system
  • Thanks Marc. We have here a great screenshot from QRadar Vulnerability Manager. What makes Vulnerability Manager so powerful is the ability to not just identify, but also risk adjust vulnerabilities using context specific to your environment. You can see from this screen capture that the server vulnerability shown has a score of 60. That’s good to know, but what does a score of 60 really mean? How did Vulnerability Manager come up with that? That 60 is comprised of a base score of 10, which is the score given by QRadar vulnerability manager’s native scanner. The base score is then adjusted using context specific to the environment. The risk is increased by 10 because Network Protection XGS provided context showing that the vulnerably system had communicated with malicious IPs identified by X-Force research. The risk was reduced by 10 because this server’s vulnerability is scheduled to be patched by IBM Security Endpoint Manager. Finally, the risk score is increased by 50 because the network topology from QRadar Risk manager indicates that the server in question is not adequately protected behind firewall and intrusion prevention systems.It is this context from integrated solutions that helps the security analyst sort through numerous vulnerabilities to identify the most risky.
  • As Marc explained, hardening against unusual behavior from users is key to successfully defend from advanced threats. An important part of hardening people is having the integration in place to be alerted when suspicious identity events occur. As you can see in the screen capture here, intelligence from identity and access manager, is captured in the QRadar dashboard. The security analyst using QRadar sees immediately the multiple login failures from the same user. Right from QRadar, the analyst can then can drill into the details of the failed logins.
  • In this scenario, our persistent attacker has sent an email containing a link to malware, in an attempt to compromise your organization. A powerful Intrusion Prevention system is a key component in detecting attack on your environment. However, intrusion prevention is only as effective as the intelligence it is using to identify and block suspicious traffic. That is why the close integration between our Network Protection XGS and X-Force threat research is so important. This series of screen captures from the XGS user interface demonstrates the integration. In the top screenshot you can see url reputation data from X-Force, one of the largest URL reputation databases in the world. In the second screenshot you can see that URLs are broken into category for example, botnet command and controls, malware etc, finally you can see the actual policy telling the XGS to reject any connections to this source, the link from the attacker’s email, because it is a known malware host.URL reputation data is only the first way that integrations between X-Force research and the network protection XGS Device is protecting you from malware. The XGS also integrates X-Force intelligence into its protocol analysis module, this deep understanding of protocols allows the XGS to identify and block malware traversing the network regardless of the source.Now that we’ve prevented the malicious link….
  • ..our attacker has moved on in an attempt to exploit an SQL injection vulnerability.The security analyst is first made aware of the attempted SQL injection through an event sent to from Access Manager’s web application firewall that is protecting the application where the attempted exploit is taking place. The security analyst can use IBM Security AppScan to run a scan of the web application in question. AppScan, shown in the top screen shot will identify the SQL injection vulnerability in the application. If that was the end of this action, we would have a problem because it can take some time for developers create a patch and update the vulnerable application. Luckily, this analyst has SiteProtector. The integration between AppScan and SiteProtector means that right from the AppScan interface, as shown in the second screen capture, the analyst can select vulnerabilities and click export to SiteProtetor. Once in SiteProtector, the analyst can deploy a virtual patch that will block SQL injection to that web application at the network level while the development team is working on a patch. SiteProtector then pushes the virtual patch out at once to all Security Network XGS devices protecting the network.
  • Still undaunted, our persistent attacker manages to steal a highly privileged system administrator’s login credentials. He realizes that using the system administrator's credentials won’t go unnoticed for long so he decides to use the account only briefly, to give increased permissions to a non-administrator who’s account he has also compromised. Later, he intends to use this account to gather and exfiltrate sensitive data.Fortunately for this organization, the system administrator is being monitored by privileged identity manager. Like we saw with the Identity and Access Manager example earlier, Privileged Identity manager is integrated with QRadar. As you can see in the top screen capture, Privileged Identity Manager sends the detail of increased permission to QRadar. Because of this deep integration, right from QRadar the security analyst can drill into detail to see, for example, that the user bouncy15, elevated the privileges of user bouncy17. Because the organization is using Privileged Identity Manager, the security analyst can open a recording of the administrator, bouncy15’s, screen while he was granting the increased permission. After reviewing the recording, the analyst determines that the compromised administrator account was giving permissions outside of the normal procedure and revokes both access to both the administrator and the user whose permissions were escalated.
  • IBM Security QRadar SIEM analyzes tremendous amounts of data (logs, network flows) and uses context to transform it useful, actionable information as is depicted in this slide. Here's what a security team member would see when they begin to investigate an offense record triggered by a correlation rule. The analyst can see the who, what and where behind the offense and quickly determine if it's a legitimate threat or a false positive.  IBM Security QRadar SIEM is strong from an event-management and analysis perspective and is very effective in detecting threats because it can leverage a broad range of data, analyze it, and apply context from an extensive range of sources. This reduces false positives, and tells users not only what has been exploited but also what kind of activity is taking place. This results in quicker threat detection and response. QRadar continuously monitors data sources across the IT infrastructure, leveraging the full context in which systems are operating. That context includes security and network device logs, vulnerabilities, configuration data, network traffic telemetry, application events and activities, user identities, assets, geo-location, and application content. This generates a staggering amount of data, and QRadar SIEM leverages it to establish very specific context around each potential area of concern, and uses sophisticated analytics to accurately detect more and different types of threats. For example, a potential exploit of a web server reported by an intrusion detection system can be validated by unusual outbound network activity detected by QRadar network behavioral anomaly detection (NBAD) capabilities.QRadar uses intelligence, automation and analytics to provide very actionable security information including the number of targets involved in a threat, who was responsible, what kind of attack occurred, whether it was successful, vulnerabilities, evidence for forensics, etc.
  • Source: Protecting consumer and business information with advanced threat protectionhttp://public.dhe.ibm.com/common/ssi/ecm/en/wgc12350usen/WGC12350USEN.PDF
  • The IBM Security Systems portfolio is built around protecting the security domains of People, Data, Applications, and Infrastructure, with a layer of Security Intelligence and Analytics providing true integration and visibility into the enterprise security landscape, and underpinned by IBM X-Force Research providing threat intelligence. The acquisition of Trusteer provides enhanced endpoint protection and threat research, while extending the portfolio with a layer of advanced fraud protection.

    • Disrupt the advanced attack chain with intelligent, integrated security

    1. 1. IBM Security Systems IBM Security Systems Disrupt the Advanced Attack Chain with Intelligent, Integrated Security Marc van Zadelhoff VP, Strategy and Product Management Brian Mulligan Security Strategist November 19, 2013 © 2013 IBM Corporation 1 © 2013 IBM Corporation
    2. 2. IBM Security Systems Security can be a complex landscape… 85 tools from 2 45 vendors © 2013 IBM Corporation
    3. 3. IBM Security Systems …where your security team sees noise 3 © 2013 IBM Corporation
    4. 4. IBM Security Systems Attack frequency increased to record in H1 2013 4 Source: IBM X-Force® Research 2013 Trend and Risk Report © 2013 IBM Corporation
    5. 5. IBM Security Systems IBM Security Integrating across domains to make sense of the noise and stop attackers IBM Security Framework Intelligence Integration Expertise 5 © 2013 IBM Corporation
    6. 6. IBM Security Systems Advanced attackers follow a five-stage attack chain Reconnaissance, spear phishing, and remote exploits to gain access 1 Break-in ATTACK CHAIN 2 Latch-on Command and Control Malware and backdoors installed to establish a foothold 3 Expand Lateral movement to increase access and maintain a presence 4 Gather Acquisition and aggregation of confidential data 5 Exfiltrate 6 Command and Control Data exfiltration to external networks © 2013 IBM Corporation
    7. 7. IBM Security Systems Defenders follow an iterative approach, utilizing integrated solutions ATTACK CHAIN 1 Break-in 2 Latch-on 3 Expand 4 Gather 5 Exfiltrate 7 © 2013 IBM Corporation
    8. 8. IBM Security Systems Hardening environments is difficult and growing increasingly complex The ever expanding number of endpoints, applications, databases and network devices create multiple attack surfaces Endpoints • Validate endpoint patch status Hardening challenges: • Mobile device proliferation and adoption of BYOD Integrated Defense Strategy HARDEN DETECT ANALYZE Networks • Secure network traffic • Adoption of hybrid and public cloud • Rapid growth of big data Applications • Prevent web application vulnerabilities 8 • Continued exploitation of SQL injection and cross site scripting vulnerabilities Databases • Lock down database usage © 2013 IBM Corporation
    9. 9. IBM Security Systems Harden through integrated security solutions Scan assets for vulnerabilities, prioritize the severity of each vulnerability, and patch or block the most critical Integrated Defense Strategy HARDEN IBM Endpoint Manager IBM QRadar Vulnerability Manager / Risk Manager • Validate endpoint patch status DETECT ANALYZE IBM Security Network Protection XGS • Secure network traffic 6 22 102 AT RISK CRITICAL BLOCKED IBM Security AppScan IBM InfoSphere Guardium • Prevent web application vulnerabilities • Lock down database usage 75 SQL injection 50 Cross-site scripting 5 Unusual database requests IBM X-Force Research and Development 9 © 2013 IBM Corporation
    10. 10. IBM Security Systems How hardening works: practical steps • Manage hundreds of thousands of endpoints Harden Endpoints • Automatically enforce security baselines across all endpoints IBM Endpoint Manager IBM QRadar Vulnerability Manager / Risk Manager Find and Prioritize Vulnerabilities • Leverage multiple source code scanning technologies Harden Applications • Scan production web apps to detect vulnerabilities IBM AppScan Harden Network Traffic • Virtually patch detected vulnerabilities The security administrator… • Filter internet traffic according to security policies • Performs real-time vulnerability scans IBM Network Protection XGS • Scan database exposures Harden Databases • Detect behavioral vulnerabilities IBM InfoSphere Guardium 10 • Ensures hardened network device configurations • Views prioritization of vulnerabilities in context • Addresses the most critical risks first © 2013 IBM Corporation
    11. 11. IBM Security Systems Integrated products provide rich context for vulnerability risk scoring Risk score adjusted +10 on data from XGS and X-Force, the asset has communicated with malicious IPs Risk score adjusted -10 on context from Endpoint Manager, the asset is scheduled to be patched Risk score adjusted +50 on context from QRadar Risk Manager, the asset is not protected by firewall or IPS • QRadar Vulnerability Manager conducts native vulnerability scan and incorporates from other vulnerability sources • Each vulnerability is given a base risk score, in this case 10 11 © 2013 IBM Corporation
    12. 12. IBM Security Systems Hardening people is essential and becoming more complex Multiple identity stores and increasing connections from outside the enterprise complicate identity security Validate Identity • Determine who is who Identity hardening challenges: • Multiple user access points a weak link for attackers to break-in (employees, contractors, partners) Integrated Defense Strategy HARDEN DETECT ANALYZE Prevent Insider Threat and Identity Fraud • Secure shared identities and prevent targeted attacks • Extending identity security to mobile, cloud and social interactions Integrate Identity • Unify “Universe of identities” • Highly privileged insiders have access to the “crown jewels” • Compliance exposure from multiple identity silos and fragment user data Manage Identity • Enable identity lifecycle management • Increasing security demands for realtime user activity data 12 © 2013 IBM Corporation
    13. 13. IBM Security Systems Define a new perimeter with threat-aware Identity and Access Mgmt Simplify identity silos to safeguard mobile, cloud and social interactions, mitigate insider threat and deliver intelligent identity and access assurance IBM Security Access Manager • Unify “Universe of identities” HARDEN DETECT ANALYZE IBM Security Privileged Identity Manager • Determine who is who IBM Security Directory Server and Integrator Integrated Defense Strategy • Secure shared identities and prevent targeted attacks Create a secure perimeter around identities • Manage all users connecting from within and outside the enterprise IBM Security Identity Manager • Enable identity lifecycle management • Defend web applications against targeted web attacks • Enhance user activity monitoring and security intelligence across security domains 13 © 2013 IBM Corporation
    14. 14. IBM Security Systems Integrated products provide user activity and anomalies detection • Identity and Access Manager event logs offers rich insights into actual users and their roles • IAM integration with QRadar SIEM provides detection of break-ins tied to actual users & roles 14 © 2013 IBM Corporation
    15. 15. IBM Security Systems Patient, sophisticated attackers make detection a challenge Detect subtle anomalies across domains and correlate them to create a cohesive picture of threat activity Network Traffic • Blocks exploits as they traverse the network Detect challenges: • Attackers modify signatures to bypass signature based detection Defense Strategy HARDEN DETECT ANALYZE Privileged Users • Sends privileged user details to correlate with user’s activity • Users connect from new devices and locations • Lack of control over privileged users passwords and access Application Access • Blocks attacks before they reach applications • Increasing number endpoints, device types and operating systems Endpoint Protection • Dynamically detect and block endpoint malware Threat Research 15 © 2013 IBM Corporation
    16. 16. IBM Security Systems Integrated capabilities enable real-time discovery and blocking Detect and block malicious activity across networks, users, applications and endpoints IBM Security IBM QRadar Network Protection XGS Security Intelligence • Blocks exploits as they traverse the network HARDEN DETECT ANALYZE IBM Privileged Identity Manager • Sends privileged user details to correlate with user’s activity IBM Trusteer Apex IBM Security Access Manager • Blocks attacks before they reach applications Defense Strategy Creates an activity baseline to detect anomalous activity • Dynamically detect and block endpoint malware • Intelligent correlation of events, flows, assets, topologies, vulnerabilities and external threats • Produce actionable intelligence IBM X-Force Research and Development 16 © 2013 IBM Corporation
    17. 17. IBM Security Systems Defend against persistent attacks with integrated capabilities IBM QRadar SIEM X-Force Research Email with malicious link Network Protection XGS Access Manager AMP 5100 SQL injection AppScan SiteProtector Network Protection XGS • XGS blocks zero-day exploit from malicious link after incorporating X-Force security content Security Event • XGS natively creates network flow activity for QRadar to detect additional anomalies Network Flow Investigate Alerts • Access Manager blocks SQL injection from web application and alerts QRadar • Based on QRadar alert, analyst runs AppScan to find the application vulnerability Security Event • AppScan creates virtual patch in SiteProtector to block the attack at the network level  Event correlation • SiteProtector deploys policy to Network Protection XGS devices  Historic forensics  Real-time analysis  Predictive analytics Privilege escalation Email with malicious file 17 Privileged Identity Manager Trusteer Apex • Privileged Identity Manager detects anomalous privilege escalation Security Event • Privileged Identity Manager records the session and sends the escalation event to QRadar • Apex detects and block the zero-day exploit using application state context Security Event © 2013 IBM Corporation
    18. 18. IBM Security Systems Incorporate the latest threat intelligence IBM X-Force research is utilized in Network Protection XGS Network Protection XGS console showing security policies X-Force URL reputation data incorporated by category 2 Policy on XGS set to reject connections to malicious URLs 18 1 3 © 2013 IBM Corporation
    19. 19. IBM Security Systems Integrate to prevent web application exploits at the network level Access Manager flags a SQL injection, alerts QRadar and then… Analyst runs AppScan and finds the SQL injection vulnerabilities 1 AppScan sends vulnerability 2 details to SiteProtector SiteProtector creates virtual patch to block the SQL injection at the network level while 3 the vulnerabilities are patched Policy deploys to Network 4 Protection XGS devices Types of Protection • Client-side attacks • Injection attacks • Malicious file execution 19 • Cross-site request forgery • Information disclosure • Path traversal • Authentication • Buffer overflow • Brute force • Directory indexing • Miscellaneous attacks © 2013 IBM Corporation
    20. 20. IBM Security Systems Monitor privileged users to detect malicious activity An attacker steals system administrator login credentials then grants increased permissions to invalid user Privileged Identify Manager sends QRadar details of the privilege escalation QRadar notifies a security analyst 1 2 Security analyst views a recording that shows compromised administrator granting a user rights outside of the formal process 3 Security analyst revokes compromised account access to prevent further malicious action 20 © 2013 IBM Corporation
    21. 21. IBM Security Systems Security analysis is a big data problem Security analysts are overwhelmed by a variety of data and lack of visibility Defense Strategy HARDEN DETECT ANALYZE Detect challenges: Flows • Rapid growth in the volume of security data • Incompatible information from diverse data sources Events • Multiple, siloed security systems each with its own dashboard • Lack of application, configuration and user context Assets 21 © 2013 IBM Corporation
    22. 22. IBM Security Systems Integrated IBM solutions provide actionable security intelligence QRadar SIEM correlates and analyzes millions of events with contextual data to produce a detailed view of key offenses • Network traffic with user and application context from IBM Network Protection XGS devices Defense Strategy HARDEN DETECT ANALYZE IBM QRadar SIEM • Database context and activity from IBM InfoSphere Guardium Flows • IBM QFlow and VFlow Events • User context from IAM integration • Security events from IBM Network Protection XGS devices • Endpoint status from IBM Endpoint Manager 22 Assets • Network topology from IBM QRadar Risk Manager Advanced analytics combine network and contextual data to perform: • Event correlation • Activity baselining • Anomaly detection • Offense identification IBM X-Force Research and Development © 2013 IBM Corporation
    23. 23. IBM Security Systems Correlate events across security domains to gain visibility IBM QRadar Security Event • User connects from country where company does not do business Security Event • User accesses database outside normal business hours Guardium Security Event • Unusual network traffic identified XGS Investigations… IAM XGS QFlow Guardium Endpoint Manager 23 Look for recent changes in the user’s permissions Lookup all activity from user’s IP address SIEM IAM Results… QRadar correlates 3 security events and triggers an offense 1 2 User requested access to sensitive DB 6 days ago, the user connected to an unknown IP located in a suspicious region 5 days ago, the user’s machine began opening suspicious connections Find other users who connected to the same suspicious IP 3 other users have connected with similar suspicious traffic Determine which DBs and records these users accessed in last 6 days Users accessed unannounced quarterly financial results Check patch status of compromised machines All compromised users have latest browser patches 3 Remediation • Update XGS to block malware command and control • Alert security team to remove the endpoint malware • Produce sensitive data access report © 2013 IBM Corporation
    24. 24. IBM Security Systems QRadar integrates data to answer the important questions What was the attack? Was it successful? Who was responsible? Where do I find them? How many targets involved? How valuable are the targets to the business? Are any of them vulnerable? Where is all the evidence? 24 © 2013 IBM Corporation
    25. 25. IBM Security Systems Clients gain visibility with integrated security Confidence Actionable Intelligence “IBM Security Network Protection has been a great solution for us in stopping bad traffic and it’s given us great confidence in how we operate.” “IBM QRadar SIEM has also allowed us to gain efficiencies by providing our security analysts with actionable intelligence and information instead of searching through a haystack of information…” Chief Security Officer Large Financial Services Firm 25 Source: Protecting consumer and business information with advanced threat protection http://public.dhe.ibm.com/common/ssi/ecm/en/wgc12350usen/WGC12350USEN.PDF © 2013 IBM Corporation
    26. 26. IBM Security Systems Effective advanced threat defense requires diverse capabilities ATTACK CHAIN 1 Break-in 2 Latch-on Persistent HARDEN 3 Expand Patient DETECT  Configure and patch endpoints  Monitor and analyze network configurations  Develop behavior / activity baselines and detect anomalies  Securely develop, deploy, and audit web applications  Automate rules and alerts focused on privileged user activity  Intelligently scan and prioritize vulnerabilities  Detect application attacks and unauthorized access  Enforce proactive access policies and monitor user behavior 26  Inspect and block suspicious traffic 4 Gather 5 Exfiltrate Sophisticated ANALYZE  Correlate events, flows, assets, configurations, vulnerabilities and external threats  Identify compromised endpoints  Drill into security data across domains from a single interface  Produce actionable intelligence © 2013 IBM Corporation
    27. 27. IBM Security Systems A diverse range of business partners enhance IBM’s offerings Advanced Persistent Threat 27 Insider Threat Data Breach Please note: logos shown represent a subset of all security business partners Malware Detection © 2013 IBM Corporation
    28. 28. IBM Security Systems IBM offers a comprehensive portfolio of security products IBM Security Systems Portfolio Security Intelligence and Analytics QRadar Log Manager QRadar SIEM QRadar Risk Manager QRadar Vulnerability Manager Advanced Fraud Protection Trusteer Rapport Trusteer Pinpoint Malware Detection Trusteer Pinpoint ATO Detection Trusteer Mobile Risk Engine People Data Applications Identity Management Guardium Data Security and Compliance AppScan Source Network Intrusion Prevention Trusteer Apex Access Management Guardium DB Vulnerability Management AppScan Dynamic Next Generation Network Protection Mobile and Endpoint Management Privileged Identity Manager Guardium / Optim Data Masking DataPower Web Security Gateway SiteProtector Threat Management Virtualization and Server Security Federated Access and SSO Key Lifecycle Manager Security Policy Manager Network Anomaly Detection Mainframe Security Network Infrastructure Endpoint IBM X-Force Research 28 © 2013 IBM Corporation
    29. 29. IBM Security Systems IBM Security Integrating across domains to help prevent advanced attacks IBM Security Framework Intelligence Integration Expertise 29 © 2013 IBM Corporation
    30. 30. IBM Security Systems Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed or misappropriated or can result in damage to or misuse of your systems, including to attack others. No IT system or product should be considered completely secure and no single product or security measure can be completely effective in preventing improper access. IBM systems and products are designed to be part of a comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective. IBM DOES NOT WARRANT THAT SYSTEMS AND PRODUCTS ARE IMMUNE FROM THE MALICIOUS OR ILLEGAL CONDUCT OF ANY PARTY. www.ibm.com/security © Copyright IBM Corporation 2013. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind, express or implied. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, these materials. Nothing contained in these materials is intended to, nor shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software. References in these materials to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates. Product release dates and/or capabilities referenced in these materials may change at any time at IBM’s sole discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any way. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service marks of others. 30 © 2013 IBM Corporation

    ×