Disrupt the advanced attack chain with intelligent, integrated security

1. IBM Security Systems IBM Security Systems Disrupt the Advanced Attack Chain with Intelligent, Integrated Security Marc van Zadelhoff VP, Strategy and Product Management Brian Mulligan Security Strategist November 19, 2013 © 2013 IBM Corporation 1 © 2013 IBM Corporation

6. IBM Security Systems Advanced attackers follow a five-stage attack chain Reconnaissance, spear phishing, and remote exploits to gain access 1 Break-in ATTACK CHAIN 2 Latch-on Command and Control Malware and backdoors installed to establish a foothold 3 Expand Lateral movement to increase access and maintain a presence 4 Gather Acquisition and aggregation of confidential data 5 Exfiltrate 6 Command and Control Data exfiltration to external networks © 2013 IBM Corporation

8. IBM Security Systems Hardening environments is difficult and growing increasingly complex The ever expanding number of endpoints, applications, databases and network devices create multiple attack surfaces Endpoints • Validate endpoint patch status Hardening challenges: • Mobile device proliferation and adoption of BYOD Integrated Defense Strategy HARDEN DETECT ANALYZE Networks • Secure network traffic • Adoption of hybrid and public cloud • Rapid growth of big data Applications • Prevent web application vulnerabilities 8 • Continued exploitation of SQL injection and cross site scripting vulnerabilities Databases • Lock down database usage © 2013 IBM Corporation

9. IBM Security Systems Harden through integrated security solutions Scan assets for vulnerabilities, prioritize the severity of each vulnerability, and patch or block the most critical Integrated Defense Strategy HARDEN IBM Endpoint Manager IBM QRadar Vulnerability Manager / Risk Manager • Validate endpoint patch status DETECT ANALYZE IBM Security Network Protection XGS • Secure network traffic 6 22 102 AT RISK CRITICAL BLOCKED IBM Security AppScan IBM InfoSphere Guardium • Prevent web application vulnerabilities • Lock down database usage 75 SQL injection 50 Cross-site scripting 5 Unusual database requests IBM X-Force Research and Development 9 © 2013 IBM Corporation

10. IBM Security Systems How hardening works: practical steps • Manage hundreds of thousands of endpoints Harden Endpoints • Automatically enforce security baselines across all endpoints IBM Endpoint Manager IBM QRadar Vulnerability Manager / Risk Manager Find and Prioritize Vulnerabilities • Leverage multiple source code scanning technologies Harden Applications • Scan production web apps to detect vulnerabilities IBM AppScan Harden Network Traffic • Virtually patch detected vulnerabilities The security administrator… • Filter internet traffic according to security policies • Performs real-time vulnerability scans IBM Network Protection XGS • Scan database exposures Harden Databases • Detect behavioral vulnerabilities IBM InfoSphere Guardium 10 • Ensures hardened network device configurations • Views prioritization of vulnerabilities in context • Addresses the most critical risks first © 2013 IBM Corporation

11. IBM Security Systems Integrated products provide rich context for vulnerability risk scoring Risk score adjusted +10 on data from XGS and X-Force, the asset has communicated with malicious IPs Risk score adjusted -10 on context from Endpoint Manager, the asset is scheduled to be patched Risk score adjusted +50 on context from QRadar Risk Manager, the asset is not protected by firewall or IPS • QRadar Vulnerability Manager conducts native vulnerability scan and incorporates from other vulnerability sources • Each vulnerability is given a base risk score, in this case 10 11 © 2013 IBM Corporation

12. IBM Security Systems Hardening people is essential and becoming more complex Multiple identity stores and increasing connections from outside the enterprise complicate identity security Validate Identity • Determine who is who Identity hardening challenges: • Multiple user access points a weak link for attackers to break-in (employees, contractors, partners) Integrated Defense Strategy HARDEN DETECT ANALYZE Prevent Insider Threat and Identity Fraud • Secure shared identities and prevent targeted attacks • Extending identity security to mobile, cloud and social interactions Integrate Identity • Unify “Universe of identities” • Highly privileged insiders have access to the “crown jewels” • Compliance exposure from multiple identity silos and fragment user data Manage Identity • Enable identity lifecycle management • Increasing security demands for realtime user activity data 12 © 2013 IBM Corporation

13. IBM Security Systems Define a new perimeter with threat-aware Identity and Access Mgmt Simplify identity silos to safeguard mobile, cloud and social interactions, mitigate insider threat and deliver intelligent identity and access assurance IBM Security Access Manager • Unify “Universe of identities” HARDEN DETECT ANALYZE IBM Security Privileged Identity Manager • Determine who is who IBM Security Directory Server and Integrator Integrated Defense Strategy • Secure shared identities and prevent targeted attacks Create a secure perimeter around identities • Manage all users connecting from within and outside the enterprise IBM Security Identity Manager • Enable identity lifecycle management • Defend web applications against targeted web attacks • Enhance user activity monitoring and security intelligence across security domains 13 © 2013 IBM Corporation

14. IBM Security Systems Integrated products provide user activity and anomalies detection • Identity and Access Manager event logs offers rich insights into actual users and their roles • IAM integration with QRadar SIEM provides detection of break-ins tied to actual users & roles 14 © 2013 IBM Corporation

15. IBM Security Systems Patient, sophisticated attackers make detection a challenge Detect subtle anomalies across domains and correlate them to create a cohesive picture of threat activity Network Traffic • Blocks exploits as they traverse the network Detect challenges: • Attackers modify signatures to bypass signature based detection Defense Strategy HARDEN DETECT ANALYZE Privileged Users • Sends privileged user details to correlate with user’s activity • Users connect from new devices and locations • Lack of control over privileged users passwords and access Application Access • Blocks attacks before they reach applications • Increasing number endpoints, device types and operating systems Endpoint Protection • Dynamically detect and block endpoint malware Threat Research 15 © 2013 IBM Corporation

16. IBM Security Systems Integrated capabilities enable real-time discovery and blocking Detect and block malicious activity across networks, users, applications and endpoints IBM Security IBM QRadar Network Protection XGS Security Intelligence • Blocks exploits as they traverse the network HARDEN DETECT ANALYZE IBM Privileged Identity Manager • Sends privileged user details to correlate with user’s activity IBM Trusteer Apex IBM Security Access Manager • Blocks attacks before they reach applications Defense Strategy Creates an activity baseline to detect anomalous activity • Dynamically detect and block endpoint malware • Intelligent correlation of events, flows, assets, topologies, vulnerabilities and external threats • Produce actionable intelligence IBM X-Force Research and Development 16 © 2013 IBM Corporation

17. IBM Security Systems Defend against persistent attacks with integrated capabilities IBM QRadar SIEM X-Force Research Email with malicious link Network Protection XGS Access Manager AMP 5100 SQL injection AppScan SiteProtector Network Protection XGS • XGS blocks zero-day exploit from malicious link after incorporating X-Force security content Security Event • XGS natively creates network flow activity for QRadar to detect additional anomalies Network Flow Investigate Alerts • Access Manager blocks SQL injection from web application and alerts QRadar • Based on QRadar alert, analyst runs AppScan to find the application vulnerability Security Event • AppScan creates virtual patch in SiteProtector to block the attack at the network level  Event correlation • SiteProtector deploys policy to Network Protection XGS devices  Historic forensics  Real-time analysis  Predictive analytics Privilege escalation Email with malicious file 17 Privileged Identity Manager Trusteer Apex • Privileged Identity Manager detects anomalous privilege escalation Security Event • Privileged Identity Manager records the session and sends the escalation event to QRadar • Apex detects and block the zero-day exploit using application state context Security Event © 2013 IBM Corporation

18. IBM Security Systems Incorporate the latest threat intelligence IBM X-Force research is utilized in Network Protection XGS Network Protection XGS console showing security policies X-Force URL reputation data incorporated by category 2 Policy on XGS set to reject connections to malicious URLs 18 1 3 © 2013 IBM Corporation

19. IBM Security Systems Integrate to prevent web application exploits at the network level Access Manager flags a SQL injection, alerts QRadar and then… Analyst runs AppScan and finds the SQL injection vulnerabilities 1 AppScan sends vulnerability 2 details to SiteProtector SiteProtector creates virtual patch to block the SQL injection at the network level while 3 the vulnerabilities are patched Policy deploys to Network 4 Protection XGS devices Types of Protection • Client-side attacks • Injection attacks • Malicious file execution 19 • Cross-site request forgery • Information disclosure • Path traversal • Authentication • Buffer overflow • Brute force • Directory indexing • Miscellaneous attacks © 2013 IBM Corporation

20. IBM Security Systems Monitor privileged users to detect malicious activity An attacker steals system administrator login credentials then grants increased permissions to invalid user Privileged Identify Manager sends QRadar details of the privilege escalation QRadar notifies a security analyst 1 2 Security analyst views a recording that shows compromised administrator granting a user rights outside of the formal process 3 Security analyst revokes compromised account access to prevent further malicious action 20 © 2013 IBM Corporation

21. IBM Security Systems Security analysis is a big data problem Security analysts are overwhelmed by a variety of data and lack of visibility Defense Strategy HARDEN DETECT ANALYZE Detect challenges: Flows • Rapid growth in the volume of security data • Incompatible information from diverse data sources Events • Multiple, siloed security systems each with its own dashboard • Lack of application, configuration and user context Assets 21 © 2013 IBM Corporation

22. IBM Security Systems Integrated IBM solutions provide actionable security intelligence QRadar SIEM correlates and analyzes millions of events with contextual data to produce a detailed view of key offenses • Network traffic with user and application context from IBM Network Protection XGS devices Defense Strategy HARDEN DETECT ANALYZE IBM QRadar SIEM • Database context and activity from IBM InfoSphere Guardium Flows • IBM QFlow and VFlow Events • User context from IAM integration • Security events from IBM Network Protection XGS devices • Endpoint status from IBM Endpoint Manager 22 Assets • Network topology from IBM QRadar Risk Manager Advanced analytics combine network and contextual data to perform: • Event correlation • Activity baselining • Anomaly detection • Offense identification IBM X-Force Research and Development © 2013 IBM Corporation

23. IBM Security Systems Correlate events across security domains to gain visibility IBM QRadar Security Event • User connects from country where company does not do business Security Event • User accesses database outside normal business hours Guardium Security Event • Unusual network traffic identified XGS Investigations… IAM XGS QFlow Guardium Endpoint Manager 23 Look for recent changes in the user’s permissions Lookup all activity from user’s IP address SIEM IAM Results… QRadar correlates 3 security events and triggers an offense 1 2 User requested access to sensitive DB 6 days ago, the user connected to an unknown IP located in a suspicious region 5 days ago, the user’s machine began opening suspicious connections Find other users who connected to the same suspicious IP 3 other users have connected with similar suspicious traffic Determine which DBs and records these users accessed in last 6 days Users accessed unannounced quarterly financial results Check patch status of compromised machines All compromised users have latest browser patches 3 Remediation • Update XGS to block malware command and control • Alert security team to remove the endpoint malware • Produce sensitive data access report © 2013 IBM Corporation

24. IBM Security Systems QRadar integrates data to answer the important questions What was the attack? Was it successful? Who was responsible? Where do I find them? How many targets involved? How valuable are the targets to the business? Are any of them vulnerable? Where is all the evidence? 24 © 2013 IBM Corporation

25. IBM Security Systems Clients gain visibility with integrated security Confidence Actionable Intelligence “IBM Security Network Protection has been a great solution for us in stopping bad traffic and it’s given us great confidence in how we operate.” “IBM QRadar SIEM has also allowed us to gain efficiencies by providing our security analysts with actionable intelligence and information instead of searching through a haystack of information…” Chief Security Officer Large Financial Services Firm 25 Source: Protecting consumer and business information with advanced threat protection http://public.dhe.ibm.com/common/ssi/ecm/en/wgc12350usen/WGC12350USEN.PDF © 2013 IBM Corporation

26. IBM Security Systems Effective advanced threat defense requires diverse capabilities ATTACK CHAIN 1 Break-in 2 Latch-on Persistent HARDEN 3 Expand Patient DETECT  Configure and patch endpoints  Monitor and analyze network configurations  Develop behavior / activity baselines and detect anomalies  Securely develop, deploy, and audit web applications  Automate rules and alerts focused on privileged user activity  Intelligently scan and prioritize vulnerabilities  Detect application attacks and unauthorized access  Enforce proactive access policies and monitor user behavior 26  Inspect and block suspicious traffic 4 Gather 5 Exfiltrate Sophisticated ANALYZE  Correlate events, flows, assets, configurations, vulnerabilities and external threats  Identify compromised endpoints  Drill into security data across domains from a single interface  Produce actionable intelligence © 2013 IBM Corporation

27. IBM Security Systems A diverse range of business partners enhance IBM’s offerings Advanced Persistent Threat 27 Insider Threat Data Breach Please note: logos shown represent a subset of all security business partners Malware Detection © 2013 IBM Corporation

28. IBM Security Systems IBM offers a comprehensive portfolio of security products IBM Security Systems Portfolio Security Intelligence and Analytics QRadar Log Manager QRadar SIEM QRadar Risk Manager QRadar Vulnerability Manager Advanced Fraud Protection Trusteer Rapport Trusteer Pinpoint Malware Detection Trusteer Pinpoint ATO Detection Trusteer Mobile Risk Engine People Data Applications Identity Management Guardium Data Security and Compliance AppScan Source Network Intrusion Prevention Trusteer Apex Access Management Guardium DB Vulnerability Management AppScan Dynamic Next Generation Network Protection Mobile and Endpoint Management Privileged Identity Manager Guardium / Optim Data Masking DataPower Web Security Gateway SiteProtector Threat Management Virtualization and Server Security Federated Access and SSO Key Lifecycle Manager Security Policy Manager Network Anomaly Detection Mainframe Security Network Infrastructure Endpoint IBM X-Force Research 28 © 2013 IBM Corporation

30. IBM Security Systems Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed or misappropriated or can result in damage to or misuse of your systems, including to attack others. No IT system or product should be considered completely secure and no single product or security measure can be completely effective in preventing improper access. IBM systems and products are designed to be part of a comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective. IBM DOES NOT WARRANT THAT SYSTEMS AND PRODUCTS ARE IMMUNE FROM THE MALICIOUS OR ILLEGAL CONDUCT OF ANY PARTY. www.ibm.com/security © Copyright IBM Corporation 2013. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind, express or implied. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, these materials. Nothing contained in these materials is intended to, nor shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software. References in these materials to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates. Product release dates and/or capabilities referenced in these materials may change at any time at IBM’s sole discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any way. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service marks of others. 30 © 2013 IBM Corporation