
Employing CDM: How Government can Protect Itself from Cyber Attacks


According to a GovLoop survey, 90% of respondents don't think their agency is fully prepared for a cyber attack, and they named the ever-changing nature of threats and inadequate training as their biggest obstacles. At all levels of government, cyber attacks on networks are growing in frequency and becoming more sophisticated and aggressive. The threat of sophisticated attacks, security breaches, phishing, and social media fraud is very real for everyone, and especially for government. That is where the Continuous Diagnostics and Mitigation (CDM) program comes in.

The Department of Homeland Security designed CDM to help other agencies understand their vulnerabilities and identify threats in real time. CDM is a dynamic, collaborative program that provides a holistic approach to protecting important information. Join IBM Security to learn firsthand from government and industry thought leaders how it can help your agency.

View the full on-demand webcast: https://www2.gotomeeting.com/register/369078578



  1. © 2014 IBM Corporation, IBM Security. Title slide: IBM Support to Continuous Diagnostics & Mitigation
  2. Agenda
     - Why CDM?
     - A new security reality
     - IBM Security overview
     - Why risk management
  3. Why CDM? (according to John Streufert, DHS)
     Customers have spent an inordinate amount of time, effort and resources on a variety of products that have NOT delivered the results promised.
     CDM solutions MUST:
     - Allow for search, mitigation and reporting of cyber problems in real time
     - Enable system administrators to respond to exploits at network speed, fulfill their OMB Circular A-130 responsibilities as intended, and implement the NIST publications on continuous monitoring (SP 800-137 and parts of SP 800-37)
     - Use strategic sourcing to lower cost
     Reference: James A. Lewis, Raising the Bar for Cybersecurity. Washington, DC: CSIS, 2013.
  4. In search of buy-in for continuous monitoring [FCW]
     "Persuading federal IT managers that continuous diagnostics and monitoring is a boon for their agencies is one of the most challenging elements of implementing the cybersecurity technology, according to IT chiefs at the forefront of spreading the CDM message across government."
     "While federal agencies are beginning to grasp what CDM can do for their organizations, risk-averse IT managers who treasure the status quo and are reluctant to shift from old practices still have to be won over, say IT leaders at GSA and the departments of Homeland Security and Energy."
     "DHS has become an 'evangelist' for CDM, according to Jeff Eisensmith, chief information security officer at the department, which is charged with facilitating other agencies' installation and implementation of CDM technology. Before CDM, agencies were 'getting picked off like zebras on the Serengeti' by cyber attackers, he said."
     http://fcw.com/articles/2014/03/19/continuous-monitoring-buy-in.aspx?s=fcwdaily_200314
  5. CDM: the opportunity for government
     Government's compelling reason to act (business urgency):
     - Cyber threats are constantly changing and evolving, not static
     - Government recognizes a need for a modified approach to protect cyber infrastructure
     - The new approach moves away from historical compliance reporting toward combating threats to the nation's networks in real time
     - The initiative directly supports the Administration's Cross-Agency Priority (CAP) goal of implementing continuous monitoring across federal networks
  6. Continuous Diagnostics & Mitigation
     - IBM supports Phase 1 now
     - IBM has a security framework that addresses risk management across Phases 1 through 3
     - IBM's security portfolio answers the "how" of applying CDM
  7. The evolving motivations and sophistication of attackers are a driving force for CMaaS (Continuous Monitoring as a Service) and CDM
     Motivation            Actor                          Example
     National security     Nation-state actors            Stuxnet
     Espionage, activism   Competitors and hacktivists    Aurora
     Monetary gain         Organized crime                Zeus
     Revenge, curiosity    Insiders and script kiddies    Code Red
  8. A new security reality is here
     - 83% of enterprises have difficulty finding the security skills they need (2012 ESG Research)
     - 70% of security executives are concerned about cloud and mobile security (2013 IBM CISO Survey)
     - Mobile malware grew 614% from March 2012 to March 2013 (2013 Juniper Mobile Threat Report)
     - 61% of organizations say data theft and cybercrime are the greatest threats to their reputation (2012 IBM Global Reputational Risk & IT Study)
     - Average U.S. breach cost: $7 million+ (2013 Cost of Cyber Crime Study, Ponemon Institute)
  9. Our traditional security practices and defenses are not keeping up (chart; source: IBM client example)
  10. More than half a billion records of personally identifiable information (PII) were leaked in 2013
  11. (image only)
  12. Businesses face unprecedented security challenges
     - Escalating threats: targeted attacks are the new norm
     - Competing priorities: too little time, too few resources, no clear strategy
     - Inadequate tools: too many silos, protection lacking
     - Disruptive technologies: shifts in the business environment; new innovation can introduce risk
     Sources: IBM X-Force Trend Report, Sept 2013; IBM CISO Study, Oct 2013; Verizon 2013 Data Breach Investigations Report; Forrester, Surviving The Technical Security Skills Crisis, May 2013
  13. At IBM, the world is our security lab
     - 6,000 IBM researchers, developers, and subject matter experts, all focused on security
     - More than 3,000 IBM security patents
     - Security Operations Centers, Security Research and Development Labs, and Institute for Advanced Security branches (world map; counts not reproduced)
  14. IBM Security: helping clients optimize IT security
     - Integrated portfolio
     - Managed and professional services
     - Extensive partner ecosystem
     - IBM Research
  15. IBM's approach is helping customers gain an advantage on attackers and seize new opportunities
     1. Use analytics and insights for smarter defense
        - Use intelligence and anomaly detection across every domain
        - Build an intelligence vault around your crown jewels
        - Prepare your response for the inevitable
     2. Employ cloud and mobile to improve security
        - Own the security agenda for innovation
        - Embed security on day one
        - Leverage cloud, mobile, social and big data to improve security
     3. Get help to develop an integrated approach
        - Develop a risk-aware security strategy
        - Deploy a systematic approach to security
        - Harness the knowledge of professionals
  16. CISOs are looking for strategic partners to chart a path. They are looking for a trusted partner who… (remainder of slide is a graphic)
  17. Why a new approach
     - Attackers will not relent and every agency is a target
     - New technologies create opportunities to transform IT security
     - Security leaders are more accountable than ever before
  18. What has changed? Security teams must shift from a conventional "perimeter and point defense" mindset and begin thinking like an attacker
     Audit, patch & block (think like a defender; defense-in-depth mindset; broad):
     - Protect all assets
     - Emphasize the perimeter
     - Patch systems
     - Use signature-based detection
     - Scan endpoints for malware
     - Read the latest news
     - Collect logs
     - Conduct manual interviews
     - Shut down systems
     Detect, analyze & remediate (think like an attacker; counter-intelligence mindset; targeted):
     - Protect high-value assets
     - Emphasize the data
     - Harden targets and weakest links
     - Use anomaly-based detection
     - Baseline system behavior
     - Consume threat feeds
     - Collect everything
     - Automate correlation and analytics
     - Gather and preserve evidence
  19. Gaining insights across the entire security event timeline
     Timeline: pre-exploit (vulnerability) -> exploit -> post-exploit (remediation)
     Security intelligence: the actionable information derived from the analysis of all security-relevant data available to an organization.
     - Gain visibility over the organization's security posture
     - Detect deviations from the norm and initiate preventive procedures
     - Attain awareness of vulnerabilities and assess exposures
     - Discover anomalies and investigate to evaluate the risk
     - Explore and analyze data to devise countermeasures for the attack
     - Formulate new security best practices to adapt to emerging threats
     Questions answered along the timeline: What are the external and internal threats? Are we configured to protect against these threats? What is happening right now? What was the impact?
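Slides 18 and 19 contrast signature-based detection with baselining and anomaly detection, and ask for correlation to be automated. The following is an added example (not code from the deck or from IBM) showing all three side by side over SSH authentication logs: a signature rule for a password-guessing burst, a per-user baseline of normal source addresses and login hours, and a correlation rule that raises the severity when a success follows the burst. The log lines, hosts, users and addresses are constructed for the example; the line layout follows OpenSSH's sshd syslog messages, and the year is assumed because syslog omits it.

```python
"""Signature-, baseline- and correlation-based detection over SSH auth logs.
Added example; every log line below is constructed, not captured."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

YEAR = 2014  # syslog lines carry no year; assumed for the example
MONTHS = {m: i for i, m in enumerate(
    "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), start=1)}
LINE_RE = re.compile(
    r"^(?P<mon>\w{3}) +(?P<day>\d+) (?P<time>\d\d:\d\d:\d\d) (?P<host>\S+) "
    r"sshd\[\d+\]: (?P<result>Accepted|Failed) (?P<method>\w+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port")

# Learning window: logins known to be legitimate (constructed).
BASELINE_LOG = [
    "Mar 10 09:02:11 web01 sshd[1201]: Accepted publickey for alice from 10.0.1.5 port 5012 ssh2",
    "Mar 11 10:03:09 web01 sshd[1302]: Accepted publickey for alice from 10.0.1.5 port 5100 ssh2",
    "Mar 11 17:44:21 web01 sshd[1355]: Accepted password for bob from 10.0.2.9 port 6001 ssh2",
    "Mar 12 08:58:50 web01 sshd[1401]: Accepted publickey for alice from 10.0.1.5 port 5200 ssh2",
    "Mar 12 11:20:00 web01 sshd[1410]: Accepted password for bob from 10.0.2.9 port 6005 ssh2",
]
# Lines to evaluate (constructed): an off-hours login from a new address, a
# guessing burst that ends in a success, a normal login, and a cron line to skip.
NEW_LOG = [
    "Mar 13 03:12:04 web01 sshd[1501]: Accepted publickey for alice from 203.0.113.7 port 40101 ssh2",
    "Mar 13 11:00:01 web01 sshd[1510]: Failed password for root from 198.51.100.23 port 50001 ssh2",
    "Mar 13 11:00:09 web01 sshd[1511]: Failed password for root from 198.51.100.23 port 50002 ssh2",
    "Mar 13 11:00:17 web01 sshd[1512]: Failed password for invalid user admin from 198.51.100.23 port 50003 ssh2",
    "Mar 13 11:00:25 web01 sshd[1513]: Failed password for root from 198.51.100.23 port 50004 ssh2",
    "Mar 13 11:00:33 web01 sshd[1514]: Failed password for bob from 198.51.100.23 port 50005 ssh2",
    "Mar 13 11:01:30 web01 sshd[1516]: Accepted password for bob from 198.51.100.23 port 50006 ssh2",
    "Mar 13 11:30:00 web01 sshd[1520]: Accepted password for bob from 10.0.2.9 port 6010 ssh2",
    "Mar 13 11:31:01 web01 CRON[1530]: (root) CMD (run-parts /etc/cron.hourly)",
]
BRUTE_THRESHOLD = 5                      # failures from one source ...
BRUTE_WINDOW = timedelta(seconds=60)     # ... inside this window = signature hit
SUCCESS_WINDOW = timedelta(seconds=300)  # success this soon after a hit = correlated alert

def parse(line):
    """Return a dict for an sshd authentication line, None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = f"{YEAR} {MONTHS[m['mon']]} {m['day']} {m['time']}"
    return {"time": datetime.strptime(ts, "%Y %m %d %H:%M:%S"), "host": m["host"],
            "result": m["result"], "method": m["method"], "user": m["user"], "src": m["src"]}

def build_baseline(events):
    """Per-user normal behaviour: source addresses and hours of successful logins."""
    base = defaultdict(lambda: {"srcs": set(), "hours": set()})
    for ev in events:
        if ev["result"] == "Accepted":
            base[ev["user"]]["srcs"].add(ev["src"])
            base[ev["user"]]["hours"].add(ev["time"].hour)
    return dict(base)

def detect(events, baseline):
    """Run the signature rule, the baseline comparison and the correlation rule."""
    alerts = []
    failures = defaultdict(list)  # src -> recent failure times
    flagged = {}                  # src -> time the brute-force signature fired
    for ev in sorted(events, key=lambda e: e["time"]):
        src, t = ev["src"], ev["time"]
        if ev["result"] == "Failed":
            failures[src] = [x for x in failures[src] if t - x <= BRUTE_WINDOW] + [t]
            if len(failures[src]) >= BRUTE_THRESHOLD and src not in flagged:
                flagged[src] = t
                alerts.append({"kind": "brute_force", "severity": "medium",
                               "user": ev["user"], "src": src, "time": t})
            continue
        # Correlation: a success from a source that just tripped the signature.
        if src in flagged and t - flagged[src] <= SUCCESS_WINDOW:
            alerts.append({"kind": "brute_force_success", "severity": "critical",
                           "user": ev["user"], "src": src, "time": t})
        # Anomaly: deviation from this user's own baseline, no signature needed.
        norm = baseline.get(ev["user"])
        reasons = []
        if norm is None:
            reasons.append("no baseline for user")
        else:
            if src not in norm["srcs"]:
                reasons.append(f"new source {src}")
            if not any(abs(t.hour - h) <= 1 for h in norm["hours"]):
                reasons.append(f"unusual hour {t.hour:02d}")
        if reasons:
            alerts.append({"kind": "anomalous_login", "severity": "high", "user": ev["user"],
                           "src": src, "time": t, "reasons": reasons})
    return alerts

def run(baseline_lines, new_lines):
    """Parse both windows (dropping non-sshd lines) and return the alerts in time order."""
    baseline = build_baseline([e for e in map(parse, baseline_lines) if e])
    return detect([e for e in map(parse, new_lines) if e], baseline)

if __name__ == "__main__":
    for a in run(BASELINE_LOG, NEW_LOG):
        print(a["time"], a["severity"].upper(), a["kind"], a["user"], a["src"], a.get("reasons", ""))
```

The signature rule alone would have reported only a medium-severity burst; the baseline catches alice's 03:12 login from an address she has never used, which no signature describes; and the correlation rule is what turns "five failures then a success from 198.51.100.23" into the one critical alert a responder should open first. The thresholds and the one-hour tolerance are assumptions to tune per environment.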
  20. CDM implementation phases (grid of monitoring scope by layer)
     - Local computing environment: devices; people; events
     - Infrastructure and network: devices; events
     - Enclave (organization): devices and events
  21. Four tool functional areas and IBM tools for CDM Phase 1
     - Hardware Asset Management (HWAM): QRadar; IBM Endpoint Manager; augmentation tool: IBM Cognos (dashboard)
     - Software Asset Management (SWAM): QRadar; IBM Endpoint Manager; augmentation tool: IBM Cognos (dashboard)
     - Configuration Settings Management (CSM): QRadar; IBM Endpoint Manager; augmentation tool: IBM Cognos (dashboard)
     - Vulnerability Management (VUL): QRadar; IBM Endpoint Manager; augmentation tools: IBM Cognos (dashboard) and IBM Rational AppScan
  22. Delivering security solutions via a single, integrated platform: the Security Intelligence Platform (diagram)
  23. Security intelligence and analytics: portfolio overview
     A security intelligence platform that enables security optimization through advanced threat detection, meets compliance and policy demands, and eliminates data silos.
     - QRadar SIEM: integrated log, threat and compliance management; asset profiling and flow analytics
     - QRadar Risk Manager: predictive threat modeling and simulation; scalable configuration monitoring and audit
     - QRadar Log Manager: turnkey log management; upgradeable to enterprise SIEM
     - Network Activity Collectors (QFlow / VFlow): network analytics, behavior and anomaly detection; fully integrated with SIEM
     - QRadar Vulnerability Manager: integrated network scanning and workflow; uses SIEM, threat and risk data to prioritize vulnerabilities
     - New: QRadar Incident Forensics: integrated full packet capture; metadata extraction, reconstruction and replay
  24. Infrastructure (endpoint): portfolio overview
     Providing endpoints, servers, and mobile devices with security to remain compliant, updated, and protected against today's threats.
     IBM Endpoint Manager for Software Usage Analysis:
     - Network discovery: agentless mechanism to identify all IP-based devices on a network
     - HW & SW inventory: continuous and automated agent-based inventory
     - SW usage analysis: advanced software asset management capabilities
     IBM Endpoint Manager for Security and Compliance:
     - Security configuration management: SCAP-validated for both configuration assessment and remediation
     - Patch management: patch compliance and remediation
     - Vulnerability management: discover, identify, and locate known security vulnerabilities by assessing systems against OVAL-based vulnerability definitions
     - Client Manager for Endpoint Protection: "health check" for third-party anti-virus and anti-malware solutions
     - Network self-quarantine: endpoint control and quarantine for systems already running the IEM agent, via IPsec policy
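Slides 21 and 24 describe what a Phase 1 CDM deployment actually does: discover devices, inventory software, assess configuration against SCAP-style benchmark content, and match installed versions against OVAL-style vulnerability definitions, then feed prioritized findings to a dashboard. The following is an added example (not IBM's or DHS's code) that shows that pipeline end to end in one monitoring pass, plus the run-to-run diff that makes it "continuous". The inventory, the authorized baselines, the desired settings and the vulnerability identifiers are all constructed for the example; the `EXAMPLE-VULN-*` ids are placeholders, not real CVEs, and the scoring weights are assumptions.

```python
"""Continuous-monitoring check across the four CDM Phase 1 functional areas.
Added example; every input below is constructed, not exported from a real tool."""
import copy
from dataclasses import dataclass

# HWAM baseline: authorized device MAC -> hostname (constructed).
AUTHORIZED_HW = {"00:1a:2b:3c:4d:01": "web01", "00:1a:2b:3c:4d:02": "db01"}
# SWAM baseline: hostname -> packages allowed on it (constructed).
AUTHORIZED_SW = {"web01": {"nginx", "openssl"}, "db01": {"postgresql", "openssl"}}
# CSM baseline: desired settings, in the spirit of an SCAP benchmark (constructed).
DESIRED_CONFIG = {"ssh_root_login": "no", "password_min_len": 14}
# VUL definitions: package -> [(vulnerable version, severity, id)], modelled on
# OVAL definitions. The ids are placeholders, not real CVEs.
VULN_DEFS = {"openssl": [("1.0.1", "high", "EXAMPLE-VULN-1")],
             "nginx": [("1.4.0", "medium", "EXAMPLE-VULN-2")]}
SEVERITY_SCORE = {"high": 10, "medium": 5, "low": 1}  # assumed weights

# What the discovery tool reported on this run (constructed).
DISCOVERED = [
    {"mac": "00:1a:2b:3c:4d:01", "host": "web01",
     "software": {"nginx": "1.4.0", "openssl": "1.0.1", "netcat": "1.10"},
     "config": {"ssh_root_login": "yes", "password_min_len": 14}},
    {"mac": "00:1a:2b:3c:4d:02", "host": "db01",
     "software": {"postgresql": "9.3", "openssl": "1.0.2"},
     "config": {"ssh_root_login": "no", "password_min_len": 8}},
    {"mac": "de:ad:be:ef:00:01", "host": "unknown", "software": {}, "config": {}},
]

@dataclass(frozen=True)
class Finding:
    area: str     # HWAM, SWAM, CSM or VUL
    host: str
    detail: str
    score: int    # higher means fix first

def _rank(f):
    return (-f.score, f.host, f.area, f.detail)

def assess(discovered, authorized_hw, authorized_sw, desired_config, vuln_defs):
    """One monitoring pass: compare observed state to the baselines, worst first."""
    findings = []
    for dev in discovered:
        host = dev["host"]
        if dev["mac"] not in authorized_hw:
            # HWAM: a device nobody authorized has no baseline to compare against.
            findings.append(Finding("HWAM", host, f"unauthorized device {dev['mac']}", 8))
            continue
        allowed = authorized_sw.get(host, set())
        for pkg, ver in dev["software"].items():
            if pkg not in allowed:  # SWAM: installed but not on the allow list
                findings.append(Finding("SWAM", host, f"unauthorized software {pkg} {ver}", 6))
            for bad_ver, sev, vid in vuln_defs.get(pkg, []):  # VUL: version match
                if ver == bad_ver:
                    findings.append(Finding("VUL", host, f"{pkg} {ver} matches {vid} ({sev})",
                                            SEVERITY_SCORE[sev]))
        for key, want in desired_config.items():  # CSM: drift from desired state
            have = dev["config"].get(key)
            if have != want:
                findings.append(Finding("CSM", host, f"{key}={have!r}, expected {want!r}", 7))
    return sorted(findings, key=_rank)

def summarize(findings):
    """Counts per functional area, the kind of figure a CDM dashboard shows."""
    counts = {}
    for f in findings:
        counts[f.area] = counts.get(f.area, 0) + 1
    return counts

def delta(previous, current):
    """(new, resolved) findings between two runs; the 'continuous' in CDM."""
    prev, cur = set(previous), set(current)
    return sorted(cur - prev, key=_rank), sorted(prev - cur, key=_rank)

def after_patch(discovered, host, pkg, version):
    """Simulate a remediation: a copy of the inventory with pkg upgraded on host."""
    patched = copy.deepcopy(discovered)
    for dev in patched:
        if dev["host"] == host and pkg in dev["software"]:
            dev["software"][pkg] = version
    return patched

if __name__ == "__main__":
    found = assess(DISCOVERED, AUTHORIZED_HW, AUTHORIZED_SW, DESIRED_CONFIG, VULN_DEFS)
    for f in found:
        print(f"{f.score:>2} {f.area:<4} {f.host:<8} {f.detail}")
    print("summary:", summarize(found))
    new, fixed = delta(found, assess(after_patch(DISCOVERED, "web01", "openssl", "1.0.2"),
                                     AUTHORIZED_HW, AUTHORIZED_SW, DESIRED_CONFIG, VULN_DEFS))
    print("resolved since last run:", [f.detail for f in fixed], "new:", len(new))
```

Two design points worth noting. An unauthorized device is reported once and then skipped, because software and configuration baselines are keyed by host and an unknown host has none; chasing the device is the finding. And findings are frozen dataclasses so two runs can be diffed with set arithmetic, which is what lets the dashboard show "resolved since last run" rather than a static compliance snapshot, the shift slide 5 describes.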
  25. Application: portfolio overview
     IBM AppScan Enterprise:
     - Manage application security and risk with advanced security testing
     - Mitigate risk by collaborating with developers to remediate security vulnerabilities
     - Empower security teams to drive security testing throughout the software development life cycle (SDLC)
     - Integrate with web application firewalls to provide custom tuning based on actual vulnerabilities
     - Execute DAST against applications in development and production
     - Hybrid analysis to correlate DAST and SAST results
     IBM AppScan Source:
     - Source code analysis (SAST) to identify the latest security threats
     - Automated security testing within build environments
     IBM AppScan Standard:
     - Desktop application for security analysts and penetration testers
     - Advanced security testing based primarily on DAST, plus static analysis of client-side JavaScript
     - Glass-box testing
     - Coverage of the latest rich Internet applications and web technologies (web services, SOAP, Flash, Ajax and more)
  26. Data: portfolio overview
     Enterprise-wide solutions for helping secure the privacy and integrity of trusted information in your data center.
     IBM InfoSphere Guardium product family:
     - Database activity monitoring: continuously monitor and block unauthorized access to databases
     - Privileged user monitoring: detect or block malicious or unapproved activity by DBAs, developers and outsourced personnel
     - Database leak prevention: help detect and block leakage in the data center
     - Database vulnerability assessment: scan databases to detect vulnerabilities and take action
     - Audit and validate compliance: simplify SOX, PCI DSS, and data privacy processes with pre-configured reports and automated workflows
     IBM Security Key Lifecycle Manager:
     - Centralize and automate the encryption key management process
     - Simplify administration with an intuitive user interface for configuration and management
  27. The Cybersecurity Framework… (source: NIST)
     - Provides a structure organizations can use to create, guide, assess or improve comprehensive cybersecurity programs based on risks
     - Offers a common language to address and manage cyber risk in a cost-effective way based on business needs, without placing additional regulatory requirements on businesses
     - Allows organizations, regardless of size, degree of cyber risk or cybersecurity sophistication, to apply the principles and best practices of risk management to improve the security and resilience of critical infrastructure
     - Helps companies prove to themselves and their stakeholders that good cybersecurity is good business
     - Builds on global and other standards, guidelines, and best practices
     - Provides a means of expressing cybersecurity requirements to business partners and customers
     - Assists organizations in incorporating privacy and civil liberties as part of a comprehensive cybersecurity program
  28. Framework components (source: NIST)
     Framework Core:
     - Cybersecurity activities and informative references common across critical infrastructure sectors and organized around particular outcomes
     - Enables communication of cyber risk across an organization
     Framework Profile:
     - Aligns industry standards and best practices to the Framework Core in a particular implementation scenario
     - Supports prioritization and measurement of progress toward the Target Profile, while factoring in other business needs, including cost-effectiveness and innovation
     Framework Implementation Tiers:
     - Describe how cybersecurity risk is managed by an organization
     - Describe the degree to which an organization's cybersecurity risk management practices exhibit the key characteristics (e.g., risk and threat aware, repeatable, and adaptive)
  29. Framework Core (diagram; source: NIST)
  30. How to use the Cybersecurity Framework (source: NIST)
     The Framework is designed to complement existing business and cybersecurity operations, and can be used to:
     - Understand security status
     - Establish or improve a cybersecurity program
     - Communicate cybersecurity requirements with stakeholders, including partners and suppliers
     - Identify opportunities for new or revised informative references
     - Identify tools and technologies to help organizations use the Framework
     - Integrate privacy and civil liberties considerations into a cybersecurity program
  31. IBM's 2012 Chief Information Security Officer Study revealed the changing role of the CISO
     - Influencers: confident / prepared; strategic focus
     - Protectors: less confident; somewhat strategic; lack necessary structural elements
     - Responders: least confident; focus on protection and compliance
     How they differ (measures compared): have a dedicated CISO; have a security/risk committee; have information security as a board topic; use a standard set of security metrics to track their progress; focused on improving enterprise communication/collaboration; focused on providing education and awareness (percentages not reproduced)
     Source: IBM Center for Applied Insights, Finding a Strategic Voice: Insights from the 2012 IBM Chief Information Security Officer Assessment, May 2012
  32. Reaching security maturity
     Level      | Security Intelligence                                      | People                                                                      | Data                                                                          | Applications                                       | Infrastructure
     Optimized  | Predictive analytics, big data workbench, flow analytics   | Identity governance, fine-grained entitlements, privileged user management  | Data governance, encryption key management                                   | Fraud detection, hybrid scanning and correlation   | Multi-faceted network protection, anomaly detection, hardened systems
     Proficient | SIEM and vulnerability management                          | User provisioning, access management, strong authentication                 | Data masking / redaction, database activity monitoring, data loss prevention | Web application protection, source code scanning   | Virtualization security, asset management, endpoint / network security management
     Basic      | Log management                                             | Directory management                                                        | Encryption, database access control                                           | Application scanning                               | Perimeter security, host security, anti-virus
     Advanced fraud protection is shown as a separate band alongside security intelligence.
  33. IBM Security Systems portfolio: IBM offers a comprehensive portfolio of security products
     - Security Intelligence and Analytics: QRadar Log Manager, QRadar SIEM, QRadar Risk Manager, QRadar Vulnerability Manager
     - Advanced Fraud Protection: Trusteer Rapport, Trusteer Pinpoint Malware Detection, Trusteer Pinpoint ATO Detection, Trusteer Mobile Risk Engine
     - People: Identity Management, Access Management, Privileged Identity Manager, Federated Access and SSO
     - Data: Guardium Data Security and Compliance, Guardium DB Vulnerability Management, Guardium / Optim Data Masking, Key Lifecycle Manager
     - Applications: AppScan Source, AppScan Dynamic, DataPower Web Security Gateway, Security Policy Manager
     - Network Infrastructure: Network Intrusion Prevention, Next Generation Network Protection, SiteProtector Threat Management, Network Anomaly Detection
     - Endpoint: Trusteer Apex, Mobile and Endpoint Management, Virtualization and Server Security, Mainframe Security
     - IBM X-Force Research underpins the portfolio
  34. Using security frameworks to achieve effectiveness & compliance (image slide)
  35. Highlighted announcements
     - NEW: QRadar Incident Forensics
     - NEW: Critical Infrastructure Services
     - NEW: "All-in-one" Access Management
     - NEW: Secure Network Optimization Services
     - NEW: Virtual IPS & Identity Service for Cloud
     Planned future announcements (not detailed on the slide)
  36. For more information
     Peter Allor, Security Strategist, Federal, IBM: pallor@us.ibm.com
     Contacts: Jerry Jarvis, jjarvis@us.ibm.com; David Nagel, dnagel@us.ibm.com
     Additional information (white papers on CDM):
     http://www.ibm.com/common/ssi/cgi-bin/ssialias?subtype=WH&infotype=SA&appname=SWGE_WG_WG_USEN&htmlfid=WGW03019USEN&attachment=WGW03019USEN.PDF
     http://www-304.ibm.com/industries/publicsector/us/en/promotion/!!/xmlid=242300
  37. www.ibm.com/security
     © Copyright IBM Corporation 2014. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind, express or implied. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, these materials. Nothing contained in these materials is intended to, nor shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software. References in these materials to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates. Product release dates and/or capabilities referenced in these materials may change at any time at IBM's sole discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any way. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service marks of others.
     Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed, misappropriated or misused or can result in damage to or misuse of your systems, including for use in attacks on others. No IT system or product should be considered completely secure and no single product, service or security measure can be completely effective in preventing improper use or access. IBM systems, products and services are designed to be part of a lawful, comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective. IBM DOES NOT WARRANT THAT ANY SYSTEMS, PRODUCTS OR SERVICES ARE IMMUNE FROM, OR WILL MAKE YOUR ENTERPRISE IMMUNE FROM, THE MALICIOUS OR ILLEGAL CONDUCT OF ANY PARTY.
