Five critical conditions to maximizing security intelligence investments


In today's high-tech, highly mobile, everything-connected, data-is-everywhere world, we need to look at security very differently than we did just a few years ago. In the good old days, a strong perimeter defense and some endpoint protection was pretty much all that was needed to protect a company's digital environment. There are, however, many indicators highlighting the fact that we need to do something different.

Learn more: http://securityintelligence.com


Slide 1. Five Critical Conditions for Maximizing Security Intelligence Investments
Ray Menard, Senior Security Architect, IBM Security Systems
October 24, 2013
© 2013 IBM Corporation

Slide 2. Innovative technology changes everything
• 1 trillion connected objects
• 1 billion mobile workers
• Social business
• Bring your own IT
• Cloud and virtualization

Slide 3. Attacks continue as perpetrators sharpen skills
(Chart: attacker groups plotted by motivation against sophistication)
• Nation-state actors, APTs (Stuxnet, Aurora, APT1): national security, economic espionage
• Hacktivists (Lulzsec, Anonymous): notoriety, activism, defamation
• Organized crime (Zeus, ZeroAccess, Blackhole Exploit Pack): monetary gain
• Insiders, spammers, script-kiddies (Nigerian 419 scams, Code Red): nuisance, curiosity

Slide 4. Targeted attacks remain top of mind
(Collage of headlines)
• "South Carolina taxpayer server hacked, 3.6 million Social Security numbers compromised" – CNN, Oct 2012
• "Saudi Arabia Says Aramco Cyberattack Came From Foreign States" – Bloomberg, Dec 2012
• "Hackers in China Attacked The Times for the Last 4 Months" – The New York Times, Jan 2013
• "Chinese hacking of US media is 'widespread phenomenon'" – Wired, Feb 2013
• "Facebook hacked in 'sophisticated attack'" – The Guardian, Feb 2013
• "Fed Acknowledges Cybersecurity Breach" – The Wall Street Journal, Feb 2013
• "How to Hack Facebook In 60 Seconds" – InformationWeek, June 2013
• "Apple Hacked: Company Admits Development Website Was Breached" – Huffington Post, July 2013
• "Adobe Systems Reports Attack on Its Computer Network" – The Wall Street Journal, Oct 2013

Slide 5. (Chart) Source: IBM Security X-Force 2011 Trend and Risk Report; IBM Security X-Force 2013 Mid-Year Trend and Risk Report

Slide 6. Despite proliferation of security solutions
(Vendor logo chart grouped by product category: IT GRC, DAM, SIEM/Log Management, NBA, VM, DLP, RM/CM; RSA, "The Security Division of EMC", is among the logos)

Slide 7. What is Security Intelligence?
Security Intelligence
--noun: A methodology of analyzing millions and billions of security, network and application records across the organization's entire network in order to gain insight into what is actually happening in that digital world.
--verb: Combining internal, locally collected security intelligence with external intelligence feeds, and applying correlation rules to reduce huge volumes of data to a handful of high-probability 'offense' records that require immediate investigation, in order to prevent or minimize the impact of security incidents.
Delivers actionable, comprehensive insight for managing risks, combatting threats, and meeting compliance mandates.

Slide 8. 1. It's what you don't know that can hurt you

Slide 9. Security Intelligence Timeline
Prediction & Prevention (sources the timeline adds):
• Devices and applications having no logging capabilities
• Anomalous activity
• Disabled logging
• Network noise
• Vulnerabilities (passive)
• Virtual activity
• User activity
Reaction & Remediation (traditional sources):
• Firewalls
• IDS
• Syslog events
• Application logs
• Windows events
• Authentication logs
• Network device logs
• Database activity logs
• Vulnerabilities (active)

Slide 10. Point solutions lack 360 degree network visibility
(Diagram of inputs converging on prioritized offenses)
• IBM X-Force® Threat Information Center
• Identity and user context
• Inbound security events
• Real-time network visualization and application statistics
→ Real-time security threats and prioritized 'offenses'

Slide 11. Business value of security intelligence
(Chart: business impact over time)
• Vertical axis: business impact (potential damage effect, business interruption, actual business impact, critical threshold)
• Horizontal axis: time
• Proactive phase (intelligence, prevention): proactive business impact limited to blocking of legitimate traffic
• Reactive phase (incident, response, forensics): actual business impact

Slide 12. 2. Force multipliers are key to winning the battle

Slide 13. Early solutions captured only tip of data iceberg
Then: Collection (log collection; signature-based detection)
• Logs, events, alerts (the visible tip of the iceberg)
Now: Intelligence (real-time monitoring; context-aware anomaly detection; automated correlation and analytics)
• Configuration information
• System audit trails
• Network flows and anomalies
• External threat feeds
• Business process data
• Identity context
• E-mail and social activity
• Malware information

Slide 14. QRadar's wide spectrum of security intelligence feeds (diagram)

Slide 15. Backed by broad R&D organization collecting real world insights
(Map of Security Operations Centers, Security Research and Development Labs and Institute for Advanced Security branches, including Herzliya)
• 6,000 researchers, developers and subject matter experts working security initiatives worldwide
• 3,000+ IBM security patents

Slide 16. To further increase accuracy of analytics
Security intelligence feeds: geo location; internet threats; vulnerabilities

Slide 17. Constantly injecting SI platform intelligence updates
• QRadar Security Intelligence modules receive nightly content updates or fresh "intelligence"
• Updated content includes:
  – Device Support Modules (log parsers)
  – Event mapping / QID (log metadata)
  – X-Force threat and vulnerability data
  – Custom properties, rules, searches, reports
  – QFlow application signatures (Layer 7)
  – Functional software patches
• Delivered to the Console and subsequently consumed by all managed hosts
• No waiting weeks or months for new releases; protection that adapts in concert with changes in the security landscape

Slide 18. 3. Reduce incident investigations with more available data

Slide 19. Automation accelerates time-to-value, preserves currency
• Simplified deployment delivers results in days
  – Syslog device detection configures log data sources
  – Passive flow asset detection populates the asset database
  – Out-of-the-box rules and reports reduce incident investigations and meet compliance mandates
• Real-time events keep information current
  – Immediate discovery of network asset additions triggers proactive vulnerability scans, configuration comparisons and policy compliance checks
  – Daily and weekly updates to rules, reports, vulnerabilities, patches, searches, support modules, protocols and signatures

Slide 20. Intuitive rules engine interface reduces false positives
Tune the system or create your own rules in three simple steps without professional services:
1) Choose the action
2) Build the customized rule
3) Save for future use

Slide 21. Network flow analysis is fundamental capability
• Log management products collect a subset of available data
• Netflows enable visibility into attacker communications
  – Stored as aggregated, bi-directional records of IP addresses, ports, and protocols
  – Offer advanced detection and forensics via flow pivoting, drill-down and data mining
• QFlow Collectors dig deeper, adding Layer 7 application insights
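The bi-directional flow records slide 21 describes, as an added example that is not QRadar's or IBM's own code: it folds constructed unidirectional NetFlow-style records into client/server records keyed by IP addresses, port and protocol, then shows the two uses the slide names, a drill-down pivot by client and a detection pass over the aggregated records. The server side is chosen by the lower port number, an assumed heuristic (real collectors use TCP flag and first-seen ordering), and the beacon check (regular intervals, small payload) is an assumed detection, not a QRadar rule.

```python
from dataclasses import dataclass, field
from statistics import mean, pstdev

# Constructed unidirectional flow records shaped like NetFlow exports:
# (start_ts, src_ip, src_port, dst_ip, dst_port, proto, packets, bytes)
RAW_FLOWS = [
    (1000, "10.0.1.5", 52311, "203.0.113.9", 443, "tcp", 12, 1800),
    (1000, "203.0.113.9", 443, "10.0.1.5", 52311, "tcp", 10, 15400),
    (1030, "10.0.1.5", 52312, "203.0.113.9", 443, "tcp", 8, 1200),
    (1030, "203.0.113.9", 443, "10.0.1.5", 52312, "tcp", 7, 9800),
    (1005, "10.0.1.5", 53001, "10.0.0.2", 53, "udp", 1, 70),
    (1005, "10.0.0.2", 53, "10.0.1.5", 53001, "udp", 1, 130),
    # one host contacting the same server at exact 60 s intervals
    (1100, "10.0.1.7", 40001, "198.51.100.20", 8080, "tcp", 3, 240),
    (1100, "198.51.100.20", 8080, "10.0.1.7", 40001, "tcp", 2, 120),
    (1160, "10.0.1.7", 40002, "198.51.100.20", 8080, "tcp", 3, 240),
    (1160, "198.51.100.20", 8080, "10.0.1.7", 40002, "tcp", 2, 120),
    (1220, "10.0.1.7", 40003, "198.51.100.20", 8080, "tcp", 3, 240),
    (1220, "198.51.100.20", 8080, "10.0.1.7", 40003, "tcp", 2, 120),
    (1280, "10.0.1.7", 40004, "198.51.100.20", 8080, "tcp", 3, 240),
    (1280, "198.51.100.20", 8080, "10.0.1.7", 40004, "tcp", 2, 120),
]


@dataclass
class BiFlow:
    """One aggregated bi-directional record: client -> server:port/proto."""
    client: str
    server: str
    server_port: int
    proto: str
    sessions: int = 0          # client-initiated records folded into this row
    bytes_out: int = 0         # client -> server
    bytes_in: int = 0          # server -> client
    packets: int = 0
    times: list = field(default_factory=list)   # start times of each session


def canonical(src, sport, dst, dport):
    """Assumed heuristic: the endpoint with the lower port is the server.
    Returns (client, server, server_port, direction)."""
    if dport <= sport:
        return src, dst, dport, "out"      # this record travels client -> server
    return dst, src, sport, "in"           # this record is the reply direction


def aggregate(raw):
    """Fold unidirectional records into bi-directional ones."""
    table = {}
    for ts, src, sport, dst, dport, proto, pkts, byts in raw:
        client, server, port, direction = canonical(src, sport, dst, dport)
        key = (client, server, port, proto)
        if key not in table:
            table[key] = BiFlow(client, server, port, proto)
        bf = table[key]
        if direction == "out":
            bf.bytes_out += byts
            bf.sessions += 1
            bf.times.append(ts)
        else:
            bf.bytes_in += byts
        bf.packets += pkts
    return table


def pivot_by_client(table, client):
    """Drill-down: every server a host talked to, largest upload first."""
    rows = [bf for bf in table.values() if bf.client == client]
    return sorted(rows, key=lambda b: b.bytes_out, reverse=True)


def beacon_candidates(table, min_sessions=4, max_jitter=0.1):
    """Assumed detection: many sessions whose start-to-start gaps are
    nearly constant (std-dev small relative to mean gap)."""
    out = []
    for bf in table.values():
        if bf.sessions < min_sessions:
            continue
        ts = sorted(bf.times)
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        if mean(gaps) > 0 and pstdev(gaps) / mean(gaps) <= max_jitter:
            out.append(bf)
    return out


if __name__ == "__main__":
    table = aggregate(RAW_FLOWS)
    for bf in pivot_by_client(table, "10.0.1.5"):
        print(f"{bf.client} -> {bf.server}:{bf.server_port}/{bf.proto} "
              f"sessions={bf.sessions} out={bf.bytes_out} in={bf.bytes_in}")
    for bf in beacon_candidates(table):
        print("regular low-volume sessions:", bf.client, "->", bf.server)
```

The aggregation keeps the per-direction byte counts, which is what lets an analyst separate a large download from a large upload when pivoting on a host; the unidirectional records alone do not make that distinction obvious.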
Slide 22. Detecting the Undetectable (screenshot)

Slide 23. Detecting the Undetectable (screenshot)

Slide 24. The Bigger Picture (screenshot)

Slide 25. Baselining and anomaly detection complete picture
• Correlation of log and flow data creates profiles of user, application and data access patterns
• Anomaly detection uses multiple measurements to signal change
  – Thresholds: above or below normal range
  – Anomaly: detects appearance of new objects
  – Behavior: reveals deviations from established 'seasonal' patterns
(Chart comparing a large window of 5 hours against a small window of 1 hour)
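The three measurements on slide 25, as an added example that is not QRadar's own logic: a threshold test against a baseline's normal range, a new-object test, and a behaviour test that compares a small recent window (1 point, standing in for the slide's 1 hour) with the large window before it (5 points, for 5 hours), plus a 'seasonal' variant that compares a value only with past values from the same slot. The constructed data are hourly failed-login counts and destination-port sets; the 3-sigma band, the 2x ratio and the sigma floor are assumed tuning values.

```python
from statistics import mean, pstdev

# Constructed hourly failed-login counts for one account; the last hour spikes.
HOURLY = [4, 5, 6, 5, 4, 5, 6, 4, 5, 6, 5, 20]
# Constructed destination-port sets: what the profile had seen, and the current hour.
PORTS_SEEN_BEFORE = {22, 80, 443}
PORTS_NOW = {80, 443, 4444}
# Constructed 'seasonal' history: past counts keyed by hour of day.
BY_HOUR_OF_DAY = {9: [40, 44, 38, 42, 41], 2: [0, 1, 0, 0, 1]}


def threshold_anomaly(value, baseline, k=3.0, min_sigma=1.0):
    """Threshold measure: outside mean +/- k*sigma of the baseline.
    sigma is floored so a perfectly flat baseline does not flag every change."""
    mu = mean(baseline)
    sigma = max(pstdev(baseline), min_sigma)
    low, high = mu - k * sigma, mu + k * sigma
    return not (low <= value <= high), (low, high)


def new_objects(seen_before, current):
    """Anomaly measure: objects (ports, hosts, applications) never profiled before."""
    return sorted(set(current) - set(seen_before))


def window_anomaly(series, large=5, small=1, ratio=2.0):
    """Behaviour measure: mean of the last `small` points versus the mean of the
    `large` points that precede them. Returns (flagged, recent_mean, prior_mean)."""
    if len(series) < large + small:
        raise ValueError("need at least large + small data points")
    recent = series[-small:]
    prior = series[-(large + small):-small]
    cur, base = mean(recent), mean(prior)
    return cur > ratio * max(base, 1.0), cur, base


def seasonal_anomaly(history, slot, value, k=3.0):
    """Behaviour measure with seasonality: compare only against past values
    recorded at the same slot (hour of day here). None if no baseline yet."""
    past = history.get(slot)
    if not past:
        return None
    flagged, _band = threshold_anomaly(value, past, k)
    return flagged


def evaluate(series, seen_before, current, history, slot):
    """Run all measures on the latest point and collect what fired."""
    findings = {}
    flagged, band = threshold_anomaly(series[-1], series[:-1])
    if flagged:
        findings["threshold"] = band
    fresh = new_objects(seen_before, current)
    if fresh:
        findings["new_objects"] = fresh
    flagged, cur, base = window_anomaly(series)
    if flagged:
        findings["window"] = (cur, base)
    seasonal = seasonal_anomaly(history, slot, series[-1])
    if seasonal:
        findings["seasonal"] = slot
    return findings


if __name__ == "__main__":
    print(evaluate(HOURLY, PORTS_SEEN_BEFORE, PORTS_NOW, BY_HOUR_OF_DAY, 2))
```

The seasonal check is what keeps a 9 a.m. login burst from looking anomalous while the same count at 2 a.m. does; the plain window check cannot tell those apart.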
Slide 26. 4. Further reduce blind spots using nontraditional event sources

Slide 27. Integrated vulnerability management narrows the actions
Existing vulnerability management tools: (figure) an undifferentiated cloud of "Your CVEs" / "Your Vulnerabilities"
Questions remain:
• Has that been patched?
• Has it been exploited?
• Is it likely to be exploited?
• Does my firewall block it?
• Does my IPS block it?
• Does it matter?
Security Intelligence Integration
• Improves visibility – intelligent, event-driven scanning, asset discovery, asset profiling and more
• Reduces data load – bringing rich context to vulnerability management
• Breaks down silos – leveraging all QRadar integrations and data; unified vulnerability view across all products
QRadar Vulnerability Manager: (figure) the same cloud of vulnerabilities annotated with context: Inactive, Patched, Blocked, Critical, At risk!, Exploited!
Answers delivered:
• Real-time scanning
• Early warning capabilities
• Advanced pivoting and filtering
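The narrowing slide 27 describes, as an added example that is not QRadar Vulnerability Manager's code: scan findings are joined with the context sources the slide's questions imply (patch state, offense correlation, exploit availability, firewall/IPS policy, observed services) and each finding gets one of the slide's labels, so the analyst's queue shrinks from every CVE to the few that are reachable, unpatched and live. Every identifier below is constructed (the CVE numbers are obvious placeholders), and the label order and CVSS cut-off are assumed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    asset: str
    cve: str       # constructed placeholder ids, not real CVE numbers
    port: int      # service the scanner found the weakness on
    cvss: float


@dataclass
class Context:
    patched: set         # (asset, cve) pairs reported patched by endpoint management
    exploited: set       # (asset, cve) pairs correlated with an offense against that asset
    public_exploit: set  # cve ids with a known public exploit according to a threat feed
    blocked: set         # (asset, port) paths blocked by firewall or IPS policy
    listening: set       # (asset, port) services actually observed in flow data


# Assumed ordering: what needs action first sorts first.
RANK = {"Exploited!": 0, "At risk!": 1, "Critical": 2, "Open": 3,
        "Blocked": 4, "Inactive": 5, "Patched": 6}


def classify(f, ctx):
    """Answer the slide's questions in order and return one label."""
    if (f.asset, f.cve) in ctx.patched:
        return "Patched"                       # Has that been patched?
    if (f.asset, f.cve) in ctx.exploited:
        return "Exploited!"                    # Has it been exploited?
    if (f.asset, f.port) not in ctx.listening:
        return "Inactive"                      # Does it matter? Service is not even up.
    if (f.asset, f.port) in ctx.blocked:
        return "Blocked"                       # Does my firewall / IPS block it?
    if f.cve in ctx.public_exploit:
        return "At risk!"                      # Is it likely to be exploited?
    if f.cvss >= 9.0:                          # assumed cut-off
        return "Critical"
    return "Open"


def prioritize(findings, ctx):
    """Every finding with its label, most urgent first, CVSS breaking ties."""
    labelled = [(classify(f, ctx), f) for f in findings]
    return sorted(labelled, key=lambda p: (RANK[p[0]], -p[1].cvss))


def work_queue(findings, ctx):
    """The handful that still need action: not patched, not blocked, not inactive."""
    return [(label, f) for label, f in prioritize(findings, ctx)
            if RANK[label] <= RANK["Open"]]


# Constructed scan output and context.
FINDINGS = [
    Finding("web01", "CVE-0000-0001", 443, 9.8),
    Finding("web01", "CVE-0000-0002", 443, 7.5),
    Finding("db01", "CVE-0000-0003", 3306, 9.1),
    Finding("db01", "CVE-0000-0004", 1433, 8.0),
    Finding("app02", "CVE-0000-0005", 8080, 6.5),
    Finding("app02", "CVE-0000-0006", 8080, 9.3),
    Finding("app02", "CVE-0000-0007", 8080, 5.0),
]
CONTEXT = Context(
    patched={("web01", "CVE-0000-0001")},
    exploited={("app02", "CVE-0000-0005")},
    public_exploit={"CVE-0000-0002"},
    blocked={("db01", 3306)},
    listening={("web01", 443), ("db01", 3306), ("app02", 8080)},
)

if __name__ == "__main__":
    for label, f in prioritize(FINDINGS, CONTEXT):
        print(f"{label:11s} {f.asset:6s} {f.cve} port {f.port} cvss {f.cvss}")
```

Note that "Blocked" and "Inactive" findings are kept rather than discarded: a firewall change or a newly started service turns them back into open exposures, which is why the slide pairs this view with event-driven rescanning.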
Slide 28. 'Big Data' adds more structured and even unstructured data
Two major roles QRadar can play in the IBM Big Data solution:
1) Collects SI data and feeds it to BigInsights to enrich data sources
2) Provides a dashboard to display, organize, and query the data generated by Big Data Analytics and Forensics
(Architecture diagram; columns: Collect → Store & Process → Analyze; the legend distinguishes flow of data/information from flow of knowledge)
• Data sources: security and infrastructure data sources; external threat intelligence feeds; email, web, blogs, and social activity
• Real-time processing: QRadar Security Intelligence Platform; QRadar Console (web interface); Security Operations (watch list, custom rules)
• Big Data Analytics and Forensics: Big Data Warehouse with InfoSphere BigInsights and InfoSphere BigSheets; Hadoop store (raw data); relational store (high-value information); i2 Intelligence Analysis
Numbered flow in the diagram:
1. Data collection & enrichment (hot)
2. Real-time insights (hot)
3. Forward (hot) & store (hot, warm, cold) data
4. Big Data analysis, trends & history (warm and cold)
5. Advanced visualizations and investigation (warm and cold)
6. Enrich / adapt / improve

Slide 29. Virtual appliances see inside the cloud
• IBM Security QRadar VFlow Collectors
  – Use deep packet inspection to provide visibility into application-layer virtual network traffic in the cloud
  – Detect new security threats, malware, viruses and anomalies through behavior profiling of network traffic without relying on vulnerability signatures
  – Support VMware virtual environments and profile more than 1,000 applications
  – Run on a virtual server and require no additional hardware

Slide 30. QRadar Risk Manager adds pro-active capabilities
• Normalized device configurations are gathered and stored either on demand or via scheduled activities
• Performs firewall rule analysis, configuration error detection (e.g. shadowed rules), and rule activity correlation with 'offenses'
(Screenshot: shadowed rules)
Slide 31. 5. Importance of solution integration

Slide 32. Integrations critical to success and differentiation of IBM Security and customers
• Consolidate siloed information from hundreds of sources
• Detect, notify and respond to threats missed by other security solutions
• Automate compliance tasks and assess risks
• Stay ahead of the changing threat landscape
• Detect the latest vulnerabilities, exploits and malware
• Add security intelligence to non-intelligent systems
• Infrastructure protection to block specific vulnerability types using scan results
• Converge access management with web service gateways
• Link identity information with database security

Slide 33. Using fully integrated architecture and interface
One console, SME to enterprise; built on a single data architecture.
• Log Management: turn-key log management and reporting; SME to enterprise; upgradeable to enterprise SIEM
• SIEM: log, flow, vulnerability & identity correlation; sophisticated asset profiling; offense management and workflow
• Configuration & Vulnerability Management: network security configuration monitoring; vulnerability prioritization; predictive threat modeling & simulation
• Network Activity & Anomaly Detection: network analytics; behavioral anomaly detection; fully integrated in SIEM
• Network and Application Visibility: Layer 7 application monitoring; content capture for deep insight & forensics; physical and virtual environments

Slide 34. Summary of five conditions and best practices
1. It's what you don't know that can hurt you
2. Force multipliers are key to winning the battle
3. Reduce incident investigations with more available data
4. Further reduce blind spots using nontraditional event sources
5. Importance of solution integration

Slide 35. Learn more about IBM QRadar Security Intelligence
• Watch executive Steve Robinson (VP) discuss the next era for Security Intelligence: http://ibm.co/nextera
• Download the 2013 Gartner Magic Quadrant for SIEM: http://ibm.co/GMQ
• Read our IT Executive Guide to Security Intelligence white paper: ibm.co/11HQdfc
• Visit our blog: www.securityintelligence.com
• Website: http://ibm.co/QRadar

Slide 36. Statement of Good Security Practices
IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed or misappropriated or can result in damage to or misuse of your systems, including to attack others. No IT system or product should be considered completely secure and no single product or security measure can be completely effective in preventing improper access. IBM systems and products are designed to be part of a comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective. IBM DOES NOT WARRANT THAT SYSTEMS AND PRODUCTS ARE IMMUNE FROM THE MALICIOUS OR ILLEGAL CONDUCT OF ANY PARTY.
www.ibm.com/security
© Copyright IBM Corporation 2013. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind, express or implied. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, these materials. Nothing contained in these materials is intended to, nor shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software. References in these materials to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates. Product release dates and/or capabilities referenced in these materials may change at any time at IBM's sole discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any way.
IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service marks of others.
