Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.



Published on

5/5/17 Webinar Deck

Published in: Technology
  • Be the first to comment

  • Be the first to like this


  1. 1. IBM QRadar User Behavior Analytics DETECTING INSIDER THREAT AND RISKS May 2017
  2. 2. 2 IBM Security Agenda • Problem Context • Typical Challenges • IBM UBA capabilities with machine learning analytics • IBM’s integrated approach to insider threat protection • Case Study • Next Steps Johnny Shin Executive Consultant - Identity and Access Management Architecture & Program Delivery Jas Johal Sr. Offering Manager – IAM Services IBM Security Milan Patel Program Director Security Offerings Management IBM Security
  3. 3. 3 IBM Security Increasing attacks, shortage of skills and growing insider threats continue to dominate Growing Insider Risk Too Many Tools Increasing Attack Activity Too Few People anticipated shortfall by 2020 45 vendors annual increase for InfoSec analysts 1M 100 more security incidents from 2014-201564% ’s of incidents and events daily 37% insider data breaches 43% perpetrators take data and go work for competitors 65% 85 security tools from
  4. 4. 4 IBM Security SECURITY TRANSFORMATION SERVICES Management consulting | Systems integration | Managed security QRadar Vulnerability / Risk Manager Resilient Incident Response X-Force Exchange QRadar Incident Forensics BigFix Network Protection XGS QRadar SIEM I2 Enterprise Insight Analysis App Exchange SECURITY OPERATIONS AND RESPONSE MaaS360 INFORMATION RISK AND PROTECTION Trusteer Mobile Trusteer Rapport AppScan Guardium Cloud Security Privileged Identity Manager Identity Governance and Access Cloud Identity Service Key Manager zSecure Trusteer Pinpoint QRadar User Behavior Analytics Our integrated view provides visibility so you can stop insider threats
  5. 5. 5 IBM Security Example - Extending UBA with flow data • Detect flow based anomalies • Accessing non-business resources • Accessing unauthorized resources • Potential spam/phishing attempts • Detecting malware infection • Accessing sensitive personal information • Out of policy web usage • Detect DNS anomalies • DGA • Fastflux • Tunneling and exfiltration • End-point infection analytics
  6. 6. 6 IBM Security Example - Extending QVM/QRM with UBA data • Prioritize Vulnerabilities based on user risk • Scanning Assets of users above risk thresholds • Degrees of separation to critical assets or information for risk management • Add, modify rules on IPS side to block at user level if user is phished • Augment asset risk based on user risk • Monitor possible attack vectors for Risky users
  7. 7. 7 IBM Security Comprehensive data set and open analytics sense malicious users Insider Risk Score SENSE ANALYTICSTM BEHAVIORAL • Pattern identification • User and entity profiling • Statistical analysis • Anomaly detection CONTEXTUAL • Business context • Entity and user context • External threat correlation TIME-BASED • Historical analytics • Real-time analytics • Threat hunting • Threshold rules Users Cloud Applications Applications Data Servers DLP Endpoints Network Threat Intelligence 3rd Party SIEM feeds Other analytics
  8. 8. 8 IBM Security Comprehensive data set and open analytics sense malicious users
  9. 9. 9 IBM Security IBM QRadar UBA 2.0 • Machine Learning algorithms • Flow based use cases that leverage QNI
  10. 10. 10 IBM SecurityIBM INTERNAL & BUSINESS PARTNER USE ONLY IBM QRadar UBA: Detecting anomalous deviations  Monitor users on deviation from normal behavior: • 14 different event categories of QRadar • temporal analysis • time series analysis  Predict range in which the users’ activities should fall  Example anomalous activities detected by these algorithms are: • Abnormal change in user activity (over time) • Abnormal change in user’s authentication or access activity • Deviation from normal risk posture of the user
  11. 11. 11 IBM SecurityIBM INTERNAL & BUSINESS PARTNER USE ONLY IBM QRadar UBA: Machine Learning algorithms “Deviations from normal behavior”
  12. 12. 12 IBM Security SOC analysts gain speed from user behavior analytics …in the hunt to reduce risks and eliminate threats Easily find malicious behavior Easily acquire, deploy and use Improve analyst efficiency  Detect threats across users and assets leveraging advanced analytics with behavioral patterns  Tap into broad set of internal data sources and threat intelligence  Visibility into the risk posture within hours not days  Download app and install quickly  Identify risky users, behavior and offences in minutes not hours  Reduce overhead on skills and time
  13. 13. 13 IBM Security To get most of your UBA - 3 steps to stop harmful insider actions STEP 2: Detect insider threats: Anticipate the risk of malicious actions before they occur and respond when breached STEP 1: Reduce your exposure: Secure your sensitive data and govern your user identities
  14. 14. 14 IBM Security Address security gaps insiders exploit with an integrated approach 1. Who has access to sensitive data? 2. Who should have access? 3. Can you control privileged user access to sensitive data? 4. How are your users accessing the data? 1. What data is sensitive? 2. Where is sensitive data stored? 3. Is the right sensitive data being exposed? 4. What risk is associated with sensitive data? 1. What are end users and administrators doing with data? 2. What do normal transaction patterns look like between the user and your sensitive data? 3. How much can you trust each individual user? 4. When should a deviation from “normal” be cause for further investigation?
  15. 15. 15 IBM Security  User Behavior Analytics  SIEM  Access management  Identity management & governance  Privileged users management  Data protection  Risk detection & threat analytics  Data activity monitoring Safeguard against harmful insider actions with trusted security expertise, actionable intelligence and powerful technology Security Services  Identify gaps, improve compliance and prioritize security actions  Integrate your capabilities  Security expertise to drive insights
  16. 16. 16 IBM Security 3 steps to stop harmful insider actions STEP 2: Detect insider threats. Anticipate the risk of malicious actions before they occur and respond when breached STEP 1: Reduce your exposure. Secure your sensitive data and govern your user identities STEP 3: Get started today. Apply a systematic approach and methodology to your 5-10 most important crown jewel data.
  17. 17. 17 IBM Security Getting started: An integrated approach that provides clear, actionable intelligence Prioritize compliance and security actions with risk-based insights from end-to-end mapping of your critical information’s access pathways Analyze user behaviors to detect suspicious activities for further investigation Insider threat protection services from IBM Trusted IBM security specialists can offer the business, data and IAM security experience to help you evaluate intelligence, draw more meaningful conclusions and prepare for next steps.
  18. 18. 18 IBM Security IBM puts our insider threat solution into practice with a consistent and repeatable four step operational model with emphasis on high risk assets 1 2 3 4Define Discover Investigate Remediate Define Use Case Identify critical data (crown jewels) Identify privileged users Matching user list Corporate Data Trigger  Machine/ statistical analysis  Resource usage analysis  Policy violation analysis  Top down comparative analysis  Bottom up comparative analysis Anomaly Activity Trigger Potential Threat APP/SYSTEM TRANSACITON LOG APP/SYSTEM CHANGE LOG APP/SYSTEM ACCESS LOG APP/SYSTEM PROCESS EXCEPTION LOG ApplicationsEnterpriseSystems HTTP SITE ACCESS/ DOWNLOAD LOG EMAIL HISTORY/ ATTACHMENTS LOG PC LAPTOP USB/ EXT. HARD DR./CD COPY LOG LYNC CHAT/ DOWNLOAD LOG REMOTE ACCESS LOG PRINTER/FAX LOG PHYSICAL ACCESS LOG EXT. STORAGE ACCESS LOG EXT. EMAIL ACCESS LOG SHARE DRIVE/ POINT ACCESS HISTORY PC/ LAPTOP LOSS/ STOLEN REPORT PC/ LAPTOP CRASH/ REPARE LOG Decision Committee Application Owner/Controller User’s Manager Escalation Corporate/ Legal Action Close Loop/ Remediation PICTURE PC/ LAPTOP SCREEN (CCTV) Insider threat protection services from IBM
  19. 19. 19 IBM Security We implemented this solution for one of our global pharma clients to help address concerns about the impact of major re-org on employee morale Project Overview: 1. Identified 7 areas of Information Classification in scope for the project • Finance Management, Financial Transactions, Procurement-Sourcing, HR, Tax, Planning, and Risk Management 2. Out of the 7 areas of Information Classification, identified 11 Confidential “Red” information for use cases • True Cost Data, Process Order, Serialization, Employee SPI, Investigation and Disciplinary, Purchasing and Contractual, Vendor SPI, Customer SPI, Undisclosed Financial Data, Project System 3. Mapped ~ 20% of “Red” data to specific SAP tables, transactions, and roles which expose the information 4. Collected 7 months of SAP transaction logs to analyze user activities across the sensitive transactions identified 5. Identified anomaly activities for further investigation
  20. 20. 20 IBM Security During the project, we analyzed sensitive transactions used for the first time on the month leaving the company Data Summary: • 7 months of SAP transaction logs obtained • Termination report obtained 1,984 users • Over 1M lines of transaction log entries captured • Of 1M entries, 56k sensitive transactions used • Of 56k transactions, 885 sensitive transactions were used by users on the terminated report Outcome: • 1st Analysis Finding: 8 users used 10 sensitive transactions for the first time in December 2014 before leaving company 1st Analysis Findings
  21. 21. 21 IBM Security Our team also detected sudden and significant increases of users using sensitive transaction on the month leaving the company… risky insiders! Data Summary: • 7 months of SAP transaction logs obtained • Termination report obtained 1,984 users • Over 1M lines of transaction log entries captured • Of 1M entries, 56k sensitive transactions used • Of 56k transactions, 885 sensitive transactions were used by users on the terminated report Outcome: • 2nd Analysis Finding: 7 users show sudden increase in sensitive transaction usage right before the termination 2nd Analysis Findings
  22. 22. 22 IBM Security Our experts help deliver Leading security innovation by IBM Research, with over 3,000 security and risk patents Strategic Advising Product Agnostic Recommendations Cognitive-driven Solutions Derive insights from Watson Analytics Award winning IBM Security Systems can provide a full range of integrated security services and products Worldwide Presence Threat visibility from 10 Security Operations Centers monitoring 13-plus billon events per day from 20,000-plus devices Worldwide Subject Matter Expertise over 3,700 security consultants and 3,300 service delivery experts IAM Expertise
  23. 23. 23 IBM Security Take action now • Download the whitepaper, “An Integrated Approach to Insider Threat Protection” • Read the blog on using Machine Learning to Detect Anomalies in Users’ Activities Learn more • Call your rep, or reach out to 1 (877) 257-5227 • Experiencing a breach? IBM Incident Response 24x7 Hotline: 1-888-241-9812 Contact IBM Questions? Let us know. Jas Johal Sr. Offering Manager – IAM Services Johnny Shin Sr. Executive Consultant- IAM Milan Patel Program Director Security Offerings Management
  24. 24. @ibmsecurity youtube/user/ibmsecuritysolutions © Copyright IBM Corporation 2016. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind, express or implied. Any statement of direction represents IBM's current intent, is subject to change or withdrawal, and represent only goals and objectives. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service marks of others. Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed, misappropriated or misused or can result in damage to or misuse of your systems, including for use in attacks on others. No IT system or product should be considered completely secure and no single product, service or security measure can be completely effective in preventing improper use or access. IBM systems, products and services are designed to be part of a lawful, comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective. IBM does not warrant that any systems, products or services are immune from, or will make your enterprise immune from, the malicious or illegal conduct of any party. FOLLOW US ON: THANK YOU