Defining Security Intelligence for the Enterprise - What CISOs Need to Know

Defining Security Intelligence for the Enterprise:
What Today’s CISOs Need to Know
Chris Poulin
Industry Security Systems Strategist
IBM Institute for Advanced Security

© 2012 IBM Institute for Advanced Security


You will get hacked, but…
CISOs know it’s not if, it’s when they get hacked; yet there is still a gap in ability to
detect breach.
 Breaches are taking longer to discover

 Breaches are not being discovered internally

Charts from Verizon 2011 Investigative Response Caseload Review



92% of Breaches Are Undetected by Breached Organization

Source: 2012 Data Breach Investigations Report


SQL Injection Still #1



Sophistication of cyber threats, attackers and motives is rapidly escalating

1995 – 2005
1st

2005 – 2015

Decade of the Commercial Internet

2nd

Decade of the Commercial Internet

Motive

National Security
Espionage,
Political Activism
Monetary Gain

Revenge

Curiosity

Nation-state Actors;
Targeted Attacks / Advanced
Persistent Threat
Competitors, Hacktivists

Organized Crime, using sophisticated tools

Insiders, using inside information
Script-kiddies or hackers using tools, web-based “how-to’s”

Adversary


Solving a security issue is a complex, four-dimensional puzzle

People

Employees

Consultants

Hackers

Terrorists

Outsourcers

Customers

Suppliers

Data

Structured

Unstructured

At rest

In motion

Applications

Systems applications

Web applications

Web 2.0

Mobile apps

Infrastructure

It is no longer enough to protect the perimeter –
siloed point products will not secure the enterprise


Choose the Right Technology

Protection technology is
critical, but choose wisely

There is no magic
security technology



People and Processes First
A lesson from airport security:
Instead of expensive equipment, use what works
In Israel
• No plane departing Ben Gurion Airport has ever been hijacked
• Use human intelligence
• “Questioning” looks for suspicious behavior
• Simple metal detectors
Scotland Yard
• 24+ men planned to smuggle explosive liquids
• Foiled beforehand because of intelligence
• Before they even got to the airport



What is Security Intelligence?

Security Intelligence
--noun
1.the real-time collection, normalization, and analytics of the
data generated by users, applications and infrastructure that
impacts the IT security and risk posture of an enterprise

Security Intelligence provides actionable and comprehensive
insight for managing risks and threats from protection and
detection through remediation



What Gartner is Saying About the Need for Context

Mark Nicollet, Managing VP,
Gartner Security, Risk &
Compliance

 “The rapid discovery of a breach is key to minimizing the damage of a
targeted attack, but most organizations do not have adequate breach
detection capabilities.”
 “Since perfect defenses are not practical or achievable, organizations
need to augment vulnerability management and shielding with moreeffective monitoring.”

 “The addition of context, such as user, application, asset, data and
threat, to security event monitoring will increase the likelihood of early
discovery of a targeted attack.”
 “We need to get better at discovering the changes in normal activity
patterns that are the early signal of an attack or breach.”
#1-3 from “Effective Security Monitoring Requires Context,” Gartner, 16 January 2012, G00227893
#4 from “Using SIEM for Targeted Attack Detection,” Gartner, 20 March 2012, G00227898


Context and correlation

Deep visibility into users, data, applications, and assets
Sources

+

Intelligence

=

Most Accurate &
Actionable Insight



Solving complex problems that point solutions cannot
Improving threat
detection

Discovered 500 hosts with “Here You
Have” virus, which all other security
products missed

Consolidating
data silos

2 billion log and events per day reduced
to 25 high priority offenses

Predicting risks
against your
business

Automating the policy monitoring and
evaluation process for configuration
changes in the infrastructure

Addressing
regulatory mandates

Real-time monitoring of all network
activity, in addition to PCI mandates



How Security Intelligence Can Help
 Continuously monitor all activity & correlate
in real-time
 Gain visibility into unauthorized or anomalous activities
– Server (or thermostat) communicating with IP address in China.
– Unusual Windows service -- backdoor or spyware program
– Query by DBA to credit card tables during off-hours – possible SQL injection attack
– Spike in network activity -- high download volume from SharePoint server

– High number of failed logins to critical servers -- brute-force password attack
– Configuration change -- unauthorized port being enabled for exfiltration
– Inappropriate use of protocols -- sensitive data being exfiltrated via P2P



Why Should a CISO Care?
 Detect suspicious behavior
– Privileged actions being conducted from a contractor’s workstation
– DNS communications with external system flagged as C&C
 Detect policy violations
– Baseline against reality (CMDB)
– Social media, P2P, etc
 Detect APTs
– File accesses out of the norm—behavior anomaly detection
– Least used applications or external systems; occasional traffic
 Detect fraud
– Baseline credit pulls or trading volumes and detect anomalies
– Correlate eBanking PIN change with large money transfers
 Forensic evidence for prosecution
 Impact analysis
 Compliance
– Change & configuration management
 Metrics
14



Network Activity for Total Visibility
• Attackers can stop logging and erase their tracks, but can’t
cut off the network (flow data)
• Helps detect day-zero attacks that have no signature
• Provides definitive evidence of attack
• Enables visibility into all attacker communications
• Passively builds up asset profiles—and keeps them up to date



Application Detection & Forensic Evidence
Botnet Detected?
This is/ as far as traditional
SIEM can go.

IRC on port 80?
QFlow enables detection of a
covert channel.

Irrefutable
Layer 7 data contains botnet command and
control instructions.



Data Leakage
Who is responsible for the data leak?

Alert on data patterns, such as credit card
number, in real time.



Insider Fraud
Potential Data Loss?
Who? What? Where?

Who?
An internal user

What?
Oracle data

Where?
Gmail



User Behavior Monitoring & APTs
User & Application Activity Monitoring alerts to a user anomaly for
Oracle database access.

Identify the user, normal
access behavior and the
anomaly behavior with all
source and destination
information for quickly resolving
the persistent threat.



Configuration & Risk
Network topology and open
paths of attack add context

Rules can take exposure
into account to:
• Prioritize offenses and
remediation
• Enforce policies
• Play out what-if scenarios



Real-Time Activity for Prioritized Response
Network monitoring + configuration management =
deeper level of forensics & accurate impact analysis



Integration: Increasing Security, Collapsing Silos, and Reducing Complexity
Increased Awareness and Accuracy
 Prevent advanced threats with real-time intelligence correlation across security domains
 Increase situational awareness by leveraging real-time feeds of X-Force Research and Global Threat
Intelligence across IBM security products, such as QRadar Security Intelligence Platform and Network
Security appliances
 Conduct complete incident investigations with unified identity, database, network and endpoint activity
monitoring and log management

Ease of Management
 Simplify risk management and decision-making
with automated reporting though a unified console
 Enhance auditing and access capabilities by sharing
Identity context across multiple IBM security products

 Build automated, customized application
protection policies by feeding AppScan results into
IBM Network Intrusion Prevention Systems

Reduced Cost and Complexity
 Deliver faster deployment, increased value and
lower TCO by working with a single strategic partner


Security Intelligence Timeline

Prediction & Prevention

Reaction & Remediation

Risk Management. Vulnerability Management.
Configuration Monitoring. Patch Management.
X-Force Research and Threat Intelligence.
Compliance Management. Reporting and Scorecards.

SIEM. Log Management. Incident Response.
Network and Host Intrusion Prevention.
Network Anomaly Detection. Packet Forensics.
Database Activity Monitoring. Data Loss Prevention.



In 1996 Gartner Group said…..

“Making business decisions
based on accurate and current
information takes more than
intuition. Data analysis,
reporting and query tools can
help business users wade
through a sea of data to
synthesize valuable
information from it.
Today these tools collectively
fall into a category called
“Business Intelligence”’



In 1958 IBM …
…researcher Hans Peter Luhn
used the term business intelligence.

He defined business intelligence as:
"the ability to apprehend the interrelationships
of presented facts in such a way as to guide
action towards a desired goal.“



Security and Business Intelligence Parallels
IBM Security Intelligence

Security Intelligence

DASCOM

Security as a Service
Application Security
Database Monitoring

SOA Security
Decision Management

Market Changes

Managed Security Services
Network Intrusion Prevention

Simplified Delivery (i.e., Cloud )

Compliance Management

BI Convergence with Collaboration

Identity and Access Management
Text & Social Media Analytics
Mainframe and
Server Security - RACF

Predictive Analytics
IOD Business Optimization

IBM Business Intelligence

Performance Management
Business Intelligence Suite
Enterprise Reporting

Time

Thank you


Defining Security Intelligence for the Enterprise - What CISOs Need to Know

More Related Content

What's hot

Viewers also liked

Similar to Defining Security Intelligence for the Enterprise - What CISOs Need to Know

More from IBM Security

Recently uploaded

Defining Security Intelligence for the Enterprise - What CISOs Need to Know