Leverage Big Data for Security Intelligence

© 2013 IBM Corporation
IBM Security Systems
1 IBM Security Systems © 2013 IBM Corporation
Security Intelligence with Big Data
Stefaan Van daele
Senior Security Architect
March 2013

2 IBM Security Systems
Infiltrating a trusted partner and then loading
malware onto the target’s network
Creating designer malware tailored to only infect
the target organization, preventing identification
by security vendors
Using social networking and social engineering to
perform reconnaissance on spear-phishing
targets, leading to compromised hosts and
accounts
Exploiting zero-day vulnerabilities to gain access
to data, applications, systems, and endpoints
Communicating over accepted channels such as
port 80 to exfiltrate data from the organization
Well-organized attackers and malicious insiders are successfully
bypassing security defenses
Designer Malware Backdoors
Spear Phishing Persistence
Escalating Motives and Sophistication
 Organized Crime
 Espionage and Hacktivists
 Nation-state Actors

Customers have a growing need to identify and protect against
threats by building insights from broader data sets
Logs
Events Alerts
Configuration
information
System
audit trails
External threat
intelligence feeds
Network flows
and anomalies
Identity
context
Web page
text
Full packet and
DNS captures
E-mail and
social activity
Business
process data
Customer
transactions
Traditional Security
Operations and
Technology
Big Data
Analytics
New Considerations
Collection, Storage
and Processing
 Collection and integration
 Size and speed
 Enrichment and correlation
Analytics and Workflow
 Visualization
 Unstructured analysis
 Learning and prediction
 Customization
 Sharing and export

Big Data Warehouse
Big Data
Platform
Analytics and Forensics
Security Intelligence
Platform
Real-time Processing
Security Operations
Integrated analytics and exploration in a new architecture
• Real-time data correlation
• Anomaly detection
• Event and flow normalization
• Security context and enrichment
• Distributed architecture
• Long-term, multi-PB storage
• Unstructured and structured
• Distributed Hadoop infrastructure
• Preservation of raw data
• Enterprise integration
• Pre-defined rules and reports
• Offense scoring and prioritization
• Activity and event graphing
• Compliance reporting
• Workflow management
• Advanced visuals and interaction
• Predictive and decision modeling
• Ad hoc queries
• Interactive visualizations
• Collaborative sharing tools
• Pluggable, intuitive UI
Structured,
analytical,
repeatable
Creative,
exploratory,
intuitive
Integrated
IBM
Solution

What’s Next? Solving new security challenges with expanded
Big Data analytics capabilities
What customers are telling us:
1. Analyze a variety of non-
traditional and unstructured
datasets - such as email, web
content, files and full packets
2. Significantly increase the
volume of data stored for
forensics and historic analysis
3. Visualize data in new ways,
using custom queries,
graphs, linguistics, maps, etc.
4. Integrate this capability with
my current security operations
IBM Security QRadar
• Data collection and
enrichment
• Event correlation
• Real-time analytics
• Offense prioritization
Advanced Threat Detection
Traditional data sources
Security Intelligence Platform

Real-time
streaming
Insights
IBM Security QRadar
• Hadoop-based
• Enterprise-grade
• Any data / volume
• Data mining
• Ad hoc analytics
• Data collection and
enrichment
• Event correlation
• Real-time analytics
• Offense prioritization
Big Data Platform
Custom Analytics
Traditional data sources
IBM InfoSphere BigInsights
Non-traditional
Security Intelligence Platform
How? By integrating QRadar with IBM’s Hadoop-based offering
Advanced Threat Detection

QRadar leverages big data today to identify security threats
IBM QRadar Security Intelligence Capabilities Customer Impact
Powerful appliances with massive scale  Insights from 1000s of devices, spanning 100s of TBs
Payload indexing and Google-like searching of big data  Rapid ad hoc query - search 7M+ events in <0.2 sec
Broader data analysis: logs, flows, identities, vuln’s, threats  Greater insight and detection from richer context
Layer 7 network flow collection and analytics  More accurate anomaly detection and easier forensics
Advanced threat visualization and impact analysis  Attack path visualization and device / interface mapping
Enrichment with X-Force® intelligence and external feeds  Increased accuracy of detecting the latest threats
High-
Volume
Events,
Flows and
Context

Example QRadar uses cases
Behavior
monitoring
and flow
analytics
Activity and
data access
monitoring
Stealthy
malware
detection
Irrefutable Botnet
Communication
Layer 7 flow data shows botnet
command and control
instructions
Improved
Breach Detection
360-degree visibility helps
distinguish true breaches from
benign activity, in real-time
Network Traffic
Doesn’t Lie
Attackers can stop logging and
erase their tracks, but can’t cut
off the network (flow data)

9
IBM InfoSphere BigInsights – A flexible, enterprise-class solution for
processing large volumes of data
EnterpriseValue
Core
Hadoop
BigInsights Basic
Edition
BigInsights Enterprise Edition
Free download with web support
Limit to <= 10 TB of data
(Optional: 24x7 paid support
Fixed Term License)
Professional Services Offerings
QuickStart, Bootcamp, Education, Custom Development
Enterprise-grade features
Tiered terabyte-based pricing
Easy installation
and programming
• Analytics tooling / visualization
• Recoverability security
• Administration tooling
• Development tooling
• Flexible storage
• High availability

Web and
Email Proxy
Customer example – User profiling based on multiple sources
NetFlow
Optional
Relational Store
Unstructured Data
5
1
1
10
9
8
6
2
Hadoop Store
Big Data
Warehouse
Big Data Analytics
and Forensics
Data Sources Real-time Processing Security Operations
3
7
Suspicious
User(s)
Internet 4
1. NetFlow and logs sent to QRadar
2. Event and flow processing
3. Correlation against external feeds
4. Real-time user alerts to SOC
5. Unstructured data to BigInsights
6. Enriched events and flows sent to BigInsights
7. Spreadsheet UI for business analysts (BigSheets)
8. Post-processed data storage
9. i2 Analyst Notebook: link-based visuals and
analytics
10. Update of QRadar real-time rule sets

Example Use Case: Spear-phishing analysis
ATTACKER
User receives risky
email from personal
social network
TARGET
Drive-by exploit is
used to install
malware on target PC
User is redirected to
a malicious website

Using Big Data to mine for trends within e-mail
Use BigInsights to
identify phishing targets
and redirects
Build visualizations,
such as heat maps, to
view top targets

Loading phishing data and corresponding redirects to QRadar

―Big Value from Big Data‖ – Common use cases
Targeted & advanced
threat discovery
Insider threat
analysis
Full spectrum
fraud detection
Customer
Problem
Organizations need help in
identifying advanced threats and
zero-day attacks
Fraudulent claims, account takeovers,
and invalid transactions cause
substantial losses – and many
organizations are unaware the fraud is
being committed
As repositories of private information
expand, the cost of data loss by
insiders action grows, whether
intentional or through human error
Technical
Challenges
 Collection of high volume
network and DNS events
 Rapidly changing identifiers
 Analytics to find subtle indicators
 Integration of external
intelligence
 Collection of user, application and
network activity
 Unstructured data analysis
 Long-term baselining capabilities
 Integration with fraud workflow
 Collection of inter- and intra-
company communications
 Sentiment and linguistic analysis
 Ability to identify anomalies and
outliers
 Integration with IAM solutions
IBM
Approach
 QRadar event and flow collection
 Correlation against external
threats
 Collection of all DNS
transactions using BigInsights
 Custom analytics to identify
suspicious domain names
 Analysis of historical data to
detect infections / past intrusions
 Import BigInsights findings into
QRadar
 QRadar to collect and normalize
application and transaction data
 Anomaly detection in real time
 Real-time export to BigInsights
 Baseline historical user and account
activity
 Send insights to QRadar for real-time
fraud correlation
 Extend information flow to IBM i2 for
link analysis, visualization and
dissemination to fraud analysts
 Use QRadar to correlate real-time
system and user activity
 Analyze ordinary and privileged
users accessing sensitive data
 Collect full text email and social
activity with BigInsights
 Leverage advanced analytics to
understand unstructured content
 Share findings with existing IAM
systems—such as IBM Security
Privileged Identity Manager

IBM’s Security Intelligence, Big Data, and Analytics portfolio
3 IBM i2
Analyst Notebook
helps analysts investigate
fraud by discovering
patterns and trends
across volumes of data
4
IBM SPSS
unified product family to help
capture, predict, discover trends,
and automatically deliver high-
volume, optimized decisions
1 IBM QRadar Security Intelligence
unified architecture for collecting, storing, analyzing and
querying log, threat, vulnerability and risk related data
2
IBM Big Data Platform
addresses the speed and flexibility required for customized
data exploration, discovery and unstructured analysis
InfoSphere Big
Data Platform

For IBM, Security and Business Intelligence offer insightful parallels

Extend real-time Data Activity Monitoring to also protect sensitive data in
data warehouses, Hadoop systems and file shares
Integration with
LDAP, IAM,
SIEM, TSM,
Remedy, …
NEW
Big Data
Environments
DATA
InfoSphere
BigInsights

Protect data in real-time and ensure compliance in big data
environments
Big data brings big security challenges
As big data environments ingest more data, organizations will face
significant risks and threats to the repositories in which the data is kept
Big data environments help organizations:
Process, analyze and derive maximum value from these new data
formats as well as traditional structured formats in real-time
Make more informed decisions instantaneously and cost effectively
•Turn 12 terabytes of Tweets into improved product sentiment analysis
• Monitor 100’s of live video feeds from surveillance cameras to identify security threats
Introducing Hadoop Activity Monitoring
Monitor and Audit Hadoop activity in real-time to support compliance requirements and protect data
• Real time activity monitoring of HDFS and HBASE data sources
• Automated compliance controls
• Fully integrated with InfoSphere Guardium solution for database activity monitoring
• View Hadoop systems with other data sources
NEW

Additional information
 Press Release
https://www-304.ibm.com/jct03001c/press/us/en/pressrelease/40257.wss
 Information about the presented solutions:
IBM Security Intelligence with Big Data
http://www-03.ibm.com/security/solution/intelligence-big-data/
Security Systems QRadar
http://www-142.ibm.com/software/products/us/en/subcategory/SWI60
InfoSphere BigInsights
http://www-01.ibm.com/software/data/infosphere/biginsights/
InfoSphere Guardium
http://www-01.ibm.com/software/data/guardium/secure-big-data/

ibm.com/security
© Copyright IBM Corporation 2012. All rights reserved. The information contained in these materials is provided for informational purposes
only, and is provided AS IS without warranty of any kind, express or implied. IBM shall not be responsible for any damages arising out of the use
of, or otherwise related to, these materials. Nothing contained in these materials is intended to, nor shall have the effect of, creating any
warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement
governing the use of IBM software. References in these materials to IBM products, programs, or services do not imply that they will be available in
all countries in which IBM operates. Product release dates and/or capabilities referenced in these materials may change at any time at IBM’s sole
discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any
way. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United
States, other countries or both. Other company, product, or service names may be trademarks or service marks of others.
Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response
to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed or misappropriated
or can result in damage to or misuse of your systems, including to attack others. No IT system or product should be considered completely secure
and no single product or security measure can be completely effective in preventing improper access. IBM systems and products are designed to
be part of a comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems,
products or services to be most effective. IBM DOES NOT WARRANT THAT SYSTEMS AND PRODUCTS ARE IMMUNE FROM THE
MALICIOUS OR ILLEGAL CONDUCT OF ANY PARTY.

Leverage Big Data for Security Intelligence

More Related Content

What's hot

Viewers also liked

Similar to Leverage Big Data for Security Intelligence

Recently uploaded

Leverage Big Data for Security Intelligence