In September 2011, Prolifics & IBM hosted a speaking session at a Cyber Security Summit in California. The presentation focused on the importance of Identity and Access Management in the Energy & Utilities industry as well as today's critical regulatory requirements.
2. Holistic Enterprise Security Solution
The “Blind Slide”
The Insider Threat. Identity Controls and Data Loss protection
Application Protection
New threat vectors. Virtualization and distributed assets
Experiences from the field
3. NERC CIP 2011 Violations & Fines
Since January 2011, a significant increase in CIP fines
Largest numbers for Security Awareness and Testing
Source: http://www.nerc.com/filez/enforcement
4. Introduction
Personal ID: personal accountability
• Traditional identity management has always focused on these IDs
• Well covered and controlled
• Commoditized
Service ID: corporate accountability
• Shared administrative ID
• Programs, services, databases, scripting, testing, load testing, auditing, troubleshooting, you name it
• “Too hard to deal with”
• “Will be the next step”
Other
• Shared group IDs
• IDs in transition
• Template IDs
• Exchange mailboxes
5. Service IDs
Service IDs are everywhere
Different systems have different exposure via the Service IDs
6. Identity & Access Management
• User Provisioning / Deprovisioning and Full Role Management
• Single Sign On & Management of Web Access & Passwords
• The 3 Rs: Reconciliation, Recertification & Reporting
• Security log management & reporting
(diagram: reconciliation asks whether the access PLAN matches REALITY)
7. Identity and Access Management for Energy Companies
• A holistic approach to addressing corporate identities and access controls
  • Identity lifecycle support and review
  • Access provisioning, deprovisioning and certification
  • Policy enforcement: password, access patterns, expiration
  • RBAC
• IdM for FERC/NERC CIP applications
  • Energy management systems
  • Energy network components
  • Physical access control services
  • Customer Information Systems
  • Work Management System
  • Plant Maintenance Systems
  • Tower gateway base stations for Smart Meter infrastructure
• SOX applications (SOX 404)
  • Corporate Reports
  • Financial systems
• PCI, NIST, HIPAA
8. CIP with IAM Step by Step
CIP-003-1 Access enforcement, audit trails, reviews and roles
• Access authorization enforcement is maintained via identity lifecycle workflows with a robust approval framework and multilevel escalation.
• Audit trails are preserved for each request and approval, ensuring access is given, modified and revoked only under proper supervision.
• Automatic enforcement of access privileges is linked in and based on business roles.
• Annual reviews and re-certification of access are required from management and system owners.
CIP-004-1 Training, privilege revocation
• Training program requirements are enforced via proper personnel on-boarding and transfer workflows, tied into the HR and training systems.
• Revocation within 24 hours of termination is part of the closely enforced identity lifecycle.
• Critical asset access lists are available for review 24/7 by authorized personnel via a web interface.
9. CIP with IAM Step by Step
CIP-006-1 Physical access protection
• Implemented by integrating with card access and badge systems, tied into the identity lifecycle.
CIP-007-1 Access to CCA, shared accounts, least privilege
• Enforcing the creation and management of user access to Critical Cyber Assets by employing industry-standard role-based access control certification, provisioning, rights and password management.
• Directly assigning owners and custodians for individual and shared system accounts on a "need to know" basis and subjecting them to periodic reviews.
• Analysis and remediation of orphan accounts.
• Password policies are deployed in the automated identity management system to ensure only qualified passwords are allowed.
10. Service Identity Management is an essential part of IAM Governance
Expansion of traditional Identity and Access Management to cover identities used by administrators, systems, software and automated processes.
Assign responsibility for service accounts, track the people who manage the accounts, report on them and enforce policies.
Tracking accounts used by various IT assets:
• Databases
• Enterprise applications
• Devices
• Scheduling and monitoring software
• Automatic maintenance processes
• and many more
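The controls on slides 8 to 10 (revocation within 24 hours of termination, orphan-account remediation, and an active owner or custodian for every shared and service account) all reduce to the same reconciliation: compare the authoritative HR feed against the accounts actually present on each target system and report the mismatches. The following is an added example, not code from the deck, from Prolifics or from any IBM Tivoli product; the HR records, the account lists, the system names and the finding codes are constructed for illustration, and the 24-hour window is the CIP-004 figure quoted above.

```python
"""Identity reconciliation check (added example, not the deck's or IBM's code).

Compares a constructed HR feed against constructed target-system accounts and
flags: personal accounts whose owner was terminated (overdue once the 24-hour
revocation window has passed), personal accounts with no matching person
(orphans), and shared/service accounts with no active owner or custodian.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

REVOCATION_WINDOW = timedelta(hours=24)   # CIP-004: revoke within 24 hours of termination


@dataclass(frozen=True)
class Person:
    person_id: str
    status: str                           # "active" or "terminated"
    terminated_at: Optional[datetime] = None   # assumed present when status == "terminated"


@dataclass(frozen=True)
class Account:
    system: str
    name: str
    kind: str                             # "personal", "shared" or "service"
    owner: Optional[str]                  # person_id of the owner/custodian, None if unknown
    enabled: bool = True


Finding = Tuple[str, str, str, str]       # (code, system, account name, detail)


def reconcile(people: List[Person], accounts: List[Account], now: datetime) -> List[Finding]:
    """Return one finding per enabled account that violates the lifecycle rules."""
    by_id = {p.person_id: p for p in people}
    findings: List[Finding] = []
    for acct in accounts:
        if not acct.enabled:
            continue                      # already revoked; nothing to report
        owner = by_id.get(acct.owner) if acct.owner else None
        if acct.kind == "personal":
            if owner is None:
                findings.append(("ORPHAN", acct.system, acct.name,
                                 "no matching person in HR feed"))
            elif owner.status == "terminated":
                age = now - owner.terminated_at
                code = "REVOCATION_OVERDUE" if age > REVOCATION_WINDOW else "REVOCATION_PENDING"
                findings.append((code, acct.system, acct.name,
                                 f"owner {owner.person_id} terminated {age} ago"))
        else:                             # shared or service account needs a living custodian
            if owner is None or owner.status != "active":
                findings.append(("UNOWNED_SHARED_ACCOUNT", acct.system, acct.name,
                                 f"{acct.kind} account has no active owner"))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings by code, the figure a recertification report would show."""
    counts: Dict[str, int] = {}
    for code, *_ in findings:
        counts[code] = counts.get(code, 0) + 1
    return counts


# Constructed sample data; the people, systems and accounts are invented.
NOW = datetime(2011, 9, 15, 12, 0)
PEOPLE = [
    Person("u100", "active"),
    Person("u200", "terminated", NOW - timedelta(days=3)),
    Person("u300", "terminated", NOW - timedelta(hours=2)),
]
ACCOUNTS = [
    Account("ems-hmi",  "jdoe",       "personal", "u100"),
    Account("ems-hmi",  "bsmith",     "personal", "u200"),           # 3 days past termination
    Account("scada-db", "ckim",       "personal", "u300"),           # still inside the window
    Account("scada-db", "oldadmin",   "personal", None),             # nobody in HR owns it
    Account("scada-db", "svc_backup", "service",  None),             # service ID, no custodian
    Account("ems-hmi",  "opsconsole", "shared",   "u200"),           # custodian has left
    Account("ems-hmi",  "svc_hist",   "service",  "u100"),
    Account("scada-db", "bsmith",     "personal", "u200", enabled=False),  # already revoked
]

if __name__ == "__main__":
    results = reconcile(PEOPLE, ACCOUNTS, NOW)
    for finding in results:
        print(*finding)
    print(summarize(results))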
11. How PIM works
1. Tivoli Identity Manager (TIM) with a custom module provisions privileged IDs and manages pools of shared IDs. Shared IDs are stored in a secured data store (LDAP, AD).
2. Account authorizations are periodically recertified through a consistent workflow (email-driven recertification of privileged users).
3. The admin logs into Tivoli Access Manager for E-SSO (TAM E-SSO); TAM E-SSO automatically checks a shared ID out and back in as required, which ensures accountability while simplifying usage.
4. Tivoli Compliance Insight Manager (TCIM) monitors all event logs for end-to-end tracking and produces enterprise reports.
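Step 3 above is what turns a shared administrative ID into something an auditor can attribute to one person: the human authenticates with a personal ID, is leased a shared ID from a pool, and every later log line for that shared ID maps back to the lease holder. The following added example models that check-out/check-in step; it is not IBM's, TIM's or TAM E-SSO's code, and the pool, the people, the system name and the four-hour lease limit are assumptions made for illustration.

```python
"""Shared-ID check-out/check-in with an accountability trail (added example).

A pool of shared administrative IDs for one target system. A person who is
authorized for the system checks an ID out, uses it, and checks it back in;
leases held too long are force-closed and reported. The audit list lets a
log event for a shared ID be resolved to the person who held it at the time.
All names and times are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Set


@dataclass
class Lease:
    shared_id: str
    system: str
    person: str                     # personal ID of the human accountable for this use
    checked_out: datetime
    checked_in: Optional[datetime] = None
    forced: bool = False            # True when closed by expiry rather than by check-in


class SharedIdPool:
    """Pool of shared administrative IDs for one target system."""

    def __init__(self, system: str, shared_ids: List[str], authorized: Set[str],
                 max_lease: timedelta = timedelta(hours=4)) -> None:
        self.system = system
        self.free = list(shared_ids)
        self.authorized = set(authorized)       # personal IDs allowed to check out
        self.active: Dict[str, Lease] = {}      # shared_id -> open lease
        self.audit: List[Lease] = []            # every lease ever granted, in order
        self.max_lease = max_lease

    def checkout(self, person: str, now: datetime) -> str:
        if person not in self.authorized:
            raise PermissionError(f"{person} is not authorized for {self.system}")
        if not self.free:
            raise RuntimeError(f"no shared ID free on {self.system}")
        shared_id = self.free.pop(0)
        lease = Lease(shared_id, self.system, person, now)
        self.active[shared_id] = lease
        self.audit.append(lease)
        return shared_id

    def checkin(self, shared_id: str, person: str, now: datetime) -> None:
        lease = self.active.get(shared_id)
        if lease is None or lease.person != person:
            raise PermissionError("check-in must come from the current lease holder")
        lease.checked_in = now
        del self.active[shared_id]
        self.free.append(shared_id)

    def expire(self, now: datetime) -> List[str]:
        """Force-close leases held longer than max_lease; return their IDs for review."""
        expired = [sid for sid, lease in self.active.items()
                   if now - lease.checked_out > self.max_lease]
        for sid in expired:
            lease = self.active.pop(sid)
            lease.checked_in = now
            lease.forced = True
            self.free.append(sid)
        return expired

    def accountable_person(self, shared_id: str, at: datetime) -> Optional[str]:
        """Map a log event for shared_id at time `at` back to a person, or None."""
        for lease in self.audit:
            if (lease.shared_id == shared_id and lease.checked_out <= at
                    and (lease.checked_in is None or at < lease.checked_in)):
                return lease.person
        return None


def demo() -> Dict[str, object]:
    """Constructed scenario: two admins, two shared IDs, one forgotten check-in."""
    t0 = datetime(2011, 9, 15, 9, 0)
    pool = SharedIdPool("ems-server", ["emsadmin01", "emsadmin02"], {"jdoe", "ckim"})
    first = pool.checkout("jdoe", t0)
    second = pool.checkout("ckim", t0 + timedelta(minutes=10))
    pool.checkin(first, "jdoe", t0 + timedelta(hours=1))
    try:
        pool.checkout("mallory", t0 + timedelta(hours=1, minutes=5))
        denied = False
    except PermissionError:
        denied = True
    expired = pool.expire(t0 + timedelta(hours=5))        # ckim never checked in
    return {
        "first_id": first,
        "second_id": second,
        "user_at_0930": pool.accountable_person(first, t0 + timedelta(minutes=30)),
        "user_at_1030": pool.accountable_person(first, t0 + timedelta(hours=1, minutes=30)),
        "user_at_1100_second": pool.accountable_person(second, t0 + timedelta(hours=2)),
        "unauthorized_denied": denied,
        "expired": expired,
        "free_after_expiry": sorted(pool.free),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

A shared-ID log event at a time when `accountable_person` returns None is itself a finding: the ID was used without a check-out, which is exactly the gap the slide's TCIM log monitoring is there to catch. Vault products also commonly rotate the shared ID's password on check-in so a lease holder cannot keep using it; that step is not on the slide and is left out here.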
12. IBM Software Map for NERC CIP Requirements
Portal layer: Tivoli Enterprise Portal, NERC Compliance Portal, Tivoli Netcool
CIP-001 Sabotage Reporting
• R1. Have procedures for recognition and reporting of sabotage events.
• R2. Have procedures for communication of sabotage to appropriate parties.
• R3. Have guideline for monitoring and reporting.
• R4. Have established communication contacts as applicable with local authorities.
CIP-002 Critical Cyber Assets
• R1. Critical Asset Identification Method
• R2. Critical Asset Identification
• R3. Critical Cyber Asset Identification
• R4. Annual Approval
CIP-003 Security Mgmt. Controls
• R1. Cyber Security Policy
• R2. Leadership
• R3. Exceptions
• R4. Information Protection
• R5. Access Control
• R6. Change Control and Configuration Mgmt.
CIP-004 Cyber Security – Personnel & Training
• R1. Awareness
• R2. Training
• R3. Personnel Risk Assessment
• R4. Access
CIP-005 Electronic Security Perimeters
• R1. Electronic Security Perimeter
• R2. Electronic Access Controls
• R3. Monitoring Electronic Access
• R4. Cyber Vulnerability Assessment
• R5. Documentation Review and Maintenance
CIP-006 Physical Security of Critical Cyber Assets
• R1. Physical Security Plan
• R2. Physical Access Controls
• R3. Monitoring Physical Access
• R4. Logging Physical Access
• R5. Access Log Retention
• R6. Maintenance and Testing
CIP-007 Cyber Security – Systems Security Mgmt.
• R1. Test Procedures
• R2. Ports and Services
• R3. Security Patch Management
• R4. Malicious Software Prevention
• R5. Account Management
• R6. Security Status Monitoring
• R7. Disposal or Redeployment
• R8. Cyber Vulnerability Assessment
• R9. Documentation Review and Maintenance
CIP-008 Cyber Security – Incident Reporting & Response
• R1. Cyber Security Incident Response Plan
• R2. Cyber Security Incident Documentation
CIP-009 Recovery Plans for Critical Cyber Assets
• R1. Recovery Plans
• R2. Exercises
• R3. Change Control
• R4. Backup and Restore
• R5. Testing Backup Media
Products mapped onto these standards on the slide: Enterprise Content and Record Manager, Tivoli Provisioning Manager, Tivoli Identity Manager, Tivoli Access Manager, Tivoli Storage Manager, Maximo, Tivoli Security Compliance Manager, Tivoli Security Operations Manager, Lotus Learning Management System, Tivoli Compliance Insight Manager, Tivoli Monitoring, Internet Security Systems
Cross-cutting functions: Alerts, Notification, Auditing, Reporting, Workflow, Team Definition, Measurement
13. Prolifics-IBM Support For NIST Industrial Control Systems Security Objectives
NIST Directive: NIST Objectives (IBM Technology)
• NIST SP 800-12: Security Policies and Procedures (TSPM, TIM, TAMeb)
• NIST SP 800-53: Security Controls; Configuration Management (TAM ESSO); Access Management (TAMeb, TAM OS, TFIM)
• NIST SP 800-94: Guidance on Intrusion Detection/Prevention Systems (ISS Proventia)
• NIST SP 800-61: Guidance on Incident Handling and Reporting (TSIEM)
• NIST SP 800-73/76: Guidance on Personal Identity Verification (TIM, PIM)
• NIST SP 800-63: Guidance on Remote Electronic Authentication (TFIM)
• NIST SP 800-64: Guidance on Security Considerations for the System Development Lifecycle (Rational AppScan)
• NIST SP 800-61: Guidance on Incident Handling / Audit Log Retention (TSIEM)
• NIST SP 800-56/57: Guidance on Cryptographic Key Establishment and Management (TKLM)
15. Application Vulnerabilities Continue to Dominate
Web app. vulnerabilities represent the largest category in vulnerability disclosures
In 1H10, 55.95% of all vulnerabilities are web application vulnerabilities
SQL injection and cross-site scripting are neck and neck in a race for the top spot
IBM Internet Security Systems 2010 X-Force®
Mid-Year Trend & Risk Report
16. Motivation for becoming Secure by Design…
(chart: relative cost to fix a flaw on a scale of 1x, 10x and 100,000x, plotted across Development, Test and Deployment, for a Security Flaw, e.g. a database hacked, versus a Functional Flaw, e.g. a database crash)
Unbudgeted costs of a security flaw found in deployment:
• Impact to enterprise
• Downtime
• Customer notification/care
• Fines/litigation
• Reputational damage
• Cost to clean-up
17. Application Security Tools Strategy
• Static Code Analysis = Whitebox: scanning source code for security issues
• Dynamic Analysis = Blackbox: performing security analysis of a compiled application
(diagram: Static Analysis and Dynamic Analysis overlap; together they give Complete Coverage of the Total Potential Security Issues)
• Providing for numerous compliance requirements, including NERC-CIP
Applicable NERC CIP standards: CIP-002, CIP-005, CIP-007
18. Database Servers Are The Primary Source of Breached Data
Source of Breached Records
• SQL injection played a role in 79% of records compromised during 2010 breaches, up from 75% in the 2009 report
• “Although much angst and security funding is given to …. mobile devices and end-user systems, these assets are simply not a major point of compromise.”
Source: 2010 Data Breach Report from Verizon Business RISK Team, http://www.verizonbusiness.com/resources/reports/rp_2010-data-breach-report_en_xg.pdf
19. Real-Time Database Monitoring
Host-based probes (S-TAPs) feed a Collector.
• No DBMS or application changes
• Does not rely on DBMS-resident logs, which can easily be erased by attackers or rogue insiders
• 100% visibility, including local DBA access
• Minimal performance impact (1-2%)
• Cross-DBMS solution
• Granular, real-time policies & auditing: who, what, when, how
• Automated compliance reporting, sign-offs & escalations (SOX, PCI, NIST, etc.)
Applicable NERC CIP standards: CIP-002, CIP-003, CIP-005, CIP-007
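The "who, what, when, how" policies on the slide, and the speaker note's point that local console access by a DBA is invisible to anything watching only the network switch, are easiest to see as rules run over activity records captured at the host. The following is an added example, not Guardium's rules, record format or code; the event format, the table and account names, the business-hours window and the rule names are constructed for illustration.

```python
"""Policy checks over database activity records (added example, not Guardium's).

Each constructed event is one line: timestamp db_user os_user source client sql.
The rules flag sensitive-table access by a non-application account, direct
local (console) sessions, off-hours activity, a SQL-injection tautology in
the statement, and statements that tamper with the DBMS's own audit trail.
"""
import re
from datetime import datetime, time
from typing import List, Tuple

SENSITIVE_TABLES = {"customer_pii", "meter_keys"}   # assumed tables under review
APP_ACCOUNTS = {"cis_app"}                           # assumed: only these may read them
BUSINESS_HOURS = (time(7, 0), time(19, 0))           # assumed operations window

TABLE_RE = re.compile(r"\b(?:FROM|INTO|UPDATE|JOIN)\s+([A-Za-z_][\w.]*)", re.I)
# 'x'='x' or 1=1 after an OR: the back-reference requires both sides to be identical
TAUTOLOGY_RE = re.compile(r"\bOR\b\s+('[^']*'|\d+)\s*=\s*\1", re.I)
AUDIT_TAMPER_RE = re.compile(
    r"\baudit_trail\b|\b(?:DROP|TRUNCATE)\s+(?:TABLE\s+)?\w*audit\w*", re.I)

# Constructed sample events; addresses, users and statements are invented.
EVENTS = [
    "2011-09-15T10:02:11 cis_app cis 10.0.5.20 jdbc SELECT name,address FROM customer_pii WHERE id=?",
    "2011-09-15T23:41:03 dba_rk rkim local sqlplus SELECT * FROM customer_pii",
    "2011-09-15T11:15:40 cis_app cis 10.0.5.20 jdbc SELECT * FROM customer_pii WHERE id='1' OR '1'='1'",
    "2011-09-15T12:00:00 dba_rk rkim local sqlplus ALTER SYSTEM SET audit_trail=NONE",
    "2011-09-15T13:30:00 report_ro reports 10.0.7.9 odbc SELECT count(*) FROM meter_readings",
]


def evaluate(events: List[str]) -> List[Tuple[str, str, List[str]]]:
    """Return (timestamp, db_user, [rule codes]) for every event, rules in fixed order."""
    results = []
    for line in events:
        ts, db_user, os_user, source, client, sql = line.split(maxsplit=5)
        when = datetime.fromisoformat(ts)
        tables = {t.lower() for t in TABLE_RE.findall(sql)}
        codes: List[str] = []
        if tables & SENSITIVE_TABLES and db_user not in APP_ACCOUNTS:
            codes.append("UNEXPECTED_ACCESS_SENSITIVE")      # who + what
        if source == "local":
            codes.append("DIRECT_LOCAL_ACCESS")              # how: console, not via the network
        if not BUSINESS_HOURS[0] <= when.time() < BUSINESS_HOURS[1]:
            codes.append("OFF_HOURS")                        # when
        if TAUTOLOGY_RE.search(sql):
            codes.append("SQLI_PATTERN")                     # what: injected predicate
        if AUDIT_TAMPER_RE.search(sql):
            codes.append("AUDIT_TAMPER")                     # the native log being switched off
        results.append((ts, db_user, codes))
    return results


if __name__ == "__main__":
    for ts, user, codes in evaluate(EVENTS):
        print(ts, user, ", ".join(codes) or "ok")
```

The fourth event is the case the slide's "does not rely on DBMS-resident logs" bullet is about: once native auditing is switched off, only a collector that captured the statement independently still has a record of it.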
21. Protocol Analysis Module (PAM) is the Engine Behind our Products
Others: constant thrashing to address today’s latest threat. IBM with PAM: “Ahead of the Threat”
• What it does: shields vulnerabilities from exploitation independent of a software patch, and enables a responsible patch management process that can be adhered to without fear of a breach. Why important: at the end of 2009, 52% of all vulnerabilities disclosed during the year had no vendor-supplied patches available to remedy the vulnerability; in mid-2010 the percentage increased to 55%.
• What it does: protects end users against attacks targeting applications used every day such as Microsoft Office, Adobe PDF, multimedia files and Web browsers. Why important: at the end of 2009, vulnerabilities which affect personal computers represented the second-largest category of vulnerability disclosures, about a fifth of all vulnerability disclosures.
• What it does: protects Web applications against sophisticated application-level attacks such as SQL injection, XSS (cross-site scripting), PHP file-includes and CSRF (cross-site request forgery). Why important: expands security capabilities to meet both compliance requirements and threat evolution.
• What it does: detects and prevents entire classes of threats as opposed to a specific exploit or vulnerability. Why important: eliminates the need for constant signature updates; protection includes the proprietary Shellcode Heuristics (SCH) technology, which has an unbeatable track record of protecting against zero-day vulnerabilities.
• What it does: monitors and identifies unencrypted PII and other confidential information for data awareness; also provides the capability to explore data flow through the network to help determine if any potential risks exist. Why important: flexible and scalable customized data search criteria; serves as a complement to the data security strategy.
• What it does: manages control of unauthorized applications and risks within defined segments of the network, such as ActiveX fingerprinting, peer-to-peer, instant messaging and tunneling. Why important: enforces network application and service access based on corporate policy and data governance.
Applicable NERC CIP standards: CIP-005, CIP-007
22. Preemptive Ahead of the Threat Security, backed up by data
Top 61 Vulnerabilities of 2009:
• 341 average days Ahead of the Threat
• 91 median days Ahead of the Threat
• 35 vulnerabilities Ahead of the Threat
• 57% of top vulnerabilities covered Ahead of the Threat
• 9 protections released post announcement
• 17 with same-day coverage
2010: average days Ahead of the Threat increased to 437!
24. Tivoli Endpoint Manager: Smarter, Faster Endpoint Management
• Network Asset Discovery
• Endpoint HW, SW Inventory
• Patch Management
• Software Distribution
• OS Deployment
• Remote Desktop Control
• Software Use Analysis (add on)
• Power Management (add on)
Whether it’s a Mac connecting from hotel wi-fi, or a Windows laptop at 30K feet, or a Red Hat Linux server in your data center, Tivoli Endpoint Manager has it covered. In real-time, at any scale.
Applicable NERC CIP standards: CIP-002, CIP-003, CIP-005, CIP-007
26. Experience
• Treating identities as an enterprise asset
• Consistent, standards based method for authentication and authorization
• Provisioning and, more importantly, de-provisioning accounts within a specified period of time (account lifecycle)
• Application accounts, databases, servers, network devices
• Approval process with multi-level escalation and delegation
• Quarterly access certification reports
• FERC M/T code throughout the whole system and in reports
• Standardization helps with FERC reliability regulations
• Energy Management Systems kept on an isolated network
• SSO limits password exposure and simplifies the sign-on process
• Service ID Management to address shared accounts (SOX)
• Separation of Duties checks (SOX)
27. Other features
• Self-service user interface
• Auditing and reporting enhancements
• Dormant Accounts Management
• External security audit recommended adding all enterprise applications, not just those covered by SOX and FERC regulations
• Flexible life-cycle and operational workflows
29. By managing security for customers across the world, IBM has a clear and current picture of threats and attacks
• 9 Security Operations Centres
• 9 Security Research Centres
• 11 Security Solution Development Centres
• 3 Branches of the Institute for Advanced Security (“IAS”): IAS Americas, IAS Europe, IAS Asia Pacific
• 133 Monitored Countries
IBM has the unmatched global and local expertise to deliver complete solutions and manage the cost and complexity of security
30. Our strategy: Comprehensive solutions that also leverage partners’ products
Delivery models: Professional Services, Managed Services, Products, Cloud Delivered
• Security Governance, Risk and Compliance (GRC)
• Security Information and Event Management (SIEM) & Log Management
• Identity & Access Management: Identity Management, Access Management
• Data Security: Data Loss Prevention, Data Entitlement Management, Encryption & Key Lifecycle Management, Messaging Security (E-mail), Database Monitoring & Protection, Data Masking
• Application Security: Application Vulnerability Scanning, Web Application Firewall, Access & Entitlement Management, Web / URL Filtering, SOA Security
• Infrastructure Security: Vulnerability Assessment, Virtual System Security, Endpoint Protection, Threat Analysis, Security Event Management, Managed Mobility Svcs, Intrusion Prevention System, Firewall, IDS/IPS, MFS Management, Mainframe Security Audit, Admin & Compliance, Security Configuration & Patch Management
• Physical Security
IBM Security Solutions: 2. Assess Risks, 3. Mitigate Risks, 4. Manage Security Controls
31. Our strategy: IBM is investing in Security Solutions
The only security vendor in the market with
end-to-end coverage of the security foundation
15,000 researchers, developers and SMEs on
security initiatives
3,000+ security & risk management patents
200+ security customer references and 50+
published case studies
40+ years of proven success securing the
zSeries environment
600+ security certified employees
(CISSP,CISM,CISA,..)
IBM Security acquisitions (1999 – 2010):
DASCOM
32. Our strategy: Research = intelligence = security
The mission of the IBM X-Force research and development team is to:
• Research and evaluate threat and protection issues
• Deliver security protection for today’s security problems
• Develop new technology for tomorrow’s security challenges
• Educate the media and user communities
IBM builds technology for tomorrow based on IBM Research:
• Identify mission-critical enterprise assets and very sensitive data
• Build fine-grained perimeters
• Monitor fine-grained perimeters and close the loop
• End-to-end security
• Secure by design
• 13B analyzed Web pages & images
• 150M intrusion attempts daily
• 40M spam & phishing attacks
• 54K documented vulnerabilities
• Millions of unique malware samples
33. The Importance of Research to Security: IBM Internet Security Systems X-Force® Research Team
Research:
• Original Vulnerability Research
• Public Vulnerability Analysis
• Malware Analysis
• Threat Landscape Forecasting
• Protection Technology Research
Technology:
• X-Force Protection Engines: extensions to existing engines, new protection engine creation
• X-Force XPUs: Security Content Update development, Security Content Update QA
• X-Force Intelligence: X-Force Database, feed monitoring and collection, intelligence sharing
Solutions: the X-Force team delivers reduced operational complexity, helping to build integrated technologies that feature “baked-in” simplification: “Protecting people from themselves”
34. IBM’s security portfolio today
IBM Security Offering Reference Model
Security / Compliance Analytics and Reporting
• IBM Products: IBM OpenPages GRC, Tivoli Security Information and Event Management, DOORS, FocalPoint
• IBM Services: Consulting and Implementation Services, Audit and Compliance Assessment Services (e.g., PCI), Privacy and Risk Assessments, Cloud-based Vulnerability Management Portal, Security Event and Log Management Consulting
IT Infrastructure – Operational Domains
• People: Tivoli Identity and Access, Tivoli Federated ID, Tivoli Single Sign-On; services: Identity Assessment, Deployment and Hosting Services
• Data: InfoSphere Guardium, InfoSphere Optim Data Masking, Tape / Disk encryption, Tivoli Key Manager; services: Data Security Assessment, Encryption and DLP Deployment
• Applications: Rational AppScan Source Edition, Rational AppScan Standard Edition, Tivoli Security Policy Manager, WebSphere Datapower XML Gateway; services: Application Assessment Services, AppScan On Demand - SaaS
• Network: Tivoli Network Intrusion Prevention; services: Penetration Testing, Managed Firewall, IPS, Vulnerability Services
• Endpoint: Tivoli Endpoint Manager (anti-virus using Trend Micro), Tivoli zSecure Mainframe security; services: Managed Mobile Protection (using Juniper), Managed Services
• Infrastructure Security Services: Implementation Services
Editor's Notes
R 2-1 - The Responsible Entity shall maintain documentation describing its risk-based assessment methodology that includes procedures and evaluation criteria. R 3-1 - Cyber Security Policy — The Responsible Entity shall document and implement a cyber security policy that represents management’s commitment and ability to secure its Critical Cyber Assets. The Responsible Entity shall, at minimum, ensure the following: The cyber security policy addresses the requirements in Standards CIP-002-3 through CIP-009-3, including provision for emergency situations. R 4-1 - Awareness — The Responsible Entity shall establish, document, implement, and maintain a security awareness program to ensure personnel having authorized cyber or authorized unescorted physical access to Critical Cyber Assets receive on-going reinforcement in sound security practices. The program shall include security awareness reinforcement on at least a quarterly basis using mechanisms such as: Direct communications (e.g., emails, memos, computer based training, etc.- Indirect communications (e.g., posters, intranet, brochures, etc.); - Management support and reinforcement (e.g., presentations, meetings, etc.). R 4-2 - Training — The Responsible Entity shall establish, document, implement, and maintain an annual cyber security training program for personnel having authorized cyber or authorized unescorted physical access to Critical Cyber Assets. The cyber security training program shall be reviewed annually, at a minimum, and shall be updated whenever necessary. R 5-1 - Electronic Security Perimeter —The Responsible Entity shall ensure that every Critical Cyber Asset resides within an Electronic Security Perimeter. The Responsible Entity shall identify and document the Electronic Security Perimeter(s) and all access points to the perimeter(s). 
R 6-1 - Physical Security Plan —The Responsible Entity shall document, implement, and maintain a physical security plan, approved by the senior manager or delegate(s) that shall address, at a minimum, the following: R1.1. All Cyber Assets within an Electronic Security Perimeter shall reside within an identified Physical Security Perimeter. Where a completely enclosed (“six-wall”) border cannot be established, the Responsible Entity shall deploy and document alternative measures to control physical access to such Cyber Assets. R 7-1 - Test Procedures — The Responsible Entity shall ensure that new Cyber Assets and significant changes to existing Cyber Assets within the Electronic Security Perimeter do not adversely affect existing cyber security controls. For purposes of Standard CIP-007-3, a significant change shall, at a minimum, include implementation of security patches, cumulative service packs, vendor releases, and version upgrades of operating systems, applications, database platforms, or other third-party software or firmware. - The Responsible Entity shall create, implement, and maintain cyber security test procedures in a manner that minimizes adverse effects on the production system or its operation. R 8-1 - Cyber Security Incident Response Plan — The Responsible Entity shall develop and maintain a Cyber Security Incident response plan and implement the plan in response to Cyber Security Incidents. The Cyber Security Incident response plan shall address, at a minimum, the following: - Procedures to characterize and classify events as reportable Cyber Security Incidents. R 9-1 - Recovery Plans — The Responsible Entity shall create and annually review recovery plan(s) for Critical Cyber Assets. The recovery plan(s) shall address at a minimum the following: - Specify the required actions in response to events or conditions of varying duration and severity that would activate the recovery plan(s). - Define the roles and responsibilities of responders.
Just to kind of sum that all up on this next slide . . . We recap by saying that this Identity and Access Assurance bundle is highly successful . . . And it includes comprehensive single sign-on – as you might now recall it includes Tivoli Access Manager for e-business for the Web, Tivoli Access Manager for Enterprise SSO for single sign-on benefits within an enterprise and Tivoli Federated Identity Manager for multi-domain or federated configurations Customers’ user provisioning and deprovisioning requirements are of course addressed by Identity Manager, which provides significant cost savings by assigning users to roles and automating the assigning of user accounts and the removal of user accounts. Very important to customers interested in this space are the aspects of compliance related to who has what accounts, and are we in control and can we demonstrate that control, in terms of who is accessing what. The reconciliation, recertification and reporting box in the lower left describes TIM’s ability to ensure that what you think the overall policy is for who can access what is in fact what’s happening out there. Because even though I’m the TIM administrator and I’ve put this policy into place, there are many other administrators in our company, and so I need a way of ensuring that what I think the plan is really matches up to reality. If not, I can take appropriate action, and get back into compliance. This is totally in line with the goals of governance, risk management and compliance and companies are taking this very seriously. And finally, in the package is outstanding enterprise audit management and reporting technology that takes what is really not humanly possible, in terms of reconciling and normalizing the volumes of audit information typically collected in a given quarter, or month or week or even day . . . 
Why not assign some automation to it and that’s what Tivoli Security Information and Event Manager does for you – gives you multiple levels of reports from executive dashboard views to specialized, more detailed reports you can request and with the capability of giving you insights into how you’ll do against upcoming audits related to major laws, standards and regulations. So it’s a successful bundle and with the functionality that I’ve described, you can see why these interrelated, integrated capabilities are attractive to our customers. So with this slide, we’ve come to the end of Part 1 of this 3-part recording. You’ve heard the introductory and background material, including smarter planet and the IBM Security Framework, and we’ve been through the first of the 5 categories of solutions within the framework – People and Identity. When we pick back up, we’ll pick up with the next category – Data & Information. =============== A Tivoli customer who has essentially bought this solution even before it was offered as a solution bundle is Harley Davidson. They did a presentation at the 2009 and 2010 Pulse events and many of the charts looked like they came right off of the one above. They are delighted with TIM and TAMeb and they included a chart in their presentation that dramatically gets across how much audit log information builds up in a typical operational environment. It shows an example of a single log file that contains 1 minute of activity on 1 application on 1 server. The file contains 14,080 lines of text! Think of what this means audit-volume-wise across a large operational environment! This dramatically brings home the value of the log management and reporting that IAA has, thanks to TSIEM being included in the package.
In early stages of adoption, security practitioners will assess applications during pre-deployment testing. Costs are higher and the window is shorter to mitigate any issues found. By integrating security into requirements, development and build/test/integration cycles, identification occurs much earlier, increasing the find rate at a time when fix costs are lowest.
Let’s talk about our solution! Heterogeneous support for databases and applications. S-TAP agents: lightweight, cross-platform support; NO changes to databases or applications; also monitor direct access to databases by privileged users (such as SSH console access), which can’t be detected by solutions that only monitor at the switch level. Collectors handle the heavy lifting (continuous analysis, reporting and storage of audit data), which reduces the impact on the database server. Our solution does not rely on log or native audit data: DBAs can (sometimes have to!) turn this off, and logging greatly impacts performance on the database server as you increase granularity! Real-time alerting, not after the fact. Monitor ALL access.
This technology is key for compliance, and is found in the IBM HIPS, NIPS, and VSP.
To give you an overview of how IBM delivers preemptive security, we look at the top 61 vulnerabilities of 2009, and we can see we were an average of 341 days “Ahead of the Threat”™ . . . On the right-hand side, you can see the 61 vulnerabilities. The ones in blue were discovered by IBM. On the left you can see how many days after or ahead of the threat the protection was available. Out of the full set of 61, only in 9 cases did we have to deliver protection after the release of the vulnerability. In the vast majority we are well ahead of the threat and this level of protection is far better than any that any other vendor can or does deliver. And looking at the data that X-Force published for the first half of 2010, the average days Ahead of the Threat increased to 437!
Virtual Server Protection for VMware is an integrated software product delivered as a virtual appliance. It integrates with the VMsafe initiative in the new VMware vSphere 4 release and gives us a hypervisor-level view into security. We provide the same Intrusion Prevention System and protocol analysis engine we use in the rest of our IBM ISS IPS products. Because it is integrated into the hypervisor, VSS for VMware captures traffic between VMs without requiring any changes to the virtual network itself. This offers a true plug-and-play connection with automated protection expertise. The product also provides firewall technology for critical network-level access control, specifically designed to prevent virtual server sprawl. In conjunction with IBM X-Force research, we use the VMsafe APIs to match signatures or fingerprints of known rootkits (a blacklist approach) and alert users to malware in the system without any presence in the guest operating system. Our virtual infrastructure auditing ties into regulatory compliance initiatives, giving a holistic view of the infrastructure and reporting on privileged user activities. We can also report on virtual network changes and on VMs being created, suspended and moved from one layer to another. As we originally promised to the industry, we are the first to market to incorporate our intrusion prevention technology and X-Force capabilities into true virtual infrastructure protection in one product, providing our clients the flexibility to use physical network, host or virtual devices, all centrally managed through SiteProtector.

Some of the other features I want to emphasize:

• VM rootkit detection - Virtualization-based rootkits are of particular concern because they can expose the hypervisor to malware that conceals itself from traditional security tools. VSS for VMware transparently inspects VMs to detect the installation of rootkits, which is a key differentiator for IBM vs. competitive products.
• Automatic discovery - With VSS for VMware, the security virtual machine (SVM) can perform automatic discovery of all virtual machines. This helps increase security awareness and visibility across the virtual environment.
• IBM Virtual Patch technology - Automatically protects vulnerabilities on virtual servers regardless of patch strategy.

The IBM Proventia® Management SiteProtector™ system offers a simpler, cost-effective way to manage security solutions and ease regulatory compliance by providing a central management point to control security policy, analysis, alerting and reporting for your business, and it is supported on VMware ESX. It is designed for simplicity and flexibility, and the SiteProtector system can provide centralized configuration, management, analysis and reporting for the full IBM ISS Proventia product family.

A key differentiator for IBM vs. competitive offerings: we provide all of the features I mentioned in this one software solution, whereas competitive products have only some of these features, or it takes several modules to provide only some of what we provide in one product. Imagine the headaches and hassles of trying to maintain all of those different modules. With Virtual Server Protection for VMware, we provide easy-to-deploy, easy-to-maintain, in-depth security.

VMware VMsafe provides a unique capability for virtualized environments through an application program interface (API)-sharing program that enables select partners to develop security products for VMware environments. The result is an open approach to security that provides customers with the most secure platform on which to virtualize their business-critical applications.

• Intrusion prevention and firewall - Virtual Server Protection for VMware provides market-leading IPS and firewall technology to protect the virtual data center, in a solution purpose-built to protect the virtual environment at the core of the infrastructure.
• Inter-VM Traffic Analysis - While traditional host and network intrusion prevention systems have no visibility into traffic between VMs, VSS for VMware monitors traffic between virtual servers to stop threats before impact.
• Virtual network access control - VSS for VMware performs virtual network access control to quarantine or limit network access from a virtual server until its security posture has been confirmed.
• Virtual infrastructure auditing - VSS for VMware reports on privileged user activity such as VMotion events, VM state changes (start, stop, pause) and login activity, which can reduce the preparation time required to support audits.
Most enterprise networks are highly distributed. Users are connecting to your HQ site from across the Internet, while on the road, and also from remote offices – which makes security and systems management extremely challenging. Additionally, most enterprise networks have bandwidth constraints – over wireless, shared MPLS, satellite links, etc - which makes pushing fat software packages and security patches over these latency-prone links a huge burden for the IT organization. Moreover, many of these devices are intermittently connected – particularly those roaming laptops – which makes validating and updating their configuration virtually impossible. Finally, most enterprises have many different types of servers, desktops, laptops and handheld devices, making cross-platform support a must for any security and systems management solution. Unlike alternative solutions, Tivoli Endpoint Manager was purpose-built to work efficiently within these types of environments. As you can see from the diagram, Tivoli Endpoint Manager Agents can be deployed on all types of devices, whether those are running Windows, Windows Mobile, different flavors of UNIX, Linux and Mac. The Agent is the “brains” of the Tivoli Endpoint Manager technology and continuously assesses the state of the endpoint against policy, whether connected to the network or not. As soon as it notices that an endpoint is out of compliance with a policy or checklist, it informs the Tivoli Endpoint Manager Server and executes the configured remediation strategy, and immediately notifies the Server of task status (completed, in process, not completed). 
The Tivoli Endpoint Manager Server manages policy content – delivered in messages called “Fixlets” and updated continuously via the Tivoli Endpoint Manager Content Delivery cloud-based service – and enables the Operator to maintain real-time visibility and control over all devices in the environment, including instantaneous discovery of devices that aren’t yet managed. Because most of the analysis, processing and enforcement work is done by the Agent rather than the Server, ONE Tivoli Endpoint Manager Server can support up to 250K endpoints, enabling customers to make the most of their security and systems management investment. Whatever specific Tivoli Endpoint Manager solution a customer uses – whether it’s endpoint protection, systems lifecycle management or security configuration and vulnerability management – it’s delivered via a single management console view. Additionally, new services can be provisioned and delivered via the Content Delivery cloud with no additional hardware or software installations or network changes.

Deployment is straightforward, and is typically completed within hours or days. Agents can automatically be installed within minutes, without disrupting end-users. Additionally, most customers deploy Tivoli Endpoint Manager Relays to help manage distributed devices and policy content and, as you can see in the diagram, an existing workstation can be leveraged for this purpose. Promoting an Agent to a Relay takes minutes and doesn’t require dedicated hardware or network configuration changes. It’s entirely up to the customer how many Relays to deploy and where they’d like to place them; however, we can certainly make recommendations based on business and technical considerations. In addition to caching patches and other software updates close to end user devices, Relays manage the bandwidth used by Tivoli Endpoint Manager to ensure that systems and security management tasks don’t consume all available network bandwidth.

To a world accustomed to multiple, fragmented technologies and point solutions, Tivoli Endpoint Manager offers an alternative: the industry’s only single-console, single-agent platform that addresses operations, security and compliance initiatives in real-time and at global scale.
Differentiation: IBM is in an excellent position to support customers against cyber threats and cyber attacks.
• We invented much of the underlying fundamental technology, and so understand it better than other companies do.
• We have strong people, size and global experience of attacks.
• We are uniquely positioned to pull all of it together: security, service and risk management.
• IBM X-Force detects and investigates new vulnerabilities and attacks. By monitoring security devices worldwide, IBM gets information about new threats and attacks first hand. The knowledge gained is made available in the X-Force threat report, and also flows directly into our products and services offerings.
• IBM Research is working on the most challenging security problems and develops innovative security solutions.
http://public.dhe.ibm.com/common/ssi/ecm/en/wgl03007usen/WGL03007USEN.PDF

The blue countries are the key message of this slide. These are the "monitored countries", i.e., the countries of IBM MSS' customers. When new attacks or threats come up, they don't happen in all countries at the same time. Therefore it's key to have a worldwide operation so that we have a good picture of what's going on. Not only does IBM employ the IBM X-Force Research and Development Team, but we have 9 Security Operations Centers and 9 Security Research Centers globally. The information from R&D and the X-Force enables us to understand and remediate threats through thousands of researchers, developers, consultants and subject matter experts on security initiatives worldwide. This information is fed directly back into updating our IBM Security Solutions.
TJ Watson Focus Areas
• Cryptographic foundations
• Internet security & "ethical hacking"
• Secure systems and smart cards
• IDS sensors & vulnerability analysis
• Secure payment systems
• Antivirus
• Privacy
• Biometrics

Almaden Focus Areas
• Cryptographic foundations
• Secure government workstation

Haifa Focus Areas
• PKI enablement
• Trust policies

Zurich Focus Areas
• Cryptographic foundations
• Java cryptography
• Privacy technology
• Multiparty protocols
• IDS & alert correlation
• Smart card systems and applications

Tokyo Focus Areas
• Digital watermarking
• XML security
• VLSI for crypto

New Delhi Focus Areas
• High-performance cryptographic hardware & software
(Note to presenter: The purpose of this slide is to highlight that IBM offers breadth and depth – unlike any other vendor – with our security portfolio. The intent is not to engage in a technical discussion at this point or try to cover all areas in detail.)

IBM has a unique position in the market as an end-to-end security provider – we can address virtually any dimension of a secure infrastructure – and provide the services and consulting to help customers develop a strategic approach to their security challenges. Across our portfolio, we provide many capabilities that help customers solve a wide range of security problems completely and, in the process, cut costs, reduce complexity and assure compliance. So depending on the types of security risks that are impacting your business, we can look more closely at how we can help address those issues. Just like we did for DTCC by helping them make their applications more secure.

Notes to presenter: … Point out 1 or 2 capabilities mentioned on this slide and tie it back to a customer example to convey how we help clients meet their business requirements. You can replace the reference to DTCC above with another customer reference. If there is interest in a certain domain (i.e., people and identity, application and process, etc.), use some of the backup slides that provide the next level of information on our offerings – including how we can help (1) assess the situation, (2) mitigate or decrease the risk and (3) monitor and manage the risk ongoing. In presentation mode, you can click on the icons displayed on the left hand side of the capabilities boxes to quickly navigate to the appropriate backup slide.

(Note to presenter: Keep in mind that customers often jump in at the wrong point, so they may not have completely addressed all security risks. At times they buy something they don’t understand (aka shelfware)… they implement a security solution but forget the need to monitor it ongoing or to invest in training and awareness for a more security-aware culture. What this means to you is that even if a customer already has a solution in place… it’s not the end of the story. They may still need services to optimize, or managed services to monitor, for example.)

• Consolidate identity management with Tivoli Identity Manager
• Work with multiple identity repositories with Tivoli Federated Identity Manager
• Improve employee productivity with Tivoli Enterprise Single Sign On
• Protect data center media with STG tape encryption
• Protect data using zSeries encryption and Lotus Notes encryption
• Find and remediate application vulnerabilities with Rational AppScan
• Assure privacy compliance with Rational Policy Tester
• Locate and remediate malware with ISS IPS
• Manage incidents with ISS X-Force Emergency Response Services
Speaker’s notes: We take data from a lot of different disciplines, including the Web filtering database second only to Google that provides analysis for more than 9 billion Web sites and images; we also see what kind of intrusion attempts the managed services team sees across its customer base, currently tracking at 150 million per day; we have more than 40 million documented spam attacks; and 40,000 documented vulnerabilities from both internal research and external disclosures. This report is unique in that the sources listed above provide varying perspectives on the threat landscape and together provide a cohesive look at the industry based on factual data from the various research functions within the broader X-Force team and databases.

Provides specific analysis of:
• Vulnerabilities & exploits
• Malicious/unwanted websites
• Spam and phishing
• Malware
• Other emerging trends

• IBM ISS uses its broad and holistic intelligence infrastructure to provide one of the most accurate views of the current and emerging threat landscape.
• We use this to define the important and pressing security problems of today and tomorrow.
• We then focus on solving these problems with new technology and solutions in our products and services.
• IBM ISS X-Force underpins the entire platform and is the catalyst for security innovation.