In September 2011, Prolifics & IBM hosted a speaking session at a Cyber Security Summit in California. The presentation focused on the importance of Identity and Access Management in the Energy & Utilities industry as well as today's critical regulatory requirements.

1. Holistic Enterprise Security
Solution
Speaker: Alex Ivkin

2. Holistic Enterprise Security Solution
 The “Blind Slide”
 The Insider Threat. Identity Controls and Data Loss protection
 Application Protection
 New threat vectors. Virtualization and distributed assets
 Experiences from the field

3. NERC CIP 2011 Violations & Fines
 Since January 2011, a significant increase in CIP fines
 Largest numbers for Security Awareness and Testing
Source: http://www.nerc.com/filez/enforcement
3

4. Introduction
 Personal ID – personal accountability
 Traditional identity management has always focused on these IDs.
 Well covered and controlled
 Commoditized
 Service ID - corporate accountability
 Shared administrative ID
 Programs, services, databases, scripting, testing, load testing, auditing,
troubleshooting, you name it.
 “Too hard to deal with”
 “will be the next step”
 Other
 Shared group IDs
 IDs in transition
 Template IDs
• Exchange mailboxes
4

5. Service IDs
 Service IDs are everywhere
 Different systems have different exposure via the Service IDs
5

6. Identity & Access Management
User Provisioning / Deprovisioning
and Full Role Management
Single
Sign On
& Management
of Web Access
& Passwords
The 3 Rs – Reconciliation, Security log management & reporting
Recertification & Reporting
R
E
N A
LA MATCH?
EP L
TH I
T
Y

7. Identity and Access Management for Energy Companies
•A holistic way to addressing corporate identities and access controls
• Identity lifecycle support and review
• Access provisioning, deprovisioning certification
• Policy enforcement: password, access patterns, expiration
• RBAC
•IdM for FERC/NERC CIP applications
• Energy management systems
• Energy network components
• Physical access control services
• Customer Information Systems
• Work Management System
• Plant Maintenance Systems
• Tower gateway base stations for Smart Meter infrastructure
•SOX applications. SOX 404
• Corporate Reports
• Financial systems
•PCI, NIST, HIPAA
7

8. CIP with IAM Step by Step
CIP‐ 003‐ 1 Access enforcement, audit trails, reviews and roles
• Access authorization enforcement maintained via identity lifecycle
workflows with the robust approval framework and multilevel escalation.
• The audit trails are preserved for each request and approval, ensuring
access is given, modified and revoked only under proper supervision.
• Automatic enforcement of access privileges is linked in and based on
business roles.
• Annual reviews and re‐certification of access are required from the
management and system owners.
CIP–004–1 Training, privilege revocation
• Training program requirements are enforced via proper personnel on-
boarding and transfer workflows, tied into the HR and training systems.
• Revocation within 24 hours of termination is a part of the closely
enforced identity lifecycle.
• Critical asset access lists are available for review 24/7 by authorized
personnel via a web interface
8

9. CIP with IAM Step by Step
CIP‐ 006‐ 1 Physical access protection
• Implemented by integrating with card access and badge systems and tied
into an identity lifecycle.
CIP–007–1 Access to CCA, Shared accounts, Least Privilege
• Enforcing the creation and management of user access to Critical Cyber
Assets by employing industry standard role based access control
certification, provisioning, rights and password management.
• Directly assigning owners and custodians for individuals and shared system
accounts on a "need to know basis" and subjecting it to periodic reviews.
• Analysis and remediation of orphan accounts.
• Password policies are deployed in the automated identity management
system to ensure only qualified passwords are allowed.
9

10. Service Identity Management is an essential part of IAM
Governance
 Expansion of the traditional Identity and Access Management to cover
identities used by administrators, systems, software and automated processes.
 Assign responsibility for Service accounts, track people who manage the
accounts, reports and enforces policies.
 Tracking accounts used by various IT assets
 Databases
 Enterprise applications
 Devices
 Scheduling and monitoring software
 Automatic maintenance processes
 and many more.
10

11. How PIM works
3
E-SSO Authorization 1 • Tivoli Identity Manager (TIM) with custom module provisions
privileged IDs and manages pools of shared IDs
• Shared IDs are stored in a secured data store
LDAP 1
ITIM
AD 2 • Periodically recertify account authorizations through a
consistent work flow.
Email
3 • Admin logs into Tivoli Access Manager for E-SSO (TAM E-SSO)
• TAM E-SSO automatically checks out/in shared ID as required to
Recertification of
privileged users ensure accountability while simplifying usage
Event Logs
4 • Tivoli Compliance Insight Manager (TCIM) monitors all logs for
2 end to end tracking
4
TCIM
Enterprise
Reports

12. IBM Software Map for NERC CIP Requirements
Tivoli Enterprise Portal NERC Compliance Portal Tivoli Netcool
CIP-004 Cyber CIP-005 Electronic CIP-006 Physical CIP-007 Cyber CIP-008 Cyber CIP-009 Recovery
CIP-001 Sabotage CIP-002 Critical CIP-003 Security
Security – Pers. & Security Security of Cyber Security – Systems Security – Incident Plans for Critical
Reporting Cyber Assets Mgmt. Controls
Training Parameters Assets Security Mgmt Rept. & Response Cyber Assets
Enterprise Content and Record Manager
Tivoli Provisioning
Manager
Tivoli Identity Manager Tivoli Storage Manager
Maximo Tivoli Access Manager Tivoli Security Compliance Manager
Tivoli Security Tivoli Provisioning Manager
Tivoli Security Lotus Learning
Compliance
Compliance Manager Management System
Manager
Tivoli Compliance Insight Manager
Tivoli Security
Tivoli Monitoring
Operations Manager
Internet Security Systems
R1. Electronic Security Perimeter R1. Physical Security Plan R1. Test Procedures R1. Cyber Security Incident R1. Recovery Plans
R1. Have procedures for R1. Critical Asset Identification R1. Cyber Security Policy R1. Awareness
Response Plan
recognition and reporting of Method
R2. Electronic Access Controls R2. Physical Access Controls R2. Ports and Services R2. Excercises
sabotage events. R2. Leadership R2. Training
R2. Cyber Security Incident
R2. Critical Asset Identification
R3. Monitoring Electronic Access R3. Monitoring Physical Access R3. Security Patch Management Documentation R3 Change Control
R2. Have procedures for R3. Exceptions R3. Personnel Risk Assessment
communication of sabotage to R3. Critical Cyber Asset
R4. Cyber Vulnerability R4. Logging Physical Access R4. Malicious Software R4. Backup and Restore
appropriate parties. Identification R4. Information Protection R4. Access
Assessment Prevention
R5. Access Log Retention R5. Testing Backup Media
R3. Have guideline for R4. Annual Approval R5. Access Control
R5. Documentation Review and R5. Account Management
monitoring and reporting.
Maintenance R6. Maintenance and Testing
R6. Change Control and
R6. Security Status Monitoring
R4: Have established Configuration Mgmt.
communication contacts as
applicable with local authorities.
Internet Security R7. Disposal or Redeployment
Systems
R8. Cyber Vulnerability
Assessment
R9. Documentation Review and
Tivoli Compliance Insight Manager
Maintenance
Alerts Notification Auditing Reporting Workflow Team Definition Measurement

13. Prolifics-IBM Support For NIST Industrial Control Systems Security Objectives
NIST Directive NIST Objectives IBM Technology
NIST SP 800-12 Security Policies and Procedures TSPM, TIM, TAMeb
NIST SP 800-53 Security Controls- Configuration Management TAM ESSO
Access Management TAMeb-TAM OS
TFIM
NIST SP 800-94 Guidance on Intrusion Detection/Prevention Systems ISS Proventia
NIST SP 800-61 Guidance on Incident Handling and Reporting TSIEM
NIST SP 800-73/76 Guidance on Personal Identity Verification TIM, PIM
NIST SP 800-63 Guidance on Remote Electronic Authentication TFIM
NIST SP 800-64 Guidance on Security considerations for System Development Lifecycle Rational AppScan
NIST SP 800-61 Guidance on Incident Handling/Audit Log Retention TSIEM
NIST SP 800-56/57 Guidance on Cryptographic Key Establishment and Management TKLM

14. Holistic Enterprise Security Solution
 The “Blind Slide”
 The Insider Threat. Identity Controls and Data Loss protection
 Application Protection
 New threat vectors. Virtualization and distributed assets
 Experiences from the field

15. Application Vulnerabilities Continue to Dominate
 Web app. vulnerabilities represent the largest category in vulnerability disclosures
 In 1H10, 55.95% of all vulnerabilities are web application vulnerabilities
 SQL injection and cross-site scripting are neck and neck in a race for the top spot
IBM Internet Security Systems 2010 X-Force®
Mid-Year Trend & Risk Report
15

16. Motivation for becoming Secure by Design…
100,000x
Unbudgeted Costs:
Impact to Enterprise
- e.g., Database hacked  Downtime
Security Flaw  Customer notification/care
 Fines/Litigation
 Reputational damage
 Cost to clean-up
- e.g., Database crash Functional Flaw
10x
1x
Development Test Deployment

17. Application Security Tools Strategy
Static Code Analysis = Whitebox
Scanning source code for security
issues
Total Potential
Security Issues
Dynamic Analysis = Blackbox Static Complete Dynamic
Analysis Coverage Analysis
Performing security analysis of a
compiled application
Providing for numerous
compliance requirements;
including NERC-CIP
CIP-007 Cyber
CIP-002 Critical CIP-005 Security
Security-Systems
Cyber Assets Mgmt. Control
Security Mgmt.

18. Database Servers Are The Primary Source of
Breached Data
Source of Breached Records
SQL injection played a role in 79%
of records compromised during
2010 breaches
“Although much angst and security
funding is given to …. mobile
devices and end-user systems,
these assets are simply not
a major point of compromise.”
2010 Data Breach Report from Verizon Business RISK Team
http://www.verizonbusiness.com/resources/reports/rp_2010-data-breach-report_en_xg.pdf
… up from 75% in 2009 Report

19. Real-Time Database Monitoring
Host-based Probes
(S-TAPs) Collector
• No DBMS or application changes • Cross-DBMS solution
• Does not rely on DBMS-resident logs • Granular, real-time policies & auditing
that can easily be erased by – Who, what, when, how
attackers, rogue insiders • Automated compliance reporting,
• 100% visibility including local DBA sign-offs & escalations (SOX, PCI,
access NIST, etc.)
• Minimal performance impact (1-2%)
CIP-002 Critical CIP-003 Security CIP-007 Cyber
CIP-005 Security
Security-Systems
Cyber Assets Mgmt. Controls Mgmt. Control
Security Mgmt.

20. Holistic Enterprise Security Solution
 The “Blind Slide”
 The Insider Threat. Identity Controls and Data Loss protection
 Application Protection
 New threat vectors. Virtualization and distributed assets
 Experiences from the field

21. 21
Protocol Analysis Module (PAM) is the Engine Behind our Products
Others: constant thrashing to address today’s latest threat. IBM with PAM: “Ahead of the Threat”
What It Does: What It Does: What It Does: What It Does: What It Does: What It Does:
Shields vulnerabilities Protects end users Protects Web Detects and prevents Monitors and identifies Manages control of
from exploitation against attacks targeting applications against entire classes of threats unencrypted PII & other unauthorized applications
independent of a applications used every sophisticated application- as opposed to a specific confidential information and risks within defined
software patch, and day such as Microsoft level attacks such as exploit or vulnerability. for data awareness. Also segments of the network,
enables a responsible Office, Adobe PDF, SQL Injection, XSS provides capability to such as ActiveX
patch management Multimedia files and Web (Cross-site scripting), explore data flow through fingerprinting, Peer To
process that can be browsers. PHP file-includes, CSRF the network to help Peer, Instant Messaging,
adhered to without fear of (Cross-site request determine if any potential and tunneling.
a breach forgery). risks exist.
Why Important:
Why Important: Why Important: Why Important: Why Important: Why Important: Enforces network
At the end of At the end of 2009, Expands security Eliminates the need for Flexible and scalable application and service
2009, 52% of all vulnerabilities, which capabilities to meet both constant signature customized data search access based on
vulnerabilities disclosed affect personal compliance requirements updates. Protection criteria; serves as a corporate policy and
during the year had no computers, represented and threat evolution. includes the proprietary complement to data governance.
vendor-supplied patches the second-largest Shellcode Heuristics security strategy.
available to remedy the category of vulnerability (SCH) technology, which
vulnerability. In disclosures and represent has an unbeatable track
mid-2010, the percentage about a fifth of all record of protecting
increased to 55%. vulnerability disclosures. against zero day
vulnerabilities.
CIP-007 Cyber 44
CIP-005 Security
Security-Systems
Mgmt. Control
Security Mgmt.

22. 22
Preemptive Ahead of the Threat Security – backed up by data
Top 61 Vulnerabilities 2009
341 Average days Ahead of the Threat
91 Median days Ahead of the Threat
35 Vulnerabilities Ahead of the Threat
57% Percentage of Top Vulnerabilities –
Ahead of the Threat
9 Protection released post
announcement
17 same day coverage
2010 – Average days
Ahead of the Threat
increased to 437!
45

23. Securing the Virtualized Runtime:
IBM Security Virtual Server Protection for VMware vSphere 4
Helps customers to be more secure, compliant and cost-effective by
delivering integrated and optimized security for virtual data centers
IBM Virtual Server
Protection for VMware
• VMsafe Integration
• Firewall and Intrusion
Detection & Prevention
• Rootkit Detection &
Prevention
• Inter-VM Traffic Analysis
• Automated Protection for
Mobile VMs (VMotion)
• Virtual Network Segment
Protection
• Virtual Network-Level
Protection
• Virtual Infrastructure Auditing
(Privileged User Access)
• Virtual Network Access
Control
• Virtual Patch
http://www-01.ibm.com/software/tivoli/products/virtual-server-protection/
© 2011 IBM Corporation

24. Tivoli Endpoint Manager: Smarter, Faster Endpoint Management
• Network Asset
Discovery
• Endpoint HW, SW
Inventory
• Patch Management
• Software Distribution
• OS Deployment
• Remote Desktop
Control
• Software Use
Analysis (add on) Whether it’s a Mac connecting from hotel wi-fi, or a
Windows laptop at 30K feet, or Red Hat Linux
• Power Management Server in your data center, Tivoli Endpoint Manager has
(add on) it covered. In real-time, at any scale.
CIP-002 Critical CIP-003 Security CIP-007 Cyber
CIP-005 Security
Security-Systems
Cyber Assets Mgmt. Controls Mgmt. Control
24 Security Mgmt.

25. Holistic Enterprise Security Solution
 The “Blind Slide”
 The Insider Threat. Identity Controls and Data Loss protection
 Application Protection
 New threat vectors. Virtualization and distributed assets
 Experiences from the field

26. Experience

Treating identities as an enterprise asset

Consistent, standards based method for authentication and
authorization

Provisioning and, more importantly, de-provisioning accounts
within a specified period of time (account lifecycle)

Application accounts, Databases, Servers, Network devices

Approval process with multi-level escalation and delegation

Quarterly access certification reports

FERC M/T code throughout the whole system and in reports

Standardization helps with FERC reliability regulations

Energy Management Systems kept on an isolated network

SSO limits password exposure and simplifies sign on process

Service ID Management to address shared accounts (SOX)

Separation of Duties checks (SOX)
26

27. Other features

Self-service user interface

Auditing and reporting enhancements

Dormant Accounts Management

External security audit recommended adding all enterprise
applications, not just those covered by SOX and FERC regulations

Flexible life-cycle and operational workflows
27

28. 28

29. By managing security for customers across the world, IBM has a
clear and current picture of threats and attacks
3 Branches of
+ + + +
9 Security 9 Security 11 Security Solution 133
the Institute for
Operations Research Development Advanced Monitored
Centres Centres Centres Security (“IAS”) Countries
IAS IAS
Americas Europe
IAS
Asia Pacific
IBM has the unmatched global and local expertise to deliver
complete solutions – and manage the cost and complexity of security
29

30. Our strategy: Comprehensive solutions that also leverage partners products
Security Governance, Risk and Security Information and Event
Professional Services GRC Compliance Management (SIEM) & Log Management
Managed Services
Identity & Access
Products Management
Identity Management Access Management
Cloud Delivered
Data Loss Prevention Data Entitlement
Data Security Management
Encryption & Key
Lifecycle Management Messaging Security
E-mail
Database Monitoring
Security Data Masking
& Protection
Application Web Application
Application Security
Vulnerability Scanning Firewall
Access & Entitlement
Web / URL Filtering SOA Security
Management
Infrastructure Vulnerability Virtual System
Endpoint Protection
Security Assessment Security
Threat Security Event Managed Intrusion Prevention
Analysis Management Mobility Svcs System
IBM Security Solutions:
2. Assess Risks Firewall, IDS/IPS Mainframe Security Audit, Security Configuration
MFS Management Admin & Compliance & Patch Management
3. Mitigate Risks
4. Manage Security Controls Physical Security

31. Our strategy: IBM is investing in Security Solutions
 The only security vendor in the market with
end-to-end coverage of the security foundation
 15,000 researchers, developers and SMEs on
security initiatives
 3,000+ security & risk management patents
 200+ security customer references and 50+
published case studies
 40+ years of proven success securing the
zSeries environment
 600+ security certified employees
(CISSP,CISM,CISA,..)
IBM Security acquisitions (1999 – 2010):
DASCOM

32. Our strategy: Research = intelligence = security
The mission of the IBM builds technology for
IBM X-Force research and tomorrow based on IBM
development team is to: Research
• Identify mission-critical enterprise
 Research and evaluate threat and protection assets and very sensitive data.
issues
• Build fine-grained perimeters
 Deliver security protection for today’s
security problems • Monitor fine-grained perimeters and
 Develop new technology for tomorrow’s close the loop
security challenges • End-to-end security
 Educate the media and user communities • Secure by design
• 13B analyzed Web pages & images
• 150M intrusion attempts daily
• 40M spam & phishing attacks
• 54K documented vulnerabilities
• Millions of unique malware samples

33. 33
The Importance of Research to Security:
IBM Internet Security Systems X-Force® Research Team
Research Technology Solutions
Original Vulnerability X-Force Protection Engines
Research
 Extensions to existing engines
 New protection engine creation
Public Vulnerability
Analysis
X-Force XPU’s
Malware Analysis  Security Content Update
Development
 Security Content Update QA
Threat Landscape
Forecasting X-Force Intelligence
 X-Force Database
Protection Technology
Research  Feed Monitoring and Collection
 Intelligence Sharing
The X-Force team delivers reduced operational complexity –
helping to build integrated technologies that feature “baked-in” simplification-
“Protecting people from themselves”

34. IBM’s security portfolio today
IBM Security Offering Reference Model
Security / Compliance Analytics and Reporting
IBM Products
 IBM OpenPages  GRC Consulting and Implementation Services
IBM Services
 Tivoli Security Information and  Audit and Compliance Assessment Services (e.g., PCI)
Event Management  Privacy and Risk Assessments
 DOORS  Cloud-based Vulnerability Management Portal
Security
 FocalPoint  Security Event and Log Management Consulting
IT Infrastructure – Operational Domains
Infrastructure
Security Services
People Data Applications
Network Endpoint
 Tivoli Identity and  InfoSphere  Rational AppScan  Tivoli Network  Tivoli Endpoint
IBM Products
Implemen-
Access Guardium Source Edition Intrusion Manager (anti- tation
 Tivoli Federated  InfoSphere Optim  Rational AppScan Prevention virus using Trend Services
ID Data Masking Standard Edition  WebSphere Micro)
 Tape / Disk  Tivoli Security Datapower XML  Tivoli zSecure
 Tivoli Single Sign-
encryption Policy Manager Gateway Mainframe
On
 Tivoli Key Manager security
IBM Services
 Identity  Data Security  Application  Penetration  Managed Mobile
Assessment, Assessment Assessment Testing Protection (using
Deployment and  Encryption and Services  Firewall, IPS, Juniper) Managed
Hosting Services DLP Deployment  AppScan On Vulnerability Services
Demand - SaaS Managed Services