IBM Security Systems




Take the Red Pill: Becoming One
with Your Computing Environment
using Security Intelligence

Chris Poulin
Security Strategist, IBM


Reboot Privacy & Security
Conference 2013
© 2012 IBM Corporation


Securing Information Resources is a Multi-Dimensional Puzzle

     People:          Employees, Consultants, Hackers, Terrorists, Outsourcers, Suppliers, Customers
     Data:            Structured, Unstructured, At rest, In motion
     Applications:    Systems applications, Web applications, Web 2.0, Mobile apps
     Infrastructure

     It is no longer possible to define and protect the perimeter; the focus has to shift to
     protecting data. Point products are not sufficient to protect the enterprise.



Getting Intimate with Your Computing Environment
    How well do you know:
     Applications? Owners? Activity patterns?
     Where sensitive data resides?
     Network activity patterns?






Why Take the Red Pill?




                           What’s normal? What’s suspect?


How to Get There: Security Intelligence

     Extensive Data Sources  +  Deep Intelligence  =  Exceptionally Accurate and Actionable Insight

     Extensive Data Sources:
       • Users & Identities
       • Security Devices
       • Servers & Hosts
       • Network & Virtual Activity
       • Vulnerability Info
       • Application Activity
       • Database Activity
       • Configuration Info

     Deep Intelligence:
       • Event Correlation: logs, flows, IP reputation, geo location
       • Activity Baselining & Anomaly Detection: user, database, application and network activity
       • Offense Identification: credibility, severity, relevance

     Output: Suspected Incidents




What is Security Intelligence?



                           Security Intelligence
                           --noun
                           1. the real-time collection, normalization and analytics of the
                              data generated by users, applications and infrastructure that
                              impacts the IT security and risk posture of an enterprise




                 Security Intelligence provides actionable and comprehensive
                  insight for managing risks and threats from protection and
                                  detection through remediation




Activity and Data Access Monitoring

     Correlate System, Application, & Network Activity
       Enrich security alerts with anomaly detection and flow analysis

     Visualize Data Risks
       Automated charting and reporting on potential attacks

     Detect suspicious activity before it leads to a breach:
     360-degree visibility helps distinguish true breaches from benign activity, in real time


Top Events by Log Type and Count






Top Flows by Application and Total Bytes






…and Bottom Flows






Data Leakage

                            Who is responsible for the data leak?




                                        Alert on data patterns, such as credit
                                        card number, in real time.
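What "alert on data patterns such as credit card number" looks like as detection logic, written as an added example for this page (it is not QRadar code and not the speaker's material). It scans constructed sample log lines in an assumed `user=... src=... dst=... msg="..."` format, filters 13-19 digit candidates through the Luhn check so that order IDs and other random digit runs do not fire, masks the matched number so the alert is not itself a leak, and counts findings per user to answer the slide's question of who is responsible:

```python
import re
from dataclasses import dataclass

# Candidate PAN: 13-19 digits, optionally separated by single spaces or dashes,
# and not embedded in a longer digit run (a timestamp or hash, not a card).
PAN_CANDIDATE = re.compile(r"(?<![\d-])(?:\d[ -]?){12,18}\d(?![\d-])")

# Assumed log format for this example, not any product's real event schema.
LOG_LINE = re.compile(
    r'user=(?P<user>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) msg="(?P<msg>[^"]*)"'
)


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check: every real card number passes it, while about nine
    in ten random digit runs (order IDs, ticket numbers) fail it."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep only the first six and last four digits in the alert."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


@dataclass(frozen=True)
class Finding:
    user: str
    src_ip: str
    dst: str
    masked_pan: str


def scan_line(line: str) -> list[Finding]:
    """Return one Finding per Luhn-valid card number in the line's message field."""
    m = LOG_LINE.search(line)
    if not m:
        return []
    findings = []
    for cand in PAN_CANDIDATE.finditer(m["msg"]):
        digits = re.sub(r"[ -]", "", cand.group())
        if luhn_valid(digits):
            findings.append(Finding(m["user"], m["src"], m["dst"], mask_pan(digits)))
    return findings


def scan_logs(lines: list[str]) -> list[Finding]:
    return [f for line in lines for f in scan_line(line)]


def leak_sources(findings: list[Finding]) -> dict[str, int]:
    """Who is responsible for the leak: number of findings per user."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.user] = counts.get(f.user, 0) + 1
    return counts


# Constructed sample lines, not real traffic. Line 1 carries a 16-digit order ID
# that fails Luhn; lines 2 and 3 carry the public Visa and MasterCard test
# numbers; line 4 is not in the expected format at all.
SAMPLE_LOGS = [
    'Mar 12 10:04:31 web01 app: user=jdoe src=10.1.20.15 dst=mail.example.com msg="forwarding order 1234567890123456 to vendor"',
    'Mar 12 10:05:02 web01 app: user=asmith src=10.1.20.44 dst=203.0.113.9 msg="export card 4111 1111 1111 1111 for refund"',
    'Mar 12 10:05:40 web01 app: user=asmith src=10.1.20.44 dst=203.0.113.9 msg="export card 5500-0000-0000-0004 for refund"',
    "Mar 12 10:06:11 db01 sshd: Accepted publickey for ops from 10.1.2.3",
]

if __name__ == "__main__":
    found = scan_logs(SAMPLE_LOGS)
    for f in found:
        print(f"ALERT user={f.user} src={f.src_ip} dst={f.dst} pan={f.masked_pan}")
    print("per-user:", leak_sources(found))
```

Only the two test card numbers are reported, both attributed to `asmith` sending to the same external host; the Luhn filter is what keeps the order ID on the first line from becoming a false positive.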






Passively Discover & Profile Assets with NetFlow & QFlow






Enrich the Asset Database with VA Scans, Manually, CMDB Import






Update Rules Automatically






Customize Your Network Landscape for Contextual Visibility




                            Customize Segment & System
                            Names for Quick Identification






Pivot by Geography






Dashboards & Reporting, Customized per Role






User Activity Monitoring to Combat Advanced Persistent Threats

                                               User & Application
                                               Activity Monitoring alerts
                                               on a user anomaly for
                                               Oracle database access.



                                               Identify the user, normal
                                               access behavior, and the
                                               anomaly behavior – with
                                               all source & destination
                                               information to quickly
                                               resolve the threat.






Baselining Complex Patterns



     Complex patterns can be baselined
     Anomalies take into account historical data—continuously
     May incorporate seasonality
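The user-anomaly alert for Oracle database access on the previous slide and the baselining points above, worked through as an added example (not QRadar's algorithm and not the speaker's code). The history, hosts and database name are constructed; the seasonality key (weekday/weekend, business/off-hours) and the robust z-score threshold are assumptions of the example. Each user's result-set sizes are baselined per season, the set of source hosts per user is learned, and an event is only folded back into the history when it scored as normal, so the baseline keeps tracking real behaviour without learning the anomaly:

```python
import statistics
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

MIN_SAMPLES = 10    # fewer observations than this: the bucket has no usable baseline
Z_THRESHOLD = 3.5   # robust z-score (median/MAD) above which a volume is anomalous


@dataclass(frozen=True)
class DbEvent:
    ts: datetime
    user: str
    src_ip: str
    db: str
    rows: int       # rows returned, as the database audit trail reports it


def season(ts: datetime) -> tuple[str, str]:
    """Seasonality key. The hour boundaries are an assumption of this example."""
    day = "weekday" if ts.weekday() < 5 else "weekend"
    period = "business" if 8 <= ts.hour < 19 else "offhours"
    return (day, period)


class UserBaseline:
    """Per-(user, season) history of result-set sizes plus known source hosts per
    user. Scoring uses median and MAD so a few old outliers do not inflate the
    baseline the way mean and standard deviation would."""

    def __init__(self, history):
        self.rows = defaultdict(list)
        self.sources = defaultdict(set)
        for e in history:
            self.learn(e)

    def learn(self, e: DbEvent) -> None:
        self.rows[(e.user, season(e.ts))].append(e.rows)
        self.sources[e.user].add(e.src_ip)

    def score(self, e: DbEvent) -> list[str]:
        reasons = []
        day, period = season(e.ts)
        hist = self.rows.get((e.user, (day, period)), [])
        if len(hist) < MIN_SAMPLES:
            reasons.append(f"no baseline for {e.user} during {day} {period}")
        else:
            med = statistics.median(hist)
            mad = statistics.median(abs(x - med) for x in hist) or 1.0
            z = 0.6745 * (e.rows - med) / mad
            if z > Z_THRESHOLD:
                reasons.append(f"rows={e.rows} vs median {med:.0f} (robust z={z:.1f})")
        if e.src_ip not in self.sources.get(e.user, set()):
            reasons.append(f"first access from {e.src_ip}")
        return reasons

    def observe(self, e: DbEvent) -> list[str]:
        """Score, then learn the event only if it was normal."""
        reasons = self.score(e)
        if not reasons:
            self.learn(e)
        return reasons


def build_history() -> list[DbEvent]:
    """Constructed history: four weeks of jdoe querying an HR database from one
    workstation, three times per business day, 200-349 rows each time."""
    start = datetime(2013, 2, 4)  # a Monday
    events, n = [], 0
    for day in range(28):
        d = start + timedelta(days=day)
        if d.weekday() >= 5:
            continue
        for hour in (9, 13, 16):
            events.append(DbEvent(d.replace(hour=hour), "jdoe", "10.1.20.15", "ORCL-HR", 200 + (n * 37) % 150))
            n += 1
    return events


# Constructed new events, in time order.
NEW_EVENTS = [
    DbEvent(datetime(2013, 3, 3, 2, 13), "jdoe", "10.1.88.7", "ORCL-HR", 300),     # Sunday 02:13, new host
    DbEvent(datetime(2013, 3, 5, 14, 0), "jdoe", "10.1.20.15", "ORCL-HR", 260),    # ordinary
    DbEvent(datetime(2013, 3, 6, 11, 5), "jdoe", "10.1.20.15", "ORCL-HR", 48_000), # bulk pull, usual host
]


def evaluate(history, events) -> list[tuple[DbEvent, list[str]]]:
    baseline = UserBaseline(history)
    return [(e, baseline.observe(e)) for e in events]


if __name__ == "__main__":
    for e, reasons in evaluate(build_history(), NEW_EVENTS):
        print(e.ts, e.user, e.src_ip, e.rows, "OK" if not reasons else "; ".join(reasons))
```

The Sunday-night event is flagged twice (no history for that season, unknown source host) even though its row count is unremarkable; the weekday bulk pull is flagged purely on volume against the weekday business-hours baseline; the ordinary query passes and is added to the history.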






Configuration & Risk

                            Network topology and open
                            paths of attack add context


                            Rules can take exposure
                            into account to:
                            • Prioritize offenses and
                              remediation
                            • Enforce policies
                            • Play out what-if scenarios






Security Intelligence Timeline




     Prediction & Prevention:
       Risk Management. Vulnerability Management. Configuration Monitoring. Patch Management.
       X-Force Research and Threat Intelligence. Compliance Management. Reporting and Scorecards.

     Reaction & Remediation:
       SIEM. Log Management. Incident Response. Network and Host Intrusion Prevention.
       Network Anomaly Detection. Packet Forensics. Database Activity Monitoring. Data Loss Prevention.






Security Intelligence Wrap-Up
       Monitor all activity and correlate in real time
       Reduce cost & complexity, lower TCO, support compliance
       Detect policy violations
          Baseline against reality (CMDB)
          Social media, P2P, etc.
       Detect suspicious behavior
          Privileged actions from a contractor’s workstation
          DNS communications with external system
       Detect APTs
          File accesses out of the norm—behavior anomaly detection
          Least used applications or external systems; occasional traffic
       Detect fraud
          Baseline credit pulls or trading volumes, and detect anomalies
          Correlate eBanking PIN change with large money transfers
       Forensic evidence for prosecution
       Impact analysis
       Change & configuration management
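Two of the wrap-up items, "correlate eBanking PIN change with large money transfers" and "privileged actions from a contractor's workstation", as stateful correlation rules in an added example (not QRadar's rule engine and not the speaker's code). The event shape, the asset table standing in for a CMDB import, the 24-hour window and the 10,000 threshold are all assumptions of the example; the events are constructed. The transfer rule keys its state on the account and drops it once the window has expired, so the engine never carries stale state; the privileged-action rule is the "baseline against reality (CMDB)" point, treating a host the asset database does not know about the same way as a contractor workstation:

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Event:
    """Normalized event, the shape a SIEM parser would emit; unused fields stay empty."""
    ts: datetime
    kind: str            # "pin_change", "transfer" or "priv_cmd"
    account: str = ""
    amount: float = 0.0
    user: str = ""
    src_ip: str = ""
    detail: str = ""


@dataclass
class Offense:
    rule: str
    key: str             # the account or user the offense is about
    evidence: list       # the events that fired it, kept for the analyst


# Constructed asset context, standing in for a CMDB import.
ASSETS = {
    "10.1.20.15": {"owner": "jdoe", "role": "employee-workstation"},
    "10.1.77.3": {"owner": "ext-consultant", "role": "contractor-workstation"},
    "10.1.5.10": {"owner": "dba-team", "role": "jump-host"},
}


class Correlator:
    PIN_WINDOW = timedelta(hours=24)   # how long a PIN change counts as "recent"
    LARGE_TRANSFER = 10_000.0
    UNTRUSTED_ROLES = {"contractor-workstation", "unknown"}

    def __init__(self, assets):
        self.assets = assets
        self.recent_pin_change: dict[str, Event] = {}
        self.offenses: list[Offense] = []

    def feed(self, e: Event) -> None:
        if e.kind == "pin_change":
            self.recent_pin_change[e.account] = e
        elif e.kind == "transfer":
            self._check_transfer(e)
        elif e.kind == "priv_cmd":
            self._check_privileged(e)

    def _check_transfer(self, e: Event) -> None:
        prior = self.recent_pin_change.get(e.account)
        if prior is None:
            return
        if e.ts - prior.ts > self.PIN_WINDOW:
            del self.recent_pin_change[e.account]   # expired: stop carrying the state
            return
        if e.amount >= self.LARGE_TRANSFER:
            self.offenses.append(Offense("pin-change-then-large-transfer", e.account, [prior, e]))

    def _check_privileged(self, e: Event) -> None:
        role = self.assets.get(e.src_ip, {}).get("role", "unknown")
        if role in self.UNTRUSTED_ROLES:
            self.offenses.append(Offense(f"privileged-action-from-{role}", e.user, [e]))


def correlate(events, assets=ASSETS) -> list[Offense]:
    c = Correlator(assets)
    for e in sorted(events, key=lambda ev: ev.ts):   # the rules assume time order
        c.feed(e)
    return c.offenses


T0 = datetime(2013, 3, 12, 9, 0)
# Constructed events, deliberately not in time order.
SAMPLE_EVENTS = [
    Event(T0, "pin_change", account="ACCT-4471", src_ip="198.51.100.7"),
    Event(T0 + timedelta(minutes=20), "transfer", account="ACCT-4471", amount=25_000.0),
    Event(T0 + timedelta(minutes=30), "transfer", account="ACCT-8812", amount=30_000.0),  # no PIN change
    Event(T0 + timedelta(days=2), "transfer", account="ACCT-4471", amount=15_000.0),      # PIN change too old
    Event(T0 + timedelta(hours=1), "priv_cmd", user="svc_backup", src_ip="10.1.77.3", detail="sudo su -"),
    Event(T0 + timedelta(hours=1, minutes=5), "priv_cmd", user="dba1", src_ip="10.1.5.10", detail="sudo systemctl restart oracle"),
]

if __name__ == "__main__":
    for o in correlate(SAMPLE_EVENTS):
        print(o.rule, o.key, [ev.kind for ev in o.evidence])
```

Two offenses result: the 25,000 transfer twenty minutes after the PIN change on ACCT-4471 (with both events attached as evidence), and the `sudo su -` from the contractor workstation. The large transfer on the account with no PIN change, the transfer two days later, and the DBA's privileged command from the jump host all stay quiet.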



IBM’s Security Intelligence, Analytics and Big Data portfolio

     1  IBM QRadar Security Intelligence: unified architecture for collecting, storing, analyzing
        and querying log, threat, vulnerability and risk related data
     2  IBM Big Data Platform (Streams, Big Insights, Netezza): addresses the speed and flexibility
        required for customized data exploration, discovery and unstructured analysis
     3  IBM i2 Analyst Notebook: helps analysts investigate fraud by discovering patterns and trends
        across volumes of data
     4  IBM SPSS: unified product family to help capture, predict, discover trends, and automatically
        deliver high-volume, optimized decisions





     https://www14.software.ibm.com/webapp/iwm/web/signup.do?source=swg-Tivoli_Organic&S_PKG=ov7304




                               Thank You!







                                                                     ibm.com/security




  © Copyright IBM Corporation 2012. All rights reserved. The information contained in these materials is provided for informational purposes only, and is
  provided AS IS without warranty of any kind, express or implied. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to,
  these materials. Nothing contained in these materials is intended to, nor shall have the effect of, creating any warranties or representations from IBM or its
  suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software. References in these materials
  to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates. Product release dates and/or capabilities
  referenced in these materials may change at any time at IBM’s sole discretion based on market opportunities or other factors, and are not intended to be a
  commitment to future product or feature availability in any way. IBM, the IBM logo, and other IBM products and services are trademarks of the International
  Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service marks of
  others.

   Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper
   access from within and outside your enterprise. Improper access can result in information being altered, destroyed or misappropriated or can result in damage to
   or misuse of your systems, including to attack others. No IT system or product should be considered completely secure and no single product or security measure
   can be completely effective in preventing improper access. IBM systems and products are designed to be part of a comprehensive security approach, which will
   necessarily involve additional operational procedures, and may require other systems, products or services to be most effective. IBM DOES NOT WARRANT
   THAT SYSTEMS AND PRODUCTS ARE IMMUNE FROM THE MALICIOUS OR ILLEGAL CONDUCT OF ANY PARTY.
