[RakutenTechConf2013] [A-0] Security Meets Analytics

10/30/13

Rakuten Technical Conference 2013
26 Oct 2013

Security Meets Analytics
Service Computing, IBM Research – Tokyo
IPSJ Director
Naohiko Uramoto

© 2013 IBM Corporation

Self introduction – My four hats as a tech person

§ My business as IBMer
–  Leading Cloud and security projects in IBM Research –
Tokyo
§ Internal tech community
–  Member of Academy of Technology (AoT), IBM’s crossorganizational technical community
§ External Tech community
–  Secretariat of “Cloud Kenkyu-kai”
§ Academia
– Director of Information Processing Society in Japan

2


1

10/30/13

Information Processing Society of Japan (IPSJ)
§ Founded in 1960
§ More than 20,000 members (from academia & industry)
§ Board of Directors
–  President: Masaru Kitsuregawa (Director of NII and Prof. of
U-Tokyo)
–  25 board members (including me)
§ Tight relationship with international communities
–  Long term relationship with IEEE-CS, ACM etc.
–  Organizing and supporting international conferences
§  Activities
–  40 SIGs in 3 Domains
–  Many conferences, seminars, events not only for academia but
also engineers and students
– 
e.g. Digital Practice Papers which focus on best practice
NII: National Institute of Informatics Japan
IFIP: International Federation of Information Processing


IBM Academy of Technology (AoT)
AoT Goal
The inspiring and inclusive
academy of eminent
technology thought leaders
that have an enduring impact
on the IT industry that makes
the world better.
100 AoT leadership
members
n  1,000 AoT members
with selection
n  44 affiliates with 5,500
members
n  TEC-J in Japan

Client
Value
Career
Development

n 

Networking

Consultancies
Studies
Conferences
Technical Advocate
Programme
Mentoring

Skills
Development

Technology
Impact

Leadership
Skills

Think
Time

www.ibm.com/ibm/academy‎
4


2

10/30/13

5


What is the good balance?

Internal
Tech
Community
Personal
Life
External
Academia
Tech
Community

Daily Job

6


3

10/30/13

World is changing…

7


New security technology is required to support transformation of the
world

New IT

New Data

New World

8

§  Social, Mobile,
§  Blurred boundaries
Analytics, and Cloud
§  New types of
(SMAC)
vulnerabilities
§  Internet of Things (IoT)

§  Big Data
§  Data Economy
§  Social Business

§  Data protection for
Security and Privacy
§  Logs and events as
Big Data

§  Cyberspace
§  Globalization and
emerging market

§  Cyber crime
across geos and
organizations


4

10/30/13

The sophistication of Cyber threats, attackers and motives is rapidly
escalating


Global Security Trends

10 SOCs

IBM X-Force 2013 Mid-Year Trend
and Risk Report is available
§  Analyzed 4,100 new security
vulnerabilities
§  Analyzed 900 million new web
pages and images
§  Created 27 million new or updated
entries in the IBM web filter
database
§  Created 180 million new, updated,
or deleted signatures in the IBM
spam filter database
http://www.ibm.com/security/xforce/
10


5

10/30/13

11


12


6

10/30/13

13


14


7

10/30/13

Why are we losing the game?

15


Attacker can prepare with enough time to know about the
target
–  What is the target company or organization?
–  What kinds of topics are employees interested in?
–  What sites do employees often visit?
–  Which web browser is used in the target comapny?
–  Which anti virus product used?
–  …

16


8

10/30/13

Why traditional defense is not enough? Some insights:
n 

n 

n 

n 

n 

Break in a trusted partner and then loading malware onto
the target’s network
Creating designer malware tailored to only infect the target
organization, preventing identification by security vendors
Using social networking and social engineering to perform
reconnaissance on spear-phishing targets, leading to
compromised hosts and accounts
Exploiting zero-day vulnerabilities to gain access to data,
applications, systems, and endpoints
Communicating over accepted channels such as port 80 to
exfiltrate data from the organization

17


Enterprise network is evolving
Servers
Applications

VMs on Private
Cloud

Switch
FW

IPS/IDS

Client PCs

Internet
Anti Virus
Mobile Devices

18


9

10/30/13

Traditional Perimeter based defense
Protect corprate
network and
endpoints from
attacks

Servers
Applications

VMs on Private
Cloud

Switch
FW
Internet

Client PCs

IPS/IDS
Anti Virus
Mobile Devices

19


Now we need to assume invasion of malware
Servers
Applications

VMs on Private
Cloud

Attacker’s
FW
Command & Control
Internet
Server

Switch

Protect outgoing
connections to prevent
from data leakage,
assuming that malware
exists in the network.
20

Client PCs

IPS/IDS
Anti Virus
Mobile Devices


10

10/30/13

Now we need to assume invasion of malware
Servers
Applications

VMs on Private
Cloud

Attacker’s
FW
Command & Control
Internet
Server

Switch

Client PCs

IPS/IDS
Anti Virus
Mobile Devices

Monitor network &
endpoints and detect
malware’s and
attacker’s activities
21


How can we do it?

22


11

10/30/13

Security information and Event Management (SIEM)
Security Operation
Center (SOC)

System
audit trails

Business
process data

Configuration
information

Network flows
and anomalies

External threat
intelligence feeds

Middileware log

Full packet and
DNS captures

Internet

Application log

Switch

Access log

IPS/IDS

FW
Web page
text

OS level log

E-mail and
social activity

Mobile device
information
Download from
app stores

Endpoint
information
23


Security Intelligence

Security Information and Event Management (SIEM)
Extensive Data Sources

+

Deep Intelligence

=

Exceptionally Accurate
and Actionable Insight


12

10/30/13

QRadar: Intelligent Event Management and Attack Detection
Provide information on attack with a comprehensive and integrated view

What kind of
attack?
Who is attacking?
From where?

What is the
business
value?

What are the
attacked
assets?
Does the asset
have vulnerability?
What is the
evidence of
attack?

25


Flow of Security Analytics
Machine learning and near real-time monitoring enables continuous
refinement and tracking of ‘normal’
Filtering

Correlation

Network
Events

Behavior
Model

異常検知
予兆監視

Login
Information

Alerting
Access
Log

Social
Events

Analysis
Engine

Transformation

13

10/30/13

Security Analytics is built on a common platform and applied to
multiple areas
Network & Device
Analytics
Analyze network
packets and events for
anomaly detection and
risk prediction

Asset Analytics
Classify and visualize
enterprise assets to
protect them from
information leakage

User Access
Analytics
Anomaly detection
and risk prediction
from user / group
access log

Security Analytics
Platform
Business Process
Analytics
Clarify business
process and detect
security and
compliance issues

Social Network
Analytics
Detect potential risk
from social graphs
on SNS such as
Facebook and Twitter

Event Correlation
Correlation of Logs across middleware and application stacks
•  Heuristics on time sequence
•  Pattern extraction
Middleware1
Middleware3
Middleware4
App1
Middleware2

28


14

10/30/13

Process-File Dependency Visualization
Detect dependency between processes and files on a PC

Process

File

29


Integration Architecture of QRadar, DLP and IBM Endpoint Manager
QFlow monitors
network Trafic
QFlow

QRador correlates
network and endpoint
information

Network events
Endpoint log (e.g. file
access, process start)
DLP

Server

IEM

Agent

Endpoint
(PC)

Endpoint
Manager
dispatch policies
to be enforced

Endpoint DLP
monitors user’s
behavior
30


15

10/30/13

31


16

[RakutenTechConf2013] [A-0] Security Meets Analytics

More Related Content

What's hot

Viewers also liked

Similar to [RakutenTechConf2013] [A-0] Security Meets Analytics

More from Rakuten Group, Inc.

Recently uploaded

[RakutenTechConf2013] [A-0] Security Meets Analytics