No One is Immune to Being Hacked: Strategies for Staying ... · © 2012 IBM Corporation IBM Security Systems 3 2011: Year of the Targeted Attack Source: IBM X-Force ® Research 2011

© 2012 IBM Corporation

IBM Security Systems

1© 2012 IBM Corporation

No One is Immune to Being Hacked:Strategies for Staying Out of the Headlines

QRadar Security Intelligence Platform



2

“Our most formidable challenge is getting companies to detect they have been compromised ...”

Kim Peretti, senior counsel, US Department of Justice (DoJ)

Source: http://www.scmagazine.com/rsa-conference-gonzalez-may-receive-largest-ever-us-hacking-sentence/article/165215/ – March 2010



3

2011: Year of the Targeted Attack

Source: IBM X-Force® Research 2011 Trend and Risk Report

JK 2012-04-26



4

Have We Learned Anything?

CYBER-ESPIONAGECYBER-CRIME

самбо

CYBER-ACTIVISM

*!!@&#



5

Attacks from All Sides

Cyber vandalsCyber vandals

Cyber crimeCyber crimeHacktivistsHacktivists

Cyber warfareCyber warfare

Cyber terrorismCyber terrorism

Cyber espionageCyber espionage

Corporate espionageCorporate espionage

InsidersInsiders

Nation statesNation statesTargets of opportunityTargets of opportunity

Targets of choiceTargets of choice

APTsAPTs Data exfiltrationData exfiltration

ClientClient--side vulnerabilitiesside vulnerabilities



6

Today’s threats (actors) are more sophisticated.

Threat Type % of Incidents Threat Profile

Advanced, Persistent Threat / Mercenary

� National governments

� Organized crime � Industrial spies� Terrorist cells

Equals less than 10 percent

� Sophisticated tradecraft� Foreign intelligence agencies, organized crime groups� Well financed and often acting for profit� Target technology as well as information� Target and exploit valuable data� Establish covert presence on sensitive networks� Difficult to detect� Increasing in prevalence

Hacktivist

� “White hat” and “black hat”hackers

� “Protectors of “Internet freedoms”

Equals less than 10 percent

� Inexperienced-to-higher-order skills� Target known vulnerabilities� Prefer denial of service attacks BUT use malware as

means to introduce more sophisticated tools� Detectable, but hard to attribute� Increasing in prevalence

Opportunist� Worm and virus

writers� Script Kiddie

20 percent

� Inexperienced or opportunistic behavior� Acting for thrills, bragging rights� Limited funding� Target known vulnerabilities� Use viruses, worms, rudimentary Trojans, bots� Easily detected

Inadvertent Actor

� Insiders -employees, contractors, outsourcers

60 percent

� No funding� Causes harm inadvertently by unwittingly carrying

viruses, or posting, sending or losing sensitive data� Increasing in prevalence with new forms of mobile

access and social business

Source: Government Accountability Office (GAO), Department of Homeland Security's (DHS's) Role in Critical Infrastructure Protection (CIP) Cybersecurity, GAO-05-434

Pot

entia

l Im

pact



7 © 2012 IBM Corporation7

…but all is not lost…



8

IBM developed ten essential practices required to a chieve better security intelligence.

Essential practices

7. Address new complexity of cloud and virtualization

6. Control network access and help assure resilience

1. Build a risk-aware culture and management system

2. Manage security incidents with greater intelligence

3. Defend the mobile and social workplace

5. Automate security “hygiene”

4. Security-rich services, by design

10. Manage the identity lifecycle

9. Better secure data and protect privacy

8. Manage third-party security compliance

Maturity based approach

Proactive

Aut

omat

edM

anua

l

ReactiveProficient

Basic

Optimized

Securityintelligence



9

Choose the Right Technology

Protection technology is critical, but choose wisely

There is no magic security technology



10

What Can Help You Defend Against an APT?

� Focus on both prevention and detection� A truly advanced and persistent adversary will breach your defenses

� How quickly you detect the breach will determine its impact

� Smart preventive measures reduce weaknesses…� Control your endpoints – Make sure patches are up to date

� Audit Web applications

� Find and remediate bad passwords

� Monitor device configurations for errors and vulnerabilities

� And advanced detection finds intrusions faster & assesses impact� Flow analytics and network anomaly detection

� User anomaly detection

� Reconnaissance detection

� Stealthy malware detection

� Database monitoring



11

Solutions for the Full Compliance and Security Intelligence Timeline

Prediction & Prevention Reaction & RemediationSIEM. Log Management. Incident Response.

Network and Host Intrusion Prevention. Network Anomaly Detection. Packet Forensics.

Database Activity Monitoring. Data Loss Prevention.

Risk Management. Vulnerability Management. Configuration Monitoring. Patch Management.

X-Force Research and Threat Intelligence. Compliance Management. Reporting and Scorecards.

What are the external and internal threats?

Are we configuredto protect against

these threats?

What is happening right now?

What was the impact?



12 © 2012 IBM Corporation12

Security IntelligenceUse Cases



13

Solving Complex Problems for Clients



14

How Security Intelligence Can Help

� Continuously monitor all activity and correlate in real-time

� Gain visibility into unauthorized or anomalous activities– Server (or thermostat) communicating with IP address in China

– Unusual Windows service -- backdoor or spyware program

– Query by DBA to credit card tables during off-hours – possible SQL injection attack

– Spike in network activity -- high download volume from SharePoint server

– High number of failed logins to critical servers -- brute-force password attack

– Configuration change -- unauthorized port being enabled for exfiltration

– Inappropriate use of protocols -- sensitive data being exfiltrated via P2P



15

Why Should You Care?

� Detect suspicious behavior– Privileged actions being conducted from a contractor’s workstation

– DNS communications with external system flagged as malicious

� Detect policy violations

– Baseline against reality (CMDB)– Social media, P2P, etc.

� Detect APTs

– File accesses out of the norm—behavior anomaly detection– Least used applications or external systems; occasional traffic

� Detect fraud

– Determine baselines on credit pulls or trading volumes, and detect anomalies

– Correlate eBanking PIN change with large money transfers� Forensic evidence for prosecution

� Impact analysis

� Compliance– Change & configuration management

� Metrics



16

Network Activity Monitoring (Network Flows)

• Attackers can stop logging and erase their tracks, but can’t cut off the network

• Helps detect day-zero attacks with no signature; provides visibility into attacker communications

• Network activity can build up an asset database and profile assets

• Useful for non-security related issues as well



17

Potential Botnet Detected?This is as far as traditional SIEM can go

IRC on port 80?IBM Security QRadar QFlow detects a covert channel

Irrefutable Botnet CommunicationLayer 7 flow data contains botnet command control instructions

Application layer flow analysis can detect threats others miss

Application and Threat Detection with Forensic Evidence



18

Detecting Insider Fraud and Data Loss

Who?An internal user

Potential Data LossWho? What? Where?

What?Oracle data

Where?Gmail

Threat detection in the post-perimeter worldUser anomaly detection and application level visibi lity are critical

to identify inside threats



19

User Activity Monitoring to Combat Advanced Persistent Threats

User & Application Activity Monitoring alerts on a user anomaly for Oracle database access.

Identify the user, normal access behavior, and the anomaly behavior – with all source & destination information to quickly resolve the threat.



20

Context and Correlation Drive Deep Insight

Extensive Data Sources

Deep Intelligence

Exceptionally Accurate and Actionable Insight+ =

Suspected Incidents

Event Correlation

Activity Baselining & Anomaly Detection

• Logs• Flows

• IP Reputation• Geo Location

• User Activity• Database Activity• Application Activity• Network Activity

Offense Identification• Credibility• Severity• Relevance

Database Activity

Servers & Hosts

Users & Identities

Vulnerability Info

Configuration Info

Security Devices

Network & Virtual Activity

Application Activity



21

Security Intelligence is Enabling Progress to Optimized Security

Optimized

Security Intelligence:Information and event management

Advanced correlation and deep analyticsExternal threat research

Role based analytics

Identity governance

Privileged user controls

Data flow analytics

Data governance

Secure app engineering processes

Fraud detection

Advanced network monitoring

Forensics / data mining

Secure systems

Proficient

User provisioning

Access mgmt

Strong authentication

Access monitoring

Data loss prevention

Application firewall

Source code scanning

Virtualization security

Asset mgmt

Endpoint / network security management

Basic Centralized directoryEncryption

Access controlApplication scanning

Perimeter security

Anti-virus

People Data Applications Infrastructure

SecurityIntelligence



22

What to do next?

Download the Gartner SIEM Magic Quadrant Report:bit.ly/SIEM-MQ

Read the Q1 Labs Blog: blog.q1labs.com

Subscribe to Q1 Labs Newsletter: bit.ly/Q1-subscribe

Follow us on Twitter: @q1labs @ibmsecurity



23

ibm.com/security

© Copyright IBM Corporation 2012. All rights reserv ed. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind, express or implied. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, these materials. Nothing contained in these materials is intended to, nor shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software. References in these materials to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates. Product release dates and/or capabilities referenced in these materials may change at any time at IBM’s sole discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any way. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service marks of others.

Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed or misappropriated or can result in damage to or misuse of your systems, including to attack others. No IT system or product should be considered completely secure and no single product or security measure can be completely effective in preventing improper access. IBM systems and products are designed to be part of a comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective. IBM DOES NOT WARRANT THAT SYSTEMS AND PRODUCTS ARE IMMUNE FROM THE MALICIOUS OR ILLEGAL CONDUCT OF ANY PARTY.

Documents

No One is Immune to Being Hacked: Strategies for Staying ... · © 2012 IBM Corporation IBM Security Systems 3 2011: Year of the Targeted Attack Source: IBM X-Force ® Research 2011