Upload
others
View
1
Download
0
Embed Size (px)
Citation preview
© 2012 IBM Corporation
IBM Security Systems
1© 2012 IBM Corporation
No One is Immune to Being Hacked:Strategies for Staying Out of the Headlines
QRadar Security Intelligence Platform
© 2012 IBM Corporation
IBM Security Systems
2
“Our most formidable challenge is getting companies to detect they have been compromised ...”
Kim Peretti, senior counsel, US Department of Justice (DoJ)
Source: http://www.scmagazine.com/rsa-conference-gonzalez-may-receive-largest-ever-us-hacking-sentence/article/165215/ – March 2010
© 2012 IBM Corporation
IBM Security Systems
3
2011: Year of the Targeted Attack
Source: IBM X-Force® Research 2011 Trend and Risk Report
JK 2012-04-26
© 2012 IBM Corporation
IBM Security Systems
4
Have We Learned Anything?
CYBER-ESPIONAGECYBER-CRIME
самбо
CYBER-ACTIVISM
*!!@&#
© 2012 IBM Corporation
IBM Security Systems
5
Attacks from All Sides
Cyber vandalsCyber vandals
Cyber crimeCyber crimeHacktivistsHacktivists
Cyber warfareCyber warfare
Cyber terrorismCyber terrorism
Cyber espionageCyber espionage
Corporate espionageCorporate espionage
InsidersInsiders
Nation statesNation statesTargets of opportunityTargets of opportunity
Targets of choiceTargets of choice
APTsAPTs Data exfiltrationData exfiltration
ClientClient--side vulnerabilitiesside vulnerabilities
© 2012 IBM Corporation
IBM Security Systems
6
Today’s threats (actors) are more sophisticated.
Threat Type % of Incidents Threat Profile
Advanced, Persistent Threat / Mercenary
� National governments
� Organized crime � Industrial spies� Terrorist cells
Equals less than 10 percent
� Sophisticated tradecraft� Foreign intelligence agencies, organized crime groups� Well financed and often acting for profit� Target technology as well as information� Target and exploit valuable data� Establish covert presence on sensitive networks� Difficult to detect� Increasing in prevalence
Hacktivist
� “White hat” and “black hat”hackers
� “Protectors of “Internet freedoms”
Equals less than 10 percent
� Inexperienced-to-higher-order skills� Target known vulnerabilities� Prefer denial of service attacks BUT use malware as
means to introduce more sophisticated tools� Detectable, but hard to attribute� Increasing in prevalence
Opportunist� Worm and virus
writers� Script Kiddie
20 percent
� Inexperienced or opportunistic behavior� Acting for thrills, bragging rights� Limited funding� Target known vulnerabilities� Use viruses, worms, rudimentary Trojans, bots� Easily detected
Inadvertent Actor
� Insiders -employees, contractors, outsourcers
60 percent
� No funding� Causes harm inadvertently by unwittingly carrying
viruses, or posting, sending or losing sensitive data� Increasing in prevalence with new forms of mobile
access and social business
Source: Government Accountability Office (GAO), Department of Homeland Security's (DHS's) Role in Critical Infrastructure Protection (CIP) Cybersecurity, GAO-05-434
Pot
entia
l Im
pact
© 2012 IBM Corporation
IBM Security Systems
7 © 2012 IBM Corporation7
…but all is not lost…
© 2012 IBM Corporation
IBM Security Systems
8
IBM developed ten essential practices required to a chieve better security intelligence.
Essential practices
7. Address new complexity of cloud and virtualization
6. Control network access and help assure resilience
1. Build a risk-aware culture and management system
2. Manage security incidents with greater intelligence
3. Defend the mobile and social workplace
5. Automate security “hygiene”
4. Security-rich services, by design
10. Manage the identity lifecycle
9. Better secure data and protect privacy
8. Manage third-party security compliance
Maturity based approach
Proactive
Aut
omat
edM
anua
l
ReactiveProficient
Basic
Optimized
Securityintelligence
© 2012 IBM Corporation
IBM Security Systems
9
Choose the Right Technology
Protection technology is critical, but choose wisely
There is no magic security technology
© 2012 IBM Corporation
IBM Security Systems
10
What Can Help You Defend Against an APT?
� Focus on both prevention and detection� A truly advanced and persistent adversary will breach your defenses
� How quickly you detect the breach will determine its impact
� Smart preventive measures reduce weaknesses…� Control your endpoints – Make sure patches are up to date
� Audit Web applications
� Find and remediate bad passwords
� Monitor device configurations for errors and vulnerabilities
� And advanced detection finds intrusions faster & assesses impact� Flow analytics and network anomaly detection
� User anomaly detection
� Reconnaissance detection
� Stealthy malware detection
� Database monitoring
© 2012 IBM Corporation
IBM Security Systems
11
Solutions for the Full Compliance and Security Intelligence Timeline
Prediction & Prevention Reaction & RemediationSIEM. Log Management. Incident Response.
Network and Host Intrusion Prevention. Network Anomaly Detection. Packet Forensics.
Database Activity Monitoring. Data Loss Prevention.
Risk Management. Vulnerability Management. Configuration Monitoring. Patch Management.
X-Force Research and Threat Intelligence. Compliance Management. Reporting and Scorecards.
What are the external and internal threats?
Are we configuredto protect against
these threats?
What is happening right now?
What was the impact?
© 2012 IBM Corporation
IBM Security Systems
12 © 2012 IBM Corporation12
Security IntelligenceUse Cases
© 2012 IBM Corporation
IBM Security Systems
13
Solving Complex Problems for Clients
© 2012 IBM Corporation
IBM Security Systems
14
How Security Intelligence Can Help
� Continuously monitor all activity and correlate in real-time
� Gain visibility into unauthorized or anomalous activities– Server (or thermostat) communicating with IP address in China
– Unusual Windows service -- backdoor or spyware program
– Query by DBA to credit card tables during off-hours – possible SQL injection attack
– Spike in network activity -- high download volume from SharePoint server
– High number of failed logins to critical servers -- brute-force password attack
– Configuration change -- unauthorized port being enabled for exfiltration
– Inappropriate use of protocols -- sensitive data being exfiltrated via P2P
© 2012 IBM Corporation
IBM Security Systems
15
Why Should You Care?
� Detect suspicious behavior– Privileged actions being conducted from a contractor’s workstation
– DNS communications with external system flagged as malicious
� Detect policy violations
– Baseline against reality (CMDB)– Social media, P2P, etc.
� Detect APTs
– File accesses out of the norm—behavior anomaly detection– Least used applications or external systems; occasional traffic
� Detect fraud
– Determine baselines on credit pulls or trading volumes, and detect anomalies
– Correlate eBanking PIN change with large money transfers� Forensic evidence for prosecution
� Impact analysis
� Compliance– Change & configuration management
� Metrics
© 2012 IBM Corporation
IBM Security Systems
16
Network Activity Monitoring (Network Flows)
• Attackers can stop logging and erase their tracks, but can’t cut off the network
• Helps detect day-zero attacks with no signature; provides visibility into attacker communications
• Network activity can build up an asset database and profile assets
• Useful for non-security related issues as well
© 2012 IBM Corporation
IBM Security Systems
17
Potential Botnet Detected?This is as far as traditional SIEM can go
IRC on port 80?IBM Security QRadar QFlow detects a covert channel
Irrefutable Botnet CommunicationLayer 7 flow data contains botnet command control instructions
Application layer flow analysis can detect threats others miss
Application and Threat Detection with Forensic Evidence
© 2012 IBM Corporation
IBM Security Systems
18
Detecting Insider Fraud and Data Loss
Who?An internal user
Potential Data LossWho? What? Where?
What?Oracle data
Where?Gmail
Threat detection in the post-perimeter worldUser anomaly detection and application level visibi lity are critical
to identify inside threats
© 2012 IBM Corporation
IBM Security Systems
19
User Activity Monitoring to Combat Advanced Persistent Threats
User & Application Activity Monitoring alerts on a user anomaly for Oracle database access.
Identify the user, normal access behavior, and the anomaly behavior – with all source & destination information to quickly resolve the threat.
© 2012 IBM Corporation
IBM Security Systems
20
Context and Correlation Drive Deep Insight
Extensive Data Sources
Deep Intelligence
Exceptionally Accurate and Actionable Insight+ =
Suspected Incidents
Event Correlation
Activity Baselining & Anomaly Detection
• Logs• Flows
• IP Reputation• Geo Location
• User Activity• Database Activity• Application Activity• Network Activity
Offense Identification• Credibility• Severity• Relevance
Database Activity
Servers & Hosts
Users & Identities
Vulnerability Info
Configuration Info
Security Devices
Network & Virtual Activity
Application Activity
© 2012 IBM Corporation
IBM Security Systems
21
Security Intelligence is Enabling Progress to Optimized Security
Optimized
Security Intelligence:Information and event management
Advanced correlation and deep analyticsExternal threat research
Role based analytics
Identity governance
Privileged user controls
Data flow analytics
Data governance
Secure app engineering processes
Fraud detection
Advanced network monitoring
Forensics / data mining
Secure systems
Proficient
User provisioning
Access mgmt
Strong authentication
Access monitoring
Data loss prevention
Application firewall
Source code scanning
Virtualization security
Asset mgmt
Endpoint / network security management
Basic Centralized directoryEncryption
Access controlApplication scanning
Perimeter security
Anti-virus
People Data Applications Infrastructure
SecurityIntelligence
© 2012 IBM Corporation
IBM Security Systems
22
What to do next?
Download the Gartner SIEM Magic Quadrant Report:bit.ly/SIEM-MQ
Read the Q1 Labs Blog: blog.q1labs.com
Subscribe to Q1 Labs Newsletter: bit.ly/Q1-subscribe
Follow us on Twitter: @q1labs @ibmsecurity
© 2012 IBM Corporation
IBM Security Systems
23
ibm.com/security
© Copyright IBM Corporation 2012. All rights reserv ed. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind, express or implied. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, these materials. Nothing contained in these materials is intended to, nor shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software. References in these materials to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates. Product release dates and/or capabilities referenced in these materials may change at any time at IBM’s sole discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any way. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service marks of others.
Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed or misappropriated or can result in damage to or misuse of your systems, including to attack others. No IT system or product should be considered completely secure and no single product or security measure can be completely effective in preventing improper access. IBM systems and products are designed to be part of a comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective. IBM DOES NOT WARRANT THAT SYSTEMS AND PRODUCTS ARE IMMUNE FROM THE MALICIOUS OR ILLEGAL CONDUCT OF ANY PARTY.