IBM Global Technology Services Thought Leadership White Paper July 2012 Preventing security risks in real time Security intelligence and advanced analytics help strengthen enterprise defenses


IBM Global Technology Services
Thought Leadership White Paper

July 2012

Preventing security risks in real time
Security intelligence and advanced analytics help strengthen enterprise defenses


Contents

• Introduction
• The challenge
• Regaining the security advantage
• Getting to “intelligent security”
• IBM can help
• Why IBM?
• For more information

Introduction

As the world becomes more digitized and interconnected, the door to emerging security leaks has opened wider. Today, there are billions of RFID tags for items including products, passports, buildings and animals. With more than two billion Internet users and cellular phone subscriptions now exceeding five billion, nearly one in three people worldwide surfs the Internet.[1] The amount of information created and replicated—the digital universe—is more than doubling every two years.[2]

Not only has the amount of data increased, but the dispersion and corresponding value of digital assets has increased as well. Sensitive customer information, intellectual property and even the control systems of key machinery are increasingly found in electronic formats. While information security continues to evolve in sophistication, attacking networks and stealing information has arguably become easier due to popular new technologies that introduce loopholes in enterprise security.

Furthermore, damages can extend far beyond the targeted victim, introducing cascading impacts to all those involved, including customers, the specific industry and even world governments. Take, for example, the December 2011 attack against Stratfor Global Intelligence Service where the hacktivist organization Anonymous stole credit card details, passwords and home addresses of approximately 4,000 customers, many of whom were major financial, military and humanitarian organizations. While the circumstances were politically and socially motivated, the attack introduced damages far beyond the single intended victim.

With the emergence of cloud, mobility, social business, big data and more, the boundaries of business continue to extend and dissolve. As a result, risks posed to confidential or proprietary information, business continuity, financial stability, brand reputation and even governmental control are increasing steadily. This new reality is forcing the evolution of organizations’ defenses to become smarter and more intelligent—which in turn requires new infrastructures capable of using sophisticated analytics to scale visibility across broad data sets, both diverse and complementary, in real time.

As organizations face tighter requirements around privacy and compliance, they also face a mounting challenge in countering advanced threats. The accuracy of identifying threats becomes essential as security teams migrate from legacy approaches to a security intelligence model.

Developing security intelligence—the ability to predict, identify and react to potential threats proactively—is a key priority in this new digital age.

The challenge

To address both the proliferation and increasing magnitude of risks, organizations must carefully consider the evolution of their security infrastructure. Next-generation security products are coming to market continuously, compelling companies to extend the multi-layer nature of their enterprise security. However, the reality is slowly sinking in that unless security technologies are consumed as a suite or portfolio of complementary and interconnected products, companies are left with best of breed technologies that are not designed to work in unison—they cannot share valuable information or coordinate actions across vendor platforms.

These facts alone illustrate the intrinsic gaps that result from deploying best of breed but unrelated technologies. As an alternative to bolting on additional layers of defense, security intelligence can extend visibility and bolster decision-making capabilities by applying real-time correlation, historical analytics and global intelligence across the technologies already deployed by an organization.

Regaining the security advantage

As the number and sophistication of threats continue to grow, security professionals are cognizant of the increasing volume of high profile security breaches, many of which have been perpetrated against organizations that have fortified defenses and teams of highly trained security personnel. Cyber criminals are smart, well funded and well organized. For IT security organizations to regain an advantage, real-time security intelligence will emerge as a key tool capable of providing advanced analysis that can track the historical actions of these elusive threats—making it possible to apply the right action to mitigate potential impact.

Global intelligence across thousands of worldwide organizations representing all industries, all countries, on all continents is becoming a prerequisite to unlocking unparalleled security intelligence. The analysis of such data can provide rich profiling of attackers such as botnet operators, crime syndicates, political activists and enemy nation states, to name a few. Analysts can derive intelligence to help understand who and what is being targeted, by whom, and the attack techniques used. By detecting outlying behavior and threading together diverse data, organizations can make rapid decisions to prevent security breaches from impacting the business.

Understanding the evolving threat landscape

The concepts of external threats, internal threats and compliance are dissolving as mobile devices rapidly distribute corporate data into our personal, unprotected lives.

External threats. With the continual breakdown of the traditional perimeter, external threats now exist within the corporate premises as enterprises have opened themselves to Internet-based commerce and remote users.

Internal threats. Once the domain of human error, malicious intent and various forms of propagating malware, internal threats now include advanced persistent threats and the coordinated actions of well funded and determined adversaries.

Compliance. Enterprises today are under growing pressure to comply with mandates such as Sarbanes-Oxley, GPG-13, FSA, Garante, HIPAA, FISMA, GLBA, PCI and NERCO—including regulators that can impose financial penalties for nonconformance. As organizations continue to embrace mobility and innovative new technologies, compliance regulations will in turn embrace more sophisticated controls.

The massive amount of security and event data being generated by organizations provides the keys for establishing security intelligence as well as an audit trail. Organizations can assess archived data and predict what will happen next based on a sophisticated analysis of the past. For this reason, real-time analytics and high performance inline security appliances are being bolstered by security information and event management (SIEM). Furthermore, due to increased access to global threat analytics across thousands of organizations, predictive capabilities will mature with powerful new global capabilities. These analytics can detect advanced threats, monitor organizational governance, simulate what-if scenarios and then maintain enterprise risk processes in place—critical building blocks for enabling security intelligence.

Predictive analytics include the ability to:

• Identify common breach patterns and areas of higher risk for future attack
• Mine user behavior on critical systems to identify patterns of misuse and those approaching violation
• Proactively monitor the worldwide threat surface to identify shifts in attack patterns, identifying new or unique techniques and the organizations they could potentially target
• Simulate what-if scenarios and the anticipated severity and impact


Real-time vs. historic and global analytics

The relationship of real-time versus historic and global analysis can be illustrated in this airport security scenario.

• Real-time threat analytics represent airport security personnel providing instantaneous assessment of a passenger’s identification and airline ticket. Due to the limited time available to perform real-time analytics, the actions of the security agent are limited to the quickest, most effective techniques for detecting threats.
• Historical analytics are analogous to checking the background of airline passengers to determine if they are convicted felons or if they have a history of psychological issues or violent crime.
• Global analytics represent collaboration with international law enforcement and government agencies, providing visibility into activities abroad, whether the passenger is on the “no fly” list or has affiliations with terrorist organizations.

Unlike real-time analytics, historical and global analytics are not constrained by time. They have the advantage of looking deeper into the data available and providing more sophisticated and insightful analysis.

Getting to “intelligent security”

Today’s advanced threats are forcing clients to move up the security maturity model, from basic to proficient to optimized (Figure 1). Sophisticated, targeted intrusions are typically multi-staged and multi-faceted, difficult to detect and very difficult to eradicate; advanced persistent threats are characterized by the tenacity of the attackers and resources at their disposal. Security technologies such as firewall, intrusion detection and vulnerability scanners are all proficient at solving specific security problems; however, they are often standalone and are not designed to work together.

Figure 1: Security intelligence evolves across three levels, from manual approaches to the use of increasingly automated processes for identifying, tracking and addressing threats.

[Figure 1 diagram: a maturity curve plotted from Reactive to Proactive and from Manual to Automated, rising through three levels toward security intelligence.]

• Basic: Organizations employ perimeter protection, which regulates access and feeds manual reporting.
• Proficient: Security is layered into the IT fabric and business operations.
• Optimized: Organizations use predictive and automated security analytics to drive toward security intelligence.


As a result, perpetrators of advanced threats have become adept at learning the idiosyncrasies in and around security technologies, capitalizing on the gaps between technologies or their intrinsic weaknesses or vulnerabilities. Time is on the side of the attackers. They can probe an organization’s defense to understand the technologies deployed and identify vulnerabilities and gaps, eventually hacking their way into the organization. Sophisticated correlation and analytics are required to thread together the analysis of these often loosely integrated technologies, helping to close the gaps exploited by advanced attackers.

Business intelligence helps enterprises make decisions that optimize opportunities and minimize business risks. Similarly, security intelligence enables the ability to better detect threats, identify security risks and areas of noncompliance and set priorities for remediation.

IBM is applying security experience and business analytics to client security concerns in an integrated package that will reduce the dependency on internal experts and maximize the productive returns from investments in security components. Using one of the world’s largest collections of security information, IBM Managed Security Services provides advanced analysis across a broad portfolio of security technologies. This information is derived from a client base of nearly 4,000 diverse companies as well as best of breed third-party technology providers and IBM X-FORCE® research and development, offering global analytics and the world’s most comprehensive threats and vulnerabilities database. A cloud-based analytics engine provides valuable and actionable insights that help security managers make better and more informed decisions, optimizing the feature sets of the technology they have invested in and providing enhanced business value to the organization.

Figure 2: IBM Managed Security Services security intelligence capabilities utilize the sophisticated intelligence of the IBM X-FORCE Protection System (XPS) and Managed SIEM QRadar technologies.

[Figure 2 diagram. Customer data sources (firewall, IDPS, vulnerability scan, user activity, network activity, application activity, server and hosts, data import) feed two delivery options, the cloud-based SIEM of the X-FORCE Protection System (XPS) and CPE-based managed QRadar, each providing real-time correlation and analysis plus historical analytics and data mining, enriched by global intelligence and IBM data (geo-IP location, threat intel feeds). Stated scale: 9 security operation centers; 3,700+ MSS clients worldwide; 13B+ events managed per day; 1,000+ security patents; 133 monitored countries (MSS). Capabilities listed: incident management; availability of both CPE and cloud-based SIEM; analysis across thousands of customers worldwide; advanced threat analytics; advanced business analytics; compliance reporting; system activity and privileged user monitoring; historical analysis and reporting; security visualization; real-time and historical query. Process flow: Capture, Analyze, Monitor.]


As shown in Figure 2, IBM security intelligence uses sophisticated correlation and analytics to proactively highlight risks and to identify, monitor and address threats across an enterprise. Recent acquisitions enable IBM to offer an accelerated cloud and customer premises equipment (CPE) based portfolio to help clients more intelligently secure their enterprises by applying global analytics that correlate and publish analysis from key security domains. IBM security intelligence capabilities include advanced threat analysis, continuous monitoring, managed security services and IBM X-FORCE research and development. Security intelligence enables organizations to use integrated tools across a common framework. This has been demonstrated in numerous prominent use cases in which security intelligence provided additional high value.

Threat detection

As enterprises have opened themselves to Internet-based commerce, remote users and bring your own device (BYOD), security has moved from a perimeter-based model, with all policy centered on the firewall and intrusion detection and prevention appliances, to a distributed security model. This new security surface has introduced new weaknesses and a subsequent increase in targeted attacks on high-profile companies. To address these issues in an intelligent way, new techniques must be deployed to identify, track and remediate cyber crime.

Real-time identification of advanced threats such as botnets is required, including prioritizing the most active threats and streamlining remediation so attacks can be thwarted before they impact business functions. With security intelligence, an activity that appears natural to one part of an infrastructure may be revealed as a threat when the event data is correlated with other sources. For example, it can identify a public IP address that has been confirmed to be participating in malicious activities such as a command and control (CnC) botnet.

The intelligence used to identify this traffic comes from IBM X-FORCE research and development and other IBM data feeds. By correlating suspicious IP data with additional collected data sources (firewall, application, database and server logs; netflow; intrusion detection and prevention events; and geo-IP location data), the analytic engine can identify direct attacks, drive-by downloads, propagation activities and phone-home attempts of infected internal hosts. Furthermore, by utilizing historical trending, IBM can automatically prioritize the severity of these circumstances using threat management best practices, elevating their visibility for triage as well as introducing a spark line that visualizes the quantity and frequency of communication activities.
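The correlation step described above, reduced to its core, as an added example that is not IBM's code or part of the original paper: firewall/netflow records are matched against a feed of confirmed CnC addresses, phone-home attempts are counted per internal host, findings are ranked by severity and repetition, and an hourly spark line is rendered for triage. The feed, the IP addresses, the log format and the scoring rule are all constructed for the example.

```python
"""Correlate firewall/netflow records against a known-CnC indicator feed.

Added example, not IBM's code. Threat feed, log format, IPs and the
scoring rule below are all constructed for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed threat-intel feed: CnC IP -> (threat family, base severity 1..5)
CNC_FEED = {
    "203.0.113.7": ("botnet-cnc", 4),
    "198.51.100.23": ("botnet-cnc", 5),
}

# Constructed firewall/netflow records: "<timestamp> <src> -> <dst>:<port> <action>"
SAMPLE_LOGS = """\
2012-07-02T09:01:10 10.1.4.22 -> 203.0.113.7:443 ALLOW
2012-07-02T09:16:05 10.1.4.22 -> 203.0.113.7:443 ALLOW
2012-07-02T09:31:12 10.1.4.22 -> 203.0.113.7:443 ALLOW
2012-07-02T10:02:44 10.1.4.22 -> 203.0.113.7:443 ALLOW
2012-07-02T10:05:00 10.1.9.8 -> 93.184.216.34:80 ALLOW
2012-07-02T11:47:59 10.1.7.3 -> 198.51.100.23:8080 DENY
2012-07-02T12:00:03 10.1.4.22 -> 203.0.113.7:443 ALLOW
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>[\d.]+) -> (?P<dst>[\d.]+):(?P<port>\d+) (?P<action>\w+)$"
)
SPARK_CHARS = "▁▂▃▄▅▆▇█"


def parse_records(text):
    """Yield a dict per well-formed line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["ts"] = datetime.fromisoformat(rec["ts"])
            yield rec


def correlate(text, feed=CNC_FEED):
    """Group records whose destination is a listed CnC IP by (internal host, CnC IP)."""
    hits = defaultdict(list)
    for rec in parse_records(text):
        if rec["dst"] in feed:
            hits[(rec["src"], rec["dst"])].append(rec)
    return hits


def hourly_counts(records, hours=24):
    """Bucket contacts by hour of day (index 0..23) for the spark line."""
    buckets = [0] * hours
    for rec in records:
        buckets[rec["ts"].hour] += 1
    return buckets


def sparkline(counts):
    """Render counts as a spark line scaled to the busiest bucket."""
    top = max(counts) or 1
    return "".join(SPARK_CHARS[(c * (len(SPARK_CHARS) - 1)) // top] for c in counts)


def prioritize(text, feed=CNC_FEED):
    """Score each (host, CnC) pair and return findings, most urgent first."""
    findings = []
    for (src, dst), recs in correlate(text, feed).items():
        family, base = feed[dst]
        allowed = sum(1 for r in recs if r["action"] == "ALLOW")
        # Repeated beaconing that the firewall allowed is a stronger sign of an
        # infected internal host than a single blocked attempt (constructed rule).
        score = base + min(allowed, 5)
        findings.append({
            "host": src, "cnc": dst, "family": family, "contacts": len(recs),
            "allowed": allowed, "score": score, "spark": sparkline(hourly_counts(recs)),
        })
    findings.sort(key=lambda f: (-f["score"], -f["contacts"], f["host"]))
    return findings


if __name__ == "__main__":
    for f in prioritize(SAMPLE_LOGS):
        print(f"{f['score']:>2} {f['host']:<10} -> {f['cnc']:<15} {f['family']} "
              f"contacts={f['contacts']} allowed={f['allowed']} {f['spark']}")
```

In a SIEM the feed and the log source would be live, but the triage logic is the same: a host that is allowed to beacon repeatedly outranks one whose single attempt was denied.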


Regulatory compliance

Earlier log management solutions helped organizations meet compliance needs in the past, but they are no longer sufficient. Newer compliance standards such as PCI DSS, as well as a greater focus on internal policy compliance, require application-aware monitoring and visibility, which simply isn’t attainable through log analysis alone. Security intelligence provides the data that serves as a foundation to deliver and demonstrate audit requirements for all regulations. Consolidated compliance capabilities are possible with security intelligence by monitoring broadly across IT infrastructure events, configuration changes, network activity, applications and user activity.

Business analytics and risk management

Today’s executives are increasingly participating in security escalations, often without the subject matter expertise necessary to make rapid and knowledgeable decisions. Simply put, the highly technical nature of enterprise security is putting executives at a disadvantage, which can cause unnecessary delay and confusion. Technical subject matter experts suffer similar circumstances, struggling to simplify complex technical circumstances in order to justify investment in critical areas. The communication barrier that results is impacting enterprise security.

In many ways, tracking enterprise security is similar to tracking financial investments. For both security and stocks, it is important to know performance today in comparison to yesterday, last month or last year. By tracking the success or failure of stocks or enterprise security policy, it is possible to make educated decisions that can quickly alter position, protecting and growing assets. This simplified approach to enterprise security represents a strategic shift from higher complexity threat analytics to risk-centric business analytics.

By definition, business analytics refers to a continuous and iterative process of monitoring the activities of people, processes and technologies to gain insight on business performance, impending risk and ultimately a return on investment. Through business analytics and the statistical analysis of events over time, businesses are able to develop new insights, see hard to identify trends, track the health of the business and assist in identifying where to invest in order to strengthen weakness.

Where the security market has gravitated towards threats, business analytics gravitates towards risk. The severity and sophistication of the attack and the existence of proof of concept code are common measurements today. But how determined the attackers are, their affinity for particular industries or information they target are emphasized much less. Furthermore, for the targeted victim, is the asset vulnerable? When was the asset last scanned? How mature is the organization’s patch management process? What technologies have been deployed to protect this asset? How mature or hardened are the technologies and techniques? And how catastrophic would a breach be if the organization suffered data loss or server outage?

Utilizing business analytics, organizations can break down the existing communication barrier between executive decision makers and technical subject matter experts using easily understood risk scores that reveal current and historical perspective on the performance of the enterprise security policy, as well as the origin of risk.

For example, a global corporation has offices in 27 countries. Utilizing business analytics, the corporation can see that organizational risk has spiked from 57 percent to 85 percent over the past three months. Drilling into the risk score, the corporation can see that of the 27 offices, the London and Barcelona offices have elevated risk due to a number of issues. Drilling further into the risk of each office, the corporation can identify the people, processes or technology at play and those that are causing risk to spike. Using this high level data, executives are empowered to assign a technical subject matter expert to address the issue and report back. Similarly, risk management empowers technical subject matter experts to address how technical issues impact the overall enterprise and when to bring issues to the executives’ attention.

In another example, an organization has experienced a recent steep drop in its risk score as a result of a patch to vulnerable critical servers and updating of the vulnerability scan results. Using business analytics, the corporation was able to see a rapid return on investment, justifying its actions and documenting the success of the enterprise security policy.

Finally, through predictive modeling, enterprises are able to look ahead and see how an investment in people, process or technology could impact organizational risk. For example, if the organization adjusts data center staff hours from 9 a.m. to 5 p.m. to 24x7x365, how could this extra coverage improve the overall corporate risk posture?

Business analytics empowers technical experts and executives alike, optimizing the communication of complex circumstances and streamlining critical decision making. Whether used manually or in automated mode, business analytics can do for enterprise security what the FICO score did for the insurance industry: hide the highly complex calculations required to measure risk within a single, simple to understand rating.


IBM can help

IBM Managed Security Services combines its advanced analytic capabilities into cloud-based and CPE-based security service offerings. These can be mixed and matched according to specific needs and include:

• Managed security information and event management (SIEM)
• Firewall management
• Intrusion detection and prevention system management
• Managed protection services
• Unified threat management
• Hosted security event and log management
• Hosted vulnerability management service

Why IBM?

With nearly 50 years of security development and innovation, IBM has the breadth and depth of research, products, services, consulting and global business partners to deliver end-to-end security solutions. IBM also has the world’s largest security services practice, with more than 3,500 skilled security services professionals who have expertise on the broad threat landscape.

IBM’s approach to security is to help customers strategically manage IT and operational risk end to end across a full spectrum of information technology security, including information security, threat and vulnerability management, identity and access management, application security and physical security.

Utilizing one of the world’s largest collections of sanitized security information, IBM Security Services is able to provide advanced analysis across a broad portfolio of security technologies, per customer or across all industry silos. Whether an organization has a mature security model in place or is just getting started, IBM can help chart a path to true security intelligence, enabling the pursuit of innovation.

For more information

To learn more about how IBM can help you derive business value through security intelligence and analytics, please contact your IBM marketing representative or IBM Business Partner, or visit the following websites:

• ibm.com/services/security
• ibm.com/securityintelligence

Notes


© Copyright IBM Corporation 2012 IBM Global Technology Services

Route 100 Somers, NY 10589

Produced in the United States of America July 2012


[1] International Telecommunications Union, “Global Number of Internet Users, total and per 100 inhabitants, 2000-2012,” United Nations, http://www.itu.int/ITU-D/ict/statistics/material/excel/2010/Internet_users_00-10_2.xls

[2] IDC, The 2011 Digital Universe Study, “Extracting Value from Chaos,” sponsored by EMC, June 2011, IDC 1142.

SEW03028-USEN-00