Upload
others
View
1
Download
0
Embed Size (px)
Citation preview
IBM Security Systems
Effectively Using Security Intelligence to
Detect Threats and Exceed Compliance
© 2012 IBM Corporation1© 2012 IBM Corporation
Chris PoulinSecurity Strategist, IBM
Reboot Conference 2012
IBM Security Systems
Security Threats Affect the Business
Business Supply chain Legal Impact of Audit riskBrand image
© 2012 IBM Corporation2
Business results
Sony estimates potential $1B long term impact –$171M / 100 customers*
Supply chain
Epsilon breach impacts 100 national brands
Legal exposure
TJX estimates $150M class action settlement in release of credit / debit card info
Impact of hacktivism
Lulzsec 50-day hack-at-will spree impacts Nintendo, CIA, PBS, UK NHS, UK SOCA, Sony …
Audit risk
Zurich Insurance PLc fined £2.275M ($3.8M) for the loss and exposure of 46K customer records
Brand image
HSBC data breach discloses 24K private banking customers
*Sources for all breaches shown in speaker notes
IBM Security Systems
Attacks from All Sides
Cyber vandalsCyber vandals
Cyber crimeCyber crimeHacktivistsHacktivists
Cyber warfareCyber warfare
Nation statesNation statesTargets of opportunityTargets of opportunity
Targets of choiceTargets of choice
© 2012 IBM Corporation3
Cyber terrorismCyber terrorism
Cyber espionageCyber espionage
Corporate espionageCorporate espionage
InsidersInsiders
Targets of choiceTargets of choice
APTsAPTsData Data exfiltrationexfiltration
ClientClient--side vulnerabilitiesside vulnerabilities
IBM Security Systems
Sophistication of Threats, Attackers, & Motives is Escalating
National Security
Espionage,Competitors, Hacktivists
Nation-state Actors; Targeted Attacks /
Advanced Persistent Threat
1995 – 20051st Decade of the Commercial Internet
2005 – 20152nd Decade of the Commercial Internet
Motive
© 2012 IBM Corporation4
Adversary
Monetary Gain
Espionage,Political Activism
Revenge
Curiosity Script-kiddies or hackers using tools, web-based “how-to’s”
Insiders, using inside information
Organized Crime, using sophisticated tools
Competitors, Hacktivists
IBM Security Systems
And Yet the Compromises are Mostly Avoidable
© 2012 IBM Corporation5
Source: IBM X-Force® 2011 Trend and Risk Report – March 2012
IBM Security Systems
Not If, but When
� Breaches are taking longer to discover
� Breaches are not being discovered internally
© 2012 IBM Corporation6 Charts from Verizon 2011 Investigative Response Caseload Review
IBM Security Systems
92% of Breaches Are Undetected by Breached Organization
© 2012 IBM Corporation7
Source: 2012 Data Breach Investigations Report
IBM Security Systems
…but all is not lost…
© 2012 IBM Corporation8 © 2012 IBM Corporation8
IBM Security Systems
Choose the Right Technology
Protection technology is critical, but choose wisely
© 2012 IBM Corporation9
There is no magic security technology
IBM Security Systems
People and Processes First
A lesson from airport security:
Instead of expensive equipment, use what works
In Israel
• No plane departing Ben Gurion Airport has ever been hijacked
• Use human intelligence
© 2012 IBM Corporation10
• Use human intelligence
• “Questioning” looks for suspicious behavior
• Simple metal detectors
Scotland Yard
• 24+ men planned to smuggle explosive liquids
• Foiled beforehand because of intelligence
• Before they even got to the airport
IBM Security Systems
80%20% Security
No Perfect Protection: Asymptotes Never Reach Zero
© 2012 IBM Corporation11
80%THREATS
20% Security Technology Budget
IBM Security Systems
Security is a Complex, Four-Dimensional Puzzle
People
Data
Employees Consultants Hackers Terrorists Outsourcers Customers Suppliers
Structured Unstructured At rest In motion
© 2012 IBM Corporation12
Applications
Infrastructure
Systems applications Web applications Web 2.0 Mobile apps
It is no longer enough to protect the perimeter –siloed point products will not secure the enterprise
IBM Security Systems
What Gartner is Saying About the Need for Context
� “The rapid discovery of a breach is key to minimizing the damage of a targeted attack, but most organizations do not have adequate breach detection capabilities.”
Mark Nicollet, Managing VP, Gartner Security, Risk &
Compliance
© 2012 IBM Corporation13
detection capabilities.”
� “Since perfect defenses are not practical or achievable, organizations need to augment vulnerability management and shielding with more-effective monitoring.”
� “The addition of context, such as user, application, asset, data and threat, to security event monitoring will increase the likelihood of early discovery of a targeted attack.”
� “We need to get better at discovering the changes in normal activity patterns that are the early signal of an attack or breach.”
#1-3 from “Effective Security Monitoring Requires Context,” Gartner, 16 January 2012, G00227893
#4 from “Using SIEM for Targeted Attack Detection,” Gartner, 20 March 2012, G00227898
IBM Security Systems
What is Security Intelligence?
Security Intelligence
--noun
1.the real-time collection, normalization, and analytics of the data generated by users, applications and infrastructure that impacts the IT security and risk posture of an enterprise
© 2012 IBM Corporation14
Security Intelligence provides actionable and comprehensive insight for managing risks and threats from protection and
detection through remediation
IBM Security Systems
Security Intelligence Timeline
© 2012 IBM Corporation15
Prediction & Prevention
Risk Management. Vulnerability Management. Configuration Monitoring. Patch Management.
X-Force Research and Threat Intelligence. Compliance Management. Reporting and Scorecards.
Reaction & Remediation
SIEM. Log Management. Incident Response.Network and Host Intrusion Prevention.
Network Anomaly Detection. Packet Forensics. Database Activity Monitoring. Data Loss Prevention.
IBM Security Systems
Context and Correlation Drive Deep Insight
Event Correlation
Activity Baselining & Anomaly
• Logs• Flows
• IP Reputation• Geo Location
Offense Identification
• Credibility
Database Activity
Servers & Hosts
Security Devices
Network & Virtual Activity
© 2012 IBM Corporation16
Extensive Data Sources
Deep Intelligence
Exceptionally Accurate and Actionable Insight+ =
Suspected Incidents
Activity Baselining & Anomaly Detection
• User Activity
• Database Activity
• Application Activity
• Network Activity
• Credibility• Severity• Relevance
Users & Identities
Vulnerability Info
Configuration Info
Application Activity
IBM Security Systems
Security IntelligenceUse Cases
© 2012 IBM Corporation17 © 2012 IBM Corporation17
Use Cases
IBM Security Systems
How Security Intelligence Can Help
� Continuously monitor all activity and correlate in real time
� Change & configuration management
� Gain visibility into unauthorized or anomalous activities
– High number of failed logins to critical servers -- brute-force password attack
– Query by DBA to credit card tables during off-hours – possible SQL injection attack
© 2012 IBM Corporation18
– Spike in network activity -- high download volume from SharePoint server
– Server (or thermostat) communicating with IP address in China
– Inappropriate use of protocols -- sensitive data being exfiltrated via P2P
– Configuration change -- unauthorized port being enabled for exfiltration
– Unusual Windows service -- backdoor or spyware program
� Automation => reduced cost & complexity, simplified compliance, lower TCO
IBM Security Systems
Activity and Data Access Monitoring
Visualize Data Risks
Automated charting and reporting on potential attacks
© 2012 IBM Corporation19
Correlate System, Application, & Network Activity
Enrich security alerts with anomaly detection and flow analysis
Detect suspicious activity before it leads to a breach
360-degree visibility helps distinguish true breaches from benign activity, in real time
IBM Security Systems
User Activity Monitoring to Combat Advanced Persistent Threats
User & Application Activity Monitoring alerts on a user anomaly for Oracle database access.
Identify the user, normal access behavior, and the
© 2012 IBM Corporation20
access behavior, and the anomaly behavior – with all source & destination information to quickly resolve the threat.
IBM Security Systems
� Behaviour / activity base lining of users and processes
� Helps detect day-zero attacks and covert channels that have no signature or AV / IPS detection
� Provides definitive evidence of attack
� Enables visibility into attacker
Activity / Behavior Monitoring, Flow Analytics, Anomaly Detection
© 2012 IBM Corporation21
� Enables visibility into attacker communications
Network traffic does not lieAttackers can stop logging and erase their tracks, but can’t cut off the network (flow data)
IBM Security Systems
Potential Botnet Detected?
This is as far as traditional SIEM can go
IRC on port 80?
IBM Security QRadar QFlow
Application and Threat Detection with Forensic Evidence
© 2012 IBM Corporation22
IBM Security QRadar QFlow detects a covert channel
Irrefutable Botnet Communication
Layer 7 flow data contains botnet command control instructions
Application layer flow analysis can detect threats others miss
IBM Security Systems
Who is responsible for the data leak?
Data Leakage
© 2012 IBM Corporation23
Alert on data patterns, such as credit card
number, in real time.
IBM Security Systems
Configuration & Risk
Network topology and open
paths of attack add context
Rules can take exposure
into account to:
• Prioritize offenses and
remediation
© 2012 IBM Corporation24
• Enforce policies
• Play out what-if scenarios
IBM Security Systems
Detecting Insider Fraud and Data Loss
Who?
An internal user
Potential Data Loss
Who? What? Where?
What?
© 2012 IBM Corporation25
What?
Oracle data
Where?
Gmail
Threat detection in the post-perimeter world
User anomaly detection and application level visibility are criticalto identify inside threats
IBM Security Systems
Other Use Cases
� Detect suspicious behavior
– Privileged actions being conducted from a contractor’s workstation
– DNS communications with external system flagged as malicious
� Detect policy violations
– Baseline against reality (CMDB)
– Social media, P2P, etc.
� Detect APTs
– File accesses out of the norm—behavior anomaly detection
© 2012 IBM Corporation26
– File accesses out of the norm—behavior anomaly detection
– Least used applications or external systems; occasional traffic
� Detect fraud
– Determine baselines on credit pulls or trading volumes, and detect anomalies
– Correlate eBanking PIN change with large money transfers
� Forensic evidence for prosecution
� Impact analysis
� Compliance
– Change & configuration management
IBM Security Systems
Security Intelligence, Analytics &
GRC
People
Intelligent solutions provide the DNA to secure a Smarter Planet
© 2012 IBM Corporation27
Data
Applications
Infrastructure
IBM Security Systems
Thank You!
© 2012 IBM Corporation28 © 2012 IBM Corporation28
Thank You!
IBM Security Systems
ibm.com/security
© 2012 IBM Corporation29
© Copyright IBM Corporation 2012. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind, express or implied. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, these materials. Nothing contained in these materials is intended to, nor shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software. References in these materials to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates. Product release dates and/or capabilities referenced in these materials may change at any time at IBM’s sole discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any way. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service marks of others.
Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed or misappropriated or can result in damage to or misuse of your systems, including to attack others. No IT system or product should be considered completely secure and no single product or security measure can be completely effective in preventing improper access. IBM systems and products are designed to be part of a comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective. IBM DOES NOT WARRANT THAT SYSTEMS AND PRODUCTS ARE IMMUNE FROM THE MALICIOUS OR ILLEGAL CONDUCT OF ANY PARTY.