© 2016 IBM Corporation
What’s the State of Your Endpoint Security?
George Mina, Program Director; Mark Hafner, Systems Engineer
Security teams face an onslaught of serious challenges
Large skills gap in security expertise worldwide: 83% of enterprises have difficulty finding the skills they need. Unfilled security positions are expected to grow to 1.5 million by 2020.[4]
Data breaches continue with no end in sight: cybercrime is estimated to cost organizations $400 billion per year[1], with over 600 million records leaked in 2015.[2]
Lack of timely and relevant intelligence plagues security teams: 80% believe that if they had threat intelligence at the time of the breach, they could have prevented or minimized the consequences of the attack.[3]
1 Ponemon: Cost of a Data Breach Report 2015
2 IBM: X-Force Threat Intelligence Report 2016
3 Ponemon: Cost of a Data Breach Report 2015
4 Ponemon: Cyber Threat Intelligence Report 2015
The perimeter no longer exists: it is wherever your endpoints are, both on and off the corporate network.[1]
1 SANS: State of Endpoint Security Survey 2016
Chart: Endpoints Covered by Security/IR Programs (source: SANS: State of Endpoint Security Survey 2016)
Chart: Remediation and Recovery. Survey question: “When responding to an incident, how much time (in man-hours) do you spend (on average) per compromised endpoint?” Response bands: Unknown; less than 1 hour; 1–2 hours; 3–4 hours; 5–6 hours; 7–8 hours; 9–16 hours; 17–24 hours; more than 24 hours (percent of respondents, 0–25% scale).
1 SANS: State of Endpoint Security Survey 2016
The State of Endpoint Security[1]
• 44% report that one or more of their endpoints have been breached in the past 24 months
• 55% spend 3 or more hours per compromised endpoint
• 70% find it difficult or impossible to determine when an incident has been fully remediated
1 SANS: State of Endpoint Security Survey 2016
Ineffective patch management: major contributor to most breaches
• 75% of attacks use publicly known vulnerabilities that could be prevented by patching, but hackers know organizations can’t patch effectively.[1]
• 99.9% of exploited vulnerabilities were compromised more than a year after the CVE was published.[2]
• The average time to detect advanced persistent threats is 256 days.[3]
1 CSIS: Raising the Bar for Cybersecurity
2 Verizon: Data Breach Investigation Report 2015
3 IBM: X-Force Threat Intelligence Report 2016
Why so many endpoint approaches fail (architecture, complexity, resources)
• Multiple products, multiple agents
• Siloed security and ops teams
• Resource-intensive agent(s)
• Infrastructure- and resource-heavy
• Little pre-built content
• Manual tasks detract from higher-value projects
• Narrow visibility and coverage
• Slow, scan-based architecture
• Not cost-effective at scale
What we do: IBM BigFix®. Find it. Fix it. Secure it… fast
• Find It. Discover unmanaged endpoints and get real-time visibility into all endpoints to identify vulnerabilities and non-compliant endpoints
• Fix It. Fix vulnerabilities and apply patches across all endpoints on and off the network in minutes, regardless of endpoint type or network connectivity
• Secure It. Continuously monitor and enforce compliance with security, regulatory and operational policies while proactively responding to threats
IBM BigFix: Bridge the gap between Security and IT Operations
Shared visibility and control between IT Operations and Security: reduce operational costs while improving your security posture.
Endpoint management (IT Operations):
• Discovery and Patching
• Lifecycle Management
• Software Compliance and Usage
Endpoint security (Security):
• Continuous Monitoring
• Threat Protection
• Incident Response
IBM BigFix®: Find it. Fix it. Secure it… fast
How we do endpoint security and management: real-time visibility, scalability, and ease of use
Diagram: IBM BigFix server in the datacenter; remote offices and roaming endpoints reached over a mix of links (T1, ISDN, 56K, WiFi, cable/DSL, 3G, satellite, WAN, Internet); content delivered from BigFix Content Delivery in the cloud.
Lightweight, robust infrastructure
• Use existing systems as relays
• Built-in redundancy
• Support/secure roaming endpoints
Cloud-based content delivery
• Highly extensible
• Automatic, on-demand functionality
Single intelligent agent
• Performs multiple functions
• Continuous self-assessment and policy enforcement
• Minimal system impact (< 2% CPU)
Single server and console
• Highly secure and scalable
• Aggregates data, analyzes and reports
• Pushes out pre-defined/custom policies
Prioritize risks and expedite remediation of vulnerabilities: integrated, closed-loop risk management
IBM BigFix (real-time endpoint intelligence): provides current endpoint status
IBM QRadar (enterprise-wide security analytics): correlates events and generates alerts; prompts IT staff to fix vulnerabilities
• Improves asset database accuracy
• Strengthens risk assessments
• Enhances compliance reporting
• Accelerates risk prioritization of threats and vulnerabilities
• Increases reach of vulnerability assessment to off-network endpoints
Extend QRadar’s reach and simplify incident response with BigFix
Step 1 (IBM BigFix): Provide continuous insight across all endpoints, including off-network laptops
• Machine name, OS, IP address, malware incidents
• Provides details on physical and virtual servers, PCs, Macs, POS devices, ATMs, kiosks, etc.
• All known CVEs exposed on an endpoint
• BigFix sends vulnerability and patch data to QRadar, automatically ensuring that QRadar’s asset database is updated with current data
Step 2 (IBM BigFix): Enforce compliance of security, regulatory and operational policies
Step 3 (IBM QRadar): Prioritize vulnerabilities and remediation by risk
• QRadar correlates assets and vulnerabilities with real-time security data
• It then sends the prioritized list to BigFix administrators
Step 4 (IBM BigFix): Expedite remediation of ranked vulnerabilities, configuration drift and irregular behavior
• Quarantine endpoints until they can be remediated
• Patch or reconfigure endpoints
Quarantine non-compliant endpoints: protect against zero-day malware and vulnerability attacks until remediation is complete
1. Automatically assess endpoints for required compliance configurations
2. Discover and isolate out-of-compliance endpoints in network quarantine until compliance is achieved
3. Maintain management control of the endpoint and disable all other access
Diagram: the server and console keep a management channel to the non-compliant endpoint while its other network access is blocked.
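The closed loop on the two preceding slides (endpoint reports ranked by risk, then quarantine or patch, then updated reports), as an added illustration that is not IBM's code, API or scoring model: a constructed inventory of endpoint reports is correlated with constructed security events to rank exposed CVEs, the ranking becomes a per-endpoint remediation plan (quarantine first for out-of-compliance hosts, then patches), and a patched endpoint drops out of the next ranking. The scoring weights, CVE ids, IPs and hostnames are all assumptions.

```python
from dataclasses import dataclass

@dataclass
class Endpoint:
    name: str
    os: str
    ip: str
    cves: list             # CVE ids the endpoint currently reports as exposed
    malware_incidents: int
    compliant: bool        # passes the required compliance configuration checks

# Constructed severity table; the CVE ids are placeholders, not real advisories.
SEVERITY = {"CVE-0000-0001": 9.8, "CVE-0000-0002": 7.5, "CVE-0000-0003": 4.3}
# Constructed analytics events: (cve, target ip, exploit attempts observed).
EVENTS = [("CVE-0000-0002", "10.0.0.20", 12), ("CVE-0000-0003", "10.0.0.10", 3)]

# Constructed endpoint reports of the kind the slides list (name, OS, IP, CVEs, malware incidents).
INVENTORY = [
    Endpoint("ws-10", "Windows 10", "10.0.0.10", ["CVE-0000-0001", "CVE-0000-0003"], 0, True),
    Endpoint("pos-20", "Linux", "10.0.0.20", ["CVE-0000-0002"], 2, False),
    Endpoint("kiosk-30", "Linux", "10.0.0.30", ["CVE-0000-0003"], 0, True),
]

def risk_score(ep, cve, events):
    """Severity plus boosts for observed exploit attempts on this host/CVE and prior malware (illustrative weights)."""
    attempts = sum(n for c, ip, n in events if c == cve and ip == ep.ip)
    return SEVERITY.get(cve, 0.0) + min(attempts, 10) * 0.5 + ep.malware_incidents * 1.0

def prioritize(inventory, events):
    """Rank every (endpoint, CVE) pair by risk, highest first: the prioritized list handed to administrators."""
    ranked = [(risk_score(ep, cve, events), ep.name, cve)
              for ep in inventory for cve in ep.cves]
    return sorted(ranked, reverse=True)

def remediation_plan(inventory, ranked):
    """Per endpoint: quarantine first if out of compliance, then patch its CVEs in risk order."""
    plan = {ep.name: (["quarantine"] if not ep.compliant else []) for ep in inventory}
    for _, name, cve in ranked:
        plan[name].append("patch " + cve)
    return plan

def apply_patch(inventory, name, cve):
    """Close the loop: a patched endpoint's next report no longer lists the CVE, so the next ranking drops it."""
    for ep in inventory:
        if ep.name == name and cve in ep.cves:
            ep.cves.remove(cve)
            return True
    return False
```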
Expedite remediation of vulnerabilities: IBM BigFix and QRadar
Business need: Automate and strengthen security and endpoint management to better protect data and meet HIPAA and meaningful use requirements.
Solution: Comprehensive security solution from IBM that helps staff secure endpoints and better detect and respond to threats across the organization.
“We can now quickly, easily and accurately produce audit reports for HIPAA and meaningful use compliance. This has helped us obtain a considerable sum of meaningful use incentive dollars.”
—Eddy Stephens, Chief Information Officer, Infirmary Health System
Find, fix and secure endpoints fast
• Achieve automatic, continuous, closed-loop remediation of endpoints
• Compress patch cycle times from weeks and days to hours or minutes
• Significantly reduce operational costs while improving security posture
• Implement and enforce continuous compliance across all endpoints, both on and off the corporate network
Diagram: closed loop of Evaluate, Remediate and Report.
© Copyright IBM Corporation 2015. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind, express or implied. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, these materials. Nothing contained in these materials is intended to, nor shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software. References in these materials to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates. Product release dates and / or capabilities referenced in these materials may change at any time at IBM’s sole discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any way. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service marks of others.
Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed, misappropriated or misused or can result in damage to or misuse of your systems, including for use in attacks on others. No IT system or product should be considered completely secure and no single product, service or security measure can be completely effective in preventing improper use or access. IBM systems, products and services are designed to be part of a lawful, comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective. IBM DOES NOT WARRANT THAT ANY SYSTEMS, PRODUCTS OR SERVICES ARE IMMUNE FROM, OR WILL MAKE YOUR ENTERPRISE IMMUNE FROM, THE MALICIOUS OR ILLEGAL CONDUCT OF ANY PARTY.
THANK YOU www.ibm.com/security
BigFix Architecture
Single server and console
• Highly secure, highly available
• Aggregates data, analyzes and reports
• Manages up to 250K endpoints per server
Single intelligent agent
• Continuous self-assessment
• Continuous policy enforcement
• Minimal system impact (<2% CPU, <10MB RAM)
Flexible policy language (Fixlets)
• Thousands of out-of-the-box policies
• Best practices for operations and security
• Simple custom policy authoring
• Highly extensible/applicable across all platforms
Lightweight, easily configurable infrastructure
• Designate IBM BigFix agent as a relay or discovery point in minutes
• Provides built-in redundancy
• Leverages existing systems/shared infrastructure