
Defining Security Intelligence for the Enterprise - What CISOs Need to Know


DESCRIPTION

In this presentation with Chris Poulin, you'll gain the insight you need to stay ahead of the threats and to be prepared to respond before, during and after an attempted breach. Chris Poulin is Industry Security Systems Strategist and former CISO for Q1 Labs.

CONTENT:
• What is Security Intelligence?
• Why do we need Security Intelligence?
• What are the benefits of Security Intelligence in the enterprise?


Page 1: Defining Security Intelligence for the Enterprise - What CISOs Need to Know

© 2012 IBM Institute for Advanced Security

Defining Security Intelligence for the Enterprise:

What Today’s CISOs Need to Know

Chris Poulin Industry Security Systems Strategist

IBM Institute for Advanced Security

Page 2

You will get hacked, but…

CISOs know it’s not if but when they get hacked; yet there is still a gap in the ability to detect a breach.

Breaches are taking longer to discover

Breaches are not being discovered internally

Charts from Verizon 2011 Investigative Response Caseload Review

Page 3

92% of Breaches Are Undetected by Breached Organization

Source: 2012 Data Breach Investigations Report

Page 4

SQL Injection Still #1

Page 5

Sophistication of cyber threats, attackers and motives is rapidly escalating

[Chart: adversary type plotted against motive, from 1995 – 2005 (1st Decade of the Commercial Internet) to 2005 – 2015 (2nd Decade of the Commercial Internet)]

Motive: Curiosity; Revenge; Espionage, Political Activism; Monetary Gain; National Security

Adversary:
• Script-kiddies or hackers using tools, web-based “how-to’s”
• Insiders, using inside information
• Organized Crime, using sophisticated tools
• Competitors, Hacktivists
• Nation-state Actors; Targeted Attacks / Advanced Persistent Threat

Page 6

Solving a security issue is a complex, four-dimensional puzzle

• People: Employees, Consultants, Hackers, Terrorists, Outsourcers, Customers, Suppliers
• Data: Structured, Unstructured, At rest, In motion
• Applications: Systems applications, Web applications, Web 2.0, Mobile apps
• Infrastructure

It is no longer enough to protect the perimeter – siloed point products will not secure the enterprise

Page 7

Choose the Right Technology

Protection technology is critical, but choose wisely

There is no magic security technology

Page 8

People and Processes First

A lesson from airport security:

Instead of expensive equipment, use what works

In Israel

• No plane departing Ben Gurion Airport has ever been hijacked

• Use human intelligence

• “Questioning” looks for suspicious behavior

• Simple metal detectors

Scotland Yard

• 24+ men planned to smuggle explosive liquids

• Foiled beforehand because of intelligence

• Before they even got to the airport

Page 9

What is Security Intelligence?

Security Intelligence
--noun
1. the real-time collection, normalization, and analytics of the data generated by users, applications and infrastructure that impacts the IT security and risk posture of an enterprise

Security Intelligence provides actionable and comprehensive insight for managing risks and threats from protection and detection through remediation

Page 10

What Gartner is Saying About the Need for Context

“The rapid discovery of a breach is key to minimizing the damage of a targeted attack, but most organizations do not have adequate breach detection capabilities.”

“Since perfect defenses are not practical or achievable, organizations need to augment vulnerability management and shielding with more-effective monitoring.”

“The addition of context, such as user, application, asset, data and threat, to security event monitoring will increase the likelihood of early discovery of a targeted attack.”

“We need to get better at discovering the changes in normal activity patterns that are the early signal of an attack or breach.”

Mark Nicolett, Managing VP, Gartner Security, Risk & Compliance

#1-3 from “Effective Security Monitoring Requires Context,” Gartner, 16 January 2012, G00227893
#4 from “Using SIEM for Targeted Attack Detection,” Gartner, 20 March 2012, G00227898

Page 11

Context and correlation

Deep visibility into users, data, applications, and assets

Sources + Intelligence = Most Accurate & Actionable Insight

Page 12

Solving complex problems that point solutions cannot

• Improving threat detection: discovered 500 hosts with the “Here You Have” virus, which all other security products missed
• Consolidating data silos: 2 billion logs and events per day reduced to 25 high-priority offenses
• Predicting risks against your business: automating the policy monitoring and evaluation process for configuration changes in the infrastructure
• Addressing regulatory mandates: real-time monitoring of all network activity, in addition to PCI mandates

Page 13

How Security Intelligence Can Help

Continuously monitor all activity & correlate in real-time

Gain visibility into unauthorized or anomalous activities

– Server (or thermostat) communicating with IP address in China.

– Unusual Windows service -- backdoor or spyware program

– Query by DBA to credit card tables during off-hours – possible SQL injection attack

– Spike in network activity -- high download volume from SharePoint server

– High number of failed logins to critical servers -- brute-force password attack

– Configuration change -- unauthorized port being enabled for exfiltration

– Inappropriate use of protocols -- sensitive data being exfiltrated via P2P

Page 14

Why Should a CISO Care?

Detect suspicious behavior

– Privileged actions being conducted from a contractor’s workstation

– DNS communications with external system flagged as C&C

Detect policy violations

– Baseline against reality (CMDB)

– Social media, P2P, etc

Detect APTs

– File accesses out of the norm—behavior anomaly detection

– Least used applications or external systems; occasional traffic

Detect fraud

– Baseline credit pulls or trading volumes and detect anomalies

– Correlate eBanking PIN change with large money transfers

Forensic evidence for prosecution

Impact analysis

Compliance

– Change & configuration management

Metrics
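Three of the scenarios on this slide and the previous one (a DBA querying cardholder tables off-hours, a burst of failed logins against a critical server, an eBanking PIN change followed by a large transfer) written as correlation rules over normalized events. This is an added example, not code from the deck or from QRadar; the event field names, thresholds and sample events are constructed for it.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed, already-normalized events, as a SIEM holds them after collection.
# Field names (ts, kind, user, host, ...) are assumptions for this example.
EVENTS = [
    {"ts": "2012-05-01T02:14:00", "kind": "db_query", "user": "dba_jsmith", "role": "dba",
     "table": "cardholder_data", "host": "ora-prod-01"},
    {"ts": "2012-05-01T10:30:00", "kind": "pin_change", "user": "cust4471"},
    {"ts": "2012-05-01T10:42:00", "kind": "transfer", "user": "cust4471", "amount": 25000},
    {"ts": "2012-05-01T14:00:00", "kind": "db_query", "user": "dba_jsmith", "role": "dba",
     "table": "cardholder_data", "host": "ora-prod-01"},  # business hours: benign
] + [  # five failed logins to a domain controller within 40 seconds
    {"ts": f"2012-05-01T09:00:{s:02d}", "kind": "auth_fail", "user": "admin", "host": "dc-01"}
    for s in range(0, 50, 10)
]

CRITICAL_HOSTS = {"dc-01", "ora-prod-01"}
SENSITIVE_TABLES = {"cardholder_data"}
BUSINESS_HOURS = range(8, 19)          # 08:00-18:59; anything else is "off-hours"
FAILED_LOGIN_THRESHOLD = 5
FAILED_LOGIN_WINDOW = timedelta(seconds=60)
PIN_TRANSFER_WINDOW = timedelta(minutes=30)
LARGE_TRANSFER = 10000

def correlate(events):
    """Reduce a stream of events to a short list of offenses (rule_name, who, detail)."""
    offenses = []
    recent_fails = defaultdict(deque)   # host -> timestamps of failed logins in the window
    last_pin_change = {}                # user -> time of most recent PIN change
    for e in sorted(events, key=lambda ev: ev["ts"]):   # ISO-8601 strings sort chronologically
        t = datetime.fromisoformat(e["ts"])
        if (e["kind"] == "db_query" and e["role"] == "dba"
                and e["table"] in SENSITIVE_TABLES and t.hour not in BUSINESS_HOURS):
            offenses.append(("off_hours_sensitive_query", e["user"], e["host"]))
        elif e["kind"] == "auth_fail" and e["host"] in CRITICAL_HOSTS:
            q = recent_fails[e["host"]]
            q.append(t)
            while t - q[0] > FAILED_LOGIN_WINDOW:    # slide the window forward
                q.popleft()
            if len(q) == FAILED_LOGIN_THRESHOLD:     # fire once, when the threshold is reached
                offenses.append(("brute_force", e["user"], e["host"]))
        elif e["kind"] == "pin_change":
            last_pin_change[e["user"]] = t
        elif e["kind"] == "transfer" and e["amount"] >= LARGE_TRANSFER:
            changed = last_pin_change.get(e["user"])
            if changed is not None and t - changed <= PIN_TRANSFER_WINDOW:
                offenses.append(("pin_change_then_large_transfer", e["user"], e["amount"]))
    return offenses
```

Nine constructed events collapse to three offenses; the 14:00 query on the same table by the same DBA produces none, which is the point of adding time-of-day context to the rule.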


Page 15

Network Activity for Total Visibility

• Attackers can stop logging and erase their tracks, but can’t cut off the network (flow data)
• Helps detect day-zero attacks that have no signature
• Provides definitive evidence of attack
• Enables visibility into all attacker communications
• Passively builds up asset profiles—and keeps them up to date

Page 16

Application Detection & Forensic Evidence

IRC on port 80? QFlow enables detection of a covert channel.

Botnet detected? This is as far as traditional SIEM can go.

Irrefutable Layer 7 data contains botnet command and control instructions.
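An added example (not QFlow or deck code) of the two points made on this slide and the previous one: classifying a flow by its first Layer 7 bytes so that IRC on port 80 stands out as a covert channel with the payload kept as evidence, and passively building an asset profile from the same flows. The flow record layout, the signature table and the sample flows are constructed for the example.

```python
from collections import defaultdict

# Constructed flow records: (src, dst, dst_port, first payload bytes of the flow).
# Keeping the first bytes of payload alongside the flow (the page calls this Layer 7
# data; the record layout is an assumption here) makes the application visible
# regardless of the port it was sent on.
FLOWS = [
    ("10.1.1.20", "10.1.1.5", 80, b"GET /index.html HTTP/1.1\r\nHost: intranet\r\n"),
    ("10.1.1.21", "10.1.1.5", 80, b"POST /login HTTP/1.1\r\nHost: intranet\r\n"),
    ("10.1.1.42", "203.0.113.9", 80, b"NICK w0rkstn42\r\nUSER w 0 * :w\r\nJOIN #ctrl\r\n"),
    ("10.1.1.42", "10.1.1.53", 53, b"\x12\x34\x01\x00\x00\x01\x00\x00"),
]

# Minimal Layer 7 signatures: application -> byte prefixes that identify its first message.
SIGNATURES = {
    "http": (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"HTTP/1."),
    "irc": (b"NICK ", b"USER ", b"PASS ", b"JOIN ", b"PRIVMSG "),
}
# What is expected on well-known ports; a different application there is a covert channel.
EXPECTED_ON_PORT = {80: "http", 6667: "irc"}

def classify(payload):
    """Name the application from the leading payload bytes, or 'unknown'."""
    for app, prefixes in SIGNATURES.items():
        if payload.startswith(prefixes):
            return app
    return "unknown"

def analyze(flows):
    """Passively profile assets (server -> {port: application}) and flag mismatches.

    Profiles come from observing traffic, so they stay current without a scan, and a
    host that tampers with its own logs still shows up in flows seen on the network.
    """
    assets = defaultdict(dict)
    offenses = []
    for src, dst, port, payload in flows:
        app = classify(payload)
        assets[dst][port] = app
        expected = EXPECTED_ON_PORT.get(port)
        if expected and app not in (expected, "unknown"):
            offenses.append({"src": src, "dst": dst, "port": port, "app": app,
                             "evidence": payload[:48]})   # the Layer 7 bytes back the alert
    return dict(assets), offenses
```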

Page 17

Data Leakage

Alert on data patterns, such as credit card numbers, in real time.

Who is responsible for the data leak?

Page 18

Insider Fraud

Potential Data Loss? Who? What? Where?

Who? An internal user
What? Oracle data
Where? Gmail
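The real-time pattern alert from the previous slide and the who / what / where triage from this one, as an added example that is not from the deck or any IBM product: candidate digit runs are confirmed with the Luhn check so order and ticket numbers do not raise alerts, hits are masked before they reach the offense record, and the record names the sender and the destination domain. The message fields and sample body are constructed.

```python
import re

# Candidate runs of 13-19 digits, allowing the single spaces or dashes typed between groups.
CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

def luhn_ok(digits):
    """Luhn check-digit test: rejects most digit runs that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:              # double every second digit from the right
            d = d * 2 if d < 5 else d * 2 - 9
        total += d
    return total % 10 == 0

def find_card_numbers(text):
    """Return Luhn-valid card-like numbers in text, masked so the alert itself leaks nothing."""
    hits = []
    for m in CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(digits[:6] + "*" * (len(digits) - 10) + digits[-4:])
    return hits

def scan_message(sender, recipient, body):
    """Answer who / what / where for one outbound message, or None when nothing matched."""
    hits = find_card_numbers(body)
    if not hits:
        return None
    return {"who": sender, "what": hits, "where": recipient.rsplit("@", 1)[-1]}

# Constructed outbound webmail message as a content monitor would reassemble it.
SAMPLE_SENDER = "jdoe@corp.example"
SAMPLE_RECIPIENT = "someone@gmail.example"
SAMPLE_BODY = (
    "Order 20120515123456 shipped. Card on file 4111 1111 1111 1111, "
    "backup card 5500-0000-0000-0004; support ticket 1234567890123."
)
```

The order number and ticket number are both 13-plus digits and match the candidate pattern, but fail Luhn; only the two card numbers (well-known test values) survive.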

Page 19

User Behavior Monitoring & APTs

User & Application Activity Monitoring alerts to a user anomaly for Oracle database access.

Identify the user, normal access behavior and the anomaly behavior with all source and destination information for quickly resolving the persistent threat.

Page 20

Configuration & Risk

Network topology and open paths of attack add context

Rules can take exposure into account to:
• Prioritize offenses and remediation
• Enforce policies
• Play out what-if scenarios

Page 21

Real-Time Activity for Prioritized Response

Network monitoring + configuration management = deeper level of forensics & accurate impact analysis

Page 22

Integration: Increasing Security, Collapsing Silos, and Reducing Complexity

Increased Awareness and Accuracy
• Prevent advanced threats with real-time intelligence correlation across security domains
• Increase situational awareness by leveraging real-time feeds of X-Force Research and Global Threat Intelligence across IBM security products, such as QRadar Security Intelligence Platform and Network Security appliances
• Conduct complete incident investigations with unified identity, database, network and endpoint activity monitoring and log management

Ease of Management
• Simplify risk management and decision-making with automated reporting through a unified console
• Enhance auditing and access capabilities by sharing identity context across multiple IBM security products
• Build automated, customized application protection policies by feeding AppScan results into IBM Network Intrusion Prevention Systems

Reduced Cost and Complexity
• Deliver faster deployment, increased value and lower TCO by working with a single strategic partner

Page 23

Security Intelligence Timeline

Prediction & Prevention

Risk Management. Vulnerability Management.

Configuration Monitoring. Patch Management.

X-Force Research and Threat Intelligence.

Compliance Management. Reporting and Scorecards.

Reaction & Remediation

SIEM. Log Management. Incident Response.

Network and Host Intrusion Prevention.

Network Anomaly Detection. Packet Forensics.

Database Activity Monitoring. Data Loss Prevention.

Page 24

In 1996 Gartner Group said…

“Making business decisions based on accurate and current information takes more than intuition. Data analysis, reporting and query tools can help business users wade through a sea of data to synthesize valuable information from it. Today these tools collectively fall into a category called ‘Business Intelligence’.”

Page 25

In 1958 IBM researcher Hans Peter Luhn used the term business intelligence. He defined business intelligence as:

“the ability to apprehend the interrelationships of presented facts in such a way as to guide action towards a desired goal.”

Page 26

Security and Business Intelligence Parallels

[Chart: two parallel timelines plotted over Time and annotated with Market Changes; the security timeline also carries the label DASCOM]

IBM Security Intelligence: Managed Security Services; Mainframe and Server Security - RACF; SOA Security; Network Intrusion Prevention; Database Monitoring; Identity and Access Management; Application Security; Security as a Service; Compliance Management; Security Intelligence

IBM Business Intelligence: Enterprise Reporting; Performance Management; Business Intelligence Suite; IOD Business Optimization; BI Convergence with Collaboration; Text & Social Media Analytics; Simplified Delivery (i.e., Cloud); Predictive Analytics; Decision Management

Page 27

Thank you