IBM Security App Exchange Spotlight: Immerse Your Security in Threat Intelligence
Russ Warren, Program Manager, Security Intelligence Technology Alliance

Detect and Respond to Threats Better with IBM Security App Exchange Partners


Author notes (template instructions):

This is the IBM Security default template for both internal and external use. Its aspect ratio is 16:10 and it measures 10 x 6.25. This template was created in Microsoft PowerPoint 365 Pro Plus 2016.

Template files (saved with the file extension .potx) contain slide designs and customized layouts and are stored in your Microsoft templates folder. To save your new template as your default template for future use: click File / Save As and choose PowerPoint Template (.potx) from the pull-down menu; rename the file to Blank.potx and click Save (the file will then be stored in the default template location).

Themes provide a complete slide design that can be applied to your existing presentation, including background designs, font styles, colors, and layouts. To save your new template's theme file, click View / Slide Master / Themes; on the Themes pull-down menu, select Save Current Theme. This new theme file is how you apply the new template design to your existing presentations. For more information, visit Office.com / PowerPoint / Support.

Copy your existing source slides in Slide Sorter view. Paste Special by right-clicking in Slide Sorter view of the destination file or template and select Keep Source Formatting; this helps ensure your slides retain their existing styles. Each slide then needs to be adjusted in Normal view: select body content except title and footer (Control A, then select title and footers while holding the Shift key); cut the remaining selected body content (Control X); reset the slide layout using the new template layouts; paste the slide content back onto the slide (Control V).

Learn more about using templates at Office.com / PowerPoint / Support. (11/8/2016)

Today's attacks require a strategic security approach

Yesterday's attacks: indiscriminate malware, spam and DDoS activity.
Tactical approach (compliance-driven, reactionary):
- Build multiple perimeters
- Protect all systems
- Use signature-based methods
- Periodically scan for known threats
- Shut down systems

Today's attacks: advanced, persistent, organized, politically or financially motivated.
Strategic approach (intelligent, orchestrated, automated):
- Assume constant compromise
- Prioritize high-risk assets
- Use behavioral-based methods
- Continuously monitor activity
- Gather, preserve, retrace evidence

It takes power and precision to stop adversaries and unknown threats.


Continuously stop attacks and remediate vulnerabilities: upgrade your defenses with a coordinated platform to outthink threats

PREVENT
- Disrupt malware and exploits
- Discover and patch endpoints
- Automatically fix vulnerabilities

DETECT
- Discover unknown threats with advanced analytics
- See attacks across the enterprise
- Sense abnormal behaviors
- Automatically prioritize threats

RESPOND
- Respond to incidents quickly, with precision
- Hunt for indicators using deep forensics
- Orchestrate and automate incident response


Imagine if you could PROTECT against tomorrow's risks, today

Imagine if you could protect the world of tomorrow, today. Threats continue to grow, as does the reliance on information technology to generate value for your organization. However, we are moving into a position to proactively stay ahead of the threats. By having the ability to identify and protect your most critical data, it becomes possible to TRUST that our organization is doing all that is required to adequately prevent, detect, and respond quickly to threats. Getting to this point requires a security partner that is building an integrated system to help gain the insight needed to respond to the threat environment.

How do I get started when all I see is chaos?

(Slide shows the scattered tool categories of a typical environment: IP reputation, indicators of compromise, threat sharing, firewalls, incident and threat management, virtual patching, sandboxing, network visibility, endpoint patching and management, malware protection, antivirus, data access control, data monitoring, application security management, application scanning, access management, entitlements and roles, identity management, transaction protection, device management, content security, workload protection, cloud access security broker, anomaly detection, log/flow/data analysis, vulnerability management, privileged identity management, incident response, criminal detection, fraud protection.)


Companies have been building up their security arsenals for the past 20 years. What do you see? A jumbled mess of scattered tools: chaos. This is actually what most IT environments look like today, which adds to the complexity.

Integration to help prevent, detect and respond to advanced threats

Integration to help prevent, detect and block insider threat

Integration to manage compliance and governance

Integration for risk-based access to critical assets

Integration to help secure mobile transformation

Integration for secure adoption of cloud apps

Integrated protection to optimize security posture: via our IBM Technology Partners and their QRadar Extensions, we can gain more visibility and clearer context, and collaborate on suspicious activities for the Security Operations and Incident Response teams.

Prevoty
Kunal Anand, Co-founder and CTO
November 8, 2016


Prevoty Overview: Application and Data Security at Runtime

Prevoty provides application security detection and protection at runtime.
- Agent installation: no code changes required
- Application integrations: C#, Java, Node.js, PHP, Python, Ruby, etc.
- DevOps integrations: Ansible, Chef, Jenkins, Puppet, etc.

Detection: application and data security intelligence
- Visibility into attack execution in production applications
- Use cases: asset tagging, database monitoring/exfiltration, fraud, etc.

Protection: RASP (Runtime Application Self-Protection)
- Instant mitigation against attacks including the OWASP Top 10, including content, database and command injections

Prevoty Intelligence: Unparalleled Security, Application and Database Security Insights

Pre-correlated intelligence (everything in one place):
- Network: HTTP request, HTTP response, IP addresses, host info
- Application: user session, code execution, filename, line number
- Operating system: file reads/writes, process executions
- Database: query execution, rows modified via execution

The Four Ws:
- Who: IP address, session, cookie identifier
- What: contents of the payload (HTTP variables, database queries)
- Where: URL, stack trace (includes filename and line number)
- When: nanosecond timestamp

Example event as shown on the slide:

    {
      "category": "SQL",
      "event": "Data Exfiltration",
      "engine": "query",
      "severity": "HIGH",
      "query": "SELECT name, pw FROM u WHERE name='' OR 1=1",
      "returnedRows": 10,
      "tautology": true,
      "file": "UserRepository.java",
      "line": 30,
      "ip": "127.0.0.1",
      "session_id": "8fOEWOQ890a",
      "url": "http://acme.com/search?name='%20OR%201=1",
      "timestamp": 1478552486344
    }

Prevoty & IBM QRadar: 3 Steps to Analyze and Visualize Real-Time Application and Data Security Insights

1. Add a Prevoty agent to your application
   - Prevoty travels with the application through the entire SSDLC
   - DevOps integrations with CI and CD solutions
   - Insights are logged in many formats: CEF, LEEF, JSON

2. Download the Prevoty / QRadar extension: https://exchange.xforce.ibmcloud.com/hub/extension/PrevotyRASP
   - Forward Prevoty LEEF log output to your QRadar deployment

3. Analyze and visualize security insights
   - Pre-built dashboards/reports for visualizing runtime insights
   - Correlate Prevoty with AppScan (vulnerability management), Guardium (DAM) and Trusteer (fraud)
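As an added example (not Prevoty's or IBM's code), the following Python normalises the JSON event shown on the Prevoty Intelligence slide into a LEEF 1.0 record of the kind step 2 forwards to QRadar, then parses it back as a round-trip check. The LEEF header layout follows the public LEEF specification; the vendor/product strings, the attribute names and the severity scale are assumptions.

```python
"""Normalise a Prevoty-style runtime event (JSON) into a LEEF 1.0 record
for forwarding to QRadar, and parse it back.

Added example, not Prevoty's or IBM's code. LEEF 1.0 layout:
  LEEF:1.0|Vendor|Product|Version|EventID|key=value<TAB>key=value...
Vendor/product strings, attribute names and the severity scale are assumptions.
"""
import json
from datetime import datetime, timezone

# Constructed sample, reproducing the event shown on the Prevoty Intelligence
# slide (the IP, session id and URL are the slide's own values).
SAMPLE_EVENT = json.dumps({
    "category": "SQL",
    "event": "Data Exfiltration",
    "engine": "query",
    "severity": "HIGH",
    "query": "SELECT name, pw FROM u WHERE name='' OR 1=1",
    "returnedRows": 10,
    "tautology": True,
    "file": "UserRepository.java",
    "line": 30,
    "ip": "127.0.0.1",
    "session_id": "8fOEWOQ890a",
    "url": "http://acme.com/search?name='%20OR%201=1",
    "timestamp": 1478552486344,
})

# Assumed mapping from Prevoty severity labels to the 1-10 LEEF 'sev' scale.
SEVERITY_MAP = {"LOW": 3, "MEDIUM": 5, "HIGH": 8, "CRITICAL": 10}


def leef_escape(value):
    """Tabs and newlines are LEEF delimiters; replace them so attacker-controlled
    payload text (the query, the URL) cannot inject extra attributes."""
    return str(value).replace("\t", " ").replace("\r", " ").replace("\n", " ")


def to_leef(raw_json, vendor="Prevoty", product="RASP", version="1.0"):
    """Return one LEEF 1.0 line for a Prevoty JSON event."""
    ev = json.loads(raw_json)
    # Prevoty timestamps are epoch milliseconds; devTime is a formatted string.
    ts = datetime.fromtimestamp(ev["timestamp"] / 1000, tz=timezone.utc)
    event_id = f'{ev["category"]}:{ev["event"]}'.replace(" ", "_")
    attrs = {
        "devTime": ts.strftime("%b %d %Y %H:%M:%S"),   # When
        "devTimeFormat": "MMM dd yyyy HH:mm:ss",
        "src": ev["ip"],                                # Who
        "sessionId": ev["session_id"],                  # Who
        "query": ev["query"],                           # What
        "returnedRows": ev["returnedRows"],             # What
        "tautology": str(ev["tautology"]).lower(),
        "url": ev["url"],                               # Where
        "srcFile": f'{ev["file"]}:{ev["line"]}',        # Where
        "cat": ev["category"],
        "sev": SEVERITY_MAP.get(ev["severity"], 5),
    }
    header = "|".join(["LEEF:1.0", vendor, product, version, event_id])
    body = "\t".join(f"{k}={leef_escape(v)}" for k, v in attrs.items())
    return header + "|" + body


def parse_leef(line):
    """Split a LEEF 1.0 line into its header fields and an attribute dict."""
    fields = line.split("|", 5)
    names = ["format", "vendor", "product", "version", "eventId"]
    header = dict(zip(names, fields[:5]))
    attrs = dict(kv.split("=", 1) for kv in fields[5].split("\t"))
    return header, attrs


if __name__ == "__main__":
    leef_line = to_leef(SAMPLE_EVENT)
    print(leef_line)
    print(parse_leef(leef_line))
```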

Prevoty & IBM QRadar: Pre-Built Dashboards, Saved Searches, Reports and Offenses

Dashboards: Dashboards aggregate Prevoty intelligence into a unified view across all applications. They provide a quick way to see the security posture while allowing analysts to jump in.

Saved searches & reports: Prevoty has pre-built saved searches and reports to speed up common tasks that analysts typically execute during their day-to-day work and investigations. Example searches: Intelligence Grouped by Src & Dest, Intelligence Grouped by Application, Offenses, etc.

Prevoty & IBM QRadar: Addressing Top Security Use Cases & Questions Together
- Visibility into applications and databases
- Application and database monitoring and protection
- Authentication, authorization and transactional fraud
- Insights into what's happening in the app and beyond
- Performance within applications

Prevoty & IBM AppScan: Unparalleled Security, Application and Database Security Insights

Pre-production SSDLC is resource intensive
- Developers are not security experts
- The push to Agile development and CI/CD represents the desire to deploy new applications and features to production faster

Production risk management
- Acceptable risk management allows vulnerable applications to be deployed to production while organizations know their application is protected by Prevoty

Correlate real-world attacks with vulnerabilities
- Prioritize vulnerability remediation efforts based on actual attacks
- Improves the cost and resource efficiency of remediation

Prevoty & IBM QRadar Ecosystem: Runtime Visibility Improves Security Decision-Making Across the Ecosystem

(Diagram: Prevoty agents in pre-production and production applications, on-premises and in the cloud, and in databases emit intelligence (LEEF) to QRadar. Surrounding components: SSDLC vulnerability management via static & dynamic testing; authentication, authorization & transactional fraud; application monitoring & protection; data monitoring & protection; data behavior; database activity monitoring.)

Niara UBA Application for QRadar: Machine learning-driven attack detection and accelerated investigation
Karthik Krishnan, VP Product Line Management
November 8, 2016


Two major value propositions
- Detection of attacks and risky behaviors on the inside
- Accelerated incident response via integrated forensic data

Key points: Niara is a behavioral analytics solution that offers two key value propositions.

First, Niara uses machine learning for the automated and early detection of attacks and risky behaviors inside an organization. These are either external attacks that have evaded perimeter defenses or internal user activity that is suspicious.

Our discussions on insider threats with customers have confirmed a broad spectrum of use cases that they care about, starting with compromised users/hosts, but we also see concern around negligent employees and malicious insiders.

- Compromised users/hosts: users who have been compromised by an attacker, e.g. credentials were stolen and the attacker is now on the inside of the network posing as the employee.

- Negligent employees: the misconfigured host that is downloading information from your finance server, or the user who is uploading all her files to a personal Dropbox account in violation of policy or downloading their Salesforce customer lists.

- Malicious insiders: the employee who has gone rogue.

By focusing on insiders in all forms, Niara provides user/host-level security insights within days. These include the following activity: command and control; credential violations; password sharing; abnormal high-value resource access; remote access violations via password theft; lateral movement; internal reconnaissance; exfiltration.

Slide bullets:
- Protect against compromised users, negligent and malicious insiders
- Detect privilege escalation and credential violations like password sharing and theft
- Flag inappropriate high-value resource access
- See lateral movement attempts
- Track remote access violations
- Spot data exfiltration


Machine learning combined with big data forensics: behavioral analytics, discrete analytics, forensics.

Niara puts this all together in the form of an Entity360 risk profile. Niara constructs one of these for each entity in your environment: user, host or IP.


Solution at a Glance

(Diagram: the Niara analyzer ingests network traffic (packets and flows via a packet broker), identity and infrastructure logs (AD, DHCP, DNS, firewall, proxy, VPN, email, DLP), alerts (endpoint, network, STIX) and SaaS/IaaS data (Box, Office 365, AWS, Azure). Data fusion on a Spark/Hadoop big-data layer feeds analytics and forensics that build Entity360 profiles, surfaced through the console/workflow and QRadar.)

Key points: There are two top-level points to be made on this slide.

Point #1: Niara is deployed alongside your existing network and security infrastructure and consumes exhaust data such as logs and alerts from your tools (firewalls, web proxies, VPN, DNS, AD, etc.). Niara can consume this data natively or from existing data stores such as SIEM/log management. In addition, Niara can also OPTIONALLY consume data from your network, going all the way down to the packet level as necessary. Niara applies its analytics to these diverse data sources and builds up user- and host-level risk profiles to help detect and investigate compromised users and hosts as well as negligent and malicious insiders.

Point #2: Niara analytics results can either be leveraged standalone or can plug back into existing consoles / workflows via open APIs. This is exactly what we demo through our Splunk / ArcSight integrations.


Demo

Entity360 Security Dossier


Behavioral analytics across multiple dimensions


Model Confidence and Business Impact


Niara Alert Details

Choice of Niara Entry Points


Entity 360 security dossier


Network Conversations Drill Down

Log Details


UBA Incident response ROI

Certified to Integrate with QRadar

Basics of Behavioral Analytics

Behavioral analytics: unsupervised + semi-supervised machine learning over historical and peer-group baselines; example detection: abnormal internal resource access.

Script: So how do you differentiate a simple anomaly from an attack that merits attention?

Perhaps we see that an employee came into the office near midnight a couple of days ago and downloaded a large file, which is odd, since they religiously work between the hours of 9 am and 5 pm. No doubt about it, that's 100% anomalous behavior. But is it malicious? Most tools out there leave this as a problem for you to figure out.

Finding the Malicious in the Anomalous

(Diagram: behavioral analytics flags anomalies such as suspicious file download, anomalous DNS request, unusual privilege escalation, abnormal internal resource access and irregular external data upload; discrete analytics combines supervised machine learning with third-party alerts from DLP, sandbox, firewalls, STIX, rules, etc.)

Niara lets you look back in time and see how contextually relevant events continuously contribute to a risk score. You will see the risk score rising, and at some point the system has detected the late-night file share access and large file downloads and increased the risk score to 80. Niara's rich forensics provide evidence surrounding each individual event over time. Risk scoring helps guide analysts on where they should focus their efforts.

Making extensive use of both supervised and unsupervised machine learning models, Niara's behavioral analytics enable automatic detection of anomalous behavior without up-front configuration or rules. Combined with the discrete analytics and forensics, Niara is able to more reliably link anomalies to malicious intent, so security personnel spend their time on what's important.

In this example, file, authentication, internal resource access, and DNS behavior have all contributed to an in-depth understanding of the attack that's underway. And that's just some of the many behavioral analytic modules Niara continuously applies to the varied data sources to automatically find attacks already on the inside.

Niara's ability to use seemingly small blips or anomalies to build up a comprehensive picture of what might truly be happening to the user (or entity) and, in the process, to build up an associated risk score for that user (or entity) is what's really going to make things easier for a security analyst floundering in a sea of alerts.


Niara Alert Dashboards on QRadar Console


Check Point SmartView for QRadar
Bill Sheeran, Check Point IBM Global Account Manager
[Restricted] ONLY for designated groups and individuals


THE CYBERTHREAT LANDSCAPE IS RAPIDLY EVOLVING: more sophisticated and more advanced

Threats are quickly evolving. Cybercrime has become a mature industry. Today you no longer have to be a genius at writing code to be a cybercriminal. Most of today's attackers buy platforms that let them spread malware and rent botnets for attacks. The maturity of cybercrime has lowered the barriers to entry.

Suggested anecdote: Case in point, here's a real-life story about malware infrastructure-as-a-service. In June 2016, we saw the Angler exploit kit vanish completely. Soon after, the Neutrino exploit kit began spreading the same malware payloads that Angler had delivered. The Angler criminal infrastructure might have become ineffective against security measures, the authorities could have shut it down, or possibly the group behind Neutrino offered the malware producers a better deal. Whatever the reason, this is malware infrastructure-as-a-service in action. More: http://blog.checkpoint.com/2016/06/27/the-malware-as-a-service-industry/

EVOLVING AND COMPLEX IT ENVIRONMENTS: IT environments have EVOLVED with new EMERGING technologies


HOW TO PROTECT TODAY'S BOUNDLESS ENVIRONMENTS?

SOFTWARE-DEFINED PROTECTION (SDP) ARCHITECTURE: CONVERTING INTELLIGENCE INTO PROTECTION

(Diagram: Enforcement layer: threat prevention across endpoint security, network security gateway, mobile security, virtual systems and cloud security. Control layer. Management layer: single management.)

We take ThreatCloud intelligence and transform it into prevention. Probably the best way to show how we do it is our complete architecture, called Software-Defined Protection. The idea behind Software-Defined Protection is that we have a complete set of enforcement points (physical, virtual, cloud, mobile, and desktop endpoints) and connect all of them to ThreatCloud in real time.

Suggested anecdote: If, for example, I find new malware propagating in a power plant in Vietnam, I would like a power plant in the U.S. to be protected at the same time. Software-Defined Protection translates threat intelligence from one source into protection throughout your whole environment, all managed by the single, efficient management platform.

A Single View into Security Risk


Fully Integrated Threat Management: Security Management for Full Visibility Across Your Network
- Logging
- Event correlation
- Reporting
- Monitoring

We've integrated logging, monitoring, event correlation and reporting into the main console for full visibility and faster incident response, because when an incident happens you need immediate visibility into the who, what, when, where and how of the attack. With our integrated threat management, besides a unified threat prevention policy that now unifies IPS, anti-bot, anti-spam, DLP

Logging: isolate and detect real threats in real time. Using Google-like search, an admin can find all the log information he needs. He can search on any field (software blade, user, IP, application, threat, security gateway, time span, etc.) and see all results in a single view.

Event correlation: we provide the only native event correlation for all our enforcement points, so you can weed out the critical events and quickly drill down to investigate.

Monitoring: integrated monitoring means you get detailed information on your gateways via a single view. You can collect real-time or historical data on each security gateway's health status, system resources, performance counters and VPN tunnel status. The data can be used to troubleshoot security policy and gateway configurations.

Forensics: Converting Intelligence into Protection


Investigate the Threat


Easily Customize Your Reports
Audiences: management, helpdesk, auditor. Accessible from any device.

It is possible to create custom reports for each stakeholder, so if your CISO wants to look at what applications users are accessing most this week, you can easily tee up the report and even make it accessible via a web browser.


- Consolidate all your security
- Deploy security without impeding innovation
- Gain full visibility to prevent the next attack
- Keep pace with dynamic environments


THINK ABOUT IT: The value to our customers
- We blocked 1,700,000 attacks
- We detected 140,000 bots communicating with command and control
- We created 1,500 new protections
... minutes since we started?


THANK YOU

FOLLOW US ON: ibm.com/security, securityintelligence.com, xforce.ibmcloud.com, @ibmsecurity, youtube/user/ibmsecuritysolutions

Copyright IBM Corporation 2016. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind, express or implied. Any statement of direction represents IBM's current intent, is subject to change or withdrawal, and represents only goals and objectives. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service marks of others.

Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed, misappropriated or misused or can result in damage to or misuse of your systems, including for use in attacks on others. No IT system or product should be considered completely secure and no single product, service or security measure can be completely effective in preventing improper use or access. IBM systems, products and services are designed to be part of a lawful, comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective. IBM does not warrant that any systems, products or services are immune from, or will make your enterprise immune from, the malicious or illegal conduct of any party.
