© 2012 IBM Corporation
IBM Security Systems
Amplifying Security Intelligence
With Big Data and Advanced Analytics
Vijay Dheap, Global Product Manager, Master Inventor, Big Data Security Intelligence & Mobile Security
Welcome to a Not So Friendly Cyber World…
Biggest Bank Heist in History Nets $45 Million: all without setting foot in a bank…
Cyber Espionage via Social Networking Sites: target, US DOD officials
Hidden Malware Steals 3000 Confidential Documents – Japanese Ministry
Playing Defense…
Traditional Approach to Security Predicated on a Defensive Mindset
• Assumes explicit organizational perimeter
• Optimized for combating external threats
• Presumes standardization mitigates risk
• Dependent on general awareness of attack methodologies
• Requires monitoring and control of traffic flows
Layered defenses are essential for good security hygiene and for addressing traditional security threats…but attackers are adapting too
Origins of Security Intelligence
Business Change is Coming…If Not Already Here
Enterprises are Undergoing Dynamic Transformations
The Organization’s Cyber Perimeter is Being Blurred…It can no longer be assumed
Evolving Attack Tactics…Focus on Breaching Defenses
A Look at the Emerging Threat Landscape
Targeted, Persistent, Clandestine
Situational, Subversive, Unsanctioned
Focused, Well-Funded, Scalable
Topical, Disruptive, Public
Concealed, Motivated, Opportunistic
Incorporating a More Proactive Mindset to Enterprise Security
Two postures compared, from broad to targeted threats:

Detect, Analyze & Remediate (Targeted): think like an attacker, counter-intelligence mindset
• Protect high value assets
• Emphasize the data
• Harden targets and weakest links
• Use anomaly-based detection
• Baseline system behavior
• Consume threat feeds
• Collect everything
• Automate correlation and analytics
• Gather and preserve evidence

Audit, Patch & Block (Broad): think like a defender, defense-in-depth mindset
• Protect all assets
• Emphasize the perimeter
• Patch systems
• Use signature-based detection
• Scan endpoints for malware
• Read the latest news
• Collect logs
• Conduct manual interviews
• Shut down systems
Greater Need for Security Intelligence…
Visibility across organizational security systems to improve response times and incorporate adaptability/flexibility required for early detection of threats or risky behaviors
Diversity & Sophistication of Attacks Placing Greater Demands…
1. Analyze a variety of non-traditional and unstructured datasets
2. Significantly increase the volume of data stored for forensics and historic analysis
3. Visualize and query data in new ways
4. Integrate with my current operations
Amplify Security Intelligence with New Insights from Big Data
Figure: data sources feeding security intelligence. Traditional Security Operations and Technology draws on logs, events, alerts, configuration information, system audit trails, external threat intelligence feeds, network flows and anomalies, and identity context; Big Data Analytics extends this to web page text, full packet and DNS captures, e-mail and social activity, business process data, and customer transactions.
Big Data Brings New Considerations & Empowers Powerful Analysis
Storage and Processing
• Collection and integration
• Size and speed
• Enrichment and correlation
Analytics and Workflow
• Visualization
• Unstructured analysis
• Learning and prediction
• Customization
• Sharing and export
Transforming Data to Insights Requires Some Infrastructure Considerations
Use Cases
Security Intelligence From Real-time Processing of Big Data
Behavior monitoring and flow analytics; activity and data access monitoring; stealthy malware detection
• Irrefutable Botnet Communication: Layer 7 flow data shows botnet command and control instructions
• Improved Breach Detection: 360-degree visibility helps distinguish true breaches from benign activity, in real-time
• Network Traffic Doesn't Lie: attackers can stop logging and erase their tracks, but can't cut off the network (flow data)
Security Intelligence with Investigative Analysis of Big Data:
Hunting for External Command & Control (C&C) Domains of an Attacker
Advanced analytics identify suspicious domains
• Why only a few hits across the entire organization to these domains?
• Correlating to public DNS registry information increases suspicions
Steps: historical analysis of DNS activity within the organization; automate correlation against external DNS registries
Enrich Real-Time Analysis with Insights from Investigative Analysis
Monitor & Thwart Connections to Potential C&C Domains of an Attacker
Steps: correlate against network activity and visualize; view real-time data and look for active connections
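A worked sketch of the two use cases above, the historical C&C hunt on the preceding slide (rare domains across the organization, correlated with registry creation dates) and the real-time step on this one (matching live flows against the resulting domain watchlist). It is an added example, not IBM or QRadar code. The DNS history, flow records and registry dates are constructed; the thresholds (at most two querying hosts, registered within 90 days) are assumed values a team would tune to its own environment.

```python
from collections import defaultdict
from datetime import date

# Constructed DNS history: (client_ip, queried_name, resolved_ip). In practice this
# comes from resolver logs or passive DNS capture collected over weeks or months.
DNS_LOG = [
    ("10.0.1.5", "mail.example-corp.com", "203.0.113.10"),
    ("10.0.1.6", "mail.example-corp.com", "203.0.113.10"),
    ("10.0.1.7", "mail.example-corp.com", "203.0.113.10"),
    ("10.0.2.9", "api.cloud-vendor.net", "192.0.2.20"),
    ("10.0.2.9", "upd4te-svc.biz", "198.51.100.7"),
    ("10.0.2.9", "upd4te-svc.biz", "198.51.100.7"),
    ("10.0.3.14", "cdn-stat1c.info", "198.51.100.8"),
    ("10.0.3.15", "cdn-stat1c.info", "198.51.100.8"),
]

# Constructed stand-in for public registry (WHOIS) data: domain -> creation date.
REGISTRY = {
    "example-corp.com": date(2001, 3, 12),
    "cloud-vendor.net": date(2008, 5, 1),
    "upd4te-svc.biz": date(2012, 9, 30),
    "cdn-stat1c.info": date(2012, 10, 2),
}

# Constructed live flow records: (src_ip, dst_ip, dst_port, bytes).
FLOWS = [
    ("10.0.2.9", "198.51.100.7", 443, 1820),
    ("10.0.1.5", "203.0.113.10", 25, 50000),
    ("10.0.3.15", "198.51.100.8", 80, 612),
    ("10.0.4.2", "192.0.2.44", 443, 900),
]

# Assumed "now" for the age calculation, so the example is reproducible.
TODAY = date(2012, 11, 1)


def registrable_domain(name):
    """Collapse a queried name to its last two labels (adequate for the sample;
    a production version would consult the Public Suffix List)."""
    return ".".join(name.lower().rstrip(".").split(".")[-2:])


def rare_domains(dns_log, max_clients=2):
    """Domains resolved by at most max_clients distinct hosts: the 'only a few
    hits across the entire organization' signal. Returns domain -> host count."""
    clients = defaultdict(set)
    for client, name, _ in dns_log:
        clients[registrable_domain(name)].add(client)
    return {d: len(c) for d, c in clients.items() if len(c) <= max_clients}


def recently_registered(domains, registry, today, max_age_days=90):
    """Correlate with registry data: keep domains created within max_age_days.
    Domains absent from the registry feed are dropped rather than guessed."""
    young = {}
    for d in domains:
        created = registry.get(d)
        if created is not None and (today - created).days <= max_age_days:
            young[d] = (today - created).days
    return young


def suspect_domains(dns_log, registry, today):
    """Historical hunt: rarely queried AND recently registered."""
    return sorted(recently_registered(rare_domains(dns_log), registry, today))


def active_connections(flows, dns_log, suspects):
    """Real-time side: map suspects to the IPs they resolved to in DNS history,
    then match live flows. Returns (src_ip, domain, dst_ip, dst_port, bytes)."""
    ip_to_domain = {}
    for _, name, ip in dns_log:
        d = registrable_domain(name)
        if d in suspects:
            ip_to_domain[ip] = d
    return [(src, ip_to_domain[dst], dst, port, nbytes)
            for src, dst, port, nbytes in flows if dst in ip_to_domain]


if __name__ == "__main__":
    suspects = suspect_domains(DNS_LOG, REGISTRY, TODAY)
    print("suspect C&C domains:", suspects)
    for hit in active_connections(FLOWS, DNS_LOG, set(suspects)):
        print("active connection:", hit)
```

The rare-domain filter alone flags legitimate but seldom-used services (here api.cloud-vendor.net); correlating with registration age removes it while keeping the two look-alike domains, which is the point the slide makes about registry correlation raising suspicion. Matching flows by destination IP rather than by name is what lets the watch continue after the attacker has stopped logging on the host.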
Security Intelligence with Investigative Analysis of Big Data:
Pursue Active Spear-Phishing Campaigns Targeting the Organization
• Employ Big Data Analytics on e-mail to identify campaign patterns, the recipients being targeted and the redirect URLs in use
• Build visualizations, such as heat maps, to view the top targets of a spear-phishing attack
• Load spear-phishing targets and redirect URLs into real-time security intelligence analysis to thwart the attack
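The three steps above carried through on a handful of constructed messages, as an added example rather than IBM code: links are pulled from mail bodies, messages whose links share an untrusted host and reach several recipients are grouped into a campaign, the targets are counted per department (the data behind a heat map), and the recipients, lure URLs and redirect destinations are emitted as a watchlist for real-time monitoring. The messages, the trusted-host list and the redirect parameter names are assumptions of the example.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import parse_qs, urlsplit

# Constructed messages (not real mail): recipient, department, sender, subject, body.
MESSAGES = [
    {"to": "alice@example-corp.com", "dept": "Finance", "from": "payroll@hr-example-corp.com",
     "subject": "Action required: W-2 update",
     "body": "Review at http://hr-portal-update.info/r?u=http://203.0.113.77/login"},
    {"to": "bob@example-corp.com", "dept": "Finance", "from": "payroll@hr-example-corp.com",
     "subject": "Action required: W-2 update",
     "body": "Review at http://hr-portal-update.info/r?u=http://203.0.113.77/login"},
    {"to": "carol@example-corp.com", "dept": "Executive", "from": "ceo-office@hr-example-corp.com",
     "subject": "Urgent: W-2 update",
     "body": "Please confirm today http://hr-portal-update.info/r?u=http://203.0.113.77/login"},
    {"to": "dave@example-corp.com", "dept": "Engineering", "from": "newsletter@example-corp.com",
     "subject": "This week", "body": "Read more https://intranet.example-corp.com/news/42"},
    {"to": "erin@example-corp.com", "dept": "Finance", "from": "newsletter@example-corp.com",
     "subject": "This week", "body": "Read more https://intranet.example-corp.com/news/42"},
    {"to": "frank@example-corp.com", "dept": "Engineering", "from": "ar@partner-example.com",
     "subject": "Invoice 991", "body": "See https://billing.partner-example.com/inv/991"},
]

# Assumed: hosts whose links are expected in bulk mail; anything else is a candidate.
TRUSTED_HOSTS = {"intranet.example-corp.com"}

URL_RE = re.compile(r"https?://[^\s<>\"']+")
# Assumed query parameter names that open-redirect style lures commonly use.
REDIRECT_PARAMS = ("u", "url", "redirect", "target", "next")


def extract_urls(body):
    return URL_RE.findall(body)


def link_host(url):
    return (urlsplit(url).hostname or "").lower()


def redirect_target(url):
    """If the link forwards elsewhere via a query parameter (?u=http://...),
    return the destination host; otherwise None."""
    qs = parse_qs(urlsplit(url).query)
    for p in REDIRECT_PARAMS:
        if p in qs:
            dest = urlsplit(qs[p][0]).hostname
            if dest:
                return dest.lower()
    return None


def campaigns(messages, trusted_hosts=TRUSTED_HOSTS, min_recipients=2):
    """Group mail by link host; a campaign is one untrusted host reaching at
    least min_recipients distinct recipients. Returns host -> [(message, url)]."""
    by_host = defaultdict(list)
    for m in messages:
        for url in extract_urls(m["body"]):
            host = link_host(url)
            if host and host not in trusted_hosts:
                by_host[host].append((m, url))
    return {h: hits for h, hits in by_host.items()
            if len({m["to"] for m, _ in hits}) >= min_recipients}


def heat_map(hits):
    """Targets per department for one campaign: the numbers a heat map plots."""
    return dict(Counter(m["dept"] for m, _ in hits))


def watchlist(found):
    """Indicators to feed real-time analysis: targeted accounts, the lure URLs,
    and the hosts the redirects land on."""
    recipients, urls, redirect_hosts = set(), set(), set()
    for hits in found.values():
        for m, url in hits:
            recipients.add(m["to"])
            urls.add(url)
            dest = redirect_target(url)
            if dest:
                redirect_hosts.add(dest)
    return {"recipients": recipients, "urls": urls, "redirect_hosts": redirect_hosts}


if __name__ == "__main__":
    found = campaigns(MESSAGES)
    for host, hits in found.items():
        print(host, "targets by department:", heat_map(hits))
    print("watchlist:", watchlist(found))
```

Grouping on the link host rather than on sender or subject is deliberate: the sample campaign uses two sender addresses and two subject lines but one lure host, which is the pattern that survives the attacker's per-recipient tailoring. The redirect destination (203.0.113.77 here) is the indicator worth blocking at the proxy, since the lure host can be rotated cheaply.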
IBM Security Intelligence Solution with Big Data
IBM QRadar Big Data Capabilities and Customer Results (input: high-volume security events and network activity; output: high-priority security offenses)
• New SIEM appliances with massive scale: quickly find critical insights among 1000s of devices and years of data
• Payload indexing for rapid ad hoc query leveraging a purpose-built data store: search 7M+ events in <0.2 sec
• Google-like Instant Search of large data sets (both logs and flows): instant, free-text searching for easier and faster forensics
• Intelligent data policy management: granular management of log and flow data
• Advanced Threat Visualization and Impact Analysis: attack path visualization and device / interface mapping
QRadar uses Big Data capabilities to identify critical security events
Extending the Big Data Support of QRadar
Figure: traditional and non-traditional data sources are ingested by both platforms, and insights flow between them for Advanced Threat Detection.
• IBM Security QRadar (Security Intelligence Platform): data collection and enrichment; event correlation; real-time analytics; offense prioritization
• IBM InfoSphere BigInsights (Big Data Platform): Hadoop-based; enterprise-grade; any data / volume; data mining; ad hoc analytics; custom analytics
Integrated analytics and exploration in a new architecture
InfoSphere BigInsights - flexible, enterprise-class solution for processing large volumes of data
Editions, in order of increasing enterprise value:
• Core Hadoop
• BigInsights Basic Edition: free download with web support; limited to <= 10 TB of data (optional: 24x7 paid support, fixed term license)
• BigInsights Enterprise Edition: enterprise-grade features; tiered terabyte-based pricing; easy installation and programming; analytics tooling / visualization; recoverability; security; administration tooling; development tooling; flexible storage; high availability
• Professional Services Offerings: QuickStart, Bootcamp, Education, Custom Development
For IBM, Security and Business Intelligence offer insightful parallels
Find out more about Security Intelligence with Big Data
• Visit the website
• Watch the video
• Read the white paper
• Develop a richer understanding of big data
  – Understanding Big Data eBook
  – Harness the Power of Big Data eBook
• Download some collateral
  – Security Intelligence white paper
  – QRadar SIEM data sheet
  – InfoSphere BigInsights data sheet
ibm.com/security
© Copyright IBM Corporation 2012. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind, express or implied. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, these materials. Nothing contained in these materials is intended to, nor shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software. References in these materials to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates. Product release dates and/or capabilities referenced in these materials may change at any time at IBM’s sole discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any way. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service marks of others.
Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed or misappropriated or can result in damage to or misuse of your systems, including to attack others. No IT system or product should be considered completely secure and no single product or security measure can be completely effective in preventing improper access. IBM systems and products are designed to be part of a comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective. IBM DOES NOT WARRANT THAT SYSTEMS AND PRODUCTS ARE IMMUNE FROM THE MALICIOUS OR ILLEGAL CONDUCT OF ANY PARTY.