Defining Security Intelligence for the Enterprise: What Today’s CISOs Need to Know
Chris Poulin, Industry Security Systems Strategist, IBM Institute for Advanced Security
Sep 14, 2014
© 2012 IBM Institute for Advanced Security
You will get hacked, but…
CISOs know it’s not if, it’s when they get hacked; yet there is still a gap in the ability to detect a breach.
Breaches are taking longer to discover
Breaches are not being discovered internally
Charts from Verizon 2011 Investigative Response Caseload Review
92% of Breaches Are Undetected by Breached Organization
Source: 2012 Data Breach Investigations Report
SQL Injection Still #1
Sophistication of cyber threats, attackers and motives is rapidly escalating
Motive (chart axis, from highest to lowest): National Security; Monetary Gain; Espionage, Political Activism; Revenge; Curiosity
Adversary, from the 1st Decade of the Commercial Internet (1995 – 2005) to the 2nd Decade of the Commercial Internet (2005 – 2015):
• Script-kiddies or hackers using tools, web-based “how-to’s”
• Insiders, using inside information
• Organized Crime, using sophisticated tools
• Competitors, Hacktivists
• Nation-state Actors; Targeted Attacks / Advanced Persistent Threat
Solving a security issue is a complex, four-dimensional puzzle
• People: Employees, Consultants, Hackers, Terrorists, Outsourcers, Customers, Suppliers
• Data: Structured, Unstructured, At rest, In motion
• Applications: Systems applications, Web applications, Web 2.0, Mobile apps
• Infrastructure
It is no longer enough to protect the perimeter – siloed point products will not secure the enterprise
Choose the Right Technology
Protection technology is critical, but choose wisely
There is no magic security technology
People and Processes First
A lesson from airport security:
Instead of expensive equipment, use what works
In Israel
• No plane departing Ben Gurion Airport has ever been hijacked
• Use human intelligence
• “Questioning” looks for suspicious behavior
• Simple metal detectors
Scotland Yard
• 24+ men planned to smuggle explosive liquids
• Foiled beforehand because of intelligence
• Before they even got to the airport
What is Security Intelligence?
Security Intelligence
noun
1. the real-time collection, normalization, and analytics of the data generated by users, applications and infrastructure that impacts the IT security and risk posture of an enterprise
Security Intelligence provides actionable and comprehensive insight for managing risks and threats from protection and detection through remediation
What Gartner is Saying About the Need for Context
“The rapid discovery of a breach is key to minimizing the damage of a targeted attack, but most organizations do not have adequate breach detection capabilities.”
“Since perfect defenses are not practical or achievable, organizations need to augment vulnerability management and shielding with more-effective monitoring.”
“The addition of context, such as user, application, asset, data and threat, to security event monitoring will increase the likelihood of early discovery of a targeted attack.”
“We need to get better at discovering the changes in normal activity patterns that are the early signal of an attack or breach.”
Mark Nicolett, Managing VP, Gartner Security, Risk & Compliance
#1-3 from “Effective Security Monitoring Requires Context,” Gartner, 16 January 2012, G00227893
#4 from “Using SIEM for Targeted Attack Detection,” Gartner, 20 March 2012, G00227898
Context and correlation
Deep visibility into users, data, applications, and assets
Sources + Intelligence = Most Accurate & Actionable Insight
Solving complex problems that point solutions cannot
• Improving threat detection: Discovered 500 hosts with “Here You Have” virus, which all other security products missed
• Consolidating data silos: 2 billion logs and events per day reduced to 25 high priority offenses
• Predicting risks against your business: Automating the policy monitoring and evaluation process for configuration changes in the infrastructure
• Addressing regulatory mandates: Real-time monitoring of all network activity, in addition to PCI mandates
How Security Intelligence Can Help
Continuously monitor all activity & correlate in real-time
Gain visibility into unauthorized or anomalous activities
– Server (or thermostat) communicating with IP address in China.
– Unusual Windows service -- backdoor or spyware program
– Query by DBA to credit card tables during off-hours – possible SQL injection attack
– Spike in network activity -- high download volume from SharePoint server
– High number of failed logins to critical servers -- brute-force password attack
– Configuration change -- unauthorized port being enabled for exfiltration
– Inappropriate use of protocols -- sensitive data being exfiltrated via P2P
Why Should a CISO Care?
Detect suspicious behavior
– Privileged actions being conducted from a contractor’s workstation
– DNS communications with external system flagged as C&C
Detect policy violations
– Baseline against reality (CMDB)
– Social media, P2P, etc
Detect APTs
– File accesses out of the norm—behavior anomaly detection
– Least used applications or external systems; occasional traffic
Detect fraud
– Baseline credit pulls or trading volumes and detect anomalies
– Correlate eBanking PIN change with large money transfers
Forensic evidence for prosecution
Impact analysis
Compliance
– Change & configuration management
Metrics
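One way the correlation rules listed on the two preceding slides (a query to a credit card table during off-hours, repeated failed logins to a critical server, and an eBanking PIN change followed by a large transfer) can be expressed over an event stream. This is an added example, not code from the deck or from QRadar; the host names, table names, thresholds and the events themselves are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

CRITICAL_HOSTS = {"dc01"}        # assumed critical servers (constructed for this example)
SENSITIVE_TABLES = {"cc_cards"}  # assumed credit card tables (constructed)
BUSINESS_HOURS = range(8, 18)    # queries outside 08:00-17:59 count as off-hours

# Constructed sample events, not from the deck: (timestamp, actor, target, kind, detail)
EVENTS = [
    ("2012-03-01T02:10:00", "dba_jane", "db01", "db_query", "SELECT pan FROM cc_cards"),
    ("2012-03-01T14:00:00", "dba_jane", "db01", "db_query", "SELECT pan FROM cc_cards"),
    ("2012-03-01T10:00:00", "user42", "ebank", "pin_change", ""),
    ("2012-03-01T10:20:00", "user42", "ebank", "transfer", "25000"),
    ("2012-03-01T11:00:00", "user77", "ebank", "transfer", "30000"),
] + [("2012-03-01T09:00:%02d" % i, "10.2.2.2", "dc01", "login_fail", "") for i in range(6)]


def correlate(events, fail_threshold=5, fail_window=timedelta(seconds=60),
              transfer_limit=10000, pin_window=timedelta(minutes=30)):
    """Run three SIEM-style rules over a time-ordered stream; return offense strings."""
    offenses = []
    fails = defaultdict(list)  # (source, target) -> recent failed-login timestamps
    last_pin = {}              # user -> time of the most recent PIN change
    for ts_str, actor, target, kind, detail in sorted(events):  # ISO timestamps sort chronologically
        ts = datetime.fromisoformat(ts_str)
        if kind == "db_query":
            # Rule 1: any query touching a sensitive table outside business hours
            tables = set(re.findall(r"\bFROM\s+(\w+)", detail, re.I))
            if tables & SENSITIVE_TABLES and ts.hour not in BUSINESS_HOURS:
                offenses.append(f"off_hours_sensitive_query {actor}->{target}")
        elif kind == "login_fail" and target in CRITICAL_HOSTS:
            # Rule 2: sliding window of failures per (source, critical host)
            recent = [t for t in fails[(actor, target)] if ts - t <= fail_window] + [ts]
            fails[(actor, target)] = recent
            if len(recent) == fail_threshold:  # fire once, when the threshold is crossed
                offenses.append(f"brute_force {actor}->{target}")
        elif kind == "pin_change":
            last_pin[actor] = ts
        elif kind == "transfer" and int(detail) > transfer_limit:
            # Rule 3: large transfer shortly after a PIN change by the same user
            pin_ts = last_pin.get(actor)
            if pin_ts is not None and ts - pin_ts <= pin_window:
                offenses.append(f"pin_change_then_large_transfer {actor}")
    return offenses


if __name__ == "__main__":
    print("\n".join(correlate(EVENTS)))
```

The 14:00 query and user77's transfer produce no offense, which is the point of correlating on context (time of day, preceding PIN change) rather than alerting on every sensitive query or large transfer.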
Network Activity for Total Visibility
• Attackers can stop logging and erase their tracks, but can’t cut off the network (flow data)
• Helps detect day-zero attacks that have no signature
• Provides definitive evidence of attack
• Enables visibility into all attacker communications
• Passively builds up asset profiles—and keeps them up to date
Application Detection & Forensic Evidence
IRC on port 80? QFlow enables detection of a covert channel.
Botnet Detected? This is as far as traditional SIEM can go.
Irrefutable Layer 7 data contains botnet command and control instructions.
Data Leakage
Alert on data patterns, such as credit card number, in real time.
Who is responsible for the data leak?
Insider Fraud Potential Data Loss?
Who? What? Where?
Who? An internal user
What? Oracle data
Where? Gmail
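An added example of the real-time data-pattern alert and the who / what / where view described on the Data Leakage and Insider Fraud slides: scan a reassembled payload for Luhn-valid card numbers and attribute each hit to a user and destination application. This is not the deck's or QRadar's code; the flow records, user, application and card numbers (standard test numbers) are constructed.

```python
import re

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or dashes
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits):
    """Luhn check: drops order numbers and other digit runs that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text):
    """Return Luhn-valid card numbers found in text, masked to the first 6 and last 4 digits."""
    hits = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            hits.append(digits[:6] + "*" * (len(digits) - 10) + digits[-4:])
    return hits


# Constructed flow records, not from the deck: user, destination app, reassembled Layer 7 payload
FLOWS = [
    {"user": "jsmith", "app": "gmail",
     "payload": "export: 4111 1111 1111 1111, 5500-0000-0000-0004 order 1234567890123"},
    {"user": "jsmith", "app": "gmail", "payload": "lunch at 12?"},
]


def data_leak_offenses(flows):
    """Answer who / what / where for every flow whose payload carries card data."""
    offenses = []
    for flow in flows:
        pans = find_pans(flow["payload"])
        if pans:
            offenses.append({"who": flow["user"], "where": flow["app"],
                             "what": f"{len(pans)} card number(s)", "pans": pans})
    return offenses


if __name__ == "__main__":
    print(data_leak_offenses(FLOWS))
```

The 13-digit order number is matched by the pattern but rejected by the Luhn check, which is what keeps a pattern-based alert from firing on every long number in outbound mail.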
User Behavior Monitoring & APTs
User & Application Activity Monitoring alerts to a user anomaly for Oracle database access.
Identify the user, normal access behavior and the anomaly behavior with all source and destination information for quickly resolving the persistent threat.
Configuration & Risk
Network topology and open paths of attack add context
Rules can take exposure into account to:
• Prioritize offenses and remediation
• Enforce policies
• Play out what-if scenarios
Real-Time Activity for Prioritized Response
Network monitoring + configuration management = deeper level of forensics & accurate impact analysis
Integration: Increasing Security, Collapsing Silos, and Reducing Complexity
Increased Awareness and Accuracy
• Prevent advanced threats with real-time intelligence correlation across security domains
• Increase situational awareness by leveraging real-time feeds of X-Force Research and Global Threat Intelligence across IBM security products, such as QRadar Security Intelligence Platform and Network Security appliances
• Conduct complete incident investigations with unified identity, database, network and endpoint activity monitoring and log management
Ease of Management
• Simplify risk management and decision-making with automated reporting through a unified console
• Enhance auditing and access capabilities by sharing identity context across multiple IBM security products
• Build automated, customized application protection policies by feeding AppScan results into IBM Network Intrusion Prevention Systems
Reduced Cost and Complexity
• Deliver faster deployment, increased value and lower TCO by working with a single strategic partner
Security Intelligence Timeline
Prediction & Prevention
Risk Management. Vulnerability Management.
Configuration Monitoring. Patch Management.
X-Force Research and Threat Intelligence.
Compliance Management. Reporting and Scorecards.
Reaction & Remediation
SIEM. Log Management. Incident Response.
Network and Host Intrusion Prevention.
Network Anomaly Detection. Packet Forensics.
Database Activity Monitoring. Data Loss Prevention.
In 1996 Gartner Group said…
“Making business decisions based on accurate and current information takes more than intuition. Data analysis, reporting and query tools can help business users wade through a sea of data to synthesize valuable information from it. Today these tools collectively fall into a category called ‘Business Intelligence’.”
In 1958 IBM …
…researcher Hans Peter Luhn used the term business intelligence. He defined business intelligence as:
"the ability to apprehend the interrelationships of presented facts in such a way as to guide action towards a desired goal."
Security and Business Intelligence Parallels
[Chart: two product timelines plotted against Market Changes (vertical axis) over Time (horizontal axis); chart labels: IBM Security Intelligence, IBM Business Intelligence, DASCOM]
• IBM Security Intelligence: Managed Security Services; Mainframe and Server Security - RACF; SOA Security; Network Intrusion Prevention; Database Monitoring; Identity and Access Management; Application Security; Security as a Service; Compliance Management; Security Intelligence
• IBM Business Intelligence: Enterprise Reporting; Performance Management; Business Intelligence Suite; IOD Business Optimization; BI Convergence with Collaboration; Text & Social Media Analytics; Simplified Delivery (i.e., Cloud); Predictive Analytics; Decision Management