Innovations in data security
Total security intelligence with next generation SIEM from Q1 Labs / IBM Security division
Andris Soroka, 22.05.2012
Oct 19, 2014
Together with
“Data Security Solutions” brief intro
Specialization – IT Security
IT Security consulting (vulnerability assessment tests, security audit, new systems integration, HR training, technical support)
Innovative & selected software / hardware & hybrid solutions from leading technology vendors from over 10 different countries
Agenda
Introduction: threats, technology era, definitions
Business drivers for log management and SIEM (Security Information and Event Management)
Market analysis, critical capabilities of solutions
Selected Q1 Labs solutions for your review: SIM (log management), SEM (wider scope), SIEM
Some basic facts about cybercrime
Global figures on cybercrime
2011: 431 million people affected, with more than 114 million USD in direct losses and another 274 million USD in losses related to the direct loss
(Source: Symantec, Dec 2011)
Cybercrime costs the world significantly more than the global black market in marijuana, cocaine and heroin combined ($228 million worldwide)
The year 2011: the year of targeted attacks!
[Chart from the IBM Security X-Force 2011 Midyear Trend and Risk Report (September 2011): 2011 breaches plotted from February to August by attack type (SQL injection, URL tampering, spear phishing, 3rd-party software, DDoS, SecurID, unknown). Organizations shown include Sony, Epsilon, L3 Communications, Sony BMG, Greece, US Senate, NATO, AZ Police, Turkish Government, SK Communications, Korea, Monsanto, RSA, HB Gary, Nintendo, Brazil Gov., Lockheed Martin, Vanguard Defense, Booz Allen Hamilton, PBS, SOCA, Malaysian Gov. site, Peru Special Police, Gmail accounts, Spanish Nat. Police, Citigroup, Sega, Fox News X-Factor, Italy PM site, IMF, Northrop Grumman, Bethesda Software. Size of circle estimates relative impact of breach.]
Gadgets, gadgets, gadgets
Cloud computing
Big data management
Security as a Service
Mobility
IaaS / PaaS / SaaS
VoIP
Cybercrime in the 21st century!
Security today:
Financially motivated: bank accounts, identity theft, insiders, intellectual property theft
"Hacktivists": denial of service, reputation damage, customer data
Defenses in the 21st century
Around 1500 IT security vendors, covering:
Endpoint security: platforms and point solutions
Data security: DLP suites and point solutions
Network security: gateway solutions; NAC, visibility, NBA
Authentication, authorization etc.
Traditional and next generation's
Identity protection
Virtualization and cloud security
IT security governance
Operational management & security
Mobile security
SIEM / SEM / SIM - Where to start from?
[Diagram: log sources (network, servers, databases, homegrown applications) feeding isolated log silos and tools ("LogSilo", "LogTool", "Log Jam") full of unanswered questions about the logs; the consumers shown are identity management, IT & network operations, operational security, and governance & compliance.]
Do you have one central solution for collecting ALL events (logs), correlating them and giving real-time, intelligent visibility?
Do you monitor the business processes instead of the network?
Do you monitor identities, applications, information and their context instead of just IP addresses, OSs and devices?
If not, you are vulnerable!!!
What is in your logs so far? 50%? Less?
User and system activity
Runaway application
Customer transaction
Email BCC
Failed logon
Security breach
File upload/download
Credit card data access
Information leak
Privileges assigned/changed
What logs: audit logs, transaction logs, intrusion logs, connection logs, system performance records, user activity logs, alerts and other messages from different systems
From where: firewalls / intrusion prevention, routers / switches, intrusion detection, servers, desktops, mainframes, business applications, databases, antivirus software, VPNs
There is no standard format or transport method for logs; more than 800 log file formats are in use.
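Because every source above speaks a different format, the first job of the SIM layer is normalization: parse each format and map it onto one event schema with a common category vocabulary, so that later correlation never has to know what a firewall CSV or a syslog line looks like. The following is an added example (not code from the presentation or from Q1 Labs) that normalizes three constructed log lines in three unrelated formats: a BSD syslog line, a hypothetical firewall CSV export and a hypothetical key=value application log. The field names, the category labels and the sample lines are all assumptions made for the example.

```python
import re
from datetime import datetime, timezone

# Constructed sample lines in three unrelated formats (not taken from any real system).
SAMPLE_LINES = [
    "Jan 12 10:15:03 web01 sshd[2231]: Failed password for invalid user admin from 203.0.113.7 port 51122 ssh2",
    "2024-01-12T10:15:04Z,fw-edge,DENY,198.51.100.9,10.0.0.5,443",
    "ts=2024-01-12T10:15:05Z app=billing user=jdoe action=login result=success src=10.0.0.22",
]

MONTHS = {m: i for i, m in enumerate(
    ["Jan", "Feb", "Mar", "Apr", "May", "Jun", "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"], start=1)}
SYSLOG_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<prog>[^\[: ]+)(?:\[\d+\])?: (?P<msg>.*)$")
KV_RE = re.compile(r"(\w+)=(\S+)")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def _iso(ts_text):
    """Parse an ISO-8601 timestamp with a trailing Z into a UTC datetime."""
    return datetime.fromisoformat(ts_text.replace("Z", "+00:00"))


def parse_syslog(line, year=2024):
    """BSD syslog carries no year, so the caller supplies it (assumption: 2024)."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    ts = datetime(year, MONTHS[m["mon"]], int(m["day"]),
                  *map(int, m["time"].split(":")), tzinfo=timezone.utc)
    msg = m["msg"]
    user = re.search(r"for (?:invalid user )?(\S+) from", msg)
    ips = IPV4_RE.findall(msg)
    if "Failed password" in msg:
        category = "auth_failure"
    elif msg.startswith("Accepted "):
        category = "auth_success"
    else:
        category = "other"
    return {"timestamp": ts.isoformat(), "source": m["host"], "category": category,
            "user": user.group(1) if user else None, "src_ip": ips[0] if ips else None}


def parse_firewall_csv(line):
    """Hypothetical firewall export: ts,device,action,src,dst,port."""
    fields = line.split(",")
    if len(fields) != 6 or not fields[0].endswith("Z"):
        return None
    ts, device, action, src, dst, port = fields
    return {"timestamp": _iso(ts).isoformat(), "source": device,
            "category": "network_deny" if action == "DENY" else "network_allow",
            "user": None, "src_ip": src, "dst_ip": dst, "dst_port": int(port)}


def parse_kv(line):
    """Hypothetical application log written as key=value pairs."""
    kv = dict(KV_RE.findall(line))
    if "ts" not in kv or "action" not in kv:
        return None
    if kv["action"] == "login":
        category = "auth_success" if kv.get("result") == "success" else "auth_failure"
    else:
        category = "other"
    return {"timestamp": _iso(kv["ts"]).isoformat(), "source": kv.get("app"),
            "category": category, "user": kv.get("user"), "src_ip": kv.get("src")}


PARSERS = (parse_syslog, parse_firewall_csv, parse_kv)


def normalize(line):
    """Try each parser in turn; lines in an unknown format are kept, not dropped."""
    for parser in PARSERS:
        event = parser(line)
        if event is not None:
            event["raw"] = line
            return event
    return {"timestamp": None, "source": None, "category": "unknown",
            "user": None, "src_ip": None, "raw": line}


if __name__ == "__main__":
    for event in map(normalize, SAMPLE_LINES):
        print(event["timestamp"], event["category"], event["user"], event["src_ip"])
```

Two design points matter for a collector: timestamps are rewritten to one unambiguous form (UTC ISO-8601) at ingest, and an unrecognised line is stored with category "unknown" and its raw text rather than discarded, which is what the "100% of all log data" requirement below demands.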
Business drivers that initiate LM / SIEM
EU directives: such as for data protection, critical infrastructure protection, cooperation
Industry standards and regulations: banks, insurance, health organizations etc.
NATO directives: security and military organizations, work related to NATO
IT security: ISO 2700X
Local laws and regulations: personal data protection, IT security policy
Introduction
Definitions of IT security solutions / technologies:
SEM: Security Event Management (correlation: relating events to each other for security benefit)
SIM: Security Information Management (log management, e.g. collecting the events of applications and operating systems)
SIEM: Security Information and Event Management
You cannot control what You cannot see!
Just log management... SIM
Process integration & information sharing
Collect: time-stamping and secure collection of 100% of all log data, 100% of the time, from any device, including network, storage, servers, applications!
Alert: alerts based on real-time log forensics according to policies, anomalies and incidents, delivered in any possible alerting way.
Store: as much as you want, as little as your compliance needs dictate. Automated, secure storage and archival of critical log data. Maintain chain of custody.
Report: should be easy to configure and report on. Should have easy-to-use templates and more than 10K custom reports. Packaged SOX, PCI reporting and more.
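"Maintain chain of custody" means that stored log data must be shown to be unaltered since collection. One common way to get that property is a hash chain: each stored entry's hash also covers the hash of the entry before it, so changing or removing any record breaks every link after it. The following is an added example (not code from the presentation or from any Q1 Labs product) that builds such a store over three constructed records, verifies it, and shows what two kinds of tampering do to verification. The record layout and the helper names are assumptions made for the example.

```python
import hashlib
import json

GENESIS = "0" * 64  # the "previous hash" of the very first entry


def entry_hash(prev_hash, record):
    """Hash of this record, bound to the hash of the entry before it."""
    payload = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + payload).encode("utf-8")).hexdigest()


class ChainedLogStore:
    """Append-only store in which every entry's hash covers its predecessor's hash."""

    def __init__(self):
        self.entries = []  # list of (record, hash)

    def append(self, record):
        prev = self.entries[-1][1] if self.entries else GENESIS
        h = entry_hash(prev, record)
        self.entries.append((record, h))
        return h

    def head(self):
        """Hash of the last entry: the value to anchor outside the store (sign or publish it)."""
        return self.entries[-1][1] if self.entries else GENESIS

    def verify(self, expected_head=None):
        """Return the index of the first entry that fails, or -1 if the chain is intact.

        If expected_head is given, a chain that is internally consistent but ends in a
        different head hash fails at index len(entries).
        """
        prev = GENESIS
        for i, (record, h) in enumerate(self.entries):
            if entry_hash(prev, record) != h:
                return i
            prev = h
        if expected_head is not None and prev != expected_head:
            return len(self.entries)
        return -1


# Constructed records, not from any real system.
SAMPLE_RECORDS = [
    {"ts": "2024-01-12T10:15:03Z", "host": "web01", "event": "auth_failure", "user": "admin"},
    {"ts": "2024-01-12T10:15:20Z", "host": "web01", "event": "auth_failure", "user": "root"},
    {"ts": "2024-01-12T10:16:40Z", "host": "web01", "event": "auth_success", "user": "backup"},
]


def build_store(records=SAMPLE_RECORDS):
    store = ChainedLogStore()
    for r in records:
        store.append(r)
    return store


def tamper_in_place(store, index, **changes):
    """Edit a stored record without touching its hash (naive tampering)."""
    record, h = store.entries[index]
    store.entries[index] = (dict(record, **changes), h)


def tamper_and_rehash(store, index, **changes):
    """Edit a record and recompute only that entry's hash (tampering that fixes its own link)."""
    record, _ = store.entries[index]
    prev = store.entries[index - 1][1] if index else GENESIS
    new_record = dict(record, **changes)
    store.entries[index] = (new_record, entry_hash(prev, new_record))


if __name__ == "__main__":
    store = build_store()
    anchored_head = store.head()          # imagine this signed or written to WORM media
    print("intact:", store.verify())      # -1
    tamper_and_rehash(store, 2, user="admin")
    print("internally consistent:", store.verify())                    # -1
    print("but not matching the anchor:", store.verify(anchored_head))  # 3
```

The last case is the important one: an attacker who can write to the store can recompute the whole chain, so the head hash must be anchored somewhere the attacker cannot reach (signed by the collector, or periodically copied to write-once storage). The chain proves integrity relative to that anchor, not by itself.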
Next generation definition requirements
Security Intelligence provides actionable and comprehensive insight for managing risks and threats from protection and detection through remediation.
Security Intelligence (noun): 1. the real-time collection, normalization, and analytics of the data generated by users, applications and infrastructure that impacts the IT security and risk posture of an enterprise
More about SIM / SEM / SIEM coverage
Scope of usage and quality control: SIEM is a must-have!
Log and context data collection (SIM)
Normalization and categorization (SIM)
Correlation (SEM)
Notification / alerting (SEM)
Prioritization (SEM)
Dashboards and visualization
Reporting and report delivery (SIM)
Security roles workflow
SIEM next generation solutions work at the level of:
File integrity monitoring
Database activity monitoring
Application monitoring
Identity monitoring
User activity monitoring
Plug & play functionality
Security intelligence ..
What was the attack?
Who was responsible?
How many targets involved?
Was it successful?
Where do I find them?
Are any of them vulnerable?
How valuable are they to the business?
Where is all the evidence?
Clear & concise delivery of the most relevant information …
Security intelligence from Q1 Labs / IBM
Q1 Labs (IBM Group company):– Innovative Security Intelligence software company– Largest independent SIEM vendor– Leader in Gartner 2011, 2010 and 2009 Magic
Quadrants
Award winning solutions:– Family of next-generation Risk Management, Log
Management, SIEM, security intelligence solutions
Executing, growing rapidly:– Thousands of customers worldwide– Five-year average revenue growth +70% – North America, EMEA and Asia Pacific
Consistent leadership
The new #1 in SIEM market – May 2012
Security intelligence
Predict risk
Detect insider fraud
Consolidate data silos
Exceed regulation mandates
Detect threats others miss
Security intelligence in action
Move from defense to offense mode!
Plug & play and automated intelligence
Monitor: auto-discovery of log sources, applications and assets; asset auto-grouping; centralized log management; automated configuration audits
Analyze: auto-tuning; auto-detect threats; thousands of pre-defined rules and role-based reports; easy-to-use event filtering; advanced security analytics
Act: asset-based prioritization; auto-update of threats; auto-response; directed remediation
One Console Security
Built on a single data architecture
Log Management: • Turnkey log management • SME to Enterprise • Upgradeable to enterprise SIEM
SIEM: • Integrated log, threat, risk & compliance management • Sophisticated event analytics • Asset profiling and flow analytics • Offense management and workflow
Risk Management: • Predictive threat modeling & simulation • Scalable configuration monitoring and audit • Advanced threat visualization and impact analysis
Network Activity & Anomaly Detection: • Network analytics • Behavior and anomaly detection • Fully integrated with SIEM
Network and Application Visibility: • Layer 7 application monitoring • Content capture • Physical and virtual environments
Q1 Labs SIEM & much more
Next-generation log management: • Turnkey log management • SME to Enterprise • Upgradeable to enterprise SIEM
Next-generation SIEM: • Integrated log, cyber threat, risk and compliance management • Scalable, automated, broad market • Network activity information
Stackable expansion: • Event processors, high availability • Network activity processors • Geographic distribution • Horizontal scale • Embedded, real-time database
Application & activity monitoring: • Layer 7 application monitoring • Content aware • Identity/user-based visibility of network and application activity • Provides visibility into physical and virtual
Next-generation risk management: • Predictive threat modeling & simulation • Automated compliance and policy verification • Scalable configuration monitoring & audit • Advanced threat visualization/impact analysis
Q1 in action: malware activity
Potential botnet detected? This is as far as traditional SIEM can go.
IRC on port 80? QFlow enables detection of a covert channel.
Irrefutable botnet communication: Layer 7 data contains botnet command and control instructions.
Q1 in action: user activity monitoring
Authentication failures: perhaps a user who forgot their password?
Brute force password attack: numerous failed login attempts against different user accounts.
Host compromised: all this followed by a successful login.
Automatically detected, no custom tuning required.
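This scenario is the classic stateful correlation rule of the SEM layer: a single failure is noise, many failures from one source against different accounts inside a short window is a brute force attempt, and a success from that same source while the attempt is still in progress is a probable compromise. The following is an added example (not code from the presentation or from Q1 Labs) implementing that rule over normalized events; the event tuple layout, thresholds and offense names are assumptions for the example, and the events are constructed, including the "forgot their password" case that must not fire.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta


def _t(text):
    return datetime.fromisoformat(text)


# Constructed normalized events: (timestamp, category, source IP, user name).
SAMPLE_EVENTS = [
    (_t("2024-01-12T10:15:00"), "auth_failure", "10.0.0.22", "jdoe"),
    (_t("2024-01-12T10:15:20"), "auth_success", "10.0.0.22", "jdoe"),    # mistyped once, then logged in
    (_t("2024-01-12T10:16:00"), "auth_failure", "203.0.113.7", "admin"),
    (_t("2024-01-12T10:16:05"), "auth_failure", "203.0.113.7", "root"),
    (_t("2024-01-12T10:16:10"), "auth_failure", "203.0.113.7", "oracle"),
    (_t("2024-01-12T10:16:15"), "auth_failure", "203.0.113.7", "backup"),
    (_t("2024-01-12T10:16:20"), "auth_failure", "203.0.113.7", "test"),
    (_t("2024-01-12T10:16:40"), "auth_success", "203.0.113.7", "backup"),
]


class BruteForceRule:
    """Sliding-window rule: many failures across distinct accounts, then a success."""

    def __init__(self, threshold=5, distinct_users=3, window=timedelta(minutes=2)):
        self.threshold = threshold          # failures needed inside the window
        self.distinct_users = distinct_users  # ... spread over at least this many accounts
        self.window = window
        self._failures = defaultdict(deque)  # src_ip -> deque of (timestamp, user)
        self._flagged = set()                # sources already reported as brute forcing

    def process(self, event):
        """Feed one event in time order; return an offense name or None."""
        ts, category, src_ip, user = event
        q = self._failures[src_ip]
        while q and ts - q[0][0] > self.window:   # expire failures outside the window
            q.popleft()
        if category == "auth_failure":
            q.append((ts, user))
            many = len(q) >= self.threshold
            spread = len({u for _, u in q}) >= self.distinct_users
            if many and spread and src_ip not in self._flagged:
                self._flagged.add(src_ip)
                return "Brute Force Password Attack"
            return None
        if category == "auth_success" and src_ip in self._flagged and q:
            # A success while the source still has recent failures on record.
            self._flagged.discard(src_ip)
            q.clear()
            return "Host Compromised"
        return None


def run(events, rule=None):
    """Run the rule over events and return (timestamp, source IP, offense) triples."""
    rule = rule or BruteForceRule()
    offenses = []
    for ev in sorted(events, key=lambda e: e[0]):
        name = rule.process(ev)
        if name:
            offenses.append((ev[0].isoformat(), ev[2], name))
    return offenses


if __name__ == "__main__":
    for ts, src, name in run(SAMPLE_EVENTS):
        print(ts, src, name)
```

The distinct-user condition is what separates a password-spraying source from one user retrying their own account, and pruning the window before evaluating each event is what lets the same object run unbounded over a live stream without growing state per source.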
Q1 in action: complex threat detection
Sounds nasty... but how do we know this? The evidence is a single click away.
Buffer overflow: exploit attempt seen by Snort
Network scan: detected by QFlow
Targeted host vulnerable: detected by Nessus
Total visibility: convergence of network, event and vulnerability data.
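The convergence described here is a join: an IDS alert becomes an offense worth a human's time when the flow data shows the same source scanned first, the vulnerability scan says the target is actually exposed to what the signature detected, and the asset inventory says the target matters. The following is an added example (not code from the presentation or from Q1 Labs) that performs that join and produces a ranked list with the evidence attached. All inputs are constructed, the signature and vulnerability identifiers are placeholders rather than real IDs, and the magnitude formula is an assumption chosen to make the effect of each data source visible.

```python
# Constructed IDS alerts; "sig" and "vuln_ref" are placeholders, not real signature or vulnerability IDs.
IDS_ALERTS = [
    {"sig": "EXAMPLE-SIG-1", "name": "buffer overflow attempt", "src": "203.0.113.7",
     "dst": "10.0.0.5", "severity": 3, "vuln_ref": "VULN-EXAMPLE-1"},
    {"sig": "EXAMPLE-SIG-1", "name": "buffer overflow attempt", "src": "203.0.113.7",
     "dst": "10.0.0.9", "severity": 3, "vuln_ref": "VULN-EXAMPLE-1"},
    {"sig": "EXAMPLE-SIG-2", "name": "web server probe", "src": "198.51.100.9",
     "dst": "10.0.0.9", "severity": 1, "vuln_ref": None},
]
# Vulnerability scanner output: host -> vulnerability references found on it (constructed).
SCAN_RESULTS = {"10.0.0.5": {"VULN-EXAMPLE-1", "VULN-EXAMPLE-2"}, "10.0.0.9": set()}
# Flow analysis findings per source address (constructed).
FLOW_FINDINGS = {"203.0.113.7": ["network scan of 10.0.0.0/24"]}
# Business value of each asset, 1 (low) to 10 (critical) (constructed).
ASSET_VALUE = {"10.0.0.5": 10, "10.0.0.9": 3}


def score_alert(alert, scans=SCAN_RESULTS, flows=FLOW_FINDINGS, assets=ASSET_VALUE):
    """Join one IDS alert with scan, flow and asset data into a prioritized offense."""
    vulnerable = (alert["vuln_ref"] is not None
                  and alert["vuln_ref"] in scans.get(alert["dst"], set()))
    recon = flows.get(alert["src"], [])
    value = assets.get(alert["dst"], 1)           # unknown assets count as low value
    magnitude = alert["severity"] * value         # how bad, times how much the target matters
    if vulnerable:
        magnitude *= 2                            # the attempt can actually succeed
    if recon:
        magnitude += 5                            # the source did reconnaissance first
    evidence = [f"IDS: {alert['name']} ({alert['sig']}) {alert['src']} -> {alert['dst']}"]
    if vulnerable:
        evidence.append(f"Scanner: {alert['dst']} is vulnerable to {alert['vuln_ref']}")
    evidence += [f"Flows: {alert['src']} {finding}" for finding in recon]
    return {"src": alert["src"], "dst": alert["dst"], "vulnerable": vulnerable,
            "magnitude": magnitude, "evidence": evidence}


def rank_offenses(alerts=IDS_ALERTS):
    """Highest magnitude first, so an analyst starts with the offense that matters most."""
    return sorted((score_alert(a) for a in alerts), key=lambda o: o["magnitude"], reverse=True)


if __name__ == "__main__":
    for offense in rank_offenses():
        print(offense["magnitude"], offense["src"], "->", offense["dst"])
        for line in offense["evidence"]:
            print("   ", line)
```

The two identical buffer overflow alerts end up far apart: the one against the critical, vulnerable host that was scanned beforehand ranks first with three pieces of evidence behind it, while the same signature against a patched, low-value host sinks towards the probe. That ranking, with the evidence list, is what "a single click away" refers to.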
Q1 in action: data loss prevention
Potential data loss? Who? What? Where?
Who? An internal user
What? Oracle data
Where? Gmail
IBM Security division's vision
Increased awareness and accuracy:
Prevent advanced threats with real-time intelligence correlation across security domains
Increase situational awareness by leveraging real-time feeds of X-Force Research and Global Threat Intelligence across IBM security products, such as QRadar SIEM and Network Security appliances
Conduct complete incident investigations with unified identity, database, network and endpoint activity monitoring and log management
Ease of management:
Simplify risk management and decision-making with automated reporting through a unified console
Enhance auditing and access capabilities by sharing identity context across multiple IBM security products
Build automated, customized application protection policies by feeding AppScan results into IBM Network Intrusion Prevention Systems
Reduced cost and complexity:
Deliver faster deployment, increased value and lower TCO by working with a single strategic partner
[Diagram: Security Intelligence spanning People, Data, Endpoint, Network and Applications]