Innovations in data security: Total security intelligence with next generation SIEM from Q1 Labs / IBM Security division. Andris Soroka, 22.05.2012. Together with

34 slides

Next generation SIEM 2012 (global #1 Q1Labs)

Oct 19, 2014


Data Security Solutions gave a presentation on the technology newly ranked #1 worldwide by Gartner in the SIEM market at headtechnology Baltics' annual IT Security conference "Headlight2012" (22nd of May, Riga, Latvia), covering innovations in the IT Security market.
Transcript
Page 1

Innovations in data security

Total security intelligence with next generation SIEM from Q1 Labs / IBM Security division

Andris Soroka, 22.05.2012

Together with

Page 2

“Data Security Solutions” brief intro

Specialization – IT Security

IT Security consulting (vulnerability assessment tests, security audit, new systems integration, HR training, technical support)

Innovative & selected software / hardware & hybrid solutions from leading technology vendors from over 10 different countries

Page 3

Agenda

Introduction - threats, technology era, definitions

Business drivers for log management and SIEM (Security Information and Event Management)

Market analysis, critical capabilities of solutions

Selected Q1 Labs solutions for Your review:
– SIM (log management)
– SEM (wider scope)
– SIEM

Page 4

Some basic facts about cybercrime

Global figures - cybercrime

2011 – 431 million people affected, with more than 114 million USD directly and another 274 million USD related to direct loss

(Source: Symantec, Dec 2011)

Cybercrime costs the world significantly more than the global black market of marijuana, cocaine and heroin combined ($228 million worldwide)

Page 5

Year of 2011 – year of targeted attacks!

[Figure: timeline of 2011 breaches, February to August, from the IBM Security X-Force® 2011 Midyear Trend and Risk Report (September 2011). Legend of attack types: SQL injection, URL tampering, spear phishing, 3rd party SW, DDoS, Secure ID, unknown. Breached organizations plotted include Sony, Epsilon, L3 Communications, Sony BMG, RSA, Lockheed Martin, Citigroup, IMF, Northrop Grumman, Sega, Nintendo, PBS, Booz Allen Hamilton, US Senate, NATO and various government and police sites. Size of circle estimates relative impact of breach.]

Page 6

Gadgets, gadgets, gadgets

Page 8

Cybercrime in 21st Century!

Security today -

– Financially motivated
– Bank accounts
– Identity theft
– Insiders
– Intellectual property theft
– “Hacktivists”
– Denial of service
– Reputation damage
– Customer data

Page 9

Defenses in 21st Century

Around 1500 IT Security vendors for:

– Endpoint Security: platforms and point solutions
– Data Security: DLP suites and point solutions
– Network Security: gateway solutions; NAC, visibility, NBA; authentication, authorization etc.; traditional and next generation’s
– Identity protection
– Virtualization and cloud security
– IT Security governance
– Operational management & security
– Mobile Security

Page 10

SIEM / SEM / SIM - Where to start from?

[Figure: log sources (network, servers, databases, homegrown applications) feeding scattered, unanswered “LOGS??” silos (“Log Silo”, “Log Tool”, “Log Jam”) that are consumed separately by Identity Management, IT & Network Operations, Operational Security, and Governance & Compliance.]

Do You have one central solution for collecting ALL events (logs), correlating them and having real-time intelligent visibility?

Do You monitor the business processes instead of the network?

Do You monitor identities, applications, information and their context instead of just IP addresses, OS’s and devices?

If not – You are vulnerable!!!

Page 11

What is in Your logs so far..? 50%? Less..?

User and System Activity:
– Runaway application
– Customer transaction
– Email BCC
– Failed logon
– Security breach
– File up/download
– Credit card data access
– Information leak
– Privileges assigned/changed

Page 12

What is in Your logs so far..? 50%? Less..?

What logs –
– Audit logs
– Transaction logs
– Intrusion logs
– Connection logs
– System performance records
– User activity logs
– Different systems alerts and other system messages

From where –
– Firewalls / intrusion prevention
– Routers / switches
– Intrusion detection
– Servers, desktops, mainframes
– Business applications
– Databases
– Antivirus software
– VPNs

There is no standard format or transport method for logs; more than 800 log file formats are in use..

Page 13

Business drivers that initiate LM / SIEM

EU directives
– Such as for data protection
– Critical infrastructure protection
– Cooperation

Industry standards and regulations
– Banks, insurance, health organizations etc.

NATO directives
– Security, military orgs
– Related to NATO work

IT Security ISO 2700X

Local laws and regulations
– Personal data protection
– IT Security policy

Page 14

Introduction

Definitions from IT Security solutions / technologies –
– SEM – Security Events Management (correlation – relating events together for security benefit)
– SIM – Security Information Management (log management – e.g. collecting the events of the applications and operating systems)
– SIEM – Security Information And Event Management

You cannot control what You cannot see!

Page 15

Just log management… SIM

Process Integration & Information Share

Collect: time-stamping and secure collection of 100% of all log data, 100% of the time, from any device, including network, storage, servers, applications!

Alert: alerts based on real-time log forensics according to policies, anomalies and incidents, through any possible alerting channel.

Store: as much as you want, as little as your compliance needs dictate. Automated, secure storage and archival of critical log data. Maintain chain of custody.

Report: should be easy to configure and report on, with easy-to-use templates and more than 10K custom reports. Packaged SOX, PCI reporting + more.

Page 16

Next generation definition requirements..

Security Intelligence provides actionable and comprehensive insight for managing risks and threats from protection and detection through remediation.

Security Intelligence -- noun 1. the real-time collection, normalization, and analytics of the data generated by users, applications and infrastructure that impacts the IT security and risk posture of an enterprise

Page 17

More about SIM / SEM / SIEM coverage

Scope of usage and quality control SIEM – A must to have!

– Log and context data collection (SIM)
– Normalization and categorization (SIM)
– Correlation (SEM)
– Notification / alerting (SEM)
– Prioritization (SEM)
– Dashboards and visualization
– Reporting and reports delivery (SIM)
– Security roles workflow

SIEM – next generation solutions work at the level of –
– File integrity monitoring
– Database activity monitoring
– Application monitoring
– Identity monitoring
– User activity monitoring
– Plug & Play functionality

Page 18

Security intelligence ..

What was the attack?

Who was responsible?

How many targets involved?

Was it successful?

Where do I find them?

Are any of them vulnerable?

How valuable are they to the business?

Where is all the evidence?

Clear & concise delivery of the most relevant information …

Page 19

Security intelligence from Q1 Labs / IBM

Q1 Labs (IBM Group company):
– Innovative Security Intelligence software company
– Largest independent SIEM vendor
– Leader in Gartner 2011, 2010 and 2009 Magic Quadrants

Award winning solutions:
– Family of next-generation Risk Management, Log Management, SIEM, security intelligence solutions

Executing, growing rapidly:
– Thousands of customers worldwide
– Five-year average revenue growth +70%
– North America, EMEA and Asia Pacific

Page 20

Consistent leadership

Page 21

The new #1 in SIEM market – May 2012

Page 22

Security intelligence

– Predict Risk
– Detect Insider Fraud
– Consolidate Data Silos
– Exceed Regulation Mandates
– Detect Threats Others Miss

Page 23

Security intelligence in action

Page 24

Move from defense to offense mode!

Page 25

Plug & Play and Automated Intelligence

Monitor:
– Auto-discovery of log sources, applications and assets
– Asset auto-grouping
– Centralized log mgmt.
– Automated configuration audits

Analyze:
– Auto-tuning
– Auto-detect threats
– Thousands of pre-defined rules and role based reports
– Easy-to-use event filtering
– Advanced security analytics

Act:
– Asset-based prioritization
– Auto-update of threats
– Auto-response
– Directed remediation

Page 26

One Console Security

Log Management
• Turnkey log management
• SME to Enterprise
• Upgradeable to enterprise SIEM

SIEM
• Integrated log, threat, risk & compliance mgmt.
• Sophisticated event analytics
• Asset profiling and flow analytics
• Offense management and workflow

Risk Management
• Predictive threat modeling & simulation
• Scalable configuration monitoring and audit
• Advanced threat visualization and impact analysis

Network Activity & Anomaly Detection
• Network analytics
• Behavior and anomaly detection
• Fully integrated with SIEM

Network and Application Visibility
• Layer 7 application monitoring
• Content capture
• Physical and virtual environments

One Console Security – Built on a Single Data Architecture

Page 27

Q1 Labs SIEM & much more

Next-generation Log Management:
• Turnkey log management
• SME to Enterprise
• Upgradeable to enterprise SIEM

Next-generation SIEM:
• Integrated log, cyber threat, risk and compliance management
• Scalable, automated, broad market
• Network activity information

Stackable Expansion:
• Event Processors, High Availability
• Network Activity Processors
• Geographic distribution
• Horizontal scale
• Embedded, real-time database

Application & Activity Monitoring:
• Layer 7 application monitoring
• Content aware
• Identity/user-based visibility of network and application activity
• Provides visibility into physical and virtual environments

Next-generation Risk Management:
• Predictive threat modeling & simulation
• Automated compliance and policy verification
• Scalable configuration monitoring & audit
• Advanced threat visualization/impact analysis

Page 28

Q1 in action - Malware activity

IRC on port 80? QFlow enables detection of a covert channel.

Irrefutable botnet communication: Layer 7 data contains botnet command and control instructions.

Potential botnet detected? This is as far as traditional SIEM can go.
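As an added example (not QFlow or Q1 Labs code), the check below classifies a flow by its first payload bytes instead of its destination port, so IRC tunnelled over TCP/80 is flagged as a covert channel rather than reported as web traffic; the flows, addresses and protocol patterns are constructed for illustration.

```python
# Added example (not Q1 Labs/QFlow code): application-layer classification of
# flows so that IRC tunnelled over TCP/80 is not mistaken for HTTP.
import re
from dataclasses import dataclass

# Patterns for the first bytes a client sends: an HTTP request line vs IRC registration/commands.
HTTP_REQUEST = re.compile(rb"^(GET|POST|HEAD|PUT|DELETE|OPTIONS) \S+ HTTP/1\.[01]\r\n")
IRC_COMMAND = re.compile(rb"^(NICK|USER|JOIN|PRIVMSG|PING|PONG) ", re.MULTILINE)

@dataclass
class Flow:
    src: str
    dst: str
    dport: int
    payload: bytes  # first client-side bytes captured for the session (layer 7 content)

def port_based_app(flow):
    """What a port-only view reports: destination port 80 means 'web'."""
    return {80: "http", 443: "https", 6667: "irc"}.get(flow.dport, "unknown")

def content_based_app(flow):
    """Classify by payload content, the layer 7 view the slide attributes to QFlow."""
    if HTTP_REQUEST.match(flow.payload):
        return "http"
    if IRC_COMMAND.search(flow.payload):
        return "irc"
    return "unknown"

def covert_channel_offense(flow):
    """Raise an offense when the observed application disagrees with what the port implies."""
    expected, observed = port_based_app(flow), content_based_app(flow)
    if observed != "unknown" and observed != expected:
        return f"{observed} on port {flow.dport} from {flow.src} to {flow.dst}: possible covert channel"
    return None

# Constructed sample flows (documentation/private address ranges, not real traffic).
SAMPLE_FLOWS = [
    Flow("10.0.0.5", "203.0.113.10", 80, b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n"),
    Flow("10.0.0.7", "203.0.113.99", 80, b"NICK bot1234\r\nUSER bot 0 * :bot\r\nJOIN #control\r\n"),
]

if __name__ == "__main__":
    for f in SAMPLE_FLOWS:
        print(covert_channel_offense(f))
```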

Page 29

Q1 in action - User activity monitoring

Authentication failures: perhaps a user who forgot their password?

Brute force password attack: numerous failed login attempts against different user accounts.

Host compromised: all this followed by a successful login.

Automatically detected, no custom tuning required.
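The escalation on this slide, written out as an added correlation rule that is not QRadar's own logic: the thresholds, the sshd-style log lines and the source addresses are constructed assumptions, and the single failure from the second source is the forgotten-password case that should raise nothing.

```python
# Added example (not QRadar rule logic): correlate many failed logins across
# different accounts from one source, then a success from that source, into one offense.
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE = re.compile(r"^(\S+) sshd\[\d+\]: (Failed|Accepted) password for (?:invalid user )?(\S+) from (\S+)")

FAIL_THRESHOLD = 5        # failures from one source within the window ...
DISTINCT_ACCOUNTS = 3     # ... against at least this many different accounts
WINDOW = timedelta(minutes=10)

def parse(line):
    m = LINE.match(line)
    if not m:
        return None
    ts, outcome, user, src = m.groups()
    return datetime.fromisoformat(ts), outcome, user, src

def correlate(lines):
    """Return {source: offense}: 'brute_force' once the thresholds are crossed,
    upgraded to 'host_compromised' if a successful login from that source follows."""
    failures = defaultdict(list)   # src -> [(time, user)] within the sliding window
    offenses = {}
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        ts, outcome, user, src = rec
        if outcome == "Failed":
            failures[src] = [(t, u) for t, u in failures[src] if ts - t <= WINDOW] + [(ts, user)]
            recent = failures[src]
            if len(recent) >= FAIL_THRESHOLD and len({u for _, u in recent}) >= DISTINCT_ACCOUNTS:
                offenses.setdefault(src, "brute_force")
        elif outcome == "Accepted" and offenses.get(src) == "brute_force":
            offenses[src] = "host_compromised"   # success after a detected brute force

    return offenses

# Constructed sample log lines (ISO timestamps, sshd-style messages, documentation addresses).
SAMPLE_LOG = [
    "2012-05-22T09:00:01 sshd[101]: Failed password for invalid user admin from 198.51.100.7 port 4123 ssh2",
    "2012-05-22T09:00:03 sshd[102]: Failed password for root from 198.51.100.7 port 4124 ssh2",
    "2012-05-22T09:00:05 sshd[103]: Failed password for invalid user oracle from 198.51.100.7 port 4125 ssh2",
    "2012-05-22T09:00:07 sshd[104]: Failed password for invalid user test from 198.51.100.7 port 4126 ssh2",
    "2012-05-22T09:00:09 sshd[105]: Failed password for jsmith from 198.51.100.7 port 4127 ssh2",
    "2012-05-22T09:00:30 sshd[106]: Accepted password for jsmith from 198.51.100.7 port 4128 ssh2",
    "2012-05-22T09:05:00 sshd[107]: Failed password for jsmith from 10.0.0.20 port 5000 ssh2",
    "2012-05-22T09:05:20 sshd[108]: Accepted password for jsmith from 10.0.0.20 port 5001 ssh2",
]

if __name__ == "__main__":
    print(correlate(SAMPLE_LOG))
```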

Page 30

Q1 in action - complex threat detection

Sounds nasty… but how do we know this? The evidence is a single click away.

Buffer overflow: exploit attempt seen by Snort

Network scan: detected by QFlow

Targeted host vulnerable: detected by Nessus

Total visibility: convergence of network, event and vulnerability data.
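An added example of the convergence described above (not Q1 Labs code): an IDS alert scores higher when flow data shows the same source scanned the target beforehand and a vulnerability-scan import says the targeted service is vulnerable; the signature name, the keyword match between signature and finding, and the asset weighting are assumptions made for illustration.

```python
# Added example (not Q1 Labs/QRadar code): converge IDS, flow and vulnerability-scan
# data on the targeted host to rank an exploit attempt, as the slide describes.
from dataclasses import dataclass, field

@dataclass
class IdsEvent:            # e.g. a Snort alert: exploit attempt against host:port
    src: str
    dst: str
    dport: int
    signature: str         # constructed signature name

@dataclass
class ScanEvent:           # e.g. from flow analysis: one source touched many ports on a host
    src: str
    dst: str
    ports_touched: int

@dataclass
class Asset:               # e.g. from a Nessus import: findings per port, plus business value
    weight: int                                      # 1 (low) .. 10 (critical)
    findings: dict = field(default_factory=dict)     # port -> finding keyword

def rank_offense(ids, scans, assets):
    """Base score for an exploit attempt, +2 if the same source scanned the target first,
    +4 if the scanner reports the targeted service vulnerable to that class of exploit,
    +0..2 for asset value. Returns (score, evidence) so the analyst sees why."""
    evidence = [f"IDS: {ids.signature} from {ids.src} to {ids.dst}:{ids.dport}"]
    score = 2
    if any(s.src == ids.src and s.dst == ids.dst and s.ports_touched >= 20 for s in scans):
        score += 2
        evidence.append(f"Flow: {ids.src} port-scanned {ids.dst} before the attempt")
    asset = assets.get(ids.dst)
    if asset:
        finding = asset.findings.get(ids.dport)
        if finding and finding in ids.signature:      # keyword match is an assumption
            score += 4
            evidence.append(f"Vuln scan: {ids.dst}:{ids.dport} is vulnerable ({finding})")
        score += asset.weight // 5
        evidence.append(f"Asset value: {asset.weight}/10")
    return min(score, 10), evidence

# Constructed sample data (not real hosts, signatures or findings).
IDS = IdsEvent("198.51.100.9", "10.0.0.50", 21, "buffer-overflow:ftp-server")
SCANS = [ScanEvent("198.51.100.9", "10.0.0.50", 45)]
ASSETS = {"10.0.0.50": Asset(10, {21: "buffer-overflow"})}

if __name__ == "__main__":
    score, why = rank_offense(IDS, SCANS, ASSETS)
    print(score, *why, sep="\n")
```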

Page 31

Q1 in action – data loss prevention

Potential data loss? Who? What? Where?

Who? An internal user

What? Oracle data

Where? Gmail

Page 32

IBM Security division’s vision

Page 33

IBM Security division’s vision

Increased Awareness and Accuracy
– Prevent advanced threats with real-time intelligence correlation across security domains
– Increase situational awareness by leveraging real-time feeds of X-Force Research and Global Threat Intelligence across IBM security products, such as QRadar SIEM and Network Security appliances
– Conduct complete incident investigations with unified identity, database, network and endpoint activity monitoring and log management

Ease of Management
– Simplify risk management and decision-making with automated reporting through a unified console
– Enhance auditing and access capabilities by sharing identity context across multiple IBM security products
– Build automated, customized application protection policies by feeding AppScan results into IBM Network Intrusion Prevention Systems

Reduced Cost and Complexity
– Deliver faster deployment, increased value and lower TCO by working with a single strategic partner

[Figure: Security Intelligence at the centre of People, Data, Endpoint, Network and Applications.]

Page 34

Think security first

[email protected]

+371 2 9162784