
[RakutenTechConf2013] [A-0] Security Meets Analytics

Oct 19, 2014


Rakuten Technology Conference 2013
"Security Meets Analytics"
Service Computing, IBM Research – Tokyo
Naohiko Uramoto
Transcript
Page 1: [RakutenTechConf2013] [A-0] Security Meets Analytics

10/30/13

1

© 2013 IBM Corporation

Security Meets Analytics
Service Computing, IBM Research – Tokyo
IPSJ Director Naohiko Uramoto

Rakuten Technical Conference 2013
26 Oct 2013

Self introduction – My four hats as a tech person

- My business as IBMer – Leading Cloud and security projects in IBM Research – Tokyo
- Internal tech community – Member of Academy of Technology (AoT), IBM’s cross-organizational technical community
- External tech community – Secretariat of “Cloud Kenkyu-kai”
- Academia – Director of Information Processing Society in Japan


Information Processing Society of Japan (IPSJ)

- Founded in 1960
- More than 20,000 members (from academia & industry)
- Board of Directors
  - President: Masaru Kitsuregawa (Director of NII and Prof. of U-Tokyo)
  - 25 board members (including me)
- Tight relationship with international communities
  - Long term relationship with IEEE-CS, ACM etc.
  - Organizing and supporting international conferences
- Activities
  - 40 SIGs in 3 Domains
  - Many conferences, seminars, events not only for academia but also engineers and students
  - e.g. Digital Practice Papers which focus on best practice

NII: National Institute of Informatics Japan
IFIP: International Federation of Information Processing

IBM Academy of Technology (AoT)

(Figure: AoT programme areas – Career Development, Networking, Technology Impact, Leadership Skills, Client Value, Skills Development, Think Time, Consultancies/Studies, Conferences, Technical Advocate Programme, Mentoring)

- 100 AoT leadership members
- 1,000 AoT members with selection
- 44 affiliates with 5,500 members
- TEC-J in Japan

AoT Goal: The inspiring and inclusive academy of eminent technology thought leaders that have an enduring impact on the IT industry that makes the world better.

www.ibm.com/ibm/academy


What is the good balance?

(Figure: Daily Job, Internal Tech Community, External Tech Community, Academia, Personal Life)


World is changing…


New security technology is required to support transformation of the world

(Figure labels: New World, New Data, New IT)

- Social, Mobile, Analytics, and Cloud (SMAC)
- Internet of Things (IoT)
- Big Data
- Data Economy
- Social Business
- Cyberspace
- Globalization and emerging market
- Blurred boundaries
- New types of vulnerabilities
- Data protection for Security and Privacy
- Logs and events as Big Data
- Cyber crime across geos and organizations


The sophistication of Cyber threats, attackers and motives is rapidly escalating

Global Security Trends

http://www.ibm.com/security/xforce/

IBM X-Force 2013 Mid-Year Trend and Risk Report is available

- Analyzed 4,100 new security vulnerabilities
- Analyzed 900 million new web pages and images
- Created 27 million new or updated entries in the IBM web filter database
- Created 180 million new, updated, or deleted signatures in the IBM spam filter database

(Figure label: 10 SOCs)


Why are we losing the game?


Attacker can prepare with enough time to know about the target

- What is the target company or organization?
- What kinds of topics are employees interested in?
- What sites do employees often visit?
- Which web browser is used in the target company?
- Which anti-virus product is used?
- …


Why is traditional defense not enough? Some insights:

- Breaking into a trusted partner and then loading malware onto the target’s network
- Creating designer malware tailored to only infect the target organization, preventing identification by security vendors
- Using social networking and social engineering to perform reconnaissance on spear-phishing targets, leading to compromised hosts and accounts
- Exploiting zero-day vulnerabilities to gain access to data, applications, systems, and endpoints
- Communicating over accepted channels such as port 80 to exfiltrate data from the organization

Enterprise network is evolving

(Figure: Servers, Applications, Client PCs, VMs on Private Cloud, Mobile Devices; Internet, FW, IPS/IDS, Switch, Anti Virus)


Traditional Perimeter based defense

(Figure: the same network diagram – Servers, Applications, Client PCs, VMs on Private Cloud, Mobile Devices; Internet, FW, IPS/IDS, Switch, Anti Virus)

Protect corporate network and endpoints from attacks

Now we need to assume invasion of malware

(Figure: the same network diagram, with the Attacker’s Command & Control Server on the Internet side)

Protect outgoing connections to prevent data leakage, assuming that malware exists in the network.

Now we need to assume invasion of malware

(Figure: the same network diagram, with the Attacker’s Command & Control Server on the Internet side)

Monitor network & endpoints and detect malware’s and attacker’s activities


How can we do it?


Security Information and Event Management (SIEM)

(Figure: data sources feeding the Security Operation Center (SOC); network side: Internet, FW, IPS/IDS, Switch)

- Configuration information
- External threat intelligence feeds
- Network flows and anomalies
- Web page text
- Full packet and DNS captures
- E-mail and social activity
- Business process data
- System audit trails
- Access log
- Mobile device information
- Endpoint information
- Middleware log
- OS level log
- Application log
- Download from app stores

Security Information and Event Management (SIEM): Security Intelligence

Extensive Data Sources + Deep Intelligence = Exceptionally Accurate and Actionable Insight


QRadar: Intelligent Event Management and Attack Detection
Provide information on attack with a comprehensive and integrated view

- What kind of attack?
- Who is attacking?
- What are the attacked assets?
- From where?
- Does the asset have vulnerability?
- What is the business value?
- What is the evidence of attack?

Flow of Security Analytics

Machine learning and near real-time monitoring enables continuous refinement and tracking of ‘normal’

(Figure: inputs Login Information, Access Log, Social Events, Network Events feed the Analysis Engine – Filtering, Correlation, Behavior Model, Transformation, Alerting – whose outputs are Anomaly detection and Precursor (early-sign) monitoring)
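As an added illustration of the filtering, transformation, behavior-model and alerting stages on this slide (example code written for this page, not IBM's or QRadar's), the following Python script pushes constructed access-log lines through each stage. The log format, the `healthcheck` noise account, the warm-up count and the failure threshold are all assumptions. The behavior model learns each user's normal login hours and source subnet from benign events and flags deviations; it refines the baseline only from events it did not flag, so an intrusion cannot quietly redefine "normal".

```python
"""Security-analytics flow on access-log lines: filtering -> transformation -> behavior model -> alerting.
Added example for this page (not IBM's or QRadar's code); log format and thresholds are assumptions."""
import re
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime

# Constructed sample log in an assumed "<ISO timestamp> <user> <source IP> <OK|FAIL>" format.
SAMPLE_LOG = """\
2013-10-21T09:02:11 alice 10.1.4.21 OK
2013-10-21T09:15:40 alice 10.1.4.21 OK
2013-10-22T08:58:03 alice 10.1.4.22 OK
2013-10-22T10:31:17 alice 10.1.4.21 OK
2013-10-23T09:05:55 alice 10.1.4.21 OK
2013-10-23T13:44:08 alice 10.1.4.21 OK
2013-10-24T09:11:30 alice 10.1.4.22 OK
2013-10-24T17:20:12 alice 10.1.4.21 OK
2013-10-25T03:12:45 alice 203.0.113.9 FAIL
2013-10-25T03:12:58 alice 203.0.113.9 FAIL
2013-10-25T03:13:20 alice 203.0.113.9 OK
2013-10-25T09:00:01 healthcheck 10.1.0.5 OK
# a comment line that the filtering stage must drop
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\d+\.\d+\.\d+\.\d+) (OK|FAIL)$")

@dataclass
class Event:
    ts: datetime
    user: str
    src: str
    ok: bool

def transform(line):
    """Transformation: parse one raw line into an Event; None if it is not in the expected format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return Event(datetime.fromisoformat(m.group(1)), m.group(2), m.group(3), m.group(4) == "OK")

def keep(ev, noise_users=("healthcheck",)):
    """Filtering: drop unparsable lines and known-benign automation accounts before modelling."""
    return ev is not None and ev.user not in noise_users

def subnet(ip):
    """Generalise a source address to its /24 so a DHCP change inside the office is still 'normal'."""
    return ".".join(ip.split(".")[:3])

@dataclass
class UserProfile:
    hours: set = field(default_factory=set)    # hours of day seen in benign logins
    subnets: set = field(default_factory=set)  # /24s seen in benign logins
    seen: int = 0                              # benign logins that built the baseline
    fails: int = 0                             # consecutive failures before the current event

class BehaviorModel:
    """Tracks 'normal' per user and keeps refining it as events stream in (near real-time)."""
    def __init__(self, warmup=8, max_fails=2):
        self.profiles = defaultdict(UserProfile)
        self.warmup = warmup        # benign events needed before deviations are scored
        self.max_fails = max_fails  # failures that make the following success suspicious

    def score(self, ev):
        """Return the reasons this event deviates from the user's baseline (empty list = normal)."""
        p = self.profiles[ev.user]
        reasons = []
        if p.seen >= self.warmup:  # no baseline yet -> nothing to compare against
            if ev.ts.hour not in p.hours:
                reasons.append("unusual hour %02d" % ev.ts.hour)
            if subnet(ev.src) not in p.subnets:
                reasons.append("new source subnet %s" % subnet(ev.src))
        if ev.ok and p.fails >= self.max_fails:
            reasons.append("success after %d failures" % p.fails)
        return reasons

    def update(self, ev, anomalous):
        """Refine the baseline; flagged events never train it."""
        p = self.profiles[ev.user]
        if not ev.ok:
            p.fails += 1
            return
        p.fails = 0
        if not anomalous:
            p.hours.add(ev.ts.hour)
            p.subnets.add(subnet(ev.src))
            p.seen += 1

def run_pipeline(raw_log, model=None):
    """Alerting: run every line through the stages; returns (timestamp, user, src, reasons) tuples."""
    model = model or BehaviorModel()
    alerts = []
    for line in raw_log.splitlines():
        ev = transform(line)
        if not keep(ev):
            continue
        reasons = model.score(ev)
        model.update(ev, bool(reasons))
        if reasons:
            alerts.append((ev.ts.isoformat(), ev.user, ev.src, reasons))
    return alerts

if __name__ == "__main__":
    for alert in run_pipeline(SAMPLE_LOG):
        print(alert)
```

On the constructed log the first eight logins build alice's baseline silently; the three 03:12 events from 203.0.113.9 are then each reported, the last one with the extra reason that a success followed two failures. A production model would replace the hour set with a learned distribution and age out old observations, but the stage boundaries are the same.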


Security Analytics is built on a common platform and applied to multiple areas

Security Analytics Platform
- Business Process Analytics: Clarify business process and detect security and compliance issues
- Social Network Analytics: Detect potential risk from social graphs on SNS such as Facebook and Twitter
- User Access Analytics: Anomaly detection and risk prediction from user / group access log
- Network & Device Analytics: Analyze network packets and events for anomaly detection and risk prediction
- Asset Analytics: Classify and visualize enterprise assets to protect them from information leakage

Event Correlation

Correlation of Logs across middleware and application stacks
- Heuristics on time sequence
- Pattern extraction

(Figure: Middleware1, Middleware2, Middleware3, Middleware4, App1)


Process-File Dependency Visualization

Detect dependency between processes and files on a PC

(Figure: graph of Process and File nodes)

Integration Architecture of QRadar, DLP and IBM Endpoint Manager

(Figure: Endpoint (PC) with Agent reporting to the DLP Server and IEM; Endpoint log (e.g. file access, process start); Network events collected by QFlow)

- QFlow monitors network traffic
- Endpoint DLP monitors user’s behavior
- Endpoint Manager dispatches policies to be enforced
- QRadar correlates network and endpoint information
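As an added example serving both the Event Correlation slide (heuristics on time sequence across sources) and this integration slide (correlating flow records with endpoint file-access and process-start events), the Python below merges constructed endpoint and flow records onto one timeline keyed by host and applies a sequence rule: process start, then a confidential file read by that process, then a large outbound flow from the same host to an external address on an accepted port, all within 60 seconds. This is not IBM's, QRadar's, QFlow's or IEM's code; the record field names, the `confidential` label, the 60 s window, the 1 MB threshold, the accepted ports and the internal network list are assumptions.

```python
"""Time-sequence correlation of endpoint events and network flow records, keyed by host.
Added example for this page (not IBM's, QRadar's or IEM's code); record fields, labels,
the 60 s window, the 1 MB threshold and the internal network list are assumptions."""
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed endpoint events, as an endpoint agent might report them (assumed field names).
ENDPOINT_EVENTS = [
    {"ts": "2013-10-25T03:14:02", "host": "pc-17", "type": "process_start", "proc": "svchost.exe", "pid": 4120},
    {"ts": "2013-10-25T03:14:03", "host": "pc-17", "type": "process_start", "proc": "updater.exe", "pid": 4188},
    {"ts": "2013-10-25T03:14:10", "host": "pc-17", "type": "file_access", "proc": "updater.exe", "pid": 4188,
     "path": "C:/Users/alice/Documents/customers.xlsx", "label": "confidential"},
    {"ts": "2013-10-25T09:30:00", "host": "pc-22", "type": "file_access", "proc": "excel.exe", "pid": 901,
     "path": "C:/Users/bob/Documents/budget.xlsx", "label": "confidential"},
]
# Constructed flow records, as a flow collector might export them (assumed field names).
FLOW_EVENTS = [
    {"ts": "2013-10-25T03:14:25", "host": "pc-17", "dst": "198.51.100.7", "dport": 80, "bytes_out": 2_400_000},
    {"ts": "2013-10-25T03:15:40", "host": "pc-17", "dst": "10.1.9.3", "dport": 445, "bytes_out": 500},
    {"ts": "2013-10-25T09:30:20", "host": "pc-22", "dst": "10.1.2.15", "dport": 443, "bytes_out": 1_900_000},
]

WINDOW = timedelta(seconds=60)   # assumed: how long a confidential read stays "recent"
MIN_BYTES = 1_000_000            # assumed: outbound volume worth a second look
ACCEPTED_PORTS = (80, 443)       # "accepted channels" that perimeter filtering lets through
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

def parse_ts(s):
    return datetime.fromisoformat(s)

def is_external(ip):
    """True outside the assumed corporate ranges. An explicit list is used (not ipaddress.is_global)
    so the documentation address in the sample data counts as external."""
    addr = ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)

def merged_timeline(endpoint, flows):
    """Transformation: tag each record with its source and order all records by time."""
    tagged = [dict(e, source="endpoint") for e in endpoint] + [dict(f, source="flow") for f in flows]
    return sorted(tagged, key=lambda r: parse_ts(r["ts"]))

def correlate(endpoint, flows, window=WINDOW, min_bytes=MIN_BYTES):
    """Sequence heuristic per host: process_start -> confidential file_access -> large outbound
    flow to an external address on an accepted port, within `window`. One alert per read/flow pair."""
    alerts = []
    started = {}  # (host, pid) -> process_start record
    recent = {}   # host -> confidential file_access records still inside the window
    for rec in merged_timeline(endpoint, flows):
        t = parse_ts(rec["ts"])
        if rec["source"] == "endpoint":
            if rec["type"] == "process_start":
                started[(rec["host"], rec["pid"])] = rec
            elif rec["type"] == "file_access" and rec.get("label") == "confidential":
                recent.setdefault(rec["host"], []).append(rec)
            continue
        # Flow record: expire stale reads first so state stays bounded, then test the flow itself.
        host = rec["host"]
        recent[host] = [fa for fa in recent.get(host, []) if t - parse_ts(fa["ts"]) <= window]
        if rec["dport"] not in ACCEPTED_PORTS or rec["bytes_out"] < min_bytes or not is_external(rec["dst"]):
            continue
        for fa in recent[host]:
            origin = started.get((host, fa["pid"]))
            alerts.append({
                "host": host,
                "proc": fa["proc"],
                "path": fa["path"],
                "dst": "%s:%d" % (rec["dst"], rec["dport"]),
                "bytes_out": rec["bytes_out"],
                "started_at": origin["ts"] if origin else None,  # evidence chain for the analyst
                "read_at": fa["ts"],
                "sent_at": rec["ts"],
            })
        recent[host] = []  # a read is reported once; a later flow needs a fresh read to match
    return alerts

if __name__ == "__main__":
    for alert in correlate(ENDPOINT_EVENTS, FLOW_EVENTS):
        print(alert)
```

On the constructed data only pc-17 matches: `updater.exe` starts, reads a confidential spreadsheet and 15 seconds later the host pushes 2.4 MB to an external address on port 80, which a port-based perimeter rule would have allowed. The pc-22 flow is just as large but stays inside the corporate range, so no alert is raised; each alert carries the three timestamps so the analyst can answer the "what is the evidence of attack?" question from the QRadar slide.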
