Take the Red Pill: Becoming One with Your Computing Environment using Security Intelligence
Chris Poulin, Security Strategist, IBM
Reboot Privacy & Security Conference 2013
© 2012 IBM Corporation, IBM Security Systems
Transcript
Page 1: Security Intelligence

Take the Red Pill: Becoming One with Your Computing Environment using Security Intelligence

Chris Poulin, Security Strategist, IBM

Reboot Privacy & Security Conference 2013

Page 2: Security Intelligence


Securing Information Resources is a Multi-Dimensional Puzzle

People: Employees, Consultants, Hackers, Terrorists, Outsourcers, Suppliers, Customers

Data: Structured, Unstructured, At rest, In motion

Applications: Systems applications, Web applications, Web 2.0, Mobile apps

Infrastructure

It is no longer possible to define and protect the perimeter; the focus has to shift to protecting the data itself. Point products are not sufficient to protect the enterprise.

Page 3: Security Intelligence


Getting Intimate with Your Computing Environment

How well do you know:

• Applications? Owners? Activity patterns?

• Where sensitive data resides?

• Network activity patterns?

Page 4: Security Intelligence


Why Take the Red Pill?

What’s normal? What’s suspect?

Page 5: Security Intelligence


How to Get There: Security Intelligence

Extensive Data Sources + Deep Intelligence = Exceptionally Accurate and Actionable Insight

Data sources:

• Security Devices

• Servers & Hosts

• Network & Virtual Activity

• Database Activity

• Application Activity

• Configuration Info

• Vulnerability Info

• Users & Identities

Intelligence, applied to logs, flows, IP reputation, geo location, user activity, database activity, application activity and network activity:

• Event Correlation

• Activity Baselining & Anomaly Detection

• Offense Identification, scored on Credibility, Severity and Relevance

Output: Suspected Incidents

Page 6: Security Intelligence


What is Security Intelligence?

Security Intelligence

--noun

1. the real-time collection, normalization, and analytics of the data generated by users, applications and infrastructure that impacts the IT security and risk posture of an enterprise

Security Intelligence provides actionable and comprehensive insight for managing risks and threats from protection and detection through remediation.

collection → normalization → analytics
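The three steps of the definition (collection, normalization, analytics) and the offense scoring from the previous slide (credibility, severity, relevance) as one small pipeline. This is an added example written for this transcript, not code from the talk or from any IBM product: the log lines are constructed, the rule (three failed logins, a success, then database reads by the same user) is illustrative, and the ASSET_WEIGHT table and the scoring weights are assumptions standing in for an asset database and a product's scoring formula.

```python
import re
from datetime import datetime, timezone

# Constructed sample input in two formats (sshd syslog lines and a
# key=value database-audit line). These are made up for the example.
RAW_EVENTS = [
    "Mar 12 09:00:01 fw1 sshd[2211]: Failed password for admin from 203.0.113.7 port 51122 ssh2",
    "Mar 12 09:00:02 fw1 sshd[2211]: Failed password for admin from 203.0.113.7 port 51123 ssh2",
    "Mar 12 09:00:03 fw1 sshd[2211]: Failed password for admin from 203.0.113.7 port 51124 ssh2",
    "Mar 12 09:00:05 fw1 sshd[2213]: Accepted password for admin from 203.0.113.7 port 51125 ssh2",
    "2012-03-12T09:00:40Z dbaudit src=10.0.0.5 user=admin action=SELECT object=CUSTOMERS rows=50000",
    "Mar 12 09:10:00 fw1 sshd[2300]: Failed password for bob from 198.51.100.9 port 40000 ssh2",
]

SYSLOG = re.compile(
    r"^(?P<mon>\w{3}) +(?P<day>\d+) (?P<time>\d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?P<user>\S+) from (?P<src>\S+) port"
)
DBAUDIT = re.compile(r"^(?P<ts>\S+) dbaudit (?P<rest>.*)$")

# Hypothetical asset weights standing in for an asset database (relevance).
ASSET_WEIGHT = {"CUSTOMERS": 10, "fw1": 5}


def normalize(line, year=2012):
    """Map a raw line from either source onto one common event schema."""
    m = SYSLOG.match(line)
    if m:
        ts = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")
        return {"ts": ts.replace(tzinfo=timezone.utc).timestamp(), "source": "sshd",
                "category": "auth_fail" if m["result"] == "Failed" else "auth_success",
                "user": m["user"], "src": m["src"], "host": m["host"]}
    m = DBAUDIT.match(line)
    if m:
        kv = dict(tok.split("=", 1) for tok in m["rest"].split())
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        return {"ts": ts.replace(tzinfo=timezone.utc).timestamp(), "source": "dbaudit",
                "category": "db_read", "user": kv["user"], "src": kv["src"],
                "host": kv["object"], "rows": int(kv.get("rows", 0))}
    return None  # unknown format: a real pipeline would count and route these


def correlate(events, fail_threshold=3, window=60, followup=300):
    """Rule: at least fail_threshold failed logins for the same user/source within
    `window` seconds, then a successful login, then (optionally) database reads
    by that user within `followup` seconds. Returns one offense per hit."""
    events = sorted(events, key=lambda e: e["ts"])
    offenses = []
    for ok in events:
        if ok["category"] != "auth_success":
            continue
        fails = [f for f in events if f["category"] == "auth_fail"
                 and (f["user"], f["src"]) == (ok["user"], ok["src"])
                 and ok["ts"] - window <= f["ts"] < ok["ts"]]
        if len(fails) < fail_threshold:
            continue
        reads = [d for d in events if d["category"] == "db_read"
                 and d["user"] == ok["user"] and ok["ts"] < d["ts"] <= ok["ts"] + followup]
        chain = fails + [ok] + reads
        offenses.append({"user": ok["user"], "src": ok["src"], "failed_logins": len(fails),
                         "db_reads": len(reads), "sources": {e["source"] for e in chain},
                         "events": chain})
    return offenses


def score(offense):
    """Credibility / severity / relevance on a 1-10 scale. The weights are
    assumptions for this example, not any product's scoring formula."""
    credibility = min(10, 4 * len(offense["sources"]))   # independent sources corroborate
    severity = 10 if offense["db_reads"] else 5          # brute force that reached data vs not
    relevance = max(ASSET_WEIGHT.get(e["host"], 1) for e in offense["events"])
    magnitude = round((credibility + severity + relevance) / 3, 1)
    return {"credibility": credibility, "severity": severity,
            "relevance": relevance, "magnitude": magnitude}


def run_pipeline(lines=RAW_EVENTS):
    events = [e for e in map(normalize, lines) if e]
    return [dict(o, **score(o)) for o in correlate(events)]


if __name__ == "__main__":
    for o in run_pipeline():
        print(o["user"], o["src"], "failed_logins=%d db_reads=%d magnitude=%s"
              % (o["failed_logins"], o["db_reads"], o["magnitude"]))
```

The single failed login for "bob" never becomes an offense; the admin chain does, and it scores higher than a bare brute force would because two independent sources corroborate it and the data it reached carries the highest asset weight.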

Page 7: Security Intelligence


Activity and Data Access Monitoring

Visualize Data Risks

Automated charting and reporting on potential attacks

Correlate System, Application, & Network Activity

Enrich security alerts with anomaly detection and flow analysis

Detect suspicious activity before it leads to a breach

360-degree visibility helps distinguish true breaches from benign activity, in real time

Page 8: Security Intelligence


Top Events by Log Type and Count

Page 9: Security Intelligence


Top Flows by Application and Total Bytes

Page 10: Security Intelligence


…and Bottom Flows

Page 11: Security Intelligence


Data Leakage

Alert on data patterns, such as credit card numbers, in real time.

Who is responsible for the data leak?
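What "alert on a credit card pattern and attribute the leak" looks like in code, as an added example for this transcript (not code from the talk or from any product). The flow records and payloads are constructed; the 10.0. address prefix is an assumed internal range. A bare digit regex produces many false positives, so the check runs the Luhn checksum over every candidate and masks the number before it is written to an alert.

```python
import re
from collections import Counter

# Constructed flow records with captured payload (made up for the example).
# In practice these would come from a flow collector doing content inspection.
FLOWS = [
    {"src": "10.0.0.21", "user": "jdoe", "dst": "198.51.100.44", "dport": 443,
     "payload": "order=A77 card=4111 1111 1111 1111 exp=12/14"},
    {"src": "10.0.0.22", "user": "asmith", "dst": "10.0.0.9", "dport": 80,
     "payload": "ticket 1234567890123456 opened"},              # 16 digits, fails Luhn
    {"src": "10.0.0.21", "user": "jdoe", "dst": "203.0.113.5", "dport": 25,
     "payload": "ref 4111111111111112 is an invoice number"},  # one digit off, fails Luhn
    {"src": "10.0.0.30", "user": "svc", "dst": "10.0.0.9", "dport": 80, "payload": "hello"},
]

INTERNAL_PREFIX = "10.0."  # assumed address space of the enterprise

# 13-19 digits, optionally separated by single spaces or dashes, not part of a longer run.
CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits):
    """Luhn checksum: filters out most digit runs that merely look like a PAN."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text):
    """Return the Luhn-valid candidate PANs found in text, digits only."""
    found = []
    for m in CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.append(digits)
    return found


def mask(pan):
    """Never copy the full number into an alert; keep the last four for triage."""
    return "*" * (len(pan) - 4) + pan[-4:]


def detect_card_leaks(flows, internal_prefix=INTERNAL_PREFIX):
    """One alert per flow carrying a Luhn-valid PAN, attributed to its source."""
    alerts = []
    for f in flows:
        pans = find_pans(f["payload"])
        if not pans:
            continue
        alerts.append({"user": f["user"], "src": f["src"], "dst": f["dst"], "dport": f["dport"],
                       "external": not f["dst"].startswith(internal_prefix),
                       "pans": [mask(p) for p in pans]})
    return alerts


def leaks_by_user(alerts):
    """Answer 'who is responsible?': alerts per source user."""
    return Counter(a["user"] for a in alerts)


if __name__ == "__main__":
    alerts = detect_card_leaks(FLOWS)
    for a in alerts:
        print(a)
    print(dict(leaks_by_user(alerts)))
```

Only the first flow raises an alert: the ticket number and the invoice reference both have 16 digits but fail the checksum. The alert carries the source address and user so the "who" question is answered at detection time rather than reconstructed later.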

Page 12: Security Intelligence


Passively Discover & Profile Assets with NetFlow & QFlow

Page 13: Security Intelligence


Enrich the Asset Database with VA Scans, Manually, CMDB Import

Page 14: Security Intelligence


Update Rules Automatically

Page 15: Security Intelligence


Customize Your Network Landscape for Contextual Visibility

Customize Segment & System Names for Quick Identification

Page 16: Security Intelligence


Pivot by Geography

Page 17: Security Intelligence


Dashboards & Reporting, Customized per Role

Page 18: Security Intelligence


User Activity Monitoring to Combat Advanced Persistent Threats

User & Application Activity Monitoring alerts on a user anomaly for Oracle database access. Identify the user, normal access behavior, and the anomalous behavior, with all source & destination information, to quickly resolve the threat.

Page 19: Security Intelligence


Baselining Complex Patterns

• Complex patterns can be baselined

• Anomalies take into account historical data, continuously

• May incorporate seasonality
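The previous two slides together (a user anomaly on database access, judged against a baseline that carries history and seasonality) as an added example written for this transcript, not the talk's or any product's code. The history is a constructed series of hourly query counts for one hypothetical DBA; seasonality is modelled by keeping a separate baseline per hour of the week, and the baseline keeps learning from each observation that is not itself flagged.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev


def hour_of_week(ts):
    """Seasonal slot: Monday 00:00 is 0, Sunday 23:00 is 167."""
    return ts.weekday() * 24 + ts.hour


def constructed_history(start, weeks=4):
    """Made-up hourly query counts for one DBA: busy on weekday business hours,
    near-silent otherwise, with deterministic jitter. Not real data."""
    history, ts, i = [], start, 0
    end = start + timedelta(weeks=weeks)
    while ts < end:
        if ts.weekday() < 5 and 8 <= ts.hour < 18:
            count = 40 + (i % 7) - 3        # 37..43 queries per hour
        else:
            count = 1 + (i % 3)             # 1..3 queries per hour
        history.append((ts, count))
        ts += timedelta(hours=1)
        i += 1
    return history


class SeasonalBaseline:
    """Per-entity baseline keyed by hour-of-week, updated continuously."""

    def __init__(self, min_sigma=2.0, threshold=3.0, min_samples=3):
        self.samples = defaultdict(list)   # (entity, slot) -> observed counts
        self.min_sigma = min_sigma         # floor so a flat history does not flag everything
        self.threshold = threshold         # z-score that counts as an anomaly
        self.min_samples = min_samples

    def learn(self, entity, ts, count):
        self.samples[(entity, hour_of_week(ts))].append(count)

    def zscore(self, entity, ts, count):
        s = self.samples[(entity, hour_of_week(ts))]
        if len(s) < self.min_samples:
            return None                    # not enough history for this slot yet
        return (count - mean(s)) / max(pstdev(s), self.min_sigma)

    def observe(self, entity, ts, count):
        """Score the observation against the seasonal baseline, then fold it in
        so the baseline keeps tracking reality."""
        z = self.zscore(entity, ts, count)
        anomalous = z is not None and abs(z) >= self.threshold
        if not anomalous:
            self.learn(entity, ts, count)  # do not let flagged anomalies poison the baseline
        return {"entity": entity, "ts": ts.isoformat(), "count": count,
                "z": None if z is None else round(z, 2), "anomaly": anomalous}


def demo():
    baseline = SeasonalBaseline()
    for ts, count in constructed_history(datetime(2012, 3, 5)):   # four weeks from a Monday
        baseline.learn("dba1", ts, count)
    return [
        baseline.observe("dba1", datetime(2012, 4, 3, 10), 42),   # Tuesday 10:00, normal load
        baseline.observe("dba1", datetime(2012, 4, 7, 3), 35),    # Saturday 03:00, same volume is an anomaly
        baseline.observe("dba1", datetime(2012, 4, 3, 11), 60),   # Tuesday 11:00, 60 is an anomaly
        baseline.observe("dba1", datetime(2012, 4, 3, 12), 42),   # Tuesday 12:00, normal
    ]


if __name__ == "__main__":
    for r in demo():
        print(r)
```

The same count (42 versus 35 queries in an hour) is normal on a Tuesday morning and anomalous on a Saturday night; a single global threshold could not express that, which is the point of baselining per seasonal slot.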

Page 20: Security Intelligence


Configuration & Risk

Network topology and open paths of attack add context.

Rules can take exposure into account to:

• Prioritize offenses and remediation

• Enforce policies

• Play out what-if scenarios
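The procedure from slides 12 through 14 (discover assets passively from flows, enrich the asset database from a vulnerability scan, let rules update themselves from the profile) combined with this slide's exposure-aware prioritization, as one added example written for this transcript. It is not code from the talk or from any product; the flow records, scanner findings (placeholder names, not real advisories), firewall rules and the 10.0.0.0/16 internal range are all constructed, and the scoring multipliers are assumptions.

```python
import ipaddress
from collections import defaultdict

LOCAL_NET = ipaddress.ip_network("10.0.0.0/16")   # assumed enterprise address space

# Constructed NetFlow-style records: (src, sport, dst, dport, proto, bytes). Made up.
FLOWS = [
    ("10.0.1.5", 51000, "10.0.2.10", 443, "tcp", 12000),
    ("10.0.1.6", 51001, "10.0.2.10", 443, "tcp", 9000),
    ("203.0.113.9", 40000, "10.0.2.10", 443, "tcp", 3000),
    ("10.0.1.5", 51002, "10.0.2.11", 1521, "tcp", 500000),
    ("10.0.2.11", 33000, "10.0.2.12", 53, "udp", 200),
]

# Constructed vulnerability-scanner import (finding names are placeholders).
VA_SCAN = {
    "10.0.2.10": [{"finding": "outdated TLS library", "port": 443, "cvss": 9.8}],
    "10.0.2.11": [{"finding": "weak listener authentication", "port": 1521, "cvss": 7.5},
                  {"finding": "legacy web console", "port": 8080, "cvss": 8.0}],
    "10.0.2.12": [{"finding": "open recursive resolver", "port": 53, "cvss": 5.3}],
}

# Constructed firewall allow rules: (source network, destination host, port).
FIREWALL = [
    ("0.0.0.0/0", "10.0.2.10", 443),
    ("10.0.0.0/16", "10.0.2.11", 1521),
    ("10.0.0.0/16", "10.0.2.12", 53),
]


def is_local(ip):
    return ipaddress.ip_address(ip) in LOCAL_NET


def discover_assets(flows):
    """Passive discovery: every local destination becomes an asset whose profile
    is the set of (proto, port) it was seen serving and who talked to it."""
    assets = defaultdict(lambda: {"services": set(), "peers": set(), "bytes_in": 0, "vulns": []})
    for src, _sport, dst, dport, proto, nbytes in flows:
        if is_local(dst):
            assets[dst]["services"].add((proto, dport))
            assets[dst]["peers"].add(src)
            assets[dst]["bytes_in"] += nbytes
        if is_local(src):
            assets[src]  # a client-only host is still an asset worth tracking
    return assets


def enrich_with_scan(assets, scan):
    """Merge scanner findings onto the passively built profiles."""
    for ip, findings in scan.items():
        assets[ip]["vulns"].extend(findings)
    return assets


def internet_exposed(ip, port, assets, firewall):
    """Open path from outside: a rule allowing a non-local source to this port,
    or an external peer actually observed in the flows."""
    for net, dst, p in firewall:
        if dst == ip and p == port and not ipaddress.ip_network(net).subnet_of(LOCAL_NET):
            return True
    return any(not is_local(peer) for peer in assets[ip]["peers"])


def prioritize(assets, firewall):
    """Rank findings by CVSS, discounted when nothing listens on the port and
    boosted when an attack path from the Internet is open. Multipliers are assumptions."""
    ranked = []
    for ip, a in assets.items():
        for v in a["vulns"]:
            listening = any(port == v["port"] for _proto, port in a["services"])
            exposed = listening and internet_exposed(ip, v["port"], assets, firewall)
            score = v["cvss"] * (1.0 if listening else 0.5) * (1.5 if exposed else 1.0)
            ranked.append({"score": round(score, 1), "asset": ip, "finding": v["finding"],
                           "listening": listening, "exposed": exposed})
    return sorted(ranked, key=lambda r: r["score"], reverse=True)


def unexpected_service(assets, flow):
    """Rule derived from the profile: a known asset seen serving a port it never
    served before. The rule's reference set updates as the profile grows."""
    _src, _sport, dst, dport, proto, _nbytes = flow
    return dst in assets and (proto, dport) not in assets[dst]["services"]


def build_risk_view(flows=FLOWS, scan=VA_SCAN, firewall=FIREWALL):
    assets = enrich_with_scan(discover_assets(flows), scan)
    return assets, prioritize(assets, firewall)


if __name__ == "__main__":
    assets, ranked = build_risk_view()
    for r in ranked:
        print(r)
    print(unexpected_service(assets, ("10.0.1.7", 5000, "10.0.2.10", 22, "tcp", 100)))
```

The CVSS 8.0 finding ends up last because nothing listens on that port, while the 9.8 finding is boosted because the firewall admits any source to it; that reordering is what "rules take exposure into account" buys over a plain scanner report. Swapping the 0.0.0.0/0 rule for a local one and re-running is the what-if scenario.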

Page 21: Security Intelligence


Security Intelligence Timeline

Prediction & Prevention

Risk Management. Vulnerability Management.

Configuration Monitoring. Patch Management.

X-Force Research and Threat Intelligence.

Compliance Management. Reporting and Scorecards.

Reaction & Remediation

SIEM. Log Management. Incident Response.

Network and Host Intrusion Prevention.

Network Anomaly Detection. Packet Forensics.

Database Activity Monitoring. Data Loss Prevention.

Page 22: Security Intelligence


Security Intelligence Wrap-Up

• Monitor all activity and correlate in real time

• Reduce cost & complexity, lower TCO, compliance

• Detect policy violations
  - Baseline against reality (CMDB)
  - Social media, P2P, etc.

• Detect suspicious behavior
  - Privileged actions from a contractor’s workstation
  - DNS communications with an external system

• Detect APTs
  - File accesses out of the norm (behavior anomaly detection)
  - Least used applications or external systems; occasional traffic

• Detect fraud
  - Baseline credit pulls or trading volumes, and detect anomalies
  - Correlate an eBanking PIN change with large money transfers

• Forensic evidence for prosecution

• Impact analysis

• Change & configuration management

Page 23: Security Intelligence


IBM’s Security Intelligence, Analytics and Big Data portfolio

1. IBM QRadar Security Intelligence: unified architecture for collecting, storing, analyzing and querying log, threat, vulnerability and risk related data

2. IBM Big Data Platform (Streams, Big Insights, Netezza): addresses the speed and flexibility required for customized data exploration, discovery and unstructured analysis

3. IBM i2 Analyst Notebook: helps analysts investigate fraud by discovering patterns and trends across volumes of data

4. IBM SPSS: unified product family to help capture, predict, discover trends, and automatically deliver high-volume, optimized decisions

Page 24: Security Intelligence


Thank You!

https://www14.software.ibm.com/webapp/iwm/web/signup.do?source=swg-Tivoli_Organic&S_PKG=ov7304

Page 25: Security Intelligence


ibm.com/security

© Copyright IBM Corporation 2012. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind, express or implied. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, these materials. Nothing contained in these materials is intended to, nor shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software. References in these materials to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates. Product release dates and/or capabilities referenced in these materials may change at any time at IBM’s sole discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any way. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service marks of others.

Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed or misappropriated or can result in damage to or misuse of your systems, including to attack others. No IT system or product should be considered completely secure and no single product or security measure can be completely effective in preventing improper access. IBM systems and products are designed to be part of a comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective. IBM DOES NOT WARRANT THAT SYSTEMS AND PRODUCTS ARE IMMUNE FROM THE MALICIOUS OR ILLEGAL CONDUCT OF ANY PARTY.