© 2012 IBM Corporation
IBM Security Systems
Take the Red Pill: Becoming One with Your Computing Environment using Security Intelligence
Chris Poulin, Security Strategist, IBM
Reboot Privacy & Security Conference 2013
Oct 19, 2014
Securing Information Resources is a Multi-Dimensional Puzzle
[Diagram: four dimensions of the problem and the elements shown in each]
• People: employees, hackers, outsourcers, suppliers, consultants, terrorists, customers
• Data: structured, unstructured, at rest, in motion
• Applications: systems applications, web applications, Web 2.0, mobile applications
• Infrastructure
It is no longer possible to define and protect the perimeter; the focus must shift to protecting data. Point products are not sufficient to protect the enterprise.
Getting Intimate with Your Computing Environment
How well do you know:
• Applications? Owners? Activity patterns?
• Where sensitive data resides?
• Network activity patterns?
Why Take the Red Pill?
What’s normal? What’s suspect?
How to Get There: Security Intelligence
Extensive Data Sources + Deep Intelligence = Exceptionally Accurate and Actionable Insight
Extensive data sources: Security Devices, Servers & Hosts, Network & Virtual Activity, Database Activity, Application Activity, Configuration Info, Vulnerability Info, Users & Identities
Deep intelligence:
• Event Correlation: logs, flows, IP reputation, geo location
• Activity Baselining & Anomaly Detection: user activity, database activity, application activity, network activity
• Offense Identification: credibility, severity, relevance
Output: Suspected Incidents
What is Security Intelligence?
Security Intelligence
--noun
1. the real-time collection, normalization, and analytics of the data generated by users, applications and infrastructure that impacts the IT security and risk posture of an enterprise
Security Intelligence provides actionable and comprehensive insight for managing risks and threats from protection and detection through remediation.
Activity and Data Access Monitoring
• Visualize Data Risks: automated charting and reporting on potential attacks
• Correlate System, Application & Network Activity: enrich security alerts with anomaly detection and flow analysis
• Detect suspicious activity before it leads to a breach: 360-degree visibility helps distinguish true breaches from benign activity, in real time
Top Events by Log Type and Count
Top Flows by Application and Total Bytes
…and Bottom Flows
Data Leakage
Alert on data patterns, such as credit card numbers, in real time.
Who is responsible for the data leak?
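An added example of the "alert on data patterns" idea (it is not code from the deck or from IBM QRadar): a small Python detector that finds Luhn-valid card numbers in constructed log lines, attributes each hit to the line's user field so the "who" question can be answered, and masks the number in the alert itself. The log format (`key=value` pairs) and the field names are assumptions for the example.

```python
import re

# Candidate card number: 13-19 digits, optionally separated by spaces or dashes,
# and not embedded in a longer run of digits.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 checksum; True for a well-formed card number."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:              # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def find_pans(text: str) -> list:
    """Return the Luhn-valid card numbers in text, digits only."""
    pans = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            pans.append(digits)
    return pans

def mask(pan: str) -> str:
    """Keep only the last four digits so the alert does not leak the PAN again."""
    return "*" * (len(pan) - 4) + pan[-4:]

def field(line: str, name: str):
    """Pull a key=value attribute out of a log line (assumed log format)."""
    m = re.search(r"\b" + re.escape(name) + r"=(\S+)", line)
    return m.group(1) if m else None

def scan_log(lines):
    """One alert per line that carries a card number, with user and app attached."""
    alerts = []
    for line in lines:
        pans = find_pans(line)
        if pans:
            alerts.append({"user": field(line, "user"), "app": field(line, "app"),
                           "pans": [mask(p) for p in pans]})
    return alerts

# Constructed sample log lines (not taken from any real system).
LOG_LINES = [
    "2013-04-26T10:01:12 app=webshop user=jsmith msg=order_ok order_id=98231",
    "2013-04-26T10:02:07 app=webshop user=agray msg=debug card=4111 1111 1111 1111",
    "2013-04-26T10:02:09 app=webshop user=agray msg=debug card=4111111111111112",
    "2013-04-26T10:03:44 app=crm user=mlee msg=export phone=5551234567 ref=2013042600042",
]
```

Only the second line fires: the third fails the Luhn check and the fourth carries digit runs that are either too short or not valid card numbers, which is what keeps a pattern alert from drowning in order ids and phone numbers.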
Passively Discover & Profile Assets with NetFlow & QFlow
Enrich the Asset Database with VA Scans, Manually, CMDB Import
Update Rules Automatically
Customize Your Network Landscape for Contextual Visibility
Customize segment & system names for quick identification.
Pivot by Geography
Dashboards & Reporting, Customized per Role
User Activity Monitoring to Combat Advanced Persistent Threats
User & Application Activity Monitoring alerts on a user anomaly for Oracle database access. Identify the user, the normal access behavior, and the anomalous behavior, with all source & destination information, to quickly resolve the threat.
Baselining Complex Patterns
• Complex patterns can be baselined
• Anomalies take into account historical data, continuously
• May incorporate seasonality
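An added example of a seasonal baseline with continuous learning (it is not code from the deck or from any IBM product): each hourly activity count is scored against the history of its own (weekday, hour) bucket, so weekend-night traffic is judged against weekend nights rather than a single global average, and the observation is then folded into the history. The training data is a deterministic synthetic load constructed for the example; the z-score threshold of 3 and the minimum of 7 samples per bucket are assumptions.

```python
import statistics
from collections import defaultdict
from datetime import datetime, timedelta

class SeasonalBaseline:
    """Baseline an activity count per (weekday, hour) bucket and flag outliers.
    Each observation is scored against its bucket's history and then added to
    it, so the baseline keeps adapting as traffic evolves."""

    def __init__(self, min_samples=7, z_threshold=3.0):
        self.history = defaultdict(list)   # (weekday, hour) -> past counts
        self.min_samples = min_samples
        self.z_threshold = z_threshold

    def observe(self, ts, count):
        hist = self.history[(ts.weekday(), ts.hour)]
        verdict = {"ts": ts, "count": count, "z": None, "anomalous": False}
        if len(hist) >= self.min_samples:      # no verdict until the bucket is mature
            mean = statistics.fmean(hist)
            # floor the deviation so a perfectly flat history cannot divide by zero
            stdev = max(statistics.pstdev(hist), 1.0)
            z = (count - mean) / stdev
            verdict.update(z=round(z, 2), anomalous=abs(z) > self.z_threshold)
        hist.append(count)   # simplification: an anomaly still enters the history
        return verdict

def constructed_hourly_counts(start, weeks):
    """Synthetic load constructed for this example: busy during weekday business
    hours, quiet at night and on weekends, with repeatable (non-random) jitter."""
    ts, end = start, start + timedelta(weeks=weeks)
    while ts < end:
        busy = ts.weekday() < 5 and 8 <= ts.hour < 18
        jitter = (ts.hour * 7 + ts.day * 3) % 40
        yield ts, (1000 if busy else 60) + jitter
        ts += timedelta(hours=1)

def build_baseline():
    """Train on eight weeks of synthetic history starting Monday 2013-04-01."""
    baseline = SeasonalBaseline()
    for ts, count in constructed_hourly_counts(datetime(2013, 4, 1), weeks=8):
        baseline.observe(ts, count)
    return baseline

def demo_verdicts():
    """Score two fresh observations: the same order of magnitude of activity is an
    anomaly at 03:00 on a Sunday and perfectly normal at 14:00 on a Tuesday."""
    b = build_baseline()
    sunday_night = b.observe(datetime(2013, 6, 2, 3), 1000)
    tuesday_day = b.observe(datetime(2013, 6, 4, 14), 1030)
    return sunday_night["anomalous"], tuesday_day["anomalous"]
```

`demo_verdicts()` returns `(True, False)`; a global mean over all hours would have scored both observations the same way.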
Configuration & Risk
Network topology and open paths of attack add context. Rules can take exposure into account to:
• Prioritize offenses and remediation
• Enforce policies
• Play out what-if scenarios
Security Intelligence Timeline
Prediction & Prevention
Risk Management. Vulnerability Management.
Configuration Monitoring. Patch Management.
X-Force Research and Threat Intelligence.
Compliance Management. Reporting and Scorecards.
Reaction & Remediation
SIEM. Log Management. Incident Response.
Network and Host Intrusion Prevention.
Network Anomaly Detection. Packet Forensics.
Database Activity Monitoring. Data Loss Prevention.
Security Intelligence Wrap-Up
• Monitor all activity and correlate in real time
• Reduce cost & complexity, lower TCO, compliance
• Detect policy violations
  • Baseline against reality (CMDB)
  • Social media, P2P, etc.
• Detect suspicious behavior
  • Privileged actions from a contractor’s workstation
  • DNS communications with external system
• Detect APTs
  • File accesses out of the norm: behavior anomaly detection
  • Least used applications or external systems; occasional traffic
• Detect fraud
  • Baseline credit pulls or trading volumes, and detect anomalies
  • Correlate eBanking PIN change with large money transfers
• Forensic evidence for prosecution
• Impact analysis
• Change & configuration management
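An added example of the fraud correlation named above, "eBanking PIN change followed by a large money transfer" (it is not code from the deck or from IBM QRadar): a windowed correlation over normalized events that raises an offense only when a transfer at or above a threshold hits an account whose PIN changed within the window, and carries the PIN-change source and a simple severity with it. The events, schema, 24-hour window and 10,000 threshold are all constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample events, already normalized to a common schema (not real data).
EVENTS = [
    {"ts": "2013-04-26T09:00:00", "type": "pin_change", "account": "A100", "src": "203.0.113.7"},
    {"ts": "2013-04-26T09:20:00", "type": "transfer", "account": "A100", "amount": 15000},
    {"ts": "2013-04-26T09:30:00", "type": "transfer", "account": "A100", "amount": 200},
    {"ts": "2013-04-26T11:00:00", "type": "pin_change", "account": "A200", "src": "198.51.100.4"},
    {"ts": "2013-04-27T15:00:00", "type": "transfer", "account": "A200", "amount": 20000},
    {"ts": "2013-04-26T12:00:00", "type": "transfer", "account": "A300", "amount": 50000},
]

def correlate_pin_change_transfers(events, window=timedelta(hours=24), large=10000):
    """Raise an offense when a large transfer follows a PIN change on the same
    account within the window. Events are sorted first because feeds from
    different sources rarely arrive in order."""
    recent_pin = {}   # account -> (timestamp, source) of its most recent PIN change
    offenses = []
    for e in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(e["ts"])
        if e["type"] == "pin_change":
            recent_pin[e["account"]] = (ts, e.get("src"))
        elif e["type"] == "transfer" and e["amount"] >= large:
            hit = recent_pin.get(e["account"])
            if hit and ts - hit[0] <= window:
                minutes = (ts - hit[0]).total_seconds() / 60
                offenses.append({
                    "account": e["account"],
                    "amount": e["amount"],
                    "pin_change_src": hit[1],
                    "minutes_since_pin_change": minutes,
                    # simple severity: larger amount and shorter gap score higher
                    "severity": min(10, e["amount"] // large + (3 if minutes <= 60 else 0)),
                })
    return offenses

if __name__ == "__main__":
    for offense in correlate_pin_change_transfers(EVENTS):
        print(offense)
```

Only account A100 produces an offense: A200's transfer lands 28 hours after its PIN change, A300 never changed a PIN, and the 200-unit transfer on A100 is below the threshold.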
IBM’s Security Intelligence, Analytics and Big Data portfolio
1. IBM QRadar Security Intelligence: unified architecture for collecting, storing, analyzing and querying log, threat, vulnerability and risk related data
2. IBM Big Data Platform (Streams, BigInsights, Netezza): addresses the speed and flexibility required for customized data exploration, discovery and unstructured analysis
3. IBM i2 Analyst Notebook: helps analysts investigate fraud by discovering patterns and trends across volumes of data
4. IBM SPSS: unified product family to help capture, predict, discover trends, and automatically deliver high-volume, optimized decisions
Thank You!
https://www14.software.ibm.com/webapp/iwm/web/signup.do?source=swg-Tivoli_Organic&S_PKG=ov7304
ibm.com/security
© Copyright IBM Corporation 2012. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind, express or implied. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, these materials. Nothing contained in these materials is intended to, nor shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software. References in these materials to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates. Product release dates and/or capabilities referenced in these materials may change at any time at IBM’s sole discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any way. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service marks of others.
Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed or misappropriated or can result in damage to or misuse of your systems, including to attack others. No IT system or product should be considered completely secure and no single product or security measure can be completely effective in preventing improper access. IBM systems and products are designed to be part of a comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective. IBM DOES NOT WARRANT THAT SYSTEMS AND PRODUCTS ARE IMMUNE FROM THE MALICIOUS OR ILLEGAL CONDUCT OF ANY PARTY.