10/30/13
1
© 2013 IBM Corporation
Security Meets Analytics
Naohiko Uramoto, Service Computing, IBM Research – Tokyo; Director, IPSJ
Rakuten Technical Conference 2013
26 Oct 2013
Self introduction – My four hats as a tech person
§ My business as IBMer – Leading Cloud and security projects in IBM Research – Tokyo
§ Internal tech community – Member of Academy of Technology (AoT), IBM’s cross-organizational technical community
§ External Tech community – Secretariat of “Cloud Kenkyu-kai”
§ Academia – Director of Information Processing Society in Japan
Information Processing Society of Japan (IPSJ)
§ Founded in 1960
§ More than 20,000 members (from academia & industry)
§ Board of Directors
– President: Masaru Kitsuregawa (Director of NII and Prof. of U-Tokyo)
– 25 board members (including me)
§ Tight relationship with international communities
– Long term relationship with IEEE-CS, ACM etc.
– Organizing and supporting international conferences
§ Activities
– 40 SIGs in 3 Domains
– Many conferences, seminars, events not only for academia but also engineers and students
– e.g. Digital Practice Papers which focus on best practice
NII: National Institute of Informatics Japan
IFIP: International Federation of Information Processing
IBM Academy of Technology (AoT)
[Figure: what AoT offers its members – Career Development, Networking, Technology Impact, Leadership Skills, Client Value, Skills Development, Think Time, Consultancies/Studies, Conferences, Technical Advocate Programme, Mentoring]
§ 100 AoT leadership members
§ 1,000 AoT members with selection
§ 44 affiliates with 5,500 members
§ TEC-J in Japan
AoT Goal: The inspiring and inclusive academy of eminent technology thought leaders that have an enduring impact on the IT industry and make the world better.
www.ibm.com/ibm/academy
What is the good balance?
[Figure: balancing Daily Job, Internal Tech Community, External Tech Community, Academia and Personal Life]
World is changing…
New security technology is required to support transformation of the world
New World
§ Social, Mobile, Analytics, and Cloud (SMAC)
§ Internet of Things (IoT)
New Data
§ Big Data
§ Data Economy
§ Social Business
New IT
§ Cyberspace
§ Globalization and emerging market

§ Blurred boundaries
§ New types of vulnerabilities
§ Data protection for Security and Privacy
§ Logs and events as Big Data
§ Cyber crime across geos and organizations
The sophistication of Cyber threats, attackers and motives is rapidly escalating
Global Security Trends
http://www.ibm.com/security/xforce/
IBM X-Force 2013 Mid-Year Trend and Risk Report is available
§ Analyzed 4,100 new security vulnerabilities
§ Analyzed 900 million new web pages and images
§ Created 27 million new or updated entries in the IBM web filter database
§ Created 180 million new, updated, or deleted signatures in the IBM spam filter database
§ 10 SOCs
Why are we losing the game?
Attackers can prepare with enough time to learn about the target
– What is the target company or organization?
– What kinds of topics are employees interested in?
– What sites do employees often visit?
– Which web browser is used in the target company?
– Which anti-virus product is used?
– …
Why is traditional defense not enough? Some insights:
§ Breaking into a trusted partner and then loading malware onto the target’s network
§ Creating designer malware tailored to only infect the target organization, preventing identification by security vendors
§ Using social networking and social engineering to perform reconnaissance on spear-phishing targets, leading to compromised hosts and accounts
§ Exploiting zero-day vulnerabilities to gain access to data, applications, systems, and endpoints
§ Communicating over accepted channels such as port 80 to exfiltrate data from the organization
Enterprise network is evolving
[Figure: enterprise network – Servers, Applications, Client PCs, VMs on Private Cloud and Mobile Devices behind Internet / FW / IPS/IDS / Switch, with Anti Virus on endpoints]
Traditional Perimeter based defense
[Figure: the same enterprise network – Servers, Applications, Client PCs, VMs on Private Cloud, Mobile Devices – behind Internet / FW / IPS/IDS / Switch, with Anti Virus on endpoints]
Protect the corporate network and endpoints from attacks
Now we need to assume invasion of malware
[Figure: the enterprise network – Servers, Applications, Client PCs, VMs on Private Cloud, Mobile Devices – behind Internet / FW / IPS/IDS / Switch with Anti Virus, and an attacker’s Command & Control Server on the Internet]
Protect outgoing connections to prevent data leakage, assuming that malware already exists in the network.
Now we need to assume invasion of malware
[Figure: the enterprise network – Servers, Applications, Client PCs, VMs on Private Cloud, Mobile Devices – behind Internet / FW / IPS/IDS / Switch with Anti Virus, and an attacker’s Command & Control Server on the Internet]
Monitor network & endpoints and detect malware’s and attacker’s activities
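One concrete form of "monitor outgoing connections, assuming malware is already inside" is to look for beaconing: an infected endpoint polling its command & control server on a timer, typically over an accepted channel such as port 80, produces inter-connection gaps far more regular than human browsing. The following is an added example written for this page, not code from the slides or from any IBM product; the proxy log format (`timestamp client destination port bytes`), the sample lines, and the `min_hits` / `max_jitter` thresholds are all constructed assumptions.

```python
"""Added example (not from the slides): flag outbound connections whose
timing is too regular, the beaconing pattern of a timer-driven implant
polling a command & control server over an accepted channel (port 80).
Log format, sample data and thresholds are assumptions."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed proxy log lines: "timestamp client destination port bytes".
# 10.0.1.15 browses irregularly; 10.0.1.22 contacts one host every 60 s.
SAMPLE_LOG = """\
2013-10-26T09:00:00 10.0.1.15 news.example.net 80 5120
2013-10-26T09:00:00 10.0.1.22 cdn-updates.example.org 80 210
2013-10-26T09:01:00 10.0.1.22 cdn-updates.example.org 80 214
2013-10-26T09:02:00 10.0.1.22 cdn-updates.example.org 80 208
2013-10-26T09:03:00 10.0.1.22 cdn-updates.example.org 80 212
2013-10-26T09:03:41 10.0.1.15 news.example.net 80 4870
2013-10-26T09:04:00 10.0.1.22 cdn-updates.example.org 80 211
2013-10-26T09:05:00 10.0.1.22 cdn-updates.example.org 80 209
2013-10-26T09:17:09 10.0.1.15 mail.example.com 80 900
2013-10-26T09:31:30 10.0.1.15 news.example.net 80 6100
"""


def parse_log(text):
    """Parse log lines into (timestamp, src, dst, port, bytes) tuples."""
    events = []
    for line in text.strip().splitlines():
        ts, src, dst, port, nbytes = line.split()
        events.append((datetime.fromisoformat(ts), src, dst, int(port), int(nbytes)))
    return events


def beacon_candidates(events, min_hits=5, max_jitter=0.1):
    """Return {(src, dst): mean_gap_seconds} for client/destination pairs
    whose inter-connection gaps are nearly constant (stdev/mean <= max_jitter)
    over at least min_hits connections. Human browsing gives irregular gaps;
    a timer-driven beacon does not."""
    per_pair = defaultdict(list)
    for ts, src, dst, _port, _nbytes in events:
        per_pair[(src, dst)].append(ts)
    hits = {}
    for pair, times in per_pair.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            hits[pair] = round(avg, 1)
    return hits


if __name__ == "__main__":
    for (src, dst), gap in beacon_candidates(parse_log(SAMPLE_LOG)).items():
        print(f"possible beacon: {src} -> {dst} every {gap}s")
```

On the constructed sample only the 60-second pair from 10.0.1.22 is reported; the three visits from 10.0.1.15 to news.example.net are too few and too irregular. In a real SOC this check is one correlation rule among many: a hit is a lead for the analyst to pair with endpoint data (which process opened the connection), not a verdict on its own.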
How can we do it?
Security information and Event Management (SIEM)
[Figure: data sources from Internet / FW / IPS/IDS / Switch through to endpoints feeding the Security Operation Center (SOC)]
§ Configuration information
§ External threat intelligence feeds
§ Network flows and anomalies
§ Web page text
§ Full packet and DNS captures
§ E-mail and social activity
§ Business process data
§ System audit trails
§ Access log
§ Mobile device information
§ Endpoint information
§ Middleware log
§ OS level log
§ Application log
§ Download from app stores
Security Information and Event Management (SIEM): Security Intelligence
Extensive Data Sources + Deep Intelligence = Exceptionally Accurate and Actionable Insight
QRadar: Intelligent Event Management and Attack Detection
Provide information on an attack with a comprehensive and integrated view
§ What kind of attack?
§ Who is attacking?
§ What are the attacked assets?
§ From where?
§ Does the asset have a vulnerability?
§ What is the business value?
§ What is the evidence of the attack?
Flow of Security Analytics
Inputs: Login Information, Access Log, Social Events, Network Events
Analysis Engine stages: Filtering, Correlation, Behavior Model, Transformation, Alerting
Outputs: anomaly detection, early-sign (predictive) monitoring
Machine learning and near real-time monitoring enable continuous refinement and tracking of ‘normal’
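To make the analysis-engine stages concrete, here is an added example, written for this page and not taken from the slides or from any IBM product, that runs login/access records through Filtering, Correlation, Behavior Model, Transformation and Alerting in that order (the order itself is an assumption; the slide lists the stages without one). The record layout `(user, hour, source network, bytes)`, the training records, the scoring rules and the alert threshold are all constructed.

```python
"""Added example (not from the slides): a minimal
Filtering -> Correlation -> Behavior Model -> Transformation -> Alerting
pipeline over constructed login/access records. The record layout, the
scoring rules and the threshold are assumptions made for illustration."""
from collections import defaultdict

# Constructed training window: (user, hour_of_day, source_network, bytes).
BASELINE = [
    ("alice", 9, "office", 1200), ("alice", 10, "office", 800),
    ("alice", 14, "office", 1500), ("alice", 17, "vpn", 900),
    ("alice", 9, "office", 700), ("alice", 13, "vpn", 1100),
    ("bob", 8, "office", 300), ("bob", 9, "office", 450),
    ("bob", 11, "office", 520), ("bob", 15, "office", 380),
    ("bob", 16, "office", 410), ("bob", 10, "office", 600),
]

# Constructed new events: a routine login, an off-hours login from an unknown
# network with a large download, a service account, and an unseen user.
NEW_EVENTS = [
    ("alice", 11, "office", 1000),
    ("bob", 3, "home-dsl", 25000),
    ("svc_backup", 2, "dc", 900000),
    ("carol", 10, "office", 400),
]


def filtering(records):
    """Drop records that carry no signal for a user model:
    service accounts and empty transfers (convention assumed here)."""
    return [r for r in records if not r[0].startswith("svc_") and r[3] > 0]


def correlation(records):
    """Group events by user so each user's history is analysed together."""
    by_user = defaultdict(list)
    for r in records:
        by_user[r[0]].append(r)
    return by_user


def behavior_model(by_user):
    """Per-user profile of what 'normal' looked like in the training window."""
    model = {}
    for user, recs in by_user.items():
        model[user] = {
            "hours": {h for _, h, _, _ in recs},
            "nets": {n for _, _, n, _ in recs},
            "max_bytes": max(b for _, _, _, b in recs),
        }
    return model


def transformation(record, model):
    """Turn one new event into an anomaly score (0..3) against the profile."""
    user, hour, net, nbytes = record
    prof = model.get(user)
    if prof is None:
        return 3  # never-seen user: maximal score
    score = 0
    if not any(abs(hour - h) <= 1 for h in prof["hours"]):
        score += 1  # outside the user's usual hours (+/- 1 h tolerance)
    if net not in prof["nets"]:
        score += 1  # source network never seen for this user
    if nbytes > 3 * prof["max_bytes"]:
        score += 1  # transfer far larger than anything in the baseline
    return score


def alerting(records, model, threshold=2):
    """Emit (record, score) pairs whose score reaches the threshold."""
    scored = [(r, transformation(r, model)) for r in records]
    return [(r, s) for r, s in scored if s >= threshold]


def run_pipeline(baseline, new_events, threshold=2):
    """The whole flow: learn 'normal' from the baseline, then alert on new events."""
    model = behavior_model(correlation(filtering(baseline)))
    return alerting(filtering(new_events), model, threshold)


if __name__ == "__main__":
    for record, score in run_pipeline(BASELINE, NEW_EVENTS):
        print(f"ALERT score={score}: {record}")
```

Two design points carry over to real systems: the model is rebuilt from the baseline window (the "continuous refinement of normal" the slide mentions is just re-running `behavior_model` on a sliding window), and the score is additive so an analyst can see which rule fired rather than a bare yes/no.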
Security Analytics is built on a common platform and applied to multiple areas
Security Analytics Platform
§ Business Process Analytics – Clarify business process and detect security and compliance issues
§ Social Network Analytics – Detect potential risk from social graphs on SNS such as Facebook and Twitter
§ User Access Analytics – Anomaly detection and risk prediction from user / group access log
§ Network & Device Analytics – Analyze network packets and events for anomaly detection and risk prediction
§ Asset Analytics – Classify and visualize enterprise assets to protect them from information leakage
Event Correlation
Correlation of logs across middleware and application stacks
• Heuristics on time sequence
• Pattern extraction
[Figure: logs from Middleware1, Middleware2, Middleware3, Middleware4 and App1 feeding the correlation]
Process-File Dependency Visualization
Detect dependencies between processes and files on a PC
[Figure: dependency graph with Process and File nodes]
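The graph behind such a visualization can be built from the same endpoint events the later slide lists (process start, file access). The following added example, written for this page and not taken from the slides or from any IBM product, ingests a constructed endpoint log into a process/file dependency graph and answers the two questions an analyst asks of it: which process chain touched a given file, and where data flowed from one process to another through a file. The record layout, process names and file paths are all constructed.

```python
"""Added example (not from the slides): a process/file dependency graph built
from constructed endpoint log records (process start, file read, file write),
with queries for process ancestry and file-mediated data flow.
Record layout, names and paths are assumptions."""
from collections import defaultdict

# Constructed endpoint log: (seq, event, subject, object)
#   "start": subject = parent pid, object = "pid:image"
#   "read" / "write": subject = pid, object = file path
ENDPOINT_LOG = [
    (1, "start", "1", "100:explorer.exe"),
    (2, "start", "100", "200:winword.exe"),
    (3, "read", "200", "C:\\Users\\u\\invoice.docx"),
    (4, "start", "200", "300:cmd.exe"),
    (5, "start", "300", "400:powershell.exe"),
    (6, "read", "400", "C:\\Finance\\customers.xlsx"),
    (7, "write", "400", "C:\\Users\\u\\AppData\\Local\\Temp\\out.zip"),
    (8, "start", "100", "500:outlook.exe"),
    (9, "read", "500", "C:\\Users\\u\\AppData\\Local\\Temp\\out.zip"),
]
SENSITIVE_FILE = "C:\\Finance\\customers.xlsx"
STAGED_FILE = "C:\\Users\\u\\AppData\\Local\\Temp\\out.zip"


class DependencyGraph:
    """Bipartite graph: process nodes linked by parent edges, file nodes linked
    to processes by read/write edges."""

    def __init__(self):
        self.image = {}                 # pid -> executable name
        self.parent = {}                # pid -> parent pid
        self.readers = defaultdict(set)  # file -> pids that read it
        self.writers = defaultdict(set)  # file -> pids that wrote it

    def ingest(self, records):
        for _seq, event, subject, obj in sorted(records):
            if event == "start":
                pid, image = obj.split(":", 1)
                self.image[pid] = image
                self.parent[pid] = subject
            elif event == "read":
                self.readers[obj].add(subject)
            elif event == "write":
                self.writers[obj].add(subject)
        return self

    def ancestry(self, pid):
        """Process chain from the outermost known ancestor down to pid, as images."""
        chain = []
        while pid in self.image:
            chain.append(self.image[pid])
            pid = self.parent[pid]
        return list(reversed(chain))

    def chains_touching(self, path):
        """For every process that read or wrote `path`, its full ancestry."""
        pids = sorted(self.readers.get(path, set()) | self.writers.get(path, set()))
        return [self.ancestry(p) for p in pids]

    def file_flows(self):
        """Data-flow edges: a file written by one process and read by another,
        i.e. where content moved between processes via the file system."""
        flows = set()
        for path, writers in self.writers.items():
            for w in writers:
                for r in self.readers.get(path, ()):
                    if r != w:
                        flows.add((self.image[w], path, self.image[r]))
        return flows


if __name__ == "__main__":
    g = DependencyGraph().ingest(ENDPOINT_LOG)
    for chain in g.chains_touching(SENSITIVE_FILE):
        print("touched by:", " > ".join(chain))
    for writer, path, reader in g.file_flows():
        print(f"flow: {writer} --[{path}]--> {reader}")
```

The ancestry query is what turns a flat "file read" event into something reviewable: a spreadsheet opened by a document editor's descendant shell is a different picture from the same file opened by the spreadsheet application directly, and the file-flow query exposes the hand-off between processes that per-process views miss.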
Integration Architecture of QRadar, DLP and IBM Endpoint Manager
[Figure: Endpoint (PC) with DLP agent and IEM agent; DLP Server; IEM; QFlow; QRadar receiving endpoint log (e.g. file access, process start) and network events]
§ QFlow monitors network traffic
§ Endpoint DLP monitors the user’s behavior
§ Endpoint Manager dispatches policies to be enforced
§ QRadar correlates network and endpoint information