Tom Patterson, CISA CGEIT CRISC CPA Associate Partner IBM Global Business Services

Transcription

1 The Opportunity in Risk & Security Trends Tom Patterson, CISA CGEIT CRISC CPA Associate Partner IBM Global Business Services Track 217

2 Having Increased Visibility to Information Security Risks in a Changing, Distributed World Presents Many Challenges.and Opportunities More than Ever, Critical Systems are Globally Distributed, in Constant Flux, and Regularly Come Under Attack Need to Continuously enforce security configuration baselines on hundreds of thousands of workstations, servers, and mobile devices worldwide Need to patch hundreds of thousands of workstations, laptops and servers to the latest security level in minutes Need to deploy a software application to hundreds of thousands of workstations worldwide Need to perform critical updates over high latency, low bandwidth networks without impacting productivity Need to Find and VA all assets on our network NOW!

3 Security Threats Come from Many Sources in Today s Highly Interconnected IT Environments The Challenge configure, protect and monitor every device that connects and authenticates to the network for vulnerabilities while analyzing messaging, making changes, patches, and protecting data The Opportunity turning data collected from every connected device into actionable intelligence to pro-actively redirect threats, vulnerabilities, events, and attacks into NON-EVENTS

4 Attractive Data & Cyber-Infrastructures are Targets Business & Government Data Sets Critical Infrastructure Personal Data Financial Assets

5 Insiders Still the Leading Cause of Successful Breaches Unisphere Research survey results from data managers at 200+ companies across a variety of industries 2011 ISUG Report on Data Security Management Challenges available at: REPORT-ON-DATA-SECURITY-MANAGEMENT-CHALLENGES/ISUG-DataSec-FINAL.pdf

6 What is Security Intelligence? Security Intelligence noun 1. thereal timecollection time collection, normalization, andanalytics analytics of the data generated by users, applications and infrastructure that impacts the IT security and risk posture of an enterprise Security Intelligence provides actionable and comprehensive insight for managing risks and threats from protection and detection through remediation

7 What is Security Intelligence & Event Management (SIEM)? SIEM noun 1. thereal timecollection time collection, normalization, and correlation analysis of data generated by users, applications, infrastructure, and identified events that can impact the IT security and risk posture of an enterprise SIEM can provide actionable insight to help organizations identify and manage risks to enterprise IT and the data needed to track risks & events from mitigation to remediation

8 But Using Security Intelligence in Threat Detection Requires Extensive Contextual & Correlation Insights Suspected Incidents Most Sources + Most Intelligence Most Accurate, Actionable Insight

9 Determining Full Compliance over the Security Intelligence Timeline Require Real Time Information Intelligence Timeline Require Real Time Information

10 Ensuring Compliance using Security Intelligence Also Demands a Strong Governance Processes g PC / Server Configuration Lifecycle Management Vulnerability Management IT Governance, Risk, & Compliance Management Patch Management Security Configuration Management Endpoint Protection

11 Compliance using Security Intelligence also Requires a Knowledge Baseline Reporting and Enforcement on 5,000+ Controls

12 So Organizations Need Integrated Security and Compliance Visibility Compliance Visibility

13 SIEM software used with End Point Asset Management tools help Identify IT riskpoints SIEM covers the end to end IT environment all Assets included In the SIEM solution set End Point protection tools cover the end points in an IT environment & Host (assets) included in the scope of Compliance Management

14 SIEM and End Point Asset Management software integrated into the ITGovernance process Managing dynamic, always changing IT environments requires careful integration of Asset, Change, Security (Preventive), Configuration Management, and Monitoring (Detective) processes and tools Securing and protecting critical IT assets and data requires careful integration of preventive and detective security controls and processes focused on internal vulnerabilities AND external threats A big Opportunity comes in dynamically linking real time data about Assets & their Changes, their Vulnerabilities, and Events with data on Internal and External Threats So organizations look to smartly integrate SOC and security management processes with Asset, Change, and Configuration Management processes

15 End-Point Compliance Dashboard / Reporting *Tivoli End Point Management Functionalities To monitor real time and historical visibility into state of compliance Identify critical gaps in compliance to defined policy Customized ddashboards d create different lenses into the compliance state Computer Groups Categories Policy Templates To drill downdown to specific details of non compliant or compliant systems Compliance focused Executive reporting via web reports

16 End Point Executive Compliance Reporting Generate Executive Friendly reports to show compliance state Enhance visibility into Entire infrastructure Single system Specific Policies Available through web reports Externalize visibility as desired Display and/orcalculate Display and/or calculate exceptions within report results

17 Managing End-point Exceptions Identify exceptions against Compliance Benchmarks and Controls Target specific systems by name, group, or property Dfi Define expiration dates dt for fixing exceptions Maintain full audit history of each exception. Report on exceptions and choose to ignore, use, or use and show exceptions within reports Update and modify existing exceptions as needed Export active or expired Export active or expired exceptions and history

18 Monitoring End Point Patch & Configuration Management

19 Client Manager for Endpoint Protection

20 End Point Core Protection Module

21 End Point Vulnerability Management

22 Protecting End Points is Only Part of the Internal Security and Asset Management Problem Space How do we collect configuration, change, and information on data migration events from all IT Assets? How do we create an end to end view of what s happening in complex, ever changing IT environments from all devices connecting and collecting or providing data to systems, data stores, or other devices connected tdto our internal environment? We can also use Security Information & Event Management (SIEM) and Data Loss Prevention (DLP) systems and appliances to fill in missing data points SIEM systems help automate collection, aggregation, formatting, and analysis of changing data points on enterprise systems and end point devices SIEM requires careful configuration, and time to setup security event rules before actionable events can be captured on a regular basis & rule updating based on lessons learned SIEM systems require discipline and analytical skill when applying a continual learning curve to the ongoing maintenance of Event Generating rules

23 SIEM Technology Overview SIEM tools include stand alone and integrated software tools logically connected to device specific logging databases Log Collection occurs through various log collection methods providing agent and agentless collection capabilities Collected dlogs are parsed & mapped to universal llog format (uses Common Event Format) All the log information is aggregated to produce Log Events Log events are collected and correlated from various event data sources and analyzed against threat scenarios based on pre defined rules ( Correlation Rules) Identified events matched against correlation rules are turned into Alerts for appropriate follow up action Reports can be generated and produced for different stakeholders i.e., Security Analysts working in the SOC, Auditors, Executives, Senior IT Management, etc.

24 SIEM Architecture

25 SIEM Log Parsing and Event Mapping Log parsing is an important activity to make sense of logs from various sources (End points, Servers, Routers, Firewalls, Switches, etc.) Log parsing aggregates log data in different log formats and converts this into a Common Event Format (CEF). (converts system Log data to Events) Once Event data is aggregated, SOC analysts map the aggregated data using the Common Event Formatting so the logs make sense in essence they Correlate the data coming in with Events happening in the environment using pattern recognition (defined in pre established rules)

26 SIEM Alerting and Reporting Alerts are generally designed to be operational and forwarded to Security Operations Center (SOC) professionals for investigation and action Reports provide support for ongoing events and provide summary data about threats identified and the levels of risks posed by the threats Standard reporting can be custommade made and focused on Regulatory reporting requirements Custom reports are either regular or Ad hoc reports to align with SOC or an IT executive s requirements Regulatory reports can be produced for sharing with Internal or External Auditors or to support Regulatory Compliance Audits like PCI DSS, SOX 404, HIPAA, GLBA, etc. I.E. to demonstrate Continuous Monitoring! Regulatory Reporting is a separate module contains the Regulatory requirement mappings and templates to be produced to the Auditors.

27 SIEM Products Forensics Analysis Another capability of SIEM products is Forensics and Chain of Custody Analysis Forensics analysis extracts and collects the log patterns for further analysis Chain of Custody protection supports a user s legal responsibility by providing logs As Is and demonstrate and prove a proper chain of custody that helps ensure that logs were not altered during their collection to transmission

28 Linking unstructured and structured data to improve information quality for Extended Monitoring Unstructured Information Entity & relationship extraction Facts extracted from unstructured information and summarized in a structured format Aggregation of information from: Information Server 1. Internal sources 2. External sources Metadata repository Reconcile Support Refute Structured Information Relationship Discovery & Quality Monitoring Optim Information Server Facts in structured information supported or repudiated with facts extracted from unstructured information Information in unstructured documents becomes actionable through automated means when extracted and stored din structured t dform Relationships across distributed data sources (different business units) can be discovered and used to enrich or otherwise improve the quality of structured data and information Metadata repositories are used to create common definitions of facts (entities & their relationships) the facts we are searching for in structured & unstructured information repositories

29 TFP1 Decision Management is the key to Risk Identification and Mitigation Industry Content Corporate Governance Financial Performance and Strategy Management Act Decide Operational Oversight Orient Observe Decision Mgmt Product, Project, Portfolio and Performance Management Operations

30 Slide 29 TFP1 I think the word "Execute" could be added for impact here. The concept of having a more "demand driven" corporate compliance process has yet to be pushed in GRC circles but with compliance cost mgmt optimization and the continuing corporate focus on rationalizing controls, control inventory management, and need to automate controls still a significant missed opportunity area for GRC solutions and thus still a concern of CCO's, (aka SOX 404) it might be good to add something about these concepts in the deck if it can be done without diluting the overall impact or message (outcome desired) Tom Patterson, 4/29/2011

31 RELATED EXAMPLE REPUTATION MANGEMENT Business Challenge Monitoring the Social Media Swarm to Protect Companies Reputations A consumer products good company made change of ingredients to a number of there consumer products. The change had significant ifi impact to one of their largest consumer segments. The response to these ingredient changes was as social media swarm discussion how the community should react to the apparent unilateral decision by the company to make these changes. The consequence could significantly impact the companies reputation and market share. Solution IBM Global Business Services in conjunction with IBM s Corporate Brand and Reputation Analysis (COBRA) uses Smart Alerts to monitor events on a daily basis, and identified significant increases in the buzz about the ingredient changes, along with discussions by the community of topics including Outrage, Boycott and Stop Buying. The chart to the right is an example of what happens when a company make a change to a ingredient, resulting in a significant increase in posting related in both the message boards and blogs, but was not picked up my the new sources until much later. Benefits The COBRA analysis helped help the company identify emerging buzz before it became a major traditional event. COBRA correctly identifies the seriousness of the event by monitoring the topics of discussion and identify who were the social media influencers.

32 Why We Must be Pro Active in Improving our Defensive (and Offensive) Analytic Capabilities? Surveys of US IT and IT Security professionals by the Ponemon Institute (sponsored by Juniper Networks), found threats from cyber attacks today nearing a statistical certainty of occurrence, and organizations of every type and size are vulnerable to attack Only 11 percent of respondents knew the sources of network security breaches. Almost half, 48 percent cite complexity as one of their biggest challenges to implementing network security solutions with the same percentage of respondents saying solutions are limited due to resource constraints. 76 percent of respondents said deterring and combating cyber attacks can be made more effective by streamlining or simplifying network security operations. 75 percent said their effectiveness would increase by implementing end to end security solutions. 28 percent were earmarking more than 10 percent of their IT budgets to security to address these issues. Employee mobile devices and laptops are seen as the most likely endpoint from which serious cyber attacks are unleashed against a company. The top two endpoints from which breaches occurred were employee laptops at 34 percent and employee mobile devices at 29 percent. Source: Ponemon Institute LLC, 2011 Perceptions About NetworkSecurity Ponemon, Larry Amanda Black

33 Developing a Predictive Model Profile of Potential Breaches based on Factors Identified in Reported Cases Overall Insider Threat Activity* Job Dissatisfaction 23% Consider IP Their Own Personal Property 44% Planned Ahead of Departure created Backdoors 50% Stole Ahead of Departure 29% Stole from area of job responsibility 79% Partially developed material that they stole 48% Stole within a month after departure 56% Created explicit deception 31% These numbers represent the combined scores for Entitled Independent and Ambitious Leader threat models *Source: Derived from Software Engineering Institute Preliminary Model of Insider Theft of Intellectual Property Report June 2011 CMU/SEI-2011-TN-013 page17

34 Not all risks are created equal within and across organizations Frequency of Occurrences Per Year frequ uent infre equent 1, /10 1/100 1/1,000 1/10,000 Virus Data Corruption Data Leakage Worms Disk Failure Application Outage System Availability Failures Lack of governance Network Problem Failure to meet Industry standards Failure to meet Compliance Mandates Terrorism/Civil Unrest Workplace inaccessibility Natural Disaster Regional Power Failures Building Fire Pandemic 1/100,000 $1 $10 $100 $1,000 $10k $100k $1M $10M $100M Consequences (Single Occurrence Loss) in Dollars per Occurrence low high

35 In Summary What is Security Intelligence? Security Intelligence noun 1. thereal timecollection time collection, normalization, andanalytics analytics of the data generated by users, applications and infrastructure that impacts the IT security and risk posture of an enterprise Security Intelligence provides actionable and comprehensive insight for managing risks and threats from protection and detection through remediation

36 Questions?