The Changing Nature of Risk and the Role of Big Data

Transcription

1 The Changing Nature of Risk and the Role of Big Data Jack Danahy Director / North American Security Consulting IBM

2 Incidents Continue to Grow in Spite of Investment 2012 Sampling of Security Incidents by Attack Type, Time and Impact Conjecture of relative breach impact is based on publicly disclosed information regarding leaked records and financial losses Source: IBM X-Force 2012 Mid-year Trend and Risk Report, September 2012

3 Attacks, Sophistication, and Vulnerabilities Increase Source: Targeted-by-the-Hackers.html?ref=technology "This attack was not the work of amateurs, and we do not believe it was an isolated incident. The attackers were extremely sophisticated, and we believe other companies and organizations have also been recently similarly attacked." Source: In 2012, IBM reported over Source: IBM X-Force 2012 Mid-year Trend and Risk Report, September 2012

4 Individual Attacks Span Multiple Vectors People Investments Advisors Employees Privileged Users Suppliers Outsourcers Institutional Clients Investors Data Account Information High Value Portfolios Customer Information In Motion Applications Asset Management Enterprise Applications Investment Trading Mobile Applications Infrastructure Datacenters PCs Laptops Mobile Cloud Non-traditional

5 Creating a Need for a Multi-Pronged Approach Then Now People Administration Insight Data Basiccontrol Laserfocused Applications Bolt-on Built-in Infrastructure Thicker walls Smarter defenses Collect and Analyze Everything

6 Threats and Attackers are More Sophisticated. 1 Break-in Spear phishing and remote exploits to gain access 2 Command & Control (CnC) Latch-on Malware and backdoors installed to establish a foothold 3 Expand Reconnaissance and lateral movement to increase access and maintain a presence 4 Gather Acquisition and aggregation of confidential data 5 Command & Control (CnC) Exfiltrate Data exfiltration to external networks

7 Multiple Threat Vectors Dictate Broad Visibility Misconfigured Firewall Vulnerable Server 0day Exploit Botnet Communication SQL Injection Malicious PDF Spammer Infected Website Phishing Campaign Malicious Insider Brute Force On the Network Across the Enterprise Across the World Application Control Risk Management Threat Advisories Network Anomaly Detection Vulnerability Management IP Reputation Web Application Protection Content and Data Security Intrusion Prevention Network Activity Monitoring SIEM Log Management Malware Information Malicious Websites Vulnerability Database Threat Protection Security Intelligence Threat Intelligence

8 Changing Responsibilities at the C-Level

9 Key CIO Findings Crisis or Compliance Drives Tactical Behaviors Investments typically driven by industry standards and regulation or by specific negative event Value proposition is to address immediate need at minimal cost leading to point solution buying CIOs seek to transform from IT security to information risk management Mobile, social and cloud are driving increased threats, leaks and regulations In addition to more risk, the nature of risk is shifting away from data toward the core business CIOs are looking for more a more holistic, integrated risk management approach CIOs highlight four requirements to executing information risk management Active engagement with business leaders in information security decisions New IT risk role with sufficient knowledge, authority and budget to address issues across the business Integrated vendors with consulting skill and security solutions that address the entire information lifecycle Better ways to measure the value of security / risk management to the organization

10 CIO Consensus : Holistic View Required Organizations need to move away from solely concentrating on compliance, audits, preventing unauthorized access and data exposure, and service interruptions. This new perspective is more about Information Risk Management as opposed to just security and compliance. Traditional Focus Governance and Compliance Emerging Focus Information Risk Management IT Compliance Risk Negative audit findings, penalties, fines Regulatory or statutory shortcomings LOB Operational Risk Disruption of business operations Failure to assure integrity of products or services delivered Information IT Risk Unauthorized exposure of critical information asset Significant service interruptions Brand Risk Loss of brand equity Loss of customer trust Technology IT Risk Failures in access control System or application unauthorized modification Transformation Risk Inability to execute on transformation initiatives Failure to deliver expected business value

11 1. Executive Management Considers Security as IT The business deals with risk when there is a problem/breach or impending regulatory action, otherwise security is largely considered an IT issue. CIOs tell us CIO s need to. If you tried to walk into the board of directors of today and talk about information risk management, he ll tell you to go talk to the IT people. Management does not appreciate the strategic value of good information risk management - all hell breaks loose when something does go wrong, then they forget about it in time. Business and non-it executives are willing to discuss security and technology risk issues, but typically only if he asks them to get involved, they talk about it when I bring it up The organization pays lip service to the idea that security is a business problem, but typically does not put it s money where it s mouth is. The down side is you get small, important chunks of airtime with these business executives. If you re seen as a nerd without a strategic holistic view, they don t want to go anywhere. Engage with business leaders to take a more active role in information security decisions

12 2. The CISO Suffers From Lack of Visibility and Influence IT doesn t always have a strong voice across the organization CIOs tell us CIO s need. CIOs/CTOs feel either a risk management group or executive should report to a business executive or the board so they have sufficient and independent authority and can help promote a more holistic, businessled approach to the organization. It s something I believe in, but we don t have the right people running this area. The Information Risk Officer needs to align to the business to give the position more credibility and authority those aligned to the technology organization don t have as much impact and credibility within the business lines. Don t have the right people leading this area we don t have the right level person, the right skill-level person doing it while he has the authority and the budget (or can take it from other areas), he doesn t feel prepared to assume this role The right people leading a new security role within the organization that is aligned with the business and has sufficient knowledge, authority and budget to address issues across the business

13 3. Point Solutions are Already in Place Existing (and significant) security investments CIOs tell us None of the participants take a fully integrated, holistic approach to security solution purchases reactive, point product buys are more the norm. New / ever changing threats, the desire for best of breed products to address these specific threats, and lack of awareness of integrated, enterprise-wide solutions drive this purchase behavior. The different point solutions that have been implemented throughout the years all the silos of systems that have been in place over the years it is a desired direction to move towards, however, it s going to be a long ways away. Others doubts that one provider can deliver a holistic solution that can cover all segments of security, including mobile devices (with different operating systems), anti-virus, firewalls, proxy servers, etc. CIO s need. Partner with security vendors with consulting skill sets and business relationships as well as security solutions that address the entire information lifecycle. Would make things easier if there were at least a couple vendors in the marketplace who do really good end-toend security, however, not sure who, if anyone, has that capability.

14 4. Hard to Measure the Positive Impact of Security Business leaders are skeptical about ROI since it s not directly tied to revenue growth CIOs tell us CIO s need. Not sure how to quantify it and doesn t try to with management, just tells them it s just what we need to do. It s not ROI because this isn t making you money. It s not going to save money unless there is a problem so you talk about it internally as lowering the probability of exposure. The more sophisticated talk about a certain % decrease in exposure and then apply that decrease to the revenue in play Another CIO would like vendors to approach him with more solutions that demonstrate ROI they need to come to the table with a model on how to prove that there is either a cost neutral or a positive ROI for going down a path. Better ways to measure the value of security and risk management to the organization

15 Integrating the Power of Big Data

16 Increased Threat Sophistication is Compounded by Scale Configuration data from infrastructure Vulnerability and patch information Alerts from security sensors Security logs from servers External threat feeds 250,000 managed firewalls 30,000 network devices 500,000 open port combinations 410,455 Windows client systems 36,109 Windows servers 24,000 *NIX servers 1200 vulnerability assessors System audit trails and logs and social activity Business process data Malware samples and behavior Network flows and anomalies Full packet and DNS captures Size estimates of scale and volume of events and logs TB per month per major security service GB total per minor security service Unscoped TB unstructured social and business data

17 Driving an Evolution of Intelligence for Security Log Management SIEM Security Intelligence with Big Data Collect and analyze security logs Monitor and manage users, services and system configuration changes Incident response Real-time correlation and advanced analytics Anomaly detection Enterprise-wide visibility Structured and unstructured data Predictive and decision modeling Interactive visualization Security insights from enterprise data

18 Business Potential for Big Data Enablement in Security Visibility from traditional security operations and technologies Alerts from security sensors Configuration data from infrastructure System audit trails and logs Vulnerability and patch information Security logs from servers External threat feeds Network flows and anomalies Security operations are reactive vs. proactive Lots of data but limited visibility restricts threat awareness and containment When needed - insufficient cyber security investigative and forensics capabilities Complex ever-changing regulatory environment and social activity Business process data Malware samples and behavior Full packet and DNS captures The new Security program needs to enable system availability and stakeholder confidence

19 Big Data Applies to Prevention and Clean-up What are the external and internal threats? Are we configured to protect against these threats? What is happening right now? What was the impact? Prediction & Prevention Risk Management Vulnerability Management Configuration Monitoring IBM X-Force Threat Intelligence Compliance Management Reporting and Scorecards Reaction & Remediation SIEM Log Management Incident Response Network Anomaly Detection Packet Forensics Database Activity Monitoring Data Loss Prevention

20 Data Scale Data at Rest Harnessing the Variety, Velocity and Volume of Big Data Deep: Historic Insight, Context, Model Building Exa Peta Tera Up to 10,000 times larger HOT Analytics : Realtime behavior analytics Realtime interdiction Just in time investigation and mitigation COLD Analytics : Giga User and system profiling Forensic analysis / clean-up Mega Traditional Data Warehouse and Business Intelligence Cost and resource tracking Kilo Data in Motion Up to 10,000 times faster Fast: Detection, Correlation, Aggregation, Scoring yr mo wk day hr min sec ms μs Decision Frequency

21 Global Threat Operations Center Actual Customer Example Security Analysis Center Key Functions Threat Intelligence Gathering Event and Vulnerability Analysis Impact Analysis Incident Management Investigations Enforcement Optimization Risk Assessments, Briefings, and Advisories Key Functions Security Monitoring Incident Escalation and Response SIEM Intelligence Platform Administration Security Governance Security Operations Center Key Functions Application Management Hunter Team Penetration testing Infrastructure Application Social Phishing Awareness Attack modeling Assessments Ad-hoc projects Configuration Management Policy Management Security Intelligence Platform Key Functions Aggregate security event, log and flow data Correlation, rules and feeds

22 IBM Architecture Example Security Intelligence Platform Big Data Platform QRadar Data collection Event correlation Real-time analytics Offense prioritization Data Ingest Insights InfoSphere BigInsights Hadoop-based data integration Data mining Custom analytics Machine learning Advanced Threat Detection Custom Use Cases Traditional Data Sources Non-traditional

23 Customer example User profiling based on multiple sources Data Sources Real-time Processing Security Operations Internet NetFlow Web and Proxy 6 Big Data Processing 7 Big Data Analytics and Forensics 5 Unstructured Data Hadoop Store Suspicious User(s) 8 Optional Relational Store 9

24 Intelligence Data Flow Public Research Industry Collaboration Threat Actor Analysis IR Analysis ISACS Community Groups Vuln Analysis Private Research SAC/SOC Actionable Intelligence Incident Info GregNet Threat Modeling Threat Analysis Threat Detection Anomaly Detection Vulnerability Research Honeynet Blacklists BlackNet Alerting TBS Direct Communication Hunter Team CIO/CISO Office Intel Gathering Threat Modeling Analysis Exploitation Past Exploitation Analysis Reports

25 CIO and CISO Influencers

26 CIO and CISO are a Strategic Combination In IBM s recent CISO Study, nearly two thirds said senior executives are paying more attention to security issues and expect to have to spend more over the next 2 years. They also rated external threats as a bigger challenge than internal threats, new technology or compliance. Influencers in limiting the impact of security breaches demonstrate commitment to a proven approach: 1) They set priorities by understanding the asset environment 2) They understand what needs to be protected and implement accordingly 3) They understand that they need a plan in place in the event of a breach 4) They understand that enterprise security means more than just technology it involves people and process as well Source: IBM 2012 CISO Assessment y

27 Applying the Lessons of Influencers Prioritize Protect Prepare Promote Determine what s most important to the security of your business and why Identify those areas most vulnerable to attack Identify the specific types of attacks that pose the biggest threat Create a proactive and informed approach to IT security Identify existing vulnerabilities and fix them Mediate against any existing threats Take an informed approach to security intelligence Demonstrate and document the value of your security investments Review to ensure that there are no gaps or unnecessary overlaps Develop a detailed and coordinated response plan Ensure you have access to the resources and tools needed to respond quickly Take a consistent approach to assigning responsibility across the organization Create and support a risk-aware culture throughout your organization Ensure that each employee knows what to do

28 Integration to Improve Consistency and Communications Consolidate and correlate siloed information from hundreds of sources Designed to help detect, notify and respond to threats missed by other security solutions Automate compliance tasks and assess risks Stay ahead of the changing threat landscape Designed to help detect the latest vulnerabilities, exploits and malware Add security intelligence to non-intelligent systems Customize protection capabilities to block specific vulnerabilities using scan results Converge access management with web service gateways Link identity information with database security JK

29 Put the Model Into Action Risk Baseline Knowledge What is the cost of an outage? What are the ingress and egress points? Gather Information Existing Knowledge Impact studies Network diagrams Known bad actors Interpret Results Risk Assessment Impact Vulnerability Threat How can the system be accessed? What malware exists that can exploit my OS and access methods? Routine Collection Baseline Anomalies Firewall Rule Usage Vulnerability Scans Research Penetration tests Forensic analysis Attack modelling Validation Likelihood Costs Risk mitigation & avoidance IPS Signature Firewall rule Architecture Mods Draw Conclusion The Answer Data Information Security Intelligence

30 Questions?