Gaining the upper hand in today s cyber security battle

Transcription

1 IBM Global Technology Services Managed Security Services Gaining the upper hand in today s cyber security battle How threat intelligence can help you stop attackers in their tracks

2 2 Gaining the upper hand in today s cyber security battle It might be modern technology s version of a perfect storm. A well-known global business enters its busy season and everyone in the company is well, busy. So when hackers release custom-made malware into the company s computer systems and the security software signals that there might be a problem, it goes unnoticed. Flash forward a couple of weeks. It s still the busy season, but instead of just dealing with millions of customers looking for bargains, the company is also busy dealing with a massive security breach that ends up costing billions of dollars and does serious maybe even irreparable damage to its reputation. How could such a thing happen? A security warning almost certainly meant that something bad was happening, right? Not necessarily. The truth is, the average medium- to largesized company experienced an average of more than 1.7 million security events a week in 2013, which means that over 240,000 potential threats were detected by security devices or applications every single day. Clearly, only a very small fraction of those would lead to an actual breach. In fact, only an average of two of those 1.7 million events was deemed worthy of deeper investigation after being reviewed by security analysts in 2013 (see Figure 1). 1 Now the question is, which two? And that s where threat intelligence comes in. Virtually no company is equipped to deal with the threat potential of 1.7 million events a week on its own. And since we know that considerably less that 1 percent of those security events end up being identified as incidents, we need the help of correlation and analytics tools, along with human security analysts, to determine which of those millions of events each year deserve further attention. Security events, attacks and incidents for 2013 Security events Annual 91,765,453 Security attacks Annual 16,856 Security incidents Annual 109 Monthly 7,647,121 Monthly 1,405 Monthly 9 Weekly 1,764,720 Weekly 324 Weekly 2 Security Intelligence Correlation and analytics tools Security Intelligence IBM security analysts Figure 1. Security intelligence makes it possible to reduce the millions of security events detected annually in any one of our clients systems to an average of 16,900 attacks and under 110 incidents in a single organization over the course of a year.

3 IBM Global Technology Services 3 Events, attacks and incidents defined Security event: An event on a system or network detected by a security device or application. Security attack: A security event that has been identified by correlation and analytics tools as malicious activity that is attempting to collect, disrupt, deny, degrade or destroy information system resources or the information itself. Security incident: An attack or security event that has been reviewed by security analysts and deemed worthy of deeper investigation. Take a proactive stance With threats and attacker strategies advancing at a pace that most enterprises are unable to match, it s become increasingly clear that access to the right information and intelligence may be the most important thing you need to help level the playing field against today s attackers. Up-to-date intelligence about current and future threats, in addition to a real understanding of how well your security strategy stands up to these threats, puts you in a better position to manage your defenses, reduce risk and make smarter investments. Threat intelligence transforms the technical analysis required to identify the symptoms of an attack such as malware and security events into an understanding of who the attackers are and what their motives and capabilities may be. Armed with that information, you can proactively configure your infrastructure to help identify and prevent the types of attacks that are known to target your industry or the technologies deployed within your infrastructure. In other words, you can use information about the threats themselves to help manage risk and make it more difficult for attackers to succeed. Taking advantage of threat intelligence to help prioritize your security controls can help you identify the latest attacks more quickly and increase the speed with which you re able to respond to an incident. The changing terrain of the threat landscape The continued worldwide growth of data, networks, applications and the new technology and innovations they support is generating a growing number of targets for potential attacks. At the same time, the promise of financial gain, strategic advantage and notoriety is driving organized criminals, hacktivists, governments and adversaries to attack your most valuable assets. Supported by operations that are often well funded and businesslike, attackers patiently evaluate targets based on potential effort and reward. They use social media and other entry points to track down people with access, take advantage of trust and exploit them as vulnerabilities. At the same time, negligent employees can inadvertently put the business at risk as the result of simple human error. Threats and attacker strategies are advancing at a pace that most enterprises are unable to match. What s more, sophisticated attackers can continue to steal valuable data for months or even years before they re even detected. Unfortunately, security investments and approaches of the past may fail to protect against the highly sophisticated attacks we re seeing today. As a result, more severe security breaches are taking place more often and gaining more negative attention in the media. In fact, public reaction to these breaches has led 61 percent of organizations to say that data theft and cybercrime are the greatest threats to their reputation. 2

4 4 Gaining the upper hand in today s cyber security battle Know the difference between gathering information and gaining insight Since we know that the average medium- to large-sized company experienced over 1.7 million security events a week in 2013, there s a good chance that some unauthorized entity, somewhere, is attempting to access your data networks this very minute. Today s security systems are capable of delivering plenty of information about when events are taking place. They can even tell you a lot about the kinds of events they ve detected. But by themselves, these system-level events are not typically going to provide much insight into actual threats. That leaves you with several important questions that may be going unanswered: Who is targeting my organization? How do they operate? Do I have the right data sets to answer these questions? If so, how do I identify legitimate threats and eliminate the noise in all this data? What can we do to respond to these threats? Where is defense most effective? Having up-to-date answers to those questions can offer a significant payoff. It can help you stay ahead of threats and attackers by managing your defenses more effectively. Such an approach focuses effort, reduces waste in security operations and improves the cost efficiency of the security organization. And ultimately, it enables developing the right security strategy and making the smartest investments. But first, you need to find the threat data that s most meaningful for your organization. For example, attackers driven to gain strategic advantage against a competitor by accessing intellectual property, for example may be associated with one set of tactics and practices. Those motivated to steal customer data for financial gain, disrupt your operations or embarrass your leaders may take a different approach. Because their characteristics differ, you need information that reflects those differences and offers you insight into the specific clues, techniques and methods that identify the intruders most likely to take aim at your organization. Targeted threat awareness for advanced defense With a security team that s primed to hunt for attacks and breaches by collecting security-relevant data from multiple sources a team with insight into the practices and tactics of known adversaries you can access the information you need to recognize evidence of threats before they surface. And by deploying security intelligence technologies that let you correlate those insights with malicious activity in real time, you can take action to thwart serious threats before they impact your business. You can also take advantage of new and more sophisticated sources of external threat intelligence and expertise along with a set of newly emerging analytics capabilities and tools to augment your own knowhow. At IBM, we know where and how to collect meaningful data and use it to develop actionable insights. We have visibility into malicious activity among thousands of managed security services clients around the world. What s more, we re innovators in threat research and we ve established many partnerships with leading-edge providers of specialized services to enhance the intelligence we already generate. For example, our partnership with CrowdStrike a global provider of security technologies and services focused on identifying advanced threats and targeted attacks provides dedicated insight into attacker activity across multiple languages and cultures worldwide as well as detailed technical analysis of threat tools, tactics and practices. We can then analyze and correlate that information across the billions of security events we collect daily to offer our clients the knowledge and expertise necessary to respond proactively to targeted threats wherever they occur.

5 IBM Global Technology Services 5 The journey from compliance to threat management A large international insurance company with over 50,000 employees and more than 900 locations has made considerable progress along its IT security journey over the years. After starting out with basic security audits and compliance activities, and later incorporating a threat- and riskfocused approach, the company is now integrating security into its business strategy. But it s taken some serious thought and effort to make that happen. A few years ago the company became concerned about a growing problem. They recognized that both internal and external actors could leverage any number of sophisticated attacks against its people, processes and technology. And if successful, those attacks could result in records theft, business disruption, customer dissatisfaction, lost revenue, fraud and a devaluation of the company s brand. It turned out that the company s continued use of its earlier security model which had been designed for compliance, not threat detection was at the root of the problem. The security system was reporting over 51 million events per hour, which required a manual, resource-intensive process to resolve. Not surprisingly, that led to delays in log collection, reporting and analysis. It ended up taking five full days from the time an attack was first detected before the security analysis could be completed. Needless to say, a lot of damage could occur in five days if any of those events were found to be serious threats. That was when the company asked IBM to help improve the situation. Together they worked to create a new security model focused on threat detection, while providing key compliance benefits. By developing a new use case-driven tool, IBM helped the company see that mature intelligence gathering is far less focused on collecting all the data than it is on collecting the right data. As a result, they were able to reduce the noise generated by so many events. They also shortened the time it took from the moment an attack was detected to when action could be taken. Now, instead of taking five days, the entire process is completed in a single day. In addition, they instituted a closed-loop process for incident follow-though and closure. And they began to produce trend information and metrics on relevant threats. With help from IBM, the company has found that it s possible to meet their compliance requirements while significantly streamlining and sharpening their threat intelligence capabilities. Now they re able to identify the threats most relevant to their business and focus on the kind information that offers the insight and context to enable them to act. They also discovered that visibility is key to successful threat management and risk mitigation which is what s now allowing them to measure their performance against business priorities. IBM expertise helped this organization sharpen its existing threat intelligence to identify the most relevant threats and focus on the information that would give them the necessary insight and context to enable action.

6 6 Gaining the upper hand in today s cyber security battle Threat intelligence can help you stop attackers in their tracks How a typical attack progresses How threat intelligence lets you respond Step 1 Attackers break in, often by hiding out in or social media posts Recognize attackers reconnaissance and penetration tactics, so you can monitor potential targets and block them when identified Step 2 They latch on to legitimate programs and applications, infecting local workstations and systems Command & Control Recognize and block malware and behavior that indicates potential compromise of the target system Step 3 They take control of those programs and applications so they can expand to other workstations and servers Identify anomalous activity and commandand-control communications, particularly when attackers may be targeting high-value assets Step 4 They gather the data they ve targeted and prepare to extract it Recognize and defeat behavior that indicates an attempted compromise of sensitive data resources Confidential Step 5 They exfiltrate the data via the command and control software they installed in Step 2 Command & Control Detect and prevent the inappropriate exposure of high-impact data Confidential Figure 2. Attacks often follow a pattern of compromise. When these tactics can be detected early, organizations can reduce not only the impact of a threat, but the cost of mitigation. Threat intelligence is key to proactively tuning your environment against known attacks that target your industry and deployed technologies, recognizing specific examples of attacker behavior and being able to capitalize on security monitoring and technology services that can provide more effective defense when informed by threat awareness.

7 IBM Global Technology Services 7 By knowing how to identify the threats that matter to your organization, we can help inform your strategy and tactics, improving your overall security posture. With IBM Advanced Cyber Threat Intelligence Service, you get the insights you need to tackle today s threats (see Figure 2). We can help you: Keep up to date with threat actors and tactics that target your industry or geography through reports and findings on global adversaries and cyber attacks. Drive action with trusted advice from IBM consultants and security intelligence analysts, who have the experience and expertise to apply the relevant intelligence to your specific needs and provide informed guidance on improving defense. Optimize your security investment by developing an intelligent security strategy that takes advantage of the information IBM gathers across thousands of customers worldwide and our in-depth insight into current threats. Reduce costs through access to intelligence expertise that can be difficult and expensive to source and retain internally. Leverage the power of IBM by complementing sophisticated threat intelligence with best-in-class managed security services. Why act now? The truth is, your business may be just a keystroke or credit card swipe away from ending up in the headlines. And that s just the first reason. Here are a few more: Criminals will not relent: Once you re a target, criminals will spend as much time trying to break into your enterprise as you spend on your core business. If you don t have visibility into attacks as they happen, the criminals will succeed. Every business is affected: In the past, financial services organizations were among the primary targets of cyber criminals. Today, diverse actors move with lightning speed to steal tangible assets, intellectual property, customer information and confidential data across all sectors. Your perimeter may already have been breached: Recent attacks demonstrate that victims were compromised for months before they discovered it. Assuming that you have already been breached is today s prudent security posture. Why IBM Security? Traditional security defenses are no match for today s unrelenting, well-funded attackers. And disruptive technologies such as cloud computing and sophisticated mobile devices are continuing to introduce new vulnerabilities to exploit. To stop attackers regardless of how advanced or persistent they are organizations must accelerate their ability to limit new risk and take advantage of intelligence to gain insight into attackers approaches and motives. IBM is a recognized leader in consultative and managed security services. Operating through a single pane of glass and employing common management processes worldwide, our thousands of consultants, analysts and delivery specialists provide security services for clients every day. We continuously update and improve our processes to reflect what we learn about ongoing changes in the threat landscape, in the course of managing tens of thousands of security devices for thousands of clients around the globe. To provide local service and support, IBM has 10 security operations centers. In addition, we hold more than 1,000 security patents and operate 10 security research centers.

8 For more information To learn more about how IBM can help you protect your organization from cyber threats and strengthen your IT security, contact your IBM representative or IBM Business Partner, or visit this website: ibm.com/services/security Follow us Copyright IBM Corporation 2014 IBM Corporation IBM Global Technology Services Route 100 Somers, NY Produced in the United States of America July 2014 IBM, the IBM logo and ibm.com are trademarks of International Business Machines Corp., registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the Web at Copyright and trademark information at ibm.com/legal/ copytrade.shtml This document is current as of the initial date of publication and may be changed by IBM at any time. THE INFORMATION IN THIS DOCUMENT IS PROVIDED AS IS WITHOUT ANY WARRANTY, EXPRESS OR IMPLIED, INCLUDING WITHOUT ANY WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND ANY WARRANTY OR CONDITION OF NON-INFRINGEMENT. IBM products are warranted according to the terms and conditions of the agreements under which they are provided. The client is responsible for ensuring compliance with laws and regulations applicable to it. IBM does not provide legal advice or represent or warrant that its services or products will ensure that the client is in compliance with any law or regulation. Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed, misappropriated or misused or can result in damage to or misuse of your systems, including for use in attacks on others. No IT system or product should be considered completely secure and no single product, service or security measure can be completely effective in preventing improper use or access. IBM systems, products and services are designed to be part of a comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective. IBM DOES NOT WARRANT THAT ANY SYSTEMS, PRODUCTS OR SERVICES ARE IMMUNE FROM, OR WILL MAKE YOUR ENTERPRISE IMMUNE FROM, THE MALICIOUS OR ILLEGAL CONDUCT OF ANY PARTY. 1 IBM Security Services 2014 Cyber Security Intelligence Index, April Global Reputational Risk & IT Study, IBM. Please Recycle SEW03043-USEN-00