Keynote: Cyber Intelligence and Cyber Security Overview

Transcription

1 3/08/205 Keynote: Cyber and Cyber Security Overview David Waxman Executive Architect EIA Bob Stasio EIA for Cyber Security Product Manager Ralph Klaassen Senior Architect EIA

2 3/08/205 Important Disclaimer IBM's statements regarding its plans, directions, and intent are subject to change or withdrawal without notice at IBM's sole discretion. Information regarding potential future products is intended to outline our general product direction and it should not be relied on in making a purchasing decision. The information mentioned regarding potential future products is not a commitment, promise, or legal obligation to deliver any material, code or functionality. Information about potential future products may not be incorporated into any contract. The development, release, and timing of any future features or functionality described for our products remains at our sole discretion. 3 The growth of asymmetric threats is changing the landscape Information security has become a human vs. human problem Remote control device Hackers negate tens of millions of dollars in security infrastructure with a $30USD device! 2 A male posing as an IT technician deployed a $30USD remote control device on a bank branch office computer The crooks connected to the device from a nearby hotel, then accessed the bank s servers 3 The hackers logged into a bank terminal and shifted ~$2.M USD through 28 transfers into mule accounts The gang responsible for the theft was caught 3 months later only due to attempting the same attack at another bank 4 2

3 3/08/205 Today s attackers are sophisticated and relentless National Security, Economic Espionage Monetary Gain Notoriety, Activism, Defamation Nuisance, Curiosity Hactivists, advanced social engineers Lulzsec, Anonymous Nation-state actors, APTs Stuxnet, Duqu, APT- Organized crime Zeus, Dyre, Blackhole Exploit Pack Insiders, Spam, Script-kiddies, Commodity threats Nigerian 49 Scams, Code Red This group can bypass any static network security ygiven enough time and resources Use security intelligence and cyber analysis to detect their presence through anomalies Command and control Proliferation Exfiltration Most effectively mitigated by implementing an integrated framework of security controls 5 Both security and analysis must address the problem Non-Linear Relationship Between Effectiveness and Cost 99.9% Percent of Threat ts Stopped 90% 80% Example of Personnel Tier One SOC Analyst Information Security Incident Responders High Effort Cyber Analysis Cyber Analysts Implement a Security Framework Advanced Security Cyber Analysis Level of Effort / Investment 3

4 3/08/205 as a Time Horizon Information Security Cyber Analysis Tier One SOC Analyst Tier Two SOC Analyst Incident Responders Threat Researchers Cyber Analysts 7 Learning from medical analogies Threat Example MEDICAL Mitigation Strategy Threat Example SECURITY Mitigation Strategy Tier One Hygiene Common hospital associated infections Washing hands, wearing masks and scrubs Commodity threat, individual hackers with widely-used tools Changing passwords, removing unused services, patching Tier Two Specialization Emergent situations (e.g. chest pain, gunshot wound) Creation of critical care and preventative medicine discipline Organized crime, semi-tailored fraud and crimeware tools Visibility, monitoring, alerting, response, realtime security analytics Tier Three Research Genetic diseases and cancer Research and tailored genetic treatments Advanced Persistent Threat, nation-state, high resources Cyber analysis, threat intelligence trend analysis, campaign tracking 8 4

5 3/08/205 The cyber analysis discipline addresses the human dimension High expertise from CISO and SOC organizations Information Security Forensics Science Analysis High expertise from the military and intelligence communities The Cyber Analysis Discipline Cyber Analysis is a new discipline and profession with three subcomponents Information Security blends aspects of network defense, confidentiality, assurance, and malware threats 9 Human Enabled High expertise from law enforcement and IR community Analysis brings the art of the intel cycle where information is directed, collected, processed, analyzed, produced, and disseminated Cyber Analysis Mostly IT Sources PCAP Alerts System Logs SIEM SSO/AD Vulnerability Scans Mostly Human Sources Behavioral Data HR Data Reviews Account Creation Badge Logs Access Logs Security Persona Data Analysis Platform Threat Human Enabled Cyber Analysis Results Integrated data feeds Enterprise awareness Compliance monitoring Threat discovery Risk management Enable decisions Mostly External Sources Hacker Forums Intel Vendors Threat Indicators Social Media Government Alerts Community Info Leveraging an analytical platform and internal and external information feeds, Cyber Analysts can help form a deep understanding of the threats targeting your organization 5

6 3/08/205 Workflows Security Cyber Analysis Threat Research IBM Security QRadar IBM Enterprise Insight Analysis IBM X-Force Enrich Produce Continuous Feedback Loop Visualize Analyze Domain Generalities SECURITY Structured data Automatic detection Real-time operations Universal configuration Anomaly detection Roll-over data Organizational visibility Threat management Logical domain Traditional data sources CYBER Unstructured data Manual analysis Long-term research Customized Anomaly discovery Big data storage Ecosystem visibility Threat discovery Physical domain Non-traditional data sources 6

7 3/08/205 IBM s Strategic Threat Analysis Capability Machine enabled Security Platform Real-time processing Real-time data correlation Anomaly detection Event and flow normalization security context and enrichment Distributed architecture Human enabled Cyber Analysis Platform Multi-Dimensional Analysis Strategic Security Operations All-source intelligence Anomaly discovery Ecosystem visibility Scales to 50TBs of data Customized configuration Human-Led Discovery i Pre-defined rules and reports Offense scoring and prioritization Activity and event graphing Compliance reporting Workflow management Visualize linked data Identity and relationship resolution Geospatial and physical data analysis Persona domain threat identification Create decision-making products for leaders IBM i2 brings the Cyber and domains together Contextual Event Analysis & Forensics Build multi source target profiles Global threat intelligence includingg a cyber y Visual Forensics footprint even when 3rd data is scarce Customer, Employee, Party Records Data at Rest Actionable Enterprise Incidents p Activity Reports Data in Motion Collect Collate Telephone CDR Financial Parse Query Social Network Analyze R d Recommend Predict External Cyber - Hashtagging Corporate & Public Structured & Unstructured Data Sources Video & Biometric Multi source Security Devices 7

8 3/08/205 Solution Overview IBM i2 Cyber Analysis and Forensics Repository Geospatial Analytics Visualisation Unstructured, Open Source and Social Media Asynchronous Big Data Analytics All source fusion of data The Analyst s Whiteboard Identity and Relationship resolution (The Analyst s Assistant) Cyber Security Analytics (SIEM systems) High Speed Actionable IBM i2 Cyber Incident Forensics Deployment Model Security Operations Joins Cyber to All source intelligence Visual query API integration to QRadar through portal SIEM Systems - QRadar Security domain pillar Supports key SOC operations API Cyber Analysis Forensics Appliance, virtual appliance or software Supports standard PCAP format Retrieves PCAPs for an incident & reconstructs sessions for forensics Security Analyst s Whiteboard Advanced visualization capabilities Network analysis Relationship Analytics ANB plugin to QRadar API Entity Link Analytics At Scale Data Packet Capture Long tail custom analytics Asynchronous allowing analysts to ask the questions they want Scalable storage Performs Full Packet Capture Optimized appliance solution Scalable storage 8

9 3/08/205 Screenshots Disclaimer slide Copyright 205 by International Business Machines Corporation (IBM). No part of this document may be reproduced or transmitted in any form without written permission from IBM. U.S. Government Users Restricted Rights Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM. Information in these presentations (including information relating to products that have not yet been announced by IBM) has been reviewed for accuracy as of the date of initial publication and could include unintentional technical or typographical errors. IBM shall have no responsibility to update this information. THIS DOCUMENT IS DISTRIBUTED "AS IS" WITHOUT ANY WARRANTY, EITHER EXPRESS OR IMPLIED. IN NO EVENT SHALL IBM BE LIABLE FOR ANY DAMAGE ARISING FROM THE USE OF THIS INFORMATION, INCLUDING BUT NOT LIMITED TO, LOSS OF DATA, BUSINESS INTERRUPTION, LOSS OF PROFIT OR LOSS OF OPPORTUNITY. IBM products and services are warranted according to the terms and conditions of the agreements under which they are provided. Any statements regarding IBM s future direction, intent or product plans are subject to change or withdrawal without notice. Performance data contained herein was generally controlled isolated environments obtained in a controlled, environments. Customer examples are presented as illustrations of how those customers have used IBM products and the results they may have achieved. Actual performance, cost, savings or other results in other operating environments may vary. References in this document to IBM products, programs, or services does not imply that IBM intends to make such products, programs or services available in all countries in which IBM operates or does business. Workshops, sessions and associated materials may have been prepared by independent session speakers, and do not necessarily reflect the views of IBM. All materials and discussions are provided for informational purposes only, and are neither intended to, nor shall constitute legal or other guidance or advice to any individual participant or their specific situation. It is the customer s responsibility to insure its own compliance with legal requirements and to obtain advice of competent legal counsel as to the identification and interpretation of any relevant laws and regulatory requirements that may affect the customer s business and any actions the customer may need to take to comply with such laws. IBM does not provide legal advice or represent or warrant that its services or products will ensure that the customer is in compliance with any law. Information concerning non-ibm products was obtained from the suppliers of those products, their published announcements or other publicly available sources. IBM has not tested those products in connection with this publication and cannot confirm the accuracy of performance, compatibility or any other claims related to non-ibm products. Questions on the capabilities of non-ibm products should be addressed to the suppliers of those products. IBM does not warrant the quality of any third-party products, or the ability of any such third-party products to interoperate with IBM s products. IBM EXPRESSLY DISCLAIMS ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. The provision of the information contained herein is not intended to, and does not, grant any right or license under any IBM patents, copyrights, trademarks or other intellectual property p p y right. g IBM, the IBM logo, ibm.com, DOORS, Enterprise Document Management System, Global Business Services, Global Technology Services, Maximo, MQIntegrator, MQSeries, Netcool, PureAnalytics, PureApplication, purecluster, PureCoverage, PureData, PureExperience, PureFlex, purequery, purescale, PureSystems, QRadar, Rational, Rhapsody, Tivoli, Trusteer, urban{code}, WebSphere, Worklight, X-Force and System z are trademarks of International Business Machines Corporation, registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the Web at Copyright and trademark information at: 9

10 3/08/205 Thank You 0