Security strategies to stay off the Børsen front page
Steve Durkin, Channel Director for Europe, Q1 Labs, an IBM Company
© 2012 IBM Corporation
"Given the dynamic nature of the challenge, measuring the state of security within an organization is increasingly important. Since threats are always moving and solutions are more complex, dynamic and often partial, knowing where you are is essential."
John Meakin, Global Head of Security Solutions & Architecture, Deutsche Bank
Source: Finding a strategic voice, IBM Center for Applied Insights
Q1 Labs: The Security Intelligence Leader
Who we are:
- Innovative Security Intelligence software company
- One of the largest and most successful SIEM vendors
- Leader in Gartner Magic Quadrant (2009-2012)
Award-winning solutions:
- Family of next-generation Log Management, SIEM, Risk Management and Security Intelligence solutions
Proven and growing rapidly:
- Thousands of customers worldwide
- Five-year average annual revenue growth of 70%+
Now part of IBM Security Systems:
- Unmatched security expertise and breadth of integrated capabilities
Targeted Attacks Shake Businesses and Governments
(Chart) Source: IBM X-Force 2011 Trend and Risk Report, March 2012
IT Security is a board room discussion
Areas of exposure: business results, brand image, supply chain, legal exposure, impact of hacktivism, audit risk
- Sony estimates potential $1B long-term impact; $171M / 100 customers*
- HSBC data breach discloses 24K private banking customers
- Epsilon breach impacts 100 national brands
- TJX estimates $150M class action settlement in release of credit / debit card info
- LulzSec 50-day hack-at-will spree impacts Nintendo, CIA, PBS, UK NHS, UK SOCA, Sony
- Zurich Insurance Plc fined £2.275M ($3.8M) for the loss and exposure of 46K customer records
*Sources for all breaches shown in speaker notes
Security Intelligence Use Cases
Total Security Intelligence: How do we address the challenges?
- Reduce Big Data
- Detect Advanced Persistent Threats
- Predict attacks
- Manage risk
Big Data: Reduce your data silo down
Case study: An international energy company reduces billions of events per day to find those that should be investigated
An international energy firm analyzes 2,000,000,000 events per day to find 20 to 25 potential offences to investigate.
Business challenge:
- Reducing a huge number of events to find the ones that need to be investigated
- Automating the process of analyzing security data
Solution (QRadar SIEM, QFlow):
- Real-time correlation of hundreds of data sources, anomaly detection to help identify low and slow threats, flexibility for easy customization and expansion
Reducing Data Silos: How it looks in QRadar
- Single incident derived from ~20k events and 355 flows
- QRadar automatically pulls all related events and flows into a single security incident
- Highlights the magnitude / importance
- Reduction into a manageable daily number
Anatomy of an APT: Communications Company
(Timeline figure with markers at Day 0, Day 8 and 6 months)
- Attackers create Trojan
- 3rd-party software update server compromised
- Trojan auto-updated to corporate network
- Port 8080 used for C&C activities
- 60+ corporate computers infected with backdoor agent
- 35M records stolen
Activity / Behaviour Monitoring, Flow Analytics, Anomaly Detection
- Behaviour / activity baselining of users and processes
- Helps detect day-zero attacks and covert channels that have no signature or AV / IPS detection
- Provides definitive evidence of attack
- Enables visibility into attacker communications
- Network traffic does not lie: attackers can stop logging and erase their tracks, but can't cut off the network (flow data)
Activity and data access monitoring
- Visualize data risks: automated charting and reporting on potential database breaches
- Correlate database and other network activity: enrich database security alerts with anomaly detection and flow analysis
- Better detect serious breaches: 360-degree visibility helps distinguish true breaches from benign activity, in real time
Anomaly Detection & APTs
User & Application Activity Monitoring alerts on a user anomaly for Oracle database access. It identifies the user, the normal access behaviour and the anomalous behaviour, with all source and destination information, so the persistent threat can be resolved quickly.
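The two slides above describe baselining a user's normal activity and alerting when database access departs from it, together with the who / source / destination context the analyst needs. The following is an added example of that idea in plain Python; it is not QRadar code. It assumes a constructed record schema (user, src_ip, dst_ip, day, query_count), a constructed 14-day history for two accounts, and z-score thresholds that are tuning assumptions rather than product settings.

```python
"""Per-user database access baselining with anomaly scoring.

Added example, not QRadar code. Records are assumed to be dicts with
user, src_ip, dst_ip, day and query_count fields (a constructed
schema); a day whose query volume sits far outside the user's own
historical baseline is flagged, and the result carries the identity and
endpoint context needed to act on it.
"""
from collections import defaultdict
from statistics import mean, pstdev

DB_SERVER = "10.2.0.5"  # constructed address of the Oracle listener

# Constructed 14-day history: two accounts with stable daily volumes.
HISTORY = [
    {"user": "alice", "src_ip": "10.1.1.20", "dst_ip": DB_SERVER,
     "day": d, "query_count": 40 + (d % 3)}
    for d in range(14)
] + [
    {"user": "bob", "src_ip": "10.1.1.31", "dst_ip": DB_SERVER,
     "day": d, "query_count": 120 + (d % 5)}
    for d in range(14)
]


def build_baselines(records):
    """Summarise each user's daily query volume as mean and spread."""
    per_user = defaultdict(list)
    for rec in records:
        per_user[rec["user"]].append(rec["query_count"])
    return {
        user: {"mean": mean(counts), "stdev": pstdev(counts), "samples": len(counts)}
        for user, counts in per_user.items()
    }


def _identity(record):
    # The who / where-from / where-to context an analyst needs to act.
    return {k: record[k] for k in ("user", "src_ip", "dst_ip", "day")}


def score_access(record, baselines, min_samples=7, z_threshold=3.0, min_sigma=1.0):
    """Compare one day's volume against the user's baseline.

    Users without enough history are reported as 'no_baseline' rather
    than silently passed; the floor on sigma keeps a very regular user
    from being flagged by a change of a single query.
    """
    base = baselines.get(record["user"])
    if base is None or base["samples"] < min_samples:
        return {**_identity(record), "verdict": "no_baseline", "z": None}
    sigma = max(base["stdev"], min_sigma)
    z = (record["query_count"] - base["mean"]) / sigma
    return {
        **_identity(record),
        "baseline_mean": round(base["mean"], 1),
        "observed": record["query_count"],
        "z": round(z, 2),
        "verdict": "anomaly" if z > z_threshold else "normal",
    }


def detect_anomalies(new_records, baselines):
    """Return only the records that should become an offence."""
    return [r for r in (score_access(rec, baselines) for rec in new_records)
            if r["verdict"] == "anomaly"]


# Constructed day 14: alice pulls roughly twenty times her usual volume,
# bob stays within his range, and mallory has no history at all.
TODAY = [
    {"user": "alice", "src_ip": "10.1.1.20", "dst_ip": DB_SERVER, "day": 14, "query_count": 800},
    {"user": "bob", "src_ip": "10.1.1.31", "dst_ip": DB_SERVER, "day": 14, "query_count": 125},
    {"user": "mallory", "src_ip": "10.1.1.77", "dst_ip": DB_SERVER, "day": 14, "query_count": 50},
]

if __name__ == "__main__":
    baselines = build_baselines(HISTORY)
    for hit in detect_anomalies(TODAY, baselines):
        print(hit)
```

The "no_baseline" verdict is deliberate: an account with no history is exactly the one a reviewer wants surfaced separately, not scored as normal because nothing contradicts it.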
Stealthy malware detection
- Potential botnet detected? This is as far as a traditional SIEM can go.
- IRC on port 80? QFlow detects a covert channel, using Layer 7 flows and deep packet inspection.
- Irrefutable botnet communication: Layer 7 flow data shows botnet command and control instructions.
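The slide's point is that a port-based view labels traffic to port 80 as web browsing, while a Layer 7 view reads the bytes and sees IRC. The following added example, not QFlow code, shows the difference in plain Python. It assumes flow records as dicts with src_ip, dst_ip, dst_port and a short payload sample from the client side of the connection; the flows, addresses and signatures are all constructed for the example.

```python
"""Layer 7 check of a flow's payload against its destination port.

Added example, not QFlow code. A flow is classified twice: once by the
application conventionally expected on its port, and once by what the
payload actually looks like. A recognised protocol riding on a port that
conventionally carries a different one is reported as a covert channel.
"""
import re

# Application expected on a port by convention (port-based view).
PORT_APPS = {80: "http", 443: "https", 25: "smtp", 6667: "irc"}

# Content signatures (Layer 7 view). An HTTP request starts with a
# request line; IRC speaks CRLF-terminated commands such as NICK/JOIN.
HTTP_REQUEST_LINE = re.compile(rb"^(GET|POST|HEAD|PUT|DELETE|OPTIONS) \S+ HTTP/1\.[01]\r\n")
IRC_COMMAND = re.compile(rb"^(?::\S+ )?(NICK|USER|JOIN|PRIVMSG|PING|PONG|NOTICE|MODE)\b")


def app_by_port(dst_port):
    return PORT_APPS.get(dst_port, "unknown")


def app_by_content(payload, max_bytes=512):
    """Classify from the bytes actually on the wire, ignoring the port."""
    head = payload[:max_bytes]
    if HTTP_REQUEST_LINE.match(head):
        return "http"
    lines = [ln for ln in head.split(b"\r\n") if ln]
    irc_lines = sum(1 for ln in lines if IRC_COMMAND.match(ln))
    # Two IRC-shaped lines are required so a single matching word in an
    # unrelated protocol does not trip the detector.
    if irc_lines >= 2:
        return "irc"
    return "unknown"


def classify_flow(flow):
    by_port = app_by_port(flow["dst_port"])
    by_content = app_by_content(flow["payload"])
    covert = by_content != "unknown" and by_port != "unknown" and by_content != by_port
    return {
        "src_ip": flow["src_ip"],
        "dst_ip": flow["dst_ip"],
        "dst_port": flow["dst_port"],
        "app_by_port": by_port,
        "app_by_content": by_content,
        "covert_channel": covert,
    }


def find_covert_channels(flows):
    return [r for r in map(classify_flow, flows) if r["covert_channel"]]


# Constructed flows: ordinary HTTP, IRC on its usual port, IRC hidden
# on port 80, and a TLS ClientHello fragment on 443 (opaque to us).
FLOWS = [
    {"src_ip": "10.1.1.20", "dst_ip": "198.51.100.7", "dst_port": 80,
     "payload": b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"},
    {"src_ip": "10.1.1.21", "dst_ip": "198.51.100.8", "dst_port": 6667,
     "payload": b"NICK guest42\r\nUSER guest 0 * :guest\r\nJOIN #chat\r\n"},
    {"src_ip": "10.1.1.22", "dst_ip": "198.51.100.9", "dst_port": 80,
     "payload": b"NICK node-22\r\nUSER node 0 * :node\r\nJOIN #ctrl\r\n"},
    {"src_ip": "10.1.1.23", "dst_ip": "198.51.100.10", "dst_port": 443,
     "payload": b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03"},
]

if __name__ == "__main__":
    for hit in find_covert_channels(FLOWS):
        print(hit)
```

Only the third flow is reported: its port says HTTP, its payload says IRC. The TLS flow is classified as unknown by content and therefore not reported, which is the honest answer for encrypted traffic this check cannot see into.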
The Security Intelligence Timeline: Proactive vs Headlines
Unmatched global coverage and security awareness
(Map legend) Security Operations Centers; Security Research Centers; Security Solution Development Centers; Institute for Advanced Security Branches; IBM Research
World Wide Managed Security Services Coverage:
- 20,000+ devices under contract
- 3,700+ MSS clients worldwide
- 9B+ events managed per day
- 1,000+ security patents
- 133 monitored countries (MSS)
Case study: A financial information provider hardens defenses against threats and fraud
A European bank: 250 activity baselines dynamically adjusted over time, and savings on staffing versus alternative solutions.
Business challenge:
- On-line banking system targeted by a DDoS attack, three times
- Had security in place
- Early warning capability
Solution (QRadar SIEM, QFlow):
- Real-time correlation of hundreds of data sources, anomaly detection to help identify threats from DDoS to low and slow
Predicting an Attack: How it looks in QRadar
- Multiple IPs attack an IP
- Drilling into one superflow record shows all IP records contributing to the attack
- All pulled together in one offence, which is detected and raised immediately to the security team
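This slide and the earlier "Reducing Data Silos" slide describe the same mechanism: many events and flows aimed at one destination are folded into a single offence whose record shows every contributing source. The following is an added example of that many-to-one correlation in plain Python; it is not QRadar code and does not reproduce its superflow format. It assumes records as dicts with kind ("flow" or "event"), ts (epoch seconds), src_ip and dst_ip, and the window length and source threshold are constructed tuning values.

```python
"""Many-to-one correlation: fold the events and flows aimed at one
destination into a single offence.

Added example, not QRadar code. Records are grouped by destination and
time window; a group involving at least min_sources distinct sources
becomes one offence that carries every contributing record, so the
analyst sees one item of the right magnitude instead of dozens of
separate alerts.
"""
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class Offense:
    target: str
    window_start: float
    sources: list = field(default_factory=list)  # distinct contributing IPs
    records: list = field(default_factory=list)  # every contributing event/flow

    @property
    def magnitude(self):
        # Simple severity proxy: how many distinct sources took part.
        return len(self.sources)

    def summary(self):
        kinds = defaultdict(int)
        for rec in self.records:
            kinds[rec["kind"]] += 1
        return {"target": self.target, "sources": self.magnitude,
                "flows": kinds["flow"], "events": kinds["event"]}


def correlate(records, window_seconds=60, min_sources=20):
    """Return one Offense per (destination, window) group that involves at
    least min_sources distinct source addresses."""
    groups = defaultdict(list)
    for rec in records:
        window_start = (rec["ts"] // window_seconds) * window_seconds
        groups[(rec["dst_ip"], window_start)].append(rec)

    offenses = []
    for (dst, window_start), recs in sorted(groups.items()):
        sources = sorted({r["src_ip"] for r in recs})
        if len(sources) >= min_sources:
            offenses.append(Offense(dst, window_start, sources,
                                    sorted(recs, key=lambda r: r["ts"])))
    return offenses


def build_sample_records():
    """Constructed traffic: 25 sources each send two flows to one host and
    five of them also trip an IDS signature; two unrelated flows to a
    second host are included as noise."""
    base = 1020.0
    recs = []
    for i in range(25):
        src = f"192.0.2.{i + 1}"
        for j in range(2):
            recs.append({"kind": "flow", "ts": base + i * 0.4 + j * 0.1,
                         "src_ip": src, "dst_ip": "203.0.113.10"})
        if i < 5:
            recs.append({"kind": "event", "ts": base + i * 0.4 + 0.05,
                         "src_ip": src, "dst_ip": "203.0.113.10"})
    recs.append({"kind": "flow", "ts": base + 1.0,
                 "src_ip": "10.1.1.20", "dst_ip": "203.0.113.20"})
    recs.append({"kind": "flow", "ts": base + 2.0,
                 "src_ip": "10.1.1.21", "dst_ip": "203.0.113.20"})
    return recs


if __name__ == "__main__":
    for offense in correlate(build_sample_records()):
        print(offense.summary())
```

The 57 input records collapse to one offence against 203.0.113.10 with 25 sources, 50 flows and 5 events; the two flows to the second host never reach the threshold and stay out of the analyst's queue. Fixed time buckets are used for brevity; a sliding window would also catch a burst that straddles a bucket boundary.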
Managing risk
CISOs know it's not if, it's when they get hacked; yet there is still a gap in the ability to detect a breach.
- Breaches are taking longer to discover
- Breaches are not being discovered internally
Charts from Verizon 2011 Investigative Response Caseload Review
Insider threat case study: Fashion designer uses compliance mandate to detect insider fraud and use evidence in court
Fashion designer: using deep forensic analysis, the ability to detect insider fraud to be used in court.
Business challenge:
- Employee downloading information
- Erasing files
- Time-stamped
Solution (QRadar SIEM):
- Ability to detect who, what and how specific events occurred. Saving of raw files allowed for exact timings, and application Layer 7 provided the methods used.
How it looks in QRadar
Potential data loss? Who? What? Where?
- Who? An internal user
- What? Oracle data
- Where? Gmail
QRadar: The Most Intelligent, Integrated, Automated Security Intelligence Platform
- Proactive threat management
- Identifies most critical anomalies
- Rapid, complete impact analysis
- Eliminates silos
- Highly scalable
- Flexible, future-proof
- Easy deployment
- Rapid time to value
- Operational efficiency
Fully Integrated Security Intelligence
Log Management:
- Turnkey log management
- SME to Enterprise
- Upgradeable to enterprise SIEM
SIEM:
- Integrated log, threat, risk & compliance mgmt.
- Sophisticated event analytics
- Asset profiling and flow analytics
- Offense management and workflow
Risk Management:
- Predictive threat modeling & simulation
- Scalable configuration monitoring and audit
- Advanced threat visualization and impact analysis
Network Activity & Anomaly Detection:
- Network analytics
- Behavior and anomaly detection
- Fully integrated with SIEM
Network and Application Visibility:
- Layer 7 application monitoring
- Content capture
- Physical and virtual environments
Fully Integrated Security Intelligence (continued: same product families, with two additions)
- One Console Security
- Built on a Single Data Architecture
Security Intelligence: QRadar provides security visibility
(Dashboard screenshot callouts)
- IBM X-Force Threat Information Center
- Real-time Security Overview with IP Reputation Correlation
- Identity and User Context
- Real-time Network Visualization and Application Statistics
- Inbound Security Events
What to do next?
- Visit our stand
- Download the Gartner SIEM Critical Capabilities Report: http://q1labs.com/resource-center/analyst-reports/details.aspx?id=151
- Read our blog: http://blog.q1labs.com/
- Follow us on Twitter: @q1labs @ibmsecurity
ibm.com/security
© Copyright IBM Corporation 2012. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind, express or implied. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, these materials. Nothing contained in these materials is intended to, nor shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software. References in these materials to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates. Product release dates and/or capabilities referenced in these materials may change at any time at IBM's sole discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any way. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service marks of others.
Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed or misappropriated or can result in damage to or misuse of your systems, including to attack others. No IT system or product should be considered completely secure and no single product or security measure can be completely effective in preventing improper access. IBM systems and products are designed to be part of a comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective. IBM DOES NOT WARRANT THAT SYSTEMS AND PRODUCTS ARE IMMUNE FROM THE MALICIOUS OR ILLEGAL CONDUCT OF ANY PARTY.