The Changing Nature of Risk and the Role of Big Data
Jack Danahy, Director, North American Security Consulting, IBM
Incidents Continue to Grow in Spite of Investment

[Chart: 2012 Sampling of Security Incidents by Attack Type, Time and Impact. Relative breach impact is conjectured from publicly disclosed information on leaked records and financial losses.]
Source: IBM X-Force 2012 Mid-year Trend and Risk Report, September 2012
Attacks, Sophistication, and Vulnerabilities Increase

Source: http://www.nytimes.com/interactive/2013/02/18/business/industries-Targeted-by-the-Hackers.html?ref=technology

"This attack was not the work of amateurs, and we do not believe it was an isolated incident. The attackers were extremely sophisticated, and we believe other companies and organizations have also been recently similarly attacked."
Source: http://blog.twitter.com/2013/02/keeping-our-users-secure.html

In 2012, IBM reported over
Source: IBM X-Force 2012 Mid-year Trend and Risk Report, September 2012
Individual Attacks Span Multiple Vectors

- People: investment advisors, employees, privileged users, suppliers, outsourcers, institutional clients, investors
- Data: account information, high-value portfolios, customer information, data in motion
- Applications: asset management, enterprise applications, investment trading, mobile applications
- Infrastructure: datacenters, PCs, laptops, mobile, cloud, non-traditional
Creating a Need for a Multi-Pronged Approach

                 Then             Now
  People         Administration   Insight
  Data           Basic control    Laser focused
  Applications   Bolt-on          Built-in
  Infrastructure Thicker walls    Smarter defenses

Collect and analyze everything.
Threats and Attackers are More Sophisticated

1. Break-in: spear phishing and remote exploits to gain access
2. Latch-on: malware and backdoors installed to establish a foothold
3. Expand: reconnaissance and lateral movement to increase access and maintain a presence
4. Gather: acquisition and aggregation of confidential data
5. Exfiltrate: data exfiltration to external networks

In the diagram, command and control (CnC) traffic is shown alongside the latch-on and exfiltrate stages: the same channel that establishes the foothold later carries the data out.
Multiple Threat Vectors Dictate Broad Visibility

- Threat vectors: misconfigured firewall, vulnerable server, 0day exploit, botnet communication, SQL injection, malicious PDF, spammer, infected website, phishing campaign, malicious insider, brute force
- Scope of visibility: on the network, across the enterprise, across the world
- Threat protection and security intelligence controls: application control, risk management, threat advisories, network anomaly detection, vulnerability management, IP reputation, web application protection, content and data security, intrusion prevention, network activity monitoring, SIEM, log management
- Threat intelligence feeds: malware information, malicious websites, vulnerability database
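The five-stage lifecycle and the many sensors listed above only become one story when a correlator can see stages from different sources on the same host. The following is an added example of that correlation, written for this page and not taken from the deck or from any IBM product: each event already carries the lifecycle stage its sensor mapped it to, and an offense is raised when a host shows several distinct stages inside one sliding window. The events, the stage mapping, the 24-hour window and the score formula are all assumptions for illustration.

```python
"""Correlate kill-chain stages across sensors, per host.

Added example, not code from the original deck or from any IBM product.
Events are grouped by host and sorted in time; an offense is raised when
a host shows at least min_stages distinct lifecycle stages inside one
window. Event format, stage mapping and thresholds are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Stages as numbered on the lifecycle slide.
STAGE_NAMES = {1: "break-in", 2: "latch-on", 3: "expand", 4: "gather", 5: "exfiltrate"}

# Constructed events: (timestamp, sensor, host, stage, detail).
EVENTS = [
    ("2013-02-18T08:02:00", "mail-gw",  "ws-017", 1, "spear-phish attachment opened"),
    ("2013-02-18T08:05:00", "endpoint", "ws-017", 2, "new autorun service installed"),
    ("2013-02-18T08:06:00", "firewall", "ws-017", 2, "periodic outbound beacon to 203.0.113.8:443"),
    ("2013-02-18T09:40:00", "ad-audit", "ws-017", 3, "admin-share access to 10 hosts in 5 min"),
    ("2013-02-18T21:15:00", "proxy",    "ws-017", 5, "2.1 GB POST to unknown host"),
    ("2013-02-18T10:00:00", "mail-gw",  "ws-042", 1, "spear-phish attachment opened"),
    ("2013-02-12T10:00:00", "endpoint", "ws-099", 2, "unsigned DLL loaded by explorer.exe"),
    ("2013-02-18T12:00:00", "ad-audit", "ws-099", 3, "interactive logon from workstation to 4 servers"),
]


def parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%S")


def correlate(events, window=timedelta(hours=24), min_stages=3):
    """Return {host: offense} for hosts that show >= min_stages distinct
    stages within any span of length `window`. The offense records the
    first event seen for each stage, the sensors involved and a score
    (furthest stage reached x number of distinct stages)."""
    by_host = defaultdict(list)
    for ts, sensor, host, stage, detail in events:
        by_host[host].append((parse_ts(ts), sensor, stage, detail))

    offenses = {}
    for host, evs in by_host.items():
        evs.sort()
        best = None
        # Start a window at every event and keep the richest one.
        for i, (t0, _, _, _) in enumerate(evs):
            seen = {}
            for t, sensor, stage, detail in evs[i:]:
                if t - t0 > window:
                    break
                seen.setdefault(stage, (t, sensor, detail))
            if len(seen) >= min_stages and (best is None or len(seen) > len(best)):
                best = seen
        if best is not None:
            stages = sorted(best)
            offenses[host] = {
                "stages": [STAGE_NAMES[s] for s in stages],
                "sensors": sorted({best[s][1] for s in stages}),
                "score": max(stages) * len(stages),
                "first_seen": min(best[s][0] for s in stages).isoformat(),
                "evidence": [f"{best[s][0].isoformat()} {best[s][1]}: {best[s][2]}"
                             for s in stages],
            }
    return offenses


if __name__ == "__main__":
    for host, off in correlate(EVENTS).items():
        print(host, "score", off["score"], off["stages"])
        for line in off["evidence"]:
            print("   ", line)
```

With the constructed data only ws-017 produces an offense (four stages from four different sensors in one day); ws-042 has a single phishing event and ws-099 has two stages six days apart, which the 24-hour window keeps separate. Widening the window to a week turns ws-099 into an offense too, which is the trade-off the "collect and analyze everything" slide is really about: the longer the history kept hot, the slower, lower-and-slower campaign you can still join up.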
Changing Responsibilities at the C-Level
Key CIO Findings

Crisis or compliance drives tactical behaviors:
- Investments are typically driven by industry standards and regulation or by a specific negative event
- The value proposition is to address the immediate need at minimal cost, leading to point-solution buying

CIOs seek to transform from IT security to information risk management:
- Mobile, social and cloud are driving increased threats, leaks and regulations
- In addition to more risk, the nature of risk is shifting away from data toward the core business
- CIOs are looking for a more holistic, integrated risk management approach

CIOs highlight four requirements for executing information risk management:
- Active engagement with business leaders in information security decisions
- A new IT risk role with sufficient knowledge, authority and budget to address issues across the business
- Integrated vendors with consulting skill and security solutions that address the entire information lifecycle
- Better ways to measure the value of security / risk management to the organization
CIO Consensus: Holistic View Required

Organizations need to move away from solely concentrating on compliance, audits, preventing unauthorized access and data exposure, and service interruptions. This new perspective is more about Information Risk Management as opposed to just security and compliance.

Traditional focus (governance and compliance):
- IT compliance risk: negative audit findings, penalties, fines; regulatory or statutory shortcomings
- Information IT risk: unauthorized exposure of a critical information asset; significant service interruptions
- Technology IT risk: failures in access control; unauthorized modification of a system or application

Emerging focus (information risk management):
- LOB operational risk: disruption of business operations; failure to assure the integrity of products or services delivered
- Brand risk: loss of brand equity; loss of customer trust
- Transformation risk: inability to execute on transformation initiatives; failure to deliver expected business value
1. Executive Management Considers Security as IT

The business deals with risk when there is a problem/breach or impending regulatory action; otherwise security is largely considered an IT issue.

CIOs tell us:
- If you tried to walk into the board of directors of today and talk about information risk management, he'll tell you to go talk to the IT people.
- Management does not appreciate the strategic value of good information risk management - all hell breaks loose when something does go wrong, then they forget about it in time.
- Business and non-IT executives are willing to discuss security and technology risk issues, but typically only if he asks them to get involved; they talk about it when I bring it up.
- The organization pays lip service to the idea that security is a business problem, but typically does not put its money where its mouth is.
- The down side is you get small, important chunks of airtime with these business executives. If you're seen as a nerd without a strategic holistic view, they don't want to go anywhere.

CIOs need: to engage with business leaders to take a more active role in information security decisions.
2. The CISO Suffers From Lack of Visibility and Influence

IT doesn't always have a strong voice across the organization.

CIOs tell us:
- CIOs/CTOs feel either a risk management group or executive should report to a business executive or the board so they have sufficient and independent authority and can help promote a more holistic, business-led approach to the organization.
- It's something I believe in, but we don't have the right people running this area.
- The Information Risk Officer needs to align to the business to give the position more credibility and authority; those aligned to the technology organization don't have as much impact and credibility within the business lines.
- Don't have the right people leading this area; we don't have the right level person, the right skill-level person doing it. While he has the authority and the budget (or can take it from other areas), he doesn't feel prepared to assume this role.

CIOs need: the right people leading a new security role within the organization that is aligned with the business and has sufficient knowledge, authority and budget to address issues across the business.
3. Point Solutions are Already in Place

Existing (and significant) security investments.

CIOs tell us:
- None of the participants take a fully integrated, holistic approach to security solution purchases; reactive, point-product buys are more the norm. New / ever-changing threats, the desire for best-of-breed products to address these specific threats, and lack of awareness of integrated, enterprise-wide solutions drive this purchase behavior.
- The different point solutions that have been implemented throughout the years, all the silos of systems that have been in place over the years: it is a desired direction to move towards; however, it's going to be a long way away.
- Others doubt that one provider can deliver a holistic solution that can cover all segments of security, including mobile devices (with different operating systems), anti-virus, firewalls, proxy servers, etc.
- Would make things easier if there were at least a couple of vendors in the marketplace who do really good end-to-end security; however, not sure who, if anyone, has that capability.

CIOs need: to partner with security vendors that have consulting skill sets and business relationships as well as security solutions that address the entire information lifecycle.
4. Hard to Measure the Positive Impact of Security

Business leaders are skeptical about ROI since it's not directly tied to revenue growth.

CIOs tell us:
- Not sure how to quantify it and doesn't try to with management; just tells them it's just what we need to do.
- It's not ROI because this isn't making you money. It's not going to save money unless there is a problem, so you talk about it internally as lowering the probability of exposure.
- The more sophisticated talk about a certain % decrease in exposure and then apply that decrease to the revenue in play.
- Another CIO would like vendors to approach him with more solutions that demonstrate ROI; they need to come to the table with a model on how to prove that there is either a cost-neutral or a positive ROI for going down a path.

CIOs need: better ways to measure the value of security and risk management to the organization.
Integrating the Power of Big Data
Increased Threat Sophistication is Compounded by Scale

Data sources:
- Configuration data from infrastructure
- Vulnerability and patch information
- Alerts from security sensors
- Security logs from servers
- External threat feeds
- System audit trails and logs
- E-mail and social activity
- Business process data
- Malware samples and behavior
- Network flows and anomalies
- Full packet and DNS captures

Example environment:
- 250,000 managed firewalls
- 30,000 network devices
- 500,000 open port combinations
- 410,455 Windows client systems
- 36,109 Windows servers
- 24,000 *NIX servers
- 1,200 vulnerability assessors

Size estimates of scale and volume of events and logs:
- 1.5 to 2 TB per month per major security service
- 200 to 750 GB total per minor security service
- Unscoped TB of unstructured social and business data
Driving an Evolution of Intelligence for Security

Stages, with the year each appeared:
- 2000: Log Management
- 2005: SIEM
- 2009: Security Intelligence
- 2013: Security Intelligence with Big Data

Capabilities accumulated along that timeline, in order:
- Collect and analyze security logs
- Monitor and manage users, services and system configuration changes
- Incident response
- Real-time correlation and advanced analytics
- Anomaly detection
- Enterprise-wide visibility
- Structured and unstructured data
- Predictive and decision modeling
- Interactive visualization
- Security insights from enterprise data
Business Potential for Big Data Enablement in Security

Visibility from traditional security operations and technologies:
- Alerts from security sensors
- Configuration data from infrastructure
- System audit trails and logs
- Vulnerability and patch information
- Security logs from servers
- External threat feeds
- Network flows and anomalies

Where that leaves security operations:
- Reactive rather than proactive
- Lots of data, but limited visibility restricts threat awareness and containment
- When needed, insufficient cyber security investigative and forensics capabilities
- A complex, ever-changing regulatory environment

Additional sources big data makes usable:
- E-mail and social activity
- Business process data
- Malware samples and behavior
- Full packet and DNS captures

The new security program needs to enable system availability and stakeholder confidence.
Big Data Applies to Prevention and Clean-up

Prediction and prevention (What are the external and internal threats? Are we configured to protect against these threats?):
- Risk management
- Vulnerability management
- Configuration monitoring
- IBM X-Force Threat Intelligence
- Compliance management
- Reporting and scorecards

Reaction and remediation (What is happening right now? What was the impact?):
- SIEM
- Log management
- Incident response
- Network anomaly detection
- Packet forensics
- Database activity monitoring
- Data loss prevention
Harnessing the Variety, Velocity and Volume of Big Data

[Chart: data scale (data at rest, kilo to exa, up to 10,000 times larger) against decision frequency (data in motion, years down to microseconds, up to 10,000 times faster).]

- HOT analytics (fast: detection, correlation, aggregation, scoring): real-time behavior analytics, real-time interdiction, just-in-time investigation and mitigation
- COLD analytics (deep: historic insight, context, model building): user and system profiling, forensic analysis / clean-up
- Traditional data warehouse and business intelligence: cost and resource tracking
Global Threat Operations Center: Actual Customer Example

Security Analysis Center, key functions:
- Threat intelligence gathering
- Event and vulnerability analysis
- Impact analysis
- Incident management
- Investigations
- Enforcement optimization
- Risk assessments, briefings, and advisories

Security Operations Center, key functions:
- Security monitoring
- Incident escalation and response
- SIEM intelligence platform administration
- Security governance
- Application management
- Configuration management
- Policy management
- Hunter team: penetration testing (infrastructure, application, social), phishing awareness, attack modeling, assessments, ad-hoc projects

Security Intelligence Platform, key functions:
- Aggregate security event, log and flow data
- Correlation, rules and feeds
IBM Architecture Example

Security Intelligence Platform (QRadar):
- Data collection
- Event correlation
- Real-time analytics
- Offense prioritization

Big Data Platform (InfoSphere BigInsights):
- Hadoop-based data integration
- Data mining
- Custom analytics
- Machine learning

Flow: traditional and non-traditional data sources feed the security intelligence platform; data is ingested into the big data platform, and the insights produced there flow back. Outputs: advanced threat detection and custom use cases.
Customer Example: User Profiling Based on Multiple Sources

[Diagram, numbered steps not recoverable.] Data sources: Internet NetFlow, web and e-mail proxy, unstructured data. Real-time processing feeds big data processing into a Hadoop store (with an optional relational store); big data analytics and forensics over that store produce a list of suspicious user(s) for security operations.
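The hot/cold split from the volume-and-velocity slide and the user-profiling pipeline above come down to two computations: a profile built from history, and a cheap score of each new day against it. The following is an added example written for this page, not the customer's pipeline nor any IBM product code: the COLD tier builds a per-user profile (mean and standard deviation of daily bytes uploaded through the proxy, plus the set of hosts the user normally talks to) from two weeks of constructed records, and the HOT tier scores the current day against it. The record format, the z-score threshold, the floor on the standard deviation and all data are assumptions.

```python
"""User profiling from web-proxy records: cold baseline, hot scoring.

Added example, not code from the original deck or from any IBM product.
Record format: (day, user, destination host, bytes uploaded).
Thresholds and the constructed data are assumptions for illustration.
"""
import math
from collections import defaultdict

MB = 1024 * 1024

# Constructed history: two weeks for alice and bob with a little day-to-day
# variation so the standard deviation is not zero.
HISTORY = []
for _day in range(1, 15):
    for _host in ("mail.example.com", "crm.example.com", "files.example.com"):
        HISTORY.append((_day, "alice", _host, (2 + _day % 3) * MB))
    HISTORY.append((_day, "bob", "mail.example.com", (1 + _day % 2) * MB))
    HISTORY.append((_day, "bob", "git.example.com", 20 * MB))

# Constructed current day: alice pushes 2.1 GB to a host never seen before,
# bob is a little above his usual, carol has no history at all.
TODAY = [
    (15, "alice", "mail.example.com", 3 * MB),
    (15, "alice", "198.51.100.23", 2100 * MB),
    (15, "bob", "mail.example.com", 2 * MB),
    (15, "bob", "git.example.com", 22 * MB),
    (15, "carol", "files.example.com", 5 * MB),
]


def daily_totals(records):
    """Sum bytes per (user, day) and collect each user's destination hosts."""
    totals = defaultdict(int)
    hosts = defaultdict(set)
    for day, user, host, nbytes in records:
        totals[(user, day)] += nbytes
        hosts[user].add(host)
    return totals, hosts


def build_baseline(history):
    """COLD tier: per-user mean and sample stdev of daily egress, usual hosts."""
    totals, hosts = daily_totals(history)
    per_user = defaultdict(list)
    for (user, _day), total in totals.items():
        per_user[user].append(total)
    baseline = {}
    for user, xs in per_user.items():
        n = len(xs)
        mean = sum(xs) / n
        var = sum((x - mean) ** 2 for x in xs) / (n - 1) if n > 1 else 0.0
        baseline[user] = {"mean": mean, "stdev": math.sqrt(var),
                          "hosts": hosts[user], "days": n}
    return baseline


def score_day(baseline, today, z_threshold=3.0, rel_floor=0.10):
    """HOT tier: z-score each user's egress today against the profile.

    The stdev is floored at rel_floor * mean (and at 1 byte) so a very
    regular user does not get a huge z-score from a small absolute change."""
    totals, hosts = daily_totals(today)
    results = {}
    for (user, _day), total in totals.items():
        prof = baseline.get(user)
        if prof is None:
            results[user] = {"flag": "no-baseline", "z": None,
                             "bytes_out": total, "new_hosts": sorted(hosts[user])}
            continue
        spread = max(prof["stdev"], rel_floor * prof["mean"], 1.0)
        z = (total - prof["mean"]) / spread
        new_hosts = sorted(hosts[user] - prof["hosts"])
        if z > z_threshold and new_hosts:
            flag = "suspicious"   # volume anomaly to a never-seen destination
        elif z > z_threshold:
            flag = "elevated"     # volume anomaly to usual destinations only
        else:
            flag = "normal"
        results[user] = {"flag": flag, "z": round(z, 1),
                         "bytes_out": total, "new_hosts": new_hosts}
    return results


def suspicious_users(results):
    return sorted(u for u, r in results.items() if r["flag"] == "suspicious")


if __name__ == "__main__":
    res = score_day(build_baseline(HISTORY), TODAY)
    for user, r in sorted(res.items()):
        print(user, r["flag"], r["z"], r["bytes_out"] // MB, "MB", r["new_hosts"])
    print("suspicious:", suspicious_users(res))
```

Two choices matter more than the statistics. The relative floor on the standard deviation is what keeps bob's 24 MB day (against a 21.5 MB average that barely varies) from firing; without it a flat baseline turns any change into a large z-score. And a user with no baseline at all is reported separately rather than scored, because "new account, first day, 5 MB" and "nothing to compare against" are different situations that the analyst, not the scorer, should decide on.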
Intelligence Data Flow

[Diagram; arrows not recoverable. Node labels as extracted:]
- Public research; industry collaboration (ISACs, community groups); private research
- Analysis inputs: threat actor analysis, IR analysis, vuln analysis, vulnerability research, incident info, honeynet, blacklists, BlackNet, GregNet, TBS
- SAC/SOC: actionable intelligence, threat modeling, threat analysis, threat detection, anomaly detection, alerting, direct communication
- Hunter team: intel gathering, threat modeling, analysis, exploitation, past exploitation analysis, reports
- CIO/CISO office
CIO and CISO Influencers
CIO and CISO are a Strategic Combination

In IBM's recent CISO Study, nearly two thirds said senior executives are paying more attention to security issues and expect to have to spend more over the next 2 years. They also rated external threats as a bigger challenge than internal threats, new technology or compliance.

Influencers in limiting the impact of security breaches demonstrate commitment to a proven approach:
1) They set priorities by understanding the asset environment
2) They understand what needs to be protected and implement accordingly
3) They understand that they need a plan in place in the event of a breach
4) They understand that enterprise security means more than just technology; it involves people and process as well

Source: IBM 2012 CISO Assessment, http://www.ibm.com/smarterplanet/us/en/business_resilience_management/article/security_essentials.html
Applying the Lessons of Influencers

Four pillars: Prioritize, Protect, Prepare, Promote. Actions under them:
- Determine what's most important to the security of your business and why
- Identify those areas most vulnerable to attack
- Identify the specific types of attacks that pose the biggest threat
- Create a proactive and informed approach to IT security
- Identify existing vulnerabilities and fix them
- Mitigate any existing threats
- Take an informed approach to security intelligence
- Demonstrate and document the value of your security investments
- Review to ensure that there are no gaps or unnecessary overlaps
- Develop a detailed and coordinated response plan
- Ensure you have access to the resources and tools needed to respond quickly
- Take a consistent approach to assigning responsibility across the organization
- Create and support a risk-aware culture throughout your organization
- Ensure that each employee knows what to do
Integration to Improve Consistency and Communications

- Consolidate and correlate siloed information from hundreds of sources
- Designed to help detect, notify and respond to threats missed by other security solutions
- Automate compliance tasks and assess risks
- Stay ahead of the changing threat landscape
- Designed to help detect the latest vulnerabilities, exploits and malware
- Add security intelligence to non-intelligent systems
- Customize protection capabilities to block specific vulnerabilities using scan results
- Converge access management with web service gateways
- Link identity information with database security
Put the Model Into Action

Gather information (data):
- Risk baseline and existing knowledge: impact studies, network diagrams, known bad actors. What is the cost of an outage? What are the ingress and egress points?
- Routine collection: baseline anomalies, firewall rule usage, vulnerability scans
- Research: penetration tests, forensic analysis, attack modelling

Interpret results (information):
- Risk assessment: impact, vulnerability, threat. How can the system be accessed? What malware exists that can exploit my OS and access methods?
- Validation: likelihood, costs

Draw conclusion (security intelligence):
- Risk mitigation and avoidance options: IPS signature, firewall rule, architecture modifications
- The answer
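The "interpret results" and "validation" steps above, and the CIO remark earlier about applying a percentage decrease in exposure to the revenue in play, are the same calculation. The following is an added example written for this page, not a model from the deck: it expresses impact as value at risk times an exposure factor, likelihood as expected incidents per year, and then compares the three mitigation types named on the slide by residual annualized loss, net benefit and return on security investment. The scenario, the figures and the assumed effect of each control are constructed for illustration.

```python
"""Risk baseline and mitigation comparison as annualized loss expectancy.

Added example, not from the original deck. Impact, threat and
vulnerability become SLE (single loss expectancy) and ARO (annual rate of
occurrence); ALE = SLE x ARO is the baseline, and each candidate control
is judged by the ALE it removes against what it costs. All figures are
constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Exposure:
    name: str
    asset_value: float      # impact: revenue or value in play for this asset
    exposure_factor: float  # fraction of that value lost per incident
    annual_rate: float      # likelihood: expected incidents per year

    def sle(self):
        """Single loss expectancy: the cost of one incident."""
        return self.asset_value * self.exposure_factor

    def ale(self):
        """Annualized loss expectancy before any new control."""
        return self.sle() * self.annual_rate


@dataclass(frozen=True)
class Mitigation:
    name: str
    annual_cost: float
    rate_reduction: float = 0.0    # fraction of incidents prevented (likelihood side)
    impact_reduction: float = 0.0  # fraction of per-incident loss avoided (impact side)


def residual_ale(exp, mit):
    """ALE that remains once the control is in place."""
    return (exp.sle() * (1 - mit.impact_reduction)
            * exp.annual_rate * (1 - mit.rate_reduction))


def net_benefit(exp, mit):
    """ALE avoided minus what the control costs per year."""
    return exp.ale() - residual_ale(exp, mit) - mit.annual_cost


def rosi(exp, mit):
    """Return on security investment: net benefit per unit of cost."""
    return net_benefit(exp, mit) / mit.annual_cost


def compare(exp, mitigations):
    """Rank candidate controls by net benefit, largest first."""
    rows = [{"name": m.name,
             "residual_ale": round(residual_ale(exp, m)),
             "net_benefit": round(net_benefit(exp, m)),
             "rosi": round(rosi(exp, m), 2)} for m in mitigations]
    return sorted(rows, key=lambda r: r["net_benefit"], reverse=True)


# Constructed scenario: an internet-facing trading application; one outage
# or compromise costs 2% of the 40 M in annual revenue it carries, and the
# current configuration is expected to see 1.5 such incidents a year.
TRADING = Exposure("trading app", asset_value=40_000_000,
                   exposure_factor=0.02, annual_rate=1.5)

# The three mitigation types named on the slide, with assumed costs/effects.
OPTIONS = [
    Mitigation("IPS signature", annual_cost=30_000, rate_reduction=0.40),
    Mitigation("firewall rule", annual_cost=5_000, rate_reduction=0.15),
    Mitigation("architecture mods (segmentation)", annual_cost=400_000,
               rate_reduction=0.50, impact_reduction=0.50),
]

if __name__ == "__main__":
    print(f"baseline ALE: {TRADING.ale():,.0f}")
    for row in compare(TRADING, OPTIONS):
        print(f"{row['name']:<34} residual {row['residual_ale']:>10,} "
              f"net {row['net_benefit']:>9,} ROSI {row['rosi']:>6}")
```

The point of reporting both numbers is visible in the constructed case: the firewall rule has by far the best ROSI (it is nearly free), but segmentation removes the most risk and has the largest net benefit, because it is the only option that cuts impact as well as likelihood. Which one the board should hear about depends on whether the question is "where is the cheapest improvement" or "how do we reduce the exposure on this revenue", and the model lets the security lead answer in the business's terms either way.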
Questions? jack.danahy@us.ibm.com