IBM Security Framework: Intelligence, Integration and Expertise
Sadu Bajekal, Senior Technical Staff Member, Principal Security Architect, IBM Security Systems
January 28, 2014
© 2013 IBM Corporation
Agenda
- Introduction: The evolving threat landscape
- A new approach to security is needed
- How the IBM Security Framework is positioned to help
Motivations and sophistication are rapidly evolving
(Figure: attacker categories plotted on two axes, Motivation and Sophistication.)
- National Security, Economic Espionage: Nation-state actors, APTs (Stuxnet, Aurora, APT-1)
- Notoriety, Activism, Defamation: Hacktivists (Lulzsec, Anonymous)
- Monetary Gain: Organized crime (Zeus, ZeroAccess, Blackhole Exploit Pack)
- Nuisance, Curiosity: Insiders, Spammers, Script-kiddies (Nigerian 419 Scams, Code Red)
Evolving threats and increasing payoffs
(Figure: internal and external threats plotted against payoffs.)
X-Force Research: Attackers are taking advantage of the human factor
Source: IBM X-Force Research 2013 Trend and Risk Report
IT Security is a board room discussion
- CEO: Loss of market share and reputation; Legal exposure
- CFO/COO: Audit failure; Fines and criminal charges; Financial loss
- CIO: Loss of data confidentiality, integrity and/or availability
- CHRO: Violation of employee privacy
- CMO: Loss of customer trust; Loss of brand reputation
Increasingly, companies are appointing CROs and CISOs with a direct line to the Audit Committee.
Source: Discussions with more than 13,000 C-suite executives as part of the IBM C-suite Study Series
Security challenges are a complex, four-dimensional puzzle that requires a new approach
- People: Employees, Consultants, Attackers, Partners, Outsourcers, Customers, Suppliers
- Data: Structured, Unstructured, At rest, In motion
- Applications: Systems Applications, Web Applications, Web 2.0, Mobile Applications
- Infrastructure: Datacenters, PCs, Laptops, Mobile, Cloud, Non-traditional
Thinking differently about security (Then vs. Now)
- People: Administration -> Insight
- Data: Basic control -> Laser focused
- Applications: Bolt-on -> Built-in
- Infrastructure: Thicker walls -> Smarter defenses
Collect and Analyze Everything
Customers have a growing need to identify and protect against threats by building insights from broader data sets
Traditional Security Operations and Technology: Logs; Events; Alerts; Configuration information; System audit trails; Identity context
New Considerations
- Collection, Storage and Processing: Collection and integration; Size and speed; Enrichment and correlation
- Big Data Analytics: Network flows and anomalies; External threat intelligence feeds; Web page text; E-mail and social activity; Full packet and DNS captures; Business process data; Customer transactions
- Analytics and Workflow: Visualization; Unstructured analysis; Learning and prediction; Customization; Sharing and export
Reaching security maturity
Security Intelligence layer: Log Management (Basic); SIEM and Vulnerability Management (Proficient); Predictive Analytics, Big Data Workbench, Flow Analytics (Optimized); Advanced Fraud Protection
Optimized
- People: Identity governance; Fine-grained entitlements; Privileged user management
- Data: Data governance; Encryption key management
- Applications: Fraud detection; Hybrid scanning and correlation
- Infrastructure: Multi-faceted network protection; Anomaly detection; Hardened systems
Proficient
- People: User provisioning; Access management; Strong authentication
- Data: Data masking / redaction; Database activity monitoring; Data loss prevention
- Applications: Web application protection; Source code scanning
- Infrastructure: Virtualization security; Asset management; Endpoint / network security management
Basic
- People: Directory management
- Data: Encryption; Database access control
- Applications: Application scanning
- Infrastructure: Perimeter security; Host security; Anti-virus
IBM Security: Delivering intelligence, integration and expertise across a comprehensive framework
- Intelligence
- Integration
- Expertise
IBM Security: Market-changing milestones
- 1976: Resource Access Control Facility (RACF) is created, eliminating the need for each application to embed security (Mainframe and Server Security)
- 1999: Dascom is acquired for access management capabilities (Access Management)
- 2002: Access360 is acquired for identity management capabilities; MetaMerge is acquired for directory integration capabilities (Identity Management)
- 2005: DataPower is acquired for SOA management and security capabilities (SOA Management and Security)
- 2006: Internet Security Systems, Inc. is acquired for security research and network protection capabilities (Network Intrusion Prevention)
- 2007: Watchfire is acquired for security and compliance capabilities; Consul is acquired for risk management capabilities; Princeton Softech is acquired for data management capabilities (Compliance Management)
- 2008: Encentuate is acquired for enterprise single-sign-on capabilities
- 2009: Ounce Labs is acquired for application security capabilities; Guardium is acquired for enterprise database monitoring and protection capabilities (Application Security, Database Monitoring)
- 2010: Big Fix is acquired for endpoint security management capabilities; NISC is acquired for information and analytics management capabilities (Security Analytics)
- 2011: Q1 Labs is acquired for security intelligence capabilities; IBM Security Systems division is created (Security Intelligence)
- 2013: Intent to acquire Trusteer for mobile and application security, counter-fraud and malware detection (Advanced Fraud Protection)
IBM Security Investment: 6,000+ IBM Security experts worldwide; 3,000+ IBM security patents; 4,000+ IBM managed security services clients worldwide; 25 IBM Security labs worldwide
IBM offers a comprehensive portfolio of security products (IBM Security Systems Portfolio)
- Security Intelligence and Analytics: QRadar Log Manager; QRadar SIEM; QRadar Risk Manager; QRadar Vulnerability Manager
- Advanced Fraud Protection: Trusteer Rapport; Trusteer Pinpoint Malware Detection; Trusteer Pinpoint ATO Detection; Trusteer Mobile Risk Engine
- People: Identity Management; Access Management; Privileged Identity Manager; Federated Access and SSO
- Data: Guardium Data Security and Compliance; Guardium DB Vulnerability Management; Guardium / Optim Data Masking; Key Lifecycle Manager
- Applications: AppScan Source; AppScan Dynamic; DataPower Web Security Gateway; Security Policy Manager
- Infrastructure (Network): Network Intrusion Prevention; Next Generation Network Protection; SiteProtector Threat Management; Network Anomaly Detection
- Infrastructure (Endpoint): Trusteer Apex; Mobile and Endpoint Management; Virtualization and Server Security; Mainframe Security
Underpinned by IBM X-Force Research
Increase security, collapse silos, and reduce complexity
- Integrated Intelligence: Consolidate and correlate siloed information from hundreds of sources
- Integrated Research: Stay ahead of the changing threat landscape
- Integrated Protection: Link security and vulnerability information across domains
Intelligent Security for the Cloud
- Security Intelligence: Provide visibility, auditability and control for the cloud
- Identity Protection: Administer, secure, and extend identity and access to and from the cloud
- Data and Application Protection: Secure enterprise databases; Build, test and maintain secure cloud applications
- Threat Protection: Prevent advanced threats with layered protection and analytics
Securing the Mobile Enterprise
- Device Management: Security for endpoint device and data
- Network, Data, and Access Security: Achieve visibility and adaptive security policies
- Application Layer Security: Develop and test applications
Driving Compliance with Enhanced Visibility and Controls
- Security Intelligence: Activity Monitoring, Anomaly Detection, Reporting
- Preventing insider threat
- Monitoring Data and PII concerns
- Managing end users and Privacy concerns
- Accessing Applications on a need-to-know basis
IBM Confidential
Security Intelligence: Integrating across IT silos (Security Intelligence and Analytics)
Extensive data sources: Security devices; Servers and mainframes; Network and virtual activity; Data activity; Application activity; Configuration information; Vulnerabilities and threats; Users and identities
Deep intelligence:
- Correlation: Logs/events; Flows; IP reputation; Geographic location
- Activity baselining and anomaly detection: User activity; Database activity; Application activity; Network activity
- Offense identification: Credibility; Severity; Relevance
Extensive data sources + Deep intelligence = Exceptionally accurate and actionable insight (True offense; Suspected incidents)
Key Themes
- Increased Data Sources: Data from 450+ security collectors and integration with X-Force intelligence and other external feeds to use in analysis for determining relevant vulnerabilities and potential threats
- Integrated Vulnerability Management: Comprehensive understanding of the configuration and exposure of systems in the environment, enabling contextual analysis to determine vulnerabilities against particular threats
- Enhanced Identity Context: Integrated understanding of users, their roles, level of privilege, geographical location and their typical behaviors to enable enterprises to identify abnormal activity that might indicate insider threat
Integration: A unified architecture delivered in a single console
Designed from scratch to deliver massive log management scale without any compromise on SIEM intelligence
- Log Management
- NextGen SIEM
- Activity Monitoring
- Risk Management
- Vulnerability Management
- Network Forensics
Identity and Access Management: Helping to extend secure user access across the enterprise (People)
Key Themes
- Standardized IAM and Compliance Management: Expand IAM vertically to provide identity and access intelligence to the business; integrate horizontally to enforce user access to data, app, and infrastructure
- Secure Cloud, Mobile, Social Interaction: Enhance context-based access control for cloud, mobile and SaaS access, as well as integration with proofing, validation and authentication solutions
- Insider Threat and IAM Governance: Continue to develop Privileged Identity Management (PIM) capabilities and enhanced Identity and Role management
Announcing: Threat-Aware Identity and Access Management
New capabilities to help organizations secure enterprise identity as a new perimeter
- Safeguard mobile, cloud and social interactions: Validate who is who when users connect from outside the enterprise; Enforce proactive access policies on cloud, social and mobile collaboration channels
- Prevent insider threat and identity fraud: Manage shared access inside the enterprise; Defend applications and access against targeted web attacks and vulnerabilities
- Deliver intelligent identity and access assurance: Enable identity management for the line of business; Enhance user activity monitoring and security intelligence across security domains
- Simplify identity silos and cloud integrations: Provide visibility into all available identities within the enterprise; Unify Universe of Identities for security management
Helping achieve secure transactions and graded trust (Safeguard mobile, cloud and social interactions)
- Eliminate use of passwords to secure mobile application access
- Implement Risk Based access posture for BYOD
- Validate Customer Identity interacting via Mobile and Social channels
- Enforce Identity context for Mobile, SaaS and Cloud access
(ISAM for Mobile)
Prevent insider breaches caused by privileged identity misuse (Prevent insider threat and identity fraud)
- Audit privileged user activity and sensitive data access
- Address compliance, regulatory and privacy requirements
- Secure user access and content against targeted attacks
- Integrated security intelligence
(Figure: Administrative ID -> Credential Vault -> Session Recording -> Target Systems)
IBM Security Systems Data Security: Helping to secure structured, unstructured, online and offline data across the enterprise
(Figure: Security Solutions integrate with IT & Business Process.)
Data Governance, Security Intelligence, Analytics: Audit, Reporting, and Monitoring; Policy-based Access and Entitlements; Data Discovery and Classification; Enforcement
- Data at Rest: Protection & Encryption for stored data (Databases, File Servers, Big Data, Data Warehouses, Application Servers, Cloud/Virtual...)
- Data in Motion: Network Loss Prevention for data over the network (SQL, HTTP, SSH, FTP, email...)
- Data in Use: Endpoint Loss Prevention for data at the endpoint (workstations, laptops, mobile...)
Goals: Protect data in any form, anywhere, from internal or external threats; Streamline regulation compliance process; Reduce operational costs around data protection
Key Themes
- Expand to new platforms: Expand beyond supporting databases to all relevant data sources, including data warehouses, file shares, file systems, enterprise content managers, and Big Data (Hadoop, NoSQL, in-memory DB), wherever data is stored
- Introduce new data protection capabilities: Complement discovery, classification, monitoring, auditing, and blocking with thought leadership capabilities like cloud encryption/tokenization, dynamic data masking, and fraud detection
- Lead on scalability and lower TCO: Continue to improve on solution deployability with improvements to scalability, performance, simplification, automation, serviceability, and ease of use
InfoSphere Guardium integration with QRadar opens up new opportunities
In-depth data activity monitoring and security insights from InfoSphere Guardium: Databases; Data warehouses; Big Data environments; File shares
QRadar data sources: Security Devices; Servers & Hosts; Network & Virtual Activity; Database Activity; Application Activity; Configuration Info; Vulnerability Info; User Activity
Deep intelligence: Event Correlation; Activity Baselining & Anomaly Detection; Offense Identification
Extensive Data Sources + Deep Intelligence = Exceptionally Accurate and Actionable Insight
NEW:
- Send security alerts from Guardium to QRadar
- Send audit reports from Guardium to QRadar to enhance analytics
- Send database vulnerability assessment status from Guardium to QRadar
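The two slides above describe the pipeline in words only: database activity and identity context feed a correlation engine that baselines behaviour, flags anomalies, and scores an offense on credibility, severity and relevance. The toy below is an added illustration of that flow and is not QRadar or Guardium code; the reputation table, identity records, asset weights and audit rows are all constructed, and the scoring weights are assumptions.

```python
"""Toy correlation of Guardium-style DB audit rows with identity and IP-reputation
context into a scored offense (credibility / severity / relevance).
Added illustration only: not product code, all data below is constructed."""
from collections import defaultdict

# Constructed enrichment context (shapes are assumptions, not product formats).
IP_REPUTATION = {"203.0.113.9": "anonymous proxy"}          # X-Force-style feed
IDENTITY = {"jdoe": {"privileged": False, "usual_ips": {"10.0.0.5"}},
            "dba1": {"privileged": True,  "usual_ips": {"10.0.0.7"}}}
ASSET_RELEVANCE = {"payroll": 3, "hr_pii": 3, "catalog": 1}  # 1 (low) .. 3 (high)

# Constructed audit rows: (user, source IP, database, rows returned)
BASELINE = [("jdoe", "10.0.0.5", "catalog", 120), ("jdoe", "10.0.0.5", "catalog", 95),
            ("dba1", "10.0.0.7", "payroll", 40)]
TODAY = [("jdoe", "10.0.0.5", "catalog", 110),
         ("jdoe", "203.0.113.9", "hr_pii", 5000),
         ("dba1", "10.0.0.7", "payroll", 38)]

def build_baseline(records):
    """Per user: databases normally touched and the largest result set seen."""
    seen = defaultdict(lambda: {"dbs": set(), "max_rows": 0})
    for user, _ip, db, rows in records:
        seen[user]["dbs"].add(db)
        seen[user]["max_rows"] = max(seen[user]["max_rows"], rows)
    return seen

def detect_anomalies(records, baseline):
    """Return (record, reasons) for activity outside the user's baseline."""
    out = []
    for rec in records:
        user, ip, db, rows = rec
        reasons = []
        base = baseline.get(user)
        if base is None or db not in base["dbs"]:
            reasons.append("new database for user")
        if base and rows > 10 * max(base["max_rows"], 1):
            reasons.append("volume 10x above baseline")
        if ip not in IDENTITY.get(user, {}).get("usual_ips", set()):
            reasons.append("unusual source IP")
        if ip in IP_REPUTATION:
            reasons.append("source IP is " + IP_REPUTATION[ip])
        if reasons:
            out.append((rec, reasons))
    return out

def score_offense(record, reasons):
    """Credibility: independent indicators agreeing; severity: privilege and IP
    reputation; relevance: criticality of the touched asset. Magnitude 1..10."""
    user, ip, db, _rows = record
    credibility = min(len(reasons), 4)
    severity = (1 + (2 if IDENTITY.get(user, {}).get("privileged") else 0)
                + (2 if ip in IP_REPUTATION else 0))
    relevance = ASSET_RELEVANCE.get(db, 1)
    magnitude = round(10 * (credibility / 4 + severity / 5 + relevance / 3) / 3)
    return {"user": user, "db": db, "credibility": credibility,
            "severity": severity, "relevance": relevance,
            "magnitude": max(1, min(10, magnitude)), "reasons": reasons}

def offenses(records=TODAY, baseline_records=BASELINE):
    """Full pipeline: baseline -> anomalies -> scored offenses."""
    return [score_offense(r, why) for r, why in
            detect_anomalies(records, build_baseline(baseline_records))]

if __name__ == "__main__":
    for o in offenses():
        print(o)
```

Only the jdoe read of hr_pii from the proxy address becomes an offense; the routine catalog and payroll queries match their baselines and produce nothing.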
IBM Security Systems Application Security: Helping to protect against the threat of attacks and data breaches
Audience: Development teams; Penetration Testers; Security teams
Software Development Lifecycle: Coding -> Build -> QA -> Security -> Production
Scanning Techniques: Dynamic analysis (black box); Static analysis (white box); multiple programming languages
Applications: Web Applications; Web Services; Mobile Applications; Purchased Applications
Governance and Collaboration: Test policies, test templates and access control; Dashboards, detailed reports and trending; Manage regulatory requirements such as PCI, GLBA and HIPAA (40+ out-of-the-box compliance reports)
Integrations: Build systems improve scan efficiencies; Defect tracking systems track remediation; IDEs provide remediation assistance; Security Intelligence raises threat level
Key Themes
- Coverage for Mobile applications and new threats: Continue to identify and reduce risk by expanding scanning capabilities to new platforms such as mobile, as well as introducing next generation dynamic analysis scanning and glass box testing
- Simplified interface and accelerated ROI: New capabilities to improve customer time to value and consumability with out-of-the-box scanning, static analysis templates and ease of use features
- Security Intelligence Integration: Automatically adjust threat levels based on knowledge of application vulnerabilities by integrating and analyzing scan results with SiteProtector and the QRadar Security Intelligence Platform
IBM Security Systems Infrastructure Protection: Network Security (IBM Network Security)
- Security Intelligence Platform: Log Manager; Network Activity Monitor; SIEM; Risk Manager; Network Anomaly Detection; Vulnerability Manager
- Threat Intelligence and Research: Vulnerability Data; Malicious Websites; Malware Information; IP Reputation
- Advanced Threat Platform: Intrusion Prevention; Content and Data Security; Web Application Protection; Application Control; Future capabilities
Key Themes
- Advanced Threat Protection Platform: Helps to prevent sophisticated threats and detect abnormal network behavior by using an extensible set of network security capabilities in conjunction with real-time threat information and Security Intelligence
- Expanded X-Force Threat Intelligence: Increased coverage of world-wide threat intelligence harvested by X-Force and the consumption of this data to make smarter and more accurate security decisions
- Security Intelligence Integration: Tight integration between the Advanced Threat Protection Platform and QRadar Security Intelligence platform to provide unique and meaningful ways to detect, investigate and remediate threats
X-Force Threat Intelligence: The IBM Differentiator
Advanced Security and Threat Research. The mission of X-Force is to:
- Monitor and evaluate the rapidly changing threat landscape
- Research new attack techniques and develop protection for tomorrow's security challenges
- Educate our customers and the general public
Capabilities
- URL/Web Filtering: Provides access to one of the world's largest URL filter databases containing more than 20 billion evaluated Web pages and images
- Anti-Spam: Detect spam using known signatures, discover new spam types automatically, 99.9% accurate, near 0% overblocking
- IP Reputation: Categorize malicious websites via their IP address into different threat segments, including malware hosts, spam sources, and anonymous proxies
- Web Application Control: Identifying and providing actions for application traffic, both web-based, such as Gmail, and client based, such as Skype
IBM Security Systems Infrastructure Protection: Endpoint Infrastructure
Provides in-depth security across your network, servers, virtual servers, mainframes and endpoints
Key Themes
- Security for Mobile Devices: Provide security for and manage traditional endpoints alongside mobile devices such as Apple iOS, Google Android, Symbian, and Microsoft Windows Phone, using a single platform
- Expansion of Security Content: Continued expansion of security configuration and vulnerability content to increase coverage for applications, operating systems, and industry best practices
- Security Intelligence Integration: Improved usage of analytics, providing valuable insights to meet compliance and IT security objectives, as well as further integration with SiteProtector and the QRadar Security Intelligence Platform
IBM Security: Helping clients optimize IT security
- Integrated Portfolio
- Managed and Professional Services
- Extensive Partner Ecosystem
- IBM Research
Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed or misappropriated or can result in damage to or misuse of your systems, including to attack others. No IT system or product should be considered completely secure and no single product or security measure can be completely effective in preventing improper access. IBM systems and products are designed to be part of a comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective. IBM DOES NOT WARRANT THAT SYSTEMS AND PRODUCTS ARE IMMUNE FROM THE MALICIOUS OR ILLEGAL CONDUCT OF ANY PARTY.
www.ibm.com/security
Copyright IBM Corporation 2013. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind, express or implied. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, these materials. Nothing contained in these materials is intended to, nor shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software. References in these materials to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates. Product release dates and/or capabilities referenced in these materials may change at any time at IBM's sole discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any way.
IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service marks of others.
Disclaimer
Please Note: IBM's statements regarding its plans, directions, and intent are subject to change or withdrawal without notice at IBM's sole discretion. Information regarding potential future products is intended to outline our general product direction and it should not be relied on in making a purchasing decision. The information mentioned regarding potential future products is not a commitment, promise, or legal obligation to deliver any material, code or functionality. Information about potential future products may not be incorporated into any contract. The development, release, and timing of any future features or functionality described for our products remains at our sole discretion.
Customer successes across domains
- Security Intelligence and Analytics (Improve overall security and compliance): Global office products supplier achieved greater visibility to potential security threats and PCI compliance with $0 cost increase
- Advanced Fraud Protection (Protect against financial fraud and advanced security threats): Banking clients reduced online banking fraud to near zero while complying with regulatory compliance mandates for layered security
- People (Manage user access securely and cost-effectively): Major South American bank health reduced the number of help desk calls by 30%, resulting in annual savings of $450,000+
- Data (Ensure privacy and integrity of data): Major global bank saved $1.5 USD / year on storage costs and reduced compliance costs by $20M USD
- Applications (Automate security testing on web-based applications): Client added 225 new applications per year to handle US$1 quadrillion in securities transactions per year
- Infrastructure (Proactively alert, simplify monitoring and management): Client monitored all devices and networks across all sites with zero false positives without blocking revenue-based traffic