Take the Red Pill: Becoming One with Your Computing Environment using Security Intelligence




Transcription:

Take the Red Pill: Becoming One with Your Computing Environment using Security Intelligence. Chris Poulin, Security Strategist, IBM. Reboot Privacy & Security Conference 2013. 1. (c) 2012 IBM Corporation

Securing Information Resources is a Multi-Dimensional Puzzle.
People: employees, hackers, outsourcers, suppliers, consultants, terrorists, customers.
Data: structured, unstructured, at rest, in motion.
Applications: systems applications, web applications, Web 2.0, mobile applications and mobile apps.
Infrastructure.
It is no longer possible to define and protect the perimeter; the focus must shift to protecting data. Point products are not sufficient to protect the enterprise. 2

Getting Intimate with Your Computing Environment How well do you know: Applications? Owners? Activity patterns? Where sensitive data resides? Network activity patterns? 3

Why Take the Red Pill? What's normal? What's suspect? 4

How to Get There: Security Intelligence.
Extensive data sources: users & identities, security devices, servers & hosts, network & virtual activity, vulnerability info, application activity, database activity, configuration info.
Deep intelligence: event correlation (logs, IP reputation, flows, geo location); activity baselining & anomaly detection (user activity, database activity, application activity, network activity); offense identification (credibility, severity, relevance).
Output: suspected incidents.
Extensive data sources + deep intelligence = exceptionally accurate and actionable insight. 5

What is Security Intelligence? Security Intelligence, noun: 1. the real-time collection, normalization, and analytics of the data generated by users, applications and infrastructure that impacts the IT security and risk posture of an enterprise. Security Intelligence provides actionable and comprehensive insight for managing risks and threats, from protection and detection through remediation. 6

Activity and Data Access Monitoring.
Visualize data risks: automated charting and reporting on potential attacks.
Correlate system, application, & network activity: enrich security alerts with anomaly detection and flow analysis.
Detect suspicious activity before it leads to a breach: 360-degree visibility helps distinguish true breaches from benign activity, in real time. 7

Top Events by Log Type and Count 8

Top Flows by Application and Total Bytes 9

and Bottom Flows 10

Data Leakage Who is responsible for the data leak? Alert on data patterns, such as credit card number, in real time. 11
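The slide's "alert on data patterns, such as credit card number" point, as an added example that is not part of the original deck or of QRadar: a detector that scans constructed log lines for 13 to 19 digit runs, keeps only those that pass the Luhn checksum (which removes most random digit runs such as record ids), and emits an alert that names the user and host responsible and carries only a masked PAN. The log format and field names are assumptions.

```python
import re

# Constructed sample log lines (not from the original deck). Two carry
# well-known Luhn-valid test PANs; the "id=" value is 16 digits but fails Luhn.
SAMPLE_LOGS = [
    '2013-02-01T10:02:11Z host=web01 user=alice msg="POST /checkout card=4111111111111111"',
    '2013-02-01T10:02:12Z host=web01 user=bob msg="GET /report id=1234567890123456"',
    '2013-02-01T10:03:40Z host=db01 user=svc_etl msg="export rows=5105105105105100 to /tmp/out.csv"',
]

# 13 to 19 digits, optionally separated by single spaces or dashes, not embedded in a longer digit run.
PAN_RE = re.compile(r'(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)')


def luhn_ok(digits):
    """Luhn checksum: true for well-formed PANs, false for most arbitrary digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(line):
    """Return the Luhn-valid PANs (separators stripped) found in one log line."""
    hits = []
    for m in PAN_RE.finditer(line):
        digits = re.sub(r'[ -]', '', m.group(0))
        if luhn_ok(digits):
            hits.append(digits)
    return hits


def alert_on_pans(lines):
    """One alert per PAN hit, attributing it to the user= and host= fields (assumed format)."""
    alerts = []
    for line in lines:
        for pan in find_pans(line):
            user = re.search(r'user=(\S+)', line)
            host = re.search(r'host=(\S+)', line)
            alerts.append({
                'user': user.group(1) if user else None,
                'host': host.group(1) if host else None,
                # never log the full PAN: keep issuer prefix and last four only
                'pan_masked': pan[:6] + '*' * (len(pan) - 10) + pan[-4:],
            })
    return alerts
```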

Passively Discover & Profile Assets with NetFlow & QFlow 12

Enrich the Asset Database with VA Scans, Manually, CMDB Import 13

Update Rules Automatically 14

Customize Your Network Landscape for Contextual Visibility Customize Segment & System Names for Quick Identification 15

Pivot by Geography 16

Dashboards & Reporting, Customized per Role 17

User Activity Monitoring to Combat Advanced Persistent Threats User & Application Activity Monitoring alerts on a user anomaly for Oracle database access. Identify the user, normal access behavior, and the anomaly behavior with all source & destination information to quickly resolve the threat. 18

Baselining Complex Patterns: complex patterns can be baselined; anomalies take historical data into account continuously; baselines may incorporate seasonality. 19
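The baselining described on this slide, as an added example that is not code from the original deck or from QRadar: a per-slot baseline (here the slot is hour of day) that scores each new count against the history of the same slot and then learns it, so the baseline keeps moving with the data. The constructed history is 14 days of a user's database-query counts at 03:00 and at 10:00; the threshold, window and counts are assumptions.

```python
from collections import defaultdict
from statistics import mean, pstdev


class SeasonalBaseline:
    """Baseline keyed by a seasonal slot (e.g. hour of day), updated after every observation.

    A spike at 03:00 is compared with earlier 03:00 values rather than with the
    all-hours average, which is what makes a quiet-hours anomaly visible.
    """

    def __init__(self, min_samples=7, z_threshold=3.0, floor=5):
        self.history = defaultdict(list)   # slot -> past counts for that slot
        self.min_samples = min_samples     # do not score until the slot has a history
        self.z_threshold = z_threshold     # standard deviations above the slot mean
        self.floor = floor                 # ignore tiny absolute counts

    def score(self, slot, value):
        """Return (is_anomaly, z) for value against the slot's history, then learn it."""
        hist = self.history[slot]
        is_anomaly, z = False, 0.0
        if len(hist) >= self.min_samples:
            mu, sigma = mean(hist), pstdev(hist)
            sigma = max(sigma, 1.0)        # flat history must not divide by zero
            z = (value - mu) / sigma
            is_anomaly = z > self.z_threshold and value >= self.floor
        hist.append(value)                 # continuous update of the baseline
        return is_anomaly, z


def demo():
    """Constructed history (not real data): 14 days, ~1 query at 03:00 and ~100 at 10:00."""
    b = SeasonalBaseline()
    night = [0, 1, 2, 1, 0, 1, 2, 1, 1, 0, 2, 1, 1, 0]
    day = [98, 102, 100, 97, 105, 99, 101, 100, 96, 103, 100, 99, 102, 98]
    for n, d in zip(night, day):
        b.score(3, n)
        b.score(10, d)
    # Day 15: 60 queries at 03:00 is close to the all-hours mean (about 50), so a
    # non-seasonal baseline would treat it as ordinary; against the 03:00 history
    # it is a clear outlier. 104 at 10:00 sits inside the daytime spread.
    night_anom, _ = b.score(3, 60)
    day_anom, _ = b.score(10, 104)
    return night_anom, day_anom
```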

Configuration & Risk: network topology and open paths of attack add context. Rules can take exposure into account to prioritize offenses and remediation, enforce policies, and play out what-if scenarios. 20

Security Intelligence Timeline.
Prediction & Prevention: risk management, vulnerability management, configuration monitoring, patch management, X-Force research and threat intelligence, compliance management, reporting and scorecards.
Reaction & Remediation: SIEM, log management, incident response, network and host intrusion prevention, network anomaly detection, packet forensics, database activity monitoring, data loss prevention. 21

Security Intelligence Wrap-Up.
Monitor all activity and correlate in real time: reduce cost & complexity, lower TCO, compliance.
Detect policy violations: baseline against reality (CMDB); social media, P2P, etc.
Detect suspicious behavior: privileged actions from a contractor's workstation; DNS communications with an external system.
Detect APTs: file accesses out of the norm (behavior anomaly detection); least-used applications or external systems; occasional traffic.
Detect fraud: baseline credit pulls or trading volumes and detect anomalies; correlate an e-banking PIN change with large money transfers.
Forensic evidence for prosecution. Impact analysis. Change & configuration management. 22

IBM's Security Intelligence, Analytics and Big Data portfolio.
1. IBM QRadar Security Intelligence: unified architecture for collecting, storing, analyzing and querying log, threat, vulnerability and risk related data.
2. IBM Big Data Platform (Streams, BigInsights, Netezza): addresses the speed and flexibility required for customized data exploration, discovery and unstructured analysis.
3. IBM i2 Analyst's Notebook: helps analysts investigate fraud by discovering patterns and trends across volumes of data.
4. IBM SPSS: unified product family to help capture, predict, discover trends, and automatically deliver high-volume, optimized decisions. 23

View the Study Here: http://ibm.co/se6ieo. Thank You! 24

ibm.com/security. Copyright IBM Corporation 2012. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind, express or implied. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, these materials. Nothing contained in these materials is intended to, nor shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software. References in these materials to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates. Product release dates and/or capabilities referenced in these materials may change at any time at IBM's sole discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any way. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service marks of others.
Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed or misappropriated or can result in damage to or misuse of your systems, including to attack others. No IT system or product should be considered completely secure and no single product or security measure can be completely effective in preventing improper access. IBM systems and products are designed to be part of a comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective. IBM DOES NOT WARRANT THAT SYSTEMS AND PRODUCTS ARE IMMUNE FROM THE MALICIOUS OR ILLEGAL CONDUCT OF ANY PARTY. 25