AMPLIFYING SECURITY INTELLIGENCE WITH BIG DATA AND ADVANCED ANALYTICS
Chris Meenan, Senior Product Manager, Security Intelligence
1 IBM Security Systems
Welcome to a Not So Friendly Cyber World
- Biggest bank heist in history nets $45 million, all without setting foot in a bank
- Cyber espionage via social networking sites; target: US DoD officials
- Hidden malware steals 3,000 confidential documents from a Japanese ministry
Welcome to a Not So Friendly Cyber World (cont'd)
[Figure: 2012 sampling of security incidents by attack type, time and impact. Conjecture of relative breach impact is based on publicly disclosed information regarding leaked records and financial losses.]
Playing Defense
The traditional approach to security is predicated on a defensive mindset:
- Assumes an explicit organizational perimeter
- Optimized for combating external threats
- Presumes standardization mitigates risk
- Dependent on general awareness of attack methodologies
- Requires monitoring and control of traffic flows
Origins of security intelligence: layered defenses are essential for good security hygiene and for addressing traditional security threats, but attackers are adapting too.
Business Change Is Coming, If Not Already Here
Enterprises are undergoing dynamic transformations. The organization's cyber perimeter is being blurred; it can no longer be assumed.
Evolving Attack Tactics Focus on Breaching Defenses
[Figure; no further text recoverable.]
A Look at the Emerging Threat Landscape
- APTs: targeted, persistent, clandestine
- Fraud: concealed, motivated, opportunistic
- Insider threat: situational, subversive, unsanctioned
- Hacktivism: topical, disruptive, public
- Cyber attack: focused, well-funded, scalable
Incorporating a More Proactive Mindset to Enterprise Security

Audit, Patch & Block (broad)                       | Detect, Analyze & Remediate (targeted)
Think like a defender: defense-in-depth mindset    | Think like an attacker: counter-intelligence mindset
Protect all assets                                 | Protect high-value assets
Emphasize the perimeter                            | Emphasize the data
Patch systems                                      | Harden targets and weakest links
Use signature-based detection                      | Use anomaly-based detection
Scan endpoints for malware                         | Baseline system behavior
Read the latest news                               | Consume threat feeds
Collect logs                                       | Collect everything
Conduct manual interviews                          | Automate correlation and analytics
Shut down systems                                  | Gather and preserve evidence
Diversity & Sophistication of Attacks Placing Greater Demands: Amplify Security Intelligence with New Insights from Big Data

Traditional security operations and technology data sources: logs, events, alerts, configuration information, system audit trails, identity context, network flows and anomalies.

Big Data analytics adds non-traditional sources: external threat intelligence feeds, web page text, full packet and DNS captures, business process data, e-mail and social activity, customer transactions.

What security teams want from Big Data:
1. Analyze a variety of non-traditional and unstructured datasets
2. Significantly increase the volume of data stored for forensics and historic analysis
3. Visualize and query data in new ways
4. Integrate with my current operations
Greater Need for Security Intelligence
Visibility across the organization's security systems improves response times and provides the adaptability and flexibility required for early detection of threats or risky behaviors.
Big Data Brings New Considerations & Enables Powerful Analysis
Transforming data into insights requires some infrastructure considerations:
- Storage and processing: collection and integration; size and speed; enrichment and correlation
- Analytics and workflow: visualization; unstructured analysis; learning and prediction; customization; sharing and export
IBM Security Strategy: Use Cases
(Section divider; marked "Confidential, for division executives only", IBM Confidential, 2011 IBM Corporation.)
Security Intelligence from Real-Time Processing of Big Data
- Behavior monitoring and flow analytics. Network traffic doesn't lie: attackers can stop logging and erase their tracks on a host, but they can't cut off the network, so flow data survives.
- Activity and data access monitoring. Improved breach detection: 360-degree visibility helps distinguish true breaches from benign activity, in real time.
- Stealthy malware detection. Irrefutable botnet communication: Layer 7 flow data shows the botnet command-and-control instructions themselves.
Insider Threat: Cat and Mouse (detecting insider fraud)
Customer requirement: detect when an employee may be stealing customer contact information in preparation for leaving the company.
Solution: baseline each employee's access to the CRM system and detect deviations from the norm, e.g. 1,000 transactions (customer record accesses) in a day versus a normal 50.
But what if the user is tech-savvy, or has a geek nephew, and pulls the data with a single SQL query against the back-end database? The CRM baseline never sees it. Profile the network traffic between workstations and the back-end database instead, or enforce a policy that doesn't allow direct database access from workstations and alert on any flow that violates it.
User and Application Activity Monitoring (cont'd): detecting insider fraud
User & Application Activity Monitoring alerts on a user anomaly for Oracle database access. The offense identifies the user, the normal access behavior and the anomalous behavior, with all source and destination information, so the threat can be resolved quickly.
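The two checks the insider-fraud use case describes, written out as an added example (this is not QRadar code or anything from the IBM deck): a per-employee baseline of daily CRM record reads that alerts when today's count is far outside the norm, and a network-policy check that flags any workstation talking straight to the back-end database, which is what catches the "single SQL query" variant the CRM baseline misses. The user histories, address ranges and flow records are constructed for the demo; the thresholds (z >= 4 and at least 5x the mean) are assumptions a deployment would tune.

```python
"""Added example (not from the IBM deck): insider-fraud detection in two layers.
(1) Baseline CRM access volume per employee and flag outliers.
(2) Enforce "workstations never talk to the database directly" on flow data."""
from ipaddress import ip_address, ip_network
from statistics import mean, pstdev

# --- (1) Baseline CRM access volume per user --------------------------------

def baseline(history):
    """history: {user: [daily record-read counts over the learning window]}.
    Returns {user: (mean, stdev)}; stdev is floored at 1 so a perfectly flat
    history cannot produce a division by zero or an infinite z-score."""
    return {u: (mean(c), max(pstdev(c), 1.0)) for u, c in history.items() if c}

def crm_anomalies(baselines, today, z_threshold=4.0, min_ratio=5.0):
    """Flag users whose count today is both a z-score outlier and many times
    the baseline mean. The ratio guard keeps low-volume users from alerting on
    a handful of extra reads. Users with no baseline are reported as well."""
    hits = []
    for user, count in today.items():
        if user not in baselines:
            hits.append((user, count, "no baseline"))
            continue
        mu, sigma = baselines[user]
        z = (count - mu) / sigma
        if z >= z_threshold and count >= min_ratio * mu:
            hits.append((user, count, f"z={z:.1f} vs mean {mu:.0f}/day"))
    return hits

# --- (2) Policy: workstations must not reach the database directly ----------
# Assumed address plan for the demo.
WORKSTATIONS = ip_network("10.20.0.0/16")
DB_SERVERS = {"10.50.0.5"}
DB_PORTS = {1521, 1433, 3306, 5432}            # Oracle, MSSQL, MySQL, PostgreSQL
APP_SERVERS = {"10.40.0.10", "10.40.0.11"}     # the only sanctioned DB clients

def direct_db_access(flows):
    """flows: iterable of (src_ip, dst_ip, dst_port, bytes_out).
    Returns flows from the workstation range straight to a database port."""
    return [f for f in flows
            if f[1] in DB_SERVERS and f[2] in DB_PORTS
            and f[0] not in APP_SERVERS
            and ip_address(f[0]) in WORKSTATIONS]

# Constructed sample data (not real telemetry).
HISTORY = {
    "alice": [48, 52, 50, 47, 55, 49, 51, 50, 53, 46],
    "bob":   [30, 28, 35, 31, 29, 33, 30, 32, 28, 34],
}
TODAY = {"alice": 1000, "bob": 33, "mallory": 200}
FLOWS = [
    ("10.40.0.10", "10.50.0.5", 1521, 120_000),     # app server -> DB: expected
    ("10.20.3.77", "10.50.0.5", 1521, 48_000_000),  # workstation -> DB: policy violation
    ("10.20.3.77", "10.40.0.10", 443, 90_000),      # workstation -> app server: fine
]

if __name__ == "__main__":
    for hit in crm_anomalies(baseline(HISTORY), TODAY):
        print("CRM anomaly:", hit)
    for f in direct_db_access(FLOWS):
        print("Direct DB access from workstation:", f)
```

The second check is the one that matters for the "geek nephew": a single bulk SELECT is one CRM-invisible event, but on the wire it is a workstation-to-database flow with tens of megabytes outbound, which the policy rule catches regardless of the application baseline.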
Social Media Intelligence: when is social media being exploited or misused?
Problem: social media is an increasing threat to an organization's policies and network; employees are the most likely to fall victim to social-engineering threats and to serve as entry points for Advanced Persistent Threats.
Solution: social media monitoring and correlation in real time. QRadar alerts in real time to sensitive data being transmitted to a social media site and, as the offense shown in this example indicates, to social media being the avenue for a data breach. Real-time monitoring and correlation of hundreds of social media sites (Twitter, Facebook, Gmail, LinkedIn, etc.) gives automated, application-aware insight and identifies social-media-based threats by user and application.
Social Media Intelligence (cont'd)
From the offense you can identify the user responsible for the data leak, and the source, the destination and the actual corporate credit card number that was leaked.
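The credit-card-to-social-media offense above, reproduced as an added example (not QRadar's detection logic or any code from the IBM deck): the destination is classified from the HTTP Host header, the payload is scanned for 13-19 digit candidates, and each candidate must pass the Luhn check so that order numbers and timestamps do not alert. The flow records are constructed; the card number in them is the well-known Visa test number, not a real card.

```python
"""Added example (not from the IBM deck): find payment card numbers leaving
the network toward social media sites, and attribute the leak to a user,
source and destination the way the offense on the slide does."""
import re

# Assumed list of monitored sites (the deck names Twitter, Facebook, Gmail, LinkedIn).
SOCIAL_MEDIA_DOMAINS = {"twitter.com", "facebook.com", "linkedin.com", "mail.google.com"}
# 13-19 digits, optionally separated by single spaces or dashes, not inside a longer digit run.
CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def find_pans(text: str):
    """Return Luhn-valid card numbers found in text, digits only."""
    pans = []
    for m in CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            pans.append(digits)
    return pans

def is_social_media(host: str) -> bool:
    host = host.lower().split(":")[0]
    return any(host == d or host.endswith("." + d) for d in SOCIAL_MEDIA_DOMAINS)

def host_header(payload: str) -> str:
    m = re.search(r"^Host:\s*(\S+)", payload, re.MULTILINE | re.IGNORECASE)
    return m.group(1) if m else ""

def social_media_leaks(flows):
    """flows: iterable of (user, src_ip, dst_ip, payload). Returns one finding per
    leaked card with the user, source, destination and the masked number."""
    findings = []
    for user, src, dst, payload in flows:
        host = host_header(payload)
        if not is_social_media(host):
            continue
        for pan in find_pans(payload):
            findings.append({"user": user, "src": src, "dst": dst, "host": host,
                             "pan": pan[:6] + "*" * (len(pan) - 10) + pan[-4:]})
    return findings

# Constructed sample flows (user attribution assumed to come from identity context).
SAMPLE_FLOWS = [
    ("jdoe", "10.1.2.3", "104.244.42.1",
     "POST /i/tweet HTTP/1.1\r\nHost: twitter.com\r\n\r\nstatus=corp card 4111 1111 1111 1111 exp 12/25"),
    ("jdoe", "10.1.2.3", "198.51.100.9",
     "POST /order HTTP/1.1\r\nHost: shop.example.com\r\n\r\npan=4111111111111111"),   # not social media
    ("asmith", "10.1.2.4", "104.244.42.1",
     "POST /i/tweet HTTP/1.1\r\nHost: twitter.com\r\n\r\nstatus=order 1234567890123456 shipped"),  # fails Luhn
]

if __name__ == "__main__":
    for finding in social_media_leaks(SAMPLE_FLOWS):
        print(finding)
```

Only the first flow produces a finding: the second goes to a non-monitored host, and the third carries a 16-digit number that fails the Luhn check. Masking the number in the alert (first six and last four) keeps the offense useful for the analyst without copying the full card number into the SIEM.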
Stealthy Malware: how to find malicious activity hiding behind web traffic?
Botnet detected? This is as far as a traditional SIEM can go. IRC on port 80? QFlow enables detection of the covert channel: the Layer 7 data contains the botnet command-and-control instructions, which is hard to refute.
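The "IRC on port 80" covert channel from this slide and the Layer 7 flow argument from slide 13, as an added example that is not QFlow's classifier or any code from the IBM deck: each flow is classified from its first application-layer bytes rather than its port, and a flow whose protocol contradicts the well-known port is reported along with the C&C lines it carries. The flow records and payloads are constructed; the protocol signatures are the ordinary HTTP request line, the TLS record header and the IRC registration commands.

```python
"""Added example (not from the IBM deck): port-independent protocol
identification over flow payloads, finding IRC C&C hidden on TCP/80."""
import re
from dataclasses import dataclass

# IRC client registration / channel commands seen at the start of a session.
IRC_CMD = re.compile(rb"^(?:NICK|USER|JOIN|PRIVMSG|PING|PONG|PASS) ", re.MULTILINE)
HTTP_REQ = re.compile(rb"^(?:GET|POST|HEAD|PUT|DELETE|OPTIONS) \S+ HTTP/1\.[01]\r\n")
TLS_CLIENT_HELLO = b"\x16\x03"   # TLS record type 22 (handshake), version 3.x

@dataclass
class Flow:
    src: str
    dst: str
    dport: int
    payload: bytes   # first bytes of the client-to-server stream

def identify_protocol(payload: bytes) -> str:
    """Classify a flow by its first application-layer bytes, ignoring the port."""
    if HTTP_REQ.match(payload):
        return "http"
    if payload.startswith(TLS_CLIENT_HELLO):
        return "tls"
    if IRC_CMD.search(payload):
        return "irc"
    return "unknown"

def covert_channels(flows):
    """Return (flow, protocol) pairs whose Layer 7 protocol contradicts the
    well-known port: a port-only rule would have called all of these HTTP."""
    expected = {80: "http", 443: "tls", 6667: "irc"}
    findings = []
    for f in flows:
        proto = identify_protocol(f.payload)
        if f.dport in expected and proto not in ("unknown", expected[f.dport]):
            findings.append((f, proto))
    return findings

def extract_irc_commands(payload: bytes):
    """Pull the bot's JOIN/PRIVMSG lines out of an IRC payload. This is the C&C
    content a flow record with Layer 7 data exposes and a 5-tuple cannot."""
    return [line.decode("latin-1") for line in payload.splitlines()
            if line.startswith((b"JOIN", b"PRIVMSG"))]

# Constructed sample flows for the demo (not real captures).
SAMPLE_FLOWS = [
    Flow("10.1.1.20", "203.0.113.10", 80, b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n"),
    Flow("10.1.1.21", "198.51.100.7", 80,
         b"NICK bot-4a7f\r\nUSER bot 0 * :bot\r\nJOIN #cmd\r\nPRIVMSG #cmd :ready\r\n"),
    Flow("10.1.1.22", "203.0.113.11", 443, b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03"),
]

if __name__ == "__main__":
    for flow, proto in covert_channels(SAMPLE_FLOWS):
        print(f"{flow.src} -> {flow.dst}:{flow.dport} speaks {proto}, not what port {flow.dport} implies")
        if proto == "irc":
            print("  C&C lines:", extract_irc_commands(flow.payload))
```

The caveat a practitioner should keep in mind: this works because the channel is cleartext. Once the bot wraps IRC in TLS the classifier only sees "tls" on port 443, and detection has to fall back to behavioral signals such as beacon timing, rarity of the destination, and the DNS-hunting approach described on the later slides.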
Security Intelligence with Investigative Analysis of Big Data: hunting for the external command & control (C&C) domains of an attacker
- Historical analysis of DNS activity within the organization
- Advanced analytics identify suspicious domains: why only a few hits across the entire organization to these domains?
- Correlating with public DNS registry information increases suspicion
- Automate the correlation against external DNS registries
Enrich Real-Time Analysis with Insights from Investigative Analysis: monitor and thwart connections to potential C&C domains of an attacker
- View real-time data and look for active connections to the domains identified
- Correlate against network activity and visualize
Security Intelligence with Investigative Analysis of Big Data: pursue active spear-phishing campaigns targeting the organization
- Employ Big Data analytics on e-mail to identify patterns that reveal targets and redirect URLs
- Load the spear-phishing targets and redirect URLs into real-time security intelligence analysis to thwart the attack
- Build visualizations, such as heat maps, to view the top targets of a spear-phishing attack
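The e-mail side of that procedure, as an added example (not from the IBM deck and not BigInsights code): URLs are extracted from each message, a redirector link is unwrapped to its final destination, messages from different senders that share a landing host are clustered as one campaign, and the per-department target counts that a heat map would be drawn from are produced. The mailbox sample, the department lookup and the list of redirect query parameters are constructed for the demo.

```python
"""Added example (not from the IBM deck): cluster spear-phishing messages by
shared landing host and count targets per department."""
import re
from collections import Counter, defaultdict
from urllib.parse import urlparse, parse_qs

URL_RE = re.compile(r"https?://[^\s\"'<>]+")
REDIRECT_PARAMS = ("url", "redirect", "target", "goto", "u")   # assumed common redirector keys

def landing_targets(body: str):
    """For every URL in the body return (link_host, final_host): a redirector such
    as track.example/click?u=http://evil.example exposes the wrapped destination."""
    out = []
    for url in URL_RE.findall(body):
        p = urlparse(url)
        final = url
        qs = parse_qs(p.query)
        for k in REDIRECT_PARAMS:
            if k in qs and qs[k][0].startswith("http"):
                final = qs[k][0]
                break
        out.append((p.hostname, urlparse(final).hostname))
    return out

def cluster_campaigns(messages):
    """Group messages by final landing host; a host reached from two or more
    distinct sender addresses is treated as one campaign."""
    by_target = defaultdict(list)
    for m in messages:
        for _, final_host in landing_targets(m["body"]):
            by_target[final_host].append(m)
    return {host: msgs for host, msgs in by_target.items()
            if len({m["from"] for m in msgs}) >= 2}

def target_heatmap(campaigns, departments):
    """Targeted recipients per department for each campaign host: heat-map rows."""
    grid = defaultdict(Counter)
    for host, msgs in campaigns.items():
        for m in msgs:
            for rcpt in m["to"]:
                grid[host][departments.get(rcpt, "unknown")] += 1
    return {h: dict(c) for h, c in grid.items()}

# Constructed sample data (not real mail).
DEPARTMENTS = {"cfo@corp.example": "finance", "ap1@corp.example": "finance",
               "ap2@corp.example": "finance", "dev1@corp.example": "engineering"}
MESSAGES = [
    {"from": "invoices@vendor-a.example", "to": ["cfo@corp.example", "ap1@corp.example"],
     "body": "Overdue invoice: http://track.mailer.example/click?u=http://invoice-portal.example/login"},
    {"from": "billing@vendor-b.example", "to": ["ap2@corp.example"],
     "body": "Please review http://invoice-portal.example/login?id=77"},
    {"from": "newsletter@legit.example", "to": ["dev1@corp.example"],
     "body": "Release notes: https://legit.example/notes"},
]

if __name__ == "__main__":
    campaigns = cluster_campaigns(MESSAGES)
    print("campaign landing hosts:", sorted(campaigns))
    print("targets per department:", target_heatmap(campaigns, DEPARTMENTS))
```

The two invoice mails use different senders and one of them hides the landing page behind a tracking redirector, yet they cluster on the same final host, and the heat map shows finance as the targeted department. The set of landing hosts is what the slide loads into real-time analysis as a block list, and the recipient list is what feeds the heat map.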
IBM Security Strategy: IBM Security Intelligence Solution with Big Data
(Section divider; marked "Confidential, for division executives only", IBM Confidential, 2011 IBM Corporation.)
QRadar Uses Big Data Capabilities to Identify Critical Security Events
(From high-volume security events and network activity to high-priority security offenses.)

IBM QRadar Big Data capabilities                                              | Customer results
New SIEM appliances with massive scale                                        | Quickly find critical insights among 1000s of devices and years of data
Payload indexing for rapid ad hoc query, leveraging a purpose-built data store | Search 7M+ events in <0.2 sec
Google-like instant search of large data sets (both logs and flows)           | Instant, free-text searching for easier and faster forensics
Intelligent data policy management                                            | Granular management of log and flow data
Advanced threat visualization and impact analysis                             | Attack path visualization and device / interface mapping
Extending the Big Data Support of the QRadar Security Intelligence Platform
- IBM Security QRadar (security intelligence platform): data collection and enrichment; event correlation; real-time analytics; offense prioritization; advanced threat detection. Fed by traditional data sources.
- IBM InfoSphere BigInsights (Big Data platform): Hadoop-based; enterprise-grade; any data / volume; data mining; ad hoc analytics; custom analytics. Fed by non-traditional data sources.
- QRadar passes data to BigInsights (data ingest); BigInsights returns insights to QRadar.
Integrated Analytics and Exploration in a New Architecture
[Architecture figure; no further text recoverable.]
InfoSphere BigInsights: a flexible, enterprise-class solution for processing large volumes of data
- BigInsights Basic Edition: free download with web support; limited to <= 10 TB of data; easy installation and programming on Hadoop; optional 24x7 paid support (Core Fixed Term License).
- BigInsights Enterprise Edition: tiered terabyte-based pricing; enterprise-grade features: analytics tooling / visualization, recoverability, security, administration tooling, development tooling, flexible storage, high availability.
- Professional services offerings: QuickStart, Bootcamp, Education, Custom Development.
For IBM, Security and Business Intelligence Offer Insightful Parallels
[Figure; no further text recoverable.]
Next Steps
- Download the Big Data whitepaper: bit.ly/12p58qv
- Watch the Big Data with Security Intelligence video: http://www.youtube.com/watch?v=k84vlxpdhga&feature=youtu.be
- Go to the dedicated website: ibm.co/12aomg0
- Follow on Twitter: @ibmsecurity
Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed or misappropriated, or can result in damage to or misuse of your systems, including to attack others. No IT system or product should be considered completely secure and no single product or security measure can be completely effective in preventing improper access. IBM systems and products are designed to be part of a comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective. IBM DOES NOT WARRANT THAT SYSTEMS AND PRODUCTS ARE IMMUNE FROM THE MALICIOUS OR ILLEGAL CONDUCT OF ANY PARTY.

ibm.com/security
Copyright IBM Corporation 2012. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind, express or implied. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, these materials. Nothing contained in these materials is intended to, nor shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software. References in these materials to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates. Product release dates and/or capabilities referenced in these materials may change at any time at IBM's sole discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any way.
IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service marks of others.