Effectively Using Security Intelligence to Detect Threats and Exceed Compliance

Effectively Using Security Intelligence to Detect Threats and Exceed Compliance Chris Poulin Security Strategist, IBM Reboot Conference 2012 1

Security Threats Affect the Business Business Brand image Supply chain Legal Impact of Audit risk results exposure hacktivism Sony estimates potential $1B long term impact $171M / 100 customers* HSBC data breach discloses 24K private banking customers Epsilon breach impacts 100 national brands TJX estimates $150M class action settlement in release of credit / debit card info Lulzsec 50-day hack-at-will spree impacts Nintendo, CIA, PBS, UK NHS, UK SOCA, Sony Zurich Insurance PLc fined 2.275M ($3.8M) for the loss and exposure of 46K customer records *Sources for all breaches shown in speaker notes 2

Attacks from All Sides Cyber vandals Cyber warfare Targets of opportunity Cyber crime Cyber terrorism Hacktivists Nation states Corporate espionage Targets of choice APTs Cyber espionage Data exfiltration Client-side vulnerabilities Insiders 3

Sophistication of Threats, Attackers, & Motives is Escalating Motive National Security Espionage, Political Activism 1995 2005 1 st Decade of the Commercial Internet 2005 2015 2 nd Decade of the Commercial Internet Nation-state Actors; Targeted Attacks / Advanced Persistent Threat Competitors, Hacktivists Monetary Gain Organized Crime, using sophisticated tools Revenge Insiders, using inside information Curiosity Script-kiddies or hackers using tools, web-based how-to s Adversary 4

And Yet the Compromises are Mostly Avoidable Source: IBM X-Force 2011 Trend and Risk Report March 2012 5

Not If, but When Breaches are taking longer to discover Breaches are not being discovered internally 6 Charts from Verizon 2011 Investigative Response Caseload Review

92% of Breaches Are Undetected by Breached Organization Source: 2012 Data Breach Investigations Report 7

but all is not lost 8

Choose the Right Technology Protection technology is critical, but choose wisely There is no magic security technology 9

People and Processes First A lesson from airport security: Instead of expensive equipment, use what works In Israel No plane departing Ben Gurion Airport has ever been hijacked Use human intelligence Questioning looks for suspicious behavior Simple metal detectors Scotland Yard 24+ men planned to smuggle explosive liquids Foiled beforehand because of intelligence Before they even got to the airport 10

No Perfect Protection: Asymptotes Never Reach Zero 20% Security Technology Budget 80% THREATS 11

Security is a Complex, Four-Dimensional Puzzle People Employees Consultants Hackers Terrorists Outsourcers Customers Suppliers Data Structured Unstructured At rest In motion Applications Systems applications Web applications Web 2.0 Mobile apps Infrastructure It is no longer enough to protect the perimeter siloed point products will not secure the enterprise 12

What Gartner is Saying About the Need for Context Mark Nicollet, Managing VP, Gartner Security, Risk & Compliance The rapid discovery of a breach is key to minimizing the damage of a targeted attack, but most organizations do not have adequate breach detection capabilities. Since perfect defenses are not practical or achievable, organizations need to augment vulnerability management and shielding with moreeffective monitoring. The addition of context, such as user, application, asset, data and threat, to security event monitoring will increase the likelihood of early discovery of a targeted attack. We need to get better at discovering the changes in normal activity patterns that are the early signal of an attack or breach. 13 #1-3 from Effective Security Monitoring Requires Context, Gartner, 16 January 2012, G00227893 #4 from Using SIEM for Targeted Attack Detection, Gartner, 20 March 2012, G00227898

What is Security Intelligence? Security Intelligence --noun 1.the real-time collection, normalization, and analytics of the data generated by users, applications and infrastructure that impacts the IT security and risk posture of an enterprise Security Intelligence provides actionable and comprehensive insight for managing risks and threats from protection and detection through remediation 14

Security Intelligence Timeline Prediction & Prevention Risk Management. Vulnerability Management. Configuration Monitoring. Patch Management. X-Force Research and Threat Intelligence. Compliance Management. Reporting and Scorecards. Reaction & Remediation SIEM. Log Management. Incident Response. Network and Host Intrusion Prevention. Network Anomaly Detection. Packet Forensics. Database Activity Monitoring. Data Loss Prevention. 15

Context and Correlation Drive Deep Insight Security Devices Servers & Hosts Network & Virtual Activity Database Activity Application Activity Configuration Info Vulnerability Info Users & Identities Event Correlation Logs IP Reputation Flows Geo Location Activity Baselining & Anomaly Detection User Activity Database Activity Application Activity Network Activity Offense Identification Credibility Severity Relevance Suspected Incidents Extensive Data Sources Deep + Intelligence = Exceptionally Accurate and Actionable Insight 16

Security Intelligence Use Cases 17

How Security Intelligence Can Help Continuously monitor all activity and correlate in real time Change & configuration management Gain visibility into unauthorized or anomalous activities High number of failed logins to critical servers -- brute-force password attack Query by DBA to credit card tables during off-hours possible SQL injection attack Spike in network activity -- high download volume from SharePoint server Server (or thermostat) communicating with IP address in China Inappropriate use of protocols -- sensitive data being exfiltrated via P2P Configuration change -- unauthorized port being enabled for exfiltration Unusual Windows service -- backdoor or spyware program Automation => reduced cost & complexity, simplified compliance, lower TCO 18

Activity and Data Access Monitoring Visualize Data Risks Automated charting and reporting on potential attacks Correlate System, Application, & Network Activity Enrich security alerts with anomaly detection and flow analysis Detect suspicious activity before it leads to a breach 360-degree visibility helps distinguish true breaches from benign activity, in real time 19

User Activity Monitoring to Combat Advanced Persistent Threats User & Application Activity Monitoring alerts on a user anomaly for Oracle database access. Identify the user, normal access behavior, and the anomaly behavior with all source & destination information to quickly resolve the threat. 20

Activity / Behavior Monitoring, Flow Analytics, Anomaly Detection Behaviour / activity base lining of users and processes Helps detect day-zero attacks and covert channels that have no signature or AV / IPS detection Provides definitive evidence of attack Enables visibility into attacker communications Network traffic does not lie Attackers can stop logging and erase their tracks, but can t cut off the network (flow data) 21

Application and Threat Detection with Forensic Evidence Potential Botnet Detected? This is as far as traditional SIEM can go IRC on port 80? IBM Security QRadar QFlow detects a covert channel Irrefutable Botnet Communication Layer 7 flow data contains botnet command control instructions Application layer flow analysis can detect threats others miss 22

Data Leakage Who is responsible for the data leak? Alert on data patterns, such as credit card number, in real time. 23

Configuration & Risk Network topology and open paths of attack add context Rules can take exposure into account to: Prioritize offenses and remediation Enforce policies Play out what-if scenarios 24

Detecting Insider Fraud and Data Loss Potential Data Loss Who? What? Where? Who? An internal user What? Oracle data Where? Gmail Threat detection in the post-perimeter world User anomaly detection and application level visibility are critical to identify inside threats 25

Other Use Cases Detect suspicious behavior Privileged actions being conducted from a contractor s workstation DNS communications with external system flagged as malicious Detect policy violations Baseline against reality (CMDB) Social media, P2P, etc. Detect APTs File accesses out of the norm behavior anomaly detection Least used applications or external systems; occasional traffic Detect fraud Determine baselines on credit pulls or trading volumes, and detect anomalies Correlate ebanking PIN change with large money transfers Forensic evidence for prosecution Impact analysis Compliance Change & configuration management 26

Intelligent solutions provide the DNA to secure a Smarter Planet Security Intelligence, Analytics & GRC People Data Applications Infrastructure 27

Thank You! 28

ibm.com/security Copyright IBM Corporation 2012. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind, express or implied. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, these materials. Nothing contained in these materials is intended to, nor shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software. References in these materials to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates. Product release dates and/or capabilities referenced in these materials may change at any time at IBM s sole discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any way. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service marks of others. Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed or misappropriated or can result in damage to or misuse of your systems, including to attack others. No IT system or product should be considered completely secure and no single product or security measure can be completely effective in preventing improper access. IBM systems and products are designed to be part of a comprehensive security approach, which will 29 necessarily involve additional operational procedures, and may require other systems, products or services to be most effective. IBM DOES NOT WARRANT 2012 IBM Corporation THAT SYSTEMS AND PRODUCTS ARE IMMUNE FROM THE MALICIOUS OR ILLEGAL CONDUCT OF ANY PARTY.