How Security Intelligence can help protect our enterprises
www.ibm.com/security securityintelligence.com
Juan Paulo Cabezas, IBM Security Systems Architect, jcabezas@cl.ibm.com
Agenda
Introduction
How have we solved this over time?
Thinking about security differently
IBM Security Intelligence solutions
Integrated research
New solutions: Risk Manager
New solutions: Vulnerability Manager
Questions
INTRODUCTION
Successful attacks = vulnerabilities and configuration errors
Chart: 2012 Sampling of Security Incidents by Attack Type, Time and Impact. Attack types in the legend: SQL Injection; SQL Injection combined with Malware; Exposed Vulnerabilities; Poor Server Configuration / Authentication; Malware; Configuration Errors. Conjecture of relative breach impact is based on publicly disclosed information regarding leaked records and financial losses.
We document an average of over 150 vulnerabilities every week. 42% of publicly disclosed vulnerabilities had public exploits available. 77% of exploits were released the same day as vulnerability disclosure. (X-Force 2012 Trend and Risk Report)
Every successful exploit starts with a vulnerability, configuration error, or both. What is needed is a way to get ahead of vulnerabilities before they can be exploited.
What makes my application vulnerable?
There are three basic components I need to take care of to secure an application:
the application's source code
the infrastructure it runs on
the external components it requires
Different solutions are required to control the risk of each one.
HOW HAVE WE SOLVED THIS OVER TIME?
Chart: number of products (y-axis) against time (x-axis).
IBM Security Systems. Chart axes: Costs, Products, Complexity, Agility and Effectiveness, each plotted against Time.
IBM Security Systems: the security team "sees" noise
THINKING ABOUT SECURITY DIFFERENTLY
IBM provides security solutions through a broad framework: Intelligence, Integration, Expertise.
* Using the IBM Security Framework: http://www.redbooks.ibm.com/abstracts/sg248100.html?open
Thinking about security differently
Domain | Before | Now
People | Administration | Complete understanding
Data | Basic control | Focused, granular
Applications | Bolt-on | Built-in
Infrastructure | Thick walls | Intelligent defenses
Collect and analyze everything
Attack sophistication. The questions to answer: What are the external and internal threats? Are we configured to protect against these threats? What is happening right now? What was the impact?
Prediction and prevention: risk management; vulnerability management; configuration and patch management; X-Force research and threat intelligence; compliance management; reports and scorecards.
Reaction and remediation: network and host intrusion prevention; network anomaly detection; packet forensics; database activity monitoring; data leak prevention; SIEM; log management; incident response.
IBM Security Intelligence
Security Intelligence
Before: collection. Now: intelligence.
Inputs: system audits, logs, events, alerts, configurations, network flows and anomalies, external threat feeds, business process data, identity context, e-mail and social activity, malware information.
Before: logs and signature-based detection. Now: real-time monitoring, context and anomaly detection, automated correlation and analytics.
Security Intelligence needs INTEGRATION out of the box
Consolidate and correlate siloed information from hundreds of sources
Designed to help detect, notify and respond to threats missed by other security solutions
Stay ahead of the changing threat landscape
Designed to help detect the latest vulnerabilities, exploits and malware
Customize protection capabilities to block specific vulnerabilities using scan results
Converge access management with web service gateways
Automate compliance tasks and assess risks
Add security intelligence to non-intelligent systems
Link identity information with database security
(JK 2012-04-26)
IBM Security Intelligence solutions
Our continued evolution toward Security Intelligence
IBM and its Security Intelligence solutions platform
Security Intelligence solutions: QRadar Log Manager, QRadar SIEM, QRadar QFlow, QRadar VFlow, QRadar Risk Manager, QRadar Vulnerability Manager
Security Intelligence platform: Reporting Engine, Warehouse, Workflow, Rules Engine, Analytics Engine, Normalization, Archival, Real-Time Viewer, Reporting API, Forensics API, LEEF, AXIS, Configuration, Netflow, Offense
Intelligent, integrated and automated: a single security console
Integrated Security Intelligence solutions (IBM Security Systems)
Log Management: turn-key log management and reporting; SME to enterprise; upgradeable to enterprise SIEM
SIEM: log, flow, vulnerability and identity correlation; sophisticated asset profiling; offense management and workflow
Configuration and Vulnerability Management: network security configuration monitoring; vulnerability prioritization; predictive threat modeling and simulation
Network Activity and Anomaly Detection: network analytics; behavioral anomaly detection; fully integrated in SIEM
Network and Application Visibility: Layer 7 application monitoring; content capture for deep insight and forensics; physical and virtual environments
Vulnerability Manager: bringing rich context to vulnerability management; improves visibility; unified vulnerability view across all products
Use for attack detection: all relevant information in one place
What was the attack? Who was responsible? Was it successful? Which targets were involved? Were any of them vulnerable? Where can I find them? How important are the assets to the business? Where is all the evidence?
Use for identifying malicious activity
Possible botnet detection? This is what a SIEM solution is typically capable of.
An IRC application on port 80? QFlow allows infiltrated traffic to be detected.
Irrefutable proof of the botnet: Layer 7 traffic contains the command-and-control instructions of a botnet.
Integrated research
The additional context provided by the X-Force Threat Intelligence Feed allows for additional insights, leading to greater protection.
X-Force Intelligence online services, IP reputation coverage:
Source | Spam | Dynamic IPs | Malware
IBM | 19 M | 453 M | 19K
Top competitor | 8 M | 736 M | 1K
Combining worldwide intelligence from a variety of sources with the SIEM capabilities allows for prioritization and determination of the security incidents that require additional examination.
X-Force expertise directly on my Security Intelligence platform
Customized selection of feeds to incorporate into rules, offenses, and events
Threat intelligence: establishing rules to create awareness of when suspicious IPs are active in an enterprise
New solutions: Risk Manager
QRadar Risk Manager
QRadar Risk Manager enhances Security Intelligence by adding network topology visualization and path analysis, network device optimization and configuration monitoring, and improved compliance monitoring/reporting to QRadar SIEM.
Network topology views and centralized configuration auditing
1. Add network devices to topology and discover routes/paths
2. View, analyze and compare security device configuration, discover configuration errors and analyze rule usage
3. View network topology and conduct path searches
4. Visualize QRadar offense attack path and forensic capabilities using connections
Policy monitoring and reporting
5. Assess high-risk assets based on vulnerabilities and network reachability
6. Determine devices allowing out-of-policy traffic and protocols
7. Continuous monitoring for policy violations and compliance support
Rule change modelling and threat simulations
8. Attack simulation
9. Assess the impact of network change (path addition / deletion)
QRadar Risk Manager topology view
QRadar Risk Manager configuration monitor and firewall rule reporting
Once device configurations are imported into QRadar Risk Manager, they are normalized and stored on the QRM appliance. Configurations may be gathered on demand or on a schedule. Rule analysis, configuration error detection (e.g. shadowed rules), rule activity correlation, correlation with QRadar offenses, and configuration comparisons are supported.
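The "shadowed rules" check named above is the classic first-match rulebase defect: a rule that can never fire because a rule above it already matches every packet it would match. The following is an added example written for this page, not QRadar Risk Manager code and not its configuration format; the Rule model, the sample rulebase, its names and addresses are all constructed here to show how the check works on a small set of rules.

```python
from dataclasses import dataclass
from ipaddress import ip_network
from typing import List, Tuple


@dataclass(frozen=True)
class Rule:
    """One line of a first-match firewall rulebase (this example's own model)."""
    name: str
    action: str               # "allow" or "deny"
    src: str                  # source CIDR; "0.0.0.0/0" means any
    dst: str                  # destination CIDR; "0.0.0.0/0" means any
    proto: str                # "tcp", "udp", "icmp" or "any"
    dports: Tuple[int, int]   # inclusive destination port range; (0, 65535) means any


def covers(outer: Rule, inner: Rule) -> bool:
    """True when every packet matched by `inner` would also match `outer`."""
    if outer.proto != "any" and outer.proto != inner.proto:
        return False
    if not ip_network(inner.src).subnet_of(ip_network(outer.src)):
        return False
    if not ip_network(inner.dst).subnet_of(ip_network(outer.dst)):
        return False
    return outer.dports[0] <= inner.dports[0] and inner.dports[1] <= outer.dports[1]


def find_shadowed(rules: List[Rule]) -> List[Tuple[str, str, str]]:
    """Return (shadowed_rule, shadowing_rule, kind) for every rule that can never fire.

    kind is "contradiction" when the earlier rule has the opposite action (the later
    rule's intent is silently overridden) and "redundant" when the actions agree
    (the later rule is dead weight that still has to be reviewed and audited).
    """
    result = []
    for j, later in enumerate(rules):
        for earlier in rules[:j]:          # only rules above it can shadow it
            if covers(earlier, later):
                kind = "redundant" if earlier.action == later.action else "contradiction"
                result.append((later.name, earlier.name, kind))
                break                      # report the topmost shadowing rule only
    return result


# Constructed sample rulebase for a DMZ segment; names and addresses are made up.
SAMPLE_RULES = [
    Rule("permit-web",        "allow", "10.0.0.0/8",  "192.168.10.0/24", "tcp", (80, 80)),
    Rule("deny-dmz-admin",    "deny",  "0.0.0.0/0",   "192.168.10.0/24", "tcp", (22, 22)),
    Rule("deny-all-inbound",  "deny",  "0.0.0.0/0",   "192.168.10.0/24", "any", (0, 65535)),
    Rule("permit-ssh-jump",   "allow", "10.1.1.0/24", "192.168.10.0/24", "tcp", (22, 22)),
    Rule("permit-web-branch", "allow", "10.2.0.0/16", "192.168.10.0/24", "tcp", (80, 80)),
]

if __name__ == "__main__":
    for shadowed, by, kind in find_shadowed(SAMPLE_RULES):
        print(f"{shadowed!r} never fires: shadowed by {by!r} ({kind})")
```

Run as a script it reports that "permit-ssh-jump" is contradicted by "deny-dmz-admin" (the jump host was meant to be allowed in, but the broader deny sits above it) and that "permit-web-branch" is redundant with "permit-web". The check only compares a rule against single earlier rules; a rule shadowed by the union of several earlier rules is not reported by this simple version.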
QRadar Risk Manager configuration monitor
Historical and cross-device configuration comparisons are supported via point-and-click. Normalized and raw comparisons are supported.
QRadar offense attack path
From any QRadar offense, clicking the attack path button performs a path search that shows the precise path (and all permutations) between the source and destination IPs involved in the attack. The firewall rules enabling the attack path can then be displayed. This allows a virtual patch to be applied: it quickly shows which firewall rules may be changed to immediately shut down the attack path before patching or other configuration changes can typically be implemented.
QRadar offense connections view
Connections correlates events and flows with the source and destination IPs involved in the offense. Drastically reduces the time required to conduct offense forensics.
QRadar Risk Manager policy monitor
Policies can be executed on demand or in monitor mode, which evaluates hourly. Exceptions can raise a QRadar offense and can also place events in the QRadar pipeline. Reports can be generated that indicate policy exceptions and pass events, useful for compliance.
Mitigating risk: simulating attacks
QRadar Risk Manager simulations allow exploit propagation to be modeled based on a specified starting point, asset vulnerability/threat data, and network reachability. The example below simulates an attack originating from the Internet, targeting a specific network and vulnerability; up to five steps can be modeled. Like policies, simulations can be placed into monitor mode.
Mitigating risk: modeling topology changes
QRadar Risk Manager allows modifications to the topology model to be simulated. This includes adding allow/deny rules to specified devices and assets. Simulations can use either the current or a simulated topology. Lowers risk by simulating changes before they are implemented.
New solutions: Vulnerability Manager
Features of IBM Security QRadar Vulnerability Manager
Embedded, well-proven, scalable, analyst-recognised, PCI-certified scanner
Detects 70,000+ vulnerabilities
Tracks the National Vulnerability Database (CVE)
Present in all QRadar log and flow collectors and processors
Integrated external scanner
Complete vulnerability view supporting 3rd-party vulnerability system data feeds
Supports exception and remediation processes of VM with seamlessly integrated reporting and dashboarding
Complete vulnerability context and visibility
QRadar Vulnerability Manager makes it possible to prioritize vulnerabilities
Figure: a field of CVEs partitioned into Inactive, Blocked, Patched, Critical, At Risk and Exploited groups; each group is labelled with the context source that places a CVE in it:
Inactive: QFlow Collector data helps QRadar Vulnerability Manager sense application activity
Patched: IBM Endpoint Manager helps QVM understand which vulnerabilities will be patched
Critical: vulnerability knowledge base, remediation flow and QRM policies inform QVM about business-critical vulnerabilities
At Risk: X-Force threat and SIEM security incident data, coupled with QFlow network traffic visibility, help QVM see assets communicating with potential threats
Blocked: QRadar Risk Manager helps QVM understand which vulnerabilities are blocked by firewalls and IPSs
Exploited: SIEM correlation and IPS data help QVM reveal which vulnerabilities have been exploited
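The six groups on the slide are a ranking driven by context rather than by CVSS alone. The code below is an added example written for this page, not QVM's logic or schema: the Finding fields, the bucket ordering, the placeholder CVE identifiers and the sample findings are all constructed here to show how the context signals named on the slide (flow activity, patch schedule, firewall blocking, threat-feed contact, exploit correlation, policy criticality) can be combined into one queue, with CVSS used only to order findings inside a bucket.

```python
from dataclasses import dataclass
from enum import IntEnum
from typing import Dict, List, Tuple


class Bucket(IntEnum):
    """Urgency buckets; a higher value means it should be worked sooner."""
    INACTIVE = 0    # vulnerable service sees no traffic
    PATCHED = 1     # fix already scheduled by endpoint management
    BLOCKED = 2     # path to the service is closed by a firewall or IPS rule
    ACTIVE = 3      # exposed and unmitigated, ordered by CVSS
    CRITICAL = 4    # flagged business-critical by policy or knowledge base
    AT_RISK = 5     # asset communicates with addresses on a threat feed
    EXPLOITED = 6   # SIEM/IPS correlation shows an actual exploit


@dataclass(frozen=True)
class Finding:
    """One vulnerability on one asset plus the context signals from the slide.
    Field names are this example's own, not QVM's schema."""
    cve: str
    asset: str
    cvss: float
    service_active: bool      # QFlow: traffic seen on the vulnerable service
    patch_scheduled: bool     # endpoint management: remediation already queued
    blocked: bool             # Risk Manager: firewall/IPS blocks the path
    talks_to_threat: bool     # X-Force / SIEM: asset talks to potential threats
    exploited: bool           # SIEM correlation / IPS: exploit observed
    business_critical: bool   # policy / knowledge base: business critical


def classify(f: Finding) -> Bucket:
    """The most alarming evidence wins; inactivity only counts when nothing worse is known."""
    if f.exploited:
        return Bucket.EXPLOITED
    if f.talks_to_threat:
        return Bucket.AT_RISK
    if f.business_critical:
        return Bucket.CRITICAL
    if not f.service_active:
        return Bucket.INACTIVE
    if f.blocked:
        return Bucket.BLOCKED
    if f.patch_scheduled:
        return Bucket.PATCHED
    return Bucket.ACTIVE


def prioritize(findings: List[Finding]) -> List[Tuple[str, str, str]]:
    """Sort by bucket, then CVSS, and return (cve, asset, bucket name) triples."""
    ranked = sorted(findings, key=lambda f: (classify(f), f.cvss), reverse=True)
    return [(f.cve, f.asset, classify(f).name) for f in ranked]


def bucket_counts(findings: List[Finding]) -> Dict[str, int]:
    """Dashboard-style summary: how many findings land in each bucket."""
    counts: Dict[str, int] = {}
    for f in findings:
        name = classify(f).name
        counts[name] = counts.get(name, 0) + 1
    return counts


def _f(cve: str, asset: str, cvss: float, **flags) -> Finding:
    """Helper for the constructed sample: every signal defaults to 'not observed'."""
    base = dict(service_active=True, patch_scheduled=False, blocked=False,
                talks_to_threat=False, exploited=False, business_critical=False)
    base.update(flags)
    return Finding(cve, asset, cvss, **base)


# Constructed sample; the CVE identifiers are placeholders, not real entries.
SAMPLE_FINDINGS = [
    _f("CVE-EXAMPLE-0001", "web01", 9.8, exploited=True),
    _f("CVE-EXAMPLE-0002", "db01",  7.5, talks_to_threat=True),
    _f("CVE-EXAMPLE-0003", "hr01",  6.5, business_critical=True),
    _f("CVE-EXAMPLE-0004", "ws01",  9.0, service_active=False),
    _f("CVE-EXAMPLE-0005", "ws02",  8.1, blocked=True),
    _f("CVE-EXAMPLE-0006", "ws03",  5.0, patch_scheduled=True),
    _f("CVE-EXAMPLE-0007", "app01", 7.2),
    _f("CVE-EXAMPLE-0008", "app02", 4.3),
]

if __name__ == "__main__":
    for cve, asset, bucket in prioritize(SAMPLE_FINDINGS):
        print(f"{bucket:9} {asset:6} {cve}")
    print(bucket_counts(SAMPLE_FINDINGS))
```

The point the sample makes is that the CVSS 9.0 finding on ws01 lands at the bottom because the service is not in use, while the CVSS 6.5 finding on hr01 is worked before the two unmitigated app servers because policy marks it critical.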
Responsive scanning improving visibility and accuracy
Agile responsive scanning: QRadar Collector -> QRadar -> QVM -> initiate new host scan
Triggers: new asset added to network; new service opened; asset behaving abnormally; assets active on network but no up-to-date scan; new device
Scan server types and address spaces quickly
Fully distributed
Improved asset tab and search
Powerful filters including: products, OS; reference sets; networks; location, owners; first seen, last seen passively; last scanned; services and ports; vulnerabilities, risk, severity; users
Saved search list
Example searches
Assets seen passively on the network in the last two weeks but not scanned in two weeks
Assets with Outlook installed in the server network
New assets in the last 5 days
Assets with an http or https service and the product IIS
Assets owned by Chris where an admin has logged in, the OS is Windows and they have NetBIOS vulnerabilities
IBM Security Intelligence, a single starting point
People: safeguard and monitor access to IT systems, applications and information
Research: constantly monitor the threat landscape for new vulnerabilities
Data: continuous monitoring and assessment of databases, warehouses, file shares and big data environments
Applications: identify and remediate critical web and mobile application vulnerabilities before they have an impact
Infrastructure: discover, remediate and block threats to constantly changing networks, servers and endpoints
QUESTIONS
ibm.com/security
Copyright IBM Corporation 2012. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind, express or implied. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, these materials. Nothing contained in these materials is intended to, nor shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software. References in these materials to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates. Product release dates and/or capabilities referenced in these materials may change at any time at IBM's sole discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any way. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service marks of others.