Five critical conditions to maximizing security intelligence investments

IBM Security Systems

Five Critical Conditions for Maximizing
Security Intelligence Investments
Ray Menard
Senior Security Architect
October 24, 2013

© 2013 IBM Corporation
1



Innovative technology changes everything

1 trillion
connected
objects

1 billion mobile
workers

Social
business

Bring your
own IT
Cloud and
virtualization

2



Attacks continue as perpetrators sharpen skills
Nation-state
actors, APTs
Stuxnet,
Aurora, APT1

MOTIVATION

National Security,
Economic Espionage

Hacktivists
Lulzsec,
Anonymous

Notoriety, Activism,
Defamation
Monetary
Gain
Nuisance,
Curiosity

Organized crime
Zeus, ZeroAccess,
Blackhole Exploit Pack
Insiders, Spammers,
Script-kiddies
Nigerian 419 Scams, Code Red
SOPHISTICATION

3



Targeted attacks remain top of mind

Saudi Arabia Says Aramco
Cyberattack Came From
Foreign States

How to Hack Facebook In
60 Seconds
– InformationWeek, June 2013

Facebook hacked in
'sophisticated attack'
– The Guardian, Feb 2013

– Bloomberg, Dec 2012

Hackers in China Attacked The Times
for the Last 4 Months

Fed Acknowledges Cybersecurity Breach
– The Wall Street Journal, Feb 2013

– The New York Times, Jan 2013

Adobe Systems Reports Attack
on Its Computer Network
– The Wall Street Journal, Oct 2013

Apple Hacked: Company
Admits Development
Website Was Breached
– Huffington Post, July 2013

South Carolina taxpayer
server hacked, 3.6
million Social Security
numbers compromised
– CNN, Oct 2012

Chinese hacking of US media is 'widespread phenomenon‘
– Wired, Feb 2013
4



5

IBM Security X-Force® 2011 Trend and Risk Report, IBM Security X-force 2013 Mid Year Trend and Risk Report



Despite proliferation of security solutions

The Security Division of EMC

IT
GR
C

M
DA

SIEM/Log
Management

A
NB

VM

DLP

RM/CM
6




What is Security Intelligence?
Security Intelligence
--noun
A methodology of analyzing millions and billions of security,
network and application records across the organization’s entire
network in order to gain insight into what is actually happening in
that digital world.
--verb
Combining internal, locally collected security intelligence, with
external intelligence feeds for the application of correlation rules
to reduce huge volumes of data into a handful of high probability
‘offense’ records requiring immediate investigation to prevent or
minimize the impact of security incidents

Delivers actionable, comprehensive insight for managing risks,
combatting threats, and meeting compliance mandates.
7



1. It's what you don't
know that can hurt
you

8





Security Intelligence Timeline

Prediction & Prevention

• Devices and applications having
no logging capabilities
• Anomalous activity
• Disabled Logging
• Network Noise
• Vulnerabilities (Passive)
• Virtual Activity
• User Activity

9

Reaction & Remediation

•
•
•
•
•
•
•
•
•

Firewalls
IDS
Syslog Events
Application Logs
Windows Events
Authentication Logs
Network Device Logs
Database activity Logs
Vulnerabilities (Active)



Point solutions lack 360 degree network visibility
IBM X-Force® Threat
Information Center

Identity and
User Context
10

Real-time Security Threats
and Prioritized ‘Offenses’

Real-time Network Visualization
and Application Statistics

Inbound
Security Events


Business value of security intelligence
Business
Impact

Potential
Damage effect
Business interruption
Critical Threshold
Proactive business impact:
Blocking of legitimate traffic
Actual business
Impact

Time
Proactive
Intelligence
Prevention

11


Incident

Reactive
Response
Forensics



2. Force Multipliers are
key to winning the
battle

12





Early solutions captured only tip of data iceberg

Then: Collection
Logs
Events Alerts

Configuration
information
System
audit trails
Network flows
and anomalies
External
threat feeds
Business
process data
13

Identity
context

E-mail and
social activity
Malware
information

•Log collection
•Signature-based detection
Now: Intelligence
•Real-time monitoring
•Context-aware anomaly
detection

•Automated correlation and
analytics



QRadar’s wide spectrum of security intelligence feeds

14



Backed by broad R&D organization collecting real world insights

Security Operations Centers

Herzliya

Security Research and Development Labs
Institute for Advanced Security Branches

 6,000 researchers, developers and subject matter experts working security
initiatives worldwide
 3,000+ IBM security patents
15




To further increase accuracy of analytics
Security Intelligence Feeds

Geo Location

16

Internet Threats

Vulnerabilities



Constantly injecting SI platform intelligence updates
• QRadar Security Intelligence modules
receive nightly content updates or fresh
“Intelligence”
• Updated content includes:







Device Support Modules (Log Parsers)
Event Mapping / QID (Log Meta Data)
X-Force threat and vulnerability data
Custom properties, rules, searches, reports
QFlow Application Signatures (Layer 7)
Functional Software Patches

• Delivered to Console and subsequently
consumed by all managed hosts
• No waiting weeks or months for new
releases; protection that adapts in concert
with changes in security landscape

17



3. Reduce incident
investigations with
more available data

18





Automation accelerates time-to-value, preserves currency
 Simplified deployment delivers results in days
 Syslog device detection configures log data sources
 Passive flow asset detection populates asset
database
 Out-of-the-box rules and reports reduce incident
investigations and meet compliance mandates

 Real time events keep information current
 Immediate discovery of network asset additions
triggers proactive vulnerability scans, configuration
comparisons and policy compliance checks
 Daily and weekly updates to rules, reports,
vulnerabilities, patches, searches, support modules,
protocols and signatures

19




Intuitive rules engine interface reduces false positives
Tune the system or create your own rules
in three simple steps without professional
services:

2) Build customized rule

1) Choose the action

3) Save for future use

20




Network flow analysis is fundamental capability
 Log management products collect subset of available data
 Netflows enable visibility into attacker communications
 Stored as aggregated, bi-directional records of IP addresses, ports, and protocols
 Offer advanced detection and forensics via flow pivoting, drill-down and data
mining

 QFlow Collectors dig deeper, adding Layer 7 application insights

21



Detecting the Undetectable

22



Detecting the Undetectable

23



The Bigger Picture

24



Baselining and anomaly detection complete picture
 Correlation of log and flow data
creates profiles of user, application
and data access patterns
 Anomaly Detection uses multiple
measurements to signal change
 Thresholds – above or below normal
range
 Anomaly – Detects appearance of
new objects
 Behavior – Reveals deviations from
established ‘seasonal’ patterns

Large Window

5 Hours

25

Small Window

1 Hour



4. Further reduce blind
spots using nontraditional event
sources

26





Integrated vulnerability management narrows the actions
Existing vulnerability
management tools

Yo
ur

CV
E
CV CV
CVE CV E CV
CV
E E E
EC
CV CV CV CVE
CV V
EC E C C
E
E
CVE CV CV CVE CVE VE VE C VE C
CV
C C
V
E E E
CV CV CV CVE CVE VE C VE CVE C E CV
E
CV CV
EC E C C C
E
VE VE VE E
CV CV
EC E
CVE CV E CV CVE CVE VE CVE C VE C VE C CV CVECVE CVE
C
E
E E E
VE V V
C
CV CV CV CCVECVE VE C VE C VEC E CV E CV CVE CVE CVE VE
V
E E C E C C CV CV E CVE E E
E
V V
C C C
C
C
E
V VE
C
CV CV CVECVE VE VE C VE C E C E CV CV CVE VE VE CVE C VE C
VE
E C
CV V
E C E C CCVECV CCV VE CVE VE C VEC E C C CV VE VE VE
V
CV
E C CC
CV
VE
VE VE C EEC E C EECV CV CVE VE VE VE VE E C C CV CV
C
E
V CVE VE E CC C C
CVE CV CV CVE VE CVECVVEC E C ECV C V CVE CVE CVE VE C VE C E CV E
C
V
E VE C C
V
C
E E E CV C
VE V VE
CV E CV CV CCVECVE VVE CVECVVE C E C E CV CVECVE CVE VE VE C E CVE
C
V V
V
E VE E C E
CV
EC E C ECV CVV CV CVVE VE VE C C ECV ECV CV VE E
V
E
E
E
C CE
VE C E
E C C V E C E CV CV V
CV CV CVE CVE VVE E C EECC E C E CCV CV CVE VE VE VE C E C CV
E
VE VE E E E
E C EC CCV CV CCV VE VVE VVE VEE C E C ECV CV CCV VE VE E
CV V
CV CVE VEE
CV
EC C
C
CV CV
VE VE VEE C E C EE C CVV CCV CVE CVE VE E C EC
V CV VE E E
VE CVE C
EC C
C
V C E VE E
C V CV
CVE CV CV CCVE VVE VE CVVE C E C EE CVECV CV ECVE CVE VE C VE C E CV E
E
V
E
C
C
E E E V E C CC C E CV V VV VE C VE C E C C C E
V
CV CV CV CCVE VVE VVE CVECCE E CEE CV E CV CVE CVE VE CVVE VE C E CVE
CVV CV CVEE V E VE
E C E CC E C
V
V
E E
CV CV C
E
E
C CV
VE E VE C VE C C EC V CV
CV CV CV CVE CVE VVE C VE CVE C EE C E CV CVE CVE CVE VE VE C E CV
E C E
EC
E C E C E C CV CCV CVVE VE E VVE VVE C E C EC CV CV CV VE E
V E C E C VE C V V
CV V V VE E VEE E CC CC C
E
VE
E VE E
C
VE
CV
E C E C E C CV CV CCV VVE VE E VE CVVE C E C E CV CVE CV CVE VE
VEE E V C VE C E C V V
V
VE VE VE C E C E C CC CCV CV VE VEE E C E C E C E CV CV
V V CV C
C
V
CV CV VE VE VE VE E EE C EE CVECV CV VE CVE VE E C E
CV E
E
E C E C CV CV CV CVE VVE VEE CVE C E C CV E CV CV VE
C
C
C
VE VE E C E C E C E C CVV CVVE VE VEC VE C E C E CV
E
CV V V VE VVE EE C E C C
V
E
CV
E C E C E C C CCV CVE VE VE CVE VE C E CV E
VE
EC
V
VE E
VE VE VE VE CVE C EE CV CV CVE VE
C
CV
CV CV CVE VE VE VE C E C CV
E
E
E C E C C CV CV VE VE E
CV CVE
VE VE VE C E C E
EC
CV CV VE VE
VE
E C E C CV
VE VE C E
CV V
EC E
VE

Yo
ur

Yo
u

Vu
ln

rV
uln

era

bil
it

era

Vu
ln

bil
it

era

ies

ies

bil
itie
s

Security
Intelligence
Integration
 Improves visibility
– Intelligent, event-driven
scanning, asset
discovery, asset profiling
and more

 Reduces data load
– Bringing rich context to
Vulnerability
Management

 Breaks down silos
Questions remain:
•Has that been patched?
•Has it been exploited?
•Is it likely to be exploited ?
•Does my firewall block it?
•Does my IPS block it?
•Does it matter?
27

– Leveraging all QRadar
integrations and data
– Unified vulnerability view
across all products

QRadar Vulnerability
Manager
CV
E
CV CV
Yo
E EC
ur
CV CV V
E EC E C
Vu
CV V VE
CV
lne
E EC E C C
V
CV CV VEIn E VE
ra b
E E
C a CV C
CV CV CVE VEct E VE C
i e E E ilitie
EC C CVvCV V
E
CV CV V VE E
s
C C C CV
E E E
CV CV CV CVE VE VE CVE C E C
E C C CV V V VE
E E
CV CV CVE VE VE E C E C E CV CV
V V
C C
E E
E E
CV CV CVE CVE VE VE C E C E CV CV CV
E E C Pa V CV CV VE VE E E C E C
CV CV V Ctc
C C
E E
V V
E E E Eh V C C CV V VE E E
C
CV CV CV CVE eE VE CVE C E C ECV CV CVE
dC
E E
E E E
V V
CV CV CV CVE CVE VE C VE C E C EC CV CVE
E EC E C C CV VE VE VE VE EC
CV CV V VE VE E
Cr E E C C CV CV CVE CVECVE CVECVE
E i C
CVi V VE VE E E
B CV C V
t Ec E
C C C CV lo E VE E
a
CVl CV CVE VE VE VE EC ck V CV
C
E C C C CV CV VE e E E
EC
VE VE VE C VE C E C EC CV dCVE
CV CV VE VE VE VE C E C
AC E CV CV CV CVE VE VE
E
t VE E E E C C
ris C C CV V VE
Ck V VE E E
VE E
! C C C CV CVE
V E VE VE C EC
CE CV VE VE
VE E
xCV CV CVE
plE E
oCt CV
iVe E
Ed
CV
!E

Answers delivered:

•Real-time scanning
•Early warning capabilities
•Advanced pivoting and
filtering



‘Big Data’ adds more structured and even unstructured data
Data Sources

Real-time Processing
QRadar Security
Intelligence Platform

Security and
Infrastructure
Data Sources

QRadar Console
(Web interface)

Two major roles
QRadar can play in
the IBM Big Data
Solution:

Big Data Analytics
and Forensics

1) Collects SI data
and feeds to
BigInsights to enrich
data sources

Security Operations

• Watch List
• Custom Rules

Big Data Warehouse
InfoSphere
BigInsights

External Threat
Intelligence
Feeds

InfoSphere
BigSheets

Hadoop Store
• Raw Data
Relational Store
• High-value Information

Email, Web, Blogs,
and Social Activity

Collect
Collect
Flow of data/information
Flow of knowledge

i2 Intelligence
Analysis

Store & Process
Store & Process

2) Provides a
dashboard to
display, organize,
and query the data
generated by Big
Data Analytics and
Forensics

Analyze
Analyze

1

Data Collection &
Enrichment (HOT)

3

Forward (HOT) & Store
(HOT, Warm, cold) data

5

2

Real-time insights (HOT)

4

Big Data Analysis,
Trends & History

6

Advanced Visualizations and
Investigation – (Warm and
cold)

Enrich / Adapt / Improve

(Warm and cold)

28



Virtual appliances see inside the cloud
 IBM Security QRadar VFlow Collectors
– Use deep packet inspection to provide visibility to
application layer virtual network traffic in the cloud
– Detect new security threats, malware, viruses,
anomalies through behavior profiling of network
traffic without relying on vulnerability signatures
– Support VMware virtual environments and profile
more than 1,000 applications
– Run on virtual server and require no additional
hardware

29



QRadar Risk Manager adds pro-active capabilities
 Normalized device configurations are gathered and stored either on-demand or via
scheduled activities
 Performs firewall rule analysis, configuration error detection (e.g. shadowed rules),
and rule activity correlation with ‘offenses’

Sh
ad
o

30

we

d

ru
les



5. Importance of solution
integration

31





Integrations critical to success and differentiation of IBM
Security and Customers

 Consolidate siloed
information from hundreds
of sources
 Detect, notify and respond
to threats missed by other
security solutions
 Automate compliance tasks
and assess risks
32


 Stay ahead of the
changing threat landscape
 Detect the latest
vulnerabilities, exploits
and malware
 Add security intelligence
to non-intelligent systems

 Infrastructure protection to
block specific vulnerability
types using scan results
 Converge access
management with web
service gateways
 Link identity information with
database security


Using fully integrated architecture and interface
Log
Management

SIEM

Configuration
& Vulnerability
Management

Network
Activity &
Anomaly
Detection

Network and
Application
Visibility

33


• Turn-key log management and reporting
One ConsoleEnterprise
• SME to Security
• Upgradeable to enterprise SIEM

• Log, flow, vulnerability & identity correlation
• Sophisticated asset profiling
• Offense management and workflow

• Network security configuration monitoring
• Vulnerability prioritization
• Predictive threat modeling & simulation

• Network analytics
• Behavioral anomaly detection
• Fully integrated in SIEM

• Layer 7 application monitoring
• Content capture for deep insight & forensics
• Physical and virtual environments

Built on a Single Data Architecture



Summary of five conditions and best practices

1. It's what you don't know that can hurt you
2. Force multipliers are key to winning the battle
3. Reduce incident investigations with more
available data
4. Further reduce blind spots using nontraditional event sources
5. Importance of solution integration

34



Learn more about IBM QRadar Security Intelligence
Watch executive Steve Robinson (VP) discuss
the next era for Security Intelligence :
http://ibm.co/nextera
Download the 2013 Gartner Magic Quadrant for
SIEM : http://ibm.co/GMQ

Read our IT Executive Guide to Security
Intelligence White Paper: ibm.co/11HQdfc

:Visit our
Blog www.securityintelligence.com
Website: http://ibm.co/QRadar
35


Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response
to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed or misappropriated
or can result in damage to or misuse of your systems, including to attack others. No IT system or product should be considered completely secure
and no single product or security measure can be completely effective in preventing improper access. IBM systems and products are designed to
be part of a comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems,
products or services to be most effective. IBM DOES NOT WARRANT THAT SYSTEMS AND PRODUCTS ARE IMMUNE FROM THE
MALICIOUS OR ILLEGAL CONDUCT OF ANY PARTY.

www.ibm.com/security

© Copyright IBM Corporation 2013. All rights reserved. The information contained in these materials is provided for informational purposes
only, and is provided AS IS without warranty of any kind, express or implied. IBM shall not be responsible for any damages arising out of the use
of, or otherwise related to, these materials. Nothing contained in these materials is intended to, nor shall have the effect of, creating any
warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement
governing the use of IBM software. References in these materials to IBM products, programs, or services do not imply that they will be available in
all countries in which IBM operates. Product release dates and/or capabilities referenced in these materials may change at any time at IBM’s sole
discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any
way. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United
States, other countries or both. Other company, product, or service names may be trademarks or service marks of others.
36



Five critical conditions to maximizing security intelligence investments

Empfohlen

Empfohlen

Weitere ähnliche Inhalte

Was ist angesagt?

Was ist angesagt? (20)

Ähnlich wie Five critical conditions to maximizing security intelligence investments

Ähnlich wie Five critical conditions to maximizing security intelligence investments (20)

Mehr von IBM Security

Mehr von IBM Security (20)

Kürzlich hochgeladen

Kürzlich hochgeladen (20)

Five critical conditions to maximizing security intelligence investments

Hinweis der Redaktion