[RakutenTechConf2013] [A-0] Security Meets Analytics
- 1. 10/30/13
Rakuten Technical Conference 2013
26 Oct 2013
Security Meets Analytics
Service Computing, IBM Research – Tokyo
IPSJ Director
Naohiko Uramoto
© 2013 IBM Corporation
Self introduction – My four hats as a tech person
§ My business as IBMer
– Leading Cloud and security projects in IBM Research – Tokyo
§ Internal tech community
– Member of Academy of Technology (AoT), IBM’s cross-organizational technical community
§ External Tech community
– Secretariat of “Cloud Kenkyu-kai”
§ Academia
– Director of Information Processing Society in Japan
Information Processing Society of Japan (IPSJ)
§ Founded in 1960
§ More than 20,000 members (from academia & industry)
§ Board of Directors
– President: Masaru Kitsuregawa (Director of NII and Prof. of U-Tokyo)
– 25 board members (including me)
§ Tight relationship with international communities
– Long term relationship with IEEE-CS, ACM etc.
– Organizing and supporting international conferences
§ Activities
– 40 SIGs in 3 Domains
– Many conferences, seminars, events not only for academia but also engineers and students
– e.g. Digital Practice Papers which focus on best practice
NII: National Institute of Informatics Japan
IFIP: International Federation of Information Processing
IBM Academy of Technology (AoT)
AoT Goal: The inspiring and inclusive academy of eminent technology thought leaders that have an enduring impact on the IT industry that makes the world better.
n 100 AoT leadership members
n 1,000 AoT members with selection
n 44 affiliates with 5,500 members
n TEC-J in Japan
[Diagram: Client Value, Career Development, Networking, Consultancies, Studies, Conferences, Technical Advocate Programme, Mentoring, Skills Development, Technology Impact, Leadership Skills, Think Time]
www.ibm.com/ibm/academy
What is the good balance?
[Diagram: Internal Tech Community, External Tech Community, Academia, Personal Life, Daily Job]
World is changing…
New security technology is required to support transformation of the world
New IT
§ Social, Mobile, Analytics, and Cloud (SMAC)
§ Internet of Things (IoT)
§ Blurred boundaries
§ New types of vulnerabilities
New Data
§ Big Data
§ Data Economy
§ Social Business
§ Data protection for Security and Privacy
§ Logs and events as Big Data
New World
§ Cyberspace
§ Globalization and emerging market
§ Cyber crime across geos and organizations
The sophistication of Cyber threats, attackers and motives is rapidly escalating
Global Security Trends
[Diagram: 10 SOCs]
IBM X-Force 2013 Mid-Year Trend and Risk Report is available
§ Analyzed 4,100 new security vulnerabilities
§ Analyzed 900 million new web pages and images
§ Created 27 million new or updated entries in the IBM web filter database
§ Created 180 million new, updated, or deleted signatures in the IBM spam filter database
http://www.ibm.com/security/xforce/
Why are we losing the game?
Attacker can prepare with enough time to know about the target
– What is the target company or organization?
– What kinds of topics are employees interested in?
– What sites do employees often visit?
– Which web browser is used in the target company?
– Which anti-virus product is used?
– …
Why is traditional defense not enough? Some insights:
n Break in a trusted partner and then loading malware onto the target’s network
n Creating designer malware tailored to only infect the target organization, preventing identification by security vendors
n Using social networking and social engineering to perform reconnaissance on spear-phishing targets, leading to compromised hosts and accounts
n Exploiting zero-day vulnerabilities to gain access to data, applications, systems, and endpoints
n Communicating over accepted channels such as port 80 to exfiltrate data from the organization
Enterprise network is evolving
[Diagram: Servers, Applications, VMs on Private Cloud, Switch, FW, IPS/IDS, Client PCs, Internet, Anti Virus, Mobile Devices]
Traditional Perimeter based defense
Protect corporate network and endpoints from attacks
[Diagram: Servers, Applications, VMs on Private Cloud, Switch, FW, Internet, Client PCs, IPS/IDS, Anti Virus, Mobile Devices]
Now we need to assume invasion of malware
Protect outgoing connections to prevent data leakage, assuming that malware exists in the network.
[Diagram: Attacker’s Command & Control Server on the Internet; Servers, Applications, VMs on Private Cloud, FW, Switch, Client PCs, IPS/IDS, Anti Virus, Mobile Devices]
Now we need to assume invasion of malware
Monitor network & endpoints and detect malware’s and attacker’s activities
[Diagram: Attacker’s Command & Control Server on the Internet; Servers, Applications, VMs on Private Cloud, FW, Switch, Client PCs, IPS/IDS, Anti Virus, Mobile Devices]
How can we do it?
Security information and Event Management (SIEM)
[Diagram: Security Operation Center (SOC) with its data sources; Internet, Switch, IPS/IDS, FW]
– System audit trails
– Business process data
– Configuration information
– Network flows and anomalies
– External threat intelligence feeds
– Middleware log
– Full packet and DNS captures
– Application log
– Access log
– Web page text
– OS level log
– E-mail and social activity
– Mobile device information
– Download from app stores
– Endpoint information
Security Intelligence
Security Information and Event Management (SIEM)
Extensive Data Sources + Deep Intelligence = Exceptionally Accurate and Actionable Insight
QRadar: Intelligent Event Management and Attack Detection
Provide information on attack with a comprehensive and integrated view
– What kind of attack?
– Who is attacking?
– From where?
– What is the business value?
– What are the attacked assets?
– Does the asset have vulnerability?
– What is the evidence of attack?
Flow of Security Analytics
Machine learning and near real-time monitoring enables continuous refinement and tracking of ‘normal’
[Diagram: inputs Network Events, Login Information, Access Log, Social Events; stages Filtering, Correlation, Transformation, Analysis Engine, Behavior Model, anomaly detection, precursor monitoring; output Alerting]
Security Analytics is built on a common platform and applied to multiple areas
Security Analytics Platform
– Network & Device Analytics: Analyze network packets and events for anomaly detection and risk prediction
– Asset Analytics: Classify and visualize enterprise assets to protect them from information leakage
– User Access Analytics: Anomaly detection and risk prediction from user / group access log
– Business Process Analytics: Clarify business process and detect security and compliance issues
– Social Network Analytics: Detect potential risk from social graphs on SNS such as Facebook and Twitter
Event Correlation
Correlation of Logs across middleware and application stacks
• Heuristics on time sequence
• Pattern extraction
[Diagram: Middleware1, Middleware2, Middleware3, Middleware4, App1]
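The time-sequence correlation sketched in the Flow of Security Analytics and Event Correlation slides, as an added example that is not code from the deck or from QRadar: a hypothetical rule correlates constructed proxy, endpoint and flow records per host and raises an alert when a download is followed by a process start and an outbound connection within one minute.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records from three log sources, already normalized to
# (timestamp, host, source, event, detail); a real SIEM would parse raw lines first.
# Addresses are from the RFC 5737 documentation ranges.
EVENTS = [
    ("2013-10-26 09:00:01", "pc-17", "proxy", "download", "invoice.exe"),
    ("2013-10-26 09:00:04", "pc-17", "endpoint", "process_start", "invoice.exe"),
    ("2013-10-26 09:00:09", "pc-17", "netflow", "outbound", "198.51.100.7:443"),
    ("2013-10-26 09:05:00", "pc-03", "proxy", "download", "report.pdf"),
    ("2013-10-26 09:05:30", "pc-03", "netflow", "outbound", "192.0.2.10:80"),
    ("2013-10-26 11:00:00", "pc-17", "endpoint", "process_start", "winword.exe"),
]

# Time-sequence heuristic (hypothetical rule): on one host, a download, then a
# process start, then an outbound connection, all within WINDOW of the download.
PATTERN = [("proxy", "download"), ("endpoint", "process_start"), ("netflow", "outbound")]
WINDOW = timedelta(seconds=60)


def correlate(events, pattern=PATTERN, window=WINDOW):
    """Return one alert per matched chain: {'host', 'start', 'chain'}."""
    by_host = defaultdict(list)
    for ts, host, src, ev, detail in sorted(events):
        by_host[host].append((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), src, ev, detail))
    alerts = []
    for host, evs in by_host.items():
        for i, (t0, src, ev, _) in enumerate(evs):
            if (src, ev) != pattern[0]:
                continue                       # chains only start at the first stage
            chain, stage = [evs[i]], 1
            for t, s, e, d in evs[i + 1:]:
                if t - t0 > window:
                    break                      # too far from the download: heuristic fails
                if (s, e) == pattern[stage]:   # next expected stage seen, in order
                    chain.append((t, s, e, d))
                    stage += 1
                    if stage == len(pattern):
                        alerts.append({"host": host, "start": t0,
                                       "chain": [c[3] for c in chain]})
                        break
    return alerts


if __name__ == "__main__":
    for a in correlate(EVENTS):
        print(f"ALERT host={a['host']} at {a['start']}: {' -> '.join(a['chain'])}")
```

Only pc-17 produces an alert: pc-03 downloads and then connects out, but no process start follows, so the ordered pattern never completes.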
Process-File Dependency Visualization
Detect dependency between processes and files on a PC
[Diagram: Process and File nodes]
Integration Architecture of QRadar, DLP and IBM Endpoint Manager
[Diagram: QFlow, QRadar, DLP Server, IEM Agent, Endpoint (PC), Endpoint Manager]
– QFlow monitors network traffic
– QRadar correlates network and endpoint information: network events and endpoint log (e.g. file access, process start)
– Endpoint Manager dispatches policies to be enforced
– Endpoint DLP monitors user’s behavior