DSS ITSEC Conference 2012 - SIEM Q1 Labs IBM Security Systems Intelligence

  1. IBM Security Systems. Security strategies to stay out of the headlines. Q1 Labs, an IBM Company. Andris Soroka, Data Security Solutions (Q1 Labs 1st Certified Partner in the Baltics). © 2012 IBM Corporation
  2. Who we are – specialization security:
     - Innovative and selected software, hardware and hybrid solutions from leading technology vendors in over 10 different countries
     - IT security consulting (vulnerability assessment tests, security audits, new systems integration, HR training, technical support)
     - First in the Baltics to integrate several innovative IT security solutions that no one had done before
     - First Certified Q1 Labs Partner in the Baltic States, now an IBM Business Partner continuing to work with the IBM Security Portfolio
  3. According to the 2011 Verizon Data Breach Report, 86 percent of breached organizations failed to detect that their networks were hacked.
  4. Headlines change, cybercrime increases. Motives and adversaries across the 1st decade of the commercial Internet (1995–2005) and the 2nd (2005–2015):
     - Curiosity: script-kiddies or hackers using tools and web-based "how-to's"
     - Revenge: insiders, using inside information
     - Monetary gain: organized crime, using sophisticated tools
     - Espionage, political activism: competitors, hacktivists
     - National security: nation-state actors; targeted attacks / Advanced Persistent Threat
  5. What happens in the IT security world? A maze: around 1500 IT security vendors covering
     - Endpoint security: platforms and point solutions
     - Data security: DLP suites and point solutions
     - Network security: gateway solutions; NAC, visibility, NBA
     - Authentication, authorization etc.: traditional and next-generation identity protection
     - Virtualization and cloud security
     - IT security governance
     - Operational management and security
     - Mobile security
  6. What do we propose? Security Intelligence --noun 1. the real-time collection, normalization, and analytics of the data generated by users, applications and infrastructure that impacts the IT security and risk posture of an enterprise. Security Intelligence provides actionable and comprehensive insight for managing risks and threats, from protection and detection through remediation.
  7. What logs: audit logs, transaction logs, intrusion logs, connection logs, system performance records, user activity logs, and alerts and messages from many other systems. From where: firewalls / intrusion prevention, routers / switches, intrusion detection, servers, desktops, mainframes, business applications, databases, homegrown applications, antivirus software, VPNs. Today these sit in separate log tool silos (operational IT and network management, identity governance and compliance, security operations), producing a "log jam". You cannot control what you cannot see!
  8. (image-only slide; no text recovered)
  9. (image-only slide; no text recovered)
  10. Fully Integrated Security Intelligence: one console security, built on a single data architecture.
     - Log Management: turnkey log management; SME to enterprise; upgradeable to enterprise SIEM
     - SIEM: integrated log, threat, risk and compliance management; sophisticated event analytics; asset profiling and flow analytics; offense management and workflow
     - Risk Management: predictive threat modeling and simulation; scalable configuration monitoring and audit; advanced threat visualization and impact analysis
     - Network Activity and Anomaly Detection: network analytics; behavior and anomaly detection; fully integrated with SIEM
     - Network and Application Visibility: Layer 7 application monitoring; content capture; physical and virtual environments
  11. Fully Integrated Security Intelligence (build of slide 10; same five components and bullets)
  12. Q1 Labs – The Security Intelligence Leader. Who is Q1 Labs: an innovative Security Intelligence software company; one of the largest and most successful SIEM vendors; Leader in the Gartner Magic Quadrant (2009–2012). Award-winning solutions: a family of next-generation Log Management, SIEM, Risk Management and Security Intelligence solutions. Proven and growing rapidly: thousands of customers worldwide; five-year average annual revenue growth of 70%+. Now part of IBM Security Systems: unmatched security expertise and breadth of integrated capabilities.
  13. Security Intelligence Use Cases
  14. Clear and concise delivery of the most relevant information: What was the attack? Was it successful? Who was responsible? Where do I find them? How valuable are they to the business? How many targets were involved? Are any of them vulnerable? Where is all the evidence?
  15. Total Security Intelligence: How do we address the challenges? Reduce Big Data; detect Advanced Persistent Threats; predict attacks; manage risk.
  16. Big Data: reduce your data silo down.
  17. Reducing Data Silos: how it looks in QRadar. A single incident derived from ~20k events and 355 flows: QRadar automatically pulls all related events and flows into a single security incident, highlights the magnitude / importance, and reduces the volume to a manageable daily number.
  18. Total Security Intelligence: How do we address the challenges? (agenda repeated) Reduce Big Data; detect Advanced Persistent Threats; predict attacks; manage risk.
  19. Anatomy of an APT: communications company. –6 months: attackers create a Trojan with a backdoor agent. Day 0: 3rd-party software update server compromised; Trojan "auto-updated" to the corporate network. Day 8: 60+ corporate computers infected; port 8080 used for C&C activities; 35M records stolen.
  20. Activity / Behaviour Monitoring, Flow Analytics, Anomaly Detection: behaviour / activity baselining of users and processes; helps detect day-zero attacks and covert channels that have no signature or AV / IPS detection; provides definitive evidence of attack; enables visibility into attacker communications. Network traffic does not lie: attackers can stop logging and erase their tracks, but they can't cut off the network (flow data).
  21. Activity and data access monitoring. Visualize data risks: automated charting and reporting on potential database breaches. Correlate database and other network activity: enrich database security alerts with anomaly detection and flow analysis. Better detect serious breaches: 360-degree visibility helps distinguish true breaches from benign activity, in real time.
  22. Anomaly Detection and APTs. User and Application Activity Monitoring alerts to a user anomaly for Oracle database access. Identify the user, the normal access behavior and the anomalous behavior, with all source and destination information, for quickly resolving the persistent threat.
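The user baselining that slides 20 and 22 describe (learn what is normal for each user, then alert on the deviation with enough context to act) is shown here as an added example. This is not QRadar's code or IBM's; the record format (user, hour of day, client IP, rows returned), the sample history and the three deviation checks are assumptions made for the illustration.

```python
"""Added example (not QRadar code): per-user baseline of Oracle access, then
anomaly scoring of new records. Records are (user, hour_of_day, client_ip, rows)."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed historical access records for the baselining window (made up).
HISTORY = [
    ("alice", 9, "10.0.0.31", 120), ("alice", 10, "10.0.0.31", 95),
    ("alice", 11, "10.0.0.31", 140), ("alice", 14, "10.0.0.31", 110),
    ("alice", 15, "10.0.0.31", 130), ("alice", 16, "10.0.0.31", 100),
    ("bob", 8, "10.0.0.42", 4000), ("bob", 9, "10.0.0.42", 5200),
    ("bob", 13, "10.0.0.42", 4800), ("bob", 17, "10.0.0.42", 5100),
]


class Baseline:
    """What is 'normal' for one user: hours seen, client addresses, result sizes."""

    def __init__(self):
        self.hours = set()
        self.client_ips = set()
        self.rows = []


def build_baselines(history):
    """Fold the history into one Baseline per user."""
    baselines = defaultdict(Baseline)
    for user, hour, ip, rows in history:
        b = baselines[user]
        b.hours.add(hour)
        b.client_ips.add(ip)
        b.rows.append(rows)
    return dict(baselines)


def _near_usual_hour(hour, usual):
    # Within one hour of any hour seen before, wrapping around midnight.
    return any(min(abs(hour - h), 24 - abs(hour - h)) <= 1 for h in usual)


def score(baselines, record, sigma=3.0):
    """Return the reasons a record deviates from its user's baseline.
    An empty list means the access looks normal; an unknown user is itself a reason."""
    user, hour, ip, rows = record
    b = baselines.get(user)
    if b is None:
        return ["no baseline for user"]
    reasons = []
    if not _near_usual_hour(hour, b.hours):
        reasons.append(f"access at {hour:02d}:00, usual hours {sorted(b.hours)}")
    if ip not in b.client_ips:
        reasons.append(f"new client address {ip}")
    # Volume check: mean plus sigma population standard deviations of past result sizes.
    threshold = mean(b.rows) + sigma * pstdev(b.rows)
    if rows > threshold:
        reasons.append(f"{rows} rows returned, above baseline threshold {threshold:.0f}")
    return reasons


def detect(baselines, records):
    """Pair each anomalous record with its reasons; normal records are dropped."""
    findings = []
    for rec in records:
        reasons = score(baselines, rec)
        if reasons:
            findings.append((rec, reasons))
    return findings


if __name__ == "__main__":
    B = build_baselines(HISTORY)
    new_records = [
        ("alice", 10, "10.0.0.31", 125),        # normal
        ("alice", 2, "198.51.100.7", 25000),    # off hours, new address, huge result
        ("bob", 12, "10.0.0.42", 5000),         # normal
    ]
    for rec, reasons in detect(B, new_records):
        print(rec, "->", "; ".join(reasons))
```

The output carries the user, the source address and the deviation in one line, which is the "identify the user, the normal behavior and the anomaly with source and destination" that slide 22 asks for; a production baseline would also key on the destination database and the objects touched.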
  23. Stealthy malware detection. Potential botnet detected? This is as far as traditional SIEM can go. IRC on port 80? QFlow detects a covert channel, using Layer 7 flows and deep packet inspection. Irrefutable botnet communication: Layer 7 flow data shows the botnet command and control instructions.
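The point of slide 23 is that the port says "web" while the payload says "IRC", and only looking at Layer 7 content exposes the mismatch. The following is an added example of that check, not QFlow or any IBM code: it classifies a flow's first bytes as HTTP, TLS or IRC and flags flows whose application protocol does not match what the destination port is expected to carry. The expected-protocol table and the sample flows are constructed for the illustration.

```python
"""Added example (not QFlow code): classify flows by payload, not port, and
flag protocol/port mismatches such as IRC carried over TCP/80."""
import re

# Minimal signatures for the first bytes of a flow.
HTTP_REQUEST = re.compile(rb"^(GET|POST|HEAD|PUT|DELETE|OPTIONS|CONNECT) \S+ HTTP/1\.[01]\r\n")
IRC_LINE = re.compile(rb"^(?::\S+ )?(NICK|USER|JOIN|PRIVMSG|PING|PONG|MODE|NOTICE)\b")


def classify_payload(payload: bytes) -> str:
    """Return 'http', 'tls', 'irc' or 'unknown' from the first 256 bytes of a flow."""
    head = payload[:256]
    if HTTP_REQUEST.match(head) or head.startswith(b"HTTP/1."):
        return "http"
    if head.startswith(b"\x16\x03"):  # TLS record: handshake content type, SSL3/TLS1.x
        return "tls"
    # IRC is line-oriented: look at the first few CRLF-terminated lines.
    for line in head.split(b"\r\n")[:4]:
        if IRC_LINE.match(line):
            return "irc"
    return "unknown"


# Assumed policy: what each well-known port is expected to carry (constructed).
EXPECTED_ON_PORT = {80: {"http"}, 443: {"tls"}, 6667: {"irc"}}


def flag_covert_channels(flows):
    """flows: iterable of (src, dst, dst_port, payload).
    Returns one finding per flow whose Layer 7 protocol is not expected on that port."""
    findings = []
    for src, dst, port, payload in flows:
        app = classify_payload(payload)
        expected = EXPECTED_ON_PORT.get(port)
        if expected is not None and app not in expected:
            findings.append({"src": src, "dst": dst, "port": port,
                             "app": app, "expected": sorted(expected)})
    return findings


# Constructed sample flows; payloads are made up for the example.
FLOWS = [
    ("10.0.0.20", "198.51.100.9", 80, b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n"),
    ("10.0.0.20", "203.0.113.44", 80, b"NICK h0st20\r\nUSER h0st20 0 * :h0st20\r\nJOIN #ctrl\r\n"),
    ("10.0.0.21", "203.0.113.44", 80, b":ctrl PRIVMSG #ctrl :ping\r\n"),
    ("10.0.0.22", "198.51.100.9", 443, b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03"),
    ("10.0.0.23", "192.0.2.10", 6667, b"NICK bob\r\nUSER bob 0 * :bob\r\n"),
]

if __name__ == "__main__":
    for finding in flag_covert_channels(FLOWS):
        print(f"{finding['src']} -> {finding['dst']}:{finding['port']} "
              f"carries {finding['app']}, expected {finding['expected']}")
```

A port-only rule ("traffic to 80 is web") passes the second and third flows; the payload classifier raises both, and the retained Layer 7 content is the evidence the slide calls "irrefutable". Traffic that is encrypted on port 80 would land in "unknown", which is itself worth a rule.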
  24. Total Security Intelligence: How do we address the challenges? (agenda repeated) Reduce Big Data; detect Advanced Persistent Threats; predict attacks; manage risk.
  25. The Security Intelligence Timeline: proactive vs headlines.
  26. Predicting an Attack: how it looks in QRadar. Multiple IPs attack one IP; drilling into one superflow record shows all the IP records contributing to the attack; all are pulled together in one offence, which is detected and raised immediately to the security team.
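Slides 17 and 26 both describe the same operation: many events and flows that share a target are folded into one offense, so the analyst sees one record with the count of contributing sources instead of thousands of raw lines. Here is an added example of that grouping; it is not QRadar's correlation engine or any IBM code, and the event and flow tuples, the "group by destination host" key and the severity ordering are assumptions for the illustration.

```python
"""Added example (not QRadar code): correlate events and flows into offenses.
Events are (timestamp, src, dst, category); flows are (timestamp, src, dst, dport, bytes)."""
from dataclasses import dataclass, field

# Constructed sample inputs (not captured from a real network). A real incident
# would contribute thousands of such records; the grouping is identical.
EVENTS = [
    ("2012-10-01T10:00:01", "203.0.113.5",  "10.0.0.20", "Recon.PortScan"),
    ("2012-10-01T10:00:03", "203.0.113.5",  "10.0.0.20", "Recon.PortScan"),
    ("2012-10-01T10:00:09", "203.0.113.9",  "10.0.0.20", "Exploit.Attempt"),
    ("2012-10-01T10:00:12", "198.51.100.7", "10.0.0.20", "Exploit.Attempt"),
    ("2012-10-01T10:05:00", "10.0.0.31",    "10.0.0.50", "Auth.LoginFailure"),
]
FLOWS = [
    ("2012-10-01T10:00:02", "203.0.113.5",  "10.0.0.20", 22,   640),
    ("2012-10-01T10:00:05", "203.0.113.5",  "10.0.0.20", 80,   900),
    ("2012-10-01T10:00:10", "203.0.113.9",  "10.0.0.20", 445,  1200),
    ("2012-10-01T10:00:13", "198.51.100.7", "10.0.0.20", 445,  1300),
    ("2012-10-01T10:05:01", "10.0.0.31",    "10.0.0.50", 1521, 300),
]


@dataclass
class Offense:
    """One security incident: everything seen against a single target host."""
    target: str
    sources: set = field(default_factory=set)
    categories: set = field(default_factory=set)
    event_count: int = 0
    flow_count: int = 0
    first_seen: str = ""
    last_seen: str = ""

    def touch(self, ts: str) -> None:
        # ISO-8601 timestamps compare correctly as strings.
        if not self.first_seen or ts < self.first_seen:
            self.first_seen = ts
        if ts > self.last_seen:
            self.last_seen = ts


def correlate(events, flows, min_sources: int = 1):
    """Group events and flows by destination host and return the offenses with at
    least min_sources distinct attackers, most severe first (sources, then volume)."""
    offenses = {}
    for ts, src, dst, category in events:
        off = offenses.setdefault(dst, Offense(target=dst))
        off.sources.add(src)
        off.categories.add(category)
        off.event_count += 1
        off.touch(ts)
    for ts, src, dst, _dport, _nbytes in flows:
        off = offenses.setdefault(dst, Offense(target=dst))
        off.sources.add(src)
        off.flow_count += 1
        off.touch(ts)
    result = [o for o in offenses.values() if len(o.sources) >= min_sources]
    result.sort(key=lambda o: (len(o.sources), o.event_count + o.flow_count), reverse=True)
    return result


def summarize(offense: Offense) -> str:
    """The one line an analyst sees instead of the raw records."""
    return (f"target={offense.target} sources={len(offense.sources)} "
            f"events={offense.event_count} flows={offense.flow_count} "
            f"categories={sorted(offense.categories)} "
            f"window={offense.first_seen}..{offense.last_seen}")


if __name__ == "__main__":
    for off in correlate(EVENTS, FLOWS):
        print(summarize(off))
```

Ten raw records become two offenses; the "multiple IPs attack one IP" case of slide 26 is the offense with three sources, and raising `min_sources` is the knob that keeps single-source noise such as one failed login out of the queue.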
  27. Total Security Intelligence: How do we address the challenges? (agenda repeated) Reduce Big Data; detect Advanced Persistent Threats; predict attacks; manage risk.
  28. Managing risk. CISOs know it's not if, it's when they get hacked; yet there is still a gap in the ability to detect a breach: breaches are taking longer to discover, and breaches are not being discovered internally. (Charts from the Verizon 2011 Investigative Response Caseload Review.)
  29. How it looks in QRadar: potential data loss? Who? What? Where? Who: an internal user. What: Oracle data. Where: Gmail.
  30. QRadar: the most intelligent, integrated, automated Security Intelligence platform. Proactive threat management; identifies the most critical anomalies; rapid, complete impact analysis; eliminates silos; easy deployment; highly scalable; rapid time to value; flexible, future-proof; operational efficiency.
  31. What to do next? Visit our stand. Download the Gartner SIEM Critical Capabilities Report: http://q1labs.com/resource-center/analyst-reports/details.aspx?id=151. Read our blog: http://blog.q1labs.com/. Follow us on Twitter: @q1labs @ibmsecurity
  32. ibm.com/security. © Copyright IBM Corporation 2012. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind, express or implied. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, these materials. Nothing contained in these materials is intended to, nor shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software. References in these materials to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates. Product release dates and/or capabilities referenced in these materials may change at any time at IBM's sole discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any way. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service marks of others. Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed or misappropriated or can result in damage to or misuse of your systems, including to attack others. No IT system or product should be considered completely secure and no single product or security measure can be completely effective in preventing improper access. IBM systems and products are designed to be part of a comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective. IBM DOES NOT WARRANT THAT SYSTEMS AND PRODUCTS ARE IMMUNE FROM THE MALICIOUS OR ILLEGAL CONDUCT OF ANY PARTY.