4. Not all risks are created equally
[Chart: risk events plotted by frequency of occurrences per year (vertical axis, logarithmic from 1/100,000 "infrequent" to 1,000 "frequent") against consequences, i.e. single occurrence loss in dollars per occurrence (horizontal axis, logarithmic from $1 "low" to $100M "high"). Events charted, listed from most to least frequent: Virus, Data Corruption, Worms, Disk Failure, Application Outage, System Availability Failures, Lack of governance, Network Problem, Failure to meet industry standards, Failure to meet compliance mandates, Terrorism/Civil Unrest, Workplace inaccessibility, Natural Disaster, Regional Power Failures, Pandemic, Building Fire.]
5. Increasing complexity
• Death by point products: confusion on approach; where to start?
• Interconnect, share and protect a growing magnitude of data: 15 petabytes of new information are being generated every day. This is 8x more than the information in all U.S. libraries.
• Rapidly changing threat environment: 508% increase in the number of new malicious Web links discovered in the first half of 2009.
• Disruptive technologies like Virtualization and Cloud Computing: 80% of enterprises consider security the #1 inhibitor to cloud adoption.
Source: IBM X-Force 2009 Mid-year Trend Report
6. Rising costs
Today’s CIOs spend 55% of their time on activities that spur innovation. The remaining 45% is spent primarily on cost reduction, managing risk and automation.*
• Skills to deploy new technologies like Virtualization and Cloud computing are costly.
• IT departments have increasing responsibilities, time pressures and a mandate to do more with less.
• The bulk of the security budget is spent firefighting rather than innovating.
• Administrators and help desk resources are strained to support an increasing base of users.
* Source: IBM Global CIO Study, 2009
7. Cost, complexity and compliance
• Death by point products
• People are becoming more and more reliant on security
• Rising costs: do more with less
• Regulation/compliance fatigue
IBM believes that security is progressively viewed as every individual’s right.
8. “Foundational Controls” = seatbelts and airbags
• Find a balance between effective security and cost
  – The axiom: never spend $100 on a fence to protect a $10 horse
• Studies show the Pareto Principle (the 80-20 rule) applies to IT security*
  – 87% of breaches were considered avoidable through reasonable controls
• A small set of security controls provides a disproportionately high amount of coverage
  – Critical controls address risk at every layer of the enterprise
  – Organizations that use security controls have significantly higher performance*
• Focus on building security into the fabric of the business
  – “Bolt on” approaches after the fact are less effective and more expensive
[Diagram: pressures on the security program, labelled Cost, Complexity, Effectiveness, Agility and Time.]
* Sources: W.H. Baker, C.D. Hylender, J.A. Valentine, 2008 Data Breach Investigations Report, Verizon Business, June 2008; ITPI: IT Process Institute, EMA December 2008
9. The IBM security strategy:
Make security, by design, an enabler of innovative change
Trusted Partner: delivering secure products and services
Trusted Security Vendor: providing end-to-end coverage across all security domains
• 15,000 researchers, developers and SMEs on security initiatives
  – Data Security Steering Committee
  – Security Architecture Board
  – Secure Engineering Framework
• 3,000+ security & risk management patents
• Implemented 1000s of security projects
• 40+ years of proven success securing the zSeries environment
• Managing over 7 Billion security events per day for clients
• 200+ security customer references and more than 50 published case studies
10. Physical infrastructure
BUSINESS VALUE: Provide actionable intelligence and improve effectiveness of physical infrastructure security

Video Surveillance
  Business challenge: Legacy analog video systems with proprietary interfaces are hard to integrate with IT infrastructure.
  Software: IT infrastructure, Software Security products, and partner products
  Professional Services: Base Digital Video Surveillance Infrastructure services

Video Analytics
  Business challenge: Video information from many cameras presents an information overload to human security personnel; detection is often after the fact and response management is problematic.
  Software: Logical Smart Vision Suite and DVS Solution
  Professional Services: Design, Implementation, Optimization services

Command and Control
  Business challenge: IT and physical security operate in silos and do not integrate. It is increasingly difficult and expensive to consolidate security information across locations for effectiveness and compliance.
  Software: Command Control Center
  Professional Services: Command Control Center Solution Services

This is not intended to be a comprehensive list of all IBM products and services
11. People and identity
BUSINESS VALUE: Lower costs and mitigate the risks associated with managing user access to corporate resources

Cost and Complexity of Managing Identities
  Business challenge:
  • On average, enterprises spend 2 weeks to set up new users on all systems, and about 40% of accounts are invalid
  • 30% of help desk calls are for password resets, at $20 per call
  Software: Tivoli® Identity and Access Assurance, Tivoli zSecure suite
  Professional Services: Identity and Access Management Professional Services
  Managed Services: Managed Identity and Access Management

Providing Access to Applications
  Business challenge: “We would need to spend $60k on each of our 400 applications to implement security access rules” – Global financial services firm
  Software: Tivoli Access Manager, Tivoli Federated Identity Manager
  Professional Services: Identity and Access Management Professional Services
  Managed Services: Managed Identity and Access Management

Auditing, reporting and managing access to resources
  Business challenge:
  • Privileged users cause 87% of internal security incidents, while firms cannot effectively monitor thousands of security events generated each day
  • Role management, recertification, etc.
  Software: Tivoli Identity and Access Assurance, Tivoli Security Information and Event Manager
  Professional Services: Compliance Assessment Services, Privileged Identity Management
  Managed Services: Managed User Monitoring and Log Management

This is not intended to be a comprehensive list of all IBM products and services
12. Data and information
BUSINESS VALUE: Understand, deploy and properly test controls for access to and usage of sensitive business data

Protecting Critical Databases
  Business challenge: Mitigate threats against databases from external attacks and internal privileged users
  Software: Guardium Database Monitoring & Protection
  Professional Services: Data Security Assessment Services

Messaging Security and Content Filtering
  Business challenge: Spam and inappropriate Web sites pose major productivity drains and resource capacity strains, and are a leading attack vector for malware
  Software: Multi-Function Security appliance, Lotus Protector
  Professional Services: Data Security Assessment Services

Managing Data Access and Encryption
  Business challenge: Over 82% of firms have had more than one data breach in the past year involving loss or theft of 1,000+ records with personal information; the cost of a data breach increased to $204 per compromised customer record*
  Software: Tivoli® Key Lifecycle Manager, Tivoli Security Policy Manager, Tivoli Federated Identity Manager
  Professional Services: Data Security, Compliance Assessment Services

Monitoring Data Access and Preventing Data Loss
  Business challenge: 42% of all cases involved third-party mistakes and flubs… the magnitude of breach events ranged from about 5,000 to 101,000 lost or stolen customer records*
  Software: Tivoli Data Loss Prevention; Tivoli Security Information and Event Manager
  Professional Services: Data Security, Compliance Assessment Services

This is not intended to be a comprehensive list of all IBM products and services
* "Fifth Annual U.S. Cost of Data Breach Study”, Ponemon Institute, Jan 2010
13. Application and process
BUSINESS VALUE: Keep applications secure, protected from malicious or fraudulent use, and hardened against failure

Security in App Development
  Business challenge: Vulnerabilities caught early in the development process are orders of magnitude cheaper to fix than after the application is released
  Software: Rational® AppScan®; Ounce
  Professional Services: Secure App Dev Process Enablement, App Vulnerability and Source Code Scanning
  Managed Services: Managed Vulnerability Scanning

Discovering App Vulnerabilities
  Business challenge:
  • 74% of vulnerabilities in applications have no patch available today*
  • 80% of development costs are spent identifying and correcting defects, costing $25 during the coding phase vs. $16,000 in post-production**
  Software: Rational AppScan; Ounce
  Professional Services: App Vulnerability and Source Code Scanning Services
  Managed Services: Managed Vulnerability Scanning

Embedding App Access Controls
  Business challenge: According to customers, up to 20% of their application development costs can be for coding custom access controls and their corresponding infrastructure
  Software: Tivoli® Identity and Access Assurance
  Professional Services: Application Access Services
  Managed Services: Managed Access Control

Providing SOA Security
  Business challenge: Establishing trust and high performance for services that span corporate boundaries is a top priority for SOA-based deployments
  Software: WebSphere® DataPower®; Tivoli Security Policy Manager

This is not intended to be a comprehensive list of all IBM products and services
* IBM X-Force Annual Report, Feb 2009
** Applied Software Measurement, Capers Jones, 1996
14. Application and Process
54% of all vulnerabilities disclosed in 1st half of 2008 were web-based*
75% of attacks are focused on applications**
[Diagram: secure application lifecycle, with the IBM offerings at each stage]
• Define Security Requirements and Policy: IBM ISS Consulting; Rational Requirements Management
• Build Security into design and models: Rational Application Developer; Rational Software Architect; WebSphere Business Modeller
• Build & Test: Rational Change Management; Rational BuildForge; Rational AppScan
• Deploy: Tivoli distribution products
• Manage, Monitor & Defend: IBM ISS Intrusion protection; IBM ISS Managed Services; IBM Global Services
15. Network, server and end point
BUSINESS VALUE: Optimize service availability by mitigating risks while optimizing expertise, technology and process
[Diagram: protected assets – Storage, Systems, Virtual, Network]

Protecting Servers
  Business challenge: Mitigate threats against servers; prevent data loss
  Software: Server Protection, Server Protection for VMware
  Professional Services: Server security, data security assessment services
  Managed Services: Managed IDS, Privileged User Mgmt

Protecting Endpoints
  Business challenge: Effective management can cut total cost of ownership for secured desktops by 42%*
  Software: Desktop security platform; encryption
  Professional Services: Desktop security, data security assessment services
  Managed Services: Managed Desktop security platform

Protecting Networks
  Business challenge: Mitigate network-based threats and prevent data loss
  Software: Network Intrusion Prevention System (IPS)
  Professional Services: Network security assessment services
  Managed Services: Managed Network IPS

Protecting Mainframes
  Business challenge: Mitigate threats against mainframes; protect against vulnerabilities from configuration; contain the privileged users
  Software: Tivoli® zSecure suite

This is not intended to be a comprehensive list of all IBM products and services
* Gartner Desktop Total Cost of Ownership: 2008 Update, Jan 2008
16. Addressing New Threats
Virtualization and Cloud Computing
Market-leading network protection now available on a virtual appliance
– World class, vulnerability-based protection powered by X-Force research
– Integrate virtual security with physical network protection
– Runs on VMware
Segment-based network protection
– Physical network segments
– Virtual network segments
– Cloud-based service providers
Network protection with the speed of an appliance
– Replacement for RealSecure Network Sensor
– Upgrade to full Proventia protection
Makes virtualized and cloud environments REAL FOR BUSINESS
17. Security governance, risk management and compliance
BUSINESS VALUE: Ensure comprehensive management of security activities and compliance with all security mandates

Security Strategy Design
  Business challenge: Design and implement secure deployment strategies for advanced technologies such as Cloud, virtualization, etc.
  Professional Services: Consulting Services; Security Design

Pen Testing & Vuln. Assessment
  Business challenge: Identify and eliminate security threats that enable attacks against systems, applications and devices
  Software: Rational® AppScan®; Guardium Database Monitoring & Protection
  Professional Services: Ethical hacking and AppSec assessment
  Managed Services: App Vulnerability and Source Code Scanning OnDemand

Sec. Compliance Assessment
  Business challenge: Perform security compliance assessments against PCI, ISO and other standards and regulations
  Software: Tivoli Security Information and Event Manager; Guardium Database Monitoring & Protection; Tivoli zSecure suite
  Professional Services: Qualified Security Assessors services

Incident Response
  Business challenge: Design and implement policy and processes for security governance and incident response; perform timely response and computer forensics
  Software: Tivoli® Security Information and Event Manager; Tivoli zSecure suite
  Professional Services: Policy definition services; CERT team
  Managed Services: Managed Protection Services

This is not intended to be a comprehensive list of all IBM products and services
18. We know how…
Smarter security enabling client innovation
• Banco Mercantil do Brasil: automates access management, reduces the number of help desk calls by 30% with savings of $450K annually
• DTCC: improves the delivery of new insurance products and services and adds 225 new applications per year
• Washington Metro Area Transit Authority: Level 1 merchant with 9 million transactions yearly protects consumer trust by shielding database infrastructure from internal and external threats
• Gruppo Intergea: protects its network infrastructure from threats and ensures business continuity
20. Smart surveillance helped a large US metropolis to identify safety threats quickly and respond proactively
Physical Infrastructure
Value
• Helped increase patrolling of a convention center during a conference event
• Video analytics covered secondary sites, including more than 2 dozen hotels hosting conference attendees
• Surveillance solution identified a van parked by a hotel for more than 24 hours and alerted police to avoid a possible threat
Business Challenge
• Identify public safety threats before they happen
• Quickly respond to events with police, emergency medical services, and fire and rescue when needed
Solution
IBM Smart Surveillance Solutions
• Delivers a broad set of surveillance tools – including video analytics and centralized monitoring – to help identify threats and quickly alert police, fire and rescue resources.
21. Why IBM? IBM is dedicated to cybersecurity advancement
“Worldclass Research”
IBM researches and monitors the latest threat trends with X-Force, which provides specific analysis of:
• Vulnerabilities and exploits
• Malware
• Malicious/Unwanted websites
• Spam and phishing
• Other emerging trends
Most comprehensive vulnerability database in the world; entries date back to the 1990’s
Institute Focus
• Engage in public-private collaboration
• Address and mitigate cybersecurity challenges
• Provide a forum for clients to better understand how recent IBM Research advances can help
More information: www.ibm.com/federal/security
Source: IBM X-Force Database, www.ibm.com/federal/security
22. Why IBM?
Recent accolades
“IDC believes IBM has recognized this trend and has created comprehensive security packages that leverage various products to provide for multiple layers of security to customers.”
— Charles Kolodgy, IDC, March 2010
“IBM and a few others can help any sized customer with security, regardless of whether they need help securing their business, implementing an enterprise security initiative, or fixing a big security problem.”
— Jon Oltsik, Enterprise Strategy Group, March 2010
“In light of IBM’s growing presence in security and compliance, and the weight of its impact on the larger issues of business risk control, these factors should make IBM a primary partner to consider in shaping strategy and evaluating technologies and services that make a difference. Few others have the range of capabilities of today’s IBM for addressing the challenge—fewer still have the resources of an IBM for understanding the nature of business risks and emerging threats, and how best to address them going forward.”
— High Performers and Foundational Controls: Building a Strategy for Security and Risk Management, Enterprise Management Associates® (EMA™), Dec 2009
IBM was named the “Best Security Company”* by SC Magazine
* Source: SC Magazine award, March 2, 2010
23. Why IBM?
IBM has unmatched global and local expertise in security
• 9 Security Operations Centers
• 9 Security Research Centers
• 133 Monitored Countries
• 20,000+ Devices under MSS Contract
• 3,700+ Clients Worldwide
• 7 Billion+ Events Per Day
• 3,000+ security and risk management patents
24. IBM is your trusted partner…
• Know how to ensure your success: successfully implemented 1000s of client projects
• Deliver value by understanding the big picture: security across mainframes, desktops, networks, handheld devices
• Help you to choose: create the right solution for you
• Expertise to meet your industry needs: tailor solutions to meet your industry challenges
• Ensure success by execution: manage security for 400,000 IBM employees, 7B events/day for clients
• Client success stories to demonstrate results: provided IT Security for 30+ yrs, 200 client references
• Leverage our skills to meet your goals: 1000s of researchers and SMEs
• Partnership with a huge ecosystem: large business partner community
Delivering solutions that enable enterprises to be Secure by Design
27. Banco Mercantil do Brasil automates access management processes and increases employee productivity
People & Identity
Value
• Reduced the number of help desk calls by 30%, resulting in savings of at least $450,000 USD annually
• Enabled HR managers to create and cancel user accounts in just 2 days instead of 7 – improving productivity
• Provided 3,200 employees with a single password, synchronized across several environments in 3 months
Business Challenge
• Automate access management processes for internal applications
• Increase agility
• Manage changes in business and increasing demands
Solution
IBM’s Identity Management solution
• Manages and controls access at a central point
• Grants access based on roles
• Ensures security of critical information
• Increases productivity
“We have already reduced from 7 days to 2 days the time it takes to provide employees with access to IT resources, including human resource processes, identifications and passwords.”
— Jaime Roberto Pérez Herrera, Technical Support Manager, Banco Mercantil do Brasil
Source: http://www-01.ibm.com/software/success/cssdb.nsf/customerindexVW?OpenView&Count=75&RestrictToCategory=corp_1&cty=en_us
28. Community medical center improves patient information security to meet electronic data requirements (HIPAA)
People & Identity
Value
• Client satisfied the mandated electronic data requirements by the required deadline (HIPAA)
• Physicians, nurses and administrators are spending less time logging onto and off applications
• Reduced operating costs, enabling the medical center to focus more on patient care
Business Challenge
• Meet federal guidelines for HIPAA compliance
• Not impede staff convenience
Solution
Access Manager for Single Sign On
• Secures access to new and legacy applications
• Delivers single sign on and sign off to users
• Easy to deploy with maximum flexibility
“The solution helped address issues in more than half of the HIPAA security standards, specifically addressing many access control and audit tracking issues.”
— George Vasquez
Source: http://www-01.ibm.com/software/success/cssdb.nsf/customerindexVW?OpenView&Count=75&RestrictToCategory=corp_1&cty=en_us
30. IBM X-Force Research and Development
What does it do?
– Researches and evaluates vulnerabilities and security issues
– Develops assessment and countermeasure technology for IBM security
offerings
– Educates the public about emerging Internet threats
Why is it differentiating?
– One of the best-known commercial security research groups in the world
– IBM X-Force maintains the most comprehensive vulnerability database
in the world—dating back to the 1990s.
– X-Force develops our Protocol Analysis Module which is the engine
inside IBM Security solutions. This technology allows X-Force to
regularly and automatically infuse new security intelligence into IBM
Security offerings on average 341 days ahead of the latest threats.
31. IBM X-Force Database
IBM X-Force® Database
• Most comprehensive vulnerability database in the world
• Entries date back to the 1990’s
• Updated daily by a dedicated research team; currently tracks over:
  – 7,600 Vendors
  – 17,000 Products
  – 40,000 Versions
33. Homomorphic Encryption facilitates analysis of encrypted information without sacrificing confidentiality
• Analyze confidential electronic client data without seeing any private information
• Store data anywhere while it remains completely secure and private
• Query a search engine without telling the engine what you are looking for!
• Service providers will be able to easily adopt new models like cloud computing and deliver smarter services
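The capability the slide describes, as an added example that is not IBM’s code and not the scheme IBM’s researchers built: it uses the Paillier cryptosystem, which is only additively homomorphic (a provider can sum and scale encrypted values but not run arbitrary computation on them), because it fits in a few dozen lines and shows the separation of roles end to end. The primes, the key size and the claim amounts are constructed for illustration and are far too small for real use; the function and class names are this example’s own.

```python
"""Additively homomorphic encryption (Paillier, 1999) as a stand-in for
"analyze encrypted data without seeing it".

The client holds the private key. The service provider holds only the
public key and ciphertexts, yet can still compute a total over them.
Assumption (example code, not IBM's): Paillier is used here for brevity;
IBM's research concerned fully homomorphic encryption, which additionally
supports multiplying ciphertexts.
"""
from __future__ import annotations

import math
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class PublicKey:
    n: int    # modulus p*q
    g: int    # generator, fixed to n+1
    n2: int   # n squared, the ciphertext modulus


@dataclass(frozen=True)
class PrivateKey:
    lam: int  # lcm(p-1, q-1)
    mu: int   # inverse of L(g^lam mod n^2) modulo n
    n: int
    n2: int


def _L(u: int, n: int) -> int:
    """Paillier's L function: (u - 1) / n, exact for u in the right subgroup."""
    return (u - 1) // n


def keygen(p: int, q: int) -> tuple[PublicKey, PrivateKey]:
    """Derive a Paillier key pair from two distinct primes p and q."""
    n = p * q
    n2 = n * n
    lam = (p - 1) * (q - 1) // math.gcd(p - 1, q - 1)
    g = n + 1
    mu = pow(_L(pow(g, lam, n2), n), -1, n)
    return PublicKey(n, g, n2), PrivateKey(lam, mu, n, n2)


def encrypt(pk: PublicKey, m: int) -> int:
    """Encrypt 0 <= m < n. Fresh randomness r makes encryption probabilistic,
    so two encryptions of the same value are not linkable."""
    if not 0 <= m < pk.n:
        raise ValueError("message out of range")
    while True:
        r = secrets.randbelow(pk.n - 1) + 1
        if math.gcd(r, pk.n) == 1:
            break
    return (pow(pk.g, m, pk.n2) * pow(r, pk.n, pk.n2)) % pk.n2


def decrypt(sk: PrivateKey, c: int) -> int:
    """Recover m from c; only the private-key holder can do this."""
    return (_L(pow(c, sk.lam, sk.n2), sk.n) * sk.mu) % sk.n


def add_encrypted(pk: PublicKey, c1: int, c2: int) -> int:
    """Ciphertext of m1 + m2, computed without the private key."""
    return (c1 * c2) % pk.n2


def scale_encrypted(pk: PublicKey, c: int, k: int) -> int:
    """Ciphertext of k * m, computed without the private key."""
    return pow(c, k, pk.n2)


def provider_total(pk: PublicKey, ciphertexts: list[int]) -> int:
    """What the service provider runs: sum amounts it cannot read."""
    total = encrypt(pk, 0)
    for c in ciphertexts:
        total = add_encrypted(pk, total, c)
    return total


def demo() -> int:
    """Client encrypts claim amounts (constructed sample data), the provider
    sums them blind, the client decrypts the total. Returns that total."""
    pk, sk = keygen(104729, 104723)         # small primes, illustration only
    amounts = [1200, 350, 9999, 42]         # constructed sample data
    blinded = [encrypt(pk, a) for a in amounts]
    total_ct = provider_total(pk, blinded)  # provider sees only ciphertexts
    return decrypt(sk, total_ct)


if __name__ == "__main__":
    print(demo())  # 11591
```

The point to notice is which side holds what: `provider_total` never touches `PrivateKey`, and because `encrypt` draws a fresh `r` each time, the provider cannot even tell whether two submitted amounts are equal. A real deployment would use primes of at least 1024 bits each and a vetted library rather than this hand-rolled arithmetic.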
34. IBM continues to research and test new, more robust and more focused approaches to enterprise security
IBM is working with clients worldwide to implement the new Enterprise Security Architecture
Combines:
• IBM Methodology for Architecting Secure Solutions
• Enterprise architecture framework of IBM Global Services Method
The new architecture is defined around the concept of six security zones of control:
• Boundary control
• Authentication
• Authorization
• Integrity services
• Audit/monitoring
• Cryptographic services
35. Advanced Risk Analytics is the key to the future of IT Security
• Mine intelligence from logs and audit records from a multitude of event sources
• Consolidate and correlate events and data at line speeds and present them to the analyst in a meaningful manner
• Put control back into the hands of decision makers, such as security analysts, by taking over repetitive and manual tasks
Research directions:
• Advanced risk calculators to provide faster data processing rates, at 15 to 20 times the scale of today’s model
• Automatically creates and checks behavioral models for malware detection in real time
• Provides pre-fraud detectors with extremely low false positive rates
36. With these new opportunities come new risks
Emerging technology
• Virtualization and cloud computing increase infrastructure complexity.
• Applications are a vulnerable point for breaches and attack.
Data and information explosion
• Data volumes are doubling every 18 months.
• Storage, security, and discovery around information context are becoming increasingly important.
Wireless world
• Mobile platforms are developing as new means of identification.
• Security technology is many years behind the security used to protect PCs.
Supply chain
• The chain is only as strong as the weakest link… partners need to shoulder their fair share of the load for compliance and the responsibility for failure.
Clients expect privacy
• An assumption or expectation now exists to integrate security into the infrastructure, processes and applications.
Compliance fatigue
• Organizations are trying to maintain a balance between investing in both the security and compliance postures.