© 2014 IBM Corporation
IBM Security
IBM Support to Continuous Diagnostics & Mitigation
Agenda
• Why CDM?
• A new security reality
• IBM Security overview
• Why risk management
Why CDM? (according to John Streufert, DHS)
Customers have spent an inordinate amount of time, effort and resources on a variety of products that have NOT delivered the results promised.
CDM solutions MUST allow for:
– Search, mitigation and reporting of cyber problems in real time
– Enabling system administrators to:
  • Respond to exploits at network speed
  • Fulfill OMB Circular A-130 responsibilities as intended
  • Implement the NIST publications on continuous monitoring (SP 800-137 and parts of SP 800-37)
– Strategic sourcing to lower cost
Source: James A. Lewis, Raising the Bar for Cybersecurity. Washington, DC: CSIS, 2013.
In search of buy-in for continuous monitoring [FCW]
“Persuading federal IT managers that continuous diagnostics and monitoring
is a boon for their agencies is one of the most challenging elements of
implementing the cybersecurity technology, according to IT chiefs at the
forefront of spreading the CDM message across government.”
“While federal agencies are beginning to grasp what CDM can do for their
organizations, risk-averse IT managers who treasure the status quo and are
reluctant to shift from old practices still have to be won over, say IT leaders at GSA
and the departments of Homeland Security and Energy.”
“DHS has become an "evangelist" for CDM, according to Jeff Eisensmith, chief
information security officer at the department, which is charged with facilitating other
agencies' installation and implementation of CDM technology. Before
CDM, agencies were "getting picked off like zebras on the Serengeti" by cyber
attackers, he said.”
http://fcw.com/articles/2014/03/19/continuous-monitoring-buy-in.aspx?s=fcwdaily_200314
CDM – The Opportunity For Government
• Government's compelling reason to act or business urgency:
– Cyber threats are constantly changing and evolving – not static
– Government recognizes a need for a modified approach to protect cyber infrastructure
– This new approach moves away from historical compliance reporting toward combating threats to the nation's networks in real time
– This initiative is in direct support of the Administration's Cross-Agency Priority (CAP) goal for implementing continuous monitoring across the Federal networks
Continuous Diagnostics & Mitigation
• IBM supports Phase 1 now
• IBM has a Security Framework that addresses risk management across Phases 1 through 3
• IBM's Security Portfolio answers the how in applying CDM
The evolving motivations and sophistication of attackers are a driving force for CMaaS and CDM
Motivation – Actor – Example:
• National security – Nation-state actors – Stuxnet
• Espionage, activism – Competitors and hacktivists – Aurora
• Monetary gain – Organized crime – Zeus
• Revenge, curiosity – Insiders and script-kiddies – Code Red
A New Security Reality Is Here
• 83% of enterprises have difficulty finding the security skills they need
• 85 security tools from 45 vendors (IBM client example)
• 70% of security executives are concerned about cloud and mobile security
• Mobile malware grew 614% in one year, from March 2012 to March 2013
• 61% of organizations say data theft and cybercrime are the greatest threats to their reputation
• Average U.S. breach cost: $7 million+
Sources: 2013 Cost of Cyber Crime Study, Ponemon Institute; 2013 Juniper Mobile Threat Report; 2012 IBM Global Reputational Risk & IT Study; 2013 IBM CISO Survey; 2012 ESG Research
Our traditional security practices and defenses are not keeping up
Source: IBM client example
More than half a billion records of personally identifiable information (PII) were leaked in 2013
Businesses face unprecedented security challenges
• Evolving threats – Escalating threats: targeted attacks are the new norm
• Competing priorities – Unsustainable practices: too little time, too few resources, no clear strategy
• Inadequate tools – Tools are lacking: too many silos, protection lacking
• Business pressures – Disruptive technologies: shifts in the business environment; new innovation can introduce risk
Sources: Verizon 2013 Data Breach Investigations Report; IBM X-Force Trend Report, Sept 2013; IBM CISO Study, Oct 2013; Forrester, Surviving The Technical Security Skills Crisis, May 2013
At IBM, the world is our security lab
• 6,000 IBM researchers, developers, and subject matter experts, ALL focused on security
• More than 3,000 IBM security patents
• Security Operations Centers
• Security Research and Development Labs
• Institute for Advanced Security branches
IBM Security: Helping clients optimize IT security
Integrated Portfolio
Managed and Professional Services
Extensive Partner Ecosystem
IBM Research
IBM's approach is helping customers gain an advantage on attackers and seize new opportunities
1. Use analytics and insights for smarter defense
• Use intelligence and anomaly detection across every domain
• Build an intelligence vault around your crown jewels
• Prepare your response for the inevitable
2. Employ cloud and mobile to improve security
• Own the security agenda for innovation
• Embed security on day one
• Leverage cloud, mobile, social, big data to improve security
3. Get help to develop an integrated approach
• Develop a risk-aware security strategy
• Deploy a systematic approach to security
• Harness the knowledge of professionals
CISOs are looking for strategic partners to chart a path
They are looking for a trusted partner who…
Why a New Approach
• Attackers will not relent, and every agency is a target
• New technologies create opportunities to transform IT security
• Security leaders are more accountable than ever before
Security teams must also shift from a conventional "perimeter and point defense" mindset and begin thinking like an attacker
What has changed? Attacks have moved from broad to targeted.
Audit, Patch & Block (think like a defender, defense-in-depth mindset):
• Protect all assets
• Emphasize the perimeter
• Patch systems
• Use signature-based detection
• Scan endpoints for malware
• Read the latest news
• Collect logs
• Conduct manual interviews
• Shut down systems
Detect, Analyze & Remediate (think like an attacker, counter-intelligence mindset):
• Protect high-value assets
• Emphasize the data
• Harden targets and weakest links
• Use anomaly-based detection
• Baseline system behavior
• Consume threat feeds
• Collect everything
• Automate correlation and analytics
• Gather and preserve evidence
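The "baseline system behavior, use anomaly-based detection, automate correlation" items above, turned into working code. This is an added example for this page, not code from IBM or from the deck: it learns each user's normal SSH source addresses and login hours from a training window of constructed sshd log lines, then flags logins in the current window that fall outside those norms and correlates a burst of failed attempts with the success that follows it. The log lines, user names, IP addresses and thresholds (three failures inside 60 seconds, success within 120 seconds) are all constructed assumptions.

```python
"""Baseline-then-detect over constructed sshd log lines (added example).

Learn each user's normal source IPs and login hours from a training window,
then flag current-window logins that deviate and correlate a burst of failed
attempts with the success that follows it. Log lines, users, addresses and
thresholds are all constructed; nothing here is IBM or QRadar code.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed line format:
# "<iso-timestamp> sshd[<pid>]: <Accepted|Failed> password for [invalid user ]<user> from <ip> ..."
LINE = re.compile(
    r"^(\S+) sshd\[\d+\]: (Accepted|Failed) password for (invalid user )?(\w+) from (\d+\.\d+\.\d+\.\d+)"
)

BASELINE_LOG = """\
2014-03-03T08:02:11 sshd[311]: Accepted password for alice from 10.1.1.20 port 50122 ssh2
2014-03-03T09:15:40 sshd[402]: Accepted password for alice from 10.1.1.20 port 50130 ssh2
2014-03-04T08:10:03 sshd[512]: Accepted password for alice from 10.1.1.21 port 50201 ssh2
2014-03-04T17:45:09 sshd[603]: Accepted password for bob from 10.1.2.5 port 41000 ssh2
2014-03-05T08:30:00 sshd[700]: Accepted password for bob from 10.1.2.5 port 41010 ssh2
"""

CURRENT_LOG = """\
2014-03-06T08:05:00 sshd[801]: Accepted password for alice from 10.1.1.20 port 50300 ssh2
2014-03-06T02:14:01 sshd[810]: Failed password for bob from 203.0.113.9 port 3001 ssh2
2014-03-06T02:14:02 sshd[810]: Failed password for bob from 203.0.113.9 port 3002 ssh2
2014-03-06T02:14:03 sshd[810]: Failed password for bob from 203.0.113.9 port 3003 ssh2
2014-03-06T02:14:05 sshd[811]: Accepted password for bob from 203.0.113.9 port 3004 ssh2
2014-03-06T11:00:00 sshd[820]: Failed password for invalid user admin from 198.51.100.7 port 4000 ssh2
"""


def parse(log):
    """Return events sorted by time: (timestamp, outcome, user, ip, unknown_user)."""
    events = []
    for line in log.splitlines():
        m = LINE.match(line)
        if not m:  # a production pipeline should count unparsed lines; here they are skipped
            continue
        ts, outcome, invalid, user, ip = m.groups()
        events.append((datetime.fromisoformat(ts), outcome, user, ip, invalid is not None))
    return sorted(events)


def build_baseline(events):
    """Per-user norms learned from successful logins in the training window."""
    ips, hours = defaultdict(set), defaultdict(set)
    for ts, outcome, user, ip, unknown in events:
        if outcome == "Accepted" and not unknown:
            ips[user].add(ip)
            hours[user].add(ts.hour)
    return dict(ips), dict(hours)


def detect(baseline, events, burst=3, burst_window=60, success_window=120):
    """Flag deviations from the baseline and failed-burst-then-success sequences."""
    ips, hours = baseline
    alerts = []                   # (type, user, ip, iso timestamp)
    failures = defaultdict(list)  # (user, ip) -> timestamps of failed attempts
    for ts, outcome, user, ip, unknown in events:
        when = ts.isoformat()
        if unknown:               # guessing account names is reconnaissance, not a login
            alerts.append(("probe_unknown_user", user, ip, when))
            continue
        if outcome == "Failed":
            failures[(user, ip)].append(ts)
            continue
        if user not in ips:
            alerts.append(("new_user", user, ip, when))
        else:
            if ip not in ips[user]:
                alerts.append(("new_source", user, ip, when))
            if ts.hour not in hours[user]:
                alerts.append(("off_hours", user, ip, when))
        # Correlation: at least `burst` failures from this IP inside `burst_window`
        # seconds, all within `success_window` seconds before this success.
        recent = [f for f in failures[(user, ip)] if 0 <= (ts - f).total_seconds() <= success_window]
        if len(recent) >= burst and (recent[-1] - recent[0]).total_seconds() <= burst_window:
            alerts.append(("brute_force_success", user, ip, when))
    return alerts


if __name__ == "__main__":
    for alert in detect(build_baseline(parse(BASELINE_LOG)), parse(CURRENT_LOG)):
        print(*alert)
```

Run as-is, bob's 02:14 login produces three alerts (new source, off hours, and the correlated burst) while alice's in-baseline login produces none; the baseline window must be long enough to cover a user's real working pattern, or every legitimate early login becomes an "off_hours" alert.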
Gaining insights across the entire security event timeline
Timeline: Pre-exploit (VULNERABILITY) → EXPLOIT → Post-exploit (REMEDIATION)
Security intelligence: the actionable information derived from the analysis of all security-relevant data available to an organization
Questions answered along the timeline:
• What are the external and internal threats? (pre-exploit)
• Are we configured to protect against these threats? (pre-exploit)
• What is happening right now? (exploit)
• What was the impact? (post-exploit)
Capabilities:
• Gain visibility over the organization's security posture
• Detect deviations from the norm and initiate preventive procedures
• Attain awareness of vulnerabilities and assess exposures
• Discover anomalies and investigate to evaluate the risk
• Explore and analyze data to devise countermeasures for the attack
• Formulate new security best practices to adapt to emerging threats
CDM Implementation Phases
• Local Computing Environment – Devices
• Local Computing Environment – People
• Infrastructure and Network – Devices
• Local Computing Environment – Events
• Infrastructure and Network – Events
• Enclave (Organization) – Devices and Events
Four Tool Functional Areas and IBM tools for CDM Phase 1
• For supporting the Hardware Asset Management (HWAM) tool functional area:
– QRadar
– IBM Endpoint Manager
– Augmentation tools: IBM Cognos (dashboard)
• For supporting the Software Asset Management (SWAM) tool functional area:
– QRadar
– IBM Endpoint Manager
– Augmentation tools: IBM Cognos (dashboard)
• For supporting the Configuration Settings Management (CSM) tool functional area:
– QRadar
– IBM Endpoint Manager
– Augmentation tools: IBM Cognos (dashboard)
• For supporting the Vulnerability Management (VUL) tool functional area:
– QRadar
– IBM Endpoint Manager
– Augmentation tools: IBM Cognos (dashboard) & IBM Rational AppScan
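What one Phase 1 diagnostic cycle across these four functional areas actually computes, as an added example that is not IBM, DHS, QRadar or Endpoint Manager code: constructed sensor reports for a few hosts are reconciled against an authorized-hardware list (HWAM), an authorized-software list (SWAM), a configuration baseline (CSM) and a set of version-based vulnerability definitions (VUL), and each finding is weighted into a per-device risk score of the kind a CDM dashboard ranks. All host names, products, versions, baseline keys, finding identifiers and weights are constructed for illustration; the DHS scoring algorithm is not reproduced here.

```python
"""One CDM Phase 1 diagnostic cycle over constructed inventory data (added example).

HWAM: is every discovered device authorized, and is every authorized device reporting?
SWAM: is every installed product on the authorized list?
CSM:  does each configuration setting match the desired-state baseline?
VUL:  does any installed version fall under a known vulnerability definition?
Hosts, products, versions, baseline keys, finding ids and weights are constructed;
the weights are assumptions, not DHS's published CDM scoring.
"""
from dataclasses import dataclass
from typing import Dict, List

AUTHORIZED_HOSTS = {"srv-01", "srv-02", "ws-100"}        # HWAM: approved inventory
AUTHORIZED_SOFTWARE = {"openssh", "nginx", "python3"}    # SWAM: approved products
CONFIG_BASELINE = {                                      # CSM: desired state
    "ssh.PermitRootLogin": "no",
    "ssh.PasswordAuthentication": "no",
    "fs.suid_dumpable": "0",
}
# VUL: (product, fixed-in version, constructed finding id, severity weight)
VULN_DEFINITIONS = [
    ("openssh", "9.0", "VULN-SSH-OLD", 7),
    ("nginx", "1.25", "VULN-NGINX-OLD", 5),
]
WEIGHTS = {"HWAM": 10, "SWAM": 4, "CSM": 3}              # assumed per-finding weights

# Constructed sensor reports for this cycle.
DISCOVERED = [
    {"host": "srv-01",
     "software": {"openssh": "9.3", "nginx": "1.24"},
     "config": {"ssh.PermitRootLogin": "no", "ssh.PasswordAuthentication": "yes",
                "fs.suid_dumpable": "0"}},
    {"host": "srv-02",
     "software": {"openssh": "8.9", "netcat": "1.10"},
     "config": {"ssh.PermitRootLogin": "yes", "ssh.PasswordAuthentication": "no",
                "fs.suid_dumpable": "0"}},
    {"host": "rogue-7", "software": {"python3": "3.11"}, "config": {}},
]


@dataclass
class Finding:
    host: str
    area: str        # HWAM, SWAM, CSM or VUL
    detail: str
    weight: int


def version_tuple(v: str):
    """Dotted numeric versions only; real products need a proper version comparator."""
    return tuple(int(part) for part in v.split("."))


def diagnose(records) -> List[Finding]:
    """Compare what the sensors saw with the desired state in all four areas."""
    findings: List[Finding] = []
    reporting = set()
    for rec in records:
        host = rec["host"]
        reporting.add(host)
        if host not in AUTHORIZED_HOSTS:
            findings.append(Finding(host, "HWAM", "unauthorized device on network", WEIGHTS["HWAM"]))
        for product, ver in rec["software"].items():
            if product not in AUTHORIZED_SOFTWARE:
                findings.append(Finding(host, "SWAM", f"unauthorized software {product} {ver}", WEIGHTS["SWAM"]))
            for vuln_product, fixed_in, vuln_id, severity in VULN_DEFINITIONS:
                if product == vuln_product and version_tuple(ver) < version_tuple(fixed_in):
                    findings.append(Finding(host, "VUL", f"{vuln_id}: {product} {ver} < {fixed_in}", severity))
        for key, expected in CONFIG_BASELINE.items():
            actual = rec["config"].get(key)   # None = setting not reported, also a deviation
            if actual != expected:
                findings.append(Finding(host, "CSM", f"{key}={actual!r}, baseline {expected!r}", WEIGHTS["CSM"]))
    for host in sorted(AUTHORIZED_HOSTS - reporting):  # silent devices are a visibility gap
        findings.append(Finding(host, "HWAM", "authorized device not reporting this cycle", WEIGHTS["HWAM"]))
    return findings


def risk_scores(findings) -> Dict[str, int]:
    """Sum finding weights per host, worst first, as a dashboard would rank them."""
    scores: Dict[str, int] = {}
    for f in findings:
        scores[f.host] = scores.get(f.host, 0) + f.weight
    return dict(sorted(scores.items(), key=lambda kv: (-kv[1], kv[0])))


if __name__ == "__main__":
    results = diagnose(DISCOVERED)
    for f in results:
        print(f"{f.host:8} {f.area:4} {f.weight:3} {f.detail}")
    print(risk_scores(results))
```

The unauthorized host rogue-7 ranks highest, then srv-02 with an outdated sshd, unapproved netcat and root login enabled; ws-100 scores on HWAM alone because an authorized device that stops reporting is itself a finding, which is the difference between a one-off scan and continuous diagnostics.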
Delivering security solutions via a single, integrated platform
Security Intelligence Platform
A security intelligence platform that enables security optimization through advanced threat detection, meets compliance and policy demands, and eliminates data silos
Security Intelligence and Analytics Portfolio Overview
QRadar SIEM
•Integrated log, threat, compliance management
•Asset profiling and flow analytics
QRadar Risk Manager
•Predictive threat modeling & simulation
•Scalable configuration monitoring and audit
QRadar Log Manager
•Turnkey log management
•Upgradeable to enterprise SIEM
Network Activity Collectors (QFlow / VFlow)
•Network analytics, behavior and anomaly detection
•Fully integrated with SIEM
QRadar Vulnerability Manager
•Integrated network scanning and workflow
•Leverages SIEM, threat and risk data to prioritize vulnerabilities
New: QRadar Incident Forensics
•Integrated full packet capture
•Meta-data extraction, reconstruction and replay
Infrastructure - Endpoint
Providing endpoints, servers, and mobile devices with
security to remain compliant, updated, and protected
against today’s threats
Portfolio Overview
IBM Endpoint Manager for Software Usage Analysis
•Network Discovery: agent-less mechanism to identify all IP-
based devices on a network
•HW & SW Inventory: continuous and automated agent-
based inventory
•SW Usage Analysis: advanced software asset management
capabilities
IBM Endpoint Manager for Security and Compliance
•Security Configuration Management: SCAP validation for
both configuration assessment and remediation
•Patch Management: patch compliance and remediation
•Vulnerability Management: discover, identify, and locate
known security vulnerabilities by assessing systems against
OVAL-based vulnerability definitions
•Client Manager for Endpoint Protection: "health check" for third-party anti-virus and anti-malware solutions
•Network Self Quarantine: endpoint control and quarantine capabilities for systems already running the IEM agent, via IPsec (Internet Protocol security) policy
Application
Portfolio Overview
IBM AppScan Enterprise
•Manage application security and risk with advanced security testing
•Mitigate risk by collaborating with developers to remediate security
vulnerabilities
•Empower security teams to drive security testing throughout the
software development life cycle (SDLC)
•Integrate with web-application firewalls to provide custom tuning
based on actual vulnerabilities
•Execute DAST against applications in development and production
•Hybrid analysis to perform correlation of DAST and SAST results
IBM AppScan Source
•Source code analysis to identify the latest security threats with SAST
•Automated security testing within build environments
IBM AppScan Standard
•Desktop application for security analysts and penetration testers
•Advanced security testing based primarily on DAST, but also
includes static analysis for client-side JavaScript
•Glass box testing
•Coverage of the latest rich-Internet applications and web
technologies (web services, SOAP, Flash, Ajax and more)
Data
Enterprise-wide solutions for helping secure the privacy
and integrity of trusted information in your data center
Portfolio Overview
IBM InfoSphere Guardium Product Family
•Database Activity Monitoring – continuously monitor
and block unauthorized access to databases
•Privileged User Monitoring – detect or block
malicious or unapproved activity by DBAs, developers
and outsourced personnel
•Database Leak Prevention – help detect and block
leakage in the data center
•Database Vulnerability Assessment – scan databases
to detect vulnerabilities and take action
•Audit and Validate Compliance – simplify SOX, PCI-
DSS, and Data Privacy processes with pre-configured
reports and automated workflows
IBM Security Key Lifecycle Manager
•Centralize and automate the encryption key
management process
•Simplify administration with an intuitive user interface
for configuration and management
The Cybersecurity Framework…
• Provides a structure organizations can use to create, guide, assess or improve
comprehensive cybersecurity programs based on risks
• Offers a common language to address and manage cyber risk in a cost-effective way
based on business needs, without placing additional regulatory requirements on
businesses
• Allows organizations—regardless of size, degree of cyber risk or cybersecurity
sophistication—to apply the principles and best practices of risk management to
improve the security and resilience of critical infrastructure
• Helps companies prove to themselves and their stakeholders that good cybersecurity
is good business
• Builds on global and other standards, guidelines, and best practices
• Provides a means of expressing cybersecurity requirements to business partners and
customers
• Assists organizations in incorporating privacy and civil liberties as part of a
comprehensive cybersecurity program
Source: NIST
Framework Components
Framework Core
• Cybersecurity Activities and informative references common across critical
infrastructure sectors and organized around particular outcomes
• Enables communication of cyber risk across an organization
Framework Profile
• Aligns industry standards and best practices to the framework Core in a particular
implementation scenario
• Supports prioritization and measurement of progress toward the Target Profile,
while factoring in other business needs— including cost-effectiveness and
innovation
Framework Implementation Tiers
• Describe how cybersecurity risk is managed by an organization
• Describe the degree to which an organization's cybersecurity risk management practices exhibit the key characteristics (e.g., risk and threat aware, repeatable, and adaptive)
Source: NIST
Framework Core
Source: NIST
How to Use the Cybersecurity Framework
The Framework is designed to complement existing business and
cybersecurity operations, and can be used to:
• Understand security status
• Establish / Improve a cybersecurity program
• Communicate cybersecurity requirements with stakeholders, including partners and
suppliers
• Identify opportunities for new or revised informative references
• Identify tools and technologies to help organizations use the Framework
• Integrate privacy and civil liberties considerations into a cybersecurity program
Source: NIST
IBM's 2012 Chief Information Security Officer Study revealed the changing role of the CISO
Three CISO profiles:
• Influencers: confident / prepared; strategic focus
• Protectors: less confident; somewhat strategic; lack necessary structural elements
• Responders: least confident; focus on protection and compliance
How they differ (share of each profile that…):
• have a dedicated CISO
• have a security/risk committee
• have information security as a board topic
• use a standard set of security metrics to track their progress
• are focused on improving enterprise communication/collaboration
• are focused on providing education and awareness
Source: IBM Center for Applied Insights, Finding a Strategic Voice: Insights from the 2012 IBM Chief Information Security Officer Assessment, May 2012
Reaching security maturity
Optimized – Security Intelligence: predictive analytics, big data workbench, flow analytics
• People: identity governance; fine-grained entitlements; privileged user management
• Data: data governance; encryption key management
• Applications: fraud detection; hybrid scanning and correlation
• Infrastructure: multi-faceted network protection; anomaly detection; hardened systems
Proficient – SIEM and vulnerability management
• People: user provisioning; access management; strong authentication
• Data: data masking / redaction; database activity monitoring; data loss prevention
• Applications: web application protection; source code scanning
• Infrastructure: virtualization security; asset management; endpoint / network security management
Basic – Log management
• People: directory management
• Data: encryption; database access control
• Applications: application scanning
• Infrastructure: perimeter security; host security; anti-virus
Also: Advanced Fraud Protection
IBM Security Systems Portfolio
IBM offers a comprehensive portfolio of security products
Security Intelligence and Analytics: QRadar Log Manager; QRadar SIEM; QRadar Risk Manager; QRadar Vulnerability Manager
Advanced Fraud Protection: Trusteer Rapport; Trusteer Pinpoint Malware Detection; Trusteer Pinpoint ATO Detection; Trusteer Mobile Risk Engine
People: Identity Management; Access Management; Privileged Identity Manager; Federated Access and SSO
Data: Guardium Data Security and Compliance; Guardium DB Vulnerability Management; Guardium / Optim Data Masking; Key Lifecycle Manager
Applications: AppScan Source; AppScan Dynamic; DataPower Web Security Gateway; Security Policy Manager
Network Infrastructure: Network Intrusion Prevention; Next Generation Network Protection; SiteProtector Threat Management; Network Anomaly Detection
Endpoint: Trusteer Apex; Mobile and Endpoint Management; Virtualization and Server Security; Mainframe Security
IBM X-Force Research
Using Security Frameworks to Achieve Effectiveness & Compliance
Highlighted announcements
NEW: QRadar Incident Forensics
NEW: Critical Infrastructure Services
NEW: “All-in-one” Access Management
NEW: Secure Network Optimization Services
NEW: Virtual IPS & Identity Service for Cloud
Planned future announcements
For more information
Peter Allor, Security Strategist – Federal, IBM, pallor@us.ibm.com
Contact: Jerry Jarvis jjarvis@us.ibm.com; David Nagel dnagel@us.ibm.com
Additional Information – White Papers on CDM
http://www.ibm.com/common/ssi/cgi-bin/ssialias?subtype=WH&infotype=SA&appname=SWGE_WG_WG_USEN&htmlfid=WGW03019USEN&attachment=WGW03019USEN.PDF
http://www-304.ibm.com/industries/publicsector/us/en/promotion/!!/xmlid=242300
IBM Security Systems
www.ibm.com/security
© Copyright IBM Corporation 2014. All rights reserved. The information contained in these materials is provided for informational
purposes only, and is provided AS IS without warranty of any kind, express or implied. IBM shall not be responsible for any damages
arising out of the use of, or otherwise related to, these materials. Nothing contained in these materials is intended to, nor shall have the
effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the
applicable license agreement governing the use of IBM software. References in these materials to IBM products, programs, or services
do not imply that they will be available in all countries in which IBM operates. Product release dates and/or capabilities referenced in
these materials may change at any time at IBM’s sole discretion based on market opportunities or other factors, and are not intended to
be a commitment to future product or feature availability in any way. IBM, the IBM logo, and other IBM products and services are
trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product,
or service names may be trademarks or service marks of others.
Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response
to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed, misappropriated
or misused or can result in damage to or misuse of your systems, including for use in attacks on others. No IT system or product should be
considered completely secure and no single product, service or security measure can be completely effective in preventing improper use or
access. IBM systems, products and services are designed to be part of a lawful, comprehensive security approach, which will necessarily involve
additional operational procedures, and may require other systems, products or services to be most effective. IBM DOES NOT WARRANT THAT
ANY SYSTEMS, PRODUCTS OR SERVICES ARE IMMUNE FROM, OR WILL MAKE YOUR ENTERPRISE IMMUNE FROM, THE MALICIOUS
OR ILLEGAL CONDUCT OF ANY PARTY.

Employing CDM: How Government can Protect Itself from Cyber Attacks

  • 1. © 2014 IBM Corporation IBM Security 0© 2014 IBM Corporation IBM Support to Continuous Diagnostics & Mitigation
  • 2. © 2014 IBM Corporation IBM Security 1 Agenda  Why CDM?  A new Security Reality  IBM Security Overview  Why Risk Management
  • 3. © 2014 IBM Corporation IBM Security 2 Why CDM? (according to John Streufert, DHS) Customers have spent an inordinate amount of time, effort and resources on a variety of products that have NOT delivered the results promised CDM Solutions MUST Allow for –Search, Mitigation and Reporting of cyber problems in real time. –Enable System Administrators to: • Respond to exploits at network speed • Fulfill A-130 responsibilities as intended • Implement NIST Publications on Continuous Monitoring (800-137 and parts of 800-37) –Use strategic sourcing to lower cost 2 James A. Lewis, Raising the Bar for Cybersecurity. Washington, DC: CSIS, 2013.
  • 4. © 2014 IBM Corporation IBM Security 3 In search of buy-in for continuous monitoring [FCW] “Persuading federal IT managers that continuous diagnostics and monitoring is a boon for their agencies is one of the most challenging elements of implementing the cybersecurity technology, according to IT chiefs at the forefront of spreading the CDM message across government.” “While federal agencies are beginning to grasp what CDM can do for their organizations, risk-averse IT managers who treasure the status quo and are reluctant to shift from old practices still have to be won over, say IT leaders at GSA and the departments of Homeland Security and Energy.” “DHS has become an "evangelist" for CDM, according to Jeff Eisensmith, chief information security officer at the department, which is charged with facilitating other agencies' installation and implementation of CDM technology. Before CDM, agencies were "getting picked off like zebras on the Serengeti" by cyber attackers, he said.” http://fcw.com/articles/2014/03/19/continuous-monitoring-buy-in.aspx?s=fcwdaily_200314
  • 5. © 2014 IBM Corporation IBM Security 4 CDM – The Opportunity For Government  Government’s compelling reason to act or business urgency: – Cyber threats are constantly changing and evolving – not static – Government recognizes a need for a modified approach to protect cyber infrastructure – This new approach moves away from historical compliance reporting toward combating threats to the nation's networks in real time – This initiative is in direct support of the Administration’s Cross-Agency Priority (CAP) goal for implementing continuous monitoring across the Federal networks
  • 6. © 2014 IBM Corporation IBM Security 5 Continuous Diagnostics & Mitigation • IBM supports Phase 1 now • IBM has a Security Framework that addresses Risk Management across Phases 1 through 3 • IBM’s Security Portfolio answers the how in applying CDM
  • 7. © 2014 IBM Corporation IBM Security 6 The evolving motivations and sophistication of attackers are a driving force for CMaaS and CDM. National Security: nation-state actors (Stuxnet). Espionage, Activism: competitors and hacktivists (Aurora). Monetary Gain: organized crime (Zeus). Revenge, Curiosity: insiders and script-kiddies (Code Red).
  • 8. © 2014 IBM Corporation IBM Security 7 A New Security Reality Is Here. 61% of organizations say data theft and cybercrime are the greatest threats to their reputation (2012 IBM Global Reputational Risk & IT Study). Average U.S. breach cost $7 million+ (2013 Cost of Cyber Crime Study, Ponemon Institute). 70% of security execs are concerned about cloud and mobile security (2013 IBM CISO Survey). Mobile malware grew 614% in one year, from March 2012 to March 2013 (2013 Juniper Mobile Threat Report). 83% of enterprises have difficulty finding the security skills they need (2012 ESG Research). [Chart: tools from vendors, IBM client example]
  • 9. © 2014 IBM Corporation IBM Security 8 Our traditional security practices and defenses are not keeping up Source: IBM client example
  • 10. © 2014 IBM Corporation IBM Security 9 More than half a billion records of personally identifiable information (PII) were leaked in 2013
  • 11. © 2014 IBM Corporation IBM Security 10
  • 12. © 2014 IBM Corporation IBM Security 11 Businesses face unprecedented security challenges. Evolving Threats – Escalating Threats: targeted attacks are the new norm. Unsustainable Practices (few resources, no clear strategy) – Competing Priorities: too little time, too few resources; Inadequate Tools: too many silos, protection lacking. Business Pressures (shifts in business environment) – Disruptive Technologies: new innovation can introduce risk. Sources: IBM X-Force Trend Report, Sept 2013; Verizon 2013 Data Breach Investigations Report; IBM CISO Study, Oct 2013; Forrester, Surviving The Technical Security Skills Crisis, May 2013
  • 13. © 2014 IBM Corporation IBM Security 12 At IBM, the world is our security lab. 6,000 IBM researchers, developers, and subject matter experts ALL focused on security. More than 3,000 IBM security patents. [Map legend: Security Operations Centers; Security Research and Development Labs; Institute for Advanced Security Branches]
  • 14. © 2014 IBM Corporation IBM Security 13 IBM Security: Helping clients optimize IT security Integrated Portfolio Managed and Professional Services Extensive Partner Ecosystem IBM Research
  • 15. © 2014 IBM Corporation IBM Security 14 IBM’s approach is helping customers gain an advantage on attackers and seize new opportunities. 1 Use analytics and insights for smarter defense: • Use intelligence and anomaly detection across every domain • Build an intelligence vault around your crown jewels • Prepare your response for the inevitable. 2 Employ cloud and mobile to improve security: • Own the security agenda for innovation • Embed security on day one • Leverage cloud, mobile, social, big data to improve security. 3 Get help to develop an integrated approach: • Develop a risk-aware security strategy • Deploy a systematic approach to security • Harness the knowledge of professionals
  • 16. © 2014 IBM Corporation IBM Security 15 They are looking for a trusted partner who… CISOs are looking for strategic partners to chart a path
  • 17. © 2014 IBM Corporation IBM Security 16 Why a New Approach Attackers will not relent and every agency is a target New technologies create opportunities to transform IT security Security leaders are more accountable than ever before
  • 18. © 2014 IBM Corporation IBM Security 17 Security teams must also shift from a conventional “perimeter and point defense” mindset and begin thinking like an attacker. What has changed? Audit, Patch & Block (Broad) – Think like a defender, defense-in-depth mindset:  Protect all assets  Emphasize the perimeter  Patch systems  Use signature-based detection  Scan endpoints for malware  Read the latest news  Collect logs  Conduct manual interviews  Shut down systems. Detect, Analyze & Remediate (Targeted) – Think like an attacker, counter-intelligence mindset:  Protect high value assets  Emphasize the data  Harden targets and weakest links  Use anomaly-based detection  Baseline system behavior  Consume threat feeds  Collect everything  Automate correlation and analytics  Gather and preserve evidence
  • 19. © 2014 IBM Corporation IBM Security 18 Gaining insights across the entire security event timeline: VULNERABILITY, EXPLOIT, REMEDIATION (Pre-Exploit / Post-Exploit). Security Intelligence: the actionable information derived from the analysis of all security-relevant data available to an organization. • Gain visibility over the organization’s security posture • Detect deviations from the norm and initiate preventive procedures • Attain awareness of vulnerabilities and assess exposures • Discover anomalies and investigate to evaluate the risk • Explore and analyze data to devise countermeasures for the attack • Formulate new security best practices to adapt to emerging threats. Questions along the timeline: What are the external and internal threats? Are we configured to protect against these threats? What is happening right now? What was the impact?
  • 20. © 2014 IBM Corporation IBM Security 19 CDM Implementation Phases: Local Computing – Devices; Local Computing Environment – People; Infrastructure and Network – Devices; Local Computing Environment – Events; Infrastructure and Network – Events; Enclave (Organization) – Devices and Events
  • 21. © 2014 IBM Corporation IBM Security 20 Four Tool Functional Areas and IBM tools for CDM Phase 1  For supporting the Hardware Asset Management Tool Functional Area… – QRadar – IBM Endpoint Manager – Augmentation tools: IBM Cognos (dashboard)  For supporting the Software Asset Management Tool Functional Area… – QRadar – IBM Endpoint Manager – Augmentation tools: IBM Cognos (dashboard)  For supporting the Configuration Management Tool Functional Area… – QRadar – IBM Endpoint Manager – Augmentation tools: IBM Cognos (dashboard)  For supporting the Vulnerability Management Tool Functional Area… – QRadar – IBM Endpoint Manager – Augmentation tools: IBM Cognos (dashboard) & IBM Rational AppScan
  • 22. © 2014 IBM Corporation IBM Security 21 Delivering security solutions via a single, integrated platform Security Intelligence Platform
  • 23. © 2014 IBM Corporation IBM Security 22 Security Intelligence platform that enables security optimization through advanced threat detection, meeting compliance and policy demands, and eliminating data silos. Security Intelligence and Analytics Portfolio Overview QRadar SIEM •Integrated log, threat, compliance management •Asset profiling and flow analytics QRadar Risk Manager •Predictive threat modeling & simulation •Scalable configuration monitoring and audit QRadar Log Manager •Turnkey log management •Upgradeable to enterprise SIEM Network Activity Collectors (QFlow / VFlow) •Network analytics, behavior and anomaly detection •Fully integrated with SIEM QRadar Vulnerability Manager •Integrated Network Scanning & Workflow •Leverage SIEM, Threat, Risk to prioritize Vulns New: QRadar Incident Forensics •Integrated full packet capture •Meta-data extraction, reconstruction and replay
  • 24. © 2014 IBM Corporation IBM Security 23 Infrastructure - Endpoint Providing endpoints, servers, and mobile devices with security to remain compliant, updated, and protected against today’s threats Portfolio Overview IBM Endpoint Manager for Software Usage Analysis •Network Discovery: agent-less mechanism to identify all IP-based devices on a network •HW & SW Inventory: continuous and automated agent-based inventory •SW Usage Analysis: advanced software asset management capabilities IBM Endpoint Manager for Security and Compliance •Security Configuration Management: SCAP validation for both configuration assessment and remediation •Patch Management: patch compliance and remediation •Vulnerability Management: discover, identify, and locate known security vulnerabilities by assessing systems against OVAL-based vulnerability definitions •Client Manager for Endpoint Protection: “health-check” for third-party anti-virus and anti-malware solutions •Network Self Quarantine: endpoint control and quarantine capabilities for systems already running the IEM agent, via internet protocol security policy
  • 25. © 2014 IBM Corporation IBM Security 24 Application Portfolio Overview IBM AppScan Enterprise •Manage application security and risk management with advanced security testing •Mitigate risk by collaborating with developers to remediate security vulnerabilities •Empower security teams to drive security testing throughout the software development life cycle (SDLC) •Integrate with web-application firewalls to provide custom tuning based on actual vulnerabilities •Execute DAST against applications in development and production •Hybrid analysis to perform correlation of DAST and SAST results IBM AppScan Source •Source code analysis to identify the latest security threats with SAST •Automated security testing within build environments IBM AppScan Standard •Desktop application for security analysts and penetration testers •Advanced security testing based primarily on DAST, but also includes static analysis for client-side JavaScript •Glass box testing •Coverage of the latest rich-Internet applications and web technologies (web services, SOAP, Flash, Ajax and more)
  • 26. © 2014 IBM Corporation IBM Security 25 Data Enterprise-wide solutions for helping secure the privacy and integrity of trusted information in your data center Portfolio Overview IBM InfoSphere Guardium Product Family •Database Activity Monitoring – continuously monitor and block unauthorized access to databases •Privileged User Monitoring – detect or block malicious or unapproved activity by DBAs, developers and outsourced personnel •Database Leak Prevention – help detect and block leakage in the data center •Database Vulnerability Assessment – scan databases to detect vulnerabilities and take action •Audit and Validate Compliance – simplify SOX, PCI-DSS, and Data Privacy processes with pre-configured reports and automated workflows IBM Security Key Lifecycle Manager •Centralize and automate the encryption key management process •Simplify administration with an intuitive user interface for configuration and management
  • 27. © 2014 IBM Corporation IBM Security 26 The Cybersecurity Framework… • Provides a structure organizations can use to create, guide, assess or improve comprehensive cybersecurity programs based on risks • Offers a common language to address and manage cyber risk in a cost-effective way based on business needs, without placing additional regulatory requirements on businesses • Allows organizations—regardless of size, degree of cyber risk or cybersecurity sophistication—to apply the principles and best practices of risk management to improve the security and resilience of critical infrastructure • Helps companies prove to themselves and their stakeholders that good cybersecurity is good business • Builds on global and other standards, guidelines, and best practices • Provides a means of expressing cybersecurity requirements to business partners and customers • Assists organizations in incorporating privacy and civil liberties as part of a comprehensive cybersecurity program Source: NIST
  • 28. © 2014 IBM Corporation IBM Security 27 Framework Components Framework Core • Cybersecurity Activities and informative references common across critical infrastructure sectors and organized around particular outcomes • Enables communication of cyber risk across an organization Framework Profile • Aligns industry standards and best practices to the framework Core in a particular implementation scenario • Supports prioritization and measurement of progress toward the Target Profile, while factoring in other business needs— including cost-effectiveness and innovation Framework Implementation Tiers • Describes how cybersecurity risk is managed by an organization • Describes degree to which an organization’s cybersecurity risk management practices exhibit the key characteristics (e.g., risk and threat aware, repeatable, and adaptive) Source: NIST
  • 29. © 2014 IBM Corporation IBM Security 28 Framework Core Source: NIST
  • 30. © 2014 IBM Corporation IBM Security 29 How to Use the Cybersecurity Framework The Framework is designed to complement existing business and cybersecurity operations, and can be used to: • Understand security status • Establish / Improve a cybersecurity program • Communicate cybersecurity requirements with stakeholders, including partners and suppliers • Identify opportunities for new or revised informative references • Identify tools and technologies to help organizations use the Framework • Integrate privacy and civil liberties considerations into a cybersecurity program Source: NIST
  • 31. © 2014 IBM Corporation IBM Security 30 IBM’s 2012 Chief Information Security Officer Study revealed the changing role of the CISO. Influencers: • Confident / prepared • Strategic focus. Protectors: • Less confident • Somewhat strategic • Lack necessary structural elements. Responders: • Least confident • Focus on protection and compliance. How they differ [chart: share of each group that have a dedicated CISO; have a security/risk committee; have information security as a board topic; use a standard set of security metrics to track their progress; are focused on improving enterprise communication/collaboration; are focused on providing education and awareness]. Source: IBM Center for Applied Insights, Finding a Strategic Voice: Insights from the 2012 IBM Chief Information Security Officer Assessment, May 2012
  • 32. © 2014 IBM Corporation IBM Security 31 Reaching security maturity. Security Intelligence – Optimized: Predictive Analytics, Big Data Workbench, Flow Analytics; Proficient: SIEM and Vulnerability Management; Basic: Log Management. Advanced Fraud Protection. Optimized – People: Identity governance, Fine-grained entitlements, Privileged user management; Data: Data governance, Encryption key management; Applications: Fraud detection, Hybrid scanning and correlation; Infrastructure: Multi-faceted network protection, Anomaly detection, Hardened systems. Proficient – People: User provisioning, Access management, Strong authentication; Data: Data masking / redaction, Database activity monitoring, Data loss prevention; Applications: Web application protection, Source code scanning; Infrastructure: Virtualization security, Asset management, Endpoint / network security management. Basic – People: Directory management; Data: Encryption, Database access control; Applications: Application scanning; Infrastructure: Perimeter security, Host security, Anti-virus
  • 33. © 2014 IBM Corporation IBM Security 32 IBM Security Systems Portfolio: IBM offers a comprehensive portfolio of security products. People: Identity Management, Access Management, Privileged Identity Manager, Federated Access and SSO. Data: Guardium Data Security and Compliance, Guardium DB Vulnerability Management, Guardium / Optim Data Masking, Key Lifecycle Manager. Applications: AppScan Source, AppScan Dynamic, DataPower Web Security Gateway, Security Policy Manager. Network Infrastructure: Network Intrusion Prevention, Next Generation Network Protection, SiteProtector Threat Management, Network Anomaly Detection. Endpoint: Trusteer Apex, Mobile and Endpoint Management, Virtualization and Server Security, Mainframe Security. IBM X-Force Research. Advanced Fraud Protection: Trusteer Rapport, Trusteer Pinpoint Malware Detection, Trusteer Pinpoint ATO Detection, Trusteer Mobile Risk Engine. Security Intelligence and Analytics: QRadar Log Manager, QRadar SIEM, QRadar Risk Manager, QRadar Vulnerability Manager
  • 34. © 2014 IBM Corporation IBM Security 33 Using Security Frameworks to Achieve Effectiveness & Compliance
  • 35. © 2014 IBM Corporation IBM Security 34 Highlighted announcements NEW: QRadar Incident Forensics NEW: Critical Infrastructure Services NEW: “All-in-one” Access Management NEW: Secure Network Optimization Services NEW: Virtual IPS & Identity Service for Cloud Planned future announcements
  • 36. © 2014 IBM Corporation IBM Security 35 For more information Peter Allor, Security Strategist – Federal, IBM pallor@us.ibm.com Contact Jerry Jarvis jjarvis@us.ibm.com David Nagel dnagel@us.ibm.com Additional Information – White Papers on CDM http://www.ibm.com/common/ssi/cgi-bin/ssialias?subtype=WH&infotype=SA&appname=SWGE_WG_WG_USEN&htmlfid=WGW03019USEN&attachment=WGW03019USEN.PDF http://www-304.ibm.com/industries/publicsector/us/en/promotion/!!/xmlid=242300
  • 37. © 2014 IBM Corporation IBM Security 36 © 2014 IBM Corporation IBM Security Systems 36 www.ibm.com/security © Copyright IBM Corporation 2014. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind, express or implied. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, these materials. Nothing contained in these materials is intended to, nor shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software. References in these materials to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates. Product release dates and/or capabilities referenced in these materials may change at any time at IBM’s sole discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any way. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service marks of others. Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed, misappropriated or misused or can result in damage to or misuse of your systems, including for use in attacks on others. No IT system or product should be considered completely secure and no single product, service or security measure can be completely effective in preventing improper use or access. 
IBM systems, products and services are designed to be part of a lawful, comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective. IBM DOES NOT WARRANT THAT ANY SYSTEMS, PRODUCTS OR SERVICES ARE IMMUNE FROM, OR WILL MAKE YOUR ENTERPRISE IMMUNE FROM, THE MALICIOUS OR ILLEGAL CONDUCT OF ANY PARTY.

Editor's notes

  1. On February 12, 2013 Jim Lewis of CSIS reported: Executive Summary. Analysis of successful attacks has provided good data on both the techniques used in breaching corporate networks and the steps needed to prevent such breaches. However, this information is not reflected in practice. Companies underestimate the risk they face of being breached or hacked. Most companies only find out that they have been hacked when told by a third party. This could raise questions of fiduciary responsibility as greater awareness of risk grows in the business community and in government. Hacking is incredibly easy; survey data consistently shows that 80 to 90 percent of successful breaches of corporate networks required only the most basic techniques. Hacking tools are easily acquired from the Internet, including tools that “crack” passwords in minutes. In the last few years, in 2009 and 2010, Australia’s Defense Signals Directorate (DSD) and the U.S. National Security Agency (NSA) independently surveyed the techniques hackers used to successfully penetrate networks. NSA (in partnership with private experts) and DSD each came up with a list of measures that stop almost all attacks. DSD found that four risk reduction measures block most attacks. Agencies and companies implementing these measures saw risk fall by 85 percent and, in some cases, to zero. CDM includes 3 of 4 measures in Phase I.
  2. A new security reality is here. Sophisticated attackers break through conventional safeguards every day. Organized criminals, hacktivists, governments and adversaries are compelled by financial gain, politics and notoriety to attack your most valuable assets. Their operations are well-funded and business-like ‒ attackers patiently evaluate targets based on potential effort and reward. Their methods are extremely targeted ‒ they use social media and other entry points to track down people with access, take advantage of trust, and exploit them as vulnerabilities. Meanwhile, negligent employees inadvertently put the business at risk via human error. Even worse, security investments of the past fail to protect against these new classes of attacks. The result is more severe security breaches more often. In fact, 61% of organizations say data theft and cybercrime are the greatest threats to their reputation.1 And the costs are staggering. By one estimate, the average cost of a breach is over $7 million.2 Sources: (1) 2012 Global Reputational Risk & IT Study, IBM; (2) 2013 Cost of Cyber Crime Study, Ponemon Institute
Cloud, mobile, social and big data drive unprecedented change. Businesses are adopting mobile, social, big data and cloud to analyze and share information at unprecedented rates. This influx of new innovation, technologies, and end-points pushes more and more business transactions outside company walls and completely transforms enterprise security as we know it. As the traditional network perimeter permanently dissolves, it is more difficult to defend company data from the increasing gaps in security, and to verify that users accessing data are protected. In one study, 70% of security executives expressed concern about cloud and mobile security.3 Theft or loss of mobile devices, privacy concerns associated with cloud, and accidental sharing of sensitive data are some of the key fears. Without dynamic protection, an organization may spend more time recovering from attacks than it does preventing them. And those who do not prepare for change are leaving their companies dangerously exposed. Sources: (3) 2013 CISO Survey, IBM; 2013 Juniper Mobile Threat Report
Yesterday’s security practices are not sustainable. Up to now, organizations have responded to security concerns by deploying a new tool to address each new risk. Now they have to install, configure, manage, patch, upgrade, and pay for dozens of non-integrated solutions with limited views of the landscape. Costly and complex, these fragmented security capabilities do not provide the visibility and coordination needed to stop today’s sophisticated attacks. Moreover, the skills and expertise needed to keep up with a constant stream of new threats are not always available. 83% of enterprises report having difficulty finding the security skills they need.4 And as new risks emerge, the environment will grow more complex and the skills gap wider. 49% of IT executives say that they are challenged by an inability to measure the effectiveness of their current security efforts5 and 31% of IT professionals have no risk strategy at all.6 Many security teams are simply operating in the dark. Sources: (4) 2012 ESG Research; (5) Security Intelligence Can Deliver Value Beyond Expectations And Needs To Be Prioritized, Forrester; (6) 2013 Global Reputational Risk & IT Study, IBM
  3. Challenge #2 – Tools lacking… Too Many Products: We have multiple examples of customers who have invested in many, many tools. One US government agency alone has 200 security products – that entails the license costs, but perhaps more problematically, the configuration and maintenance of all of those products in a constantly changing infrastructure. They’re not getting their money’s worth. They can’t. It’s too complex and too costly. Point Products: Besides having too many products, they have too many vendors – point products from each vendor that do not integrate in any way. And those point products cannot find the advanced attacks that these enterprises are experiencing. Products don’t work: Antivirus products cannot reliably defend against malware. http://krebsonsecurity.com/
  4. 2012 was a record year for reported data breaches and security incidents, with a 40 percent increase in total volume over 2011 [1]. In the first half of 2013, security incidents have already surpassed the total number reported in 2011 and are on track to surpass 2012. This year kicked off with a number of high profile sophisticated attacks on major websites, media, and tech companies.
  5. With more than 6,000 researchers, developers and subject matter experts engaged in security initiatives, IBM operates one of the world’s broadest enterprise security research, development and delivery organizations. This powerful combination of expertise is made up of the award-winning X-Force research and development team—with one of the largest vulnerability databases in the industry—and includes nine security operations centers, nine IBM Research centers, 14 software security development labs and the IBM Institute for Advanced Security with chapters in the United States, Europe and the Asia Pacific region. Security Operations Centers: Atlanta, Georgia; Detroit, Michigan; Boulder, Colorado; Toronto, Canada; Brussels, Belgium; Tokyo, Japan; Brisbane, Australia; Hortolandia, Brazil; Bangalore, India; Wroclaw, Poland. Security Research Centers: Yorktown Heights, NY; Atlanta, GA; Almaden, CA; Ottawa, Canada; Zurich, CH; Kassel, DE; Herzliya, IL; Haifa, IL; New Delhi, IN; Tokyo, JP. Security Development Labs: Littleton, MA; Raleigh, NC; Atlanta, GA; Austin, TX; Costa Mesa, CA; Fredericton, Canada; Toronto, CAN; Ottawa, CAN; Belfast, NIR; Delft, NL; Pune, IN; Bangalore, IN; Taipei, TW; Singapore, SG; Gold Coast, AU. Note: IBM patent search performed by Paul Landsberg, IBM IP Office
  6. To support the role of successful CISOs, IBM offers integrated security intelligence and industry-leading experience enabled by the IBM Security Framework solution capabilities. All of the IBM Security offerings are backed by an extensive business partner ecosystem which consists of industry-leading technology, sales and service partners. These capabilities are delivered through a comprehensive and robust set of tools and best practices (including software and hardware) that are supported by the services needed to address: Intelligence: through a common and intuitive view that combines deep analytics with real-time security intelligence. Integration: through unifying existing tools and infrastructures with new forms of defense in order to reduce complexity and lower the cost of maintaining a strong security posture. Expertise: through a more proactive and trusted source of truth in order to stay ahead of emerging threats and risks. Addressing these three key imperatives enables a more holistic, comprehensive perspective and can enhance your security maturity.
  7. Why should organizations act now?... Because your department is a keystroke away from being in the headlines.
–Criminals will not relent: once you are a target, criminals will spend as much time trying to break into your enterprise as you do on your core business. If you do not have visibility, they will succeed.
Recently, Trusteer came across a complex new criminal scheme involving the Tatanga Trojan that conducts an elaborate Man-in-the-Browser (MitB) attack to bypass SMS-based transaction authorization to commit online banking fraud. The scam targets online banking customers of several German banks. When the victim logs on to the online banking application, Tatanga uses a MitB webinject that alleges the bank is performing a security check on their computer and on their ability to receive a Transaction Authorization Number (TAN) on their mobile device. In the background, Tatanga initiates a fraudulent money transfer to a mule account. It even checks the victim's account balance, and will transfer funds from the account with the highest balance if there is more than one to choose from. The victim is asked to enter the SMS-delivered TAN they receive from the bank into the fake web form, as a way to complete this "security process". By entering the TAN in the injected HTML page the victim is in fact approving the fraudulent transaction originated by Tatanga against their account. Even though the victim is presented with the fund transfer amount and the destination account information in the SMS message that contains the TAN, the injected HTML page claims that the process uses "experimental" data and that no money will leave their account. Once the victim enters the TAN in the fake form and hits submit, the funds are transferred to the fraudster's account. Meanwhile, Tatanga modifies the account balance reports in the online banking application to hide the fraudulent transaction. This is a very sophisticated and multi-faceted attack.
By combining a MitB attack and social engineering, Tatanga is able to circumvent the out-of-band authentication used by many banks. Then it goes one step further by hiding evidence of the fraudulent transaction from the victim using a post-transaction attack mechanism. Fortunately, the text in the injected HTML page is littered with grammar and spelling mistakes and appears not to have been written by a German speaker. This may make it less effective. Clearly, grammar is easy for fraudsters to improve. The fact that they are blending multiple attack methods in a single fraud scam is not good news. However, they still need to compromise the endpoint with malware, which can be prevented.
Torpig is a notorious criminal gang that has their own malware. They targeted one of our customers (a large financial services company) and put up a long battle with us. They kept changing and evolving their malware in order for it to avoid being detected by our products. FYI: the products used by the client were Rapport and PPMD (our cloud-based solution).
–Every business is impacted: in the past, banks were the primary targets of cyber criminals. Today, diverse actors move with lightning speed to steal money, intellectual property, customer information and state secrets across all sectors.
–Your perimeter is breached, criminals are inside: recent attacks demonstrate that victims were compromised for months before they discovered it. Assuming that you have been breached is today's prudent security posture.
Because this new era offers an opportunity to transform IT security.
–Change will expand and accelerate: Cloud, Mobile, Social and Big Data are radically changing the business landscape. Adoption is accelerating as your business realizes the opportunity they present; the new era is here to stay.
–New innovations provide the opportunity to get it right: by building security in from the start, you have a chance to secure the new era of computing better than the old.
–Big Data, Social and Cloud will enable greater security: now is the chance to embrace the new era of computing to modernize your security capability. Assess how your security team can leverage these disruptive forces to strengthen and streamline your security infrastructure.
Because security leaders are held more accountable than ever before.
–Your Board and CEO demand a strategy: after reading about recent breaches, business leaders are asking you for a plan. You need a strategy and roadmap that gets you to best-in-class. Security is now a business initiative, not a technology initiative.
–Your team is blind to the business risk: with disparate IT security tools deployed and silos preventing visibility, your team is blindfolded and unable to develop an effective risk-based program for improvement.
–You cannot do this alone: skills shortages and rapidly changing techniques mean you lack the staff and expertise to counter the threat at hand.
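The SMS-TAN flow described in note 7, and the point at which the MitB webinject defeats it, can be modelled end to end. The following Python is an added illustration written for this page; it is not Trusteer or IBM code and not Tatanga's actual code. The bank, the account identifiers, the mule account, the message format and the class names are all hypothetical. The model keeps the part of the scheme that matters: the bank binds each TAN to one exact transfer (here with an HMAC) and sends the transfer details out of band, so the attacker cannot forge or repurpose a TAN. The fraud succeeds only because the victim, persuaded by the injected "security check" page, types the genuine TAN for the attacker's transfer back into the browser. A second run shows the same flow with a victim who reads the SMS and refuses to enter a TAN for a transfer they never initiated.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class Transfer:
    src: str
    dst: str
    amount: int  # cents


class Bank:
    """Server side of a simplified SMS-TAN scheme (hypothetical).

    The TAN is an HMAC over the exact transfer details, so a TAN issued for
    one transfer authorises no other, and every TAN is accepted only once.
    """

    def __init__(self, balances):
        self.key = secrets.token_bytes(32)
        self.balances = dict(balances)
        self.ledger = []        # executed transfers
        self.used_tans = set()

    def _tan(self, t):
        msg = f"{t.src}|{t.dst}|{t.amount}".encode()
        return hmac.new(self.key, msg, hashlib.sha256).hexdigest()[:6]

    def request_tan(self, t):
        """Text of the SMS the customer receives out of band."""
        return f"TAN {self._tan(t)} for {t.amount / 100:.2f} EUR to {t.dst}"

    def execute(self, t, tan):
        if tan in self.used_tans or not hmac.compare_digest(tan, self._tan(t)):
            return False
        if self.balances.get(t.src, 0) < t.amount:
            return False
        self.used_tans.add(tan)
        self.balances[t.src] -= t.amount
        self.ledger.append(t)
        return True

    def statement(self, account):
        return [t for t in self.ledger if t.src == account]


class MitBInject:
    """Browser side: the injected page plus the two hooks the notes describe
    (fraudulent transfer at login, filtering of the balance report afterwards)."""

    def __init__(self, bank, mule):
        self.bank, self.mule, self.fraud = bank, mule, None

    def on_login(self, victim_accounts):
        # Drain whichever of the victim's accounts holds the most.
        src = max(victim_accounts, key=lambda a: self.bank.balances[a])
        self.fraud = Transfer(src, self.mule, self.bank.balances[src])
        sms = self.bank.request_tan(self.fraud)   # bank texts the real victim
        page = ("Security check: please confirm you can receive a TAN. "
                "This uses experimental data; no money will leave your account.")
        return page, sms

    def on_tan_entered(self, tan):
        # The TAN the victim types is genuine, so the bank accepts it.
        return self.bank.execute(self.fraud, tan)

    def filter_statement(self, entries):
        # Post-transaction: hide the fraudulent entry from what the victim sees.
        return [t for t in entries if t != self.fraud]


def parse_sms(sms):
    """'TAN <tan> for <amount> EUR to <dst>' -> (tan, dst)."""
    parts = sms.split()
    return parts[1], parts[6]


def run_scenario(victim_checks_sms):
    bank = Bank({"DE-checking": 100_000, "DE-savings": 250_000})
    mitb = MitBInject(bank, mule="DE-mule")
    page, sms = mitb.on_login(["DE-checking", "DE-savings"])
    tan, dst = parse_sms(sms)
    victim_initiated = set()   # the victim asked for no transfer at all
    if victim_checks_sms and dst not in victim_initiated:
        executed = False       # refuses to type the TAN for an unknown transfer
    else:
        executed = mitb.on_tan_entered(tan)   # "completes the security check"
    real = bank.statement("DE-savings")
    return {
        "executed": executed,
        "real_balance": bank.balances["DE-savings"],
        "real_entries": len(real),
        "shown_entries": len(mitb.filter_statement(real)),
    }


def tan_binding_holds():
    """The cryptographic control itself is sound: altered or replayed TANs fail."""
    bank = Bank({"A": 1000})
    t = Transfer("A", "B", 500)
    tan, _ = parse_sms(bank.request_tan(t))
    altered = bank.execute(Transfer("A", "C", 500), tan)   # other destination
    genuine = bank.execute(t, tan)
    replay = bank.execute(t, tan)
    return (not altered) and genuine and (not replay)
```

Running `run_scenario(victim_checks_sms=False)` drains the savings account and the filtered statement shows nothing, while the bank's own ledger holds the transfer; `run_scenario(victim_checks_sms=True)` leaves the balance untouched. `tan_binding_holds()` makes the practitioner's point explicit: the out-of-band control is not broken, it is bypassed at the human step, which is why the notes conclude that the endpoint compromise itself is the part that must be prevented.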
  8. Building new, proactive defenses requires thinking like an attacker:
–Identify, discover and protect high-value assets
–Gather and preserve evidence
–Secure the weakest (most attractive) link, then all links
–Baseline systems and networks
–Follow the trail
  9. Securing today's businesses requires a new approach. Companies need to gain insights across the entire security event timeline. While IBM is widely known for our Security Information and Event Management (SIEM) and Log Management solutions, our product strategy delivers a complete set of solutions that span the security event timeline that all IT organizations wrestle with. Our SIEM, Log Management and network behavioral analysis solutions lead the market in helping customers react and respond to exploits as they occur in a network. But we also provide much-needed value to customers as they seek to predict and prevent incidents in the first place, through solutions that help to model risk, evaluate configurations and prioritize vulnerabilities. "Security Intelligence" is the actionable information derived from the sum of all security data available to an organization; it improves accuracy and provides context throughout the entire security event timeline, from detection and protection through remediation. Our product strategy supports the entire security intelligence timeline. What you want in these situations is to recognize the attack as early as possible, flag it to the appropriate manager and activate your incident response processes, aimed at stopping the attack on the one hand and identifying the culprit on the other.
  10. The Framework does NOT:
–Require organizations to use the framework: this is a voluntary approach that should be used because it provides a structure for creating, guiding, assessing or improving comprehensive cybersecurity programs based on risks
–Limit the choice of standards, guidelines and practices to be used by any organization: the framework suggests references that are widely recognized as useful and up-to-date
–Provide a one-size-fits-all approach to addressing cybersecurity risks: each organization should customize the way in which it uses the framework based on its degree of risk, current cybersecurity efforts and business needs. The framework does not specify how much risk organizations should take
–Rely strictly on U.S.-based approaches: it builds on global standards that will harmonize practices
  11. Core: consists of Functions, Categories, Subcategories and Informative References
–Functions: Identify, Protect, Detect, Respond, Recover
–Functions provide the anchor that enables communication of cyber risk across an organization
Profiles: help organizations progress from their current level of cybersecurity sophistication to a target improved state that meets business needs
Tiers: Partial (Tier 1), Risk-Informed (Tier 2), Risk-Informed and Repeatable (Tier 3), Adaptive (Tier 4)
–Each organization will decide which tier matches its risk management needs and capabilities. It is not a race to the top.
  12. Graphical representation of the Framework Core:
–Functions (Identify, Protect, Detect, Respond, Recover)
–Categories
–Subcategories
–Informative References (identified standards and guidelines: ISO/IEC 27001:2013; ISA/IEC 62443; COBIT 5; Critical Security Controls (CSC) Top 20; NIST Special Publication 800-53 Revision 4)
  13. <Presenter note: Slide animates> According to the insights gathered from the 2012 IBM Chief Information Security Officer Assessment (May 2012)…
<mouse click> Responders are the least confident; they focus on protection and compliance.
<mouse click> Protectors are less confident, somewhat strategic, and lack necessary structural elements.
<mouse click> Influencers are confident and prepared, with a strategic focus.
The Influencers have the attention of business leaders and their boards. Security is not an ad hoc topic, but rather a regular part of business discussions and, increasingly, the culture. These leaders understand the need for more pervasive risk awareness, and are far more focused on enterprise-wide education, collaboration and communication. They are working closely with business functions to create a culture in which employees take a more proactive role in protecting the enterprise. Because they are more integrated with the business, these security organizations are also able to influence the design of new products and services, incorporating security considerations early in the process. Security leaders are going to become more key to their organizations, their budgets will increase and they will move from the fringe to being embedded.
  14. The IBM Security Systems portfolio is built around protecting the security domains of People, Data, Applications, and Infrastructure, with a layer of Security Intelligence and Analytics providing true integration and visibility into the enterprise security landscape, and underpinned by IBM X-Force Research providing threat intelligence. The acquisition of Trusteer provides enhanced endpoint protection and threat research, while extending the portfolio with a layer of advanced fraud protection.