DSS ITSEC Conference 2012 - SIEM Q1 Labs IBM Security Systems Intelligence
Posted 19-Oct-2014, category: Technology
Transcript of DSS ITSEC Conference 2012 - SIEM Q1 Labs IBM Security Systems Intelligence
© 2012 IBM Corporation
IBM Security Systems
Slide 1
Security strategies to stay out of the headlines
Q1 Labs, an IBM Company
Andris Soroka, Data Security Solutions
Q1 Labs 1st Certified Partner in Baltics
Slide 2
Who we are – specialization: security
• Innovative and selected software, hardware and hybrid solutions from leading technology vendors from over 10 different countries
• IT security consulting (vulnerability assessment tests, security audits, new systems integration, HR training, technical support)
• First in the Baltics to integrate several innovative IT security solutions that no one had deployed before
• First Certified Q1 Labs Partner in the Baltic States, and now an IBM Business Partner continuing to work with the IBM Security portfolio
Slide 3
According to the 2011 Verizon Data Breach Report, 86 percent of breached organizations failed to detect that their networks were hacked.
Slide 4
Headlines change, cybercrime increases
[Chart: adversaries plotted against motive over the 1995–2005 first decade and the 2005–2015 second decade of the commercial internet]
Motive axis: national security; monetary gain; espionage, political activism; revenge; curiosity
Adversary axis: script-kiddies or hackers using tools and web-based "how-to's" (curiosity); insiders, using inside information; organized crime, using sophisticated tools; competitors, hacktivists; nation-state actors, targeted attacks / advanced persistent threat
Slide 5
What happens in the IT security world? A maze.
Around 1500 IT security vendors for:
• Endpoint security: platforms and point solutions
• Data security: DLP suites and point solutions
• Network security: gateway solutions; NAC, visibility, NBA
• Authentication, authorization etc.: traditional and next-generation
• Identity protection
• Virtualization and cloud security
• IT security governance
• Operational management & security
• Mobile security
Slide 6
What do we propose?
Security Intelligence provides actionable and comprehensive insight for managing risks and threats from protection and detection through remediation.
Security Intelligence (noun): the real-time collection, normalization, and analytics of the data generated by users, applications and infrastructure that impacts the IT security and risk posture of an enterprise.
Slide 7
What logs:
• Audit logs
• Transaction logs
• Intrusion logs
• Connection logs
• System performance records
• User activity logs
• Alerts and other messages from various systems
From where:
• Firewalls / intrusion prevention
• Routers / switches
• Intrusion detection
• Servers, desktops, mainframes
• Business applications
• Databases
• Antivirus software
• VPNs
[Figure: "Log Jam": logs from network devices, servers, databases and homegrown applications pile up in separate log silos and log tools, each consulted by a different team: Identity Management, IT & Network Operations, Operational Security, Governance & Compliance]
You cannot control what You cannot see!
Slide 10
Fully Integrated Security Intelligence
Log Management
• Turnkey log management
• SME to Enterprise
• Upgradeable to enterprise SIEM
SIEM
• Integrated log, threat, risk & compliance mgmt.
• Sophisticated event analytics
• Asset profiling and flow analytics
• Offense management and workflow
Risk Management
• Predictive threat modeling & simulation
• Scalable configuration monitoring and audit
• Advanced threat visualization and impact analysis
Network Activity & Anomaly Detection
• Network analytics
• Behavior and anomaly detection
• Fully integrated with SIEM
Network and Application Visibility
• Layer 7 application monitoring
• Content capture
• Physical and virtual environments
One Console Security
Built on a Single Data Architecture
Slide 12
Q1 Labs: The Security Intelligence Leader
Who is Q1 Labs:
• Innovative Security Intelligence software company
• One of the largest and most successful SIEM vendors
• Leader in the Gartner Magic Quadrant (2009-2012)
Award-winning solutions:
• Family of next-generation Log Management, SIEM, Risk Management and Security Intelligence solutions
Proven and growing rapidly:
• Thousands of customers worldwide
• Five-year average annual revenue growth of 70%+
Now part of IBM Security Systems:
• Unmatched security expertise and breadth of integrated capabilities
Slide 13
Security Intelligence Use Cases
Slide 14
Clear & concise delivery of the most relevant information …
• What was the attack?
• Who was responsible?
• How many targets involved?
• Was it successful?
• Where do I find them?
• Are any of them vulnerable?
• How valuable are they to the business?
• Where is all the evidence?
Slide 15
Total Security Intelligence: How do we address the challenges?
Reduce Big Data
Detect Advanced Persistent Threats
Predict attacks
Manage risk
Slide 16
Big Data: Reduce your data silo down
Slide 17
Reducing Data Silos: How it looks in QRadar
• QRadar automatically pulls all related events and flows into a single security incident
• Highlights the magnitude / importance
• Reduction into a manageable daily number
• Single incident derived from ~20k events and 355 flows
Slide 19
Anatomy of an APT: Communications Company
• Attackers create Trojan
• 3rd-party software update server compromised
• Trojan "auto-updated" to corporate network
• 60+ corporate computers infected with backdoor agent
• Port 8080 used for C&C activities
• 35M records stolen
Timeline markers on the slide: Day 0, Day 8, 6 months
Slide 20
Activity / Behaviour Monitoring, Flow Analytics, Anomaly Detection
• Behaviour / activity baselining of users and processes
• Helps detect zero-day attacks and covert channels that have no signature or AV / IPS detection
• Provides definitive evidence of attack
• Enables visibility into attacker communications
• Network traffic does not lie: attackers can stop logging and erase their tracks, but can't cut off the network (flow data)
Slide 21
Activity and data access monitoring
• Visualize data risks: automated charting and reporting on potential database breaches
• Correlate database and other network activity: enrich database security alerts with anomaly detection and flow analysis
• Better detect serious breaches: 360-degree visibility helps distinguish true breaches from benign activity, in real time
Slide 22
Anomaly Detection & APTs
User & Application Activity Monitoring alerts to a user anomaly for Oracle database access. Identify the user, the normal access behavior and the anomalous behavior, with all source and destination information, for quickly resolving the persistent threat.
Slide 23
Stealthy malware detection
• Potential botnet detected? This is as far as traditional SIEM can go.
• IRC on port 80? QFlow detects a covert channel, using Layer 7 flows and deep packet inspection.
• Irrefutable botnet communication: Layer 7 flow data shows botnet command and control instructions.
Slide 25
The Security Intelligence Timeline: Proactive vs Headlines
Slide 26
Predicting an Attack: How it looks in QRadar
• Multiple IPs attack one IP
• Drilling into one superflow record shows all IP records contributing to the attack
• All pulled together in one offense, which is detected and raised immediately to the security team
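Slides 18 and 26 both describe the same mechanism: raw events and flows that share a target collapse into one offense with a magnitude the analyst can drill into. The block below is an added example of that correlation step, not QRadar's code; the `Offense` structure, the magnitude formula, the `min_sources` threshold and the sample records are all constructed assumptions.

```python
"""Correlate raw events and flows into one offense per targeted host.
Added example, not QRadar's implementation; all names are hypothetical."""
from dataclasses import dataclass, field

# Constructed sample records: (source_ip, destination_ip, kind, detail).
# "event" is a normalized log line, "flow" is a network flow record.
SAMPLE_RECORDS = [
    ("10.1.1.5", "192.0.2.10", "event", "SSH login failed"),
    ("10.1.1.6", "192.0.2.10", "event", "SSH login failed"),
    ("10.1.1.7", "192.0.2.10", "flow", "tcp/22 SYN"),
    ("10.1.1.8", "192.0.2.10", "flow", "tcp/22 SYN"),
    ("10.1.1.9", "192.0.2.10", "event", "SSH login failed"),
    ("10.1.1.5", "192.0.2.10", "flow", "tcp/22 SYN"),
    ("10.2.2.2", "192.0.2.20", "event", "HTTP 200 GET /index.html"),
]

@dataclass
class Offense:
    """One security incident per targeted host (hypothetical structure)."""
    target: str
    sources: set = field(default_factory=set)
    events: int = 0
    flows: int = 0
    samples: list = field(default_factory=list)  # evidence kept for drill-down

    @property
    def magnitude(self) -> int:
        # Crude score: distinct sources weigh more than raw record volume.
        return 10 * len(self.sources) + self.events + self.flows

def correlate_offenses(records, min_sources=3):
    """Group raw records by destination and raise one offense per target
    contacted by at least min_sources distinct source IPs (the many-to-one
    'superflow' pattern), highest magnitude first."""
    by_target = {}
    for src, dst, kind, detail in records:
        off = by_target.setdefault(dst, Offense(target=dst))
        off.sources.add(src)
        if kind == "event":
            off.events += 1
        else:
            off.flows += 1
        off.samples.append((src, kind, detail))
    raised = [o for o in by_target.values() if len(o.sources) >= min_sources]
    return sorted(raised, key=lambda o: o.magnitude, reverse=True)

def reduction_ratio(records, offenses) -> float:
    """How many raw records collapsed into each raised offense."""
    return len(records) / len(offenses) if offenses else 0.0

if __name__ == "__main__":
    offs = correlate_offenses(SAMPLE_RECORDS)
    for o in offs:
        print(o.target, "magnitude", o.magnitude, "sources", sorted(o.sources))
    print("records per offense:", reduction_ratio(SAMPLE_RECORDS, offs))
```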
Slide 28
Managing risk
CISOs know it's not if, but when they get hacked; yet there is still a gap in the ability to detect a breach.
• Breaches are taking longer to discover
• Breaches are not being discovered internally
Charts from Verizon 2011 Investigative Response Caseload Review
Slide 29
Potential Data Loss? How it looks in QRadar
• Who? An internal user
• What? Oracle data
• Where? Gmail
Slide 30
QRadar: The Most Intelligent, Integrated, Automated Security Intelligence Platform
• Eliminates silos
• Highly scalable
• Flexible, future-proof
• Easy deployment
• Rapid time to value
• Operational efficiency
• Proactive threat management
• Identifies most critical anomalies
• Rapid, complete impact analysis
Slide 31
What to do next?
Visit our stand
Download the Gartner SIEM Critical Capabilities Report: http://q1labs.com/resource-center/analyst-reports/details.aspx?id=151
Read our blog http://blog.q1labs.com/
Follow us on Twitter: @q1labs @ibmsecurity
Slide 32
ibm.com/security
© Copyright IBM Corporation 2012. All rights reserved. The information contained in these materials is provided for informational purposes only, and is
provided AS IS without warranty of any kind, express or implied. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to,
these materials. Nothing contained in these materials is intended to, nor shall have the effect of, creating any warranties or representations from IBM or its
suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software. References in these materials
to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates. Product release dates and/or capabilities
referenced in these materials may change at any time at IBM’s sole discretion based on market opportunities or other factors, and are not intended to be a
commitment to future product or feature availability in any way. IBM, the IBM logo, and other IBM products and services are trademarks of the International
Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service marks of
others.
Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper
access from within and outside your enterprise. Improper access can result in information being altered, destroyed or misappropriated or can result in damage to
or misuse of your systems, including to attack others. No IT system or product should be considered completely secure and no single product or security measure
can be completely effective in preventing improper access. IBM systems and products are designed to be part of a comprehensive security approach, which will
necessarily involve additional operational procedures, and may require other systems, products or services to be most effective. IBM DOES NOT WARRANT
THAT SYSTEMS AND PRODUCTS ARE IMMUNE FROM THE MALICIOUS OR ILLEGAL CONDUCT OF ANY PARTY.