Michael Andersson - staying one step ahead in an increasingly threatening world BC14

© 2014 IBM Corporation IBM Security Intelligence Staying one step ahead in an increasingly threatening world [email protected] BusinessConnect A New Era of Smart 10/6/2014

description

Michael Andersson, security expert at IBM, talks about how intelligent and automated security can make your organisation more proactive against today's increasingly sophisticated threats.

Transcript of Michael Andersson - staying one step ahead in an increasingly threatening world BC14

Page 1: Michael Andersson - staying one step ahead in an increasingly threatening world BC14

© 2014 IBM Corporation

IBM Security Intelligence

Staying one step ahead in an increasingly threatening world

[email protected]

BusinessConnect, A New Era of Smart, 10/6/2014

Page 2

The threat level is continually intensifying

IBM X-Force incident chart, 2011 to 2013:

- 2011: Operational Sophistication. IBM X-Force declared the Year of the Security Breach
- 2012: Near Daily Leaks of Sensitive Data. 40% increase in reported data breaches and incidents
- 2013: Relentless Use of Multiple Methods. 500,000,000+ records were leaked, while the future shows no sign of change

Note: Size of circle estimates relative impact of incident in terms of cost to business.

Attack types: SQL injection, Spear phishing, DDoS, Third-party software, Physical access, Malware, XSS, Watering hole, Undisclosed

Source: IBM X-Force Threat Intelligence Quarterly – 1Q 2014

Page 3

A new security reality is here

- 61% of organizations say data theft and cybercrime are their greatest threats (2012 IBM Global Reputational Risk & IT Study)
- $3.5M average cost of a data breach (2014 Cost of Data Breach, Ponemon Institute)
- 70% of security executives have cloud and mobile security concerns (2013 IBM CISO Survey)
- 614% mobile malware growth in just one year (2012 - 2013 Juniper Mobile Threat Report)
- 85 security tools from 45 vendors (IBM client example)
- 83% of enterprises have difficulty finding the security skills they need (2012 ESG Research)

Page 4

Customer Case 1: Under Attack

Page 5

An attack timeline

Company timeline:
- Company is compliance certified
- Anti-Virus software identifies malicious activity
- IDS/NGFW triggers alert
- More alerts from IDS/NGFW
- ...and more alerts...
- Company is notified by a government organization
- Company confirms breach, removes most malware
- Company confirms millions of records stolen after story leaked
- Company confirms even more millions of records stolen after story leaked

Attacker timeline:
- Attacker first breaches customer environment
- Attacker tests malware
- Malware fully installed
- Attacker steals credentials
- Malware upgraded, begins to exfiltrate data
- Attacker loses foothold in network

Page 6

An attack timeline (the Page 5 timeline repeated, with a callout on the first alerts)

Callout: AV and IDS alerts
- False-positive prone: users don't fully trust them
- No additional activity information: what traffic preceded and followed, from and to where?
- No network and business context: are these critical assets, or can they reach critical assets?
- No business process for triaging and analysing

Result: Ignored!

Page 7

An attack timeline (the Page 5 timeline repeated, with a callout on the later alerts)

Callout: More alerts
- From different areas of the network
- Not correlated with other activity, or in the context of the business or network
- Not enough visibility or context

Result: Still ignored!

Page 8

An attack timeline (the Page 5 timeline repeated, with a callout at the end)

Callout: Too late. Nightmare business scenario unfolds

Page 9

An attack timeline (the Page 5 timeline repeated, with a callout at the end)

Callout: Nightmare. Worst-case business scenario

Page 10

QRadar Security Intelligence - taking in data from a wide spectrum of feeds

Page 11

Answering questions to help prevent and remediate attacks

What data contributed to the offense?

Page 12

Customer Case 2: Vulnerability prioritization

Page 13

IE zero-day announced!

Real example, from a real customer

The background
- CVE-2013-3893, a use-after-free vulnerability
- Most versions of IE are affected
- Exploits are available and have been active on the internet at malicious web sites for a week
- Metasploit released an exploit kit within 1 week

The challenge
- 1000's of Windows assets in the enterprise
- Which ones are vulnerable?
  - Re-scan the network: how long will that take?
  - Need answers now!
- Length of time to patch
  - Must prioritise
  - Which ones do I patch first?

Page 14

How did QVM and Security Intelligence help – Stage 1

No need to re-scan

QVM's early alerts correlated data from the last scan with the zero-day vulnerability information to immediately create early-warning vulnerabilities

Time saved: 1-2 days of scanning time

Page 15

How did QVM and Security Intelligence help – Stage 2

Patch them all? No. No need to patch assets where there has been no web traffic

QVM correlates QFlow Layer 7 traffic with vulnerabilities on assets to remove those without associated traffic

Time saved: 15%-20% reduction in patching time, by not wasting time and effort on patching assets where there has been no web traffic

Page 16

How did QVM and Security Intelligence help – Stage 3

Patch the remainder? No. Exploits of this vulnerability live in malicious web sites.

QRadar filters out those that have visited potentially malicious web sites in the last month

21 assets! Time saved: >90% reduction in patching time (~5 days)

Page 17

What action to take next?

Patch to apply – QVM has the answer

IPS signature to enable – QVM has the answer

Page 18

Your Vulnerabilities


Legend: Patched, Critical, Blocked, Inactive, Exploited!, At risk!

Reducing data load by leveraging network context

Inactive: QFlow Collector data helps QRadar Vulnerability Manager sense application activity

Patched: IBM Endpoint Manager helps QVM understand which vulnerabilities will be patched

Blocked: QRadar Risk Manager helps QVM understand which vulnerabilities are blocked by firewalls and IPSs

Critical: Vulnerability knowledge base, remediation flow and QRM policies inform QVM about business critical vulnerabilities

At Risk: X-Force Threat and SIEM security incident data, coupled with QFlow network traffic visibility, help QVM see assets communicating with potential threats

Exploited: SIEM correlation and IPS data help QVM reveal which vulnerabilities have been exploited
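The three-stage funnel from Pages 14 to 16 and the legend on this page, written out as an added Python example; this is illustration code, not QRadar or QVM code, and the asset fields, the label precedence and the inventory are constructed assumptions.

```python
from dataclasses import dataclass
# Constructed sample data. Field names and the label precedence are assumptions
# for illustration, not the QRadar/QVM data model.
@dataclass
class Asset:
    name: str
    products: frozenset            # software recorded by the last vulnerability scan
    web_flows: int                 # Layer 7 HTTP flows seen from the asset (QFlow-style)
    sites_visited: frozenset       # domains contacted in the last month
    patch_scheduled: bool = False  # endpoint manager will patch it
    blocked: bool = False          # firewall/IPS blocks the attack path
    critical: bool = False         # policy marks the asset business critical
    exploited: bool = False        # SIEM offense shows the vulnerability was used

def stage1_early_warning(assets, affected):
    # Stage 1: correlate the last scan with the new advisory instead of rescanning.
    return [a for a in assets if a.products & affected]

def stage2_with_web_traffic(assets):
    # Stage 2: a browser vulnerability on a box that never browses can wait.
    return [a for a in assets if a.web_flows > 0]

def stage3_reached_bad_sites(assets, suspicious):
    # Stage 3: the exploit lives on malicious sites; keep only assets that went there.
    return [a for a in assets if a.sites_visited & suspicious]

def prioritize(assets, affected, suspicious):
    # Run the three stages in order and return the names to patch first.
    exposed = stage3_reached_bad_sites(
        stage2_with_web_traffic(stage1_early_warning(assets, affected)), suspicious)
    return [a.name for a in exposed]

def classify(a, affected, suspicious):
    # Map one asset onto the slide's legend; the first matching label wins.
    if not a.products & affected:
        return "Not vulnerable"
    checks = [("Exploited", a.exploited), ("Patched", a.patch_scheduled),
              ("Blocked", a.blocked), ("Inactive", a.web_flows == 0),
              ("At risk", bool(a.sites_visited & suspicious)), ("Critical", a.critical)]
    return next((label for label, hit in checks if hit), "Vulnerable")

IE = frozenset({"Internet Explorer 8", "Internet Explorer 9"})  # affected products
BAD = frozenset({"watering-hole.example"})                     # constructed indicator
ASSETS = [  # constructed inventory
    Asset("ws-01", frozenset({"Internet Explorer 9"}), 120, frozenset({"intranet.example"})),
    Asset("ws-02", frozenset({"Internet Explorer 8"}), 40, frozenset({"watering-hole.example"})),
    Asset("srv-db", frozenset({"Internet Explorer 8"}), 0, frozenset()),
    Asset("ws-03", frozenset({"Firefox 24"}), 300, frozenset({"watering-hole.example"})),
    Asset("ws-04", frozenset({"Internet Explorer 9"}), 75, frozenset({"watering-hole.example"}), exploited=True),
]
```

Running `prioritize(ASSETS, IE, BAD)` on the constructed inventory narrows five assets to the two that are vulnerable, browse, and reached the indicator site; `classify` labels the rest for the dashboard.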

Page 19

New threats require a new approach

Page 20

Security Teams are Adopting a New Approach

Threats have evolved…
- Broad attacks: indiscriminate malware, spam and DoS activity
- Targeted attacks: advanced, persistent, organized, and politically or financially motivated

Requiring a new approach to protection…
- Traditional approach: compliance-driven, reactionary
- Strategic approach: intelligence-driven, continuous

…yet the majority of security teams are still using insufficient defenses

Traditional approach:
- Build strong perimeters
- Protect all assets
- Use signature-based methods
- Periodically scan for known threats
- Read the latest news
- Collect logs
- Conduct manual interviews
- Shut down systems

Strategic approach:
- Assume constant compromise
- Prioritize high-risk assets
- Use behavioral-based methods
- Continuously monitor activity
- Consume real-time threat feeds
- Collect everything
- Automate correlation and analytics
- Gather, preserve, retrace evidence

Page 21

Use analytics and insights for smarter defense
- Use intelligence and anomaly detection across every domain
- Build an intelligence vault around your crown jewels
- Prepare your response for the inevitable

Page 22

IBM Security Systems

www.ibm.com/security

© Copyright IBM Corporation 2014. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind, express or implied. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, these materials. Nothing contained in these materials is intended to, nor shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software. References in these materials to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates. Product release dates and/or capabilities referenced in these materials may change at any time at IBM’s sole discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any way. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service marks of others.

Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed or misappropriated or can result in damage to or misuse of your systems, including to attack others. No IT system or product should be considered completely secure and no single product or security measure can be completely effective in preventing improper access. IBM systems and products are designed to be part of a comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective. IBM DOES NOT WARRANT THAT SYSTEMS AND PRODUCTS ARE IMMUNE FROM THE MALICIOUS OR ILLEGAL CONDUCT OF ANY PARTY.