Security strategies to stay off the Børsen front page - Dubex

© 2012 IBM Corporation

IBM Security Systems

1

Security strategies to stay off the Børsen front page

Steve Durkin, Channel Director for Europe, Q1 Labs, an IBM Company

2

“Given the dynamic nature of the challenge, measuring the state of security within an organization is increasingly important. Since threats are always moving and solutions are more complex, dynamic and often partial, knowing where you are is essential.”

John Meakin, Global Head of Security Solutions & Architecture, Deutsche Bank

“Finding a strategic voice”, IBM Center for Applied Insights

3

Q1 Labs - The Security Intelligence Leader

Who we are:
Innovative Security Intelligence software company
One of the largest and most successful SIEM vendors
Leader in Gartner Magic Quadrant (2009-2012)

Award-winning solutions:
Family of next-generation Log Management, SIEM, Risk Management, Security Intelligence solutions

Proven and growing rapidly:
Thousands of customers worldwide
Five-year average annual revenue growth of 70%+

Now part of IBM Security Systems:
Unmatched security expertise and breadth of integrated capabilities

4

Targeted Attacks Shake Businesses and Governments

Source: IBM X-Force® 2011 Trend and Risk Report – March 2012

5

IT Security is a board room discussion

Business results: Sony estimates potential $1B long term impact – $171M / 100 customers*

Supply chain: Epsilon breach impacts 100 national brands

Legal exposure: TJX estimates $150M class action settlement in release of credit / debit card info

Impact of hacktivism: LulzSec 50-day hack-at-will spree impacts Nintendo, CIA, PBS, UK NHS, UK SOCA, Sony …

Audit risk: Zurich Insurance Plc fined £2.275M ($3.8M) for the loss and exposure of 46K customer records

Brand image: HSBC data breach discloses 24K private banking customers

*Sources for all breaches shown in speaker notes

6

Security Intelligence Use Cases

7

Total Security Intelligence: How do we address the challenges?

Reduce Big Data

Detect Advanced Persistent Threats

Predict attacks

Manage risk

8

Big Data: Reduce your data silo down

9

Case study: An international energy company reduces billions of events per day to find those that should be investigated

Business challenge:
Reducing huge number of events to find the ones that need to be investigated
Automating the process of analyzing security data

Solution: (QRadar SIEM, QFlow)
Real-time correlation of hundreds of data sources, anomaly detection to help identify “low and slow” threats, flexibility for easy customization and expansion

Result: An international energy firm analyzes 2,000,000,000 events per day to find 20 – 25 potential offences to investigate

10

Reducing Data Silos: How it looks in QRadar

QRadar automatically pulls all related events and flows into a single security incident

Highlights the magnitude / importance

Reduction into manageable daily number

Single incident derived from ~20k events and 355 flows

11

Total Security Intelligence: How do we address the challenges?

Reduce Big Data

Detect Advanced Persistent Threats

Predict attacks

Manage risk

12

Anatomy of an APT: Communications Company

3rd Party Software Update Server compromised
Attackers create Trojan
Trojan “auto-updated” to Corporate network
60+ Corporate computers infected w/ backdoor agent
Port 8080 used for C&C activities
35M records stolen

Timeline markers on the slide: Day 0, Day 8, 6 Months

13

Activity / Behaviour Monitoring, Flow Analytics, Anomaly Detection

Behaviour / activity baselining of users and processes

Helps detect day-zero attacks and covert channels that have no signature or AV / IPS detection

Provides definitive evidence of attack

Enables visibility into attacker communications

Network traffic does not lie: attackers can stop logging and erase their tracks, but can’t cut off the network (flow data)

14

Activity and data access monitoring

Visualize Data Risks: Automated charting and reporting on potential database breaches

Correlate Database and Other Network Activity: Enrich database security alerts with anomaly detection and flow analysis

Better Detect Serious Breaches: 360-degree visibility helps distinguish true breaches from benign activity, in real-time

15

Anomaly Detection & APTs

User & Application Activity Monitoring alerts to a user anomaly for Oracle database access. Identify the user, normal access behavior and the anomaly behavior with all source and destination information for quickly resolving the persistent threat.
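The user-anomaly view on this slide can be reproduced in miniature. The following is an added example written for this page, not QRadar code: it learns, per database user, the hours of day, source hosts and row counts seen during a learning period, then scores later access against that baseline and reports every deviation with the baseline value beside it, which is the "normal behavior next to the anomaly" that the slide shows. The audit records, user names and host names are constructed for the example.

```python
"""Baselining a user's database access and scoring later activity against it.

Added example; this is not QRadar code. The audit records below are constructed
and stand in for the query-level records an Oracle audit trail would provide
(timestamp, user, source host, rows returned).
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev


def parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%S")


def constructed_events():
    """Ten days of routine access for two users, then one anomalous day (constructed)."""
    events = []
    for day in range(1, 11):
        for hour in (9, 11, 14, 16):
            events.append((f"2012-03-{day:02d}T{hour:02d}:15:00", "jsmith", "ws-finance-07", 120 + day))
            events.append((f"2012-03-{day:02d}T{hour:02d}:40:00", "dbadmin", "db-jump-01", 5000))
    # Day 11: jsmith pulls 250,000 rows at 02:10 from a host never seen before ...
    events.append(("2012-03-11T02:10:00", "jsmith", "ws-guest-42", 250000))
    # ... while dbadmin does the usual thing and must not alert.
    events.append(("2012-03-11T09:40:00", "dbadmin", "db-jump-01", 5100))
    return events


def build_baseline(events, learn_until):
    """Per user: hours of day, source hosts and row counts seen before `learn_until`."""
    cutoff = parse_ts(learn_until)
    profile = defaultdict(lambda: {"hours": set(), "hosts": set(), "rows": []})
    for ts, user, host, rows in events:
        when = parse_ts(ts)
        if when >= cutoff:
            continue
        profile[user]["hours"].add(when.hour)
        profile[user]["hosts"].add(host)
        profile[user]["rows"].append(rows)
    return dict(profile)


def score_event(profile, event):
    """Return the deviations from the user's baseline (an empty list means normal)."""
    ts, user, host, rows = event
    p = profile.get(user)
    if p is None:
        return ["user has no baseline"]
    reasons = []
    hour = parse_ts(ts).hour
    if hour not in p["hours"]:
        reasons.append(f"access at {hour:02d}h; baseline hours {sorted(p['hours'])}")
    if host not in p["hosts"]:
        reasons.append(f"new source host {host}; baseline hosts {sorted(p['hosts'])}")
    # Volume threshold: three standard deviations above the mean, but never less than
    # twice the largest count seen, so a very stable baseline does not alert on noise.
    threshold = max(mean(p["rows"]) + 3 * pstdev(p["rows"]), 2 * max(p["rows"]))
    if rows > threshold:
        reasons.append(f"{rows} rows returned; baseline threshold {threshold:.0f}")
    return reasons


def detect_anomalies(events, learn_until):
    """Score every event at or after `learn_until` against the baseline learned before it."""
    profile = build_baseline(events, learn_until)
    cutoff = parse_ts(learn_until)
    findings = []
    for ev in events:
        if parse_ts(ev[0]) >= cutoff:
            reasons = score_event(profile, ev)
            if reasons:
                findings.append({"ts": ev[0], "user": ev[1], "host": ev[2], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in detect_anomalies(constructed_events(), "2012-03-11T00:00:00"):
        print(f["ts"], f["user"], f["host"])
        for r in f["reasons"]:
            print("  -", r)
```

The three signals (time of day, source host, volume) are deliberately kept independent so an analyst sees which ones fired; a single combined score would hide that a 250,000-row pull also came from an unknown host at 02:10.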

16

Stealthy malware detection

Potential Botnet Detected? This is as far as traditional SIEM can go

IRC on port 80? QFlow detects a covert channel, using Layer 7 flows and deep packet inspection

Irrefutable Botnet Communication: Layer 7 flow data shows botnet command and control instructions
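Slides 12, 13 and 16 make one point between them: command-and-control on port 8080 that looks like HTTP, or IRC hidden on port 80, is found from the traffic itself, either from the first payload bytes (Layer 7) or from timing. The following added example, not QFlow code, does both over constructed flow records: a minimal payload classifier flags a protocol/port mismatch, and a beacon detector finds a destination that several internal hosts contact at near-constant intervals even though every one of those flows carries well-formed HTTP. Addresses, payloads, the signature set and the expected-application table are all assumptions made for the example.

```python
"""Layer 7 inspection of flow records: protocol/port mismatch and C2 beaconing.

Added example, not QFlow code. Flow records are constructed; each carries the first
bytes of the client payload, which is the Layer 7 evidence the slide refers to.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Application expected on each well-known port (constructed policy table).
EXPECTED_APP = {22: "ssh", 80: "http", 443: "tls", 6667: "irc", 8080: "http"}


def identify_app(payload):
    """Classify the application from the first bytes of the client payload."""
    head = payload[:16]
    if head.startswith(b"SSH-"):
        return "ssh"
    if len(head) >= 3 and head[0] == 0x16 and head[1] == 0x03:   # TLS record layer, handshake
        return "tls"
    if any(head.startswith(m) for m in (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"HTTP/")):
        return "http"
    # NICK/JOIN/PRIVMSG are IRC-specific; USER and PASS are shared with FTP, so they are not used.
    if any(head.startswith(m) for m in (b"NICK ", b"JOIN ", b"PRIVMSG ")):
        return "irc"
    return "unknown"


def port_mismatches(flows):
    """Flows whose observed application disagrees with what the port should carry."""
    found = []
    for f in flows:
        app = identify_app(f["payload"])
        expected = EXPECTED_APP.get(f["dport"])
        if expected and app != "unknown" and app != expected:
            found.append({"src": f["src"], "dst": f["dst"], "dport": f["dport"],
                          "app": app, "expected": expected})
    return found


def find_beacons(flows, min_hosts=3, max_cv=0.2):
    """Destinations that several internal hosts contact at near-constant intervals.

    Identified from timing alone: the payload may be ordinary HTTP, which is why
    signature-only inspection misses it.
    """
    times = defaultdict(lambda: defaultdict(list))
    for f in flows:
        times[(f["dst"], f["dport"])][f["src"]].append(f["ts"])
    beacons = []
    for (dst, dport), per_src in times.items():
        regular = []
        for src, ts in per_src.items():
            ts = sorted(ts)
            gaps = [b - a for a, b in zip(ts, ts[1:])]
            if len(gaps) < 2:
                continue
            mu = mean(gaps)
            if mu > 0 and pstdev(gaps) / mu <= max_cv:   # low coefficient of variation
                regular.append((src, round(mu)))
        if len(regular) >= min_hosts:
            beacons.append({"dst": dst, "dport": dport, "hosts": sorted(regular)})
    return beacons


def constructed_flows():
    """Constructed sample: three hosts beaconing on 8080, one IRC session on 80, normal traffic."""
    base = 1_331_424_000   # epoch seconds
    flows = []
    for host in ("10.0.0.11", "10.0.0.12", "10.0.0.13"):
        for i in range(4):   # every 300 s with a few seconds of jitter, payload is valid HTTP
            flows.append({"ts": base + 300 * i + 3 * (i % 2), "src": host, "dst": "203.0.113.10",
                          "dport": 8080, "payload": b"POST /update HTTP/1.1\r\nHost: 203.0.113.10\r\n"})
    flows.append({"ts": base + 50, "src": "10.0.0.12", "dst": "198.51.100.5", "dport": 80,
                  "payload": b"NICK bot4242\r\nUSER bot4242 0 * :bot\r\nJOIN #ops\r\n"})
    for t in (100, 1700, 1800):   # ordinary browsing: irregular timing, real HTTP on 80
        flows.append({"ts": base + t, "src": "10.0.0.11", "dst": "93.184.216.34", "dport": 80,
                      "payload": b"GET / HTTP/1.1\r\nHost: www.example.com\r\n"})
    flows.append({"ts": base + 120, "src": "10.0.0.13", "dst": "93.184.216.34", "dport": 443,
                  "payload": b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03"})
    return flows


if __name__ == "__main__":
    fl = constructed_flows()
    print("port mismatches:", port_mismatches(fl))
    print("beacons:", find_beacons(fl))
```

The beacon check needs at least two intervals per host and at least three hosts before it reports, which keeps a single user's polling web page out of the result; the thresholds are the knobs an analyst would tune against their own traffic.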

17

Total Security Intelligence: How do we address the challenges?

Reduce Big Data

Detect Advanced Persistent Threats

Predict attacks

Manage risk

18

The Security Intelligence Timeline: Proactive vs Headlines

19

Unmatched global coverage and security awareness

20,000+ devices under contract

3,700+ MSS clients worldwide

9B+ events managed per day

1,000+ security patents

133 monitored countries (MSS)

World Wide Managed

Security Services Coverage

Security Operations Centers

Security Research Centers

Security Solution Development Centers

Institute for Advanced Security Branches

IBM Research

20

Case study: A financial information provider hardens defenses against threats and fraud

A European Bank

Business challenge:
On-line banking system targeted
DDoS attack, three times
Had ‘security’ in place
Early warning capability

Solution: (QRadar SIEM, QFlow)
Real-time correlation of hundreds of data sources, anomaly detection to help identify DDoS to “low and slow” threats.

Result: 250 activity baselines dynamically adjusted over time, and saved on staffing versus alternative solutions

21

Predicting an Attack: How it looks in QRadar

Multiple IPs attack an IP

Drilling into one superflow record shows all IP records contributing to the attack

All pulled together in one offence which is detected and raised immediately to the security team
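Slides 10 and 21 both show many events and flows collapsing into one offence: ~20k events and 355 flows into a single incident, and dozens of source IPs attacking one IP into a single offence. The following added example (not QRadar code, and a much simpler rule than QRadar's offense engine) shows the mechanics: every event or flow is attributed to the local asset it involves, activity against that asset within a time window joins one offense, and a magnitude built from the worst contributing severity, the number of distinct peers and the volume picks the few offenses worth an analyst's time. The local address range, categories, severities and all records are constructed.

```python
"""Correlating events and flows into offenses, as an added example (not QRadar code)."""
from collections import Counter
from ipaddress import ip_address, ip_network

# Address space the SIEM treats as "local" assets (constructed for the example). Listed
# explicitly rather than via ip_address().is_private, which also matches the TEST-NET
# ranges used for the remote side below.
LOCAL_NETS = [ip_network("10.0.0.0/8")]
WINDOW = 3600   # seconds: activity against one asset within this window joins the same offense


def is_local(addr):
    ip = ip_address(addr)
    return any(ip in net for net in LOCAL_NETS)


def local_asset(rec):
    """The local end of a record (destination if it is local, else source) and the peer."""
    if is_local(rec["dst"]):
        return rec["dst"], rec["src"]
    return rec["src"], rec["dst"]


def magnitude(off):
    """Worst contributing severity, raised for breadth (distinct peers) and volume, capped at 10."""
    breadth = min(3, len(off["peers"]) // 10)
    volume = min(2, (off["event_count"] + off["flow_count"]) // 100)
    return min(10, off["max_severity"] + breadth + volume)


def build_offenses(records, window=WINDOW):
    """Group time-sorted events and flows by the local asset they involve."""
    open_by_asset = {}
    offenses = []
    for rec in sorted(records, key=lambda r: r["ts"]):
        asset, peer = local_asset(rec)
        off = open_by_asset.get(asset)
        if off is None or rec["ts"] - off["start"] > window:
            off = {"asset": asset, "start": rec["ts"], "end": rec["ts"], "peers": set(),
                   "event_count": 0, "flow_count": 0, "categories": Counter(), "max_severity": 0}
            open_by_asset[asset] = off
            offenses.append(off)
        off["end"] = rec["ts"]
        off["peers"].add(peer)
        off["categories"][rec["category"]] += 1
        off["max_severity"] = max(off["max_severity"], rec["severity"])
        off["event_count" if rec["kind"] == "event" else "flow_count"] += 1
    for off in offenses:
        off["magnitude"] = magnitude(off)
    return offenses


def prioritised(offenses, min_magnitude=5):
    """The short list an analyst actually looks at."""
    return [o for o in offenses if o["magnitude"] >= min_magnitude]


def event(ts, src, dst, category, severity):
    return {"kind": "event", "ts": ts, "src": src, "dst": dst, "category": category, "severity": severity}


def flow(ts, src, dst, dport):
    return {"kind": "flow", "ts": ts, "src": src, "dst": dst, "category": f"flow/tcp{dport}", "severity": 0}


def constructed_records():
    """Constructed input: a distributed attack, a multi-stage intrusion and background noise."""
    recs = []
    # 40 remote hosts each open 5 connections to one web server within ~10 s (the slide 21 case).
    for i in range(1, 41):
        for k in range(5):
            recs.append(flow(1000 + 2 * k + i % 3, f"203.0.113.{i}", "10.0.0.5", 443))
    recs.append(event(1010, "203.0.113.17", "10.0.0.5", "syn_flood", 7))
    # One remote host: 20 failed logins, an exploit attempt, then the victim calls back on 8080.
    for i in range(20):
        recs.append(event(5000 + 10 * i, "198.51.100.7", "10.0.0.8", "auth_failure", 3))
    recs.append(event(5300, "198.51.100.7", "10.0.0.8", "exploit_attempt", 8))
    recs.append(flow(5400, "10.0.0.8", "198.51.100.7", 8080))
    recs.append(event(5400, "10.0.0.8", "198.51.100.7", "malware_callback", 9))
    # Background: a normal login to a workstation and its outbound HTTPS flow.
    recs.append(event(7000, "10.0.0.9", "10.0.0.20", "login_success", 1))
    recs.append(flow(7005, "10.0.0.20", "93.184.216.34", 443))
    return recs


if __name__ == "__main__":
    for o in prioritised(build_offenses(constructed_records())):
        print(o["asset"], "magnitude", o["magnitude"], "peers", len(o["peers"]),
              "events", o["event_count"], "flows", o["flow_count"], dict(o["categories"]))
```

Keying on the local asset is what lets the outbound callback from 10.0.0.8 land in the same offense as the inbound brute force and exploit against it; keying on source IP alone would split that intrusion into two records.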

22

Total Security Intelligence: How do we address the challenges?

Reduce Big Data

Detect Advanced Persistent Threats

Predict attacks

Manage risk

23

Managing risk

CISOs know it’s not if, it’s when they get hacked; yet there is still a gap in ability to detect breach.

Breaches are taking longer to discover
Breaches are not being discovered internally

Charts from Verizon 2011 Investigative Response Caseload Review

24

Insider threat case study: Fashion Designer uses compliance mandate to detect insider fraud & use evidence in court

Fashion Designer

Business challenge:
Employee downloading information
Erasing files
Time stamped

Solution: (QRadar SIEM)
Ability to detect who, what and how specific events occurred. Saving of raw files allowed for exact timings and application layer 7 provided methods used

Result: Using deep forensic analysis, ability to detect insider fraud to be used in court

25

How it looks in QRadar

Potential Data Loss? Who? What? Where?

Who? An internal user
What? Oracle data
Where? Gmail
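The Who? What? Where? view on this slide is a correlation of a database audit record with an outbound flow by the same user. The following added example, not QRadar code, reproduces it: a bulk read from Oracle followed within a short window by a large upload to a webmail application, from an address the same user was logged on at, with both raw records kept in the finding as evidence (the point slide 24 makes about saved raw files). The audit extract, identity table, flow records and thresholds are all constructed for the example.

```python
"""Correlating a bulk database read with a webmail upload by the same user.

Added example, not QRadar code. All three inputs are constructed: an Oracle audit
extract, an identity table from DHCP/directory logons, and Layer 7 flow records
carrying an application label. Nothing here comes from a real system.
"""
from datetime import datetime, timedelta

DB_AUDIT = [   # (timestamp, db user, table, rows returned)
    ("2012-03-11T14:02:10", "jsmith", "CUSTOMERS", 48000),
    ("2012-03-11T14:03:02", "jsmith", "ORDERS", 12),
    ("2012-03-11T15:10:00", "abrown", "CUSTOMERS", 30),
    ("2012-03-11T16:40:00", "abrown", "CUSTOMERS", 52000),   # big read, but no upload follows it
]
IDENTITY = {"10.0.0.31": "jsmith", "10.0.0.44": "abrown"}   # ip -> logged-on user at the time
FLOWS = [   # (timestamp, source ip, destination host, Layer 7 application, bytes sent)
    ("2012-03-11T14:05:44", "10.0.0.31", "mail.google.com", "Gmail", 9_400_000),
    ("2012-03-11T14:06:10", "10.0.0.31", "www.example.com", "HTTP", 2_000),
    ("2012-03-11T15:12:00", "10.0.0.44", "mail.google.com", "Gmail", 18_000),
    ("2012-03-11T16:20:00", "10.0.0.44", "mail.google.com", "Gmail", 7_500_000),   # upload BEFORE the read
]
WEBMAIL = {"Gmail", "Outlook.com", "Yahoo Mail"}


def parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%S")


def find_data_loss(db_audit, flows, identity, window_minutes=15,
                   min_rows=10_000, min_bytes=1_000_000):
    """Who/what/where findings: a bulk read followed, within the window, by a large
    webmail upload from an address the same user was logged on at."""
    findings = []
    for db_ts, user, table, rows in db_audit:
        if rows < min_rows:
            continue
        start = parse_ts(db_ts)
        end = start + timedelta(minutes=window_minutes)
        for fl_ts, src, dst, app, sent in flows:
            when = parse_ts(fl_ts)
            if not (start <= when <= end):   # order matters: the read first, the upload after
                continue
            if identity.get(src) != user or app not in WEBMAIL or sent < min_bytes:
                continue
            findings.append({
                "who": user,
                "what": f"{rows} rows from {table}",
                "where": f"{app} ({dst})",
                "how": f"{sent} bytes sent from {src}",
                # Raw records are kept verbatim so the timings can be shown later.
                "evidence": {"db_record": (db_ts, user, table, rows),
                             "flow_record": (fl_ts, src, dst, app, sent)},
            })
    return findings


if __name__ == "__main__":
    for f in find_data_loss(DB_AUDIT, FLOWS, IDENTITY):
        print(f["who"], "|", f["what"], "|", f["where"], "|", f["how"])
```

The identity join is the step most easily got wrong in practice: the flow only knows a source address, so the user behind it has to come from a logon or DHCP record that was current at the flow's timestamp, not from whoever holds the address today.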

26

QRadar: The Most Intelligent, Integrated, Automated Security Intelligence Platform

• Eliminates silos

• Highly scalable

• Flexible, future-proof

• Easy deployment

• Rapid time to value

• Operational efficiency

• Proactive threat management

• Identifies most critical anomalies

• Rapid, complete impact analysis

27

Fully Integrated Security Intelligence

Log Management
• Turnkey log management
• SME to Enterprise
• Upgradeable to enterprise SIEM

SIEM
• Integrated log, threat, risk & compliance mgmt.
• Sophisticated event analytics
• Asset profiling and flow analytics
• Offense management and workflow

Risk Management
• Predictive threat modeling & simulation
• Scalable configuration monitoring and audit
• Advanced threat visualization and impact analysis

Network Activity & Anomaly Detection
• Network analytics
• Behavior and anomaly detection
• Fully integrated with SIEM

Network and Application Visibility
• Layer 7 application monitoring
• Content capture
• Physical and virtual environments

28

Fully Integrated Security Intelligence

One Console Security

Built on a Single Data Architecture

29

Security Intelligence: QRadar provides security visibility

IBM X-Force® Threat Information Center
Real-time Security Overview w/ IP Reputation Correlation
Identity and User Context
Real-time Network Visualization and Application Statistics
Inbound Security Events

30

What to do next?

Visit our stand

Download the Gartner SIEM Critical Capabilities Report

http://q1labs.com/resource-center/analyst-reports/details.aspx?id=151

Read our blog http://blog.q1labs.com/

Follow us on Twitter: @q1labs @ibmsecurity

31

ibm.com/security

© Copyright IBM Corporation 2012. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind, express or implied. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, these materials. Nothing contained in these materials is intended to, nor shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software. References in these materials to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates. Product release dates and/or capabilities referenced in these materials may change at any time at IBM’s sole discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any way. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service marks of others.

Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed or misappropriated or can result in damage to or misuse of your systems, including to attack others. No IT system or product should be considered completely secure and no single product or security measure can be completely effective in preventing improper access. IBM systems and products are designed to be part of a comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective. IBM DOES NOT WARRANT THAT SYSTEMS AND PRODUCTS ARE IMMUNE FROM THE MALICIOUS OR ILLEGAL CONDUCT OF ANY PARTY.