Transcript: Security strategies to stay off the Børsen front page - Dubex
© 2012 IBM Corporation
IBM Security Systems
Security strategies to stay off the
Børsen front page
Steve Durkin,
Channel Director for Europe,
Q1 Labs, an IBM Company
“Given the dynamic nature of the challenge, measuring the state of security within an organization is increasingly important. Since threats are always moving and solutions are more complex, dynamic and often partial, knowing where you are is essential.”
John Meakin
Global Head of Security Solutions & Architecture,
Deutsche Bank
“Finding a strategic voice”, IBM Center for Applied Insights
Q1 Labs - The Security Intelligence Leader
Who we are:
Innovative Security Intelligence software company
One of the largest and most successful SIEM vendors
Leader in Gartner Magic Quadrant (2009-2012)
Award-winning solutions:
Family of next-generation Log Management, SIEM, Risk Management,
Security Intelligence solutions
Proven and growing rapidly:
Thousands of customers worldwide
Five-year average annual revenue growth of 70%+
Now part of IBM Security Systems:
Unmatched security expertise and breadth of integrated capabilities
Targeted Attacks Shake Businesses and Governments
Source: IBM X-Force® 2011 Trend and Risk Report – March 2012
IT Security is a board room discussion
• Business results: Sony estimates potential $1B long-term impact – $171M / 100 customers*
• Supply chain: Epsilon breach impacts 100 national brands
• Legal exposure: TJX estimates $150M class action settlement in release of credit / debit card info
• Impact of hacktivism: LulzSec 50-day hack-at-will spree impacts Nintendo, CIA, PBS, UK NHS, UK SOCA, Sony …
• Audit risk: Zurich Insurance Plc fined £2.275M ($3.8M) for the loss and exposure of 46K customer records
• Brand image: HSBC data breach discloses 24K private banking customers
*Sources for all breaches shown in speaker notes
Security Intelligence Use Cases
Total Security Intelligence: How do we address the challenges?
Reduce Big Data
Detect Advanced Persistent Threats
Predict attacks
Manage risk
Case study: An international energy company reduces billions of events per day to find those that should be investigated
Business challenge:
• Reducing a huge number of events to find the ones that need to be investigated
• Automating the process of analyzing security data
Solution: QRadar SIEM, QFlow
Real-time correlation of hundreds of data sources, anomaly detection to help identify “low and slow” threats, flexibility for easy customization and expansion
Result: an international energy firm analyzes 2,000,000,000 events per day to find 20 – 25 potential offences to investigate
Reducing Data Silos: How it looks in QRadar
• QRadar automatically pulls all related events and flows into a single security incident
• Highlights the magnitude / importance
• Reduction into a manageable daily number
• Single incident derived from ~20k events and 355 flows
Detect Advanced Persistent Threats
Anatomy of an APT: Communications Company
• Attackers create Trojan
• 3rd-party software update server compromised
• Trojan “auto-updated” to corporate network
• 60+ corporate computers infected with backdoor agent
• Port 8080 used for C&C activities
• 35M records stolen
Timeline on the slide: Day 0 – 6 Months, Day 8
Activity / Behaviour Monitoring, Flow Analytics, Anomaly Detection
• Behaviour / activity baselining of users and processes
• Helps detect zero-day attacks and covert channels that have no signature and no AV / IPS detection
• Provides definitive evidence of attack
• Enables visibility into attacker communications
• Network traffic does not lie: attackers can stop logging and erase their tracks, but they cannot cut off the network (flow data)
The practical caveat is that flow data only records what passes a sensor, so collection has to cover the egress points and internal segments the attacker's traffic actually crosses. Where the payload is encrypted, the flow still shows who talked to whom, when, and how much, even if not what was said.
Activity and data access monitoring
• Visualize Data Risks: automated charting and reporting on potential database breaches
• Correlate Database and Other Network Activity: enrich database security alerts with anomaly detection and flow analysis
• Better Detect Serious Breaches: 360-degree visibility helps distinguish true breaches from benign activity, in real time
Anomaly Detection & APTs
User & Application Activity Monitoring alerts to a user anomaly for Oracle database access. Identify the user, the normal access behavior and the anomalous behavior, with all source and destination information, for quickly resolving the persistent threat.
Stealthy malware detection
• Potential Botnet Detected? This is as far as traditional SIEM can go
• IRC on port 80? QFlow detects a covert channel, using Layer 7 flows and deep packet inspection
• Irrefutable Botnet Communication: Layer 7 flow data shows botnet command and control instructions
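The port-versus-protocol check behind the “IRC on port 80?” step above, as an added example that is not QRadar or QFlow code: it reads the first bytes of each flow, identifies the layer 7 protocol (HTTP, TLS or IRC, using signatures written for this example) and raises a finding when the observed protocol contradicts what the destination port implies. The port table, the flow records and the addresses are all constructed for the example.

```python
"""Identify the application protocol from flow payload and flag flows whose
layer 7 protocol does not match what the destination port implies, the way
the "IRC on port 80" covert channel on the slide would be caught."""
import re
from dataclasses import dataclass

# Expected application protocol per destination port. Assumption for this
# example; a real deployment would derive this from its own policy.
PORT_EXPECTATION = {80: "http", 443: "tls", 6667: "irc", 8080: "http"}

HTTP_REQUEST = re.compile(rb"^(GET|POST|HEAD|PUT|DELETE|OPTIONS|CONNECT) \S+ HTTP/1\.[01]\r?\n")
HTTP_RESPONSE = re.compile(rb"^HTTP/1\.[01] \d{3} ")
# IRC client/server lines: optional ":prefix " then a command word or 3-digit reply.
IRC_LINE = re.compile(rb"^(:\S+ )?(NICK|USER|JOIN|PRIVMSG|NOTICE|PING|PONG|MODE|\d{3})\b")


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    payload: bytes  # first bytes of the stream, as captured by the flow sensor


def identify_l7(payload: bytes) -> str:
    """Classify the application protocol from the first bytes of a stream."""
    if HTTP_REQUEST.match(payload) or HTTP_RESPONSE.match(payload):
        return "http"
    # TLS record header: content type 0x16 (handshake), version major byte 0x03.
    if len(payload) >= 3 and payload[0] == 0x16 and payload[1] == 0x03:
        return "tls"
    lines = [line.rstrip(b"\r") for line in payload.split(b"\n") if line.strip()][:3]
    if lines and all(IRC_LINE.match(line) for line in lines):
        return "irc"
    return "unknown"


def find_covert_channels(flows):
    """Return (src, dst, dport, expected, observed) for every flow whose
    observed layer 7 protocol contradicts the port's expected protocol."""
    findings = []
    for f in flows:
        observed = identify_l7(f.payload)
        expected = PORT_EXPECTATION.get(f.dport)
        if expected and observed != "unknown" and observed != expected:
            findings.append((f.src, f.dst, f.dport, expected, observed))
    return findings


# Constructed sample flows (not real traffic); addresses are documentation ranges.
SAMPLE_FLOWS = [
    Flow("10.0.0.5", "203.0.113.9", 80, b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
    Flow("10.0.0.7", "198.51.100.4", 80, b"NICK bot7731\r\nUSER bot7731 0 * :bot\r\nJOIN #c2\r\n"),
    Flow("10.0.0.9", "203.0.113.20", 443, b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03"),
    Flow("10.0.0.7", "198.51.100.4", 6667, b"PRIVMSG #c2 :hello\r\n"),
    Flow("10.0.0.3", "203.0.113.9", 8080, b":c2!c2@c2.invalid PRIVMSG #c2 :!download http://198.51.100.4/p.bin\r\n"),
]

if __name__ == "__main__":
    for finding in find_covert_channels(SAMPLE_FLOWS):
        print("covert channel: %s -> %s:%d expected %s, observed %s" % finding)
```

Classifying from payload rather than port is the point: a bot speaking IRC over 80 or 8080 (the C&C port in the APT anatomy above) passes a port-based firewall rule but not this check. The sensor needs the first packets of the stream, so collection must see the start of each connection, and an encrypted channel needs a different tell (such as the TLS server name or certificate) than the cleartext commands matched here.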
Predict attacks
The Security Intelligence Timeline: Proactive vs Headlines
Unmatched global coverage and security awareness
• 20,000+ devices under contract
• 3,700+ MSS clients worldwide
• 9B+ events managed per day
• 1,000+ security patents
• 133 monitored countries (MSS)
World Wide Managed Security Services Coverage (map legend): Security Operations Centers; Security Research Centers; Security Solution Development Centers; Institute for Advanced Security Branches; IBM Research
Case study: A financial information provider hardens defenses against threats and fraud
A European Bank
Business challenge:
• On-line banking system targeted by DDoS attack, three times
• Had ‘security’ in place
• Early warning capability
Solution: QRadar SIEM, QFlow
Real-time correlation of hundreds of data sources, anomaly detection to help identify threats ranging from DDoS to “low and slow”.
Result: 250 activity baselines dynamically adjusted over time, and savings on staffing versus alternative solutions
Predicting an Attack: How it looks in QRadar
• Multiple IPs attack an IP
• Drilling into one superflow record shows all IP records contributing to the attack
• All pulled together in one offence which is detected and raised immediately to the security team
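An added example, not QRadar's own logic, that covers both the behaviour baselining slide earlier in the deck and the superflow shown here: it learns, per internal service, how many distinct source IPs normally arrive per minute, flags windows that exceed the learned mean by k standard deviations, and lists every contributing source in a single offence record rather than raising one alert per flow. The flow records, the window size and the k and floor values are assumptions made for the example.

```python
"""Baseline the number of distinct source IPs each internal service sees per
minute, flag windows that deviate from that baseline, and gather all the
contributing flows into a single offence (the 'superflow' view on the slide)."""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev

WINDOW = 60  # seconds per aggregation window


@dataclass(frozen=True)
class Flow:
    ts: int        # epoch seconds when the flow started
    src: str
    dst: str
    dport: int
    bytes_out: int


def sources_per_window(flows):
    """Map (window_start, dst, dport) -> set of distinct source IPs."""
    buckets = defaultdict(set)
    for f in flows:
        buckets[(f.ts - f.ts % WINDOW, f.dst, f.dport)].add(f.src)
    return buckets


def learn_baseline(history):
    """Per (dst, dport): mean and population stddev of distinct sources per
    window, learned only from windows in which the service saw traffic."""
    samples = defaultdict(list)
    for (_, dst, dport), srcs in sources_per_window(history).items():
        samples[(dst, dport)].append(len(srcs))
    return {key: (mean(v), pstdev(v)) for key, v in samples.items()}


def detect(baseline, live, k=3.0, floor=10):
    """One offence per (window, dst, dport) whose distinct-source count exceeds
    mean + k*stddev. `floor` is an absolute minimum so that a service with a
    flat (zero-variance) or absent baseline does not alert on one extra client."""
    offences = []
    for (win, dst, dport), srcs in sorted(sources_per_window(live).items()):
        mu, sigma = baseline.get((dst, dport), (0.0, 0.0))
        threshold = max(mu + k * sigma, floor)
        if len(srcs) > threshold:
            offences.append({
                "window": win,
                "target": f"{dst}:{dport}",
                "distinct_sources": len(srcs),
                "baseline_mean": round(mu, 1),
                "sources": sorted(srcs),   # every contributing IP, in one record
            })
    return offences


# Constructed sample data (not real traffic); T0 is aligned to a window boundary.
T0 = 1_700_000_040


def make_history():
    """Ten quiet minutes: 3 or 4 distinct clients per minute reach 10.1.1.10:443."""
    flows = []
    for w in range(10):
        for i in range(1, 4 + (w % 2)):
            flows.append(Flow(T0 + w * WINDOW + i, f"198.51.100.{i}", "10.1.1.10", 443, 1500))
    return flows


def make_live():
    """One normal minute, then one minute in which 40 distinct sources arrive."""
    normal = [Flow(T0 + 600 + i, f"198.51.100.{i}", "10.1.1.10", 443, 1500) for i in range(1, 4)]
    flood = [Flow(T0 + 660 + i, f"203.0.113.{i}", "10.1.1.10", 443, 60) for i in range(1, 41)]
    return normal + flood


if __name__ == "__main__":
    for off in detect(learn_baseline(make_history()), make_live()):
        print(f"offence: {off['distinct_sources']} sources -> {off['target']} "
              f"(baseline {off['baseline_mean']}); first 3: {off['sources'][:3]}")
```

The floor matters: a service whose baseline never varies has a standard deviation of zero, and without a floor the first extra client would raise an offence. The same shape of baseline works for other per-entity counts, such as bytes sent per host per hour for low-and-slow exfiltration, by changing what is bucketed and counted.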
Manage risk
Managing risk
CISOs know it’s not if, but when they get hacked; yet there is still a gap in the ability to detect a breach.
• Breaches are taking longer to discover
• Breaches are not being discovered internally
[Charts from Verizon 2011 Investigative Response Caseload Review]
Insider threat case study: Fashion Designer uses compliance mandate to detect insider fraud & use evidence in court
Business challenge:
• Employee downloading information and erasing files
• Time-stamped evidence
Solution: QRadar SIEM
Ability to detect who, what and how specific events occurred. Saving of raw files allowed for exact timings, and application layer 7 provided the methods used.
Result: using deep forensic analysis, ability to detect insider fraud, to be used in court
How it looks in QRadar
Potential Data Loss? Who? What? Where?
• Who? An internal user
• What? Oracle data
• Where? Gmail
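The who / what / where determination above, as an added correlation example that is not QRadar's own rule logic: a bulk read recorded in the database audit log is joined with a later large upload that layer 7 flow data classified as webmail, on the condition that the upload came from a host the same user is logged on to within a 30-minute window, and the matching events are gathered into one offence the way the "Reducing Data Silos" slide describes. Record formats, thresholds, the host-to-user logon mapping and the sample records are all constructed for the example.

```python
"""Cross-source correlation: tie a bulk read from a database (DB audit event)
to a later large upload to webmail (layer 7 flow) from a host the same user is
logged on to, and gather who / what / where plus the evidence into one offence."""
from dataclasses import dataclass


@dataclass(frozen=True)
class DbAudit:
    ts: int
    user: str
    client_host: str
    obj: str       # table or view read
    rows: int      # rows returned


@dataclass(frozen=True)
class Flow:
    ts: int
    src_host: str
    l7_app: str    # application identified from layer 7 content
    dst_name: str  # server name seen in the layer 7 content
    bytes_out: int


# Thresholds and the webmail label are assumptions chosen for this example.
BULK_ROWS = 10_000
UPLOAD_BYTES = 5_000_000
WINDOW_SECS = 30 * 60
WEBMAIL_APPS = {"webmail"}


def correlate_data_loss(audits, flows, logons):
    """`logons` maps client host -> currently logged-on user (from directory or
    DHCP logs, assumed available). Returns {user: offence}, where an offence
    lists the objects read, the upload destinations and the raw evidence."""
    offences = {}
    for a in (x for x in audits if x.rows >= BULK_ROWS):
        for f in flows:
            if f.l7_app not in WEBMAIL_APPS or f.bytes_out < UPLOAD_BYTES:
                continue                      # not a sizeable webmail upload
            if logons.get(f.src_host) != a.user:
                continue                      # upload not from this user's session
            if not (a.ts <= f.ts <= a.ts + WINDOW_SECS):
                continue                      # too far from the bulk read
            off = offences.setdefault(a.user, {"who": a.user, "what": set(),
                                               "where": set(), "evidence": set()})
            off["what"].add(a.obj)
            off["where"].add(f.dst_name)
            off["evidence"].add(("db", a.ts, a.client_host, a.obj, a.rows))
            off["evidence"].add(("flow", f.ts, f.src_host, f.dst_name, f.bytes_out))
    for off in offences.values():             # stable, time-ordered output
        off["what"] = sorted(off["what"])
        off["where"] = sorted(off["where"])
        off["evidence"] = sorted(off["evidence"], key=lambda e: e[1])
    return offences


# Constructed sample records (not real logs).
T0 = 1_700_000_000
LOGONS = {"WS-0142": "jdoe", "WS-0077": "asmith"}
AUDITS = [
    DbAudit(T0, "jdoe", "WS-0142", "CUSTOMER_CARD", 25_000),        # bulk read
    DbAudit(T0 + 120, "asmith", "WS-0077", "ORDERS", 200),           # routine query
]
FLOWS = [
    Flow(T0 + 600, "WS-0142", "webmail", "mail.google.com", 12_000_000),    # upload after bulk read
    Flow(T0 + 700, "WS-0077", "webmail", "mail.google.com", 9_000_000),     # asmith: no bulk read
    Flow(T0 + 800, "WS-0142", "http", "intranet.example.com", 20_000_000),  # not webmail
    Flow(T0 + 5 * 3600, "WS-0142", "webmail", "mail.google.com", 8_000_000),  # outside window
]

if __name__ == "__main__":
    for off in correlate_data_loss(AUDITS, FLOWS, LOGONS).values():
        print(f"Who? {off['who']}  What? {off['what']}  Where? {off['where']}")
```

Each offence carries the raw evidence tuples in time order, which is what the insider fraud case study above relies on for court: exact timings from the saved records and the method (a webmail upload) from layer 7. The host-to-user mapping is the weak link; if logon data is stale, the join either misses the upload or attributes it to the wrong person, so the mapping should be taken from the same time window as the events.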
QRadar: The Most Intelligent, Integrated,
Automated Security Intelligence Platform
• Eliminates silos
• Highly scalable
• Flexible, future-proof
• Easy deployment
• Rapid time to value
• Operational efficiency
• Proactive threat management
• Identifies most critical anomalies
• Rapid, complete impact analysis
Fully Integrated Security Intelligence
Log Management
• Turnkey log management
• SME to Enterprise
• Upgradeable to enterprise SIEM
SIEM
• Integrated log, threat, risk & compliance mgmt.
• Sophisticated event analytics
• Asset profiling and flow analytics
• Offense management and workflow
Risk Management
• Predictive threat modeling & simulation
• Scalable configuration monitoring and audit
• Advanced threat visualization and impact analysis
Network Activity & Anomaly Detection
• Network analytics
• Behavior and anomaly detection
• Fully integrated with SIEM
Network and Application Visibility
• Layer 7 application monitoring
• Content capture
• Physical and virtual environments
One Console Security: Built on a Single Data Architecture
Security Intelligence: QRadar provides security visibility
• IBM X-Force® Threat Information Center
• Real-time Security Overview w/ IP Reputation Correlation
• Identity and User Context
• Real-time Network Visualization and Application Statistics
• Inbound Security Events
What to do next?
Visit our stand
Download the Gartner SIEM Critical Capabilities Report
http://q1labs.com/resource-center/analyst-reports/details.aspx?id=151
Read our blog http://blog.q1labs.com/
Follow us on Twitter: @q1labs @ibmsecurity
ibm.com/security
© Copyright IBM Corporation 2012. All rights reserved. The information contained in these materials is provided for informational purposes only, and is
provided AS IS without warranty of any kind, express or implied. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to,
these materials. Nothing contained in these materials is intended to, nor shall have the effect of, creating any warranties or representations from IBM or its
suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software. References in these materials
to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates. Product release dates and/or capabilities
referenced in these materials may change at any time at IBM’s sole discretion based on market opportunities or other factors, and are not intended to be a
commitment to future product or feature availability in any way. IBM, the IBM logo, and other IBM products and services are trademarks of the International
Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service marks of
others.
Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper
access from within and outside your enterprise. Improper access can result in information being altered, destroyed or misappropriated or can result in damage to
or misuse of your systems, including to attack others. No IT system or product should be considered completely secure and no single product or security measure
can be completely effective in preventing improper access. IBM systems and products are designed to be part of a comprehensive security approach, which will
necessarily involve additional operational procedures, and may require other systems, products or services to be most effective. IBM DOES NOT WARRANT
THAT SYSTEMS AND PRODUCTS ARE IMMUNE FROM THE MALICIOUS OR ILLEGAL CONDUCT OF ANY PARTY.