avoiding data breach using security intelligence and big data to stay out of the headlines

Posted on 14-Sep-2014

Category: Business

DESCRIPTION

Attackers and exploits are becoming increasingly sophisticated, and the pressure to protect business-critical data is only getting more intense. Security Intelligence transforms the playing field by adding analytics and context, shifting the balance in favor of the defenders. Today, forward-thinking organizations are extending Security Intelligence further by combining it with Big Data, producing a solution that lets them analyze new types of information and data that arrives at higher velocity and in larger volume. This combination yields insights that identify threats and fraud more effectively than before. In this session, attendees will learn how to combine Security Intelligence and Big Data and deploy a solution that is well suited to structured, repeatable tasks. We will also cover complementary technologies that address speed and flexibility and are suited to analyzing unstructured data. The session will also highlight how organizations use Security Intelligence to proactively detect advanced threats before they cause damage, and to take effective corrective action if a compromise succeeds. View the on-demand webinar: https://www2.gotomeeting.com/register/657029698

TRANSCRIPT

Page 1: Avoiding data breach using security intelligence and big data to stay out of the headlines

© 2012 IBM Corporation

IBM Security Systems

1 IBM Security Systems

AMPLIFYING SECURITY INTELLIGENCE WITH BIG DATA AND ADVANCED ANALYTICS

Vijay Dheap, Global Product Manager, Master Inventor, Big Data Security Intelligence & Mobile Security, [email protected]

Page 2:

Welcome to a Not So Friendly Cyber World…

Biggest Bank Heist in History Nets $45 Million, all without setting foot in a bank…

CYBER ESPIONAGE VIA SOCIAL NETWORKING SITES. TARGET: US DOD OFFICIALS

Hidden Malware Steals 3000 Confidential Documents – Japanese Ministry

Page 3:

Playing Defense…

Traditional Approach to Security Predicated on a Defensive Mindset:

Assumes explicit organizational perimeter

Optimized for combating external threats

Presumes standardization mitigates risk

Dependent on general awareness of attack methodologies

Requires monitoring and control of traffic flows

Layered Defenses Essential for Good Security Hygiene and Addressing Traditional Security Threats… but attackers are adapting too

Origins of Security Intelligence

Page 4:

Business Change is Coming…If Not Already Here

Enterprises are Undergoing Dynamic Transformations

The Organization’s Cyber Perimeter is Being Blurred… It can no longer be assumed

Page 5:

Evolving Attack Tactics…Focus on Breaching Defenses

Page 6:

A Look at the Emerging Threat Landscape

Targeted, Persistent, Clandestine

Situational, Subversive, Unsanctioned

Focused, Well-Funded, Scalable

Topical, Disruptive, Public

Concealed, Motivated, Opportunistic

Page 7:

Questions CISOs Want to Be Able to Answer…

Page 8:

Incorporating a More Proactive Mindset to Enterprise Security

Two mindsets, from Broad (left) to Targeted (right):

Audit, Patch & Block: think like a defender, defense-in-depth mindset | Detect, Analyze & Remediate: think like an attacker, counter-intelligence mindset

Protect all assets | Protect high value assets
Emphasize the perimeter | Emphasize the data
Patch systems | Harden targets and weakest links
Use signature-based detection | Use anomaly-based detection
Scan endpoints for malware | Baseline system behavior
Read the latest news | Consume threat feeds
Collect logs | Collect everything
Conduct manual interviews | Automate correlation and analytics
Shut down systems | Gather and preserve evidence

Page 9:

Greater Need for Security Intelligence…

• Visibility across organizational security systems

• Improved response times

• Adaptability/flexibility required for early detection of threats and risky behaviors

Components: Log Manager, SIEM, Network Activity Monitor, Risk Manager, Vulnerability Manager

Page 10:

Evolution of Security Intelligence

Stage 1, Log Management: log management
  Initial visibility; facilitates compliance
  Attackers adapt: not to leave a trace

Stage 2, SIEM: log management, network flow, asset discovery, users/identities
  The network does not lie; greater coverage across the organization
  Attackers adapt: to hide in the noise

Stage 3, Security Intelligence: log management, network flow, asset discovery, users/identities, full packet capture, shared intel, …other relevant data
  Filters out the noise, improves incident and offense identification
  Proactive to detect targeted and zero-day attacks
  Needs scalability to add more data sources and extensibility to support additional security analytics

Page 11:

Amplifying Security Intelligence with Big Data Analytics

The Triggers That Motivate Big Data Analytics for Security Intelligence:

Page 12:

Extending the IQ of a Security Intelligence Solution to Big Data

Distilling

Need to derive security relevant semantics from syntactic elements contained in raw data.

Availability of codified human know-how and understanding to enable machine processing and progressively automate manual processes

Analytical functions, tools and workflows that can be employed to deliver insights

Page 13:

Use Cases

Page 14:

Security Intelligence From Real-time Processing of Big Data

Behavior monitoring and flow analytics

Activity and data access monitoring

Stealthy malware detection

Irrefutable Botnet Communication: Layer 7 flow data shows botnet command and control instructions

Improved Breach Detection: 360-degree visibility helps distinguish true breaches from benign activity, in real time

Network Traffic Doesn’t Lie: attackers can stop logging and erase their tracks, but can’t cut off the network (flow data)

Page 15:

Security Intelligence Amplified by Advanced Analytics

Hunting for External Command & Control (C&C) Domains of an Attacker

Advanced analytics identify suspicious domains. Why are there only a few hits to these domains across the entire organization? Correlating with public DNS registry information (for example, a very recent registration date) increases suspicion.

Historical analysis of DNS activity within organization

Automate correlation against external DNS registries
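The hunt sketched above, as an added example that is not part of the IBM deck: a Python script over a constructed DNS query log (timestamps, client IPs and the WHOIS-style creation-date table are all made up, and the domains are reserved example names, not real indicators). It scores each registrable domain on the three signals the slide names: how few hosts resolve it, how recently it was registered relative to its first query, and whether one host queries it on a regular, beacon-like interval.

```python
"""Rare-domain hunt over historical DNS logs.

Added example, not from the IBM deck: the query log, client IPs and
the WHOIS-style registry snapshot below are constructed; the domains
are reserved example names, not real indicators.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed resolver log: (ISO timestamp, client IP, queried name)
DNS_LOG = [
    # A widely used site: many distinct clients, so it is not "rare"
    ("2012-09-01T08:01:00", "10.1.1.10", "www.example.com"),
    ("2012-09-01T08:01:05", "10.1.1.11", "www.example.com"),
    ("2012-09-01T08:02:10", "10.1.1.12", "mail.example.com"),
    ("2012-09-01T08:03:30", "10.1.1.13", "www.example.com"),
    # One host resolving a recently registered name every 10 minutes
    ("2012-09-01T08:00:00", "10.1.1.42", "a1.cdn-sync.example"),
    ("2012-09-01T08:10:00", "10.1.1.42", "a1.cdn-sync.example"),
    ("2012-09-01T08:20:00", "10.1.1.42", "a1.cdn-sync.example"),
    ("2012-09-01T08:30:00", "10.1.1.42", "a1.cdn-sync.example"),
    # Rare, but long registered and queried once: low score
    ("2012-09-01T09:15:00", "10.1.1.20", "blog.example.org"),
]

# Constructed registry snapshot: registrable domain -> creation date
REGISTRY = {
    "example.com": "1995-08-14",
    "cdn-sync.example": "2012-08-25",   # a week before the queries above
    "example.org": "2001-03-02",
}


def base_domain(fqdn):
    """Registrable domain approximated as the last two labels.
    Production code should consult the public suffix list (co.uk etc.)."""
    labels = fqdn.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def summarize(log):
    """Per base domain: the set of clients and each client's query times."""
    clients = defaultdict(set)
    times = defaultdict(lambda: defaultdict(list))
    for ts, client, fqdn in log:
        domain = base_domain(fqdn)
        clients[domain].add(client)
        times[domain][client].append(datetime.fromisoformat(ts))
    return clients, times


def is_periodic(timestamps, min_queries=3, max_cv=0.2):
    """True when query gaps are nearly constant (low coefficient of variation)."""
    if len(timestamps) < min_queries:
        return False
    ts = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    avg = mean(gaps)
    return avg > 0 and pstdev(gaps) / avg <= max_cv


def domain_age_days(domain, first_seen, registry):
    """Days between registration and first query, or None if unknown."""
    created = registry.get(domain)
    if created is None:
        return None
    return (first_seen - datetime.fromisoformat(created)).days


def hunt(log, registry, max_clients=2, young_days=30):
    """Score rarely resolved domains; a higher score is more worth an analyst's time."""
    clients, times = summarize(log)
    total_hosts = len({client for _, client, _ in log})
    findings = []
    for domain, hosts in clients.items():
        if len(hosts) > max_clients:
            continue  # resolved across the estate: not rare
        first_seen = min(t for per_client in times[domain].values() for t in per_client)
        age = domain_age_days(domain, first_seen, registry)
        periodic = any(is_periodic(ts) for ts in times[domain].values())
        score = 1
        reasons = [f"rare: {len(hosts)} of {total_hosts} hosts"]
        if age is None:
            score += 2
            reasons.append("no registry record")
        elif age <= young_days:
            score += 2
            reasons.append(f"registered {age} days before first query")
        if periodic:
            score += 2
            reasons.append("regular query interval (beacon-like)")
        findings.append({"domain": domain, "clients": sorted(hosts),
                         "score": score, "reasons": reasons})
    return sorted(findings, key=lambda f: -f["score"])


if __name__ == "__main__":
    for finding in hunt(DNS_LOG, REGISTRY):
        print(finding["score"], finding["domain"], finding["clients"], finding["reasons"])
```

The two-label `base_domain()` stands in for a public-suffix lookup; without the real list, names under co.uk-style suffixes collapse onto the suffix and inflate their client counts. A domain the registry snapshot does not cover is scored as suspicious rather than skipped, since missing WHOIS data is itself worth a look.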

Pursue Active Spear-Phishing Campaigns Targeting the Organization

Employ Big Data Analytics on email to identify patterns, the targets, and the redirect URLs

Build visualizations, such as heat maps, to view the top targets of spear-phishing attacks

Load spear-phishing targets and redirect URLs into real-time security intelligence analysis to thwart the attack
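The three steps above, as an added example that is not IBM's code: group external mail by the domain its links point to, build the per-department target counts a heat map would be drawn from, and emit the sender and URL indicators to load into real-time correlation. The directory, addresses, subjects and URLs are constructed; `corp.example` as the internal domain and the `min_targets` threshold are assumptions of this example.

```python
"""Spear-phishing campaign analytics over an email archive.

Added example, not IBM code: the directory, addresses, subjects and
URLs below are constructed; the link and sender domains are made-up
names, not known-bad indicators.
"""
import re
from collections import defaultdict
from urllib.parse import urlsplit

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

# Constructed recipient -> department lookup (stands in for an HR feed)
DIRECTORY = {
    "alice@corp.example": "Finance",
    "bob@corp.example": "Finance",
    "carol@corp.example": "Finance",
    "dave@corp.example": "Engineering",
}

# Constructed mail archive: one dict per delivered message
EMAILS = [
    {"from": "hr-benefits@payroll-notice.example", "to": "alice@corp.example",
     "subject": "Updated benefits statement", "body": "Sign in: http://portal-login.example/auth?u=a1"},
    {"from": "hr-benefits@payroll-notice.example", "to": "bob@corp.example",
     "subject": "Updated benefits statement", "body": "Sign in: http://portal-login.example/auth?u=b2"},
    {"from": "it-desk@payroll-notice.example", "to": "carol@corp.example",
     "subject": "Password expiry", "body": "Reset now http://portal-login.example/reset"},
    {"from": "hr-benefits@payroll-notice.example", "to": "dave@corp.example",
     "subject": "Updated benefits statement", "body": "Sign in: http://portal-login.example/auth?u=d4"},
    # One-off newsletter to a single recipient: never becomes a campaign
    {"from": "news@vendor.example", "to": "alice@corp.example",
     "subject": "Monthly update", "body": "https://vendor.example/news/sep"},
    # Internal mail with an intranet link: skipped, the sender is inside the org
    {"from": "erin@corp.example", "to": "bob@corp.example",
     "subject": "Runbook", "body": "https://wiki.corp.example/runbook"},
]


def extract_urls(body):
    return URL_RE.findall(body)


def link_domain(url):
    return (urlsplit(url).hostname or "").lower()


def find_campaigns(emails, min_targets=2, internal_domains=("corp.example",)):
    """Group external mail by the domain its links point to.

    A link domain reached from mails to >= min_targets distinct recipients
    is treated as one campaign: the redirect host is what the phisher
    reuses even when sender names and lures vary."""
    by_domain = defaultdict(list)
    for m in emails:
        sender_domain = m["from"].rsplit("@", 1)[-1].lower()
        if sender_domain in internal_domains:
            continue
        for url in extract_urls(m["body"]):
            by_domain[link_domain(url)].append(
                {"to": m["to"], "from": m["from"], "subject": m["subject"], "url": url})
    return {domain: hits for domain, hits in by_domain.items()
            if len({h["to"] for h in hits}) >= min_targets}


def target_heatmap(campaigns, directory):
    """Rows: campaign link domain; columns: department; cell: distinct people targeted."""
    heat = {}
    for domain, hits in campaigns.items():
        seen = set()
        counts = defaultdict(int)
        for h in hits:
            if h["to"] in seen:
                continue
            seen.add(h["to"])
            counts[directory.get(h["to"], "unknown")] += 1
        heat[domain] = dict(counts)
    return heat


def indicators(campaigns):
    """Flat sender and URL lists to load into real-time correlation rules."""
    senders, urls = set(), set()
    for hits in campaigns.values():
        for h in hits:
            senders.add(h["from"])
            urls.add(h["url"])
    return {"senders": sorted(senders), "urls": sorted(urls)}


if __name__ == "__main__":
    camps = find_campaigns(EMAILS)
    for domain, cells in target_heatmap(camps, DIRECTORY).items():
        print(domain, cells)
    print(indicators(camps))
```

Keying on the link domain rather than the sender is deliberate: the two lures above use different sender names and subjects but land on the same host, which is what makes them one campaign. The heat map output is a plain dict so it can be handed to whatever plotting or dashboard layer is in use.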

Page 16:

Security Intelligence Amplified by Advanced Analytics

Employ Big Data Analytics on structured attributes and unstructured communications to link identities

Attributes have a tendency to cross identities, similar problems with device profiles

Who am I? Who are you? Who do we communicate with? What devices do we own?

Name: John Smith
Corporate ID: [email protected]
Analytics: [email protected]
613-334-6572, MAC, IP
Public Community: BigPipes11
Laptop: Several IPs, MAC Addresses, Hostnames
Tablet: IP Address, MAC Address

Other linking attributes: fonts installed, language, user agent, installed software, web sites commonly visited, people who are communicated with, etc.

Tracking Multiple Unrelated Identities
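Linking the fragments above is an entity-resolution problem. As an added example that is not IBM's code, the script below does it with union-find over a shared-attribute index. The observations, names, addresses, MACs and handles are constructed; the split into STRONG attributes (which may link two records on their own) and WEAK ones (which only corroborate and are reported to the analyst) is an assumption of this example, not a rule from the deck.

```python
"""Link identity fragments from many sources into one profile (entity resolution).

Added example, not IBM code. Observations, names, addresses, MACs and
handles are constructed; the STRONG/WEAK attribute split is an
assumption of this example.
"""
from collections import defaultdict

# Attribute classes (assumed): STRONG values identify one person or
# device, so sharing one links two records. WEAK values are shared by
# many (an IP is reused over time, a user agent by thousands of hosts)
# and only corroborate a link that strong evidence already made.
STRONG = {"email", "phone", "mac"}
WEAK = {"ip", "user_agent", "language"}

# Constructed observations: (source, record id, attributes)
OBSERVATIONS = [
    ("hr_directory", "hr-1", {"name": "John Smith", "email": "jsmith@corp.example", "phone": "613-555-0142"}),
    ("dhcp", "dhcp-7", {"mac": "00:11:22:33:44:55", "hostname": "JSMITH-LT", "ip": "10.1.1.42"}),
    ("vpn", "vpn-3", {"email": "JSmith@corp.example", "ip": "10.1.1.42", "mac": "00:11:22:33:44:55"}),
    ("webmail", "wm-9", {"email": "bigpipes11@mail.example", "ip": "10.1.1.42", "user_agent": "UA-X"}),
    ("forum", "forum-2", {"handle": "BigPipes11", "email": "bigpipes11@mail.example", "phone": "613-555-0142"}),
    ("dhcp", "dhcp-8", {"mac": "66:77:88:99:aa:bb", "hostname": "AGREEN-LT", "ip": "10.1.1.43"}),
    ("hr_directory", "hr-2", {"name": "Ann Green", "email": "agreen@corp.example", "user_agent": "UA-X"}),
]


class DisjointSet:
    """Union-find with path halving; each record starts as its own set."""

    def __init__(self):
        self.parent = {}

    def find(self, x):
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]
            x = self.parent[x]
        return x

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[ra] = rb


def normalize(value):
    """Case and whitespace differences must not hide a shared value."""
    return str(value).strip().lower()


def link_identities(observations):
    """Return (clusters, weak_edges).

    clusters: lists of record ids joined through STRONG attributes.
    weak_edges: WEAK values shared across records, reported for the
    analyst but never used to merge."""
    ds = DisjointSet()
    index = defaultdict(set)          # (attribute, normalized value) -> record ids
    for _, rid, attrs in observations:
        ds.find(rid)                  # register singletons too
        for key, value in attrs.items():
            index[(key, normalize(value))].add(rid)
    weak_edges = []
    for (key, value), rids in index.items():
        if len(rids) < 2:
            continue
        if key in STRONG:
            anchor = next(iter(rids))
            for rid in rids:
                ds.union(anchor, rid)
        elif key in WEAK:
            weak_edges.append((key, value, sorted(rids)))
    clusters = defaultdict(list)
    for _, rid, _ in observations:
        clusters[ds.find(rid)].append(rid)
    return sorted(sorted(c) for c in clusters.values()), weak_edges


def merged_profile(cluster, observations):
    """Answer 'who am I, what devices do I own' for one cluster of record ids."""
    profile = defaultdict(set)
    for source, rid, attrs in observations:
        if rid in cluster:
            profile["sources"].add(source)
            for key, value in attrs.items():
                profile[key].add(value)
    return {k: sorted(v) for k, v in profile.items()}


if __name__ == "__main__":
    clusters, weak = link_identities(OBSERVATIONS)
    for cluster in clusters:
        print(cluster, merged_profile(set(cluster), OBSERVATIONS))
    print("corroborating weak edges:", weak)
```

The corporate identity, the DHCP lease, the VPN session, the webmail account and the forum handle end up in one cluster through email, MAC and phone alone; the shared user agent between that cluster and a second employee is surfaced as a weak edge, not a merge, which is the property that keeps one bad attribute from collapsing two people into one.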

Page 17:

Security Intelligence Amplified by Advanced Analytics

Big Data not only allows us to store everything, we can extract the attributes used for detection up front to speed up analysis of old data:

PCAP Data ->
• List of all IPs and Domains
• All File MD5s
• All Links in email and social communications

Host Inventory Data ->
• Registry Values
• Patches Applied
• File System Audit

Quickly check for new indicators in yesterday’s values

Today, breached organizations go weeks or months unaware of someone who has already infiltrated their network

Why not use today’s knowledge to analyze yesterday’s data?

Capture all traffic for a period of time. As security detection techniques are updated (AV and IPS signatures, blacklists, MD5s, etc.), run them against yesterday’s data.

Today’s Knowledge Applied to Yesterday’s Problems
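The retro-hunting procedure above, as an added example that is not IBM's code: extract the cheap-to-query attributes (domains, destination IPs, file MD5s, mailed URLs, registry values, installed patches) from the bulky raw capture once, keep them in an inverted index, and run a later indicator feed against that index. The flow summaries, mail, host inventory and the indicator feed are all constructed; the downloaded "file" is the bytes `b"abc"` and the feed carries that file's MD5, and the KB numbers are placeholders.

```python
"""Retro-hunting: extract indicators from stored traffic and host data up
front, then run today's indicators against yesterday's extraction.

Added example, not IBM code: the flow summaries, mail, host inventory
and the indicator feed below are constructed (file contents are the
bytes b"abc"; the feed carries that file's MD5; KB numbers are placeholders).
"""
import hashlib
import re
from collections import defaultdict

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

# Constructed "yesterday" L7 flow summaries, one per observed transfer
RAW_FLOWS = [
    {"day": "2012-09-01", "host": "10.1.1.42", "dst_ip": "198.51.100.7",
     "server_name": "a1.cdn-sync.example", "payload": b"abc"},
    {"day": "2012-09-01", "host": "10.1.1.11", "dst_ip": "192.0.2.80",
     "server_name": "www.example.com", "payload": b"<html>hello</html>"},
]
RAW_MAIL = [
    {"day": "2012-09-01", "host": "alice@corp.example",
     "body": "Sign in: http://portal-login.example/auth"},
]
RAW_HOSTS = [
    {"day": "2012-09-01", "host": "JSMITH-LT",
     "registry": {r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\updater": r"C:\Users\Public\svc.exe"},
     "patches": ["KB0000001"]},
    {"day": "2012-09-01", "host": "AGREEN-LT",
     "registry": {},
     "patches": ["KB0000001", "KB0000002"]},
]


def extract(flows, mail, hosts):
    """Reduce bulky raw data to (day, host, kind, value) rows once, at capture time."""
    rows = []
    for f in flows:
        rows.append((f["day"], f["host"], "domain", f["server_name"]))
        rows.append((f["day"], f["host"], "ip", f["dst_ip"]))
        # MD5 only because that is what AV feeds of the period publish; it is
        # a lookup key here, not an integrity check.
        rows.append((f["day"], f["host"], "md5", hashlib.md5(f["payload"]).hexdigest()))
    for m in mail:
        for url in URL_RE.findall(m["body"]):
            rows.append((m["day"], m["host"], "url", url))
    for h in hosts:
        for key, val in h["registry"].items():
            rows.append((h["day"], h["host"], "registry", f"{key}={val}"))
        for kb in h["patches"]:
            rows.append((h["day"], h["host"], "patch", kb))
    return rows


def build_index(rows):
    """Inverted index (kind, value) -> {(day, host)}: the only part kept hot."""
    index = defaultdict(set)
    for day, host, kind, value in rows:
        index[(kind, value.lower())].add((day, host))
    return index


# Constructed feed that arrived after the data above was captured
NEW_IOCS = [
    ("domain", "a1.cdn-sync.example", "blacklist 2012-09-14"),
    ("md5", "900150983cd24fb0d6963f7d28e17f72", "AV signature 2012-09-14"),
    ("url", "http://portal-login.example/auth", "phishing feed"),
    ("ip", "203.0.113.9", "IPS signature"),   # never seen: produces no hit
]


def retro_hunt(index, iocs):
    """Which hosts, on which days, touched each new indicator? Exact match on
    the normalized value; a real deployment would also match parent domains."""
    hits = []
    for kind, value, source in iocs:
        seen = index.get((kind, value.lower()))
        if seen:
            hits.append({"kind": kind, "ioc": value, "source": source, "seen": sorted(seen)})
    return hits


def hosts_missing_patch(rows, kb):
    """A newly critical patch applied to yesterday's inventory: who lacks it?"""
    inventoried = defaultdict(set)
    for _, host, kind, value in rows:
        if kind == "patch":
            inventoried[host].add(value.upper())
    return sorted(h for h, kbs in inventoried.items() if kb.upper() not in kbs)


if __name__ == "__main__":
    rows = extract(RAW_FLOWS, RAW_MAIL, RAW_HOSTS)
    for hit in retro_hunt(build_index(rows), NEW_IOCS):
        print(hit)
    print("missing KB0000002:", hosts_missing_patch(rows, "KB0000002"))
```

The point of extracting at capture time is that the index stays small and answerable in seconds while the packet capture itself can be archived cold; when a feed arrives weeks later, the question "who talked to this, and when" is a set lookup rather than a re-parse of the stored traffic.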

Page 18:

Designing a Purpose-Built Security Intelligence Solution with Big Data Analytics

Page 19:

IBM QRadar: More than a SIEM it is a Security Intelligence Platform

SIEM / Log Management

Configuration & Vulnerability Management

Network Activity & Anomaly Detection

Network and Application Visibility

Purpose-Built Security Intelligence Solution:
• Pre-built support for 100s of scenarios
• Capability to ingest security data from 1000s of IT devices and numerous data feeds including X-Force
• Single Console with Unified Data Architecture
• Powerful correlation engine to add security context to data
• Rich Asset Database with profiles of assets, applications, vulnerabilities and other security related content

QRadar:
• Filters out the noise, improves incident & offense identification
• Enables proactive detection of targeted & zero-day attacks
• Is scalable to add more data sources and extensible to incorporate logic to detect new attack patterns

Page 20:

High Volume Security Events and Network Activity -> QRadar -> High Priority Security Offenses

IBM QRadar Big Data Capabilities / Customer Results:

New SIEM appliances with massive scale
  Result: Quickly find critical insights among 1000s of devices and years of data

Payload indexing for rapid ad hoc query leveraging a purpose-built data store
  Result: Search 7M+ events in <0.2 sec

Google-like Instant Search of large data sets (both logs and flows)
  Result: Instant, free-text searching for easier and faster forensics

Intelligent data policy management
  Result: Granular management of log and flow data

Advanced Threat Visualization and Impact Analysis
  Result: Attack path visualization and device / interface mapping

QRadar uses Big Data capabilities to identify critical security events

Page 21:

Big Data Processing

•Long-term, multi-PB storage

•Unstructured and structured

•Distributed Hadoop infrastructure

•Real-time stream computing

•Preservation of raw data

•Enterprise Integration

Big Data Platform

Analytics and Forensics

• Advanced visuals and interaction

• Predictive & decision modeling

• Ad hoc queries

• Interactive visualizations

• Collaborative sharing tools

• Pluggable, intuitive UI

Security Intelligence Platform

Real-time Processing

•Real-time network data correlation

•Anomaly detection

•Event and flow normalization

•Security context & enrichment

•Distributed architecture

Security Operations

•Pre-defined rules and reports

•Offense scoring & prioritization

•Activity and event graphing

•Compliance reporting

•Workflow management

Integrated analytics and exploration in a new architecture

Page 22:

Design Pattern: Security Intelligence Employing Big Data

Visualizations & Reporting

Operational Management

Data Exploration

Security IQ

Page 23:

IBM’s Purpose-Built Security Intelligence with Big Data Solution

Coupling Real-time Security Analysis With Asymmetric Big Data Analytics

Broaden the use cases supported while enabling ad hoc analysis:
– Establish a Baseline
– Counter Cyber Attacks
– Qualify Insider Threats
– Protect against Advanced Persistent Threats
– Mitigate Fraud
– Predict Hacktivism

Page 24:

Cyber Intelligence

1. IBM QRadar Security Intelligence: unified architecture for collecting, storing, analyzing and querying log, threat, vulnerability and risk related data

2. IBM Big Data Platform (Streams, BigInsights, Netezza): addresses the speed and flexibility required for customized data exploration, discovery and unstructured analysis

3. IBM i2 Analyst’s Notebook: helps analysts investigate fraud by discovering patterns and trends across volumes of data

4. IBM SPSS: unified product family to help capture, predict, discover trends, and automatically deliver high-volume, optimized decisions

Page 25:

New architecture to leverage all data and analytics

Inputs: Data in Motion / Data at Rest / Data in Many Forms

Information Ingestion and Operational Information (Stream Processing, Data Integration, Master Data)

Landing Area, Analytics Zone and Archive (Raw Data, Structured Data, Text Analytics, Data Mining, Entity Analytics, Machine Learning)

Real-time Analytics on Streams (Video/Audio, Network/Sensor, Entity Analytics, Predictive)

Consumers: Decision Management / BI and Predictive Analytics / Navigation and Discovery / Intelligence Analysis

Information Governance, Security and Business Continuity

Security Intelligence Platform:
• Data collection and enrichment
• Event correlation
• Real-time analytics
• Offense prioritization

Page 26:

Customizing & Extending IBM’s Security Intelligence with Big Data Solution

Triggers for Specific Capabilities to Augment the Core Security Intelligence with Big Data Solution:

Ingesting and pre-processing domain- or industry-specific, very high velocity data streams for correlation with cyber security data

Example Data Sources:
• Telecom: Customer Data Records
• Energy & Utilities: Grid Sensor Data
• Surveillance: Video/Audio content

Performing advanced statistical, predictive and/or identity analytics on all data captured to yield security insights

Example Analysis:
• Visualize linkages of users to privileged identities
• Which user group has the highest propensity for insider fraud?

Executing frequently repeated queries and other analytical workloads best suited for massive parallel processing on warehoused, security-enriched data

Example Queries:
• Quarterly reporting on historical warehoused security data

Page 27:

Learn more about Security Intelligence with Big Data

Watch a demonstration: http://ibm.co/1cn4O6Z

Blog: www.securityintelligence.com

Website: http://ibm.co/SIBD

Read our White Paper: http://ibm.co/Big_Data

Download the latest ESG report on Big Data Security Analytics: http://ibm.co/early_leader

Page 28:

ibm.com/security

© Copyright IBM Corporation 2012. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind, express or implied. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, these materials. Nothing contained in these materials is intended to, nor shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software. References in these materials to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates. Product release dates and/or capabilities referenced in these materials may change at any time at IBM’s sole discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any way. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service marks of others.

Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed or misappropriated or can result in damage to or misuse of your systems, including to attack others. No IT system or product should be considered completely secure and no single product or security measure can be completely effective in preventing improper access. IBM systems and products are designed to be part of a comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective. IBM DOES NOT WARRANT THAT SYSTEMS AND PRODUCTS ARE IMMUNE FROM THE MALICIOUS OR ILLEGAL CONDUCT OF ANY PARTY.