ibm security overview bp enablement 22 feb-2012 v harper

Upload: arrow-ecs-uk

Post on 19-Jan-2015

Page 1: Ibm security overview bp enablement 22 feb-2012 v harper

© 2012 IBM Corporation

IBM Security Systems

IBM Security: Intelligence, Integration and Expertise

Vaughan Harper, IBM Security Architect

22 February, 2012

Page 2: Ibm security overview bp enablement 22 feb-2012 v harper


The world is becoming more digitized and interconnected, opening the door to emerging threats and leaks…

EVERYTHING IS EVERYWHERE

Organizations continue to move to new platforms including cloud, virtualization, mobile, social business and more

CONSUMERIZATION OF IT

With the advent of Enterprise 2.0 and social business, the line between personal and professional hours, devices and data has disappeared

DATA EXPLOSION

The age of Big Data – the explosion of digital information – has arrived and is facilitated by the pervasiveness of applications accessed from everywhere

ATTACK SOPHISTICATION

The speed and dexterity of attacks have increased, coupled with new actors with new motivations, from cyber crime to terrorism to state-sponsored intrusions

Page 3: Ibm security overview bp enablement 22 feb-2012 v harper


Targeted Attacks Shake Businesses and Governments

IBM Security X-Force® 2011 Midyear Trend and Risk Report September 2011

Figure: timeline (February to August 2011) of publicly reported breaches; the size of each circle estimates the relative impact of the breach.

Attack types shown: SQL Injection, URL Tampering, Spear Phishing, 3rd Party SW, DDoS, SecurID, Unknown

Organizations shown: Sony, Epsilon, L3 Communications, Sony BMG, Greece, US Senate, NATO, AZ Police, Turkish Government, SK Communications, Korea, Monsanto, RSA, HB Gary, Nintendo, Brazil Gov., Lockheed Martin, Vanguard Defense, Booz Allen Hamilton, PBS, SOCA, Malaysian Gov. Site, Peru Special Police, Gmail Accounts, Spanish Nat. Police, Citigroup, Sega, Fox News X-Factor, Italy PM Site, IMF, Northrop Grumman, Bethesda Software

Page 4: Ibm security overview bp enablement 22 feb-2012 v harper


IT Security is a board room discussion

Business results

Sony estimates potential $1B long term impact –$171M / 100 customers*

Supply chain

Epsilon breach impacts 100 national brands

Legal exposure

TJX estimates $150M class action settlement in release of credit / debit card info

Impact of hacktivism

LulzSec 50-day hack-at-will spree impacts Nintendo, CIA, PBS, UK NHS, UK SOCA, Sony …

Audit risk

Zurich Insurance plc fined £2.275M ($3.8M) for the loss and exposure of 46K customer records

Brand image

HSBC data breach discloses 24K private banking customers

*Sources for all breaches shown in speaker notes

Page 5: Ibm security overview bp enablement 22 feb-2012 v harper


Solving a security issue is a complex, four-dimensional puzzle


Figure: the four dimensions and what each contains

People: Employees, Consultants, Hackers, Terrorists, Outsourcers, Customers, Suppliers

Data: Structured, Unstructured, At rest, In motion

Applications: Systems applications, Web applications, Web 2.0, Mobile apps

Infrastructure

It is no longer enough to protect the perimeter – siloed point products will not secure the enterprise

Page 6: Ibm security overview bp enablement 22 feb-2012 v harper


In this “new normal”, organizations need an intelligent view of their security posture

Figure: security maturity chart. Horizontal axis runs from Manual to Automated, vertical axis from Reactive to Proactive; the levels Basic, Proficient and Optimized lead toward Security Intelligence.

Optimized: Organizations use predictive and automated security analytics to drive toward security intelligence

Proficient: Security is layered into the IT fabric and business operations

Basic: Organizations employ perimeter protection, which regulates access and feeds manual reporting

Page 7: Ibm security overview bp enablement 22 feb-2012 v harper


IBM Security: Delivering intelligence, integration and expertise across a comprehensive framework

Intelligence ● Integration ● Expertise

• Only vendor in the market with end-to-end coverage of the security foundation

• 6K+ security engineers and consultants

• Award-winning X-Force® research

• Largest vulnerability database in the industry

Page 8: Ibm security overview bp enablement 22 feb-2012 v harper


Intelligence: Leading products and services in every segment

Page 9: Ibm security overview bp enablement 22 feb-2012 v harper


Expertise: Unmatched global coverage and security awareness

• 20,000+ devices under contract

• 3,700+ MSS clients worldwide

• 9B+ events managed per day

• 1,000+ security patents

• 133 monitored countries (MSS)


World Wide Managed Security Services Coverage

Security Operations Centers

Security Research Centers

Security Solution Development Centers

Institute for Advanced Security Branches

IBM Research

Page 10: Ibm security overview bp enablement 22 feb-2012 v harper


Problem #1: Passwords…

• Most users need to log on to multiple systems to do their job

• It takes time to log on to each system

• It’s difficult to remember all the passwords

• It’s impossible to remember all your passwords if they’re all strong, all different, and some are used infrequently

• Volume of different applications (17 applications for one user we were talking to)

Page 11: Ibm security overview bp enablement 22 feb-2012 v harper


Demonstration…

Page 12: Ibm security overview bp enablement 22 feb-2012 v harper


Latest IBM Security Access Manager for Enterprise Single Sign-On: Desktop Single Sign-On, Strong Authentication and Fine-Grained User Activity Audit Logs

• Virtual Appliance for faster time to value

- Easier deployment and management leading to lower TCO

• Virtualized desktops and applications virtualization support

- Support VMware View, IBM Virtual Desktop for Smart Business

- Desktop access to virtualized MSFT App-V or Citrix XenApp

• Wider platform support

- Support for Win 7 64-bit, Win 2008, Internet Explorer 8 & 9

• Enhanced Strong Authentication Support

- Hybrid RFID smart card, support for National IDs

Key solution highlights

Reduce help desk costs, improve productivity and strengthen security on traditional, virtual, shared desktop environments

Business challenge

Simplify password management and strengthen end user security

“IBM’s Security Access Manager for Enterprise Single Sign-On helped achieve an ROI of 244% over 3 years with a payback period of 11 months” (Large UK financial services company)

Page 13: Ibm security overview bp enablement 22 feb-2012 v harper


Problem #2: Badly developed websites…

Page 14: Ibm security overview bp enablement 22 feb-2012 v harper


Application Vulnerabilities Continue to Dominate

Web application vulnerabilities represented the largest category in vulnerability disclosures (55% in 2008)

In 1H09, 50.4% of all vulnerabilities are Web application vulnerabilities

SQL injection and Cross-Site Scripting are neck and neck in a race for the top spot

Chart: Vulnerability Disclosures Affecting Web Applications (Cumulative, Year Over Year), 1998 through 2009 H1; vertical axis from 0 to 18,000 disclosures.

Source: IBM Internet Security Systems 2009 X-Force® Mid-Year Trend & Risk Report

Page 15: Ibm security overview bp enablement 22 feb-2012 v harper


Why Security Matters?

ICO £500K fines from 6th April 2010

• New powers to impose fines of up to £500,000 for serious breaches of the DPA will come into force on 6 April

Data Breach Notification Law approved by EU

• Member states required to introduce the new rules by May 2011

PCI Compliance

• New prioritised approach in place, banks and card acquirers demanding progress

Other Compliance

• Basel II, Sarbanes Oxley, ISO 27001 etc…

Non-compliance reasons

• Reputational damage

• Fraud, etc

Page 16: Ibm security overview bp enablement 22 feb-2012 v harper


IBM Rational AppScan End-to-End Application Security

Figure: the AppScan portfolio mapped across the development lifecycle: Requirements → Code → Build → QA → Security → Production

Requirements: Security Requirements Definition – security requirements defined before design & implementation

Code: AppScan Source – build security testing into the IDE

Build: automate security / compliance testing in the build process

QA: AppScan Tester – security / compliance testing incorporated into testing & remediation workflows

Security: AppScan Standard – security & compliance testing, oversight, control, policy, audits

Production: AppScan onDemand (SaaS) – outsourced testing for security audits & production site monitoring

Across all stages: AppScan Enterprise / Reporting Console (enterprise-wide scanning and reporting)

Application Security Best Practices

Page 17: Ibm security overview bp enablement 22 feb-2012 v harper


IBM Rational AppScan End-to-End Application Security

Security stage: AppScan Standard – security & compliance testing, oversight, control, policy, audits

• IBM Rational AppScan: A Web Application Security Scanner

– Helps users find and remediate application-layer security issues in their web applications & web services

• IBM Rational AppScan Standard or Express Edition

– A standalone desktop application

• Who uses it?

– Security Auditors and IT Security Teams – to reach beyond network security

– QA engineers – to add security to functionality & performance testing

– Developers (to a lesser extent) – wanting to be proactive about security

Page 18: Ibm security overview bp enablement 22 feb-2012 v harper


How does AppScan work?

• Approaches an application as a black box

• Traverses the web application and builds the site model

• Determines the attack vectors based on the selected test policy

• Tests by sending modified HTTP requests to the application and examining the HTTP response according to validation rules

Figure: HTTP requests flow from AppScan to the web application, and the HTTP responses flow back for examination
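The four steps above, as an added example that is not code from the deck or from AppScan: a toy black-box scanner that crawls a mock application to build a site model, derives tests from a small test policy, sends modified requests for each parameter, and checks the responses against validation rules. The mock application (two endpoints, one of which echoes input unescaped), the probe marker and the policy are constructed for this example so it runs offline.

```python
"""Toy black-box web application scanner.

Added example, not code from the IBM deck or from AppScan itself. It follows
the four steps on the slide: treat the application as a black box, traverse
it to build a site model, derive tests from a test policy, and send modified
HTTP requests whose responses are checked against validation rules. The mock
application, its two endpoints and the probe marker are all constructed here
so the example runs offline.
"""
import html
import re
from urllib.parse import parse_qs, urlparse


def mock_app(method, url, params):
    """Constructed stand-in for the target: returns (status, body)."""
    path = urlparse(url).path
    if path == "/":
        return 200, ('<a href="/search?q=test">search</a> '
                     '<a href="/greet?name=world">greet</a>')
    if path == "/search":
        # Escapes the parameter before echoing it: reflection is harmless here.
        return 200, "<p>Results for %s</p>" % html.escape(params.get("q", ""))
    if path == "/greet":
        # Echoes the parameter verbatim into HTML: the defect the scan should find.
        return 200, "<p>Hello %s</p>" % params.get("name", "")
    return 404, "not found"


# Probe value: a tag-like token that an escaping application would encode
# (&lt;...&gt;) and a non-escaping one would return verbatim.
MARKER = "<zz-scan-marker>"

# Test policy: (test name, modified parameter value, validation rule).
# Each validation rule looks at the HTTP status and body of the response.
TEST_POLICY = [
    ("unescaped-reflection", MARKER, lambda status, body: MARKER in body),
    # Second rule kept to show the policy shape; the mock app never returns 5xx.
    ("server-error", "'", lambda status, body: status >= 500),
]


def build_site_model(app, start="/"):
    """Traverse the application from `start`; return {path: set(parameter names)}."""
    model = {}
    queue, seen = [start], set()
    while queue:
        url = queue.pop(0)
        if url in seen:
            continue
        seen.add(url)
        parsed = urlparse(url)
        params = {k: v[0] for k, v in parse_qs(parsed.query).items()}
        _status, body = app("GET", url, params)
        model.setdefault(parsed.path, set()).update(params)
        # Follow every href found in the page (relative, same-site links only).
        for href in re.findall(r'href="([^"]+)"', body):
            if href not in seen:
                queue.append(href)
    return model


def scan(app, policy=TEST_POLICY):
    """Run every policy test against every parameter in the site model."""
    findings = []
    for path, names in sorted(build_site_model(app).items()):
        for name in sorted(names):
            for test_name, payload, validate in policy:
                status, body = app("GET", path, {name: payload})
                if validate(status, body):
                    findings.append({"test": test_name, "path": path, "param": name})
    return findings


if __name__ == "__main__":
    for finding in scan(mock_app):
        print("%(test)s: %(path)s parameter %(param)r" % finding)
```

The split between the test policy and the validation rules is the point to take away: the scanner never knows what the application does internally, it only knows which modified inputs to send and what a response must look like for a rule to fire, which is why the escaped `/search` endpoint passes and the unescaped `/greet` endpoint is reported.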

Page 19: Ibm security overview bp enablement 22 feb-2012 v harper


The ROI of Application Security Testing

Cost Avoidance – of a security breach

Costs as a result of a security breach can include (but are not limited to) audit fees, legal fees, regulatory fines, lost customer revenue and brand damage

Cost Savings – of automated vs manual testing

Automated testing provides tremendous productivity savings over manual testing. Automated source code testing with periodic penetration testing allows for cost effective security analysis of applications

The cost to companies is $202 per compromised record**

The average cost per data breach is $6.6 Million**

Outsourced audits can cost $10,000 to $50,000 per application

At $20,000 an app, 50 audits will cost $1M.

With 1 hire + 4 quarterly outsourced audits (ex: $120,000+$80,000), $800,000/yr can be saved (less the cost of testing software)

* Source: Capers Jones, Applied Software Measurement, 1996

** Source: Ponemon Institute, Privacy Rights Clearinghouse, 2008

Cost Savings – of testing early in the development process

80% of development costs are spent identifying and correcting defects. Testing for vulnerabilities earlier in the development process can help avoid that unnecessary expense

Cost of finding & fixing problems: code stage is $25, QA/Testing is $450, Production $16,000 *

E.g.: 50 applications annually & 25 issues per application, testing at code stage saves $780,000 over testing at QA stage.

Page 20: Ibm security overview bp enablement 22 feb-2012 v harper


AppScan Product Path (figure)

AppScan Express (single user)

→ More than 1 user: upgrade to floating licence

AppScan Standard (floating user), one licence per user

→ Multiple users: enterprise-wide reporting & visibility

AppScan Reporting Console (enterprise-wide reporting)

Page 21: Ibm security overview bp enablement 22 feb-2012 v harper


Recent UK General Business sales…

Q3 2011 – UK digital media production company

• A UK digital media production company had been using some open source tools for security testing and had suffered some recent security incidents that were driving them to improve their security posture

• Initial demonstration of AppScan via webinar on 22nd August. Evaluation of AppScan completed via webinars over the following weeks. Deal for one licence of AppScan Standard Edition closed within the quarter.

Q4 2011 – UK publishing company

• UK magazine company: increasing focus on online content is driving a greater need for security

• Initial demonstration of AppScan via webinar during October. Evaluation of AppScan completed within 1 week via onsite visit on 16th November. Deal for one licence of AppScan Standard Edition closed within the quarter.

Page 22: Ibm security overview bp enablement 22 feb-2012 v harper


Problem #3: Managing workstations and servers…

How long does it take you to…

…determine the number of PCs that are infected?

…patch all infected systems and protect the healthy ones?

…realize that a user/malware just uninstalled a critical patch?

…deploy patches not only on Windows but on Linux, AIX, Solaris or Mac OS X?

Page 23: Ibm security overview bp enablement 22 feb-2012 v harper


Tivoli Endpoint Manager: See More, Secure More

• Asset Discovery and Visibility

• Patch Management

• Security Configuration Management

• Vulnerability Management

• Multi-Vendor Endpoint Protection Management

• Network Self Quarantine

Tivoli Endpoint Manager for Security & Compliance

Discover 10% - 30% more assets than previously reported

Achieve 95%+ first-pass success rates within hours of policy or patch deployment

Library of 5,000+ compliance settings, including support for FDCC SCAP, DISA STIG

Automatically and continuously enforce policy at the end point

Page 24: Ibm security overview bp enablement 22 feb-2012 v harper


The Tivoli Endpoint Manager Approach

Figure: regulatory and standards frameworks (including ISO/IEC 27001 and PIPEDA/PIPA) mapped to Reporting and Enforcement on 5,000+ Controls

Page 25: Ibm security overview bp enablement 22 feb-2012 v harper


TEM for SCM – Meeting Endpoint Compliance Requirements

Requirement | PCI | ISO 27001 | COBIT | NIST 800-53

Implement anti-malware and keep endpoints current | 5.1, 5.2 | A12.6 | DS5.9 | SI-3

Define, implement, and enforce security configuration baselines | 2.1, 2.2, 6.2 | A12.1, A15.2 | DS9 | CM-2, 4, 6

Keep endpoints patched | 6.1 | A12.6 | DS5.9 | CM-2

Perform regular vulnerability scans and address findings | 11.2 | A12.6 | PO9.3 | RA-5

Keep a current network diagram, know when things are added to the network | 1.1 | A7.1 | DS13.3 | CM-8

Install, maintain endpoint firewalls, NAC | 1.4 | A11.4 | DS5.10 | AC-19

Page 26: Ibm security overview bp enablement 22 feb-2012 v harper


Compliance Dashboard / Reporting

• Real-time and historical visibility into the state of compliance

• Identify critical gaps in compliance to defined policy

• Customize dashboard to create different “lenses” into the compliance state

– Computer Groups

– Categories

– Policy Templates

• Drill down into specific details of non-compliant or compliant systems

• Compliance-focused executive reporting via web reports and DSS

Page 27: Ibm security overview bp enablement 22 feb-2012 v harper


Security & Compliance Customer Success Stories

Financial Company

• Failed internal audit of information security configuration compliance

• Highly distributed infrastructure with centralized visibility and reporting

• Customized SCM Controls to meet internal SCM requirements

Retail Chain

• Failed PCI audit due to poor configuration policy enforcement

• No visibility into system configurations and no ability to report on compliance status

• No ability to enforce configuration standards across infrastructure

• Leveraged SCM Controls to achieve PCI-specific requirements

Government Agency

• Ongoing failures to secure systems and mitigate against threats caused by poorly configured and badly managed systems

• Systems highly susceptible to internal abuse and external attack

• Leveraged out-of-the-box DISA STIG SCM checklists to assess compliance and automate remediation of non-compliant systems.

Page 28: Ibm security overview bp enablement 22 feb-2012 v harper


Problem #4: Network threats…

IBM Security Research and Development: X-Force

• X-Force R&D team discovers and analyzes previously unknown vulnerabilities in critical software and infrastructure such as e-mail, networks, Internet applications, security protocols, business applications and VoIP.

• In addition to its own research, X-Force reviews each published vulnerability in order to monitor the threat landscape, determine new attack vectors, and offer a higher level of protection.

• One of X-Force’s publications is the quarterly Threat Insight report

Source: IBM X-Force Database

Page 29: Ibm security overview bp enablement 22 feb-2012 v harper


Preemptive Ahead of the Threat Security – backed up by data

Top 61 Vulnerabilities 2009

• 341 average days Ahead of the Threat

• 91 median days Ahead of the Threat

• 35 vulnerabilities Ahead of the Threat

• 57% of top vulnerabilities Ahead of the Threat

• 9 with protection released post announcement

• 17 with same day coverage

1H2010 – Average days Ahead of the Threat increased to 437!

Page 30: Ibm security overview bp enablement 22 feb-2012 v harper


IBM Security Network IPS

• IBM Security Network IPS is an appliance

• Core protection engine – Protocol Analysis Module (PAM) – delivers the most efficient IPS engine available

• Vulnerability-based protection requires fewer detection algorithms than competitive solutions that require a new signature for every new exploit

• Clients benefit with greater protection from fewer detection algorithms

– Provides capacity for new features like Content Analysis and Web application security

– Protection for older threats doesn’t have to be removed to maintain speed / performance

• Clients benefit as X-Force continues to invest in PAM

– Multithreaded version in development

IBM is the first vendor to secure three NSS Labs Gold Awards in a row

http://nsslabs.blogspot.com/2009/05/nss-awards-first-gold-in-5-years.html
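The claim above that vulnerability-based protection needs fewer detection algorithms than a signature per exploit, as an added example that is not code from the deck or from the PAM engine: two detectors run over the same constructed traffic for a toy protocol. One matches a list of exploit signatures, the other checks the single condition that triggers the (hypothetical) flaw, a field longer than the buffer the server has for it. The protocol, the 32-byte limit, the signatures and every sample message are invented here.

```python
"""Vulnerability-based versus exploit-signature detection.

Added example, not code from the IBM deck or from the PAM engine. It
illustrates the slide's claim that describing the vulnerable condition needs
fewer detection rules than writing a signature per exploit. The toy protocol,
its field limit, the signatures and all sample traffic are constructed here.
"""

# Constructed toy protocol: a line "USER <name>\r\n", where a hypothetical
# vulnerable server copies <name> into a fixed 32-byte buffer.
MAX_USER_LEN = 32

# Exploit-signature approach: one pattern per exploit already seen. Every new
# variant needs a new entry, and old entries must stay to keep old coverage.
EXPLOIT_SIGNATURES = [
    b"USER " + b"A" * 40,      # constructed "variant A"
    b"USER " + b"\x90" * 40,   # constructed variant with different filler
]


def signature_detect(msg):
    """Flag a message only if it starts with a known exploit pattern."""
    return any(msg.startswith(sig) for sig in EXPLOIT_SIGNATURES)


# Vulnerability-based approach: one check describing the condition that
# triggers the flaw, regardless of how a particular exploit is dressed up.
def vulnerability_detect(msg):
    """Flag any USER command whose name field exceeds the server's buffer."""
    if not msg.startswith(b"USER "):
        return False
    field = msg[len(b"USER "):].split(b"\r\n", 1)[0]
    return len(field) > MAX_USER_LEN


# Constructed sample traffic, including a variant neither signature knows.
SAMPLE_TRAFFIC = {
    "benign login": b"USER alice\r\n",
    "benign name at the limit": b"USER " + b"b" * MAX_USER_LEN + b"\r\n",
    "known variant A": b"USER " + b"A" * 40 + b"\r\n",
    "known variant with other filler": b"USER " + b"\x90" * 40 + b"\r\n",
    "novel variant": b"USER " + b"Z" * (MAX_USER_LEN + 1) + b"\r\n",
}


def compare(traffic=SAMPLE_TRAFFIC):
    """Return {label: (signature_hit, vulnerability_hit)} for each message."""
    return {label: (signature_detect(m), vulnerability_detect(m))
            for label, m in traffic.items()}


def missed_by_signatures(traffic=SAMPLE_TRAFFIC):
    """Labels the vulnerability check catches but the signature list misses."""
    return [label for label, (sig, vuln) in compare(traffic).items()
            if vuln and not sig]


if __name__ == "__main__":
    for label, (sig, vuln) in compare().items():
        print("%-32s signature=%-5s vulnerability=%s" % (label, sig, vuln))
    print("missed by signatures:", missed_by_signatures())
```

The "benign name at the limit" message matters as much as the novel variant: a vulnerability check is only cheaper than a signature list if its boundary is exact, otherwise it trades missed variants for false positives on legitimate traffic.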

Page 31: Ibm security overview bp enablement 22 feb-2012 v harper


IBM Virtual Server Protection for VMware: Integrated threat protection for VMware vSphere 4

• 5 Security Features

– Rootkit Detection, Firewall, Intrusion Prevention, Virtual Network Admission Control, Auditing.

• VSP cannot monitor host-based events (e.g. file integrity) which require local installation

• VSP plugs into VMsafe and therefore cannot prevent threats to the underlying hardware and virtual network cards.

Page 32: Ibm security overview bp enablement 22 feb-2012 v harper


ibm.com/security

© Copyright IBM Corporation 2012. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind, express or implied. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, these materials. Nothing contained in these materials is intended to, nor shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software. References in these materials to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates. Product release dates and/or capabilities referenced in these materials may change at any time at IBM’s sole discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any way. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service marks of others.