
Page 1: Trends in Security Intelligence Jonathan Fraleigh

© 2013 IBM Corporation

IBM Security

1 IBM Confidential

Trends in Security and Security Intelligence

Jon Fraleigh

Security Intelligence World Wide Sales Leader

November, 2013

Page 2

Targeted attacks remain top of mind

Saudi Arabia Says Aramco Cyberattack Came From Foreign States

– Bloomberg, Dec 2012

How to Hack Facebook In 60 Seconds

– InformationWeek, June 2013

Hackers in China Attacked The Times for the Last 4 Months

– The New York Times, Jan 2013

Fed Acknowledges Cybersecurity Breach

– The Wall Street Journal, Feb 2013

South Carolina taxpayer server hacked, 3.6 million Social Security numbers compromised

– CNN, Oct 2012

Facebook hacked in 'sophisticated attack'

– The Guardian, Feb 2013

Adobe Systems Reports Attack on Its Computer Network

– The Wall Street Journal, Oct 2013

Apple Hacked: Company Admits Development Website Was Breached

– Huffington Post, July 2013

Chinese hacking of US media is 'widespread phenomenon'

– Wired, Feb 2013

Page 3

Source: IBM Security X-Force® 2011 and 2012 Trend and Risk Reports; IBM Security X-Force 2013 Mid Year Trend and Risk Report

Page 4

What is Security Intelligence?

Security Intelligence

--noun

1. The real-time collection, normalization, and analysis of the data generated by users, applications, and infrastructure that impacts the IT security and risk posture of an enterprise.

2. A complete approach to defending an organization’s critical assets, intellectual property, and private data using advanced anomaly detection capabilities balanced with preventative risk and vulnerability management activities.

Delivers actionable and comprehensive insight for managing risks and combatting threats, from protection and detection through remediation and mitigation

Page 5

Security Intelligence & Business Intelligence offer insightful parallels

[Figure: two product timelines plotted against a vertical "Market Changes" axis and a horizontal "Time" axis]

IBM Security Intelligence timeline: Managed Security Services; Mainframe and Server Security - RACF; SOA Security; Network Intrusion Prevention; Database Monitoring; Identity and Access Management; Application Security; Security as a Service; Compliance Management; Security Intelligence; DASCOM

IBM Business Intelligence timeline: Enterprise Reporting; Performance Management Platform; Business Intelligence Suite; IOD Business Optimization; BI Convergence with Collaboration; Text & Social Media Analytics; Simplified Delivery (i.e., Cloud); Predictive Analytics; Decision Management; BI Convergence with Security

Page 6

Solutions for the full Security Intelligence timeline

Prediction & Prevention: Risk Management. Vulnerability Management. Configuration and Patch Management. X-Force Research and Threat Intelligence. Compliance Management. Reporting and Scorecards.

Questions for this half of the timeline: What are the external and internal threats? Are we configured to protect against these threats?

Reaction & Remediation: Network and Host Intrusion Prevention. Network Anomaly Detection. Packet Forensics. Database Activity Monitoring. Data Leak Prevention. Security Information and Event Management. Log Management. Incident Response.

Questions for this half of the timeline: What is happening right now? What was the impact?

Page 7

Built upon common foundation of QRadar SIOS

Security Intelligence Operating System (SIOS) components: Normalization, Real-Time Viewer, Workflow, Rules Engine, Analytics Engine, Reporting Engine, Warehouse / Archival, Reporting API, Forensics API

Inputs handled by SIOS: LEEF, AXIS, Configuration, NetFlow, Offense

Security Intelligence Solutions built on SIOS: QRadar SIEM, QRadar Log Manager, QRadar Risk Manager, QRadar QFlow and VFlow, QRadar Vulnerability Manager (new)

Page 8

Taking in data from wide spectrum of feeds

Page 9

And continually adding context for increased accuracy

Security Intelligence Feeds: Internet Threats, Geo Location, Vulnerabilities

Page 10

Deployed upon scalable appliance architecture

Log Management
• Turn-key log management and reporting
• SME to Enterprise
• Upgradeable to enterprise SIEM

SIEM
• Log, flow, vulnerability & identity correlation
• Sophisticated asset profiling
• Offense management and workflow

Network Activity & Anomaly Detection
• Network analytics
• Behavioral anomaly detection
• Fully integrated in SIEM

Network and Application Visibility
• Layer 7 application monitoring
• Content capture for deep insight & forensics
• Physical and virtual environments

Configuration & Vulnerability Management
• Network security configuration monitoring
• Vulnerability scanning & prioritization
• Predictive threat modeling & simulation

Scale
• Event Processors
• Network Activity Processors
• High Availability & Disaster Recovery
• Stackable Expansion

Page 11

Security Intelligence Use Case Examples

Page 12

Overview of use cases

Detecting threats: Arm yourself with comprehensive security intelligence

Consolidating data silos: Collect, correlate and report on data in one integrated solution

Detecting insider fraud: Next-generation SIEM with identity correlation

Better predicting risks to your business: Full life cycle of compliance and risk management for network and security infrastructures

Addressing regulation mandates: Automated data collection and configuration audits

Page 13

Challenge 1: Detecting Threats

Potential Botnet Detected? This is as far as traditional SIEM can go.

IRC on port 80? IBM Security QRadar QFlow detects a covert channel.

Irrefutable Botnet Communication: Layer 7 flow data contains botnet command control instructions.

Application layer flow analysis can detect threats others miss

Page 14

Challenge 2: Consolidating Data Silos

Analyzing both flow and event data. Only IBM Security QRadar fully utilizes Layer 7 flows.

Reducing big data to manageable volumes

Advanced correlation for analytics across silos

Data Reduction Ratio: 1,153,571 : 1

Page 15

Challenge 3: Detecting Insider Fraud

Potential Data Loss: Who? What? Where?

Who? An internal user

What? Oracle data

Where? Gmail

Threat detection in the post-perimeter world: user anomaly detection and application level visibility are critical to identify inside threats

Page 16

Challenge 4: Better Predicting Risks to Your Business

Assess assets with high-risk input manipulation vulnerabilities

Which assets are affected? How should I prioritize them?

What are the details? Vulnerability details, ranked by risk score

How do I remediate the vulnerability?

Pre-exploit Security Intelligence: monitor the network for configuration and compliance risks, and prioritize them for mitigation

Page 17

Challenge 5: Addressing Regulatory Mandates

Unencrypted Traffic: IBM Security QRadar QFlow saw a cleartext service running on the Accounting server

PCI Requirement 4 states: Encrypt transmission of cardholder data across open, public networks

PCI compliance at risk? Real-time detection of possible violation

Compliance Simplified: out-of-the-box support for major compliance and regulatory standards; automated reports, pre-defined correlation rules and dashboards
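Challenges 1 and 5 both rest on the same mechanism: classifying a flow by what its payload actually carries rather than by its destination port, then testing the result against a rule. The following is an added example written for this transcript, not QRadar code or IBM's rule syntax; the payload signatures, the rule names, the "Accounting server" address 10.1.2.20 and the sample flows are all constructed for illustration. It shows how a Layer 7 classifier flags IRC riding on port 80 as a covert channel and a cleartext service on a PCI-scoped host as a Requirement 4 violation.

```python
import re
from dataclasses import dataclass


@dataclass
class Flow:
    """A flow summary with the first bytes of the client-to-server payload (constructed)."""
    src: str
    dst: str
    dport: int
    payload: bytes


HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ")
IRC_RE = re.compile(rb"^(?:NICK|JOIN|PRIVMSG) ", re.M)          # IRC client commands
FTP_RE = re.compile(rb"^(?:USER|PASS|RETR|STOR|LIST) ", re.M)   # FTP control commands


def classify(payload: bytes) -> str:
    """Identify the application from payload content; the port is deliberately ignored."""
    if payload.startswith(HTTP_METHODS):
        return "http"
    if len(payload) >= 3 and payload[0] == 0x16 and payload[1] == 0x03:
        return "tls"                      # TLS record: type 0x16 (handshake), version 3.x
    if IRC_RE.search(payload):            # checked before FTP: both use a USER line
        return "irc"
    if FTP_RE.search(payload):
        return "ftp"
    if payload.startswith((b"\xff\xfb", b"\xff\xfd")):
        return "telnet"                   # Telnet IAC WILL / IAC DO option negotiation
    return "unknown"


CLEARTEXT_APPS = {"http", "ftp", "telnet"}   # protocols that carry data unencrypted
WEB_PORTS = {80, 8080}                       # ports where only HTTP is expected


def detect(flows, pci_scope):
    """Apply two constructed rules and return the resulting offenses (defender view)."""
    offenses = []
    for f in flows:
        app = classify(f.payload)
        if app == "irc" and f.dport in WEB_PORTS:
            offenses.append({"rule": "covert-channel", "src": f.src, "dst": f.dst,
                             "detail": f"{app} carried on port {f.dport}"})
        if f.dst in pci_scope and app in CLEARTEXT_APPS:
            offenses.append({"rule": "pci-req4-cleartext", "src": f.src, "dst": f.dst,
                             "detail": f"cleartext {app} on PCI-scoped host, port {f.dport}"})
    return offenses


# Constructed sample traffic: ordinary intranet HTTP, IRC hidden on port 80,
# a cleartext FTP login to the accounting server, and a TLS handshake to it.
SAMPLE_FLOWS = [
    Flow("10.1.1.20", "10.1.1.5", 80, b"GET /index.html HTTP/1.1\r\nHost: intranet\r\n\r\n"),
    Flow("10.1.1.31", "203.0.113.7", 80, b"NICK wk31\r\nUSER wk31 0 * :wk31\r\nJOIN #ops\r\n"),
    Flow("10.1.2.11", "10.1.2.20", 21, b"USER acct\r\nPASS hunter2\r\n"),
    Flow("10.1.2.11", "10.1.2.20", 443, b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03"),
]
PCI_SCOPE = {"10.1.2.20"}   # constructed: the Accounting server from the slide


def run_sample():
    return detect(SAMPLE_FLOWS, PCI_SCOPE)


if __name__ == "__main__":
    for o in run_sample():
        print(o["rule"], o["src"], "->", o["dst"], ":", o["detail"])
```

The sample run yields two offenses: the IRC session on port 80 and the FTP login to the PCI-scoped host; the TLS flow to the same host is silent because the classifier sees an encrypted handshake, which is the distinction a port-only log rule cannot make.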

Page 18

Thank you

Page 19

Using fully integrated architecture and interface

Log Management
• Turn-key log management and reporting
• SME to Enterprise
• Upgradeable to enterprise SIEM

SIEM
• Log, flow, vulnerability & identity correlation
• Sophisticated asset profiling
• Offense management and workflow

Configuration & Vulnerability Management
• Network security configuration monitoring
• Vulnerability prioritization
• Predictive threat modeling & simulation

Network Activity & Anomaly Detection
• Network analytics
• Behavioral anomaly detection
• Fully integrated in SIEM

Network and Application Visibility
• Layer 7 application monitoring
• Content capture for deep insight & forensics
• Physical and virtual environments

One Console Security

Built on a Single Data Architecture

Page 20

Employing automation to accelerate time-to-value, preserve currency

Simplified deployment delivers results in days
• Syslog device detection configures log data sources
• Passive flow asset detection populates asset database
• Out-of-the-box rules and reports reduce incident investigations and meet compliance mandates

Real time events keep information current
• Immediate discovery of network asset additions triggers proactive vulnerability scans, configuration comparisons and policy compliance checks
• Daily and weekly updates to rules, reports, vulnerabilities, patches, searches, support modules, protocols and signatures

Page 21

Differentiated by network flow analytics

Log management products collect subset of available data
• Netflows enable visibility into attacker communications
• Stored as aggregated, bi-directional records of IP addresses, ports, and protocols
• Offer advanced detection and forensics via flow pivoting, drill-down and data mining
• QFlow Collectors dig deeper, adding Layer 7 application insights
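The slide describes flows as aggregated, bi-directional records keyed by addresses, ports and protocol. As an added example (not QRadar's or any flow collector's code), the block below folds unidirectional packet summaries into such records and then pivots on them to answer "which hosts talked to this service", the drill-down the slide calls flow pivoting. The packet list, addresses and sizes are constructed; the convention that the first packet seen defines the client-to-server direction is this example's own simplification.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """One unidirectional packet summary (constructed input, not a real capture)."""
    ts: float
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    size: int


@dataclass
class FlowRecord:
    """Aggregated, bi-directional record; the first packet seen defines client -> server."""
    client: str
    cport: int
    server: str
    sport: int
    proto: str
    first: float
    last: float
    fwd_pkts: int = 0
    fwd_bytes: int = 0
    rev_pkts: int = 0
    rev_bytes: int = 0


def aggregate(packets):
    """Fold packets into flow records keyed by the 5-tuple, matching either direction."""
    flows = {}
    for p in sorted(packets, key=lambda p: p.ts):
        fwd = (p.src, p.sport, p.dst, p.dport, p.proto)
        rev = (p.dst, p.dport, p.src, p.sport, p.proto)
        if fwd in flows:
            rec, forward = flows[fwd], True
        elif rev in flows:
            rec, forward = flows[rev], False
        else:
            rec = flows[fwd] = FlowRecord(p.src, p.sport, p.dst, p.dport, p.proto, p.ts, p.ts)
            forward = True
        rec.last = max(rec.last, p.ts)
        if forward:
            rec.fwd_pkts += 1
            rec.fwd_bytes += p.size
        else:
            rec.rev_pkts += 1
            rec.rev_bytes += p.size
    return list(flows.values())


def clients_of(records, server, port):
    """Pivot: every client that exchanged traffic with a given service."""
    return sorted({r.client for r in records if r.server == server and r.sport == port})


# Constructed packets: two workstations each opening one TLS session to the same server.
SAMPLE_PACKETS = [
    Packet(1.0, "10.0.0.15", 51000, "198.51.100.9", 443, "tcp", 60),
    Packet(1.1, "198.51.100.9", 443, "10.0.0.15", 51000, "tcp", 60),
    Packet(1.2, "10.0.0.15", 51000, "198.51.100.9", 443, "tcp", 517),
    Packet(1.5, "198.51.100.9", 443, "10.0.0.15", 51000, "tcp", 1400),
    Packet(1.6, "10.0.0.15", 51000, "198.51.100.9", 443, "tcp", 100),
    Packet(2.0, "10.0.0.22", 51001, "198.51.100.9", 443, "tcp", 60),
    Packet(2.1, "198.51.100.9", 443, "10.0.0.22", 51001, "tcp", 60),
]


def build_flows():
    return aggregate(SAMPLE_PACKETS)


if __name__ == "__main__":
    for r in build_flows():
        print(f"{r.client}:{r.cport} -> {r.server}:{r.sport} {r.proto} "
              f"fwd {r.fwd_pkts}/{r.fwd_bytes}B rev {r.rev_pkts}/{r.rev_bytes}B")
    print("clients of 198.51.100.9:443:", clients_of(build_flows(), "198.51.100.9", 443))
```

Seven packets collapse into two records, which is the storage win the slide points to; the byte counts per direction are what later distinguish a normal request/response from a host uploading far more than it downloads.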

Page 22

Including baselining and anomaly detection capabilities

Correlation of log and flow data creates profiles of user, application and data access patterns

Anomaly Detection uses multiple measurements to signal change
• Thresholds – above or below normal range
• Anomaly – Detects appearance of new objects
• Behavior – Reveals deviations from established ‘seasonal’ patterns

Large Window: 5 Hours. Small Window: 1 Hour.
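The three measurements on this slide are different tests over the same baseline. As an added example (this transcript's illustration, not QRadar's rule engine or its window semantics), the block below runs all three over a constructed series of hourly outbound-connection counts for one workstation: an absolute threshold, a new-object check, and a "seasonal" comparison against the same hour on earlier days. It also implements a plain 1-hour-versus-5-hour window ratio, which is one reading of the Large/Small Window labels and is an assumption here, so that the two behavioral methods can be compared on the same data.

```python
from statistics import mean, pstdev

HOURS_PER_DAY = 24


def threshold_alerts(series, low, high):
    """Thresholds: sample indexes that fall outside an absolute normal range."""
    return [i for i, v in enumerate(series) if v < low or v > high]


def new_object_alerts(baseline_objects, observed):
    """Anomaly: objects (users, destinations, applications) absent from the baseline."""
    return sorted(set(observed) - set(baseline_objects))


def seasonal_alerts(series, period=HOURS_PER_DAY, min_history=2, k=3.0, sigma_floor=5.0):
    """Behavior: compare each sample with the same hour-of-day on earlier days."""
    alerts = []
    for i in range(period * min_history, len(series)):
        history = [series[j] for j in range(i % period, i, period)]
        expected = mean(history)
        sigma = max(pstdev(history), sigma_floor)   # floor keeps a flat history from alerting on noise
        if abs(series[i] - expected) > k * sigma:
            alerts.append(i)
    return alerts


def window_alerts(series, small=1, large=5, factor=3.0):
    """Window ratio: the last `small` hours against the `large` hours before them."""
    alerts = []
    for i in range(small + large - 1, len(series)):
        recent = mean(series[i - small + 1:i + 1])
        baseline = mean(series[i - small - large + 1:i - small + 1])
        if baseline > 0 and recent / baseline >= factor:
            alerts.append(i)
    return alerts


def build_series():
    """Constructed hourly counts for one workstation over three days (index = hour)."""
    day = [5] * 9 + [50] * 9 + [5] * 6      # quiet overnight, busy 09:00-17:00, quiet evening
    series = day * 3
    series[62] = 120                         # day 3, 14:00: burst inside business hours
    series[71] = 60                          # day 3, 23:00: activity at a normally quiet hour
    return series


if __name__ == "__main__":
    s = build_series()
    print("threshold:", threshold_alerts(s, 0, 100))
    print("seasonal: ", seasonal_alerts(s))
    print("window:   ", window_alerts(s))
    print("new objects:", new_object_alerts({"US", "DE", "GB"}, ["US", "DE", "ZZ"]))
```

The comparison is the point: the window ratio fires every morning when activity ramps up (indexes 9, 10, 33, 34, 57, 58) as well as on the real night-time anomaly, while the seasonal baseline stays quiet on the ramps and flags only the two injected changes. The absolute threshold catches the daytime burst but says nothing about the night-time activity, since 60 connections is a normal daytime value.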

Page 23

Strengthened by integrated vulnerability insights

QRadar Vulnerability Manager

[Figure: grids of CVE entries titled "Your Vulnerabilities", with individual entries marked Patched, Critical, Blocked, Inactive, Exploited! and At risk!]

Existing vulnerability management tools – Questions remain:
• Has that been patched?
• Has it been exploited?
• Is it likely to be exploited?
• Does my firewall block it?
• Does my IPS block it?
• Does it matter?

Improves visibility – Intelligent, event-driven scanning, asset discovery, asset profiling and more

Reduces data load – Bringing rich context to Vulnerability Management

Breaks down silos – Leveraging all QRadar integrations and data; unified vulnerability view across all products

Security Intelligence Integration – Answers delivered:
• Real-time scanning
• Early warning capabilities
• Advanced pivoting and filtering

Page 24

Security Intelligence portfolio components

Page 25

QRadar Log Manager: Foundation for Security Intelligence

Employs intuitive, browser-based UI

Presents customizable dashboards (work spaces) per user

Delivers real-time & historical visibility and reporting

Provides easy to use rules engine with out-of-the-box security intelligence

Allows advanced data mining and drill down

Contains role-based access to information & functions

Page 26

Automatically discovers log sources simplifying deployment and speeding ROI

Performs distributed log collection, analysis, archival, searching and reporting that scales to any size network

Provides fast, free-text search and analysis of normalized data

Contains reliable, tamper-proof log storage for forensic investigations and evidentiary use

Includes compliance-driven report templates for regulatory reporting and auditing

Shares common architecture with QRadar SIEM for seamless upgrade

Establishes security capability to exceed compliance requirements

Page 27

Out-of-the-box templates for specific regulations and best practices:

- COBIT, SOX, GLBA, NERC, FISMA, PCI, HIPAA, UK GCSx

Easily modified to include new definitions

Extensible to include new regulations and best practices

Can leverage existing correlation rules

Best practices compliance rules and reports speed ROI

Page 28

QRadar SIEM: Command console for Security Intelligence

Provides full visibility and actionable insight to protect against advanced threats

Adds network flow capture and analysis for deep application insight

Employs sophisticated correlation of events, flows, assets, topologies, vulnerabilities and external data to identify & prioritize threats

Contains workflow management to fully track threats and ensure resolution

Uses scalable hardware, software and virtual appliance architecture to support the largest deployments

Page 29

Data reduction and correlation analysis identify top threats

Previous 24hr period of network and security activity (2.7M logs)

QRadar correlation & analysis of data creates ‘offenses’

Offenses include complete history of threat or violation with full context including network, asset and user identity information

Offenses further prioritized by business impact

Focuses security teams and eliminates false positives

Reduces millions/billions of events to dozens requiring further investigation

Page 30

QRadar judges “magnitude” of offenses:

1. Credibility: A false positive or true positive?

2. Severity: Alarm level contrasted with target vulnerability

3. Relevance: Priority according to asset or network value

Priorities can change over time based on situational awareness

Intelligent offense scoring further directs security team investigations
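Pages 29 and 30 describe one pipeline: raw events are grouped into offenses, and each offense is scored on credibility, severity and relevance so that analysts work the short list. The block below is an added example for this transcript, not QRadar's correlation engine or its magnitude formula: the grouping key, the three scoring rules, the asset model, the rule names and the 40 sample events are all constructed. Credibility here rises with the number of independent log sources reporting the same activity, severity is the rule's level raised when the target is actually vulnerable to that attack class, and relevance is the asset's business value.

```python
from dataclasses import dataclass, field


@dataclass
class Event:
    src: str
    dst: str
    log_source: str   # reporting device (constructed names)
    rule: str         # correlation rule that matched (constructed names)
    severity: int     # 1..10, assigned by the rule


# Constructed asset model: business value and known vulnerability classes per host.
ASSET_VALUE = {"10.0.0.5": 10, "10.0.0.9": 3}           # payment DB vs. print server
ASSET_VULNS = {"10.0.0.5": {"sql-injection"}}
RULE_VULN_CLASS = {"sqli-attempt": "sql-injection", "ssh-bruteforce": "weak-auth"}


@dataclass
class Offense:
    src: str
    dst: str
    rule: str
    events: list = field(default_factory=list)

    def credibility(self):
        # Independent corroboration: more distinct reporting devices, more credible (cap 10).
        return min(10, 2 * len({e.log_source for e in self.events}))

    def severity(self):
        # Rule level, raised when the target is known to be vulnerable to this attack class.
        base = max(e.severity for e in self.events)
        cls = RULE_VULN_CLASS.get(self.rule)
        if cls and cls in ASSET_VULNS.get(self.dst, set()):
            return min(10, base + 3)
        return base

    def relevance(self):
        return ASSET_VALUE.get(self.dst, 1)   # unknown assets default to low value

    def magnitude(self):
        return round((self.credibility() + self.severity() + self.relevance()) / 3, 1)


def correlate(events):
    """Group raw events into offenses keyed by (source, target, rule), ranked by magnitude."""
    offenses = {}
    for e in events:
        key = (e.src, e.dst, e.rule)
        offenses.setdefault(key, Offense(e.src, e.dst, e.rule)).events.append(e)
    return sorted(offenses.values(), key=lambda o: o.magnitude(), reverse=True)


def sample_events():
    """Constructed day of activity: 40 raw events from three patterns."""
    ev = []
    for i in range(30):     # web attack reported by both the WAF and the web server
        ev.append(Event("198.51.100.7", "10.0.0.5", ("waf", "webserver")[i % 2], "sqli-attempt", 7))
    for _ in range(8):      # password guessing against a low-value host
        ev.append(Event("192.0.2.4", "10.0.0.9", "sshd", "ssh-bruteforce", 5))
    for _ in range(2):      # scan of the payment DB seen only by the firewall
        ev.append(Event("192.0.2.4", "10.0.0.5", "firewall", "port-scan", 3))
    return ev


def summarize(events):
    """(rule, target, magnitude, event count) per offense, highest magnitude first."""
    return [(o.rule, o.dst, o.magnitude(), len(o.events)) for o in correlate(events)]


if __name__ == "__main__":
    for row in summarize(sample_events()):
        print(row)
```

Forty events become three offenses, and the ordering is the useful part: the two-event scan of the payment database outranks the eight-event brute force against the print server because relevance and a matching vulnerability, not event volume, drive the score.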

Page 31

Helps detect zero-day attacks that have no signature

Enables policy monitoring and rogue server identification

Provides visibility into all attacker communications

Uses passive monitoring to build asset profiles and classify hosts

Improves network visibility and helps resolve traffic problems

Flows provide context for true network intelligence

Page 32

QRadar Risk Manager: Visualize network, configurations and risks

Depicts network topology views and helps visualize current and alternative network traffic patterns

Identifies active attack paths and assets at risk of exploit

Collects network device configuration data to assess vulnerabilities and facilitate analysis and reporting

Discovers firewall configuration errors and improves performance by eliminating ineffective rules

Analyzes policy compliance for network traffic, topology and vulnerability exposures

Page 33

Fully integrated risk management solution

Compiles comprehensive risk assessments covering network usage, configuration data, vulnerability posture, and current threat environment

Provides powerful, visualizations of network usage and attack paths simplifying risk and incident response actions

Simplifies configuration change comparisons and alerts users to risky or out-of-compliance configurations

Improves consistency of firewall rules, including detection of shadowed rules and other configuration errors

Delivers reduced total cost of ownership through product consolidation

Page 34

Connections view shows and records network traffic activity

Drastically reduces time required to conduct offense forensics

Correlates events and flows with source and destination IPs

Identifies active vs. inactive applications and associated hosts

Enables connection searches between hosts and networks using specific protocols and applications, or traffic analysis to/from specific geo regions

Page 35

Investigating offense attack path

Clicking ‘attack path’ button for an offense performs search showing precise path (and all permutations) between involved source and destination IPs

Firewall rules enabling the attack path can then be quickly analyzed to understand the exposure

Allows “virtual patch” to be applied by quickly showing which firewall rules may be changed to immediately shut down attack path—before patching or other configuration changes can typically be implemented

Page 36

QRadar Vulnerability Manager: Scan, assess and remediate vulnerabilities

Employs embedded, well proven, scalable, PCI-certified scanner

Provides complete vulnerability view including 3rd party vulnerability system data feeds

Supports exception and remediation processes with seamlessly integrated reporting and dash boarding

Leverages QRadar log and flow collectors and processors to conduct scans

Includes hosted external scanning service

Tracks National Vulnerability Database (CVE) and detects 70,000+ vulnerabilities

Page 37

Fully integrated vulnerability management solution

Analyzes data stored in the QRadar asset model database, so it includes all vulnerability sources

Displays vulnerability posture by asset, network, open service, vulnerability type and vulnerability instances

Provides powerful filtering & pivoting functionality similar to the flow and event viewers

Offers saved searches, quick searches and a Google-esque quick filter

Page 38

QVM enables customers to interpret ‘sea’ of vulnerabilities

[Figure: a dense field of CVE entries, with individual entries highlighted as Inactive, Blocked, Patched, Critical, At Risk! and Exploited!]

Inactive: QFlow Collector data helps QRadar Vulnerability Manager sense application activity

Blocked: QRadar Risk Manager helps QVM understand which vulnerabilities are blocked by firewalls and IPSs

Patched: IBM Endpoint Manager helps QVM understand which vulnerabilities will be patched

Critical: Vulnerability knowledge base, remediation flow and QRM policies inform QVM about business critical vulnerabilities

At Risk: X-Force Threat and SIEM security incident data, coupled with QFlow network traffic visibility, help QVM see assets communicating with potential threats

Exploited: SIEM correlation and IPS data help QVM reveal which vulnerabilities have been exploited
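Page 23 asks the questions (patched? exploited? blocked? does it matter?) and this page names the data source that answers each. The block below is an added example for this transcript, not QVM's logic: it takes a list of vulnerabilities and a context object holding the six kinds of evidence, labels each vulnerability with one of the six states, and orders the result so that exploited and at-risk items come first and inactive ones last. The precedence (escalating evidence beats de-prioritizing evidence), the field names, the host names and the CVE-XXXX-nnnn placeholder identifiers are all constructed for illustration.

```python
from dataclasses import dataclass


@dataclass
class Vuln:
    asset: str
    cve: str                      # placeholder identifiers, not real CVE numbers
    port: int
    business_critical: bool = False


@dataclass
class Context:
    """Evidence each integration contributes (field names are this example's own)."""
    active_ports: dict            # asset -> ports seen carrying traffic (flow data)
    blocked_ports: dict           # asset -> ports a firewall or IPS blocks (network config)
    patch_scheduled: set          # (asset, cve) pairs the endpoint manager will patch
    talking_to_threats: set       # assets seen communicating with threat-listed addresses
    exploited: set                # (asset, cve) pairs with correlated exploitation evidence


# Working order for the analyst: most urgent state first.
PRIORITY = ["Exploited", "At Risk", "Critical", "Active", "Blocked", "Patched", "Inactive"]


def label(v: Vuln, ctx: Context) -> str:
    """Escalating evidence wins over de-prioritizing evidence; plain 'Active' otherwise."""
    if (v.asset, v.cve) in ctx.exploited:
        return "Exploited"
    if v.asset in ctx.talking_to_threats:
        return "At Risk"
    if v.business_critical:
        return "Critical"
    if v.port not in ctx.active_ports.get(v.asset, set()):
        return "Inactive"                 # nothing listens there, so nothing to reach
    if v.port in ctx.blocked_ports.get(v.asset, set()):
        return "Blocked"                  # reachable in principle, but filtered upstream
    if (v.asset, v.cve) in ctx.patch_scheduled:
        return "Patched"
    return "Active"


def prioritize(vulns, ctx):
    """Return (cve, state) pairs ordered by PRIORITY (stable within a state)."""
    labelled = [(v.cve, label(v, ctx)) for v in vulns]
    return sorted(labelled, key=lambda t: PRIORITY.index(t[1]))


# Constructed inventory: seven findings on three hosts, one per state plus a plain one.
SAMPLE_VULNS = [
    Vuln("web01", "CVE-XXXX-0001", 443),
    Vuln("db01", "CVE-XXXX-0002", 1433),
    Vuln("pay01", "CVE-XXXX-0003", 8443, business_critical=True),
    Vuln("web01", "CVE-XXXX-0004", 22),
    Vuln("pay01", "CVE-XXXX-0005", 8443),
    Vuln("web01", "CVE-XXXX-0006", 21),
    Vuln("pay01", "CVE-XXXX-0007", 8443),
]
SAMPLE_CONTEXT = Context(
    active_ports={"web01": {443, 22}, "db01": {1433}, "pay01": {8443}},
    blocked_ports={"web01": {22}},
    patch_scheduled={("pay01", "CVE-XXXX-0005")},
    talking_to_threats={"db01"},
    exploited={("web01", "CVE-XXXX-0001")},
)


def run_sample():
    return prioritize(SAMPLE_VULNS, SAMPLE_CONTEXT)


if __name__ == "__main__":
    for cve, state in run_sample():
        print(f"{state:9s} {cve}")
```

Only one of the seven findings stays a plain "Active" item once the context is applied; the rest either rise to the top of the queue because something is already happening to them or drop toward the bottom because flow, firewall or patch data shows they cannot be reached or will soon be closed.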

Page 39

Security Intelligence platform summary

Page 40

Continued journey towards Total Security Intelligence

Page 41

QRadar Security Intelligence customer roadmap

Upgrade Log Manager to QRadar SIEM
– Additional security telemetry data
– Rules-based correlation analysis engine
– Data overload reduction ‘magic’ compressing millions or even billions of daily raw events to manageable list of issues

Add QRadar Risk Manager
– Enables pre-exploit configuration investigations
– Simplifies security policy reviews for compliance tests
– Provides network topology depictions and permits attack simulations

Implement QRadar Vulnerability Manager
– Extends pre-exploit analysis activities by adding integrated vulnerability insights
– Reduces magnitude of pre-exploit conditions as QRadar SIEM does for post-exploit conditions
– Helps identify and measure exposures to external threats

Inject IBM X-Force Threat Research Intelligence
– Provides intelligence feed to QRadar
– Includes vulnerabilities, IP reputations, malware reports and attack histories

Page 42

QRadar’s unique advantages

Scalability for largest deployments, using an embedded database and unified data architecture. Impact: QRadar supports your business needs at any scale

Real-time correlation and anomaly detection based on broadest set of contextual data. Impact: More accurate threat detection, in real-time

Intelligent automation of data collection, asset discovery, asset profiling, vulnerability scanning and more. Impact: Reduced manual effort, fast time to value, lower-cost operation

Integrated flow analytics with Layer 7 content (application) visibility. Impact: Superior situational awareness and threat identification

Flexibility and ease of use enabling “mere mortals” to create and edit correlation rules, reports and dashboards. Impact: Maximum insight, business agility and lower cost of ownership

Page 43

Learn more about IBM QRadar Security Intelligence

Watch executive interview video with Steve Robinson (VP)

Visit our website

Review latest solution announcement

Read new blog posts: securityintelligence.com

Follow us on Twitter: @q1labs @ibmsecurity

Page 44

ibm.com/security

© Copyright IBM Corporation 2012. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind, express or implied. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, these materials. Nothing contained in these materials is intended to, nor shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software. References in these materials to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates. Product release dates and/or capabilities referenced in these materials may change at any time at IBM’s sole discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any way. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service marks of others.

Page 45

Case study: An international energy company reduces billions of events per day to find those that should be investigated

An international energy firm analyzes 2,000,000,000 events per day to find 20 – 25 potential offences to investigate

Business challenge:
• Reducing huge number of events to find the ones that need to be investigated
• Automating the process of analyzing security data

Solution: (QRadar SIEM, QFlow, Risk Manager)

Real-time correlation of hundreds of data sources, anomaly detection to help identify “low and slow” threats, flexibility for easy customization and expansion

Optimize threat analysis

Page 46

Case Study: A financial information provider hardens defenses against threats and fraud

Business challenge:
• Detect wide range of security threats affecting public-facing Web applications
• Help identify subtle changes in user behavior that could indicate fraud or misuse
• Exceed ISO 27001 standard

Solution: (QRadar SIEM, QFlow, X-Force, Network IPS)

Combine analysis of historical data with real-time alerts to gain a ‘big picture’ view and uncover patterns of unusual activity humans miss and immediately block suspected traffic

Saved 50-80% on staffing vs. alternative solutions

Tracks 250 activity baselines dynamically adjusted over time

Optimize risk management

Page 47

Case Study: Financial services firm uses real-time analysis to defend against rising DDoS attacks

Canadian-based international financial services firm analyzes 30,000,000 events per day to find 30 potential offences to investigate

Business challenge:
• Dealing with 500% increase in cyber threats and a 527% increase in denial of service attacks in the past two years
• Gaining 24x7 visibility without hiring additional analysts

Solution: (QRadar SIEM, QFlow, Risk Manager, X-Force, IPS)

Real-time correlation, anomaly detection and X-Force Intelligence to help improve visibility and generate more than 50% in annual licensing and maintenance costs

Optimize staff resources

Page 48

Case Study: A credit card firm simplifies complexity, reduces costs and optimizes resources

Business challenge:
• 8-year old SIEM technology did not provide visibility into and protection from current threats
• High cost of tuning and maintenance of incumbent SIEM product

Solution: (QRadar SIEM)

Advanced security analytics engine for real-time threat detection and analysis and scalable architecture to meet client’s large data and infrastructure requirements

50% reduction in cost of deployment, tuning and maintenance vs. competitor

Optimize security ROI

Page 49

Case Study: Growth markets payments processor achieves PCI compliance / exceeds regulatory mandates

Business challenge:
• Protect client data at the heart of this business
• PCI compliance for processing of >$25 billion in annual transactions
• Rapidly implement proven solution, 0 tolerance for delays or errors

Solution: (QRadar SIEM, IBM Security Network IPS)

Integrated solution to provide visibility into PCI and data exposure risks with expert implementation services helping client pass PCI audit four weeks after purchase

Global electronic payments firm operates in 32 countries and processes over 2 billion transactions per year

Re-engineer profitable growth