Mais conteúdo relacionado Semelhante a Defining Security Intelligence for the Enterprise - What CISOs Need to Know (20) Mais de IBM Security (20) Defining Security Intelligence for the Enterprise - What CISOs Need to Know1. Defining Security Intelligence for the Enterprise:
What Today’s CISOs Need to Know
Chris Poulin
Industry Security Systems Strategist
IBM Institute for Advanced Security
© 2012 IBM Institute for Advanced Security
2. IBM Institute for Advanced Security
You will get hacked, but…
CISOs know it’s not if, it’s when they get hacked; yet there is still a gap in ability to
detect breach.
Breaches are taking longer to discover
Breaches are not being discovered internally
Charts from Verizon 2011 Investigative Response Caseload Review
© 2012 IBM Institute for Advanced Security
3. IBM Institute for Advanced Security
92% of Breaches Are Undetected by Breached Organization
Source: 2012 Data Breach Investigations Report
© 2012 IBM Institute for Advanced Security
4. IBM Institute for Advanced Security
SQL Injection Still #1
© 2012 IBM Institute for Advanced Security
5. IBM Institute for Advanced Security
Sophistication of cyber threats, attackers and motives is rapidly escalating
1995 – 2005
1st
2005 – 2015
Decade of the Commercial Internet
2nd
Decade of the Commercial Internet
Motive
National Security
Espionage,
Political Activism
Monetary Gain
Revenge
Curiosity
Nation-state Actors;
Targeted Attacks / Advanced
Persistent Threat
Competitors, Hacktivists
Organized Crime, using sophisticated tools
Insiders, using inside information
Script-kiddies or hackers using tools, web-based “how-to’s”
Adversary
© 2012 IBM Institute for Advanced Security
6. IBM Institute for Advanced Security
Solving a security issue is a complex, four-dimensional puzzle
People
Employees
Consultants
Hackers
Terrorists
Outsourcers
Customers
Suppliers
Data
Structured
Unstructured
At rest
In motion
Applications
Systems applications
Web applications
Web 2.0
Mobile apps
Infrastructure
It is no longer enough to protect the perimeter –
siloed point products will not secure the enterprise
© 2012 IBM Institute for Advanced Security
7. IBM Institute for Advanced Security
Choose the Right Technology
Protection technology is
critical, but choose wisely
There is no magic
security technology
© 2012 IBM Institute for Advanced Security
8. IBM Institute for Advanced Security
People and Processes First
A lesson from airport security:
Instead of expensive equipment, use what works
In Israel
• No plane departing Ben Gurion Airport has ever been hijacked
• Use human intelligence
• “Questioning” looks for suspicious behavior
• Simple metal detectors
Scotland Yard
• 24+ men planned to smuggle explosive liquids
• Foiled beforehand because of intelligence
• Before they even got to the airport
© 2012 IBM Institute for Advanced Security
9. IBM Institute for Advanced Security
What is Security Intelligence?
Security Intelligence
--noun
1.the real-time collection, normalization, and analytics of the
data generated by users, applications and infrastructure that
impacts the IT security and risk posture of an enterprise
Security Intelligence provides actionable and comprehensive
insight for managing risks and threats from protection and
detection through remediation
© 2012 IBM Institute for Advanced Security
10. IBM Institute for Advanced Security
What Gartner is Saying About the Need for Context
Mark Nicollet, Managing VP,
Gartner Security, Risk &
Compliance
“The rapid discovery of a breach is key to minimizing the damage of a
targeted attack, but most organizations do not have adequate breach
detection capabilities.”
“Since perfect defenses are not practical or achievable, organizations
need to augment vulnerability management and shielding with moreeffective monitoring.”
“The addition of context, such as user, application, asset, data and
threat, to security event monitoring will increase the likelihood of early
discovery of a targeted attack.”
“We need to get better at discovering the changes in normal activity
patterns that are the early signal of an attack or breach.”
#1-3 from “Effective Security Monitoring Requires Context,” Gartner, 16 January 2012, G00227893
© 2012 IBM Institute for Advanced Security
#4 from “Using SIEM for Targeted Attack Detection,” Gartner, 20 March 2012, G00227898
11. IBM Institute for Advanced Security
Context and correlation
Deep visibility into users, data, applications, and assets
Sources
+
Intelligence
=
Most Accurate &
Actionable Insight
© 2012 IBM Institute for Advanced Security
12. IBM Institute for Advanced Security
Solving complex problems that point solutions cannot
Improving threat
detection
Discovered 500 hosts with “Here You
Have” virus, which all other security
products missed
Consolidating
data silos
2 billion log and events per day reduced
to 25 high priority offenses
Predicting risks
against your
business
Automating the policy monitoring and
evaluation process for configuration
changes in the infrastructure
Addressing
regulatory mandates
Real-time monitoring of all network
activity, in addition to PCI mandates
© 2012 IBM Institute for Advanced Security
13. IBM Institute for Advanced Security
How Security Intelligence Can Help
Continuously monitor all activity & correlate
in real-time
Gain visibility into unauthorized or anomalous activities
– Server (or thermostat) communicating with IP address in China.
– Unusual Windows service -- backdoor or spyware program
– Query by DBA to credit card tables during off-hours – possible SQL injection attack
– Spike in network activity -- high download volume from SharePoint server
– High number of failed logins to critical servers -- brute-force password attack
– Configuration change -- unauthorized port being enabled for exfiltration
– Inappropriate use of protocols -- sensitive data being exfiltrated via P2P
© 2012 IBM Institute for Advanced Security
14. IBM Institute for Advanced Security
Why Should a CISO Care?
Detect suspicious behavior
– Privileged actions being conducted from a contractor’s workstation
– DNS communications with external system flagged as C&C
Detect policy violations
– Baseline against reality (CMDB)
– Social media, P2P, etc
Detect APTs
– File accesses out of the norm—behavior anomaly detection
– Least used applications or external systems; occasional traffic
Detect fraud
– Baseline credit pulls or trading volumes and detect anomalies
– Correlate eBanking PIN change with large money transfers
Forensic evidence for prosecution
Impact analysis
Compliance
– Change & configuration management
Metrics
14
© 2012 IBM Institute for Advanced Security
15. IBM Institute for Advanced Security
Network Activity for Total Visibility
• Attackers can stop logging and erase their tracks, but can’t
cut off the network (flow data)
• Helps detect day-zero attacks that have no signature
• Provides definitive evidence of attack
• Enables visibility into all attacker communications
• Passively builds up asset profiles—and keeps them up to date
© 2012 IBM Institute for Advanced Security
16. IBM Institute for Advanced Security
Application Detection & Forensic Evidence
Botnet Detected?
This is/ as far as traditional
SIEM can go.
IRC on port 80?
QFlow enables detection of a
covert channel.
Irrefutable
Layer 7 data contains botnet command and
control instructions.
© 2012 IBM Institute for Advanced Security
17. IBM Institute for Advanced Security
Data Leakage
Who is responsible for the data leak?
Alert on data patterns, such as credit card
number, in real time.
© 2012 IBM Institute for Advanced Security
18. IBM Institute for Advanced Security
Insider Fraud
Potential Data Loss?
Who? What? Where?
Who?
An internal user
What?
Oracle data
Where?
Gmail
© 2012 IBM Institute for Advanced Security
19. IBM Institute for Advanced Security
User Behavior Monitoring & APTs
User & Application Activity Monitoring alerts to a user anomaly for
Oracle database access.
Identify the user, normal
access behavior and the
anomaly behavior with all
source and destination
information for quickly resolving
the persistent threat.
© 2012 IBM Institute for Advanced Security
20. IBM Institute for Advanced Security
Configuration & Risk
Network topology and open
paths of attack add context
Rules can take exposure
into account to:
• Prioritize offenses and
remediation
• Enforce policies
• Play out what-if scenarios
© 2012 IBM Institute for Advanced Security
21. IBM Institute for Advanced Security
Real-Time Activity for Prioritized Response
Network monitoring + configuration management =
deeper level of forensics & accurate impact analysis
© 2012 IBM Institute for Advanced Security
22. IBM Institute for Advanced Security
Integration: Increasing Security, Collapsing Silos, and Reducing Complexity
Increased Awareness and Accuracy
Prevent advanced threats with real-time intelligence correlation across security domains
Increase situational awareness by leveraging real-time feeds of X-Force Research and Global Threat
Intelligence across IBM security products, such as QRadar Security Intelligence Platform and Network
Security appliances
Conduct complete incident investigations with unified identity, database, network and endpoint activity
monitoring and log management
Ease of Management
Simplify risk management and decision-making
with automated reporting though a unified console
Enhance auditing and access capabilities by sharing
Identity context across multiple IBM security products
Build automated, customized application
protection policies by feeding AppScan results into
IBM Network Intrusion Prevention Systems
Reduced Cost and Complexity
Deliver faster deployment, increased value and
lower TCO by working with a single strategic partner
© 2012 IBM Institute for Advanced Security
23. IBM Institute for Advanced Security
Security Intelligence Timeline
Prediction & Prevention
Reaction & Remediation
Risk Management. Vulnerability Management.
Configuration Monitoring. Patch Management.
X-Force Research and Threat Intelligence.
Compliance Management. Reporting and Scorecards.
SIEM. Log Management. Incident Response.
Network and Host Intrusion Prevention.
Network Anomaly Detection. Packet Forensics.
Database Activity Monitoring. Data Loss Prevention.
© 2012 IBM Institute for Advanced Security
24. IBM Institute for Advanced Security
In 1996 Gartner Group said…..
“Making business decisions
based on accurate and current
information takes more than
intuition. Data analysis,
reporting and query tools can
help business users wade
through a sea of data to
synthesize valuable
information from it.
Today these tools collectively
fall into a category called
“Business Intelligence”’
© 2012 IBM Institute for Advanced Security
25. IBM Institute for Advanced Security
In 1958 IBM …
…researcher Hans Peter Luhn
used the term business intelligence.
He defined business intelligence as:
"the ability to apprehend the interrelationships
of presented facts in such a way as to guide
action towards a desired goal.“
© 2012 IBM Institute for Advanced Security
26. IBM Institute for Advanced Security
Security and Business Intelligence Parallels
IBM Security Intelligence
Security Intelligence
DASCOM
Security as a Service
Application Security
Database Monitoring
SOA Security
Decision Management
Market Changes
Managed Security Services
Network Intrusion Prevention
Simplified Delivery (i.e., Cloud )
Compliance Management
BI Convergence with Collaboration
Identity and Access Management
Text & Social Media Analytics
Mainframe and
Server Security - RACF
Predictive Analytics
IOD Business Optimization
IBM Business Intelligence
Performance Management
Business Intelligence Suite
Enterprise Reporting
Time
© 2012 IBM Institute for Advanced Security