DSS participated in this year's "IBM Connect" event organized by regional IBM's VAD - ALSO Baltics. DSS spoke about importance of IT Security in new - digital world that is developing. New technologies bring new business opportunities but as well bring also new security threats and risks that have to be considered in first place.

1. Quantify value of IT
Security for business
with IBM tools
Andris Soroka
17th of April, 2014
Riga, Latvia

2. The Saga Begins – Scared vs. Informed

3. “Data Security Solutions” business card
Specialization – IT Security
IT Security services (consulting,
audit, pen-testing, market analysis,
system testing and integration,
training and technical support)
Solutions and experience portfolio
with more than 20 different
technologies – cyber-security global
market leaders from more than 10
countries
Trusted services provider for
banks, insurance companies,
government and private companies
(critical infrastructure etc.)

4. Role of DSS in Cyber-security
Development in Baltics
Cyber-Security Awareness Raising
Technology and knowledge transfer
Most Innovative Portfolio
Trusted Advisor to its Customers

5. Cybersecurity Awareness Raising
Own organized conference “DSS ITSEC”
5th annual event this year (30.10.2014)
More than 400 visitors + more than 250 online
live streaming watchers from LV, EE, LT
4 parallel sessions with more than 40
international speakers, including Microsoft, Oracle,
Symantec, IBM, Samsung and many more –
everything free of charge (EVENT.DSS.LV)
Participation in other events & sponsorship
CERT & ISACA conferences & events
RIGA COMM, HeadLight, IBM Pulse Las vegas
Roadshows and events in Latvia / Lithuania /
Estonia (f.i. Vilnius Innovation Forum, Devcon,
ITSEC HeadLight, SFK, business associations)
Participation in cyber security discussions, strategy
preparations, seminaries, publications etc.

6. Innovations – technology & knowledge transfer
Innovative Technology Transfer
Number of unique projects done with
different technology global leadership
vendors
Knowledge transfer (own employees,
customers – both from private & public,
other IT companies in LV, EE, LT)
Specialization areas include:
Endpoint Security
Network Security
Security Management
Application Security
Mobile Security
Data Security
Cyber-security
Security Intelligence

7. Some just basic ideas

11. AGENDA (hopefully 60mins..)
Introduction of DSS and speaker
Prologue – Digital world & trends
The Saga begins – Cybercrime
Introduction & types
Business behind
Examples
Value of Information Security for business
Risk management
Technology
IBM SIEM, Risk Manager, Forensics
What it is and what for
Architecture
Use cases
Q&A (if time allows)

12. Prologue

13. Prologue: Some new technologies
3D Printers
Google Glasses (“glassh**es)
Cloud Computing
Big Data & Supercomputers
Mobile Payment & Virtual Money
Robotics and Intraday Deliveries
Internet of things
Augmented Reality
Extreme development of Aps
Digital prototyping
Gadgets (devices) & Mobility
Technology replaced jobs (automation)
Geo-location power
Biometrics
Health bands and mHealth
Electronic cars
Avegant Glymph and much, much
more

15. Prologue: Mobility & Gadgets
Multi-OS

16. Millions of mobile applications

17. Digital Agenda for European Union

18. True or fake? In fact this isn’t funny...

19. Best «success story» describing hackers..

20. No changes in that perspective

21. Disaster in software world - NSA

22. Disaster in technology world - NSA
Governments write malware and
exploits (USA started, others follow..)
Cyber espionage
Sabotage
Cyber wars
Infecting own citizens
Surveillance
Known NSA “partners”
Microsoft (incl. Skype)
Apple
Adobe
Facebook
Google
Many, many others
Internet is changing!!!
USA thinks that internet is their
creation and foreign users should
think of USA as their masters…

23. Many countries are in the game now…

24. Many countries are in the game now…

25. Many countries are in the game now…

26. Cyberwars going on!

27. Cybercriminal type #1
“2014.gadā vidēji katram
izglītotam darbiniekam būs vidēji
3.3 mobīlās ierīces, salīdzinot ar
vidējo statistiku ar 2.8 mobīlajām
ierīcēm 2013.gadā.” 1

28. Cybercriminal type #2 – Monetary driven

29. Types of cybercriminals (cont.)

30. Black market figures

31. Hacking business services...
Current prices on the Russian underground market:
Hackingcorporatemailbox: $500
Winlockerransomware: $10-$20
Unintelligentexploitbundle: $25
Intelligentexploitbundle: $10-$3,000
Basiccrypter(forinsertingroguecodeintobenignfile): $10-$30
SOCKSbot(togetaroundfirewalls): $100
Hiringa DDoSattack: $30-$70/day,$1,200/month
Botnet: $200for2,000bots
DDoSBotnet: $700
ZeuSsourcecode: $200-$250
Windowsrootkit(forinstallingmaliciousdrivers): $292
HackingFacebookorTwitteraccount: $130
HackingGmailaccount: $162
Emailspam: $10per onemillionemails
Emailscam(usingcustomerdatabase): $50-$500per onemillionemails

32. Examples: Advanced Persistent Threat

33. Mobility & Security...

34. The Sage Continues: Cybercriminals #2

35. Weakest link is always the most important
Source: IBM X-Force annual report 2013

36. Some examples of incidents (DDoS)

37. Mobility & Security
“2014.gadā vidēji katram
izglītotam darbiniekam būs vidēji
3.3 mobīlās ierīces, salīdzinot ar
vidējo statistiku ar 2.8 mobīlajām
ierīcēm 2013.gadā.” 1

38. Examples: Hackers searching tool

39. Examples: Hackers searching tool

40. Examples (continued)

41. Examples: Hacker is watching / listening

42. Cybercriminal type #3 – Insider

43. Bright future of the internet way ahead..
1995 – 2005
1st Decade of the
Commercial Internet
2005 – 2015
2nd Decade of the
Commercial InternetMotive
Script-kiddies or hackers
Insiders
Organized crime
Competitors, hacktivists
National Security
Infrastructure Attack
Espionage
Political Activism
Monetary Gain
Revenge
Curiosity

44. Global statistics

45. Conclusion: The Saga will continue anyway
For many companies security is like salt, people just
sprinkle it on top.

46. Think security first & Where are You here?
Organizations Need an Intelligent View of Their Security Posture
Proactive
AutomatedManual
Reactive
Optimized
Organizations use
predictive and
automated security
analytics to drive toward
security intelligence
Proficient
Security is layered
into the IT fabric and
business operations
Basic
Organizations
employ perimeter
protection, which
regulates access and
feeds manual reporting

47. “DSS” is here for You! Just ask for…
Si vis pacem, para bellum. (Lat.)

48. IBM Security Intelligence
Suspected
Incidents
Prioritized Incidents
Embedded intelligence offers automated offense identification
Servers and mainframes
Data activity
Network and virtual activity
Application activity
Configuration information
Security devices
Users and identities
Vulnerabilities and threats
Global threat intelligence
Extensive Data Sources
Automated
Offense
Identification
• Massive data reduction
• Automated data collection,
asset discovery and profiling
• Automated, real-time,
and integrated analytics
• Activity baselining
and anomaly detection
• Out-of-the box rules
and templates
Embedded
Intelligence

49. Security Intelligence = SIEM+RM+…+….
IBM QRadar
Security Intelligence
Platform
Packets
Vulnerabilities
Configurations
Flows
Events
Logs
Big data consolidation of
all available security
information
Traditional SIEM
6 products from 6 vendors are needed
IBM Security
Intelligence and Analytics

50. Single web-based console provides superior visibility
Log
Management
Security
Intelligence
Network Activity
Monitoring
Risk
Management
Vulnerability
Management
Network
Forensics
Security Intelligence = SIEM+RM+…+….

51. QRadar Forensics – new one
Scale
•Event Processors
•Network Activity Processors
•High Availability & Disaster
Recovery
•Stackable Expansion
Network and
Application
Visibility
•Layer 7 application monitoring
•Content capture for deep insight &
forensics
•Physical and virtual environments
• Log, flow, vulnerability & identity correlation
• Sophisticated asset profiling
• Offense management and workflow
SIEM
Network
Activity &
Anomaly
Detection
•Network analytics
•Behavioral anomaly detection
•Fully integrated in SIEM
•Turn-key log management and
reporting
•SME to Enterprise
•Upgradeable to enterprise SIEM
Log
Management
•Network security configuration
monitoring
•Vulnerability scanning &
prioritization
•Predictive threat modeling &
simulation
Configuration
& Vulnerability
Management

52. QRadar All In One

53. QRadar Distributed Deployment

54. SIEM installation – plug&play
Higher capacity / performance support
Basic installation in one week, immediate ROI
Continuous development of features and integration
Biggest IT Security solutions portfolio in today’s Security market

55. IBM leadership – taking it back
CA
(DataMinder)
Novell
(Sentinel)
Nitro
Fortify,
WebInspect
ArcSight
TippingPoint
RSA Access
Mgr.
ProtectTools
RSA Live
Intelligence
System
Team: RSA
FirstWatch
OAM, Novell
AM, CA
SiteMinder
Norton AV, iPS
Symantec Client/
Svr. Mgmt. Suite
Symantec DLP Data Theft
ProtectionDLP
FW, NBA, IPS
Access Rights
Reviews
SecureSphere
Web App FW
SecureSphere
App Virt. Patching FW, IPS
DLP
Endpoint Disk
Encryption
FW, IPS, AV Mobile security
FIM

56. SIEM Use Cases WordCloud

57. SIEM Use Cases DefinitionSIEM Use Cases Definition
Requirements
Scope
Event Sources
Response

58. Your Use Case
Build YOUR own use case!
React faster
Improve Efficiency
Automate Compliance

59. Use Cases
Vulnerability Correlation
Suspicious Access Correlation
Flow and Event Combo Correlation
Botnet Application Identity
VMware Flow Analysis
Unidirectional Flows Detection
Vulnerability Reporting
Data Loss Prevention
Double Correlation
Policy and Insider Threat Intelligence (Social Media Use
Case)

60. Use Cases
Detecting Threats or Suspicious Changes in Behaviour
Preventative Alerting and Monitoring
Compliance Monitoring
Client-side vulnerability correlation
Excessive Failed Logins to Compliance Servers
Remote Access from Foreign Country Logons
Communication with Known Hostile Networks
Long Durations
Multi-Vector Attack
Device stopped sending Data (Out of Compliance)

61. Social Media Intelligence
Problem:
Social media is an increasing threat to an organization's policies and network;
company employees are the ones who are most likely to fall victim to social
engineering based threats, and serve as entry points for Advanced Persistent
Threats.
Solution: Social media Monitoring& Correlation in real-time:
Qradar’s real-time monitoring and correlation of hundreds of social media sites, such
as Twitter, Facebook, Gmail, LinkedIn, etc., offers automated application aware
insight and identifies social media-based threats by user and application.

62. Social Media Intelligence
With Qradar, you can:
Identify all the source,
destination and the actual
corporate credit card number
leaked.
With Qradar, you can:
Identify the user responsible for
the data leak.

63. Data Loss Prevention
Customer Requirement:
Customer wants to detect when an employee may be stealing customer
contact info in preparation for leaving the company
Solution:
Baseline employee access to CRM
Detect deviations from norm: 1,000 transactions (access to customer
records) vs normal 50 per day
BUT…what if the user is tech savvy or has a geek nephew, and makes
a single SQL query to the back end database?
Profile network traffic between workstations and back-end database or
policy shouldn’t allow direct access to database from workstations

64. Data Loss Prevention
Potential Data Loss?
Who? What? Where?
Who?
An internal user
What?
Oracle data
Where?
Gmail

65. Indavertent Wrongdoing
A/V Server
Trying to update the
entire internet
Issue bubbled to the
top of the offense
manager immediately
post-installation
Problem had existed for
months, but was lost in
firewall logs.
A/V clients were badly
out of date.

66. System Misconfiguration
QRadar reports remote sources scanning internal SQL servers
Firewall admin insists QRadar is incorrect – absolutely no inbound
SQL traffic permitted.
But … months earlier user had requested access to SQL server from
outside campus
Administrator fat-fingered the FW rule and unintentionally allowed
SQL access to & from all hosts

67. Teleportation
Customer Requirement:
Customer wanted to detect users that logged in from IP addresses in
different locations simultaneously.
Solution:
 Create rule to test for 2 or more logins from VPN or AD from different
country within 15 minutes
 Can be extended to check for local login within corporate network and
simultaneous remote login

68. Purell for your VPN
Customer Requirement:
Customer wanted to detect when external systems over the VPN
accesses sensitive servers
Customer was concerned that external system could be infected /
exploited through split tunneling and infect sensistive internal servers
Solution:
 Use latest VA scan of user systems
 Create BB of OSVDB IDs of concern
 Detect when external systems with vulnerabilities access sensitive
servers

69. Uninvited Guests
Customer Requirement:
Wants to identify new systems attached to network. There are active wall
jacks throughout building
Solution:
Set asset database retention to just beyond DHCP lease time (1-2
days)—user out of office/on vacation, asset expires
New machine attaches, rule alerts
Flows for real-time detection: no other SIEM can do this
Can alert on VA import
In 7.0, can build up MAC list in reference sets (~2 wks), then alert
when new MAC appears on network

70. Policy Vialation / Resource Misuse
Customer Requirement:
Detect if there are P2P Server located in Local Area Network

71. Communication to known Bot C&C
Customer Requirement:
Detect if any of internal system is communicating to known Bot
Command and Contrlol

72. Forensic of Administrative Change
Customer Requirement:
New User account creation with administrative privileges
System registry change, Application Installed/Uninstalled
Password reset
Service started/stopped

73. Vulnerability Overview
Customer Requirement:
Generate weekly report for Vulnerabilities

74. Use Cases Summary
Identify the goal for each
event correlation rule (and
use case).
Determine the conditions
for the alert.
Select the relevant data
sources.
Test the rule.
Determine response
strategies, and document
them.

75. Qradar latest updates
Increased scalability, best HW in market
Enhanced asset and vulnerability functionality
Centralized license management
Multicultural support (languages)
Improved bar and pie charts on the Dashboard tab
Data obfuscation
Identity and Access Management (IAM) integration
Browser support
Java 7 support
2500 + reports
New “QRadar 2100 Light” appliance for SMB’s
New Qradar Forensics appliance
New Data Node Appliances

76. Think security first
www.dss.lv
andris@dss.lv
+371 29162784

77. Think security first