Data Security Solutions gave a presentation on the technology rated #1 by Gartner in the worldwide SIEM market at headtechnology Baltics' annual IT Security conference "Headlight2012" (22 May 2012, Riga, Latvia), covering innovations in the IT Security market.
2. “Data Security Solutions” brief intro
Specialization – IT Security
IT Security consulting (vulnerability assessment tests, security audit, new systems integration, HR training, technical support)
Innovative & selected software / hardware & hybrid solutions from leading technology vendors from over 10 different countries
3. Agenda
Introduction - threats, technology era, definitions
Business drivers for log management and SIEM (Security Information and Events Management)
Market analysis, critical capabilities of solutions
Selected Q1 Labs solutions for Your review for -
SEM (Log management)
SEM (Wider scope)
SIEM
4. Global figures - cybercrime
2011 – 431 million people affected, with more than 114 million USD directly and another 274 million USD related to direct loss (Source: Symantec, Dec 2011)
Cybercrime costs the world significantly more than the global black market of marijuana, cocaine and heroin combined ($228 million world wide)
5. [Chart: 2011 sampling of security incidents by attack type, time and impact, Feb–Aug 2011; size of circle estimates relative impact of breach]
Attack types in the legend: SQL Injection, URL Tampering, Spear Phishing, 3rd Party SW, DDoS, Secure ID, Unknown
Breached organisations plotted include Sony, RSA, Lockheed Martin, Epsilon, HB Gary, Citigroup, Fox News, PBS, Nintendo, Sega, Bethesda Software, the IMF, the US Senate, NATO, Booz Allen Hamilton, Monsanto, SOCA and several government and police sites.
Source: IBM Security X-Force® 2011 Midyear Trend and Risk Report, September 2011
7. SaaS
PaaS
IaaS
VoIP
Big data mgmt.
Mobility
Security as a Service
8. Security today -
Financially motivated
Bank Accounts
Identity theft
Insiders
Intellectual Property Theft
“Hacktivists”
Denial of Service
Reputation Damage
Customer data
9. Around 1500 IT Security vendors for
Endpoint Security
Platforms and point solutions
Data Security
DLP suites and point solutions
Network Security
Gateway solutions
NAC, visibility, NBA
Authentication, authorization etc.
Traditional and next-generation
Identity protection
Virtualization and cloud security
IT Security governance
Operational management & Security
Mobile Security
10. Do You have one, central solution for collecting ALL events (logs), correlating them and having real time intelligent visibility?
Do You monitor the business processes instead of the network?
Do You monitor identities, applications, information and their context instead of just IP addresses, OS’s and devices?
If not – You are vulnerable!!!
[Diagram: separate tool silos and a "Log Jam" of logs from Network, Servers, Databases and Homegrown Applications, scattered across Operational IT & Security Operations, Network Management, and Identity, Governance & Compliance teams]
11. [Diagram: User and System Activity a SIEM should observe]
User and System Activity: Failed Logon, Privileges Assigned/Changed, Security Breach, File Up/Download, Credit Card Data Access, Runaway Application, Customer Transaction, Information Leak, Email BCC
12. What logs – From where -
What logs: Audit logs; Transaction logs; Intrusion logs; Connection logs; System performance records; User activity logs; Different systems alerts and different other systems messages
From where: Firewalls / Intrusion prevention; Routers / Switches; Intrusion detection; Servers, desktops, mainframes; Business applications; Databases; Antivirus software; VPN’s
There is no standard format or transport method for logs; more than 800 log file formats are in use.
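Because each source speaks its own format, the first job of log management is normalization into one schema. As an added example (not from the presentation or Q1 Labs' code), the snippet below maps three constructed line formats (BSD syslog from sshd, a Windows-style key=value security event, and a CEF firewall event) onto a single event record that correlation rules and reports can be written against once:

```python
import re
from datetime import datetime, timezone

# Constructed sample lines in three formats (syslog/sshd, Windows-style key=value, CEF); illustrative, not real logs.
SAMPLE_LINES = [
    "Jan 12 10:14:02 srv01 sshd[2211]: Failed password for alice from 198.51.100.7 port 51122 ssh2",
    "Jan 12 10:14:09 srv01 sshd[2211]: Accepted password for alice from 198.51.100.7 port 51130 ssh2",
    "2012-01-12T10:15:00Z host=dc01 EventID=4625 TargetUserName=bob IpAddress=198.51.100.7",
    "CEF:0|ExampleVendor|FW|1.0|100|Connection denied|5|src=203.0.113.9 dst=10.0.0.5 dpt=445",
]

SYSLOG_RE = re.compile(r"^(\w{3} +\d{1,2} \d\d:\d\d:\d\d) (\S+) (\w+)\[\d+\]: (.*)$")
SSHD_RE = re.compile(r"^(Failed|Accepted) password for (\S+) from (\S+) port \d+")
KV_RE = re.compile(r"(\w+)=(\S+)")
WIN_EVENT_CATEGORY = {"4625": "auth_failure", "4624": "auth_success"}

def empty_event():
    # The common schema every source is mapped to; rules and reports are written once against it.
    return {"ts": None, "host": None, "source": None, "category": "other", "user": None, "src_ip": None}

def normalize(line, year=2012):
    ev = empty_event()
    m = SYSLOG_RE.match(line)
    if m:  # BSD syslog carries no year, so the caller supplies it
        ev["ts"] = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S").replace(tzinfo=timezone.utc)
        ev["host"], ev["source"] = m.group(2), m.group(3)
        s = SSHD_RE.match(m.group(4))
        if s:
            ev["category"] = "auth_failure" if s.group(1) == "Failed" else "auth_success"
            ev["user"], ev["src_ip"] = s.group(2), s.group(3)
        return ev
    if line.startswith("CEF:"):  # CEF header is pipe-delimited, extensions are key=value pairs
        header = line.split("|", 7)
        ext = dict(KV_RE.findall(header[7]))
        ev.update(host=ext.get("dst"), source=header[2], src_ip=ext.get("src"),
                  category=header[5].lower().replace(" ", "_"))
        return ev
    ts, _, rest = line.partition(" ")
    kv = dict(KV_RE.findall(rest))
    if "EventID" in kv:  # Windows-style security event with an ISO timestamp up front
        ev["ts"] = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        ev.update(host=kv.get("host"), source="windows-security",
                  category=WIN_EVENT_CATEGORY.get(kv["EventID"], "other"),
                  user=kv.get("TargetUserName"), src_ip=kv.get("IpAddress"))
        return ev
    ev["category"] = "unparsed"  # keep rather than drop: the goal is 100% of log data, 100% of the time
    return ev

def normalize_all(lines):
    return [normalize(line) for line in lines]
```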
13. EU directives
Such as for data protection
Critical infrastructure protection
Cooperation
Industry standards and regulations
Banks, Insurance
Health organizations etc.
NATO directives
Security, military orgs
Related to NATO work
IT Security ISO 2700X
Local laws and regulations
Personal data protection
IT Security policy
14. Definitions from IT Security solutions / technologies –
SEM – Security Events Management (Correlation – relating events together for security benefits)
SIM – Security Information Management (Log management – e.g. collecting the events of the applications and operational systems.)
SIEM (Security Information And Event Management)
You cannot control what You cannot see!
15. Collect – Alert – Store – Report
Collect: Time-stamping and secure collection of 100% of all log data, 100% of the time, from any device, including any network, storage, servers, applications!
Alert: Alerts based on real time forensics according to policies. According to anomalies, incidents. In any possible alerting way.
Store: As much as you want, as little as your compliance needs dictate. Automated, secure storage and archival of critical log data. Maintain chain of custody.
Report: Should be ready to configure and report, with easy-to-use templates and more than 10K custom reports. Packaged SOX, PCI reporting + more.
Process Integration & Information Share
16. Security Intelligence
--noun
1. the real-time collection, normalization, and analytics of the data generated by users, applications and infrastructure that impacts the IT security and risk posture of an enterprise
Security Intelligence provides actionable and comprehensive insight for managing risks and threats from protection and detection through remediation.
17. Scope of usage and quality control
SIEM – A must to have!
Log and context data collection (SIM)
Normalization and categorization (SIM)
Correlation (SEM)
Notification / Alerting (SEM)
Prioritization (SEM)
Dashboards and visualization
Reporting and reports delivery (SIM)
Security roles workflow
SIEM – next generation solutions also work at the level of –
File integrity Monitoring
Database Activity Monitoring
Application Monitoring
Identity Monitoring
User Activity Monitoring
Plug & Play functionality
18. Clear & concise delivery of the most relevant information …
What was the attack?
Who was responsible?
Was it successful?
How many targets involved?
Where do I find them?
How valuable are they to the business?
Are any of them vulnerable?
Where is all the evidence?
19. Q1 Labs (IBM Group company):
– Innovative Security Intelligence software company
– Largest independent SIEM vendor
– Leader in Gartner 2011, 2010 and 2009 Magic Quadrants
Award winning solutions:
– Family of next-generation Risk Management, Log Management, SIEM, security intelligence solutions
Executing, growing rapidly:
– Thousands of customers worldwide
– Five-year average revenue growth +70%
– North America, EMEA and Asia Pacific
22. [Diagram of value propositions]
Exceed Regulation Mandates
Detect Threats Others Miss
Detect Insider Fraud
Predict Risk
Consolidate Data Silos
25. [Diagram: Monitor – Analyze – Act cycle, with the following capabilities]
Auto-discovery of log sources, applications and assets
Asset auto-grouping
Centralized log mgmt.
Automated configuration audits
Asset-based prioritization
Auto-update of threats
Auto-tuning
Auto-detect threats
Thousands of pre-defined rules and role based reports
Easy-to-use event filtering
Advanced security analytics
Auto-response
Directed remediation
26. One Console Security – Built on a Single Data Architecture
Log Management
• Turnkey log management
• SME to Enterprise
• Upgradeable to enterprise SIEM
SIEM
• Integrated log, threat, risk & compliance mgmt.
• Sophisticated event analytics
• Asset profiling and flow analytics
• Offense management and workflow
Risk Management
• Predictive threat modeling & simulation
• Scalable configuration monitoring and audit
• Advanced threat visualization and impact analysis
Network Activity & Anomaly Detection
• Network analytics
• Behavior and anomaly detection
• Fully integrated with SIEM
Network and Application Visibility
• Layer 7 application monitoring
• Content capture
• Physical and virtual environments
28. Potential Botnet Detected? – This is as far as traditional SIEM can go.
IRC on port 80? – QFlow enables detection of a covert channel.
Irrefutable Botnet Communication – Layer 7 data contains botnet command and control instructions.
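The point of this slide is that the port alone says nothing; only application-layer content does. As an added illustration (not the presentation's or QFlow's code; a real flow collector inspects far more than these few byte signatures), the snippet below classifies constructed flow payloads by content and flags every flow whose identified protocol disagrees with what its destination port implies, which is exactly how "IRC on port 80" stands out:

```python
# Constructed flow records (src, dst, dst_port, first payload bytes); illustrative, not real captures.
FLOWS = [
    ("10.0.0.12", "203.0.113.5", 80, b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n"),
    ("10.0.0.14", "198.51.100.20", 80, b"NICK w4421\r\nUSER w 0 * :w\r\nJOIN #chan\r\n"),
    ("10.0.0.14", "198.51.100.20", 6667, b"PRIVMSG #chan :status ok\r\n"),
    ("10.0.0.9", "192.0.2.30", 443, b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03"),
    ("10.0.0.9", "192.0.2.31", 8080, b"POST /api HTTP/1.1\r\n"),
]

# Minimal application-layer fingerprints (assumed here); a production collector does deep inspection.
IRC_COMMANDS = (b"NICK ", b"USER ", b"JOIN ", b"PRIVMSG ", b"PONG ")
HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ")
EXPECTED_ON_PORT = {80: "http", 443: "tls", 6667: "irc", 8080: "http"}

def classify_payload(payload):
    """Identify the application protocol from content alone, ignoring the port entirely."""
    if payload.startswith(HTTP_METHODS):
        return "http"
    if payload.startswith(b"\x16\x03"):  # TLS handshake record header
        return "tls"
    if any(line.startswith(IRC_COMMANDS) for line in payload.split(b"\r\n")):
        return "irc"
    return "unknown"

def find_covert_channels(flows):
    """Flag flows whose content-identified protocol disagrees with what the port implies."""
    findings = []
    for src, dst, port, payload in flows:
        seen = classify_payload(payload)
        expected = EXPECTED_ON_PORT.get(port)
        if expected is not None and seen != "unknown" and seen != expected:
            findings.append({"src": src, "dst": dst, "port": port, "expected": expected, "seen": seen})
    return findings
```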
29. Authentication Failures – Perhaps a user who forgot their password?
Brute Force Password Attack – Numerous failed login attempts against different user accounts.
Host Compromised – All this followed by a successful login.
Automatically detected, no custom tuning required.
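The escalation on this slide is a correlation rule stacked on a counting rule. As an added example (not the presentation's or QRadar's rule logic; thresholds and the window are assumed values), the snippet below runs over constructed, already-normalized login events and raises a "brute_force" offense when one source accumulates failures against several distinct accounts inside a sliding window, then a "host_compromised" offense if that same source logs in successfully while the window is still open; a user who merely mistypes a password twice produces nothing:

```python
from collections import defaultdict, deque

# Constructed, already-normalized auth events (ts in seconds); illustrative, not real logs.
ATTACK_SRC = "198.51.100.7"
EVENTS = (
    [{"ts": 1000 + 10 * i, "src_ip": ATTACK_SRC, "user": u, "category": "auth_failure"}
     for i, u in enumerate(["alice", "bob", "carol", "dave", "erin", "frank"])]
    + [{"ts": 1100, "src_ip": ATTACK_SRC, "user": "frank", "category": "auth_success"}]
    # A forgetful legitimate user: two failures then a success, which must not raise an offense.
    + [{"ts": 1000, "src_ip": "10.0.0.21", "user": "grace", "category": "auth_failure"},
       {"ts": 1030, "src_ip": "10.0.0.21", "user": "grace", "category": "auth_failure"},
       {"ts": 1060, "src_ip": "10.0.0.21", "user": "grace", "category": "auth_success"}]
)

def correlate_logins(events, window=300, min_failures=5, min_accounts=3):
    """'brute_force': one source has >= min_failures failed logins against >= min_accounts distinct
    accounts within window seconds. 'host_compromised': that source then authenticates successfully
    while its brute-force window is still open. Returns offenses in detection order."""
    recent = defaultdict(deque)   # src_ip -> (ts, user) failures still inside the window
    flagged = {}                  # src_ip -> ts of its open brute_force offense
    offenses = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        q = recent[ev["src_ip"]]
        while q and ev["ts"] - q[0][0] > window:
            q.popleft()
        if not q:
            flagged.pop(ev["src_ip"], None)   # window emptied: a later burst is a new offense
        if ev["category"] == "auth_failure":
            q.append((ev["ts"], ev["user"]))
            accounts = {u for _, u in q}
            if len(q) >= min_failures and len(accounts) >= min_accounts and ev["src_ip"] not in flagged:
                flagged[ev["src_ip"]] = ev["ts"]
                offenses.append({"type": "brute_force", "src_ip": ev["src_ip"], "ts": ev["ts"],
                                 "accounts": sorted(accounts)})
        elif ev["category"] == "auth_success" and ev["src_ip"] in flagged:
            offenses.append({"type": "host_compromised", "src_ip": ev["src_ip"], "ts": ev["ts"],
                             "user": ev["user"]})
    return offenses
```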
30. Sounds Nasty…
But how do we know this?
The evidence is a single click away.
Network Scan – Detected by QFlow
Buffer Overflow – Exploit attempt seen by Snort
Targeted Host Vulnerable – Detected by Nessus
Total Visibility – Convergence of Network, Event and Vulnerability data.
33. Increased Awareness and Accuracy
Prevent advanced threats with real-time intelligence correlation across security domains
Increase situational awareness by leveraging real-time feeds of X-Force Research and Global Threat Intelligence across IBM security products, such as QRadar SIEM and Network Security appliances
Conduct complete incident investigations with unified identity, database, network and endpoint activity monitoring and log management
Ease of Management
Simplify risk management and decision-making with automated reporting through a unified console
Enhance auditing and access capabilities by sharing Identity context across multiple IBM security products
Build automated, customized application protection policies by feeding AppScan results into IBM Network Intrusion Prevention Systems
Reduced Cost and Complexity
Deliver faster deployment, increased value and lower TCO by working with a single strategic partner