We are in the midst of upheaval in the world of IT Security. Attackers are highly organized and using increasingly sophisticated methods to gain entry to your most sensitive data. At the same time, Cloud and mobile are redefining the concept of the perimeter. Check out this insightful discussion of how today's CISO is building a more secure enterprise using analytics, risk-based protection, and activity monitoring to protect the most valuable assets of the organization.
For more visit: http://securityintelligence.com
3. CISO Challenge: Competing priorities
• 14% increase in Web application vulnerabilities from 2011 to 2012 (Common Vulnerabilities and Exposures)
• 83% of enterprises have difficulty filling security roles
• Increase in compliance mandates
4. CISO Challenge: Inadequate tools
• 85 tools from 45 vendors
• 0 out of 46 vendors detected malware
Source: IBM client example
5. CISO Challenge: Business pressures
• 75%+ of organizations are using at least one cloud platform
• 70% of CISOs are concerned about Cloud and mobile security
6. CISO Challenge: Evolving Threats
• INTERNAL: 59% of C-level execs say that negligent insiders are their biggest concern
• EXTERNAL: 43% increase in critical web browser vulnerabilities
• PAYOFFS: $78M stolen from bank accounts in Operation High Roller
10. Focus on users, not devices
• Implement identity intelligence
• Pay special attention to trusted insiders
USERS: Privilege Identity Management
Before: 60,000 employees; provisioning took up to 2 weeks; no monitoring of privileged users
After: Monitoring and same-day de-provisioning for 100+ privileged users
Source: IBM client example
11. Harden and secure repositories
• Discover critical business data
• Monitor and prevent unauthorized access
ASSETS: Database Access and Monitoring
Before: Thousands of databases containing HR, ERP, credit card, and other PII, in a world where 98% of breaches hit databases
After: Secured 2,000 critical databases; saved $21M in compliance costs
Source: IBM client example
12. Identify most critical transactions
• Monitor sessions, access, and devices
• Look for anomalies and attacks
TRANSACTIONS: Advanced Fraud Protection
Before: 30 million customers in an industry where $3.4B industry losses come from online fraud and 85% of breaches go undetected
After: Advanced fraud protection on over 1 million customer endpoints; zero instances of fraud reported
Source: IBM client example
14. Don’t rely on signature detection
• Use baselines and reputation
• Identify outliers
ANALYTICS: from pattern matching to context, clustering, baselining, machine learning, and heuristics
Identify entire classes of mutated threats by analyzing 250+ protocols and file types
15. Get full coverage, no more blind spots
• Reduce and prioritize alerts
VISIBILITY: Continuous monitoring
Reduce 2 billion logs and events per day to 25 high priority offenses
Source: IBM client example
16. Eliminate silos and point solutions
• Build upon a common platform
• Share information between controls
INTEGRATION: from siloed point products to integrated platforms
Monitor threats across 8 million subscribers with an integrated platform
Source: IBM client example
18. Cloud is an opportunity for enhanced security
• Traditional Security: manual and static
• Cloud-enhanced Security: automated, customizable, and elastic
19. Mobility is the opportunity to get security right
• Endpoint Management
• Network and Access Control
• Fraud Protection
• Application and Data Security
26. Understand. Prioritize. Act.
Inputs: Event data, Context, Vulnerability scan data, Configuration data, Activity data, Network topology
Outcomes: Advanced threat protection, Risk management, Compliance, Fraud protection, Resource optimization
• Simulate “what ifs” for risk impact
• Remediate zero-days and new security threats
• Monitor asset profiles & behaviour continuously
• Visualize traffic patterns and connections
• Comply with regulatory mandates and policies
• Prioritize vulnerability remediation
• Protect transactions
• Carry out advanced incident analysis & forensics
• Optimize resources and efforts
We are moving from dousing fires to ensuring they don’t happen in the first place!
28. Don’t miss…
• Visit the Security Intelligence area in the Solution Center
• Meet experts from the IBM Security Singapore Lab: 10+ demos, 5 appliances
Day 1
• Solution Center Sessions: Enhancing IBM Security solutions with Trusteer fraud detection capabilities
Day 2
• Technical Session: Dedicated Security track featuring Identity and Access Management, Security Intelligence, Mobile Security, and more
Also, don’t miss customer speakers including YaData and Asian Paints
29. Disclaimer
Please Note:
IBM’s statements regarding its plans, directions, and intent are subject to change
or withdrawal without notice at IBM’s sole discretion.
Information regarding potential future products is intended to outline our general
product direction and it should not be relied on in making a purchasing decision.
The information mentioned regarding potential future products is not a
commitment, promise, or legal obligation to deliver any material, code or functionality.
Information about potential future products may not be incorporated into any contract.
The development, release, and timing of any future features or functionality described
for our products remains at our sole discretion.
The threat landscape continues to be a challenge with advanced attacks, international rings of cyber criminals, new vulnerabilities and zero-day attacks. But you know all this. It’s bad out there and it’s getting worse…
Let’s take a look at the “CISO Landscape”. The role of the CISO is changing. It’s not just a technologist role. The CISO is just as likely to have an MBA as a degree in computer science. Building a team, forecasting, budgeting, understanding the regulatory environment, and managing to metrics all become a factor. And the CISO has to be able to go in front of the board and explain the importance of security strategy and how it is aligned to the business strategy of the organization. But… there are challenges…
Challenge 1 -- Too much to do, too little time… you simply can’t do it all! The CISO has to balance the need to meet an ever-expanding set of compliance requirements and an increasing number of vulnerabilities and attack vectors, at the same time as he/she is facing a shortage of critical security talent. It is a real challenge to manage, and to communicate upward to executives.
Vulnerability overload: 14% increase in Web application vulnerabilities (IBM X-Force 2012 Full Year Trend and Risk Report).
Skills shortage: 83% of enterprises having difficulty filling security roles (Enterprise Strategy Group, 2012).
Challenge #2 – Tools lacking…
Too many products: We have multiple examples of customers who have invested in many, many tools. One US government agency alone has 200 security products – that entails the license costs, but perhaps more problematically, the configuration and maintenance of all of those products in a constantly changing infrastructure. They’re not getting their money’s worth. They can’t. It’s too complex and too costly.
Point products: Besides having too many products, they have too many vendors – point products from each vendor that do not integrate in any way. And those point products cannot find the advanced attacks that these enterprises are experiencing.
Products don’t work: Antivirus products cannot reliably defend against malware. Source: http://krebsonsecurity.com/
Challenge #3 – The CISO is facing a changing business environment
Line of business execs want to move fast to meet changing customer demands and competitive pressures. In today’s world that includes developing and deploying mobile apps and taking advantage of cloud services. But CISOs are concerned about the security and costs of both mobile and cloud initiatives. Unless CISOs can develop a strategy to respond, they end up being in the position of saying “No” to innovation (cloud, mobile)… and being circumvented by those same LoB execs.
75% of organizations using at least one Cloud platform: North Bridge Venture Partners, 2013 Cloud survey; Saugatuck Technology, 2013 Cloud survey.
70% of CISOs are concerned about Cloud and mobile security: IBM 2013 CISO survey.
CISOs have to be concerned about insiders who may compromise their security, either with malicious intent or simply because they are not being vigilant. They also have to be concerned about external attack vectors, particularly as the world moves toward cloud and mobile devices. At the same time, the payoff for the attackers keeps going up, meaning that the motivation to attack continues to escalate.
Negligent insiders: IBM and Ponemon Survey of 265 C-Level Executives, Feb 2012, “The Source of Greatest Risk to Sensitive Data”
Web browser vulnerabilities: IBM X-Force 2012 Full Year Trend and Risk Report
Operation High Roller: http://www.networkworld.com/news/2012/062612-operation-high-roller-260478.html and other web sources
Point of View: Attackers are reinventing how they attack. CISOs have to reinvent their job. When attackers were targeting the whole world, the CISO wasn’t so worried. But now they’re coming after you…
1. Focus on what’s important: users, assets, transactions. Take a risk-based approach to security and invest in protecting what is most important.
2. Intelligence: Apply visibility, integration, and analytics to solving today’s advanced threats.
3. Innovation: Apply security innovation to new business models such as Cloud and mobile.
Easier said than done, right? Well, not exactly, we’re already doing it.
600,000 clients, 60,000 employees; HR, payroll, tax, and benefits information. Manual provisioning took up to 2 weeks. No monitoring of 100+ privileged users with unlimited access.
Privileged User and Identity Management Example: http://www-01.ibm.com/software/success/cssdb.nsf/CS/SSAO-95T4JN?OpenDocument&Site=tivoli&cty=en_us
Automatic Data Processing (ADP) is one of the world's largest providers of business outsourcing solutions, including HR, payroll, tax and benefits administration solutions, with nearly USD10 billion in revenues and about 600,000 clients. At many companies, it can take days or weeks when an employee departs to revoke his or her access to buildings and IT systems. And ADP was no exception. When ADP associates left, revoking their access rights was predominantly a manual process that depended on each system administrator’s schedule and availability. What’s more, without a centralized, consolidated approach to identity management it was time-consuming and challenging for staff to confirm compliance for regulatory requirements, such as the Sarbanes-Oxley Act, SAS 70 and ISO 27001.
They implemented zero-day-based provisioning. As part of the initial provisioning process and integrating additional layers of the IBM IAM solution, ADP now has the ability to implement zero-day-based provisioning for key applications and enable federated access to SaaS vendors that enrich the associate’s day-one experience at ADP. Zero-based provisioning is the ability to provide access to applications and systems without the associate and/or consultant knowing what their credential information is for those respective systems and applications. With zero-based provisioning implemented, privileged system and application access is significantly secured from internal and external attacks during and after the associate’s or consultant’s engagement with ADP.
As part of its evaluation of identity management solutions, ADP invited IBM and several large IAM vendors to participate in an on-site Proof of Concept demonstration. Identity Manager was up and running within two days.
Transactions: Trusteer Client Example: Synovus Bank, one of the largest community banks in the southeastern US with a total asset size of approximately $31B, serving more than 96K commercial accounts. Wanted to mitigate client-side malware and stop man-in-the-middle and man-in-the-browser attacks.
Assets: CitiGroup
200 million customer accounts in 160 countries; consumer banking and credit, corporate and investment banking, securities brokerage, transaction services, wealth management
2,000 databases containing HR, ERP, credit card, PII, and intellectual property
Saved $20M in compliance costs
Saved $1.5M per year in audit trail storage costs
Adopted new processes to investigate insider threats
Sources: JPMorgan: 2012 Online Fraud Report; Gartner: 2290415. Analysts estimate that $3.4B is lost to online fraud and 85% of breaches go undetected.
The Royal Bank of Scotland uses Trusteer Rapport to protect their online banking customers. The product is delivered as an optional capability to the bank’s customers and is installed on over 1M customer endpoints to provide active protection. Additionally, the bank works actively with Trusteer to investigate fraud cases, and will occasionally ask customers who have been victims of a fraud case to install Rapport and work with Trusteer to perform forensics analysis on the impacted device.
http://www-01.ibm.com/common/ssi/cgi-bin/ssialias?infotype=SA&subtype=WH&htmlfid=WGL03019USEN
Tolly Test report: Tests showed the GX7800 to be more effective in blocking publicly-available exploits than Snort and dramatically more effective when blocking mutated exploits, blocking 100% compared to 52% for Snort. Stopped 99% of tests of publicly available attacks. Using its protocol analysis module (PAM), the GX7800 is able to review the application traffic and identify malicious code, helping to maintain a more secure network than signature-based IPS alone.
Fortune 5 Energy Company Deploys Global Security Operations Center and Compliance Monitoring, reduces 2B logs and events per day to 25 high priority offenses
Business Challenge:
• Protect critical assets from diverse global threats; help detect advanced threats
• Find “needle in the haystack” of 2 billion daily logs and events
• Automate compliance operations for PCI (6 million daily transactions) and NERC (SCADA system monitoring)
Solution:
• QRadar SIEM
• Real-time correlation of 100,000 systems and devices
• 30 appliances deployed globally as a federated solution
• Hundreds of out-of-the-box reports and rules for compliance and security
Value:
• SIEM solution powers global threat detection and security operations, finding key risks among billions of daily events
• Supports and automates compliance for PCI and NERC
• Provides unified security platform for 100 users across 4 operational teams worldwide
https://w3-connections.ibm.com/wikis/home?lang=en-us#!/wiki/W2d9715d42210_49a1_9f51_74d34634effc/page/Ziggo%20develops%20complete%20security%20operations%20center%20with%20with%20IBM%20Security%20QRadar%2C%20NIPS%20appliances%20and%20Services
Ziggo develops complete security operations center with IBM Security QRadar, NIPS appliances and Services
Ziggo is a Dutch provider of entertainment, information and communication through television, broadband internet and telephony services. The company serves around 3.0 million households, with 1.6 million broadband internet customers, more than 2.0 million customers for digital television and 1.3 million telephony subscribers. Business to business customers use services such as data communication, telephony, television and internet. The company owns a next-generation network capable of providing the bandwidth required for all future services currently foreseen.
Client Need: Ziggo’s current Network Operations Center is not adequately equipped to deal with today’s security challenges. For this reason Ziggo needed to extend towards a complete Security Operations Center (SOC) with a SIEM solution as the core component, to enable the new SOC to monitor pro-actively and in real time, 24x7, security-related events and incidents in all Ziggo’s domains and services. The SOC should be able to detect possible security incidents, like Advanced Persistent Threats (APTs), malware outbreaks, DDoS and other malicious behaviour, and provide an appropriate and adequate response to the threats as part of Security Incident Management Response procedures. The SOC should be capable of monitoring the Ziggo network, IT domains and business applications for security events. This should work rule-based as well as on the occurrence of anomalous behavior, and the detection of such events should be real-time or nearly real-time.
IBM Solution:
• IBM QRadar Security Intelligence Platform, including SIEM, Risk Management, Log Management, Network Behaviour Analytics and Security Event Management
• IBM Security Network Intrusion Prevention Appliances
• SWG Services
Why IBM? The QRadar Security Intelligence Platform combined with the IBM Intrusion Protection appliances and X-Force enables Ziggo to have the most intelligent, integrated and automated security intelligence solution available. The out-of-the-box experience and short deployment time, and the integration of flows and events enabling Ziggo to detect issues even during the POC phase, gave IBM the upper hand over the competition. The QRadar Security Intelligence Platform will help protect the Ziggo brand image and their confidential data.
Cloud is expanding the boundaries of today’s traditional business models and creating opportunity for enhanced security. Securing your traditional datacenter can be manual and static, while managing your security leveraging the cloud offers…
• Automated security that can be quickly provisioned in the cloud
• Customizable security that can be tuned to individual applications
• Elastic security that monitors activities in the virtual datacenter
• Mobile Device Management: Security for endpoint device and data
• Network, Data, and Access Control: Achieve visibility and adaptive security policies
• Application Layer Security: Develop and test applications
• Fraud Protection: Advanced transaction protection against fraud
IBM offers integrated security intelligence and industry-leading experience enabled by the IBM Security Framework solution capabilities. All of the IBM Security offerings are backed by an extensive business partner ecosystem which consists of industry-leading technology, sales and service partners. These capabilities are delivered through a comprehensive and robust set of tools and best practices (including software and hardware) that are supported by the services needed to address:
• Intelligence: Through a common and intuitive view that combines deep analytics with real-time security intelligence.
• Integration: Through unifying existing tools and infrastructures with new forms of defense in order to reduce complexity and lower the cost of maintaining a strong security posture.
• Expertise: Through a more proactive and trusted source of threat research and security data in order to stay ahead of emerging threats and risks.
Advanced attacks follow a consistent attack chain:
• Break in: Reconnaissance, spear phishing, and remote exploits to gain access
• Latch on: Malware and backdoors installed to establish a foothold
• Expand: Lateral movement to increase access and maintain a presence
• Gather: Acquisition and aggregation of confidential data
• Exfiltrate: Data exfiltration to external networks
At each stage of the defense strategy, IBM has integrated capabilities that help harden, detect, analyze, and remediate these advanced attacks.
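As an added illustration (not code from the deck, from IBM or from any product it names) of how the two ideas above fit together: the energy-company note reduces billions of events to a handful of offenses, and the attack chain gives the correlation its structure. Event-type names, host names and the event stream are constructed assumptions; a host only becomes an offense once it shows several stages of the chain, and offenses are ranked by how far along the chain the host has progressed.

```python
from collections import defaultdict

# Stages of the attack chain named on the slide, in order of progression.
STAGE_ORDER = ["break_in", "latch_on", "expand", "gather", "exfiltrate"]

# Constructed mapping from raw event types to chain stages (assumption: these
# event names are illustrative, not any product's real event taxonomy).
STAGE_OF = {
    "phishing_email_clicked": "break_in",
    "persistence_registry_key": "latch_on",
    "lateral_rdp_login": "expand",
    "bulk_file_read": "gather",
    "archive_created": "gather",
    "large_outbound_transfer": "exfiltrate",
}

# Constructed sample event stream: (time, host, event_type). Most hosts only
# produce noise or a single suspicious event; one host walks the whole chain.
SAMPLE_EVENTS = [
    ("09:01", "ws-42", "login_ok"),
    ("09:02", "ws-42", "phishing_email_clicked"),
    ("09:05", "ws-17", "phishing_email_clicked"),
    ("09:06", "ws-17", "login_ok"),
    ("09:09", "ws-17", "persistence_registry_key"),
    ("09:30", "ws-17", "lateral_rdp_login"),
    ("09:31", "srv-db01", "lateral_rdp_login"),
    ("09:45", "srv-db01", "bulk_file_read"),
    ("10:10", "ws-17", "archive_created"),
    ("10:12", "ws-17", "large_outbound_transfer"),
]


def stage_for(event_type):
    """Chain stage an event type maps to, or None for unmapped noise."""
    return STAGE_OF.get(event_type)


def correlate(events, min_stages=3):
    """Collapse raw events into per-host offenses ordered by urgency.

    A host becomes an offense only once it shows at least `min_stages` distinct
    chain stages, so a lone phishing click never surfaces on its own. Severity
    is how far along the chain the host got (1 = break_in ... 5 = exfiltrate).
    """
    by_host = defaultdict(lambda: defaultdict(int))  # host -> stage -> count
    for _time, host, event_type in events:
        stage = stage_for(event_type)
        if stage is not None:  # drop events that map to no stage
            by_host[host][stage] += 1
    offenses = []
    for host, stages in by_host.items():
        if len(stages) < min_stages:
            continue
        seen = [s for s in STAGE_ORDER if s in stages]
        offenses.append({"host": host, "stages": seen,
                         "severity": STAGE_ORDER.index(seen[-1]) + 1,
                         "event_count": sum(stages.values())})
    offenses.sort(key=lambda o: (-o["severity"], o["host"]))
    return offenses
```

With the default threshold only ws-17 surfaces, at the highest severity; lowering `min_stages` to 2 also surfaces srv-db01, which shows the trade-off between earlier warning and more alerts to triage.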
CHALLENGE: Are you ready to stop managing tens of vendors? Integrate between silos? Understand what’s most important to the business and if it’s being properly secured? Stand confidently in front of the board? Start saying “Yes” again?
Visit the Security Intelligence Area in the Solution Center to meet our experts from the IBM Security Singapore Lab, featuring 10+ demos and 5 appliances being showcased.
Don’t miss…
• Day 2 - Solution Center Sessions including the introduction of the new capabilities that will enhance our portfolio through the IBM acquisition of Trusteer
• Day 3 - Technical Session - Dedicated Security track featuring content on Identity and Access Management, Security Intelligence, Mobile Security and more
Also, don’t miss customer speakers including YaData and Asian Paints