Three Steps to Security Intelligence
How To Build a More Secure Enterprise

Brendan Hannigan
General Manager, IBM Security Systems

© 2013 IBM Corporation
Evolving Threat Landscape
Evolving CISO Landscape

CISO Challenge: Competing priorities
• 14% increase in Web application vulnerabilities from 2011 to 2012 (Common Vulnerabilities and Exposures)
• 83% of enterprises have difficulty filling security roles
• Increase in compliance mandates

CISO Challenge: Inadequate tools
• 85 tools from 45 vendors
• 0 out of 46 vendors detected malware
Source: IBM client example

CISO Challenge: Business pressures
• 75%+ of organizations are using at least one cloud platform
• 70% of CISOs are concerned about Cloud and mobile security

CISO Challenge: Evolving Threats
• INTERNAL: 59% of C-level execs say that negligent insiders are their biggest concern
• EXTERNAL: 43% increase in critical web browser vulnerabilities
• PAYOFFS: $78M stolen from bank accounts in Operation High Roller

Advantage: Attacker

Three steps:
1. Focus
2. Intelligence
3. Innovation

Focus: USERS, TRANSACTIONS, ASSETS

USERS
• Focus on users, not devices
• Implement identity intelligence
• Pay special attention to trusted insiders

Client example: 60,000 employees; provisioning took up to 2 weeks; no monitoring of privileged users.
Privilege Identity Management: monitoring and same-day de-provisioning for 100+ privileged users.
Source: IBM client example

ASSETS
• Harden and secure repositories
• Discover critical business data
• Monitor and prevent unauthorized access

Client example: thousands of databases containing HR, ERP, credit card, and other PII, in a world where 98% of breaches hit databases.
Database Access and Monitoring: secured 2,000 critical databases; saved $21M in compliance costs.
Source: IBM client example

TRANSACTIONS
• Identify most critical transactions
• Monitor sessions, access, and devices
• Look for anomalies and attacks

Client example: 30 million customers in an industry with $3.4B industry losses from online fraud, where 85% of breaches go undetected.
Advanced Fraud Protection on over 1 million customer endpoints: zero instances of fraud reported.
Source: IBM client example

Intelligence: ANALYTICS, INTEGRATION, VISIBILITY

ANALYTICS
• Don’t rely on signature detection
• Use baselines and reputation
• Identify outliers

From pattern matching to context, clustering, baselining, machine learning, and heuristics.
Identify entire classes of mutated threats by analyzing 250+ protocols and file types.

VISIBILITY
• Get full coverage, no more blind spots
• Reduce and prioritize alerts
• Continuous monitoring

Client example: reduce 2 billion logs and events per day to 25 high-priority offenses.
Source: IBM client example

INTEGRATION
• Eliminate silos and point solutions
• Build upon a common platform
• Share information between controls

From siloed point products to integrated platforms.
Client example: monitor threats across 8 million subscribers with an integrated platform.
Source: IBM client example

Innovation: CLOUD, MOBILE

Cloud is an opportunity for enhanced security
• Traditional Security: manual and static
• Cloud-enhanced Security: automated, customizable, and elastic

Mobility is the opportunity to get security right
• Endpoint Management
• Network and Access Control
• Fraud Protection
• Application and Data Security

IBM Security Framework
• Intelligence
• Integration
• Expertise: Professional, Managed, and Cloud Services

Advanced Threat Protection: Staying ahead of sophisticated attacks

Attack Chain
1. Break-in
2. Latch-on
3. Expand
4. Gather
5. Exfiltrate

Defense Strategy / IBM Capabilities and Services
• Harden: QRadar Vulnerability Manager, Endpoint Manager, AppScan
• Detect: Network Protection, InfoSphere Guardium, Trusteer Apex
• Analyze: QRadar Security Intelligence, X-Force Threat Intelligence
• Remediate: Emergency Response Services

CISO: Checkmate!

Analytics-powered security: Leaning forward.
Felix Mohan
Bharti Airtel Limited

Align. Make intelligent.

Concerns: voice to data shift, competitive pressure, disruptive technologies
Aggravators: advanced attacks, regulatory compliance, third-party risk
Culture, competency, communication

Align: business-aligned
Make intelligent: analytics-driven (intelligence, automation, optimization)

Airtel intelligence structure.

Inputs: security devices, network devices, X-Force external threat feed
SIEM (QRadar): context, events, flows; QFlow and VFlow Collector, Vulnerability Manager, Risk Manager
Analytics: technology, information, interaction, integration

Outcomes:
• Broader and deeper vulnerability insight
• Better protection from advanced attacks
• Quicker response
• Contextual assessments
• Better risk management
• Prioritized and actionable intelligence

Planned: Trusteer* (2014); OpenPages*, BigInsights* (2015-16)

Understand. Prioritize. Act.

Data: event data, vulnerability scan data, configuration data, activity data, network topology, context
Capabilities: advanced threat protection, risk management, compliance, fraud protection, resource optimization

• Simulate “what ifs” for risk impact
• Remediate zero-days and new security threats
• Monitor asset profiles & behaviour continuously
• Visualize traffic patterns and connections
• Comply with regulatory mandates and policies
• Prioritize vulnerability remediation
• Protect transactions
• Carry out advanced incident analysis & forensics
• Optimize resources and efforts

We are moving from dousing fires to ensuring they don’t happen in the first place!

Thank You
#IBMINTERCONNECT

Don’t miss…

All days
• Visit the Security Intelligence area in the Solution Center: 10+ demos, 5 appliances
• Meet experts from the IBM Security Singapore Lab

Day 1
• Solution Center Sessions: Enhancing IBM Security solutions with Trusteer fraud detection capabilities

Day 2
• Technical Session: Dedicated Security track featuring Identity and Access Management, Security Intelligence, Mobile Security, and more

Also, don’t miss customer speakers including YaData and Asian Paints

Disclaimer
Please Note:
IBM’s statements regarding its plans, directions, and intent are subject to change
or withdrawal without notice at IBM’s sole discretion.

Information regarding potential future products is intended to outline our general
product direction and it should not be relied on in making a purchasing decision.
The information mentioned regarding potential future products is not a
commitment, promise, or legal obligation to deliver any material, code or functionality.
Information about potential future products may not be incorporated into any contract.
The development, release, and timing of any future features or functionality described
for our products remains at our sole discretion.
Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and
outside your enterprise. Improper access can result in information being altered, destroyed or misappropriated or can result in damage to or misuse of your systems, including to attack
others. No IT system or product should be considered completely secure and no single product or security measure can be completely effective in preventing improper access. IBM systems
and products are designed to be part of a comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or
services to be most effective. IBM DOES NOT WARRANT THAT SYSTEMS AND PRODUCTS ARE IMMUNE FROM THE MALICIOUS OR ILLEGAL CONDUCT OF ANY PARTY.

© Copyright IBM Corporation 2013. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without
warranty of any kind, express or implied. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, these materials. Nothing contained in these
materials is intended to, nor shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable
license agreement governing the use of IBM software. References in these materials to IBM products, programs, or services do not imply that they will be available in all countries in
which IBM operates. Product release dates and/or capabilities referenced in these materials may change at any time at IBM’s sole discretion based on market opportunities or other
factors, and are not intended to be a commitment to future product or feature availability in any way. IBM, the IBM logo, and other IBM products and services are trademarks of the
International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service marks of others.
30

More Related Content

What's hot

The Good, the Bad and the Ugly: A Different Perspective on Identity Governance
The Good, the Bad and the Ugly: A Different Perspective on Identity GovernanceThe Good, the Bad and the Ugly: A Different Perspective on Identity Governance
The Good, the Bad and the Ugly: A Different Perspective on Identity Governance
IBM Security
 
Enterprise grade cloud services with data power virtual
Enterprise grade cloud services with data power virtualEnterprise grade cloud services with data power virtual
Enterprise grade cloud services with data power virtual
sflynn073
 

What's hot (20)

IBM Security Portfolio - 2015
IBM Security Portfolio - 2015IBM Security Portfolio - 2015
IBM Security Portfolio - 2015
 
CrossIdeas Roadshow IBM IAM Governance Andrea Rossi
CrossIdeas Roadshow IBM IAM Governance Andrea RossiCrossIdeas Roadshow IBM IAM Governance Andrea Rossi
CrossIdeas Roadshow IBM IAM Governance Andrea Rossi
 
Identity Governance: Not Just For Compliance
Identity Governance: Not Just For ComplianceIdentity Governance: Not Just For Compliance
Identity Governance: Not Just For Compliance
 
Intel IT's Identity and Access Management Journey
Intel IT's Identity and Access Management JourneyIntel IT's Identity and Access Management Journey
Intel IT's Identity and Access Management Journey
 
Overview of Identity and Access Management Product Line
Overview of Identity and Access Management Product LineOverview of Identity and Access Management Product Line
Overview of Identity and Access Management Product Line
 
Managing Identity from the Cloud: Transformation Advantages at VantisLife Ins...
Managing Identity from the Cloud: Transformation Advantages at VantisLife Ins...Managing Identity from the Cloud: Transformation Advantages at VantisLife Ins...
Managing Identity from the Cloud: Transformation Advantages at VantisLife Ins...
 
Identity Governance Solutions
Identity Governance SolutionsIdentity Governance Solutions
Identity Governance Solutions
 
Privileged Access Management (PAM)
Privileged Access Management (PAM)Privileged Access Management (PAM)
Privileged Access Management (PAM)
 
Identity & Access Management - Securing Your Data in the 21st Century Enterprise
Identity & Access Management - Securing Your Data in the 21st Century EnterpriseIdentity & Access Management - Securing Your Data in the 21st Century Enterprise
Identity & Access Management - Securing Your Data in the 21st Century Enterprise
 
Identity and Access Management (IAM)
Identity and Access Management (IAM)Identity and Access Management (IAM)
Identity and Access Management (IAM)
 
The Good, the Bad and the Ugly: A Different Perspective on Identity Governance
The Good, the Bad and the Ugly: A Different Perspective on Identity GovernanceThe Good, the Bad and the Ugly: A Different Perspective on Identity Governance
The Good, the Bad and the Ugly: A Different Perspective on Identity Governance
 
Enhancing your mobile enterprise security with ibm worklight tips
Enhancing your mobile enterprise security with ibm worklight tipsEnhancing your mobile enterprise security with ibm worklight tips
Enhancing your mobile enterprise security with ibm worklight tips
 
IDENTITY ACCESS MANAGEMENT
IDENTITY ACCESS MANAGEMENTIDENTITY ACCESS MANAGEMENT
IDENTITY ACCESS MANAGEMENT
 
Identity & Access Management by K. K. Mookhey
Identity & Access Management by K. K. MookheyIdentity & Access Management by K. K. Mookhey
Identity & Access Management by K. K. Mookhey
 
Enterprise grade cloud services with data power virtual
Enterprise grade cloud services with data power virtualEnterprise grade cloud services with data power virtual
Enterprise grade cloud services with data power virtual
 
CA Technologies and Deloitte: Unleash and Protect your Business with Identity...
CA Technologies and Deloitte: Unleash and Protect your Business with Identity...CA Technologies and Deloitte: Unleash and Protect your Business with Identity...
CA Technologies and Deloitte: Unleash and Protect your Business with Identity...
 
Identity & access management
Identity & access managementIdentity & access management
Identity & access management
 
Identity and Access Management 101
Identity and Access Management 101Identity and Access Management 101
Identity and Access Management 101
 
Dell Quest TPAM Privileged Access Control
Dell Quest TPAM Privileged Access ControlDell Quest TPAM Privileged Access Control
Dell Quest TPAM Privileged Access Control
 
SailPoint - IdentityNow Identity Governance
SailPoint - IdentityNow Identity GovernanceSailPoint - IdentityNow Identity Governance
SailPoint - IdentityNow Identity Governance
 

Similar to 3 Steps to Security Intelligence - How to Build a More Secure Enterprise

최근 비즈니스에서 활용되는 보안 기술 및 성숙된 보안 관리를 위한 ibm 전략 소개
최근 비즈니스에서 활용되는 보안 기술 및 성숙된 보안 관리를 위한 ibm 전략 소개최근 비즈니스에서 활용되는 보안 기술 및 성숙된 보안 관리를 위한 ibm 전략 소개
최근 비즈니스에서 활용되는 보안 기술 및 성숙된 보안 관리를 위한 ibm 전략 소개
ArumIm
 
8 Principales Raisons de Passer du MDM à l'EMM
8 Principales Raisons de Passer du MDM à l'EMM8 Principales Raisons de Passer du MDM à l'EMM
8 Principales Raisons de Passer du MDM à l'EMM
AGILLY
 
Orchestrate Your Security Defenses; Protect Against Insider Threats
Orchestrate Your Security Defenses; Protect Against Insider Threats Orchestrate Your Security Defenses; Protect Against Insider Threats
Orchestrate Your Security Defenses; Protect Against Insider Threats
IBM Security
 
IBM MobileFirst Protect (MaaS360) : Rendre la Messagerie Mobile Gérable et Sé...
IBM MobileFirst Protect (MaaS360) : Rendre la Messagerie Mobile Gérable et Sé...IBM MobileFirst Protect (MaaS360) : Rendre la Messagerie Mobile Gérable et Sé...
IBM MobileFirst Protect (MaaS360) : Rendre la Messagerie Mobile Gérable et Sé...
AGILLY
 

Similar to 3 Steps to Security Intelligence - How to Build a More Secure Enterprise (20)

IBM X-Force Threat Intelligence: Why Insider Threats Challenge Critical Busin...
IBM X-Force Threat Intelligence: Why Insider Threats Challenge Critical Busin...IBM X-Force Threat Intelligence: Why Insider Threats Challenge Critical Busin...
IBM X-Force Threat Intelligence: Why Insider Threats Challenge Critical Busin...
 
최근 비즈니스에서 활용되는 보안 기술 및 성숙된 보안 관리를 위한 ibm 전략 소개
최근 비즈니스에서 활용되는 보안 기술 및 성숙된 보안 관리를 위한 ibm 전략 소개최근 비즈니스에서 활용되는 보안 기술 및 성숙된 보안 관리를 위한 ibm 전략 소개
최근 비즈니스에서 활용되는 보안 기술 및 성숙된 보안 관리를 위한 ibm 전략 소개
 
8 Principales Raisons de Passer du MDM à l'EMM
8 Principales Raisons de Passer du MDM à l'EMM8 Principales Raisons de Passer du MDM à l'EMM
8 Principales Raisons de Passer du MDM à l'EMM
 
Life on the Endpoint Edge: Winning the Battle Against Cyber Attacks
Life on the Endpoint Edge: Winning the Battle Against Cyber AttacksLife on the Endpoint Edge: Winning the Battle Against Cyber Attacks
Life on the Endpoint Edge: Winning the Battle Against Cyber Attacks
 
IBM Security Services Overview
IBM Security Services OverviewIBM Security Services Overview
IBM Security Services Overview
 
Follow the Money, Follow the Crime
Follow the Money, Follow the CrimeFollow the Money, Follow the Crime
Follow the Money, Follow the Crime
 
Orchestrate Your Security Defenses; Protect Against Insider Threats
Orchestrate Your Security Defenses; Protect Against Insider Threats Orchestrate Your Security Defenses; Protect Against Insider Threats
Orchestrate Your Security Defenses; Protect Against Insider Threats
 
Ibm q radar_blind_references
Ibm q radar_blind_referencesIbm q radar_blind_references
Ibm q radar_blind_references
 
Simple and secure mobile cloud access
Simple and secure mobile cloud accessSimple and secure mobile cloud access
Simple and secure mobile cloud access
 
IBM Cloud Security Enforcer
IBM Cloud Security EnforcerIBM Cloud Security Enforcer
IBM Cloud Security Enforcer
 
Borderless Breaches and Migrating Malware: How Cybercrime is Breaking Down Ba...
Borderless Breaches and Migrating Malware: How Cybercrime is Breaking Down Ba...Borderless Breaches and Migrating Malware: How Cybercrime is Breaking Down Ba...
Borderless Breaches and Migrating Malware: How Cybercrime is Breaking Down Ba...
 
Bordless Breaches and Migrating Malware
Bordless Breaches and Migrating MalwareBordless Breaches and Migrating Malware
Bordless Breaches and Migrating Malware
 
QRadar & XGS: Stopping Attacks with a Click of the Mouse
QRadar & XGS: Stopping Attacks with a Click of the MouseQRadar & XGS: Stopping Attacks with a Click of the Mouse
QRadar & XGS: Stopping Attacks with a Click of the Mouse
 
Kista watson summit final public version
Kista watson summit final public versionKista watson summit final public version
Kista watson summit final public version
 
Are We There Yet? The Path Towards Securing the Mobile Enterprise
Are We There Yet? The Path Towards Securing the Mobile EnterpriseAre We There Yet? The Path Towards Securing the Mobile Enterprise
Are We There Yet? The Path Towards Securing the Mobile Enterprise
 
2015 Mobile Security Trends: Are You Ready?
2015 Mobile Security Trends: Are You Ready?2015 Mobile Security Trends: Are You Ready?
2015 Mobile Security Trends: Are You Ready?
 
Introduction to Cybersecurity Fundamentals
Introduction to Cybersecurity FundamentalsIntroduction to Cybersecurity Fundamentals
Introduction to Cybersecurity Fundamentals
 
3 Enablers of Successful Cyber Attacks and How to Thwart Them
3 Enablers of Successful Cyber Attacks and How to Thwart Them3 Enablers of Successful Cyber Attacks and How to Thwart Them
3 Enablers of Successful Cyber Attacks and How to Thwart Them
 
Bridging the Gap between Privacy and Security: Using Technology to Manage Com...
Bridging the Gap between Privacy and Security: Using Technology to Manage Com...Bridging the Gap between Privacy and Security: Using Technology to Manage Com...
Bridging the Gap between Privacy and Security: Using Technology to Manage Com...
 
IBM MobileFirst Protect (MaaS360) : Rendre la Messagerie Mobile Gérable et Sé...
IBM MobileFirst Protect (MaaS360) : Rendre la Messagerie Mobile Gérable et Sé...IBM MobileFirst Protect (MaaS360) : Rendre la Messagerie Mobile Gérable et Sé...
IBM MobileFirst Protect (MaaS360) : Rendre la Messagerie Mobile Gérable et Sé...
 

More from IBM Security

More from IBM Security (20)

Automation: Embracing the Future of SecOps
Automation: Embracing the Future of SecOpsAutomation: Embracing the Future of SecOps
Automation: Embracing the Future of SecOps
 
Leaders & Laggards: The Latest Findings from the Ponemon Institute’s Study on...
Leaders & Laggards: The Latest Findings from the Ponemon Institute’s Study on...Leaders & Laggards: The Latest Findings from the Ponemon Institute’s Study on...
Leaders & Laggards: The Latest Findings from the Ponemon Institute’s Study on...
 
Integrated Response with v32 of IBM Resilient
Integrated Response with v32 of IBM ResilientIntegrated Response with v32 of IBM Resilient
Integrated Response with v32 of IBM Resilient
 
The Resilient End-of-Year Review: The Top Cyber Security Trends in 2018 and P...
The Resilient End-of-Year Review: The Top Cyber Security Trends in 2018 and P...The Resilient End-of-Year Review: The Top Cyber Security Trends in 2018 and P...
The Resilient End-of-Year Review: The Top Cyber Security Trends in 2018 and P...
 
Leveraging Validated and Community Apps to Build a Versatile and Orchestrated...
Leveraging Validated and Community Apps to Build a Versatile and Orchestrated...Leveraging Validated and Community Apps to Build a Versatile and Orchestrated...
Leveraging Validated and Community Apps to Build a Versatile and Orchestrated...
 
Accelerating SOC Transformation with IBM Resilient and Carbon Black
Accelerating SOC Transformation with IBM Resilient and Carbon BlackAccelerating SOC Transformation with IBM Resilient and Carbon Black
Accelerating SOC Transformation with IBM Resilient and Carbon Black
 
How to Build a Faster, Laser-Sharp SOC with Intelligent Orchestration
How to Build a Faster, Laser-Sharp SOC with Intelligent OrchestrationHow to Build a Faster, Laser-Sharp SOC with Intelligent Orchestration
How to Build a Faster, Laser-Sharp SOC with Intelligent Orchestration
 
Are You Ready to Move Your IAM to the Cloud?
Are You Ready to Move Your IAM to the Cloud?Are You Ready to Move Your IAM to the Cloud?
Are You Ready to Move Your IAM to the Cloud?
 
Orchestrate Your Security Defenses to Optimize the Impact of Threat Intelligence
Orchestrate Your Security Defenses to Optimize the Impact of Threat IntelligenceOrchestrate Your Security Defenses to Optimize the Impact of Threat Intelligence
Orchestrate Your Security Defenses to Optimize the Impact of Threat Intelligence
 
Your Mainframe Environment is a Treasure Trove: Is Your Sensitive Data Protec...
Your Mainframe Environment is a Treasure Trove: Is Your Sensitive Data Protec...Your Mainframe Environment is a Treasure Trove: Is Your Sensitive Data Protec...
Your Mainframe Environment is a Treasure Trove: Is Your Sensitive Data Protec...
 
Meet the New IBM i2 QRadar Offense Investigator App and Start Threat Hunting ...
Meet the New IBM i2 QRadar Offense Investigator App and Start Threat Hunting ...Meet the New IBM i2 QRadar Offense Investigator App and Start Threat Hunting ...
Meet the New IBM i2 QRadar Offense Investigator App and Start Threat Hunting ...
 
Understanding the Impact of Today's Security Breaches: The 2017 Ponemon Cost ...
Understanding the Impact of Today's Security Breaches: The 2017 Ponemon Cost ...Understanding the Impact of Today's Security Breaches: The 2017 Ponemon Cost ...
Understanding the Impact of Today's Security Breaches: The 2017 Ponemon Cost ...
 
WannaCry Ransomware Attack: What to Do Now
WannaCry Ransomware Attack: What to Do NowWannaCry Ransomware Attack: What to Do Now
WannaCry Ransomware Attack: What to Do Now
 
How to Improve Threat Detection & Simplify Security Operations
How to Improve Threat Detection & Simplify Security OperationsHow to Improve Threat Detection & Simplify Security Operations
How to Improve Threat Detection & Simplify Security Operations
 
IBM QRadar UBA
IBM QRadar UBA IBM QRadar UBA
IBM QRadar UBA
 
Mobile Vision 2020
Mobile Vision 2020Mobile Vision 2020
Mobile Vision 2020
 
Retail Mobility, Productivity and Security
Retail Mobility, Productivity and SecurityRetail Mobility, Productivity and Security
Retail Mobility, Productivity and Security
 
Close the Loop on Incident Response
Close the Loop on Incident ResponseClose the Loop on Incident Response
Close the Loop on Incident Response
 
Ponemon Institute Reviews Key Findings from “2017 State of Mobile & IoT Appli...
Ponemon Institute Reviews Key Findings from “2017 State of Mobile & IoT Appli...Ponemon Institute Reviews Key Findings from “2017 State of Mobile & IoT Appli...
Ponemon Institute Reviews Key Findings from “2017 State of Mobile & IoT Appli...
 
See How You Measure Up With MaaS360 Mobile Metrics
See How You Measure Up With MaaS360 Mobile MetricsSee How You Measure Up With MaaS360 Mobile Metrics
See How You Measure Up With MaaS360 Mobile Metrics
 

Recently uploaded

CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
giselly40
 

Recently uploaded (20)

08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 

3 Steps to Security Intelligence - How to Build a More Secure Enterprise

  • 1. Three Steps to Security Intelligence How To Build a More Secure Enterprise Brendan Hannigan General Manager, IBM Security Systems © 2013 IBM Corporation
  • 3. CISO Challenge: Competing priorities 14%increase 83% of enterprises have difficulty filling in Web application vulnerabilities security roles from 2011 to 2012 Common Vulnerabilities and Exposures Increase in compliance mandates 3
  • 4. CISO Challenge: Inadequate tools 85 tools from 45 vendors 0 out of 46 vendors detected malware Source: IBM client example 4
  • 5. CISO Challenge: Business pressures 75%+ of organizations are using at least one cloud platform 70% of CISOs are concerned about Cloud and mobile security 5
  • 6. CISO Challenge: Evolving Threats INTERNAL EXTERNAL PAYOFFS 59% 43% $78M of C-level execs say that negligent insiders are their biggest concern increase in critical web browser vulnerabilities stolen from bank accounts in Operation High Roller 6
  • 10. Focus on users, not devices Implement identity intelligence Pay special attention to trusted insiders 60,000 employees Provisioning took up to 2 weeks No monitoring of privileged users USERS Privilege Identity Management Monitoring and same-day de-provisioning for 100+ privileged users Source: IBM client example 10
  • 11. Harden and secure repositories Discover critical business data Monitor and prevent unauthorized access Thousands of databases containing HR, ERP, credit card, and other PII in a world where 98% of breaches hit databases ASSETS Database Access and Monitoring Secured 2,000 $21M critical databases Source: IBM client example Saved in compliance costs 11
  • 12. Identify most critical transactions Monitor sessions, access, and devices Look for anomalies and attacks 30 Million customers in an industry where $3.4B industry losses from online fraud 85% of breaches go undetected TRANSACTIONS Advanced Fraud Protection on over 1 million customer endpoints Zero instances of fraud reported Source: IBM client example 12
  • 14. Don’t rely on signature detection Use baselines and reputation Identify outliers Mutated threats by analyzing 250+ protocols and file types Identify entire classes of ANALYTICS Pattern matching Context, clustering, baselining, machine learning, and heuristics 14
  • 15. Get full coverage, No more blind spots Reduce and prioritize alerts Reduce VISIBILITY Source: IBM client example Continuous monitoring 2 Billion logs and events per day to 25 high priority offenses 15
  • 16. Eliminate silos and point solutions Build upon a common platform Share information between controls 8 Million subscribers with an integrated Platform Monitor threats across INTEGRATION Siloed Point Products Source: IBM client example Integrated Platforms 16
  • 18. Cloud is an opportunity for enhanced security Traditional Security Cloud-enhanced Security Manual and static Automated, customizable, and elastic 18
  • 19. Mobility is the opportunity to get security right Endpoint Management Network and Access Control Fraud Protection Application and Data Security 19
  • 21. Advanced Threat Protection Staying ahead of sophisticated attacks Attack Chain 1 Break-in 2 Expand 4 Gather 5 IBM Capabilities and Services Harden QRadar Vulnerability Manager Endpoint Manager AppScan Detect Network Protection InfoSphere Guardium Trusteer Apex Latch-on 3 Defense Strategy Exfiltrate Analyze QRadar Security Intelligence X-Force Threat Intelligence Remediate Emergency Response Services 21
  • 23. Analytics-powered security: leaning forward. Felix Mohan, Bharti Airtel Limited. © 2013 IBM Corporation
  • 24. Align. Make intelligent. Concerns and aggravators: voice to data shift, competitive pressure, disruptive technologies, culture, competency, communication, advanced attacks, regulatory compliance, third-party risk. Align: business-aligned. Make intelligent: intelligence, automation, optimization, analytics-driven.
  • 25. Airtel intelligence structure. Technology: security devices, network devices, QFlow and VFlow Collector, Vulnerability Manager, Risk Manager, X-Force external threat feed, SIEM (QRadar). Information: context, events, flows. Interaction: broader and deeper vulnerability insight, better protection from advanced attacks, quicker response. Integration: contextual assessments, better risk management, prioritized and actionable intelligence. Trusteer* (2014); Openpages*, BigInsights* (2015-16).
  • 26. Understand. Prioritize. Act. Event data, context, vulnerability scan data, configuration data, activity data, network topology. Advanced threat protection, risk management, compliance, fraud protection, resource optimization. Simulate “what ifs” for risk impact; remediate zero-days and new security threats; monitor asset profiles and behaviour continuously; visualize traffic patterns and connections; comply with regulatory mandates and policies; prioritize vulnerability remediation; protect transactions; carry out advanced incident analysis and forensics; optimize resources and efforts. We are moving from dousing fires to ensuring they don’t happen in the first place!
  • 28. Don’t miss… Visit the Security Intelligence area in the Solution Center and meet experts from the IBM Security Singapore Lab: 10+ demos, 5 appliances. Day 1, Solution Center Sessions: Enhancing IBM Security solutions with Trusteer fraud detection capabilities. Day 2, Technical Session: dedicated Security track featuring Identity and Access Management, Security Intelligence, Mobile Security, and more. Also, don’t miss customer speakers including YaData and Asian Paints.
  • 29. Disclaimer Please Note: IBM’s statements regarding its plans, directions, and intent are subject to change or withdrawal without notice at IBM’s sole discretion. Information regarding potential future products is intended to outline our general product direction and it should not be relied on in making a purchasing decision. The information mentioned regarding potential future products is not a commitment, promise, or legal obligation to deliver any material, code or functionality. Information about potential future products may not be incorporated into any contract. The development, release, and timing of any future features or functionality described for our products remains at our sole discretion. 29
  • 30. Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed or misappropriated or can result in damage to or misuse of your systems, including to attack others. No IT system or product should be considered completely secure and no single product or security measure can be completely effective in preventing improper access. IBM systems and products are designed to be part of a comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective. IBM DOES NOT WARRANT THAT SYSTEMS AND PRODUCTS ARE IMMUNE FROM THE MALICIOUS OR ILLEGAL CONDUCT OF ANY PARTY. © Copyright IBM Corporation 2013. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind, express or implied. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, these materials. Nothing contained in these materials is intended to, nor shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software. References in these materials to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates. Product release dates and/or capabilities referenced in these materials may change at any time at IBM’s sole discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any way. 
IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service marks of others. 30

Editor's Notes

  1. We are in the midst of upheaval in the world of IT Security. Attackers are highly organized and using increasingly sophisticated methods to gain entry to your most sensitive data. At the same time, Cloud and mobile are redefining the concept of the perimeter. Join us for this insightful discussion of how today's CISO is building a more secure enterprise using analytics, risk-based protection, and activity monitoring to protect the most valuable assets of the organization.
  2. The threat landscape continues to be a challenge with advanced attacks, international rings of cyber criminals, new vulnerabilities and zero-day attacks. But you know all this. It’s bad out there and it’s getting worse… Let’s take a look at the “CISO Landscape”. The role of the CISO is changing. It’s not just a technologist role. The CISO is just as likely to have an MBA as a degree in computer science. Building a team, forecasting, budgeting, understanding the regulatory environment, managing to metrics all become a factor. And the CISO has to be able to go in front of the board and explain the importance of security strategy and how it is aligned to the business strategy of the organization. But… there are challenges…
  3. Challenge 1: Too much to do, too little time… you simply can’t do it all! The CISO has to balance the need to meet an ever-expanding set of compliance requirements and an increasing number of vulnerabilities and attack vectors, at the same time as he/she is facing a shortage of critical security talent. It is a real challenge to manage, and to communicate upward to executives. Vulnerability overload: 14% increase in Web application vulnerabilities (IBM X-Force 2012 Full Year Trend and Risk Report). Skills shortage: 83% of enterprises having difficulty filling security roles (Enterprise Strategy Group, 2012).
  4. Challenge #2: Tools lacking… Too many products: we have multiple examples of customers who have invested in many, many tools. One US government agency alone has 200 security products; that entails the license costs, but perhaps more problematically, the configuration and maintenance of all of those products in a constantly changing infrastructure. They’re not getting their money’s worth. They can’t. It’s too complex and too costly. Point products: besides having too many products, they have too many vendors, with point products from each vendor that do not integrate in any way. And those point products cannot find the advanced attacks that these enterprises are experiencing. Products don’t work: antivirus products cannot reliably defend against malware. http://krebsonsecurity.com/
  5. Challenge #3: The CISO is facing a changing business environment. Line of business execs want to move fast to meet changing customer demands and competitive pressures. In today’s world that includes developing and deploying mobile apps and taking advantage of cloud services. But CISOs are concerned about the security and costs of both mobile and cloud initiatives. Unless CISOs can develop a strategy to respond, they end up being in the position of saying “No” to innovation (cloud, mobile)… and being circumvented by those same LoB execs. 75% of organizations using at least one Cloud platform: North Bridge Venture Partners, 2013 Cloud survey; Saugatuck Technology, 2013 Cloud survey. 70% of CISOs are concerned about Cloud and mobile security: IBM 2013 CISO survey.
  6. CISOs have to be concerned about insiders who may compromise their security, either with malicious intent or simply because they are not being vigilant. They also have to be concerned about external attack vectors, particularly as the world moves toward cloud and mobile devices. At the same time, the payoff for the attackers keeps going up, meaning that the motivation to attack continues to escalate. Negligent insiders: IBM and Ponemon Survey of 265 C-Level Executives, Feb 2012, “The Source of Greatest Risk to Sensitive Data”. Web browser vulnerabilities: IBM X-Force 2012 Full Year Trend and Risk Report. Operation High Roller: http://www.networkworld.com/news/2012/062612-operation-high-roller-260478.html and other web sources.
  7. Point of view: Attackers are reinventing how they attack. CISOs have to reinvent their job. When attackers were targeting the whole world, the CISO wasn’t so worried. But now they’re coming after you…
  8. 1. Focus on what’s important: users, assets, transactions. Take a risk-based approach to security and invest in protecting what is most important. 2. Intelligence: apply visibility, integration and analytics to solving today’s advanced threats. 3. Innovation: apply security innovation to new business models such as Cloud and mobile.
  9. Easier said than done, right? Well, not exactly, we’re already doing it.
  10. 600,000 clients, 60,000 employees. HR, payroll, tax, and benefits information. Manual provisioning took up to 2 weeks. No monitoring of 100+ privileged users with unlimited access. Privileged User and Identity Management example: http://www-01.ibm.com/software/success/cssdb.nsf/CS/SSAO-95T4JN?OpenDocument&Site=tivoli&cty=en_us Automatic Data Processing (ADP) is one of the world's largest providers of business outsourcing solutions, including HR, payroll, tax and benefits administration solutions, with nearly USD10 billion in revenues and about 600,000 clients. At many companies, it can take days or weeks when an employee departs to revoke his or her access to buildings and IT systems. And ADP was no exception. When ADP associates left, revoking their access rights was predominantly a manual process that depended on each system administrator’s schedule and availability. What’s more, without a centralized, consolidated approach to identity management it was time-consuming and challenging for staff to confirm compliance for regulatory requirements, such as the Sarbanes-Oxley Act, SAS 70 and ISO 27001. They implemented zero-day-based provisioning. As part of the initial provisioning process and integrating additional layers of the IBM IAM solution, ADP now has the ability to implement zero-day-based provisioning for key applications and enable federated access to SaaS vendors that enrich the associate’s day-one experience at ADP. Zero-based provisioning is the ability to provide access to applications and systems without the associate and/or consultant knowing what their credential information is for those respective systems and applications. With zero-based provisioning implemented, privileged system and application access is significantly secured from internal and external attacks during and after the associate’s or consultant’s engagement with ADP.
As part of its evaluation of identity management solutions, ADP invited IBM and several large IAM vendors to participate in an on-site Proof of Concept demonstration. Identity Manager was up and running within two days. Transactions, Trusteer client example: Synovus Bank, one of the largest community banks in the southeastern US with a total asset size of approximately $31B, serving more than 96K commercial accounts. Wanted to mitigate client-side malware and stop man-in-the-middle and man-in-the-browser attacks.
  11. Assets: CitiGroup. 200 million customer accounts in 160 countries; consumer banking and credit, corporate and investment banking, securities brokerage, transaction services, wealth management. 2,000 databases containing HR, ERP, credit card, PII, and intellectual property. Saved $20M in compliance costs. Saved $1.5M per year in audit trail storage costs. Adopted new processes to investigate insider threats.
  12. Sources: JPMorgan, 2012 Online Fraud Report; Gartner, 2290415. Analysts estimate that $3.4B is lost to online fraud and 85% of breaches go undetected. The Royal Bank of Scotland uses Trusteer Rapport to protect their online banking customers. The product is delivered as an optional capability to the bank’s customers and is installed on over 1M customer endpoints to provide active protection. Additionally, the bank works actively with Trusteer to investigate fraud cases, and will occasionally ask customers who have been victims of a fraud case to install Rapport and work with Trusteer to perform forensics analysis on the impacted device.
  13. http://www-01.ibm.com/common/ssi/cgi-bin/ssialias?infotype=SA&subtype=WH&htmlfid=WGL03019USEN Tolly Test report: tests showed the GX7800 to be more effective in blocking publicly-available exploits than Snort and dramatically more effective when blocking mutated exploits, blocking 100% compared to 52% for Snort. Stopped 99% of tests of publicly available attacks. Using its protocol analysis module (PAM), the GX7800 is able to review the application traffic and identify malicious code, helping to maintain a more secure network than signature-based IPS alone.
  14. Fortune 5 energy company deploys global Security Operations Center and compliance monitoring, reduces 2B logs and events per day to 25 high priority offenses. Business challenge: protect critical assets from diverse global threats; help detect advanced threats; find the “needle in the haystack” of 2 billion daily logs and events; automate compliance operations for PCI (6 million daily transactions) and NERC (SCADA system monitoring). Solution: QRadar SIEM; real-time correlation of 100,000 systems and devices; 30 appliances deployed globally as a federated solution; hundreds of out-of-the-box reports and rules for compliance and security. Value: SIEM solution powers global threat detection and security operations, finding key risks among billions of daily events; supports and automates compliance for PCI and NERC; provides unified security platform for 100 users across 4 operational teams worldwide.
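The two ideas behind slides 14 and 15 (baselines and outliers instead of signatures, and correlating a flood of raw events into a handful of prioritised offenses) can be shown on a few constructed log lines. The script below is an added example and is not IBM's, QRadar's or any customer's code; the log format, user and host names, indicator weights and the "magnitude" scoring are all assumptions made up for the illustration. It establishes a robust baseline (median plus a multiple of the median absolute deviation) for database query sizes, flags the outlier, notices a successful login after a run of failures, and then folds every indicator for the same source host into one offense so that fifteen events become one prioritised item for an analyst.

```python
"""Toy baseline-and-correlation engine (added example, not from the IBM deck).

Every log line, host, user, threshold and weight below is constructed for
the illustration; none of it is real customer or product data.
"""
from collections import defaultdict
from dataclasses import dataclass
import statistics

# Constructed sample logs: "HH:MM user host event detail"
SAMPLE_LOGS = """\
08:00 alice ws-01 login ok
08:05 alice ws-01 db_query rows=120
08:10 alice ws-01 db_query rows=90
08:15 bob ws-02 login ok
08:20 bob ws-02 db_query rows=150
08:30 carol ws-03 login ok
08:35 carol ws-03 db_query rows=100
09:00 dave ws-04 login fail
09:01 dave ws-04 login fail
09:02 dave ws-04 login fail
09:03 dave ws-04 login fail
09:04 dave ws-04 login fail
09:05 dave ws-04 login ok
09:06 dave ws-04 db_query rows=50000
09:07 dave ws-04 outbound_transfer bytes=900000000
"""


@dataclass
class Event:
    minute: int   # minutes since midnight, for ordering
    user: str
    host: str
    kind: str     # login / db_query / outbound_transfer
    detail: str   # ok / fail / rows=N / bytes=N


def parse_events(text):
    """Parse the constructed five-field log format into Event records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, host, kind, detail = line.split()
        hh, mm = ts.split(":")
        events.append(Event(int(hh) * 60 + int(mm), user, host, kind, detail))
    return events


def detail_value(detail):
    """'rows=120' -> 120; 'bytes=900000000' -> 900000000."""
    return int(detail.split("=", 1)[1])


def query_baseline(events, k=5.0):
    """Robust outlier threshold for db_query sizes: median + k * MAD.

    Median/MAD are used instead of mean/stddev so a single huge query does
    not drag the baseline up and hide itself. k is an assumed tuning knob.
    """
    rows = [detail_value(e.detail) for e in events if e.kind == "db_query"]
    med = statistics.median(rows)
    mad = statistics.median(abs(r - med) for r in rows)
    return med + k * max(mad, 1.0)   # guard against MAD == 0


def find_indicators(events, transfer_limit=100_000_000, fail_threshold=3):
    """Turn raw events into (host, indicator, weight) tuples.

    transfer_limit and fail_threshold are assumed policy values; the weights
    are an arbitrary scoring scheme for the example.
    """
    threshold = query_baseline(events)
    indicators = []
    fails = defaultdict(int)           # consecutive failed logins per (user, host)
    for e in sorted(events, key=lambda ev: ev.minute):
        key = (e.user, e.host)
        if e.kind == "login" and e.detail == "fail":
            fails[key] += 1
        elif e.kind == "login" and e.detail == "ok":
            if fails[key] >= fail_threshold:
                indicators.append((e.host, "login_success_after_failures", 4))
            fails[key] = 0
        elif e.kind == "db_query" and detail_value(e.detail) > threshold:
            indicators.append((e.host, "query_volume_outlier", 3))
        elif e.kind == "outbound_transfer" and detail_value(e.detail) > transfer_limit:
            indicators.append((e.host, "large_outbound_transfer", 3))
    return indicators


def correlate(indicators, report_at=6):
    """Fold all indicators for one host into a single offense; report only
    offenses whose summed magnitude reaches report_at (assumed value)."""
    per_host = defaultdict(dict)
    for host, name, weight in indicators:
        per_host[host][name] = weight
    offenses = []
    for host, parts in per_host.items():
        magnitude = sum(parts.values())
        if magnitude >= report_at:
            offenses.append({"host": host, "magnitude": magnitude,
                             "indicators": sorted(parts)})
    return sorted(offenses, key=lambda o: -o["magnitude"])


def summarize(text):
    """Return (number of raw events, prioritised offenses)."""
    events = parse_events(text)
    return len(events), correlate(find_indicators(events))


if __name__ == "__main__":
    count, offenses = summarize(SAMPLE_LOGS)
    print(f"{count} raw events -> {len(offenses)} offense(s)")
    for offense in offenses:
        print(offense)
```

Three low-value signals on their own (a login after failures, one large query, one large transfer) each land below the reporting line; correlated to the same host they become one offense worth an analyst's time, while the ordinary activity of the other three hosts produces nothing. In a real SIEM the baseline would be learned per user or asset over days rather than from a single batch, and the weights would come from asset criticality and threat reputation rather than constants.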
  15. https://w3-connections.ibm.com/wikis/home?lang=en-us#!/wiki/W2d9715d42210_49a1_9f51_74d34634effc/page/Ziggo%20develops%20complete%20security%20operations%20center%20with%20with%20IBM%20Security%20QRadar%2C%20NIPS%20appliances%20and%20Services Ziggo develops complete security operations center with IBM Security QRadar, NIPS appliances and Services. Ziggo is a Dutch provider of entertainment, information and communication through television, broadband internet and telephony services. The company serves around 3.0 million households, with 1.6 million broadband internet customers, more than 2.0 million customers for digital television and 1.3 million telephony subscribers. Business to business customers use services such as data communication, telephony, television and internet. The company owns a next-generation network capable of providing the bandwidth required for all future services currently foreseen. Client need: Ziggo’s current Network Operations Center is not adequately equipped to deal with today’s security challenges. For this reason Ziggo needed to extend towards a complete Security Operations Center (SOC) with a SIEM solution as the core component, to enable the new SOC to monitor proactively and in real time, 24x7, security-related events and incidents in all Ziggo’s domains and services. The SOC should be able to detect possible security incidents, like Advanced Persistent Threats (APTs), malware outbreaks, DDoS and other malicious behaviour, and provide an appropriate and adequate response to the threats as part of Security Incident Management Response procedures. The SOC should be capable of monitoring the Ziggo network, IT domains and business applications for security events. This should work rule-based as well as on the occurrence of anomalous behavior, and the detection of such events should be real-time or nearly real-time. IBM solution: IBM QRadar Security Intelligence Platform, including SIEM, Risk Management, Log Management, Network Behaviour Analytics
and Security Event Management; IBM Security Network Intrusion Prevention Appliances; SWG Services. Why IBM? The QRadar Security Intelligence Platform combined with the IBM Intrusion Protection appliances and X-Force enables Ziggo to have the most intelligent, integrated and automated security intelligence solution available. The out-of-the-box experience and short deployment time, and the integration of flows and events enabling Ziggo to detect issues even during the POC phase, gave IBM the upper hand over the competition. The QRadar Security Intelligence Platform will help protect the Ziggo brand image and their confidential data.
  16. Cloud is expanding the boundaries of today’s traditional business models and creating opportunity for enhanced security. Securing your traditional datacenter can be manual and static, while managing your security leveraging the cloud offers: automated security that can be quickly provisioned in the cloud; customizable security that can be tuned to individual applications; elastic security that monitors activities in the virtual datacenter.
  17. Mobile Device Management: security for endpoint device and data. Network, Data, and Access Control: achieve visibility and adaptive security policies. Application Layer Security: develop and test applications. Fraud Protection: advanced transaction protection against fraud.
  18. IBM offers integrated security intelligence and industry-leading experience enabled by the IBM Security Framework solution capabilities. All of the IBM Security offerings are backed by an extensive business partner ecosystem which consists of industry-leading technology, sales and service partners. These capabilities are delivered through a comprehensive and robust set of tools and best practices (including software and hardware) that are supported by the services needed to address: Intelligence, through a common and intuitive view that combines deep analytics with real-time security intelligence; Integration, through unifying existing tools and infrastructures with new forms of defense in order to reduce complexity and lower the cost of maintaining a strong security posture; Expertise, through a more proactive and trusted source of threat research and security data in order to stay ahead of emerging threats and risks.
  19. Advanced attacks follow a consistent attack chain. Break in: reconnaissance, spear phishing, and remote exploits to gain access. Latch on: malware and backdoors installed to establish a foothold. Expand: lateral movement to increase access and maintain a presence. Gather: acquisition and aggregation of confidential data. Exfiltrate: data exfiltration to external networks. At each stage of the defense strategy, IBM has integrated capabilities that help harden, detect, analyze, and remediate these advanced attacks.
  20. CHALLENGE: Are you ready to stop managing tens of vendors? Integrate between silos? Understand what’s most important to the business and whether it’s being properly secured? Stand confidently in front of the board? Start saying “Yes” again?
  21. Visit the Security Intelligence Area in the Solution Center to meet our experts from the IBM Security Singapore Lab, featuring 10+ demos and 5 appliances being showcased. Don’t miss… Day 2, Solution Center Sessions, including the introduction of the new capabilities that will enhance our portfolio through the IBM acquisition of Trusteer. Day 3, Technical Session: dedicated Security track featuring content on Identity and Access Management, Security Intelligence, Mobile Security and more. Also, don’t miss customer speakers including YaData and Asian Paints.