Detect and Respond to Threats Better with IBM Security App Exchange Partners

IBM Security App Exchange
Spotlight:
IMMERSE YOUR SECURITY IN THREAT INTELLIGENCE
Russ Warren
Program Manager – Security Intelligence Technology Alliance

2 IBM Security
Today’s attacks require a strategic security approach
• Build multiple perimeters
• Protect all systems
• Use signature-based methods
• Periodically scan for known threats
• Shut down systems
Tactical Approach
Compliance-driven, reactionary
Today’s Attacks
• Assume constant compromise
• Prioritize high-risk assets
• Use behavioral-based methods
• Continuously monitor activity
• Gather, preserve, retrace evidence
Strategic Approach
Intelligent, orchestrated,
automated
Indiscriminate malware,
spam and DDoS activity
Advanced, persistent, organized,
politically or financially motivated
It takes power and precision to stop adversaries and unknown threats
Yesterday’s Attacks

3 IBM Security
Continuously stop attacks
and remediate vulnerabilities
Upgrade your defenses with a coordinated platform to
outthink threats
• Disrupt malware and exploits
• Discover and patch endpoints
• Automatically fix vulnerabilities
Respond to incidents quickly, with precision
• Hunt for indicators
using deep forensics
• Orchestrate and automate
incident response
Discover unknown threats
with advanced analytics
• See attacks across the enterprise
• Sense abnormal behaviors
• Automatically prioritize threats
RESPOND

4 IBM Security
Imagine if you could…
PROTECT against tomorrow’s risks, today

5 IBM Security
How do I get started when all I see is chaos?
IP reputation
Indicators of compromiseThreat sharing
Firewalls
Incident and threat management
Virtual patching
Sandboxing
Network visibility
Endpoint patching and managementMalware protection
Antivirus
Data access control Data monitoring
Application security management
Application scanning
Access management
Entitlements and roles
Identity management
Transaction protection
Device management
Content security
Workload
protection
Cloud access
security brokerAnomaly detection
Log, flow, data analysis
Vulnerability management
Privileged identity management
Incident response
Criminal detection
Fraud protection

6 IBM Security
Integration to help prevent, detect and respond to advanced threatsIntegration to help prevent, detect and block insider threatIntegration to manage compliance and governanceIntegration for risk-based access to critical assetsIntegration to help secure mobile transformationIntegration for secure adoption of cloud apps
Integrated protection to optimize security posture
Via our IBM Technology Partners and their QRadar Extensions,
we can gain more visibility, clearer context and collaborate
on suspicious activities for the Security Operations and Incident
Response teams

Prevoty
Kunal Anand
November 8, 2016
Co-founder and CTO

8 IBM Security
Prevoty Overview
Prevoty provides Application Security Detection and Protection
at Runtime
̶ Agent Installation: no code changes required
̶ Application Integrations: C#, Java, Node.js, PHP, Python, Ruby, etc.
̶ DevOps Integrations: Ansible, Chef, Jenkins, Puppet, etc.
Detection: Application and Data Security Intelligence
̶ Visibility into attack execution in production applications
̶ Use cases: asset tagging, database monitoring/exfiltration, fraud, etc.
Protection: RASP (Runtime Application Self-Protection)
̶ Instant mitigation against attacks including the OWASP Top 10,
including content, database and command injections
Application and Data Security at Runtime
Inspect
Prevoty plug-ins use
deep instrumentation
to INSPECT
application activity at
runtime
Detect
The engine uses patented
language security
“LANGSEC” to DETECT
malicious behavior
Alert
If the payload is malicious,
ALERTSare issued to log
ﬁles and any conﬁgured
SIEMS
Protect
PROTECT mode can modify
or block malicious payloads
in real time

9 IBM Security
Prevoty Intelligence
Pre-Correlated Intelligence (Everything in One Place)
̶ Network – HTTP Request, HTTP Response, IP Addresses,
Hosts Info
̶ Application – User Session, Code Execution, Filename, Line
Number
̶ Operating System – File Reads/Writes, Process Executions
̶ Database – Query Execution, Modified Rows via Execution
The Four W’s
̶ Who – IP Address, Session, Cookie Identifier
̶ What – Contents of the payload (HTTP variables, database
queries)
̶ Where – URL, Stack Trace (includes Filename and Line
Number)
̶ When – Nanosecond Timestamp
Unparalleled Security Application and Database Security Insights
{
category : ‘SQL’,
event : ‘Data Exfiltration’,
engine : ‘query’,
severity : ‘HIGH’,
query : ‘SELECT name, pw FROM u WHERE name=‘’ OR 1=1’,
returnedRows : 10,
tautology : true,
file : ‘UserRepository.java’,
line : 30,
ip : ‘127.0.0.1’,
session_id : ‘8fOEWOQ890a’,
url : ‘http://acme.com/search?name='%20OR%201=1’,
timestamp : 1478552486344
}

10 IBM Security
Prevoty & IBM QRadar
1. Add a Prevoty Agent to your application
̶ Prevoty travels with the application through the entire SSDLC
̶ DevOps integrations with CI and CD solutions
̶ Insights are logged in many formats: CEF, LEEF, JSON
2. Download the Prevoty / QRadar Extension
̶ https://exchange.xforce.ibmcloud.com/hub/extension/Prevoty
RASP
̶ Forward Prevoty LEEF log output to your QRadar deployment
3. Analyze and Visualize Security Insights
̶ Pre-built dashboards/reports for visualizing runtime insights
̶ Correlate Prevoty with AppScan (vulnerability management),
Guardium (DAM) and Trusteer (fraud)
3 Steps to Analyze and Visualize Real-Time Application and Data Security Insights

11 IBM Security
Dashboards
̶ Dashboards aggregate Prevoty intelligence into a unified view
across all applications
̶ Dashboards provide a quick way to see the security posture
while allowing analysts to jump in
Pre-Built Dashboards, Saved Searches, Reports and Offenses
Saved Searches & Reports
̶ Prevoty has pre-built saved searches and reports to speed up
common tasks that analysts typically execute during their day-
to-day works and investigations.
̶ Example searches: Intelligence Grouped by Src & Dest,
Intelligence Grouped by Application, Offenses, etc.

12 IBM Security
• Visibility into
applications and
databases
• Application and
database monitoring
and protection
• Authentication,
authorization and
transactional fraud
• Insights into what’s
happening in the
app and beyond
• Performance within
applications
Addressing Top Security Use Cases & Questions Together

13 IBM Security
Prevoty & IBM AppScan
Pre-Production SSDLC is Resource Intensive
̶ Developers are not security experts
̶ Push to Agile Development and CI/CD represents the
desire to deploy new applications and features to
production faster
Production Risk Management
̶ Acceptable risk management allows for vulnerable
applications to be deployed to production while
organizations know their application is protected by
Prevoty
Correlate Real-World Attacks with Vulnerabilities
̶ Prioritize vulnerability remediation efforts based on actual
attacks
̶ Improves the cost and resource efficiency of remediation
Unparalleled Security Application and Database Security Insights

14 IBM Security
Prevoty & IBM QRadar Ecosystem
Runtime Visibility Improves Security Decision-Making Across the Ecosystem
ProductionPre-Prod
Applications
On-PremCloud
Databases
SSDLC
Vulnerability Management
Authentication, Authorization &
Transactional Fraud
Static&DynamicTesting
Intelligence
(LEEF)
Data
Monitoring&
Protection
Database
Activity Monitoring

Niara UBA Application for
QRadar
MACHINE LEARNING-DRIVEN ATTACK DETECTION AND ACCELERATED INVESTIGATION
Karthik Krishnan
November 8, 2016
VP Product Line Management

16 IBM Security
Two major value propositions
DETECTION OF ATTACKS AND
RISKY BEHAVIORS
on the inside
ACCELERATED INCIDENT
RESPONSE
via integrated forensic data

17 IBM Security
Machine learning combined with big data forensics
Behavioral
Analytics

18 IBM Security
SOLUTION AT A GLANCE
Console / Workflow
QRadar
PACKET
BROKER
NETWORK TRAFFIC
PACKETS
FLOWS
IDENTITY
INFASTRUCTURE
Logs
SaaS
laaS
ALERTS
AD, DHCP
DNS, Firewall, Proxy,
VPN, Email, DLP
Endpoint, Network, STIX
ANALYZER
ENTITY360
ANALYTICS FORENSICS
DATA
FUSION BIG DATA
Spark/Hadoop
Box, Office360
AWS, Azure

20 IBM Security
Entity360™ Security Dossier

21 IBM Security
Behavioral analytics across multiple dimensions

22 IBM Security
Model Confidence and Business Impact
Business
Impact
Model
Confidence

23 IBM Security
Niara Alert Details

24 IBM Security
Choice of Niara Entry Points

25 IBM Security
Entity 360 security dossier

26 IBM Security
Network Conversations Drill Down

28 IBM Security
UBA Incident response ROI

29 IBM Security
Certified to Integrate with QRadar

30 IBM Security
Basics of Behavioral Analytics
ABNORMAL INTERNAL
RESOURCE ACCESS
Behavioral
Analytics
UNSUPERVISED
+
SEMI-SUPERVISED
HISTORICAL
+
PEER GROUP
MACHINE LEARNING BASELINES

31 IBM Security
Finding the Malicious in the Anomalous
Behavioral
Analytics
SUSPICIOUS
FILE DOWNLOAD
ANOMALOUS
DNS REQUEST
UNUSUAL PRIVILEGE
ESCALATION
ABNORMAL INTERNAL
RESOURCE ACCESS
IRREGULAR EXTERNAL
DATA UPLOAD
SUPERVISED
MACHINE LEARNING
DLP
Sandbox
Firewalls
STIX
Rules
Etc.
THIRD PARTY ALERTS

32 IBM Security
Niara Alert Dashboards on QRadar Console

Check Point SmartView
FOR QRADAR
Bill Sheeran – Check Point
IBM Global Account Manager
[RESTRICTED] ONLY FOR DESIGNATED GROUPS AND INDIVIDUALS

34 IBM Security
THE CYBERTHREAT
LANDSCAPE IS RAPIDLY
EVOLVING
more sophisticated
and more advanced

35 IBM Security
IT environments have EVOLVED with new EMERGING technologies
EVOLVING AND COMPLEX IT ENVIRONMENTS

36 IBM Security
HOW TO PROTECT
TODAY’S BOUNDLESS ENVIRONMENTS?

37 IBM Security [RESTRICTED] ONLY FOR DESIGNATED GROUPS AND INDIVIDUALS
SOFTWARE-DEFINED PROTECTION (SDP) ARCHITECTURE
CONVERTING INTELLIGENCE INTO PROTECTION
ENFORCEMENT LAYER
THREAT PREVENTION
ENDPOINT
SECURITY
NETWORK SECURITY
GATEWAY
MOBILE
SECURITY
VIRTUAL
SYSTEMS
CLOUD
SECURITY
CONTROL LAYER
MANAGEMENT LAYER SINGLE MANAGEMENT

38 IBM Security
A Single View into Security Risk

39 IBM Security
Fully Integrated Threat Management
Logging
Event
Correlation
Reporting
Monitoring
For Full Visibility Across Your Network
SECURITY MANAGEMENT

40 IBM Security
Forensics: Converting Intelligence into Protection

41 IBM Security
Investigate the Threat

45 IBM Security
Easily Customize Your Reports
Management Helpdesk Auditor
Accessible from
any device

48 IBM Security
Consolidate all your security
Deploy security without impeding innovation
Gain full visibility to prevent the next attack
Keep pace with dynamic environments

49 IBM Security
THINK ABOUT IT…
We blocked 1,700,000 attacks
We detected 140,000 bots communicating
with command and control
We created 1,500 new protections
minutes since we started?
The value to our customers…
5

ibm.com/security
securityintelligence.com
xforce.ibmcloud.com
@ibmsecurity
youtube/user/ibmsecuritysolutions
© Copyright IBM Corporation 2016. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind,
express or implied. Any statement of direction represents IBM's current intent, is subject to change or withdrawal, and represent only goals and objectives. IBM, the IBM logo, and other IBM products
and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service
marks of others.
Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your
enterprise. Improper access can result in information being altered, destroyed, misappropriated or misused or can result in damage to or misuse of your systems, including for use in attacks on others.
No IT system or product should be considered completely secure and no single product, service or security measure can be completely effective in preventing improper use or access. IBM systems,
products and services are designed to be part of a lawful, comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products
or services to be most effective. IBM does not warrant that any systems, products or services are immune from, or will make your enterprise immune from, the malicious or illegal conduct of any party.
FOLLOW US ON:
THANK YOU

Detect and Respond to Threats Better with IBM Security App Exchange Partners

Detect and Respond to Threats Better with IBM Security App Exchange Partners

Recomendados

Mais conteúdo relacionado

Mais procurados

Mais procurados(19)

Destaque

Destaque(19)

Similar a Detect and Respond to Threats Better with IBM Security App Exchange Partners

Similar a Detect and Respond to Threats Better with IBM Security App Exchange Partners(20)

Mais de IBM Security

Mais de IBM Security(20)

Último

Último(20)

Detect and Respond to Threats Better with IBM Security App Exchange Partners