Big Vulnerabilities + Big Data = Big Intelligence
TRANSCRIPT
© 2013 IBM Corporation
Jason Keirstead / Rory Bray
IBM Security Systems
Vulnerabilities Today - I Got 99 Problems...
● Too many vulnerability disclosures coming in daily
● Too many vulnerable assets reported daily
● Not enough time / money to remediate them all
● Prioritization needs to be a priority!
[Figure: 2012 Sampling of Security Incidents by Attack Type, Time and Impact. Conjecture of relative breach impact is based on publicly disclosed information regarding leaked records and financial losses.]
Non-Traditional Security Data Sources Can Help
● Traditional Sources - Security logs, network flows, scanned vulnerabilities, endpoint configurations, device configurations...
● Non-traditional Sources – Browser log data, employee directory information, proprietary corporate data, “Big Data”...
● These non-traditional data sources already exist and can be leveraged to significantly improve upon and add to the traditional sources, helping separate the “vulnerability wheat” from the “vulnerability chaff”
● Examples:
– Evaluate user browsing history correlated with website attributes to determine if a user is more likely to visit risky domains, if so increase risk of assets said user accesses
– Evaluate email activity correlated with browsing history to determine if a user is likely to click on suspicious links in emails, if so increase risk of said user's asset
– Evaluate VPN activity correlated with external user directory data to determine if an unauthorized remote log-in is likely due to time of day vs. employee location, if so, increase risk of said assets
– … and more!
QRadar Risk and Vulnerability Managers enable customers to interpret the ‘sea’ of vulnerabilities
[Figure: a field of CVE identifiers, annotated with the six states below.]
● Inactive: QFlow Collector data helps QRadar Vulnerability Manager sense application activity
● Blocked: QRadar Risk Manager helps QVM understand which vulnerabilities are blocked by firewalls and IPSs
● Patched: IBM Endpoint Manager helps QVM understand which vulnerabilities will be patched
● Critical: Vulnerability knowledge base, external data, and QRM policies inform QVM about business critical vulnerabilities
● At Risk: X-Force Threat and SIEM security incident data, coupled with QFlow network traffic visibility, help QVM see assets communicating with potential threats
● Exploited: SIEM correlation and IPS data help QVM reveal which vulnerabilities have been exploited
Sounds Great! But.... How Does This Work?
A Big Data Use Case Using IBM Big Insights
[Figure: architecture diagram. IBM Security QRadar (data collection and enrichment; event correlation; real-time analytics; offense prioritization) with traditional data sources. Big Data Platform: IBM InfoSphere BigInsights (Hadoop-based; enterprise-grade; any data / volume; data mining; ad hoc analytics) with non-traditional data sources and custom analytics. Links between the two are labelled “Data ingest” and “Insights”.]
Pulse 2014 The Premier Cloud Conference
QRadar Reference Data Model
Dynamic data containers are consumed by the QRadar Correlation Engine and other components in the Security Intelligence Platform, including Risk Manager and Vulnerability Manager.
● Sets
● Maps
● Maps of Sets
● Tables
QRadar Policy Monitor
● Component of QRadar Risk Manager that calculates asset and vulnerability policies among many disparate data sources
● Allows feeding of asset and vulnerability risk calculations to QRadar Vulnerability Manager
● Risk Calculations enable risk reporting and vulnerability remediation prioritization
[Figure: Policy Monitor data flow. Inputs: Asset / Vulnerability Data, Reference Data, Network Topology (Reachability), Flow Connections, Firewall / Switch Configuration, Vulnerability Catalogs, Scan Results, External Data. Outputs: Asset Risk Reports, Vulnerability Risk Reports.]
Workflow to analyze Domains in Network Traffic and Cross Reference with External Data
[Figure: workflow. External inputs: Proxy Logs; Domain Registration Data (whoisxmlapi.com); X-Force Security Feeds (Known Risky Domains). Big Insights Platform data sets: Raw Proxy Logs; JSON Enriched Normalized Logs; JSON Formatted Whois Registration Data; Lists of Known Malware Domains. Output: Sets of Identified Risky Users, Src IPs and Domains.]
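The heuristics listed under “Non-Traditional Security Data Sources Can Help” and the workflow above describe one pipeline: normalize proxy logs, enrich each visited domain with registration data and a known-malicious-domain list, score the domain, and roll the scores up into sets of risky users, source IPs and domains. The Python below is an added example of that pipeline and is not code from the talk, from QRadar or from Big Insights; the proxy log format, the whois records, the malware list, the white list and every weight and threshold are constructed assumptions.

```python
"""Domain risk scoring over proxy logs, cross-referenced with whois registration data
and a list of known-malicious domains, producing sets of risky users, source IPs and
domains. Added example; scoring weights and thresholds are assumed, not the talk's."""
from collections import defaultdict
from datetime import date

NEW_DOMAIN_DAYS = 30        # assumed: registrations younger than this look suspicious
SCORE_MALWARE = 10          # assumed weight for a domain on the threat feed
SCORE_NEW_REGISTRATION = 5  # assumed weight for a newly registered domain
RISKY_THRESHOLD = 5         # assumed cut-off for a user or source IP to be flagged

# Constructed proxy log lines (timestamp user src_ip domain); not real traffic.
PROXY_LOGS = """\
2013-10-01T09:12:03 alice 10.1.1.20 intranet.example.com
2013-10-01T09:15:44 bob 10.1.1.31 news.example.org
2013-10-01T09:16:10 bob 10.1.1.31 fresh-deals.example.net
2013-10-01T09:20:01 carol 10.1.1.42 bad.example.net
2013-10-01T09:21:09 carol 10.1.1.42 news.example.org
2013-10-01T09:30:00 alice 10.1.1.20 news.example.org
"""
# Constructed whois records (stand-in for the JSON-formatted registration feed).
WHOIS = {
    "intranet.example.com": {"created": "2005-03-01"},
    "news.example.org": {"created": "2001-07-14"},
    "fresh-deals.example.net": {"created": "2013-09-25"},
    "bad.example.net": {"created": "2013-09-20"},
}
# Constructed known-malware domain list (stand-in for an external threat feed).
MALWARE_DOMAINS = {"bad.example.net"}
# Constructed white list: domains never scored, whatever the feeds say.
WHITE_LIST = {"intranet.example.com"}


def parse_proxy_logs(text):
    """Normalize raw proxy lines into dicts; blank or malformed lines are dropped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # malformed line: drop rather than guess at fields
        ts, user, src_ip, domain = parts
        records.append({"timestamp": ts, "user": user, "src_ip": src_ip,
                        "domain": domain.lower().rstrip(".")})
    return records


def domain_age_days(domain, observed, whois=WHOIS):
    """Days between registration and the observed visit, or None if whois has no record."""
    rec = whois.get(domain)
    if rec is None:
        return None
    return (observed - date.fromisoformat(rec["created"])).days


def score_domain(domain, observed, whois=WHOIS, malware=MALWARE_DOMAINS, white_list=WHITE_LIST):
    """Additive domain risk: threat-feed hit plus newly-registered bonus; white list wins."""
    if domain in white_list:
        return 0
    score = SCORE_MALWARE if domain in malware else 0
    age = domain_age_days(domain, observed, whois)
    if age is not None and age < NEW_DOMAIN_DAYS:
        score += SCORE_NEW_REGISTRATION
    return score


def enrich(records):
    """Attach domain age and risk to each record (the 'enriched normalized logs' stage)."""
    out = []
    for r in records:
        observed = date.fromisoformat(r["timestamp"][:10])
        out.append(dict(r, domain_age_days=domain_age_days(r["domain"], observed),
                        domain_risk=score_domain(r["domain"], observed)))
    return out


def build_risk_sets(enriched):
    """Aggregate per-user and per-IP risk, counting each (actor, domain) pair once."""
    user_scores, ip_scores = defaultdict(int), defaultdict(int)
    seen_user, seen_ip, risky_domains = set(), set(), set()
    for r in enriched:
        if r["domain_risk"] <= 0:
            continue
        risky_domains.add(r["domain"])
        if (r["user"], r["domain"]) not in seen_user:
            seen_user.add((r["user"], r["domain"]))
            user_scores[r["user"]] += r["domain_risk"]
        if (r["src_ip"], r["domain"]) not in seen_ip:
            seen_ip.add((r["src_ip"], r["domain"]))
            ip_scores[r["src_ip"]] += r["domain_risk"]
    return {
        "risky_users": {u for u, s in user_scores.items() if s >= RISKY_THRESHOLD},
        "risky_ips": {ip for ip, s in ip_scores.items() if s >= RISKY_THRESHOLD},
        "risky_domains": risky_domains,
        "user_scores": dict(user_scores),
    }


def analyze(text=PROXY_LOGS):
    """Whole workflow: parse -> enrich -> risk sets ready to push into reference sets."""
    return build_risk_sets(enrich(parse_proxy_logs(text)))


if __name__ == "__main__":
    result = analyze()
    for key in ("risky_users", "risky_ips", "risky_domains"):
        print(key, sorted(result[key]))
```

Counting each (user, domain) pair once keeps a single user who reloads one bad page from outscoring a user who visits many; the white list is applied before any feed lookup so an internal domain that a feed wrongly lists can never raise a user's score. The resulting sets are what the next slides push into QRadar reference sets.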
QRadar and Big Insights Data Links
Big Insights
• Forwarding Destinations
• Routing Rules
• Flume Receivers (Syslog TCP)
QRadar Reference Data APIs
JSON Event/Flow Forwarding
[Figure: end-to-end data flow (arrows not recoverable). Big Insights components: JSON Browser Logs, External Registrar Data, Threat Feeds, Domain Risk Calculator, Domain Risk Scores, User Browsing History, Risk Modeler, IP / User Set Generation, IP Set, User Set, Custom Risk Calculator, White List, External Data, Risky IPs / Users. QRadar SIEM components: QRadar Log / Flow Data, Policy Monitor Custom Rule Engine, Asset / Vulnerability Risk Scores, Reports / Saved Searches.]
Use Case - Example Rules And Policies
[Screenshot slides; images not captured:]
● QRadar Reference Sets
● QRadar Reference Set Example – (Risky Users)
● QRadar – Create Rule On Risky Users
● QRadar – Risky User Rule Response – Track Risky Asset Use
● QRadar Risk Manager – Policy On Risky Asset Usage
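The QRadar side of the use case spans several slides: the reference data model (sets, maps, maps of sets, tables), the rule that fires on users in a “Risky Users” reference set and tracks which assets they use, the Risk Manager policy on risky asset usage, and the six vulnerability states (Inactive, Blocked, Patched, Critical, At Risk, Exploited) that the Policy Monitor uses to prioritize remediation. The Python below is an added example that ties those pieces together in one pass; it is not QRadar code. The container classes, event fields, vulnerability flags, status weights and risky-use multiplier are assumptions, and the CVE identifiers are placeholders.

```python
"""Reference-data containers, a correlation rule on risky users, and a policy-monitor
style triage that turns vulnerability findings into a prioritized list. Added example;
container classes, event fields and weights are assumed, not QRadar's own."""
from collections import defaultdict


class ReferenceData:
    """Stand-ins for the four container kinds the talk lists: sets, maps, maps of sets, tables."""

    def __init__(self):
        self.sets = defaultdict(set)                              # name -> {value}
        self.maps = defaultdict(dict)                             # name -> {key: value}
        self.map_of_sets = defaultdict(lambda: defaultdict(set))  # name -> {key: {value}}
        self.tables = defaultdict(lambda: defaultdict(dict))      # name -> {key: {col: value}}


# Constructed SIEM events (fields assumed): who authenticated to which asset.
EVENTS = [
    {"username": "bob", "dst_asset": "web01"},
    {"username": "alice", "dst_asset": "web01"},
    {"username": "carol", "dst_asset": "db01"},
    {"username": "bob", "dst_asset": "db01"},
    {"username": "alice", "dst_asset": "fs01"},
]
# Constructed vulnerability findings carrying the enrichment flags the talk describes
# (flow activity, firewall/IPS blocking, scheduled patch, criticality, threat contact,
# exploitation). CVE ids are placeholders, not real identifiers.
VULNS = [
    {"asset": "web01", "cve": "CVE-EXAMPLE-0001", "cvss": 9.8, "service_active": True,
     "blocked": False, "patch_scheduled": False, "business_critical": True,
     "talking_to_threat": False, "exploited": False},
    {"asset": "db01", "cve": "CVE-EXAMPLE-0002", "cvss": 8.0, "service_active": True,
     "blocked": False, "patch_scheduled": False, "business_critical": False,
     "talking_to_threat": True, "exploited": True},
    {"asset": "fs01", "cve": "CVE-EXAMPLE-0003", "cvss": 9.0, "service_active": False,
     "blocked": False, "patch_scheduled": False, "business_critical": False,
     "talking_to_threat": False, "exploited": False},
    {"asset": "mail01", "cve": "CVE-EXAMPLE-0004", "cvss": 8.1, "service_active": True,
     "blocked": True, "patch_scheduled": True, "business_critical": False,
     "talking_to_threat": False, "exploited": False},
]
# Assumed weights per status; the order of checks in classify() is what matters.
STATUS_WEIGHT = {"Exploited": 1.0, "At Risk": 0.9, "Critical": 0.8, "Open": 0.5,
                 "Patched": 0.2, "Blocked": 0.2, "Inactive": 0.0}
RISKY_USE_MULTIPLIER = 1.5  # assumed uplift when a flagged user touches the asset


def risky_user_rule(ref, event):
    """Correlation rule: username in set RiskyUsers -> record the asset the user touched."""
    if event["username"] in ref.sets["RiskyUsers"]:
        ref.map_of_sets["RiskyAssetUse"][event["dst_asset"]].add(event["username"])
        return True
    return False


def classify(v):
    """Map a finding to one of the talk's six states; evidence of exploitation wins."""
    if v["exploited"]:
        return "Exploited"
    if v["talking_to_threat"]:
        return "At Risk"
    if not v["service_active"]:
        return "Inactive"  # no flows seen for the service: nothing reachable to exploit
    if v["blocked"]:
        return "Blocked"   # firewall / IPS closes the path
    if v["patch_scheduled"]:
        return "Patched"   # endpoint management will fix it
    return "Critical" if v["business_critical"] else "Open"


def priority(v, status, ref):
    """Risk score: CVSS x status weight, uplifted when a risky user uses the asset."""
    score = v["cvss"] * STATUS_WEIGHT[status]
    if v["asset"] in ref.map_of_sets["RiskyAssetUse"]:
        score *= RISKY_USE_MULTIPLIER
    return round(score, 2)


def run_pipeline(risky_users=("bob", "carol"), events=EVENTS, vulns=VULNS):
    """Load the risky-user set, run the rule over events, then triage the findings."""
    ref = ReferenceData()
    ref.sets["RiskyUsers"].update(risky_users)
    for e in events:
        risky_user_rule(ref, e)
    prioritized = []
    for v in vulns:
        status = classify(v)
        prioritized.append({"asset": v["asset"], "cve": v["cve"], "status": status,
                            "priority": priority(v, status, ref)})
    prioritized.sort(key=lambda p: p["priority"], reverse=True)
    for p in prioritized:  # asset risk report: highest finding per asset, kept in a table
        row = ref.tables["AssetRisk"][p["asset"]]
        row["risk"] = max(row.get("risk", 0.0), p["priority"])
    return {
        "risky_asset_use": {a: set(u) for a, u in ref.map_of_sets["RiskyAssetUse"].items()},
        "prioritized": prioritized,
        "asset_risk": {a: row["risk"] for a, row in ref.tables["AssetRisk"].items()},
    }
```

The point of the ordering in classify() is that context from other components overrides raw severity: a CVSS 9.0 finding on a service no flow data has ever seen drops to the bottom, while a lower-scored finding that SIEM correlation shows being exploited, on an asset a risky user logs into, rises to the top. The risky-user set is exactly the output of the domain-risk workflow, so the two halves of the use case meet at a reference set.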
Acknowledgements and Disclaimers:
© Copyright IBM Corporation 2012. All rights reserved.
– U.S. Government Users Restricted Rights - Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.
IBM, the IBM logo, ibm.com, QRadar, and Big Insights are trademarks or registered trademarks of International Business Machines Corporation in the United States, other countries, or both. If these and other IBM trademarked terms are marked on their first occurrence in this information with a trademark symbol (® or ™), these symbols indicate U.S. registered or common law trademarks owned by IBM at the time this information was published. Such trademarks may also be registered or common law trademarks in other countries. A current list of IBM trademarks is available on the Web at “Copyright and trademark information” at www.ibm.com/legal/copytrade.shtml
Other company, product, or service names may be trademarks or service marks of others.
Availability. References in this presentation to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates.
The workshops, sessions and materials have been prepared by IBM or the session speakers and reflect their own views. They are provided for informational purposes only, and are neither intended to, nor shall have the effect of being, legal or other guidance or advice to any participant. While efforts were made to verify the completeness and accuracy of the information contained in this presentation, it is provided AS-IS without warranty of any kind, express or implied. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, this presentation or any other materials. Nothing contained in this presentation is intended to, nor shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software.
All customer examples described are presented as illustrations of how those customers have used IBM products and the results they may have achieved. Actual environmental costs and performance characteristics may vary by customer. Nothing contained in these materials is intended to, nor shall have the effect of, stating or implying that any activities undertaken by you will result in any specific sales, revenue growth or other results.
ibm.com/security
© Copyright IBM Corporation 2012. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind, express or implied. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, these materials. Nothing contained in these materials is intended to, nor shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software. References in these materials to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates. Product release dates and/or capabilities referenced in these materials may change at any time at IBM’s sole discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any way. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service marks of others.
Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed or misappropriated or can result in damage to or misuse of your systems, including to attack others. No IT system or product should be considered completely secure and no single product or security measure can be completely effective in preventing improper access. IBM systems and products are designed to be part of a comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective. IBM DOES NOT WARRANT THAT SYSTEMS AND PRODUCTS ARE IMMUNE FROM THE MALICIOUS OR ILLEGAL CONDUCT OF ANY PARTY.