DSS and Security Intelligence @IBM_Connect_2014_April

Quantify value of IT Security for business with IBM tools. Andris Soroka, 17th of April, 2014, Riga, Latvia


DESCRIPTION

DSS participated in this year's "IBM Connect" event, organized by IBM's regional value-added distributor (VAD), ALSO Baltics. DSS spoke about the importance of IT security in the new digital world that is developing. New technologies bring new business opportunities, but they also bring new security threats and risks that have to be considered first.

TRANSCRIPT

Page 1: DSS and Security Intelligence @IBM_Connect_2014_April

Quantify value of IT Security for business

with IBM tools

Andris Soroka, 17th of April, 2014

Riga, Latvia

Page 2: DSS and Security Intelligence @IBM_Connect_2014_April

The Saga Begins – Scared vs. Informed

Page 3: DSS and Security Intelligence @IBM_Connect_2014_April

“Data Security Solutions” business card

Specialization – IT Security

IT Security services (consulting, audit, pen-testing, market analysis, system testing and integration, training and technical support)

Solutions and experience portfolio with more than 20 different technologies – cyber-security global market leaders from more than 10 countries

Trusted services provider for banks, insurance companies, government and private companies (critical infrastructure etc.)

Page 4: DSS and Security Intelligence @IBM_Connect_2014_April

Role of DSS in Cyber-security Development in Baltics

Cyber-Security Awareness Raising

Technology and knowledge transfer

Most Innovative Portfolio

Trusted Advisor to its Customers

Page 5: DSS and Security Intelligence @IBM_Connect_2014_April

Cybersecurity Awareness Raising

Own organized conference "DSS ITSEC": 5th annual event this year (30.10.2014)

More than 400 visitors plus more than 250 online live-streaming viewers from LV, EE, LT

4 parallel sessions with more than 40 international speakers, including Microsoft, Oracle, Symantec, IBM, Samsung and many more; everything free of charge (EVENT.DSS.LV)

Participation in other events & sponsorship: CERT & ISACA conferences & events; RIGA COMM, HeadLight, IBM Pulse Las Vegas; roadshows and events in Latvia / Lithuania / Estonia (e.g. Vilnius Innovation Forum, Devcon, ITSEC HeadLight, SFK, business associations)

Participation in cyber security discussions, strategy preparation, seminars, publications etc.

Page 6: DSS and Security Intelligence @IBM_Connect_2014_April

Innovations – technology & knowledge transfer

Innovative Technology Transfer: a number of unique projects done with different global technology-leader vendors

Knowledge transfer (own employees; customers from both the private and the public sector; other IT companies in LV, EE, LT)

Specialization areas include: Endpoint Security, Network Security, Security Management, Application Security, Mobile Security, Data Security, Cyber-security, Security Intelligence

Page 7: DSS and Security Intelligence @IBM_Connect_2014_April

Some just basic ideas

Page 8: DSS and Security Intelligence @IBM_Connect_2014_April
Page 9: DSS and Security Intelligence @IBM_Connect_2014_April
Page 10: DSS and Security Intelligence @IBM_Connect_2014_April
Page 11: DSS and Security Intelligence @IBM_Connect_2014_April

AGENDA (hopefully 60mins..)

Introduction of DSS and speaker

Prologue – Digital world & trends

The Saga begins – Cybercrime: introduction & types, the business behind it, examples

Value of Information Security for business: risk management, technology

IBM SIEM, Risk Manager, Forensics: what it is and what for, architecture, use cases

Q&A (if time allows)

Page 12: DSS and Security Intelligence @IBM_Connect_2014_April

Prologue

Page 13: DSS and Security Intelligence @IBM_Connect_2014_April

Prologue: Some new technologies

3D Printers; Google Glasses ("glassh**es"); Cloud Computing; Big Data & Supercomputers; Mobile Payment & Virtual Money; Robotics and Intraday Deliveries; Internet of Things; Augmented Reality; Extreme development of Apps; Digital prototyping; Gadgets (devices) & Mobility; Jobs replaced by technology (automation)

Geo-location power; Biometrics; Health bands and mHealth; Electric cars; Avegant Glyph and much, much more

Page 14: DSS and Security Intelligence @IBM_Connect_2014_April
Page 15: DSS and Security Intelligence @IBM_Connect_2014_April

Prologue: Mobility & Gadgets

Multi-OS

Page 16: DSS and Security Intelligence @IBM_Connect_2014_April

Millions of mobile applications

Page 17: DSS and Security Intelligence @IBM_Connect_2014_April

Digital Agenda for European Union

Page 18: DSS and Security Intelligence @IBM_Connect_2014_April

True or fake? In fact this isn’t funny...

Page 19: DSS and Security Intelligence @IBM_Connect_2014_April

Best «success story» describing hackers..

Page 20: DSS and Security Intelligence @IBM_Connect_2014_April

No changes in that perspective

Page 21: DSS and Security Intelligence @IBM_Connect_2014_April

Disaster in software world - NSA

Page 22: DSS and Security Intelligence @IBM_Connect_2014_April

Disaster in technology world - NSA

Governments write malware and exploits (the USA started, others follow..)

Cyber espionage; sabotage; cyber wars; infecting own citizens; surveillance

Known NSA "partners": Microsoft (incl. Skype), Apple, Adobe, Facebook, Google, many, many others

The Internet is changing!!! The USA thinks that the Internet is its creation and that foreign users should regard the USA as their master…

Page 23: DSS and Security Intelligence @IBM_Connect_2014_April

Many countries are in the game now…

Page 24: DSS and Security Intelligence @IBM_Connect_2014_April

Many countries are in the game now…

Page 25: DSS and Security Intelligence @IBM_Connect_2014_April

Many countries are in the game now…

Page 26: DSS and Security Intelligence @IBM_Connect_2014_April

Cyberwars going on!

Page 27: DSS and Security Intelligence @IBM_Connect_2014_April

Cybercriminal type #1

"In 2014 each knowledge worker will have on average 3.3 mobile devices, compared with an average of 2.8 mobile devices in 2013." 1

Page 28: DSS and Security Intelligence @IBM_Connect_2014_April

Cybercriminal type #2 – Monetary driven

Page 29: DSS and Security Intelligence @IBM_Connect_2014_April

Types of cybercriminals (cont.)

Page 30: DSS and Security Intelligence @IBM_Connect_2014_April

Black market figures

Page 31: DSS and Security Intelligence @IBM_Connect_2014_April

Hacking business services...

Current prices on the Russian underground market:

Hacking corporate mailbox: $500
Winlocker ransomware: $10-$20
Unintelligent exploit bundle: $25
Intelligent exploit bundle: $10-$3,000
Basic crypter (for inserting rogue code into a benign file): $10-$30
SOCKS bot (to get around firewalls): $100
Hiring a DDoS attack: $30-$70 / day, $1,200 / month
Botnet: $200 for 2,000 bots
DDoS botnet: $700
ZeuS source code: $200-$250
Windows rootkit (for installing malicious drivers): $292
Hacking Facebook or Twitter account: $130
Hacking Gmail account: $162
Email spam: $10 per one million emails
Email scam (using customer database): $50-$500 per one million emails

Page 32: DSS and Security Intelligence @IBM_Connect_2014_April

Examples: Advanced Persistent Threat

Page 33: DSS and Security Intelligence @IBM_Connect_2014_April

Mobility & Security...

Page 34: DSS and Security Intelligence @IBM_Connect_2014_April

The Saga Continues: Cybercriminals #2

Page 35: DSS and Security Intelligence @IBM_Connect_2014_April

Weakest link is always the most important

Source: IBM X-Force annual report 2013

Page 36: DSS and Security Intelligence @IBM_Connect_2014_April

Some examples of incidents (DDoS)

Page 37: DSS and Security Intelligence @IBM_Connect_2014_April

Mobility & Security

"In 2014 each knowledge worker will have on average 3.3 mobile devices, compared with an average of 2.8 mobile devices in 2013." 1

Page 38: DSS and Security Intelligence @IBM_Connect_2014_April

Examples: Hackers searching tool

Page 39: DSS and Security Intelligence @IBM_Connect_2014_April

Examples: Hackers searching tool

Page 40: DSS and Security Intelligence @IBM_Connect_2014_April

Examples (continued)

Page 41: DSS and Security Intelligence @IBM_Connect_2014_April

Examples: Hacker is watching / listening

Page 42: DSS and Security Intelligence @IBM_Connect_2014_April

Cybercriminal type #3 – Insider

Page 43: DSS and Security Intelligence @IBM_Connect_2014_April

Bright future of the internet way ahead..

Chart: attacker type and motive across the 1st decade of the commercial Internet (1995 – 2005) and the 2nd decade (2005 – 2015)

Attacker types (escalating over time): script-kiddies or hackers; insiders; organized crime; competitors, hacktivists; national security infrastructure attack

Motives: curiosity; revenge; monetary gain; espionage, political activism

Page 44: DSS and Security Intelligence @IBM_Connect_2014_April

Global statistics

Page 45: DSS and Security Intelligence @IBM_Connect_2014_April

Conclusion: The Saga will continue anyway

For many companies security is like salt, people just sprinkle it on top.

Page 46: DSS and Security Intelligence @IBM_Connect_2014_April

Think security first & Where are You here?

Organizations Need an Intelligent View of Their Security Posture

Maturity chart (axes: reactive to proactive, manual to automated): Basic, Proficient, Optimized, with Security Intelligence at the top

Basic: organizations employ perimeter protection, which regulates access and feeds manual reporting

Proficient: security is layered into the IT fabric and business operations

Optimized: organizations use predictive and automated security analytics to drive toward security intelligence

Page 47: DSS and Security Intelligence @IBM_Connect_2014_April

“DSS” is here for You! Just ask for…

Si vis pacem, para bellum. (Lat.: if you want peace, prepare for war.)

Page 48: DSS and Security Intelligence @IBM_Connect_2014_April

IBM Security Intelligence

Suspected Incidents to Prioritized Incidents

Embedded intelligence offers automated offense identification

Extensive Data Sources: servers and mainframes; data activity; network and virtual activity; application activity; configuration information; security devices; users and identities; vulnerabilities and threats; global threat intelligence

Automated Offense Identification

Embedded Intelligence:

• Massive data reduction

• Automated data collection, asset discovery and profiling

• Automated, real-time, and integrated analytics

• Activity baselining and anomaly detection

• Out-of-the-box rules and templates

Page 49: DSS and Security Intelligence @IBM_Connect_2014_April

Security Intelligence = SIEM+RM+…+….

IBM QRadar Security Intelligence Platform

Big data consolidation of all available security information: logs, events, flows, configurations, vulnerabilities, packets

Traditional SIEM: 6 products from 6 vendors are needed

IBM Security Intelligence and Analytics

Page 50: DSS and Security Intelligence @IBM_Connect_2014_April

Single web-based console provides superior visibility

Log Management

Security Intelligence

Network Activity Monitoring

Risk Management

Vulnerability Management

Network Forensics

Security Intelligence = SIEM+RM+…+….

Page 51: DSS and Security Intelligence @IBM_Connect_2014_April

QRadar Forensics – new one

Log Management

• Turn-key log management and reporting

• SME to Enterprise

• Upgradeable to enterprise SIEM

SIEM

• Log, flow, vulnerability & identity correlation

• Sophisticated asset profiling

• Offense management and workflow

Network Activity & Anomaly Detection

• Network analytics

• Behavioral anomaly detection

• Fully integrated in SIEM

Configuration & Vulnerability Management

• Network security configuration monitoring

• Vulnerability scanning & prioritization

• Predictive threat modeling & simulation

Network and Application Visibility

• Layer 7 application monitoring

• Content capture for deep insight & forensics

• Physical and virtual environments

Scale

• Event Processors

• Network Activity Processors

• High Availability & Disaster Recovery

• Stackable Expansion

Page 52: DSS and Security Intelligence @IBM_Connect_2014_April

QRadar All In One

Page 53: DSS and Security Intelligence @IBM_Connect_2014_April

QRadar Distributed Deployment

Page 54: DSS and Security Intelligence @IBM_Connect_2014_April

SIEM installation – plug&play

Higher capacity / performance support

Basic installation in one week, immediate ROI

Continuous development of features and integration

Biggest IT Security solutions portfolio in today's Security market

Page 55: DSS and Security Intelligence @IBM_Connect_2014_April

IBM leadership – taking it back

Competitor product map as shown on the slide: CA (DataMinder); Novell (Sentinel); Nitro; Fortify, WebInspect; ArcSight; TippingPoint; RSA Access Mgr.; ProtectTools; RSA Live Intelligence System; Team: RSA FirstWatch; OAM, Novell AM, CA SiteMinder; Norton AV, IPS; Symantec Client/Svr. Mgmt. Suite; Symantec DLP Data Theft Protection; DLP; FW, NBA, IPS; Access Rights Reviews; SecureSphere Web App FW; SecureSphere App Virt. Patching FW, IPS; DLP; Endpoint Disk Encryption; FW, IPS, AV, Mobile security; FIM

Page 56: DSS and Security Intelligence @IBM_Connect_2014_April

SIEM Use Cases WordCloud

Page 57: DSS and Security Intelligence @IBM_Connect_2014_April

SIEM Use Cases Definition

Requirements

Scope

Event Sources

Response

Page 58: DSS and Security Intelligence @IBM_Connect_2014_April

Your Use Case

Build YOUR own use case!

React faster

Improve Efficiency

Automate Compliance

Page 59: DSS and Security Intelligence @IBM_Connect_2014_April

Use Cases

Vulnerability Correlation; Suspicious Access Correlation; Flow and Event Combo Correlation; Botnet Application Identity; VMware Flow Analysis; Unidirectional Flows Detection; Vulnerability Reporting; Data Loss Prevention; Double Correlation; Policy and Insider Threat Intelligence (Social Media Use Case)

Page 60: DSS and Security Intelligence @IBM_Connect_2014_April

Use Cases

Detecting Threats or Suspicious Changes in Behaviour; Preventative Alerting and Monitoring; Compliance Monitoring; Client-side vulnerability correlation; Excessive Failed Logins to Compliance Servers; Remote Access from Foreign Country Logons; Communication with Known Hostile Networks; Long Durations; Multi-Vector Attack; Device stopped sending Data (Out of Compliance)

Page 61: DSS and Security Intelligence @IBM_Connect_2014_April

Social Media Intelligence

Problem: social media is an increasing threat to an organization's policies and network; company employees are the ones most likely to fall victim to social-engineering based threats and to serve as entry points for Advanced Persistent Threats.

Solution: social media monitoring & correlation in real time:

QRadar's real-time monitoring and correlation of hundreds of social media sites, such as Twitter, Facebook, Gmail, LinkedIn, etc., offers automated application-aware insight and identifies social media-based threats by user and application.

Page 62: DSS and Security Intelligence @IBM_Connect_2014_April

Social Media Intelligence

With QRadar, you can identify the source, the destination and the actual corporate credit card number that was leaked.

With QRadar, you can identify the user responsible for the data leak.

Page 63: DSS and Security Intelligence @IBM_Connect_2014_April

Data Loss Prevention

Customer Requirement:

Customer wants to detect when an employee may be stealing customer contact info in preparation for leaving the company

Solution: baseline employee access to the CRM and detect deviations from the norm, e.g. 1,000 transactions (access to customer records) vs. the normal 50 per day

BUT… what if the user is tech savvy or has a geek nephew, and makes a single SQL query to the back-end database? Profile network traffic between workstations and the back-end database, or policy shouldn't allow direct access to the database from workstations at all
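Both halves of the use case above, as an added example written for this page (it is not QRadar rule syntax or DSS code): the first check baselines each user's daily CRM record accesses and flags a day far above that user's own norm; the second flags flows from workstation subnets straight to the database port, which the application-level baseline cannot see. The CRM log rows, flow records, subnets and the 10.30.0.5 database address are all constructed assumptions.

```python
"""Added example: two complementary DLP checks for the CRM bulk-export case.
Sample data, addresses and thresholds are constructed for illustration."""
from collections import defaultdict
from datetime import date
from ipaddress import ip_address, ip_network
from statistics import mean

# Constructed CRM application log, aggregated per user and day:
# (user, day, number of customer records accessed that day).
CRM_DAILY_ACCESS = [
    ("alice", date(2014, 4, 1), 48), ("alice", date(2014, 4, 2), 52),
    ("alice", date(2014, 4, 3), 50), ("alice", date(2014, 4, 4), 1000),
    ("bob", date(2014, 4, 1), 20), ("bob", date(2014, 4, 2), 25),
    ("bob", date(2014, 4, 3), 22), ("bob", date(2014, 4, 4), 30),
]


def crm_bulk_access_offenses(rows, baseline_days=3, factor=5.0):
    """Check 1: per-user baseline. Returns (user, day, count, baseline) for each
    day on which a user's record accesses exceed `factor` times the mean of
    that user's previous `baseline_days` days."""
    per_user = defaultdict(list)
    for user, day, count in sorted(rows):
        per_user[user].append((day, count))
    offenses = []
    for user, series in per_user.items():
        for i in range(baseline_days, len(series)):
            baseline = mean(count for _, count in series[i - baseline_days:i])
            day, count = series[i]
            if count > factor * baseline:
                offenses.append((user, day.isoformat(), count, baseline))
    return offenses


# Assumed network layout: user VLANs, the CRM application tier, the database.
WORKSTATION_NETS = [ip_network("10.10.0.0/16")]
CRM_DB = ip_address("10.30.0.5")
DB_PORTS = {1521, 1433, 3306}

# Constructed flow records: (src_ip, dst_ip, dst_port, bytes from src to dst).
FLOWS = [
    ("10.20.0.7", "10.30.0.5", 1521, 8_000_000),    # app server -> DB: expected
    ("10.10.4.23", "10.30.0.5", 1521, 52_000_000),  # workstation -> DB: suspect
    ("10.10.4.23", "10.20.0.7", 443, 120_000),      # workstation -> app: normal
]


def direct_db_access_offenses(flows):
    """Check 2: any workstation talking directly to the database port is a
    policy violation regardless of volume; the byte count is kept so the
    analyst can see how much left."""
    out = []
    for src, dst, port, nbytes in flows:
        s = ip_address(src)
        if ip_address(dst) == CRM_DB and port in DB_PORTS \
                and any(s in net for net in WORKSTATION_NETS):
            out.append((src, dst, port, nbytes))
    return out


if __name__ == "__main__":
    for o in crm_bulk_access_offenses(CRM_DAILY_ACCESS):
        print("bulk CRM access:", o)
    for o in direct_db_access_offenses(FLOWS):
        print("direct DB access from workstation:", o)
```

The baseline is computed per user rather than globally, so a power user with a naturally high rate does not drown out a clerk who suddenly pulls twenty times their norm; the flow check deliberately ignores volume, because the "single SQL query" case is exactly the one where volume looks normal.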

Page 64: DSS and Security Intelligence @IBM_Connect_2014_April

Data Loss Prevention

Potential Data Loss? Who? What? Where?

Who? An internal user

What? Oracle data

Where? Gmail

Page 65: DSS and Security Intelligence @IBM_Connect_2014_April

Inadvertent Wrongdoing

A/V Server

Trying to update the entire internet

Issue bubbled to the top of the offense manager immediately post-installation

Problem had existed for months, but was lost in firewall logs.

A/V clients were badly out of date.

Page 66: DSS and Security Intelligence @IBM_Connect_2014_April

System Misconfiguration

QRadar reports remote sources scanning internal SQL servers. The firewall admin insists QRadar is incorrect: absolutely no inbound SQL traffic is permitted. But… months earlier a user had requested access to the SQL server from outside the campus, and the administrator fat-fingered the FW rule and unintentionally allowed SQL access to & from all hosts.
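A configuration check that would have caught the fat-fingered rule before the SIEM did, as an added example written for this page (not QRadar's configuration monitoring and not the customer's firewall). The rule-set format, the 10.0.0.0/8 campus range and the addresses are constructed; the intended rule and the broken one are shown side by side.

```python
"""Added example: flag firewall allow rules that expose SQL ports to more than
a single source or destination. Rule format and addresses are constructed."""
from ipaddress import ip_network

SQL_PORTS = {1433, 1434, 1521, 3306}
INTERNAL = ip_network("10.0.0.0/8")   # assumed campus address space

# Constructed rule sets: (name, action, src_cidr, dst_cidr, dst_port).
# What the admin meant: one contractor host may reach one SQL server.
INTENDED = [
    ("sql-from-contractor", "allow", "203.0.113.25/32", "10.30.0.5/32", 1433),
    ("default-deny", "deny", "0.0.0.0/0", "0.0.0.0/0", None),
]
# What was actually committed: any host to any host on 1433.
FAT_FINGERED = [
    ("sql-from-contractor", "allow", "0.0.0.0/0", "0.0.0.0/0", 1433),
    ("default-deny", "deny", "0.0.0.0/0", "0.0.0.0/0", None),
]


def overly_broad_sql_rules(rules):
    """Return (rule_name, reasons) for allow rules on a SQL port whose source
    is a multi-address range outside the campus or whose destination is more
    than one server. Internal ranges (e.g. an app tier) as source are accepted."""
    findings = []
    for name, action, src, dst, port in rules:
        if action != "allow" or port not in SQL_PORTS:
            continue
        s, d = ip_network(src), ip_network(dst)
        reasons = []
        if s.num_addresses > 1 and not s.subnet_of(INTERNAL):
            reasons.append("external source is not a single host")
        if d.num_addresses > 1:
            reasons.append("destination is not a single server")
        if reasons:
            findings.append((name, tuple(reasons)))
    return findings


if __name__ == "__main__":
    print("intended:", overly_broad_sql_rules(INTENDED))
    print("fat-fingered:", overly_broad_sql_rules(FAT_FINGERED))
```

Run against every rule-set change (or on a schedule), this is the "Network security configuration monitoring" item from the QRadar Configuration & Vulnerability Management slide reduced to one concrete rule; the point of the story is that the admin's belief and the deployed rule diverged for months, and only something that reads the actual rules, or the actual traffic, can notice that.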

Page 67: DSS and Security Intelligence @IBM_Connect_2014_April

Teleportation

Customer Requirement: customer wanted to detect users that logged in from IP addresses in different locations simultaneously.

Solution: create a rule to test for 2 or more logins from VPN or AD from different countries within 15 minutes. Can be extended to check for a local login within the corporate network and a simultaneous remote login.

Page 68: DSS and Security Intelligence @IBM_Connect_2014_April

Purell for your VPN

Customer Requirement:

Customer wanted to detect when external systems over the VPN access sensitive servers

Customer was concerned that an external system could be infected / exploited through split tunneling and infect sensitive internal servers

Solution: use the latest VA scan of user systems; create a BB (building block) of OSVDB IDs of concern; detect when external systems with those vulnerabilities access sensitive servers
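The three-step solution above as an added example written for this page (not QRadar's building-block syntax): the latest scan export is joined against a set of vulnerability IDs of concern, and flows from a vulnerable VPN client to a sensitive server become offenses. The VPN pool, server addresses, scan rows and the placeholder IDs are constructed; no real OSVDB entries are referenced.

```python
"""Added example: correlate VA scan findings with flows from VPN clients to
sensitive servers. All hosts, IDs and scan rows are constructed."""
from ipaddress import ip_address, ip_network

VPN_POOL = ip_network("172.16.0.0/22")           # assumed VPN client address pool
SENSITIVE_SERVERS = {"10.30.0.5", "10.30.0.6"}   # assumed sensitive hosts

# Building block of vulnerability IDs the customer cares about. Placeholder
# strings, not real OSVDB identifiers.
OSVDB_OF_CONCERN = {"OSVDB-EXAMPLE-A", "OSVDB-EXAMPLE-B"}

# Constructed export of the latest VA scan: (host_ip, vulnerability_id).
VA_SCAN = [
    ("172.16.0.10", "OSVDB-EXAMPLE-A"),   # client with a vulnerability of concern
    ("172.16.0.10", "OSVDB-EXAMPLE-Z"),   # noise: not in the building block
    ("172.16.0.11", "OSVDB-EXAMPLE-Z"),   # client with only irrelevant findings
]

# Constructed flow records: (src_ip, dst_ip, dst_port).
FLOWS = [
    ("172.16.0.10", "10.30.0.5", 445),   # vulnerable VPN client -> sensitive
    ("172.16.0.11", "10.30.0.5", 445),   # clean VPN client -> sensitive
    ("172.16.0.10", "10.40.0.9", 80),    # vulnerable client -> non-sensitive
    ("10.20.0.7", "10.30.0.6", 1521),    # internal app tier, not VPN
]


def vulnerable_hosts(scan, concern):
    """Hosts with at least one finding in the building block."""
    return {host for host, vuln_id in scan if vuln_id in concern}


def vulnerable_vpn_access_offenses(flows, scan, concern=OSVDB_OF_CONCERN):
    """Offenses: flow source is in the VPN pool, is on the vulnerable list,
    and the destination is a sensitive server."""
    vuln = vulnerable_hosts(scan, concern)
    return [
        (src, dst, port) for src, dst, port in flows
        if ip_address(src) in VPN_POOL and src in vuln and dst in SENSITIVE_SERVERS
    ]


if __name__ == "__main__":
    for o in vulnerable_vpn_access_offenses(FLOWS, VA_SCAN):
        print("vulnerable VPN client reached sensitive server:", o)
```

The join is keyed on the address the client had at scan time; VPN pools hand out addresses dynamically, so in practice the scan record should be keyed on the asset (hostname or MAC) and resolved to the current address at correlation time, otherwise yesterday's vulnerable laptop is blamed on today's unrelated user.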

Page 69: DSS and Security Intelligence @IBM_Connect_2014_April

Uninvited Guests

Customer Requirement:

Wants to identify new systems attached to the network. There are active wall jacks throughout the building

Solution: set asset database retention to just beyond the DHCP lease time (1-2 days); when a user is out of office / on vacation the asset expires, a new machine attaches, and the rule alerts

Flows for real-time detection: no other SIEM can do this

Can alert on VA import

In 7.0, can build up a MAC list in reference sets (~2 weeks), then alert when a new MAC appears on the network
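The two approaches on this slide side by side, as an added example written for this page (not QRadar's asset database or reference-set code): the short-retention asset database alerts on every MAC not seen within the retention period, which also fires for a returning vacationer, while the reference set learned over a two-week window alerts only on MACs never seen before. The DHCP lease records, MAC addresses and dates are constructed.

```python
"""Added example: detect new machines on the LAN from DHCP lease records,
comparing the asset-expiry approach with a learned MAC reference set.
Lease records are constructed."""
from datetime import datetime, timedelta

# Constructed DHCP lease log: (timestamp, mac, assigned_ip).
LEASES = [
    ("2014-04-01 08:00:00", "00:11:22:33:44:01", "10.10.4.10"),
    ("2014-04-02 08:00:00", "00:11:22:33:44:02", "10.10.4.11"),
    ("2014-04-10 08:00:00", "00:11:22:33:44:01", "10.10.4.10"),  # back from a week off
    ("2014-04-16 09:15:00", "00:11:22:33:44:03", "10.10.4.12"),  # genuinely new machine
    ("2014-04-16 09:20:00", "00:11:22:33:44:01", "10.10.4.10"),
]


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


def asset_expiry_alerts(leases, retention=timedelta(days=2)):
    """Approach 1: asset DB with retention just beyond the lease time. Any MAC
    not seen within `retention` looks new, so vacations cause alerts too."""
    last_seen, alerts = {}, []
    for ts, mac, ip in sorted(leases, key=lambda r: _ts(r[0])):
        t = _ts(ts)
        prev = last_seen.get(mac)
        if prev is None or t - prev > retention:
            alerts.append((ts, mac, ip))
        last_seen[mac] = t
    return alerts


def build_known_macs(leases, start, learning=timedelta(days=14)):
    """Approach 2, step one: learn the reference set during a quiet window."""
    return {mac for ts, mac, _ in leases if start <= _ts(ts) < start + learning}


def new_mac_alerts(leases, known, after):
    """Approach 2, step two: after the learning window, alert once per MAC
    that is not in the reference set, then add it so it alerts only once."""
    seen, alerts = set(known), []
    for ts, mac, ip in sorted(leases, key=lambda r: _ts(r[0])):
        if _ts(ts) < after:
            continue
        if mac not in seen:
            alerts.append((ts, mac, ip))
            seen.add(mac)
    return alerts


LEARN_START = datetime(2014, 4, 1)
LEARN_END = LEARN_START + timedelta(days=14)
KNOWN_MACS = build_known_macs(LEASES, LEARN_START)
EXPIRY_ALERTS = asset_expiry_alerts(LEASES)
NEW_MAC_ALERTS = new_mac_alerts(LEASES, KNOWN_MACS, LEARN_END)

if __name__ == "__main__":
    print("asset-expiry alerts:", len(EXPIRY_ALERTS), "(includes returning machines)")
    print("new-MAC alerts:", NEW_MAC_ALERTS)
```

The learned set has its own blind spot: anything plugged in during the two-week window is baked into "known", so the learning period should be reviewed against an inventory before the rule goes live, and MAC addresses are trivially spoofable, so this catches accidents and casual visitors rather than a deliberate intruder who clones a printer's MAC.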

Page 70: DSS and Security Intelligence @IBM_Connect_2014_April

Policy Violation / Resource Misuse

Customer Requirement:

Detect if there are P2P servers located in the Local Area Network

Page 71: DSS and Security Intelligence @IBM_Connect_2014_April

Communication to known Bot C&C

Customer Requirement:

Detect if any internal system is communicating with a known Bot Command and Control

Page 72: DSS and Security Intelligence @IBM_Connect_2014_April

Forensic of Administrative Change

Customer Requirement: new user account creation with administrative privileges; system registry change; application installed/uninstalled; password reset; service started/stopped

Page 73: DSS and Security Intelligence @IBM_Connect_2014_April

Vulnerability Overview

Customer Requirement:

Generate weekly report for Vulnerabilities

Page 74: DSS and Security Intelligence @IBM_Connect_2014_April

Use Cases Summary

Identify the goal for each event correlation rule (and use case).

Determine the conditions for the alert.

Select the relevant data sources.

Test the rule.

Determine response strategies, and document them.

Page 75: DSS and Security Intelligence @IBM_Connect_2014_April

QRadar latest updates: increased scalability, best HW in market; enhanced asset and vulnerability functionality; centralized license management; multicultural support (languages); improved bar and pie charts on the Dashboard tab; data obfuscation; Identity and Access Management (IAM) integration; browser support; Java 7 support; 2500+ reports; new "QRadar 2100 Light" appliance for SMBs; new QRadar Forensics appliance; new Data Node appliances

Page 76: DSS and Security Intelligence @IBM_Connect_2014_April

Think security first

[email protected] +371 29162784

Page 77: DSS and Security Intelligence @IBM_Connect_2014_April

Think security first