DSS ITSEC Conference 2012 - SIEM Q1 Labs IBM Security Systems Intelligence


Post on 19-Oct-2014

Page 1: DSS ITSEC Conference 2012 - SIEM Q1 Labs IBM Security Systems Intelligence

© 2012 IBM Corporation

IBM Security Systems

1

Security strategies to stay out of the headlines

Q1 Labs, an IBM Company

Andris Soroka, Data Security Solutions

Q1 Labs 1st Certified Partner in Baltics

Page 2

Who we are – specialization in security:

• Innovative & selected software / hardware & hybrid solutions from leading technology vendors from over 10 different countries
• IT Security consulting (vulnerability assessment tests, security audit, new systems integration, HR training, technical support)
• First in the Baltics to integrate several innovative IT Security solutions that no one had done before
• First Certified Q1 Labs Partner in the Baltic States and now an IBM Business Partner continuing to work with the IBM Security Portfolio

Page 3

According to the 2011 Verizon Data Breach Report, 86 percent of breached organizations failed to detect that their networks were hacked.

Page 4

Headlines change, cybercrime increases

Chart: adversaries and motives over the two decades of the commercial Internet (1995 – 2005: 1st Decade of the Commercial Internet; 2005 – 2015: 2nd Decade of the Commercial Internet)

Motive: National Security; Monetary Gain; Espionage, Political Activism; Revenge; Curiosity

Adversary: Script-kiddies or hackers using tools, web-based “how-to’s”; Insiders, using inside information; Organized Crime, using sophisticated tools; Competitors, Hacktivists; Nation-state Actors; Targeted Attacks / Advanced Persistent Threat

Page 5

What happens in the IT security world? A maze..

Around 1500 IT Security vendors for:

• Endpoint Security: platforms and point solutions
• Data Security: DLP suites and point solutions
• Network Security: gateway solutions; NAC, visibility, NBA
• Authentication, authorization etc.: traditional and next generation’s identity protection
• Virtualization and cloud security
• IT Security governance: operational management & security
• Mobile Security

Page 6

What do we propose?

Security Intelligence provides actionable and comprehensive insight for managing risks and threats from protection and detection through remediation.

Security Intelligence --noun
1. the real-time collection, normalization, and analytics of the data generated by users, applications and infrastructure that impacts the IT security and risk posture of an enterprise

Page 7

What logs –
• Audit logs
• Transaction logs
• Intrusion logs
• Connection logs
• System performance records
• User activity logs
• Alerts and other messages from different systems

From where –
• Firewalls / Intrusion prevention
• Routers / Switches
• Intrusion detection
• Servers, desktops, mainframes
• Business applications
• Databases
• Antivirus software
• VPN’s

Diagram (labels only): Network, Servers, Databases, Homegrown Applications; Log Silo; LOGS; Identity Management, IT & Network Operations, Operational Security, Governance & Compliance; Log Tool; Log Jam

You cannot control what you cannot see!

Page 8

Page 9

Page 10

Fully Integrated Security Intelligence

Log Management
• Turnkey log management
• SME to Enterprise
• Upgradeable to enterprise SIEM

SIEM
• Integrated log, threat, risk & compliance mgmt.
• Sophisticated event analytics
• Asset profiling and flow analytics
• Offense management and workflow

Risk Management
• Predictive threat modeling & simulation
• Scalable configuration monitoring and audit
• Advanced threat visualization and impact analysis

Network Activity & Anomaly Detection
• Network analytics
• Behavior and anomaly detection
• Fully integrated with SIEM

Network and Application Visibility
• Layer 7 application monitoring
• Content capture
• Physical and virtual environments

One Console Security, Built on a Single Data Architecture

Page 11

Page 12

Q1 Labs – The Security Intelligence Leader

Who is Q1 Labs:
• Innovative Security Intelligence software company
• One of the largest and most successful SIEM vendors
• Leader in Gartner Magic Quadrant (2009-2012)

Award-winning solutions:
• Family of next-generation Log Management, SIEM, Risk Management, Security Intelligence solutions

Proven and growing rapidly:
• Thousands of customers worldwide
• Five-year average annual revenue growth of 70%+

Now part of IBM Security Systems:
• Unmatched security expertise and breadth of integrated capabilities

Page 13

Security Intelligence Use Cases

Page 14

What was the attack? Who was responsible? How many targets were involved? Was it successful? Where do I find them? Are any of them vulnerable? How valuable are they to the business? Where is all the evidence?

Clear & concise delivery of the most relevant information …

Page 15

Total Security Intelligence: How do we address the challenges?
• Reduce Big Data
• Detect Advanced Persistent Threats
• Predict attacks
• Manage risk

Page 16

Big Data: Reduce your data silo down

Page 17

Reducing Data Silos: How it looks in QRadar

• QRadar automatically pulls all related events and flows into a single security incident
• Highlights the magnitude / importance
• Reduction into a manageable daily number
• Single incident derived from ~20k events and 355 flows

Page 18

Total Security Intelligence: How do we address the challenges?

Page 19

Anatomy of an APT: Communications Company

Timeline markers: Day 0, Day 8, 6 Months
• Attackers create Trojan
• 3rd Party Software Update Server compromised
• Trojan “auto-updated” to Corporate network
• 60+ Corporate computers infected w/ backdoor agent
• Port 8080 used for C&C activities
• 35M records stolen

Page 20

Activity / Behaviour Monitoring, Flow Analytics, Anomaly Detection

• Behaviour / activity baselining of users and processes
• Helps detect day-zero attacks and covert channels that have no signature or AV / IPS detection
• Provides definitive evidence of attack
• Enables visibility into attacker communications
• Network traffic does not lie: attackers can stop logging and erase their tracks, but can’t cut off the network (flow data)

Page 21

Activity and data access monitoring

• Visualize Data Risks: automated charting and reporting on potential database breaches
• Correlate Database and Other Network Activity: enrich database security alerts with anomaly detection and flow analysis
• Better Detect Serious Breaches: 360-degree visibility helps distinguish true breaches from benign activity, in real-time

Page 22

Anomaly Detection & APTs

User & Application Activity Monitoring alerts to a user anomaly for Oracle database access. Identify the user, normal access behavior and the anomaly behavior with all source and destination information for quickly resolving the persistent threat.

Page 23

Stealthy malware detection

• Potential Botnet Detected? This is as far as traditional SIEM can go
• IRC on port 80? QFlow detects a covert channel, using Layer 7 flows and deep packet inspection
• Irrefutable Botnet Communication: Layer 7 flow data shows botnet command and control instructions

Page 24

Total Security Intelligence: How do we address the challenges?

Page 25

The Security Intelligence Timeline: Proactive vs Headlines

Page 26

Predicting an Attack: How it looks in QRadar

• Multiple IPs attack an IP
• Drilling into one superflow record shows all IP records contributing to the attack
• All pulled together in one offence, which is detected and raised immediately to the security team
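The two flow-analytics detections the deck illustrates, classifying a port-80 flow by its content rather than its port (the "IRC on port 80" covert channel on page 23) and collapsing many source IPs hitting one target into a single offence (this page), as an added Python example that is not part of the presentation or of QRadar. The flow records, the HTTP/IRC content signatures and the three-source threshold are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample flow records (not from the deck): source, destination,
# destination port and the first payload bytes, as a Layer 7 flow collector
# would expose them. Two hosts talk IRC on port 80; three hosts hit one SSH port.
SAMPLE_FLOWS = [
    {"src": "10.0.0.5", "dst": "203.0.113.9", "dport": 80,
     "payload": b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n"},
    {"src": "10.0.0.7", "dst": "198.51.100.4", "dport": 80,
     "payload": b"NICK bot7\r\nUSER bot7 0 * :bot\r\nJOIN #cc\r\n"},
    {"src": "10.0.0.8", "dst": "198.51.100.4", "dport": 80,
     "payload": b"NICK bot8\r\nUSER bot8 0 * :bot\r\nJOIN #cc\r\n"},
    {"src": "192.0.2.1", "dst": "10.0.0.20", "dport": 22, "payload": b"SSH-2.0-a\r\n"},
    {"src": "192.0.2.2", "dst": "10.0.0.20", "dport": 22, "payload": b"SSH-2.0-b\r\n"},
    {"src": "192.0.2.3", "dst": "10.0.0.20", "dport": 22, "payload": b"SSH-2.0-c\r\n"},
]

# Minimal content signatures (assumed): an HTTP request line vs. IRC registration
# commands. A port-only rule would label all three port-80 flows as "web".
HTTP_REQ = re.compile(rb"^(GET|POST|HEAD|PUT) \S+ HTTP/1\.[01]\r\n")
IRC_CMD = re.compile(rb"^(NICK|USER|JOIN|PRIVMSG) ", re.MULTILINE)


def classify_payload(payload):
    """Classify a flow by its content, ignoring the port it was seen on."""
    if HTTP_REQ.match(payload):
        return "http"
    if IRC_CMD.search(payload):
        return "irc"
    return "unknown"


def covert_channels(flows, web_ports=(80, 443)):
    """The 'IRC on port 80' case: web-port flows whose content is not HTTP."""
    return [f for f in flows
            if f["dport"] in web_ports and classify_payload(f["payload"]) != "http"]


def build_offences(flows, min_sources=3):
    """The 'multiple IPs attack an IP' case: one offence per target that at
    least min_sources distinct sources contacted, listing every contributor."""
    sources_by_target = defaultdict(set)
    for f in flows:
        sources_by_target[f["dst"]].add(f["src"])
    return {dst: sorted(srcs) for dst, srcs in sources_by_target.items()
            if len(srcs) >= min_sources}
```

On the sample data `covert_channels` flags only the two IRC flows, and `build_offences` yields a single offence for 10.0.0.20 listing all three contributing sources, the drill-down view the slide describes.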

Page 27

Total Security Intelligence: How do we address the challenges?

Page 28

Managing risk

CISOs know it’s not if, it’s when they get hacked; yet there is still a gap in the ability to detect a breach.

• Breaches are taking longer to discover
• Breaches are not being discovered internally

Charts from Verizon 2011 Investigative Response Caseload Review

Page 29

How it looks in QRadar

Potential Data Loss? Who? What? Where?
• Who? An internal user
• What? Oracle data
• Where? Gmail

Page 30

QRadar: The Most Intelligent, Integrated, Automated Security Intelligence Platform

• Eliminates silos

• Highly scalable

• Flexible, future-proof

• Easy deployment

• Rapid time to value

• Operational efficiency

• Proactive threat management

• Identifies most critical anomalies

• Rapid, complete impact analysis

Page 31

What to do next?

Visit our stand

Download the Gartner SIEM Critical Capabilities Report

http://q1labs.com/resource-center/analyst-reports/details.aspx?id=151

Read our blog http://blog.q1labs.com/

Follow us on Twitter: @q1labs @ibmsecurity

Page 32

ibm.com/security

© Copyright IBM Corporation 2012. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind, express or implied. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, these materials. Nothing contained in these materials is intended to, nor shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software. References in these materials to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates. Product release dates and/or capabilities referenced in these materials may change at any time at IBM’s sole discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any way. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service marks of others.

Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed or misappropriated or can result in damage to or misuse of your systems, including to attack others. No IT system or product should be considered completely secure and no single product or security measure can be completely effective in preventing improper access. IBM systems and products are designed to be part of a comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective. IBM DOES NOT WARRANT THAT SYSTEMS AND PRODUCTS ARE IMMUNE FROM THE MALICIOUS OR ILLEGAL CONDUCT OF ANY PARTY.