SECURITY OPERATIONS AND RESPONSE: ORCHESTRATE YOUR DEFENSES THROUGHOUT THE ENTIRE ATTACK LIFECYCLE. Ahmed Sharaf, 2016, Managing Director, Xband Enterprises, Inc.

Upload: xband

Post on 14-Jan-2017


TRANSCRIPT

  • SECURITY OPERATIONS AND RESPONSE: ORCHESTRATE YOUR DEFENSES THROUGHOUT THE ENTIRE ATTACK LIFECYCLE

    Ahmed Sharaf

    2016

    Managing Director, Xband Enterprises, Inc.

  • 2 IBM Security

    Today's attacks require a strategic security approach

    Yesterday's Attacks: indiscriminate malware, spam and DDoS activity

    Tactical Approach (compliance-driven, reactionary):
      Build multiple perimeters
      Protect all systems
      Use signature-based methods
      Periodically scan for known threats
      Shut down systems

    Today's Attacks: advanced, persistent, organized, politically or financially motivated

    Strategic Approach (intelligent, orchestrated, automated):
      Assume constant compromise
      Prioritize high-risk assets
      Use behavioral-based methods
      Continuously monitor activity
      Gather, preserve, retrace evidence

    It takes power and precision to stop adversaries and unknown threats

  • 3 IBM Security

    Continuously stop attacks and remediate vulnerabilities

    Upgrade your defenses with a coordinated platform to outthink threats

      Disrupt malware and exploits
      Discover and patch endpoints
      Automatically fix vulnerabilities

    RESPOND
      Respond to incidents quickly, with precision
      Hunt for indicators using deep forensics
      Orchestrate and automate incident response

      Discover unknown threats with advanced analytics
      See attacks across the enterprise
      Sense abnormal behaviors
      Automatically prioritize threats

  • 4 IBM Security

    IBM Security offers the industry's first integrated, end-to-end Security Operations and Response Platform

    SECURITY OPERATIONS AND RESPONSE platform components:
      Security Operations and Incident Response Services
      Incident Response
      Endpoint and Network Protection
      Vulnerability and Patch Management
      User Behavior Analytics
      Security Intelligence and Analytics

    CEO | CISO | HR | IT | LEGAL

    IDS | NIPS | AV | DLP | FW | DBs | Apps

    Prevent, detect, and respond to threats with an intelligent, orchestrated, automated platform

    IBM BigFix: Find, fix, and secure endpoint threats and vulnerabilities

    IBM Security Network Protection: Prevent network exploits and limit malware communications

    IBM QRadar Security Intelligence: Use advanced analytics to discover and eliminate threats

    IBM Resilient Incident Response Platform: Generate response playbooks and coordinate activity

    IBM X-Force Exchange: Automatically update incident artifacts with threat intelligence

    IBM Security Services: Deliver operations consulting to help implement processes, and response experts when something goes wrong

  • 5 IBM Security

    Monitor, protect, and respond quickly to endpoint threats (IBM BigFix)

    Find, fix, and secure endpoints

    Prevent advanced network attacks

    Use analytics to discover and eliminate threats

    Coordinate response activity

    Understand the latest threat actors

    Get help from security experts

    Find It. Discover unmanaged endpoints and get real-time visibility into all endpoints to identify vulnerabilities and non-compliant endpoints

    Secure It. Continuously monitor and enforce compliance with security, regulatory and operational policies while proactively responding to threats

    Fix It. Fix vulnerabilities and apply patches across all endpoints on and off the network in minutes, regardless of endpoint type or network connectivity

  • 6 IBM Security

    Bridge the gap between IT operations and security (IBM BigFix)

    ENDPOINT SECURITY and ENDPOINT MANAGEMENT capabilities:
      Discovery and Patching
      Lifecycle Management
      Software Compliance and Usage
      Continuous Monitoring
      Threat Protection
      Incident Response

    Shared visibility and control between IT operations and security: IBM BigFix

    Reduce operational costs while improving your endpoint security posture


  • 7 IBM Security

    Protect against the latest attacks (IBM Security Network Protection)

    VISIBILITY: Gain insight into network traffic patterns to detect anomalies

    PROTECTION: Disrupt known and unknown exploits and malware attacks

    CONTROL: Limit the use of risky applications to reduce your attack surface


  • 8 IBM Security

    Protect and control your network traffic (IBM Security Network Protection)

    Identity and Application Awareness: Associates users and groups with their network activity, application usage and actions

    Deep Packet Inspection: Classifies network traffic, regardless of port or protocol

    SSL Visibility: Identifies encrypted threats, without a separate appliance

    400+ protocols and file formats analyzed

    2,000+ applications and actions identified

    25+ billion URLs classified in 70 categories

    Figure: inbound and outbound traffic from Application A, Application B and Employees A, B and C, classified as prohibited application, attack traffic, botnet traffic, good application or clean traffic


  • 9 IBM Security

    Stop threats and limit risk with the leading analytics platform for actionable security intelligence (IBM QRadar)

      Threat Protection
      Incident Forensics
      Compliance Reporting
      User Behavior Analytics
      Vulnerability Management
      Cloud Visibility


  • 10 IBM Security

    Understand deep security context across your organization in hours, not weeks

    EXTENSIVE DATA SOURCES (IBM QRadar):
      Servers and mainframes
      Data activity
      Network and virtual activity
      Application activity
      Configuration information
      Security devices
      Users and identities
      Vulnerabilities and threats
      Global threat intelligence

    IBM QRadar Sense Analytics (Embedded Intelligence)

    Prioritized incidents


  • 11 IBM Security

    Manage vulnerabilities and analyze behavior (IBM QRadar)

    Quickly gain insights into the highest risk users

    Out-of-the-box behavioral analytics and rules

    User risk-based incidents

    Streamline user investigations

    Gain a unified view of all vulnerability information

    Dramatically improve actionable information through rich context

    Quickly find specific product vulnerabilities


  • 12 IBM Security

    Quickly get the answers you need to help detect and remediate attacks (IBM QRadar)


  • 13 IBM Security

    Enable rapid innovation through an online collaboration platform (IBM X-Force App Exchange)

    Access user and business partner innovations

    Extend QRadar functionality to new use cases

    Download validated security apps from a single platform


  • 14 IBM Security

    Streamline incident response with a single hub to align people, process, and technology (IBM Resilient Incident Response Platform)

    Align people, process, and technology

    Automate response processes and measure the ROI of security investments

    Gain centralized collaboration and intelligence

    Easily configure Incident Response plans in hours or days not weeks or months

    RESPOND FASTER. SMARTER. BETTER.


  • 15 IBM Security

    Modify your response as needs and incidents evolve (IBM Resilient Incident Response Platform)

    Security Module:
      Industry standard workflows (NIST, SANS)
      Threat intelligence feeds
      Organizational SOPs
      Community best practices

    Action Module:
      Automate processes
      Enrich incident details
      Gather forensics
      Enact mitigation

    Privacy Module:
      Global breach regulations
      Contractual obligations
      Third-party requirements
      Organizational SOPs
      Privacy best practices


  • 16 IBM Security

    Gain integrated, real-time threat intelligence (IBM X-Force Exchange)

    Crowd-sourced information sharing based on 700+ TB of threat intelligence

    https://exchange.xforce.ibmcloud.com


  • 17 IBM Security

    Transform and modernize your security operations (IBM Security Intelligence and Operations Services)

    Assess, plan and develop your security maturity and operations
      Assess and transform your security posture
      Build next generation security operations
      Deploy intelligence-driven security capabilities
      Optimize your ability to react to and contain events, while reducing impact
      Identify capability gaps, plan and deploy a robust strategy and roadmap to close them
      Gain insight to prioritize security investments

    Service lifecycle stages (figure): PLAN | DEPLOY | OPTIMIZE | BUILD | DESIGN


  • 18 IBM Security

    Plan, prepare and respond to incidents with proven expertise (IBM X-Force Incident Response Services)

    ONSITE INCIDENT RESPONSE:
      Onsite expertise within 24 hours
      Incident containment, handling and remediation
      Forensics collection and analysis

    INCIDENT RESPONSE PLANNING:
      Help clients build effective incident response plans
      Test plans and procedures with simulated exercises
      Assist with removal of known threats

    REMOTE THREAT RESPONSE:
      Continuous monitoring and rapid response to confirmed threats
      Intelligent correlation to reduce alert fatigue
      Initiate proactive incident response activities

    IBM X-Force Incident Response Services


  • 19 IBM Security

    Example: Disrupt the attack chain in real-time

    ATTACK CHAIN
      1 GATHER: Authorized system attempts to access resources
      2 BREAK-IN: Remote employee triggers drive-by download
      3 LATCH-ON: Internal system infected as part of a botnet
      4 EXPAND: Targeted internal email sent to high-profile employees
      5 EXFILTRATE: Persistent attackers quietly siphoning out data

    Platform actions along the chain:
      QRadar Incident Forensics reconstructs abnormal user and database activity from network packets
      BigFix patches the latest vulnerabilities and quarantines infected endpoints to prevent more damage
      Network Protection blocks zero-day exploit traffic and sends flows to QRadar for anomaly detection
      QRadar correlates network flows and security events from other security controls into a list of priority offenses
      Resilient Incident Response Platform allows responders to coordinate activity before damage occurs

  • 20 IBM Security

    Why IBM Security Operations and Response?

    Open Ecosystem:
      IBM Security App Exchange provides access to apps from leading security partners
      Out-of-the-box integrations for 500+ third-party security products
      Open APIs allow for custom integrations and apps

    Cognitive Analytics:
      QRadar Sense Analytics allows you to inspect events, flows, users, and more
      Speed analysis with visuals, query, and auto-discovery across the platform
      Get ready to augment your analysts with Watson for Cyber Security

    Deep Threat Intelligence:
      IBM X-Force Exchange helps you stay ahead of the latest threats and attacks
      Powered by the X-Force Research team and 700TB+ threat data
      Share data with a collaborative portal and STIX / TAXII standards

  • 21 IBM Security

    IBM has the world's broadest and deepest security portfolio

    SECURITY TRANSFORMATION SERVICES: Management consulting | Systems integration | Managed security

    SECURITY ECOSYSTEM: App Exchange

    INFORMATION RISK AND PROTECTION:
      MaaS360
      Trusteer Pinpoint
      Trusteer Mobile
      Trusteer Rapport
      Privileged Identity Manager
      Identity Governance and Access
      AppScan
      Guardium
      Cloud Security Enforcer
      Cloud Identity Service
      zSecure
      Key Manager

    SECURITY OPERATIONS AND RESPONSE:
      QRadar Vulnerability Manager
      Resilient Incident Response
      X-Force Exchange
      QRadar Incident Forensics
      Network Protection XGS
      BigFix
      QRadar SIEM
      QRadar Risk Manager

  • 22 IBM Security

    The next era of security

    PERIMETER CONTROLS

    INTELLIGENCE and INTEGRATION

    COGNITIVE, CLOUD, and COLLABORATION

  • 23 IBM Security

    IBM Security invests in best-of-breed solutions

    "IBM Security is making all the right moves..." (Forbes)

    Acquisition timeline, 2002 to 2016 (figure), capability areas added:
      Identity management
      Directory integration
      Enterprise single-sign-on
      SOA management and security
      Security services and network security
      Database monitoring and protection
      Application security
      Endpoint management and security
      Security Intelligence
      Risk management
      Data management
      Advanced fraud protection
      Secure mobile mgmt.
      CyberTap
      Cloud-enabled identity management
      Identity governance
      Incident response

    IBM Security Systems

    IBM Security Services

  • 24 IBM Security

    Industry analysts rank IBM Security

    DOMAIN | SEGMENT | MARKET SEGMENT / REPORT | ANALYST RANKINGS
    Security Operations and Response | Security Intelligence | Security Information and Event Management (SIEM) | LEADER
    Security Operations and Response | Network and Endpoint Protection | Intrusion Prevention Systems (IPS) | LEADER
    Security Operations and Response | Network and Endpoint Protection | Endpoint: Client Management Tools | LEADER
    Security Operations and Response | Network and Endpoint Protection | Endpoint Protection Platforms (EPP) | Strong Performer
    Information Risk and Protection | Identity Governance and Access Management | Federated Identity Management and Single Sign-On | LEADER
    Information Risk and Protection | Identity Governance and Access Management | Identity and Access Governance | LEADER
    Information Risk and Protection | Identity Governance and Access Management | Identity and Access Management as a Service (IDaaS) | LEADER
    Information Risk and Protection | Identity Governance and Access Management | Web Access Management (WAM) | LEADER
    Information Risk and Protection | Identity Governance and Access Management | Mobile Access Management | LEADER
    Information Risk and Protection | Identity Governance and Access Management | Identity Provisioning Management | LEADER
    Information Risk and Protection | Data Security | Data Masking | LEADER
    Information Risk and Protection | Application Security | Application Security Testing (dynamic and static) | LEADER
    Information Risk and Protection | Mobile Protection | Enterprise Mobility Management (MaaS360) | LEADER
    Information Risk and Protection | Fraud Protection | Web Fraud Detection (Trusteer) | LEADER
    Security Transformation Services | Consulting and Managed Services | Managed Security Services (MSS) | LEADER
    Security Transformation Services | Consulting and Managed Services | Information Security Consulting Services | LEADER

    V2016-06-16. Note: This is a collective view of top analyst rankings, compiled as of July, 2016

  • 25 IBM Security

    Adaptive integration with ecosystem partners

    100+ ecosystem partners, 500+ QRadar integrations

  • 26 IBM Security

    A Global Leader in Enterprise Security

    #1 in enterprise security software and services*

    7,500+ people

    12,000+ customers

    133 countries

    3,500+ security patents

    15 acquisitions since 2005

    *According to Technology Business Research, Inc. (TBR) 2016

  • Copyright IBM Corporation 2016. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind, express or implied. Any statement of direction represents IBM's current intent, is subject to change or withdrawal, and represents only goals and objectives. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service marks of others.

    Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed, misappropriated or misused or can result in damage to or misuse of your systems, including for use in attacks on others. No IT system or product should be considered completely secure and no single product, service or security measure can be completely effective in preventing improper use or access. IBM systems, products and services are designed to be part of a lawful, comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective. IBM does not warrant that any systems, products or services are immune from, or will make your enterprise immune from, the malicious or illegal conduct of any party.

    THANK YOU

    FOLLOW US ON:
      ibm.com/security
      securityintelligence.com
      xforce.ibmcloud.com
      @ibmsecurity
      youtube/user/ibmsecuritysolutions
