Avoid security threats with security intelligence. Filip Schepers, IBM
Presentation from IBM Smarter Business 2012 (slide transcript)
© 2012 IBM Corporation
Advanced Threat Protection and Security Intelligence
Filip Schepers, IBM Security Systems “SWAT”, X-Force
Agenda
• The Threat Landscape: X-Force Trend and Risk Report
• Research Driven Threat Mitigation: the Advanced Threat Protection Platform
• Security Intelligence: QRadar and the IBM Security Framework
2011: The Year of the Security Breach
The Threat Landscape
• Over 7,000 publicly disclosed vulnerabilities in 2011
• 95% of vulnerabilities in 2011 were rated as Medium or Higher (CVSS); Critical vulnerabilities tripled vs 2010
• 41% of all vulnerabilities are web application vulnerabilities
• Cross-Site Scripting & SQL injection vulnerabilities continue to dominate
• Shell Injection attacks on the rise
“We had a case in Europe where workers went on strike for 3 days after Facebook was completely blocked…so granularity is key.”
– IBM Business Partner
Example policy requirements:
• Block attachments on all outgoing emails and chats
• Allow marketing and sales teams to access social networking sites
• Advanced inspection of web application traffic destined to my web servers
• Allow, but don’t inspect, traffic to financial and medical sites
• Block known botnet servers and phishing sites
• A more strict security policy is applied to traffic from countries where I do not do business
Capabilities shown: Client-Side Protection, Network Awareness, Reputation, Web Protection, Botnet Protection, Web Category Protection, Access Control, Protocol Aware Intrusion Protection (covering Web Applications and Non-web Applications).
The Need to Understand the Who, What, and When
Figure: policy model with Who (Server, Geography, User or Group, Reputation, Network; e.g. 172.29.230.15, Bob, Alice), What (80, 443, 21, webmail, social networks), Policy, and Traffic Controls.
Customer Challenges
• Detecting threats: arm yourself with comprehensive security intelligence
• Consolidating data silos: collect, correlate and report on data in one integrated solution
• Detecting insider fraud: next-generation SIEM with identity correlation
• Better predicting risks to your business: full life cycle of compliance and risk management for network and security infrastructures
• Addressing regulation mandates: automated data collection and configuration audits
Advanced Threat Protection PlatformAbility to prevent sophisticated threats and detect abnormal network behavior by leveraging an extensible set of network security capabilities - in conjunction with real-time threat information and Security Intelligence
Expanded X-Force Threat IntelligenceIncreased coverage of world-wide threat intelligence harvested by X-Force and the consumption of this data to make smarter and more accurate security decisions across the IBM portfolio
Security Intelligence IntegrationTight integration between the Advanced Threat Protection Platform and QRadar Security Intelligence platform to provide unique and meaningful ways to detect, investigate and remediate threats
Log Manager SIEMNetwork Activity
MonitorRisk Manager
Vulnerability Data Malicious Websites Malware Information IP Reputation
Intrusion Prevention
Content and DataSecurity
Web ApplicationProtection
Network Anomaly Detection
IBM Network Security
SecurityIntelligencePlatform
Threat Intelligenceand Research
Advanced Threat ProtectionPlatform
Application Control
The Advanced Threat Protection Platform
IBM X-Force Research and Development
X-Force Mission: provide the most respected security brand to IBM, our Customers and Business Partners.
Research:
• Expand current capabilities in research to provide industry knowledge to the greater IBM
• Support content stream needs and capabilities
• Support requirements for engine enhancement
Engine Content Delivery:
• Support content streams
• Maintenance and tool development
• Continue third party testing dominance
• Execute to deliver new content streams for new engines
Industry/Customer Deliverables:
• Blog, Marketing and Industry Speaking Engagements
• X-Force Database Vulnerability Tracking
• Trend Analysis and Security Analytics
The world’s leading enterprise security R&D organization; global security operations center (infrastructure monitoring).
Unmatched Global Coverage and Security Awareness
• 20,000+ devices under contract
• 3,700+ MSS clients worldwide
• 9B+ events managed per day
• 1,000+ security patents
• 133 monitored countries (MSS)
World Wide Managed Security Services Coverage (map legend): Security Operations Centers, Security Research Centers, Security Solution Development Centers, Institute for Advanced Security Branches, IBM Research.
We Have the Technology
IBM Security Network Protection offerings are based on a modular, research-driven protocol analysis engine for vulnerability based deep packet inspection.
Protecting against exploits is reactive. Protecting against vulnerabilities and malicious behaviors is preemptive.
We Have a LOT of Data…
Figure: Online Services, Filter Database, Server.
Crawling: crawler robots search the web in parallel. They download the websites and images and place them in the cache. The information is stored in the database.
Analysis: server clusters analyze the data acquired by the crawlers. The analyzed results are stored in the database.
• 17 billion analyzed web pages & images
• 5M/d spam & phishing attacks
• 60K documented vulnerabilities
• 9B+ security events daily
• Millions of unique malware samples
• 71M catalogued URLs
• 270+ web applications
• Millions of IP addresses in the IP reputation feed: geo location, spam, anonymous proxies, dynamic IPs, malware, C&C, …
Advanced Threat Protection PlatformAbility to prevent sophisticated threats and detect abnormal network behavior by leveraging an extensible set of network security capabilities - in conjunction with real-time threat information and Security Intelligence
Expanded X-Force Threat IntelligenceIncreased coverage of world-wide threat intelligence harvested by X-Force and the consumption of this data to make smarter and more accurate security decisions across the IBM portfolio
Security Intelligence IntegrationTight integration between the Advanced Threat Protection Platform and QRadar Security Intelligence platform to provide unique and meaningful ways to detect, investigate and remediate threats
Log Manager SIEMNetwork Activity
MonitorRisk Manager
Vulnerability Data Malicious Websites Malware Information IP Reputation
Intrusion Prevention
Content and DataSecurity
Web ApplicationProtection
Network Anomaly Detection
IBM Network Security
SecurityIntelligencePlatform
Threat Intelligenceand Research
Advanced Threat ProtectionPlatform
Application Control
The Advanced Threat Protection Platform
13
© 2012 IBM Corporation
Introducing IBM Security Network Protection XGS 5000
PROVEN SECURITY: extensible, 0-day protection powered by X-Force®
ULTIMATE VISIBILITY (NEW WITH XGS): understand the Who, What and When for all network activity
COMPLETE CONTROL (NEW WITH XGS): ensure appropriate application and network use
IBM Security Network Protection XGS 5000 builds on the proven security of IBM intrusion prevention solutions by delivering the addition of next generation visibility and control to help balance security and business requirements.
Extensible 0-day protection and ultimate visibility
• Complete Identity Awareness associates valuable users and groups with their network activity, application usage and application actions.
• Application Awareness fully classifies network traffic, regardless of address, port, protocol, application, application action or security event.
• Network Flow Data provides real time awareness of anomalous activities, and QRadar integration facilitates enhanced analysis and correlation.
• Protocol Analysis based Deep Packet Inspection: the protocol analysis module provides “Ahead of the Threat” protection against known and emerging threats.
Figure: Network Traffic and Flows; Employee A, B, C mapped to Good Application / Bad Application. Increase Security, Reduce Costs, Enable Innovation.
QRadar Network Anomaly Detection
• Optimized version of QRadar Network Activity Monitoring for IBM Security Network Protection solutions
• Behavioral analytics and real-time correlation help better detect and prioritize stealthy attacks
• Integrated analysis of network flow data brings additional security intelligence to IBM Security Network Protection solutions:
  – Traffic profiling to detect zero-day threats
  – Correlation of threat & flow data for enhanced incident analysis
  – Network activity monitoring to profile user and system behavior to improve threat intelligence and complement risk based access strategies
  – Consolidation and correlation of data bring out the “needle in the haystack”
• Incorporates X-Force IP Reputation Feed, providing insight into suspect entities on the Internet, feeding correlation intelligence
The Security Intelligence Timeline
Prediction & Prevention: What are the external and internal threats? Are we configured to protect against these threats?
  Risk Management. Vulnerability Management. Configuration Monitoring. Patch Management. X-Force Research and Threat Intelligence. Compliance Management. Reporting and Scorecards.
Reaction & Remediation: What is happening right now? What was the impact?
  SIEM. Log Management. Incident Response. Network and Host Intrusion Prevention. Network Anomaly Detection. Packet Forensics. Database Activity Monitoring. Data Loss Prevention.
Intelligence: Leading products and services in every segment
Fully Integrated Security Intelligence
Log Management: turnkey log management; SME to Enterprise; upgradeable to enterprise SIEM
SIEM: integrated log, threat, risk & compliance management; sophisticated event analytics; asset profiling and flow analytics; offense management and workflow
Network Activity & Anomaly Detection: network analytics; behavioral anomaly detection; fully integrated with SIEM
Network and Application Visibility: Layer 7 application monitoring; content capture for deep insight; physical and virtual environments
Risk & Configuration Management: predictive threat modeling & simulation; scalable configuration monitoring and audit; advanced threat visualization and impact analysis
Fully Integrated Security Intelligence
SIEM, Log Management, Network Activity & Anomaly Detection, Network and Application Visibility, Risk & Configuration Management: One Console Security, built on a Single Data Architecture.
QRadar SIEM Overview
• QRadar SIEM provides full visibility and actionable insight to protect networks and IT assets from a wide range of advanced threats, while meeting critical compliance mandates.
• Key Capabilities:
  – Sophisticated correlation of events, flows, assets, topologies, vulnerabilities and external data to identify & prioritize threats
  – Network flow capture and analysis for deep application insight
  – Workflow management to fully track threats and ensure resolution
  – Scalable architecture to support the largest deployments
Security Intelligence: Context and Correlation drive Deep Insight
Sources + Intelligence = Most Accurate & Actionable Insight
Figure: QRadar dashboard with IBM X-Force® Threat Information Center, real-time security overview with IP reputation correlation, identity and user context, real-time network visualization and application statistics, and inbound security events.
QRadar SIEM: clear, concise and comprehensive delivery of relevant information:
• What was the attack?
• Who was responsible?
• How many targets were involved?
• Was it successful?
• Where do I find them?
• Are any of them vulnerable?
• How valuable are the targets to the business?
• Where is all the evidence?
QRadar SIEM: Threat Detection and Correlation
Sounds nasty… but how do we know this? The evidence is a single click away.
• Buffer Overflow: exploit attempt seen by IDS
• Network Scan: detected by QFlow
• Targeted Host Vulnerable: detected by vulnerability scanner
• Total Security Intelligence: convergence of network, event and vulnerability data
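The slide's point is that a single IDS alert becomes a high-priority offense only when flow data (the preceding scan) and vulnerability data (the target is actually exposed) corroborate it. The following is an added illustration of that three-source correlation, not QRadar code; all record formats, field names, hosts and the CVE identifier are constructed for the example.

```python
"""Toy event/flow/vulnerability correlator (added example, not QRadar)."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed sample records: one exploit attempt against a vulnerable host
# preceded by a scan, and one against a patched host with no recon.
IDS_EVENTS = [
    {"time": "2012-07-15T10:02:10", "src": "203.0.113.7", "dst": "172.29.230.15",
     "signature": "HTTP_Buffer_Overflow", "cve": "CVE-EXAMPLE-0001"},
    {"time": "2012-07-15T10:05:00", "src": "198.51.100.9", "dst": "172.29.230.16",
     "signature": "HTTP_Buffer_Overflow", "cve": "CVE-EXAMPLE-0001"},
]
FLOW_EVENTS = [  # anomalies from flow analysis (QFlow's role on the slide)
    {"time": "2012-07-15T09:58:41", "src": "203.0.113.7", "kind": "network_scan",
     "ports_touched": 250},
]
VULN_SCAN = [  # latest vulnerability scanner results, keyed by host
    {"host": "172.29.230.15", "cves": {"CVE-EXAMPLE-0001"}, "asset_weight": 9},
    {"host": "172.29.230.16", "cves": set(), "asset_weight": 3},
]


@dataclass
class Offense:
    target: str
    attacker: str
    magnitude: int              # 1..10, higher means investigate first
    evidence: list = field(default_factory=list)


def correlate(ids, flows, vulns, window=timedelta(minutes=10)):
    """Turn raw IDS events into prioritised offenses using flow and vuln data."""
    vuln_by_host = {v["host"]: v for v in vulns}
    offenses = []
    for ev in ids:
        t = datetime.fromisoformat(ev["time"])
        evidence = [f"IDS: {ev['signature']} from {ev['src']} to {ev['dst']}"]
        magnitude = 3  # an exploit attempt alone is only moderately interesting
        # A scan from the same source shortly before the exploit raises confidence.
        for fl in flows:
            ft = datetime.fromisoformat(fl["time"])
            if (fl["src"] == ev["src"] and fl["kind"] == "network_scan"
                    and timedelta(0) <= t - ft <= window):
                evidence.append(f"Flow: {fl['kind']} of {fl['ports_touched']} ports "
                                f"{int((t - ft).total_seconds())}s before the exploit")
                magnitude += 2
        # If the scanner says the target carries the exploited CVE, the attempt
        # is likely to have succeeded; weight by the asset's business value.
        host = vuln_by_host.get(ev["dst"])
        if host and ev["cve"] in host["cves"]:
            evidence.append(f"Vuln scan: {ev['dst']} is vulnerable to {ev['cve']}")
            magnitude += 3 + host["asset_weight"] // 3
        offenses.append(Offense(ev["dst"], ev["src"], min(magnitude, 10), evidence))
    return sorted(offenses, key=lambda o: o.magnitude, reverse=True)


if __name__ == "__main__":
    for o in correlate(IDS_EVENTS, FLOW_EVENTS, VULN_SCAN):
        print(f"[{o.magnitude}] {o.attacker} -> {o.target}")
        for line in o.evidence:
            print("   ", line)
```

The corroborated attempt scores 10 with three lines of evidence, while the identical signature against the patched host stays at 3, which is the prioritisation the slide describes.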
QRadar: Compliance Rules and Reporting
• Out-of-the-box templates for specific regulations and best practices: COBIT, SOX, GLBA, NERC, FISMA, PCI, HIPAA, UK GCSx
• Easily modified to include new definitions
• Extensible to include new regulations and best practices
• Can leverage existing correlation rules
Benefits of the IBM Advanced Threat Protection Platform
• Dramatically reduces risks and costs associated with a security breach through constantly updated, preemptive, research driven protection
• Reduces cost and complexity through simplified security management and consolidation of security point solutions
• Delivers full visibility and actionable insight for Total Security Intelligence
• As your trusted partner in security, IBM Security delivers solutions that fit your organization to keep it protected as security risks evolve
The uniqueness “is in the ability to set up security at the user level, correlate that information (with QRadar), and utilize cloud-based threat intelligence to uncover malicious websites and files.” – Network World, July 31, 2012
Get Engaged with IBM X-Force Research and Development
• Follow us at @ibmsecurity, @ibmxforce and @Q1Labs
• Download X-Force security trend & risk reports: http://www-935.ibm.com/services/us/iss/xforce/
• Subscribe to the security channel for the latest security videos: www.youtube.com/ibmsecuritysolutions
• Attend in-person events: http://www.ibm.com/events/calendar/
• Subscribe to X-Force alerts at http://iss.net/rss.php or Frequency X at http://blogs.iss.net/rss.php
• Join the Institute for Advanced Security: www.instituteforadvancedsecurity.com
IBM X-Force 2012 Mid Year Trend Report
20 September 2012
http://bit.ly/OzWzNS
Comments or Questions? Come see the Security Systems Team in the Expo area:
• Marcus Eriksson, Sales Leader, ISS & QRadar
• Sara Anwar, Nordic Sales
• Sven-Erik Vestergaard, Security Architect
• Jesper Glahn, Denmark Sales Leader
Please note:
• IBM’s statements regarding its plans, directions, and intent are subject to change or withdrawal without notice at IBM’s sole discretion.
• Information regarding potential future products is intended to outline our general product direction and it should not be relied on in making a purchasing decision.
• The information mentioned regarding potential future products is not a commitment, promise, or legal obligation to deliver any material, code or functionality. Information about potential future products may not be incorporated into any contract. The development, release, and timing of any future features or functionality described for our products remains at our sole discretion.
• Performance is based on measurements and projections using standard IBM benchmarks in a controlled environment. The actual throughput or performance that any user will experience will vary depending upon many factors, including considerations such as the amount of multiprogramming in the user's job stream, the I/O configuration, the storage configuration, and the workload processed. Therefore, no assurance can be given that an individual user will achieve results similar to those stated here.
ibm.com/security
© Copyright IBM Corporation 2012. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind, express or implied. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, these materials. Nothing contained in these materials is intended to, nor shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software. References in these materials to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates. Product release dates and/or capabilities referenced in these materials may change at any time at IBM’s sole discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any way. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service marks of others.