Avoid Security Threats with Security Intelligence. Filip Schepers, IBM


Uploaded by ibm-danmark on 20 May 2015

Description: Presentation from IBM Smarter Business 2012

Transcript

Page 1: Avoid Security Threats with Security Intelligence. Filip Schepers, IBM

© 2012 IBM Corporation

Advanced Threat Protection and Security Intelligence

Filip Schepers, IBM Security Systems “SWAT”, X-Force Representative, [email protected]

Page 2

Agenda

• The Threat Landscape: X-Force Trend and Risk Report
• Research-Driven Threat Mitigation: the Advanced Threat Protection Platform
• Security Intelligence: QRadar and the IBM Security Framework

Page 3

2011: The Year of the Security Breach

Page 4

The Threat Landscape

• Over 7,000 publicly disclosed vulnerabilities in 2011
• 95% of vulnerabilities in 2011 were rated Medium or higher (CVSS); Critical vulnerabilities tripled vs 2010
• 41% of all vulnerabilities are web application vulnerabilities
• Cross-Site Scripting and SQL injection vulnerabilities continue to dominate
• Shell injection attacks on the rise

Page 5

“We had a case in Europe where workers went on strike for 3 days after Facebook was completely blocked… so granularity is key.”

– IBM Business Partner

The Need to Understand the Who, What, and When

Example policies:

• Block attachments on all outgoing emails and chats
• Allow marketing and sales teams to access social networking sites
• Advanced inspection of web application traffic destined to my web servers
• Allow, but don’t inspect, traffic to financial and medical sites
• Block known botnet servers and phishing sites
• A more strict security policy is applied to traffic from countries where I do not do business

Traffic controls (from the diagram): Client-Side Protection, Network Awareness, Reputation, Web Protection, Botnet Protection, Web Category Protection, Access Control and Protocol-Aware Intrusion Protection, applied to both web applications and non-web applications.

Policy inputs (from the diagram): Who (server, geography, user or group, reputation, network; e.g. 172.29.230.15, Bob, Alice) and What (e.g. ports 80, 443, 21; webmail; social networks) feed the policy and its traffic controls.
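The policies above read as an ordered rule set over the “who” (user, group, source network, geography, reputation) and the “what” (port, application, web category). The first-match evaluator below is an added example written for this page, not IBM code or an XGS configuration; the rule names, flow fields, country list and sample flows are assumptions. Its point is rule order: the reputation block has to sit above the “allow but don’t inspect” bypass for financial and medical sites, otherwise a command-and-control server that a categoriser has filed under “finance” passes uninspected, and the last function shows exactly that failure.

```python
# Added example, not from the IBM deck: a first-match policy evaluator over the
# "who / what" dimensions on the slide. Rule names, flow fields, the country
# list and the sample flows are constructed for illustration.
from dataclasses import dataclass
from typing import Callable, Dict, List


@dataclass
class Flow:
    """One connection as the policy engine sees it (all fields constructed)."""
    src_ip: str
    user: str
    groups: List[str]
    dst_ip: str
    dst_port: int
    app: str            # classified application, e.g. "facebook", "smtp"
    category: str       # web category, e.g. "social", "finance", "unknown"
    geo: str            # destination country code
    reputation: str     # "malicious_c2", "phishing", "clean", ...
    has_attachment: bool = False
    outbound: bool = True


@dataclass
class Rule:
    name: str
    match: Callable[[Flow], bool]
    action: str         # "block", "allow", "allow_no_inspect" or "inspect"


BUSINESS_COUNTRIES = {"DK", "SE", "NO", "FI", "US"}   # assumed

# Ordered deliberately: the reputation block comes BEFORE the "allow without
# inspection" bypass, otherwise a C2 server categorised as "finance" would
# pass uninspected.
RULES: List[Rule] = [
    Rule("block-botnet-phishing",
         lambda f: f.reputation in {"malicious_c2", "phishing"}, "block"),
    Rule("block-outgoing-attachments",
         lambda f: f.outbound and f.has_attachment and f.app in {"smtp", "chat"}, "block"),
    Rule("strict-policy-non-business-geo",
         lambda f: f.outbound and f.geo not in BUSINESS_COUNTRIES, "inspect"),
    Rule("marketing-sales-social",
         lambda f: f.category == "social" and bool({"marketing", "sales"} & set(f.groups)),
         "allow"),
    Rule("block-social-others", lambda f: f.category == "social", "block"),
    Rule("finance-medical-privacy-bypass",
         lambda f: f.category in {"finance", "medical"}, "allow_no_inspect"),
    Rule("inspect-inbound-web-to-my-servers",
         lambda f: not f.outbound and f.dst_port in {80, 443}, "inspect"),
]
DEFAULT_ACTION = "inspect"   # default is allow-but-inspect, never a silent allow


def evaluate(flow: Flow, rules: List[Rule] = RULES) -> Dict[str, str]:
    """First matching rule wins; fall through to the default action."""
    for rule in rules:
        if rule.match(flow):
            return {"rule": rule.name, "action": rule.action}
    return {"rule": "default", "action": DEFAULT_ACTION}


# Constructed sample flows (addresses from documentation ranges).
SAMPLE_FLOWS = {
    "bob_marketing_facebook": Flow("172.29.230.15", "bob", ["marketing"], "31.13.64.1", 443,
                                   "facebook", "social", "US", "clean"),
    "alice_engineering_facebook": Flow("172.29.230.16", "alice", ["engineering"], "31.13.64.1",
                                       443, "facebook", "social", "US", "clean"),
    "alice_bank": Flow("172.29.230.16", "alice", ["engineering"], "203.0.113.10", 443,
                       "https", "finance", "DK", "clean"),
    "c2_posing_as_bank": Flow("172.29.230.16", "alice", ["engineering"], "198.51.100.7", 443,
                              "https", "finance", "DK", "malicious_c2"),
    "bob_mail_with_attachment": Flow("172.29.230.15", "bob", ["marketing"], "192.0.2.25", 25,
                                     "smtp", "mail", "DK", "clean", has_attachment=True),
    "inbound_to_webserver": Flow("198.51.100.99", "-", [], "172.29.230.80", 443,
                                 "https", "unknown", "DK", "clean", outbound=False),
}


def evaluate_all() -> Dict[str, Dict[str, str]]:
    return {name: evaluate(flow) for name, flow in SAMPLE_FLOWS.items()}


# The caveat, demonstrated: move the privacy bypass above the reputation rule
# and the C2 server categorised as "finance" is allowed without inspection.
MISORDERED: List[Rule] = [RULES[5]] + RULES[:5] + RULES[6:]


def c2_verdict_misordered() -> str:
    return evaluate(SAMPLE_FLOWS["c2_posing_as_bank"], MISORDERED)["action"]


if __name__ == "__main__":
    for name, verdict in evaluate_all().items():
        print(f"{name:28s} -> {verdict['action']:16s} ({verdict['rule']})")
    print("misordered C2 verdict:", c2_verdict_misordered())
```

The default action is “inspect” rather than “allow”: anything a rule set forgets to mention should still pass through protocol analysis, which is the cheap side of the trade-off the slide’s strike anecdote is about.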

Page 6

Customer Challenges

• Detecting threats: arm yourself with comprehensive security intelligence
• Consolidating data silos: collect, correlate and report on data in one integrated solution
• Detecting insider fraud: next-generation SIEM with identity correlation
• Better predicting risks to your business: full life cycle of compliance and risk management for network and security infrastructures
• Addressing regulation mandates: automated data collection and configuration audits

Page 7

Advanced Threat Protection PlatformAbility to prevent sophisticated threats and detect abnormal network behavior by leveraging an extensible set of network security capabilities - in conjunction with real-time threat information and Security Intelligence

Expanded X-Force Threat IntelligenceIncreased coverage of world-wide threat intelligence harvested by X-Force and the consumption of this data to make smarter and more accurate security decisions across the IBM portfolio

Security Intelligence IntegrationTight integration between the Advanced Threat Protection Platform and QRadar Security Intelligence platform to provide unique and meaningful ways to detect, investigate and remediate threats

Log Manager SIEMNetwork Activity

MonitorRisk Manager

Vulnerability Data Malicious Websites Malware Information IP Reputation

Intrusion Prevention

Content and DataSecurity

Web ApplicationProtection

Network Anomaly Detection

IBM Network Security

SecurityIntelligencePlatform

Threat Intelligenceand Research

Advanced Threat ProtectionPlatform

Application Control

The Advanced Threat Protection Platform

Page 8

X-Force Mission

Provide the most respected security brand to IBM, our Customers and Business Partners.

Areas: Research; Engine Content Delivery; Industry/Customer Deliverables

• Support content streams
• Expand current capabilities in research to provide industry knowledge to the greater IBM
• Support content stream needs and capabilities
• Support requirements for engine enhancement
• Maintenance and tool development
• Continue third-party testing dominance
• Execute to deliver new content streams for new engines
• Blog, marketing and industry speaking engagements
• X-Force Database vulnerability tracking
• Trend analysis and security analytics

IBM X-Force Research and Development: the world’s leading enterprise security R&D organization, with a global security operations center (infrastructure monitoring).

Page 9

Unmatched Global Coverage and Security Awareness

• 20,000+ devices under contract
• 3,700+ MSS clients worldwide
• 9B+ events managed per day
• 1,000+ security patents
• 133 monitored countries (MSS)


World Wide Managed Security Services Coverage

Security Operations Centers

Security Research Centers

Security Solution Development Centers

Institute for Advanced Security Branches

IBM Research

Page 10

IBM Security Network Protection offerings are based on a modular, research-driven protocol analysis engine for vulnerability-based deep packet inspection.

We Have the Technology

Protecting against exploits is reactive; protecting against vulnerabilities and malicious behaviors is preemptive.

Page 11: Undgå sikkerhedstrusler med Security Intelligence. Filip Schepers, IBM

11

© 2012 IBM Corporation

We Have a LOT of Data…

Pipeline (from the diagram): Online Services, Filter, Database, Server.

Crawling
• Crawler robots search the web in parallel.
• They download the websites and images and place them in the cache. The information is stored in the database.

Analysis
• A server cluster analyzes the data acquired by the crawlers.
• The analyzed results are stored in the database.

• 17 billion analyzed web pages & images
• 5M/day spam & phishing attacks
• 60K documented vulnerabilities
• 9B+ security events daily
• Millions of unique malware samples
• 71M catalogued URLs
• 270+ web applications
• Millions of IP addresses in the IP reputation feed: geolocation, spam, anonymous proxies, dynamic IPs, malware, C&C, …

Page 12: The Advanced Threat Protection Platform (section divider, repeating the Page 7 diagram)

Page 13

Introducing IBM Security Network Protection XGS 5000

Proven Security. Ultimate Visibility. Complete Control.

• Extensible 0-day protection powered by X-Force®
• Understand the Who, What and When for all network activity (new with XGS)
• Ensure appropriate application and network use (new with XGS)

IBM Security Network Protection XGS 5000 builds on the proven security of IBM intrusion prevention solutions by adding next-generation visibility and control, to help balance security and business requirements.

Page 14

Extensible 0-day protection and ultimate visibility

Increase Security. Reduce Costs. Enable Innovation.

• Protocol Analysis based Deep Packet Inspection: the protocol analysis module provides “Ahead of the Threat” protection against known and emerging threats
• Complete Identity Awareness associates users and groups with their network activity, application usage and application actions
• Application Awareness fully classifies network traffic, regardless of address, port, protocol, application, application action or security event
• Network Flow Data provides real-time awareness of anomalous activities, and QRadar integration facilitates enhanced analysis and correlation

(Diagram: network traffic and flows from Employee A, B and C, classified into good and bad applications.)
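The statement on Page 10 that protecting against exploits is reactive while protecting against vulnerabilities is preemptive, and the protocol analysis module described above, both come down to what the detector keys on. The following added example (written for this page; it is not IBM’s engine, and the 64-byte Host-header buffer, the toy request format, the signature bytes and the packets are all assumptions) runs an exploit-signature check and a vulnerability-condition check over the same constructed traffic: a trivially modified exploit evades the signature but not the protocol check, while a signature fragment sitting in a harmless field trips only the signature.

```python
# Added example, not from the IBM deck: exploit-signature matching versus
# vulnerability-based protocol analysis on a constructed HTTP-like protocol.
# The "vulnerability" (a fixed 64-byte Host-header buffer), the signature and
# every packet below are hypothetical; no real product, CVE or rule is shown.
from typing import Dict, Optional

HOST_BUFFER_LEN = 64                  # assumed size of the vulnerable server buffer
KNOWN_EXPLOIT_SIGNATURE = b"\x90" * 16  # exploit-centric rule: bytes of one known payload


def parse_request(raw: bytes) -> Optional[Dict[str, bytes]]:
    """Minimal parser: request line, then 'Name: value' headers up to a blank line."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    if len(lines[0].split(b" ")) != 3:
        return None                    # malformed request line: not this protocol
    headers: Dict[str, bytes] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        if not sep:
            return None
        headers[name.strip().lower().decode("ascii", "replace")] = value.strip()
    return headers


def exploit_signature_hit(raw: bytes) -> bool:
    """Reactive: fires only when this exact known payload fragment is present."""
    return KNOWN_EXPLOIT_SIGNATURE in raw


def vulnerability_condition_hit(raw: bytes) -> bool:
    """Preemptive: fires whenever the protocol field exceeds what the vulnerable
    parser can hold, no matter which bytes are inside it."""
    headers = parse_request(raw)
    if headers is None:
        return False
    return len(headers.get("host", b"")) > HOST_BUFFER_LEN


def build_request(host: bytes) -> bytes:
    return b"GET / HTTP/1.0\r\nHost: " + host + b"\r\n\r\n"


# Constructed traffic samples.
SAMPLES = {
    "benign": build_request(b"intranet.example.com"),
    # the known exploit: a NOP sled followed by a (fake) return address
    "known_exploit": build_request(b"\x90" * 100 + b"\x41\x42\x43\x44"),
    # same overflow, sled swapped for a different single-byte NOP-equivalent
    "variant_exploit": build_request(b"\x41" * 100 + b"\x45\x46\x47\x48"),
    # sled bytes in a header the vulnerable code never copies into the small buffer
    "sled_in_harmless_field": (b"GET / HTTP/1.0\r\nHost: a.example\r\nX-Trace: "
                               + b"\x90" * 16 + b"\r\n\r\n"),
}


def classify_all() -> Dict[str, Dict[str, bool]]:
    return {name: {"signature": exploit_signature_hit(raw),
                   "vulnerability": vulnerability_condition_hit(raw)}
            for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in classify_all().items():
        print(f"{name:24s} signature={verdict['signature']!s:5s} "
              f"vulnerability={verdict['vulnerability']}")
```

The vulnerability rule costs a parse of the protocol, which is why engines of this kind are built around protocol analysis rather than byte matching; the price is that the rule author must know the actual failing condition (here, the field length), not just one payload that triggers it.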

Page 15

QRadar Network Anomaly Detection

• Optimized version of QRadar Network Activity Monitoring for IBM Security Network Protection solutions
• Behavioral analytics and real-time correlation help better detect and prioritize stealthy attacks
• Integrated analysis of network flow data brings additional security intelligence to IBM Security Network Protection solutions:
  – Traffic profiling to detect zero-day threats
  – Correlation of threat and flow data for enhanced incident analysis
  – Network activity monitoring to profile user and system behavior, to improve threat intelligence and complement risk-based access strategies
  – Consolidation and correlation of data bring out the “needle in the haystack”
• Incorporates the X-Force IP Reputation Feed, providing insight into suspect entities on the Internet and feeding correlation intelligence
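A minimal version of the traffic profiling and the flow-plus-threat-data correlation listed above, as an added example written for this page rather than QRadar code: it builds a per-host baseline from constructed flow records, flags volume outliers and never-before-seen destination ports, and lets a hit in a constructed reputation feed dominate the score. The record format, thresholds, addresses and feed contents are assumptions.

```python
# Added example, not from the IBM deck: flow-profile anomaly detection with
# IP-reputation enrichment. Flow records, thresholds and the reputation feed
# are constructed for illustration.
from collections import defaultdict
from statistics import mean, pstdev
from typing import Dict, List, Tuple

# (window, src_ip, dst_ip, dst_port, bytes_out): constructed NetFlow-like records
Flow = Tuple[int, str, str, int, int]

# Seven quiet baseline windows: the workstation talks HTTPS to one server and
# SMB to a file server, with a slow upward drift in volume.
BASELINE: List[Flow] = []
for w in range(7):
    BASELINE.append((w, "172.29.230.15", "203.0.113.20", 443, 2_000_000 + 50_000 * w))
    BASELINE.append((w, "172.29.230.15", "172.29.230.40", 445, 300_000))

NOW: List[Flow] = [
    (7, "172.29.230.15", "203.0.113.20", 443, 2_100_000),    # usual
    (7, "172.29.230.15", "172.29.230.40", 445, 310_000),     # usual
    (7, "172.29.230.15", "198.51.100.7", 8443, 25_000_000),  # new port, huge volume
    (7, "172.29.230.16", "203.0.113.20", 443, 1_000_000),    # host with no baseline
]

REPUTATION: Dict[str, str] = {"198.51.100.7": "malware_c2"}   # constructed feed

Z_THRESHOLD = 3.0
MIN_STDDEV = 1.0     # avoids division by zero on a perfectly flat baseline


def build_profile(flows: List[Flow]) -> Dict[str, dict]:
    """Per-source profile: outbound bytes per window and the set of ports seen."""
    per_window = defaultdict(lambda: defaultdict(int))
    ports = defaultdict(set)
    for w, src, _dst, port, nbytes in flows:
        per_window[src][w] += nbytes
        ports[src].add(port)
    profile = {}
    for src, windows in per_window.items():
        series = list(windows.values())
        profile[src] = {"mean": mean(series),
                        "stddev": max(pstdev(series), MIN_STDDEV),
                        "ports": ports[src]}
    return profile


def detect(current: List[Flow], profile: Dict[str, dict]) -> List[dict]:
    """Return findings sorted so that reputation hits come first."""
    findings = []
    bytes_by_src = defaultdict(int)
    for _w, src, _dst, _port, nbytes in current:
        bytes_by_src[src] += nbytes
    # Per-source volume check against the baseline distribution.
    for src, total in bytes_by_src.items():
        base = profile.get(src)
        if base is None:
            findings.append({"src": src, "dst": None, "port": None, "score": 1,
                             "reasons": ["no baseline for host"]})
            continue
        z = (total - base["mean"]) / base["stddev"]
        if z > Z_THRESHOLD:
            findings.append({"src": src, "dst": None, "port": None, "score": 2,
                             "reasons": [f"volume z-score {z:.1f}"]})
    # Per-flow checks: new destination port, destination reputation.
    for _w, src, dst, port, _n in current:
        base = profile.get(src)
        reasons = []
        if base is not None and port not in base["ports"]:
            reasons.append(f"new destination port {port}")
        rep = REPUTATION.get(dst)
        if rep:
            reasons.append(f"destination reputation {rep}")
        if reasons:
            findings.append({"src": src, "dst": dst, "port": port,
                             "score": len(reasons) + (10 if rep else 0),
                             "reasons": reasons})
    return sorted(findings, key=lambda f: f["score"], reverse=True)


def run() -> List[dict]:
    return detect(NOW, build_profile(BASELINE))


if __name__ == "__main__":
    for f in run():
        where = f"{f['dst']}:{f['port']}" if f["dst"] else "(all destinations)"
        print(f"score={f['score']:2d} {f['src']} -> {where}: {'; '.join(f['reasons'])}")
```

A host with no baseline gets a low-score finding rather than silence; in practice that is where newly imaged or rogue machines show up, and the slide’s “needle in the haystack” point is that such a finding only becomes interesting once the reputation or port signals are layered on it.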

Page 16: The Advanced Threat Protection Platform (section divider, repeating the Page 7 diagram)

Page 17

The Security Intelligence Timeline

Prediction & Prevention: What are the external and internal threats? Are we configured to protect against these threats?
• Risk Management. Vulnerability Management. Configuration Monitoring. Patch Management.
• X-Force Research and Threat Intelligence. Compliance Management. Reporting and Scorecards.

Reaction & Remediation: What is happening right now? What was the impact?
• SIEM. Log Management. Incident Response.
• Network and Host Intrusion Prevention. Network Anomaly Detection. Packet Forensics.
• Database Activity Monitoring. Data Loss Prevention.

Page 18

Intelligence: Leading products and services in every segment

Page 19

Fully Integrated Security Intelligence

Log Management
• Turnkey log management
• SME to Enterprise
• Upgradeable to enterprise SIEM

SIEM
• Integrated log, threat, risk & compliance management
• Sophisticated event analytics
• Asset profiling and flow analytics
• Offense management and workflow

Network Activity & Anomaly Detection
• Network analytics
• Behavioral anomaly detection
• Fully integrated with SIEM

Network and Application Visibility
• Layer 7 application monitoring
• Content capture for deep insight
• Physical and virtual environments

Risk & Configuration Management
• Predictive threat modeling & simulation
• Scalable configuration monitoring and audit
• Advanced threat visualization and impact analysis

Page 20

Fully Integrated Security Intelligence

SIEM, Log Management, Network Activity & Anomaly Detection, Network and Application Visibility, and Risk & Configuration Management: one console security, built on a single data architecture.

Page 21

QRadar SIEM Overview

• QRadar SIEM provides full visibility and actionable insight to protect networks and IT assets from a wide range of advanced threats, while meeting critical compliance mandates.
• Key capabilities:
  – Sophisticated correlation of events, flows, assets, topologies, vulnerabilities and external data to identify and prioritize threats
  – Network flow capture and analysis for deep application insight
  – Workflow management to fully track threats and ensure resolution
  – Scalable architecture to support the largest deployments

Page 22

Security Intelligence: Context and Correlation drive Deep Insight

Sources + Intelligence = Most Accurate & Actionable Insight

Page 23

(Dashboard screenshot: IBM X-Force® Threat Information Center; real-time security overview with IP reputation correlation; identity and user context; real-time network visualization and application statistics; inbound security events.)

Page 24

QRadar SIEM: clear, concise and comprehensive delivery of relevant information:

• What was the attack?
• Who was responsible?
• How many targets were involved?
• Was it successful?
• Where do I find them?
• Are any of them vulnerable?
• How valuable are the targets to the business?
• Where is all the evidence?

Page 25

QRadar SIEM: Threat Detection and Correlation

Sounds nasty… but how do we know this? The evidence is a single click away.

• Buffer overflow: exploit attempt seen by IDS
• Network scan: detected by QFlow
• Targeted host vulnerable: detected by vulnerability scanner
• Total Security Intelligence: convergence of network, event and vulnerability data
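The three signals on this slide (an IDS exploit attempt, a scan seen in flow data, a vulnerability-scanner result for the target) and the questions on Page 24 can be wired into one prioritised offense as follows. This is an added example written for this page, not QRadar’s correlation engine; the events, flow records, asset values, the placeholder vulnerability identifiers (VULN-TOY-…) and the magnitude formula are all assumptions.

```python
# Added example, not from the IBM deck: correlate IDS events, flow records and
# vulnerability-scan results into one prioritised offense per attacker.
# All inputs are constructed; "VULN-TOY-n" are placeholder ids, not real CVEs.
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# IDS events: (src, dst, signature name, vulnerability the signature targets)
IDS_EVENTS: List[Tuple[str, str, str, str]] = [
    ("198.51.100.7", "172.29.230.80", "Buffer overflow exploit attempt", "VULN-TOY-1"),
    ("198.51.100.7", "172.29.230.81", "Buffer overflow exploit attempt", "VULN-TOY-1"),
    ("203.0.113.9",  "172.29.230.82", "Buffer overflow exploit attempt", "VULN-TOY-2"),
]
# Flow records: (src, dst, dst_port); one source touching many ports is a scan
FLOWS: List[Tuple[str, str, int]] = (
    [("198.51.100.7", "172.29.230.80", p) for p in (21, 22, 23, 25, 80, 110, 143, 443)]
    + [("198.51.100.7", "172.29.230.81", 80), ("203.0.113.9", "172.29.230.82", 80)]
)
# Vulnerability-scanner findings per host
VULNS: Dict[str, Set[str]] = {"172.29.230.80": {"VULN-TOY-1"},
                              "172.29.230.81": set(),
                              "172.29.230.82": {"VULN-TOY-3"}}
# Business value of each asset (1 = low ... 10 = crown jewel)
ASSET_VALUE: Dict[str, int] = {"172.29.230.80": 9, "172.29.230.81": 3, "172.29.230.82": 5}

SCAN_PORT_THRESHOLD = 5


def detect_scanners(flows: List[Tuple[str, str, int]]) -> Set[str]:
    """Sources that touched at least SCAN_PORT_THRESHOLD distinct ports."""
    ports_by_src = defaultdict(set)
    for src, _dst, port in flows:
        ports_by_src[src].add(port)
    return {src for src, ports in ports_by_src.items() if len(ports) >= SCAN_PORT_THRESHOLD}


def correlate() -> List[dict]:
    """One offense per attacker answering: what, who, how many targets,
    was it likely successful, and how valuable the vulnerable targets are."""
    scanners = detect_scanners(FLOWS)
    by_attacker = defaultdict(list)
    for src, dst, sig, vuln in IDS_EVENTS:
        by_attacker[src].append((dst, sig, vuln))
    offenses = []
    for attacker, events in by_attacker.items():
        targets = {dst for dst, _, _ in events}
        # "Likely successful": the exploit's vulnerability is present on the target.
        vulnerable = {dst for dst, _, vuln in events if vuln in VULNS.get(dst, set())}
        # Magnitude: base for the attempt, boosted by reconnaissance, by a
        # confirmed vulnerable target, and by that target's business value.
        magnitude = 2
        if attacker in scanners:
            magnitude += 2
        if vulnerable:
            magnitude += 4 + max(ASSET_VALUE.get(t, 1) for t in vulnerable) // 2
        offenses.append({
            "attacker": attacker,
            "what": sorted({sig for _, sig, _ in events}),
            "targets": sorted(targets),
            "likely_successful": sorted(vulnerable),
            "reconnaissance": attacker in scanners,
            "magnitude": min(magnitude, 10),
        })
    return sorted(offenses, key=lambda o: o["magnitude"], reverse=True)


if __name__ == "__main__":
    for o in correlate():
        print(f"magnitude={o['magnitude']:2d} attacker={o['attacker']} "
              f"targets={o['targets']} likely_successful={o['likely_successful']} "
              f"recon={o['reconnaissance']}")
```

The same IDS signature fires for both attackers, but only one of them scanned first and only one hit a host that actually carries the targeted vulnerability; that difference, not the signature, is what separates a magnitude-10 offense from a background event.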

Page 26

QRadar: Compliance Rules and Reporting

• Out-of-the-box templates for specific regulations and best practices:

• COBIT, SOX, GLBA, NERC, FISMA, PCI, HIPAA, UK GCSx

• Easily modified to include new definitions

• Extensible to include new regulations and best practices

• Can leverage existing correlation rules

Page 27: The Advanced Threat Protection Platform (section divider, repeating the Page 7 diagram)

Page 28

Benefits of the IBM Advanced Threat Protection Platform

• Dramatically reduces risks and costs associated with a security breach through constantly updated, preemptive, research-driven protection
• Reduces cost and complexity through simplified security management and consolidation of security point solutions
• Delivers full visibility and actionable insight for Total Security Intelligence
• As your trusted partner in security, IBM Security delivers solutions that fit your organization to keep it protected as security risks evolve

The uniqueness “is in the ability to set up security at the user level, correlate that information (with QRadar), and utilize cloud-based threat intelligence to uncover malicious websites and files.” – Network World, July 31, 2012

Page 29

Get Engaged with IBM X-Force Research and Development

• Follow us at @ibmsecurity, @ibmxforce and @Q1Labs
• Download X-Force security trend & risk reports: http://www-935.ibm.com/services/us/iss/xforce/
• Subscribe to the security channel for the latest security videos: www.youtube.com/ibmsecuritysolutions
• Attend in-person events: http://www.ibm.com/events/calendar/
• Subscribe to X-Force alerts at http://iss.net/rss.php or Frequency X at http://blogs.iss.net/rss.php
• Join the Institute for Advanced Security: www.instituteforadvancedsecurity.com

Page 30

IBM X-Force 2012 Mid Year Trend Report

20 September 2012

http://bit.ly/OzWzNS

Page 31

Comments or Questions?

Come see the Security Systems Team in the Expo area:

• Marcus Eriksson, Sales Leader, ISS & QRadar
• Sara Anwar, Nordic Sales
• Sven-Erik Vestergaard, Security Architect
• Jesper Glahn, Denmark Sales Leader

Page 32

Please note:

• IBM’s statements regarding its plans, directions, and intent are subject to change or withdrawal without notice at IBM’s sole discretion.
• Information regarding potential future products is intended to outline our general product direction and it should not be relied on in making a purchasing decision.
• The information mentioned regarding potential future products is not a commitment, promise, or legal obligation to deliver any material, code or functionality. Information about potential future products may not be incorporated into any contract. The development, release, and timing of any future features or functionality described for our products remains at our sole discretion.
• Performance is based on measurements and projections using standard IBM benchmarks in a controlled environment. The actual throughput or performance that any user will experience will vary depending upon many factors, including considerations such as the amount of multiprogramming in the user's job stream, the I/O configuration, the storage configuration, and the workload processed. Therefore, no assurance can be given that an individual user will achieve results similar to those stated here.

Page 33

ibm.com/security

© Copyright IBM Corporation 2012. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind, express or implied. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, these materials. Nothing contained in these materials is intended to, nor shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software. References in these materials to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates. Product release dates and/or capabilities referenced in these materials may change at any time at IBM’s sole discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any way. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service marks of others.