1. IBM Security Services
Essential Practice: Managing Incidents with Intelligence
Stewart Cawthray
Chief Security Architect – GTS Security Services
IBM Canada Ltd.
October 2012
IBM Defense Summit – Ottawa
© 2011 IBM Corporation
2. IBM is well qualified to secure the enterprise
One of the largest and most complex internal IT infrastructures in the world:
• 2,000+ major sites
• 400,000+ employees
• 1M+ traditional endpoints
• Approx. 200,000+ contractors
• 170+ countries
• ~50% of employees are mobile
[Map legend: Major Employee Sites, Customer Fulfillment, Manufacturing, Employee Service Centers, IBM Research Centers, IBM Internal Data Centers]
3. IBM developed 10 essential practices required to achieve security intelligence
Essential Practices:
1. Build a risk aware culture and management system
2. Manage security incidents with intelligence
3. Defend the mobile and social workplace
4. Secure services, by design
5. Automate security "hygiene"
6. Control network access and assure resilience
7. Address new complexity of cloud and virtualization
8. Manage third party security compliance
9. Secure data and protect privacy
10. Manage the identity lifecycle
[Figure: maturity based approach. Horizontal axis from Reactive to Proactive, vertical axis from Manual to Automated; the maturity levels Basic, Proficient and Optimized lead up to Security Intelligence in the top right.]
4. What problems are incidents causing and how do they happen?
5. Attacks are inevitable. Are you prepared? How well are they handled?
Source: IBM X-Force® Research and Development
6. A major security incident can significantly affect an organization's data, business continuity and reputation
LinkedIn sued for $5 million over data breach: An Illinois woman has filed a $5 million lawsuit against LinkedIn Corp, saying the social network violated promises to consumers by not having better security in place when more than 6 million customer passwords were stolen. (Source: Reuters, June 2012)
Sony Pegs PSN Attack Costs at $170 Million: The Sony attacks in 2011 will cost it 14 billion yen ($170 million dollars) in increased customer support costs, welcome-back packages, legal fees, lower sales and measures to strengthen security, part of a $3.1B total loss in 2011. (Source: Forbes, May 2011)
• In the event of a security breach, organizations need expert guidance to protect the availability of critical business systems, and to find and solve the root causes of the problem quickly.
• Vectors for attack are most often well-known vulnerabilities that should already be addressed by a unified incident identification and management process.
• These issues and their resulting impact would have been preventable had organizations brought on a knowledgeable security partner early on.
Business + Technology = Incident
7. You can't stop the attackers, but the majority of incidents can be easily avoided through proactive measures and intelligence
[Figure: two attack chains with Intelligence placed between them as the point of intervention. A targeted attack leads through incidents to a breach: system compromise and data leakage. A denial of service leads through incidents to application crash and system overload.]
8. Know thyself, know thy enemy. A thousand battles, a thousand victories.
Security Intelligence is the gathering of information to identify and understand Threats, Risks and Opportunities.
The data needed for actionable, quality intelligence is all around you.
It is a good bet that what you don't know is what your attackers will use against you.
9. Security Intelligence
• Which of my systems is most vulnerable?
• What gets attacked the most?
• Are these targeted attacks, or automated attacks?
• Who is attacking me?
• Which department has the most security violations?
• Is my security awareness program effective?
10. Intelligence examples
14:53:16 drop gw.foobar.com >eth0 product VPN-1 & Firewall-1 src xxx.xxx.146.12 s_port 2523 dst xxx.xxx.10.2 service ms-sql-m proto udp rule 49
Normal: Slammer virus (a dropped probe on the MS-SQL monitor service, UDP 1434; the firewall did its job)
14:55:20 accept gw.foobar.com >eth1 product VPN-1 & Firewall-1 src 10.5.5.1 s_port 4523 dst xxx.xxx.10.2 service http proto tcp xlatesrc xxx.xxx.146.12 rule 15
Abnormal: Code Red or Nimda virus (an accepted HTTP connection from an internal host, NAT'd to the same address that appears in the dropped probe; harmless on its own, suspicious once correlated)
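To show how the two lines above become intelligence rather than noise, here is an added example that is not code from the IBM deck. It parses Check Point VPN-1/FireWall-1 style lines in the format shown on the slide and judges each line in the light of the ones before it. The sample log, the worm channel table, the internal network and the correlation rule are assumptions: a dropped packet on a known worm propagation channel is treated as expected noise but its source address is remembered, and an accepted connection from an internal host whose NAT'd address (xlatesrc) matches a remembered prober is flagged as abnormal. The masked addresses on the slide are replaced with documentation ranges, and a third, benign line is added so the rule has something to leave alone.

```python
"""Turn firewall log lines into a verdict by correlating them.

Added example; it is not code from the IBM deck. The line format follows the
Check Point VPN-1/FireWall-1 entries on the slide; the sample log, the worm
channel table, the internal network and the correlation rule are assumptions.
"""
import ipaddress
import re

# Constructed sample modelled on the slide's two lines (the slide masks
# addresses as xxx.xxx.146.12; documentation ranges stand in for them).
# A third, benign line is added so the rule has something to leave alone.
SAMPLE_LOG = """\
14:53:16 drop gw.foobar.com >eth0 product VPN-1 & Firewall-1 src 203.0.113.12 s_port 2523 dst 198.51.100.2 service ms-sql-m proto udp rule 49
14:55:20 accept gw.foobar.com >eth1 product VPN-1 & Firewall-1 src 10.5.5.1 s_port 4523 dst 198.51.100.2 service http proto tcp xlatesrc 203.0.113.12 rule 15
14:56:02 accept gw.foobar.com >eth1 product VPN-1 & Firewall-1 src 10.5.5.7 s_port 4601 dst 192.0.2.80 service http proto tcp xlatesrc 203.0.113.14 rule 15
"""

# Fixed-position head of a line. The product name contains spaces and '&',
# so it is matched lazily up to the first 'src' key; everything after that
# is a flat sequence of "key value" pairs.
HEAD = re.compile(
    r"^(?P<time>\d{2}:\d{2}:\d{2}) (?P<action>\w+) (?P<gateway>\S+) "
    r"(?P<dir>[<>])(?P<iface>\S+) product (?P<product>.+?) (?P<rest>src .*)$"
)

# Well-known worm propagation channels: SQL Slammer spreads on UDP/1434
# (ms-sql-m); Code Red and Nimda spread over HTTP to IIS.
WORM_CHANNELS = {
    ("ms-sql-m", "udp"): "SQL Slammer",
    ("http", "tcp"): "Code Red / Nimda",
}

# Assumed internal address space behind the gateway.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]


def parse_line(line):
    """Parse one log line into a dict of the head fields plus key/value pairs."""
    m = HEAD.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised log line: {line!r}")
    ev = m.groupdict()
    tokens = ev.pop("rest").split()
    if len(tokens) % 2:
        raise ValueError(f"unpaired key/value token in: {line!r}")
    ev.update(zip(tokens[0::2], tokens[1::2]))
    return ev


def is_internal(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def external_address(ev):
    """Address the outside world sees: the NAT'd source (xlatesrc) if present."""
    return ev.get("xlatesrc", ev["src"])


def correlate(log_text):
    """Return (time, verdict, reason) per line, judging each line in the light
    of the lines before it.

    Assumed rules (not the slide's own):
      * a drop on a worm channel is expected noise (the firewall did its job),
        but the offending address is remembered;
      * an accept from an internal host whose NAT'd address was remembered as
        a prober is abnormal: a worm-like host is also getting traffic through,
        so that host should be investigated.
    """
    probers = set()
    verdicts = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        worm = WORM_CHANNELS.get((ev["service"], ev["proto"]))
        if worm and ev["action"] == "drop":
            probers.add(ev["src"])
            verdicts.append((ev["time"], "normal",
                             f"blocked {worm} probe from {ev['src']}"))
        elif (ev["action"] == "accept" and is_internal(ev["src"])
              and external_address(ev) in probers):
            verdicts.append((ev["time"], "abnormal",
                             f"{ev['src']} (NAT {external_address(ev)}) was seen probing; "
                             f"accepted {ev['service']} to {ev['dst']} looks like "
                             f"{worm or 'worm'} activity, investigate the host"))
        else:
            verdicts.append((ev["time"], "normal",
                             f"{ev['action']} {ev['service']} {ev['src']} -> {ev['dst']}"))
    return verdicts


if __name__ == "__main__":
    for time, verdict, reason in correlate(SAMPLE_LOG):
        print(f"{time} {verdict:8} {reason}")
```

The point of the design is that neither line is alarming by itself: a drop is the firewall working and an accepted outbound HTTP connection is ordinary browsing. The verdict comes from state carried across lines, which is exactly what a SIEM correlation rule adds over reading the firewall log top to bottom.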
11. Organizations face four major challenges in operations around incident management
Assumption #1: I am under attack right now. Assumption #2: Attackers are already in. Assumption #3: No endpoint device is secure.
Organizations typically lack:
• Unified, cross-company policy and process for incident response
• Actionable insight and information upon which to act
• Incident management and forensic analysis tooling for remote system capture and analysis
• Resources or skills to actively respond to and investigate security incidents
"Information is the new worldwide currency. Every piece of data is valuable to someone, somewhere, somehow" (IDC, Worldwide and U.S. Security Services Threat Intelligence 2011-2014 Forecast)
12. Sources of Security Intelligence
• Log Files
– Network (firewalls, routers, etc.)
– System (event logs, access logs, syslogs)
• Network
– Netflows (IP statistics from device interfaces)
– Activity (bandwidth, utilization)
– Topography
• People
– Help Desk calls/tickets
• Services
– Commercial feeds (X-Force, Secunia, etc.)
13. IBM helps organizations define a roadmap and implement solutions to address these challenges and reach an optimized state
[Figure: maturity model. Horizontal axis from reactive to proactive, vertical axis from manual to automated; the levels Basic, Proficient and Optimized lead up to Security Intelligence in the top right.]
16. Which one of these steps should we take first?
Step                                      Strategic Approach   Tactical Approach
• Incident Response Program Development   1                    4
• Security Information & Event Management 2                    3
• Forensic Solution Implementation        3                    2
• Emergency response services with XFTAS  4                    1
17. IBM is a provider of end-to-end services both proactively and reactively, helping clients achieve proficiency and optimization
Challenge                                                   Recommendation
Lack of unified incident response policy and process        Incident Response Program Development
Lack of resources or skills to respond to incidents         Emergency response services; X-Force Threat Analysis Service
Investment in forensic tools for automation and analysis    Forensic Solution Implementation
Need for actionable insight and intelligence                Security Information & Event Management (SIEM)
(The rows run from BASIC at the top through PROFICIENT to OPTIMIZED at the bottom on the maturity axis.)
18. Incident Response Program Development
When an incident occurs, businesses need the right process, tools, and resources to respond and minimize impact:
• Being prepared to minimize the impact of a security incident and to recover faster
• Protecting critical systems and data from downtime and/or information theft
• Analyzing the root cause of an incident and preventing its spread
• Restoring affected systems to normal operations
• Preventing similar incidents from causing future damage
• Meeting regulatory compliance requirements for incident response
19. Incident Response Program Development – continued
The Incident Response Plan is the foundation on which all incident response and recovery activities are based.
• It specifically defines the organization, roles and responsibilities of the Computer Security Incident Response Team (CSIRT)
• It should have criteria to help an organization determine what is considered an incident versus an event
• It defines escalation procedures to management, executive, legal, law enforcement, and media depending on incident conditions and severity
• The plan and process should be fully tested via dry runs and incident mock tests
A well-developed plan provides a framework for effectively responding to any number of potential security incidents.
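The incident-versus-event criteria and the severity-driven escalation paths the plan defines are decisions that can be written down and tested before an incident happens. The following is an added example, not code from the IBM deck: the criteria, the four-level severity scale, the weighting of impact factors and the escalation recipients per level are assumptions standing in for an organization's own plan, and the recipients are the five the slide names.

```python
"""Encode the decision points an incident response plan fixes in advance:
is an observation an event or an incident, how severe is it, and who is
escalated to. Added example, not from the IBM deck; the criteria, severity
scale, weights and escalation paths are assumptions standing in for an
organization's own plan."""
from dataclasses import dataclass, field
from typing import List, Optional

SEVERITIES = ("low", "medium", "high", "critical")

# Assumed escalation paths. The slide names management, executive, legal,
# law enforcement and media as the possible recipients; which of them is
# reached at which severity is the plan's decision, made here up front.
ESCALATION = {
    "low": ["csirt"],
    "medium": ["csirt", "management"],
    "high": ["csirt", "management", "executive", "legal"],
    "critical": ["csirt", "management", "executive", "legal",
                 "law_enforcement", "media"],
}


@dataclass
class Event:
    """An observation from monitoring: an IDS alert, a help-desk ticket, a log anomaly."""
    description: str
    confirmed_malicious: bool = False     # an analyst validated it (not a false positive)
    regulated_data_exposed: bool = False  # PII, health, card or similar data exposed
    systems_affected: int = 0             # 0 means the attempt was blocked
    business_critical: bool = False       # a system on the critical-asset list
    attacker_still_active: bool = False   # containment, not just recovery, is needed


@dataclass
class Triage:
    is_incident: bool
    severity: Optional[str]
    escalate_to: List[str] = field(default_factory=list)
    reasons: List[str] = field(default_factory=list)


def triage(ev: Event) -> Triage:
    """Apply the plan's criteria to one event.

    Event vs incident: only a confirmed malicious observation with some
    impact (a system affected or data exposed) is an incident; everything
    else is recorded and closed as an event. Severity is a count of impact
    factors, with one floor: regulated-data exposure is never below 'high',
    because notification clocks start and legal must be involved.
    """
    if not ev.confirmed_malicious:
        return Triage(False, None, [], ["not confirmed malicious: record as event"])
    if ev.systems_affected == 0 and not ev.regulated_data_exposed:
        return Triage(False, None, [], ["blocked attempt, no impact: record as event"])

    reasons = []
    if ev.regulated_data_exposed:
        reasons.append("regulated data exposed")
    if ev.business_critical:
        reasons.append("business-critical system affected")
    if ev.systems_affected >= 10:
        reasons.append(f"{ev.systems_affected} systems affected")
    if ev.attacker_still_active:
        reasons.append("attacker still active")

    level = min(len(reasons), len(SEVERITIES) - 1)   # each factor raises one level
    if ev.regulated_data_exposed:
        level = max(level, SEVERITIES.index("high"))
    severity = SEVERITIES[level]
    return Triage(True, severity, list(ESCALATION[severity]), reasons)


if __name__ == "__main__":
    for e in (
        Event("IDS alert on port scan"),
        Event("SQL injection attempt blocked by WAF", confirmed_malicious=True),
        Event("malware on one workstation", confirmed_malicious=True, systems_affected=1),
        Event("customer database exported by attacker", confirmed_malicious=True,
              regulated_data_exposed=True, systems_affected=1),
        Event("ransomware across the estate", confirmed_malicious=True,
              regulated_data_exposed=True, systems_affected=40,
              business_critical=True, attacker_still_active=True),
    ):
        t = triage(e)
        print(f"{e.description}: incident={t.is_incident} severity={t.severity} "
              f"escalate_to={t.escalate_to}")
```

Writing the matrix as code has a practical benefit for the dry runs the slide calls for: each mock incident becomes a test case, and a change to the plan (say, notifying legal at "medium") shows up as a failing assertion rather than as a surprise during a real incident.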
20. Emergency response services
Without the need for in-house expertise, the IBM emergency response subscription service can provide real-time, on-site support.
– Clients retain expert security consultants prior to an incident in order to better prepare, manage and respond; the subscription includes:
• Incident response
• Incident management
• Basic data acquisition
• In-depth data analysis
– The subscription includes activities designed to manage incident response from an end-to-end perspective:
• Prevention
• Intelligence gathering
• Containment
• Eradication
• Recovery
• Compliance
21. X-Force Threat Analysis Service (XFTAS)
X-Force Threat Analysis Service provides customized security intelligence about a wide array of threats with global insight.
– Offers detailed analyses of global online threat conditions and includes:
• Up-to-the-minute, customized security information about threats and vulnerabilities
• Expert analysis and correlation of global security threats
• Actionable data and recommendations that help clients maintain their network security
22. Forensic Solution Implementation
Examples of tools that can be deployed to improve defense and automate the incident response and forensic analysis process
[Figure: product logos grouped under the headings shown: DDoS Prevention / Defense, Malware / APT Analysis, Forensics.]
23. Security Information & Event Management (SIEM)
What are the external and internal threats? Are we configured to protect against these threats? What is happening right now? What was the impact?
Prediction & Prevention: Risk Management. Vulnerability Management. Configuration Monitoring. Patch Management. X-Force Research and Threat Intelligence. Compliance Management. Reporting and Scorecards.
Reaction & Remediation: SIEM. Log Management. Incident Response. Network and Host Intrusion Prevention. Network Anomaly Detection. Packet Forensics. Database Activity Monitoring. Data Loss Prevention.
24. With great power comes great responsibility
"A fool with a tool is still a fool"
Security Intelligence still requires experienced, knowledgeable professionals who:
– Understand the log data formats
– Understand the risks presented by the gathered intelligence
– Present the intelligence to decision makers
Managed Security Intelligence
– In-house managed solutions
– Outsourced managed solutions
25. ibm.com/security
© Copyright IBM Corporation 2012. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind, express or implied. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, these materials. Nothing contained in these materials is intended to, nor shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software. References in these materials to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates. Product release dates and/or capabilities referenced in these materials may change at any time at IBM's sole discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any way. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United
26. Trademarks and notes
IBM Corporation 2012
IBM, the IBM logo, the IBM Business Partner emblem, ibm.com, Rational, AppScan, smarter planet and X-Force are registered trademarks, and other company, product or service names may be trademarks or service marks of International Business Machines Corporation in the United States, other countries, or both. A current list of IBM trademarks is available on the Web at "Copyright and trademark information" at www.ibm.com/legal/copytrade.shtml
Adobe, the Adobe logo, PostScript, the PostScript logo, Cell Broadband Engine, Intel, the Intel logo, Intel Inside, the Intel Inside logo, Intel Centrino, the Intel Centrino logo, Celeron, Intel Xeon, Intel SpeedStep, Itanium, IT Infrastructure Library, ITIL, Java and all Java-based trademarks, Linux, Microsoft, Windows, Windows NT, the Windows logo, and UNIX are trademarks or service marks of others as described under "Special attributions" at: http://www.ibm.com/legal/copytrade.shtml#section-special
Other company, product and service names may be trademarks or service marks of others.
References in this publication to IBM products or services do not imply that IBM intends to make them available in all countries in which IBM operates.
27. Why IBM? Research and Operations
[Map legend: Security Operations Centers, Security Research Centers, Security Solution Development Centers, Institute for Advanced Security Branches]
IBM Research: 10B analyzed Web pages & images; 150M intrusion attempts daily; 40M spam & phishing attacks; 46K documented vulnerabilities; millions of unique malware samples; 1,000+ security patents.
World Wide Managed Security Services Coverage: 20,000+ devices under contract; 3,300 GTS service delivery experts; 3,700+ MSS clients worldwide; 15B+ events managed per day.