Presentation from the Cyber Security Briefing held in Ottawa on June 12, 2013.
- Keynote: Security Trends and Risk Mitigation for the Public Sector - Presented by: Sandy Bird, CTO - Security Division, IBM Canada Ltd.
- Application Security for mobile and web applications - Presented by: Patrick Vandenberg, Program Director, IBM Security Segment Marketing
- Detect Threat and Mitigate Risk Using Security Intelligence - Presented by: Sandy Bird, CTO - Security Division, IBM Canada Ltd.
57.
Attacker motivations are rapidly escalating
• National security: nation-state actors (example: Stuxnet)
• Espionage, activism: sponsored groups and hacktivists (example: Aurora)
• Monetary gain: organized crime (example: Zeus)
• Revenge, curiosity: insiders and script-kiddies (example: Code Red)
58.
Organized groups are using multiple techniques
• Using social networking and social engineering to perform reconnaissance on spear-phishing targets, leading to compromised hosts and accounts
• Infiltrating a trusted partner and then loading malware onto the target's network
• Creating designer malware tailored to only infect the target organization, preventing positive identification by security vendors
• Exploiting zero-day vulnerabilities to gain access to data, applications, systems, and endpoints
• Communicating over accepted channels such as port 80 to exfiltrate data from the organization
63.
By monitoring for subtle indicators across all fronts
• Break-in: spoofed email with malicious file attachment sent to users
• Command & Control (CnC)
• Latch-on: anomalous system behavior and network communications
• Expand: device contacting internal hosts in strange patterns
• Gather: abnormal user behavior and data access patterns
• Command & Control (CnC)
• Exfiltrate: movement of data in chunks or streams to unknown hosts
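Two of the indicators above, "Expand" (a device contacting internal hosts in strange patterns) and "Exfiltrate" (data moving in chunks to unknown hosts), can be checked directly against flow records. The following is an added example written for this page; it is not from the deck and not QRadar's detection logic. The flow records, the internal address range and the allow-list of known external hosts are all constructed here; the thresholds are assumptions a real deployment would tune against its own baseline.

```python
"""Stage indicators run over flow records (added example, constructed data)."""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from statistics import mean, pstdev

INTERNAL_NETS = [ip_network("10.0.0.0/8")]   # assumed corporate range
KNOWN_EXTERNAL = {"93.184.216.34"}           # assumed allow-listed SaaS host


@dataclass(frozen=True)
class Flow:
    ts: int         # seconds
    src: str
    dst: str
    dport: int
    bytes_out: int  # bytes src sent to dst


def is_internal(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def detect_fan_out(flows, window=600, min_peers=8):
    """'Expand': a host that talks to at least min_peers distinct internal hosts
    within any span of `window` seconds.  Returns {src: max peers seen in a window}."""
    by_src = defaultdict(list)
    for f in flows:
        if is_internal(f.src) and is_internal(f.dst) and f.src != f.dst:
            by_src[f.src].append(f)
    hits = {}
    for src, fs in by_src.items():
        fs.sort(key=lambda f: f.ts)
        lo = 0
        for hi in range(len(fs)):               # sliding time window fs[lo..hi]
            while fs[hi].ts - fs[lo].ts > window:
                lo += 1
            peers = {f.dst for f in fs[lo:hi + 1]}
            if len(peers) >= min_peers:
                hits[src] = max(hits.get(src, 0), len(peers))
    return hits


def detect_chunked_exfil(flows, min_chunks=5, min_total=1_000_000, max_cv=0.05):
    """'Exfiltrate': at least min_chunks outbound transfers of nearly equal size
    (coefficient of variation <= max_cv) totalling min_total bytes or more, to an
    external host that is not allow-listed.  Returns {(src, dst): summary}."""
    sizes = defaultdict(list)
    ports = defaultdict(set)
    for f in flows:
        if is_internal(f.src) and not is_internal(f.dst) and f.dst not in KNOWN_EXTERNAL:
            sizes[(f.src, f.dst)].append(f.bytes_out)
            ports[(f.src, f.dst)].add(f.dport)
    hits = {}
    for pair, s in sizes.items():
        if len(s) < min_chunks or sum(s) < min_total:
            continue
        if pstdev(s) / mean(s) <= max_cv:      # sizes barely vary: fixed-size chunking
            hits[pair] = {"chunks": len(s), "bytes": sum(s), "ports": sorted(ports[pair])}
    return hits


def stage_findings(flows):
    """Group findings under the stage names used on the slide."""
    return {"Expand": detect_fan_out(flows), "Exfiltrate": detect_chunked_exfil(flows)}


# Constructed sample flows: routine traffic from 10.0.1.5, then 10.0.1.9 sweeping
# twelve internal hosts on 445 and pushing six ~1 MiB chunks to an unknown host on 443.
FLOWS = [
    Flow(900, "10.0.1.5", "10.0.2.1", 445, 52_000),
    Flow(950, "10.0.1.5", "93.184.216.34", 443, 300_000),
]
FLOWS += [Flow(1000 + 10 * i, "10.0.1.9", f"10.0.3.{i + 1}", 445, 1_200) for i in range(12)]
FLOWS += [Flow(2000 + 60 * i, "10.0.1.9", "203.0.113.50", 443, b)
          for i, b in enumerate([1_048_576, 1_048_576, 1_048_320, 1_048_576, 1_048_576, 1_047_000])]
# Irregular and small: a browsing session to an unknown host, not chunked exfiltration.
FLOWS += [Flow(3000 + 100 * i, "10.0.1.5", "198.51.100.7", 80, b)
          for i, b in enumerate([200, 15_000, 900, 40_000, 3_000])]

if __name__ == "__main__":
    for stage, hits in stage_findings(FLOWS).items():
        print(stage, hits)
```

The port-80 browsing session is deliberately left unflagged: it goes to an unknown host too, but its transfer sizes vary widely and total little, which is what separates exfiltration in fixed chunks from ordinary traffic on an accepted channel.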
66.
IBM Security Intelligence with Big Data
Security Intelligence Platform
Real-time Processing
• Real-time data correlation
• Anomaly detection
• Event and flow normalization
• Security context & enrichment
• Distributed architecture
Security Operations
• Pre-defined rules and reports
• Offense scoring & prioritization
• Activity and event graphing
• Compliance reporting
• Workflow management
Big Data Platform
Big Data Warehouse
• Long-term, multi-PB storage
• Unstructured and structured
• Distributed infrastructure
• Preservation of raw data
• Hadoop-based backend
Analytics and Forensics
• Advanced visuals and interaction
• Predictive & decision modeling
• Ad hoc queries
• Spreadsheet UI for analysts
• Collaborative sharing tools
• Pluggable UI
Complementary analytics and workflow from IBM
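Three of the platform functions listed above, event normalization, real-time correlation, and offense scoring and prioritization, are shown end to end below. This is an added example written for this page, not QRadar's rule engine or its magnitude formula. The three raw log formats (a firewall deny, an sshd line, a Windows logon event) and the log lines themselves are constructed, and the scoring weights are assumptions.

```python
"""Normalize mixed log sources, correlate, score an offense (added example)."""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

SEVERITY_BRUTE_FORCE = 5   # assumed base severity of the rule
SUCCESS_BONUS = 3          # failures followed by a success: credential likely compromised
CONTEXT_BONUS = 2          # the same source was also denied at the perimeter


@dataclass
class Event:
    ts: int
    source_type: str      # which collector produced it
    src_ip: str
    user: Optional[str]
    category: str         # normalized: auth_fail | auth_success | fw_deny
    raw: str


# Constructed formats; a real deployment has one parser per device type.
FW_RE = re.compile(r"^(?P<ts>\d+) \S+ DENY src=(?P<src>[\d.]+) dst=[\d.]+ dport=\d+$")
SSH_RE = re.compile(r"^(?P<ts>\d+) \S+ sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
                    r"(?P<user>\S+) from (?P<src>[\d.]+)")
WIN_RE = re.compile(r"^(?P<ts>\d+) \S+ EventID=(?P<eid>4624|4625) SourceIp=(?P<src>[\d.]+) "
                    r"TargetUser=(?P<user>\S+)")


def normalize(line: str) -> Optional[Event]:
    """Map one raw line onto the common schema; None when no parser matches."""
    if m := FW_RE.match(line):
        return Event(int(m["ts"]), "firewall", m["src"], None, "fw_deny", line)
    if m := SSH_RE.match(line):
        cat = "auth_fail" if m["result"] == "Failed" else "auth_success"
        return Event(int(m["ts"]), "sshd", m["src"], m["user"], cat, line)
    if m := WIN_RE.match(line):
        cat = "auth_fail" if m["eid"] == "4625" else "auth_success"
        return Event(int(m["ts"]), "windows", m["src"], m["user"], cat, line)
    return None


def correlate(events, window=600, min_failures=5):
    """Rule: min_failures auth_fail events from one source inside `window` seconds
    raise an offense; a following success or a perimeter deny raises its score."""
    by_src = defaultdict(list)
    for e in events:
        by_src[e.src_ip].append(e)
    offenses = []
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e.ts)
        fails = [e for e in evs if e.category == "auth_fail"]
        trigger_ts = None
        for i in range(len(fails) - min_failures + 1):
            if fails[i + min_failures - 1].ts - fails[i].ts <= window:
                trigger_ts = fails[i + min_failures - 1].ts
                break
        if trigger_ts is None:
            continue
        success = any(e.category == "auth_success" and trigger_ts <= e.ts <= trigger_ts + window
                      for e in evs)
        denied = any(e.category == "fw_deny" for e in evs)
        score = SEVERITY_BRUTE_FORCE + (SUCCESS_BONUS if success else 0) + (CONTEXT_BONUS if denied else 0)
        offenses.append({
            "src_ip": src,
            "failures": len(fails),
            "success_after": success,
            "sources": sorted({e.source_type for e in evs}),   # corroborating collectors
            "users": sorted({e.user for e in evs if e.user}),
            "score": score,
        })
    return sorted(offenses, key=lambda o: -o["score"])        # prioritization


def run(lines):
    """Normalize every line, correlate, and report how many lines no parser handled."""
    events = [normalize(line) for line in lines]
    dropped = events.count(None)
    return correlate([e for e in events if e]), dropped


# Constructed sample: a password-guessing run that ends in a successful login, a
# perimeter deny from the same source, a benign workstation typo, and one noise line.
RAW_LOGS = """\
95 fw01 DENY src=198.51.100.23 dst=10.0.0.5 dport=3389
100 host1 sshd[2211]: Failed password for admin from 198.51.100.23 port 51022 ssh2
110 host1 sshd[2211]: Failed password for admin from 198.51.100.23 port 51023 ssh2
120 host1 sshd[2211]: Failed password for root from 198.51.100.23 port 51024 ssh2
130 host1 sshd[2211]: Failed password for admin from 198.51.100.23 port 51025 ssh2
140 host1 sshd[2211]: Failed password for admin from 198.51.100.23 port 51026 ssh2
150 host1 sshd[2211]: Accepted password for admin from 198.51.100.23 port 51027 ssh2
200 dc01 EventID=4625 SourceIp=10.0.5.7 TargetUser=jsmith
260 dc01 EventID=4624 SourceIp=10.0.5.7 TargetUser=jsmith
300 appliance7 heartbeat ok
""".splitlines()

if __name__ == "__main__":
    offenses, dropped = run(RAW_LOGS)
    print(f"{dropped} unparsed line(s)")
    for o in offenses:
        print(o)
```

Counting the lines that no parser understood is the operational check: a normalization gap silently hides events from every rule downstream, so an unparsed-line rate that suddenly rises is itself something to alert on.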
67.
QRadar leverages Big Data to identify security threats
• Appliances with massive scale
• Intelligent data policy management
• Payload indexing leveraging a purpose-built data store
• Advanced threat visualization and impact analysis
• Google-like search of large data sets
• Enrichment with X-Force and external intelligence
68.
Example QRadar use cases
• Irrefutable botnet communication: Layer 7 flow data shows botnet command and control instructions
• Improved breach detection: 360-degree visibility helps distinguish true breaches from benign activity, in real time
• Network traffic doesn't lie: attackers can stop logging and erase their tracks, but can't cut off the network (flow data)
69.
Extending Security Intelligence with additional Big Data analytics capabilities
1. Analyze a variety of non-traditional and unstructured datasets
2. Significantly increase the volume of data stored for forensics and historic analysis
3. Visualize and query data in new ways
4. Integrate with my current operations
Diagram: traditional data sources feed IBM Security QRadar (the Security Intelligence Platform), which delivers Advanced Threat Detection. QRadar functions shown:
• Data collection and enrichment
• Event correlation
• Real-time analytics
• Offense prioritization
70.
By integrating QRadar with IBM's Enterprise Hadoop-based offering
Diagram: traditional data sources feed IBM Security QRadar (the Security Intelligence Platform) and non-traditional data sources feed IBM InfoSphere BigInsights (the Big Data Platform); the two exchange real-time streaming insights and custom analytics, and QRadar delivers Advanced Threat Detection.
IBM Security QRadar
• Data collection and enrichment
• Event correlation
• Real-time analytics
• Offense prioritization
IBM InfoSphere BigInsights
• Hadoop-based
• Enterprise-grade
• Any data / volume
• Data mining
• Ad hoc analytics
72.
Diagram (attacker and target):
1. User receives risky email from personal social network
2. User is redirected to a malicious website
3. Drive-by exploit is used to install malware on target PC
73.
Using Big Data to mine for trends within email
• Use BigInsights to identify phishing targets and redirects
• Build visualizations, such as heat maps, to view top targets
75.
Diagram (attacker and target):
1. Attacker registers or acquires a domain
2. Compromised hosts "phone home" to attacker C&C servers
3. Attacker changes the location of servers, but domains stay the same
4. Internal attacks lead to more infections
5. Hosts and servers phone home and exfiltrate data
78.
Advanced analytics identify suspicious domains
• Why only a few hits across the entire organization to these domains?
• Correlating to public DNS registry (WHOIS registration) information increases suspicion
79.
Importing results to QRadar for real-time analysis
• Correlate against network activity and visualize
• View real-time data and look for active connections
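The two slides above describe one pipeline: offline analytics pick out domains that few hosts contact, that keep changing their server address, and that were registered shortly before first contact; the resulting list is then matched against live connections. The following is an added example written for this page, not BigInsights or QRadar code. The DNS/proxy log, the WHOIS creation dates and the live connection table are all constructed, and the registrable-domain step (last two labels) is a simplification; production code would use a public-suffix list.

```python
"""Rare-domain analytics with registry enrichment, then live matching (added example)."""
from collections import defaultdict
from datetime import date

# Constructed registry data: registrable domain -> WHOIS creation date.
WHOIS_CREATED = {
    "example.com": "1995-08-14",
    "example.net": "1995-01-01",
    "example.org": "2013-05-09",   # registered days before it was first seen
    "example.co": "2009-01-01",
}

RARE_HOSTS = 3        # contacted by this many internal hosts or fewer
CHURN_IPS = 2         # resolved to this many distinct IPs or more
YOUNG_DAYS = 30       # registered within this many days of first contact
WATCH_THRESHOLD = 3   # assumed score at which a domain goes on the watch list


def registrable(domain: str) -> str:
    """Simplified: last two labels (no public-suffix list)."""
    return ".".join(domain.split(".")[-2:])


def profile_domains(log):
    """log rows: (date, internal_host, domain, resolved_ip)."""
    prof = defaultdict(lambda: {"hosts": set(), "ips": set(), "first_seen": None})
    for day, host, domain, ip in log:
        p = prof[domain]
        p["hosts"].add(host)
        p["ips"].add(ip)
        seen = date.fromisoformat(day)
        if p["first_seen"] is None or seen < p["first_seen"]:
            p["first_seen"] = seen
    return prof


def score_domains(log, whois=WHOIS_CREATED):
    """Score each domain on prevalence, server churn and registration age."""
    scored = {}
    for domain, p in profile_domains(log).items():
        score, reasons = 0, []
        if len(p["hosts"]) <= RARE_HOSTS:
            score += 1
            reasons.append(f"only {len(p['hosts'])} host(s) contacted it")
        if len(p["ips"]) >= CHURN_IPS:
            score += 2
            reasons.append(f"resolved to {len(p['ips'])} different IPs")
        created = whois.get(registrable(domain))
        if created:
            age = (p["first_seen"] - date.fromisoformat(created)).days
            if age < YOUNG_DAYS:
                score += 2
                reasons.append(f"registered {age} days before first contact")
        scored[domain] = {"score": score, "reasons": reasons, "ips": sorted(p["ips"])}
    return scored


def watchlist(log, whois=WHOIS_CREATED):
    return {d for d, s in score_domains(log, whois).items() if s["score"] >= WATCH_THRESHOLD}


def active_connections(log, live, whois=WHOIS_CREATED):
    """Real-time side: match current (host, dst_ip) connections against every IP a
    watch-listed domain has ever resolved to, so a host that never did the lookup
    itself (a fresh infection) is still caught."""
    scored = score_domains(log, whois)
    ip_to_domain = {ip: d for d in watchlist(log, whois) for ip in scored[d]["ips"]}
    return sorted((host, ip_to_domain[ip], ip) for host, ip in live if ip in ip_to_domain)


# Constructed DNS/proxy log: (date, internal host, domain, resolved IP).
DNS_LOG = [("2013-05-20", f"10.0.{1 + i // 20}.{i % 20 + 1}", "www.example.com", "93.184.216.34")
           for i in range(40)]
DNS_LOG += [("2013-05-20", f"10.0.{1 + i // 20}.{i % 20 + 1}", "cdn.example.net", "192.0.2.10")
            for i in range(25)]
DNS_LOG += [
    ("2013-05-22", "10.0.2.4", "partner-portal.example.co", "198.51.100.9"),   # rare but old
    ("2013-05-21", "10.0.1.9", "upd-srv.example.org", "203.0.113.50"),
    ("2013-05-28", "10.0.1.9", "upd-srv.example.org", "203.0.113.77"),         # server moved
    ("2013-06-02", "10.0.4.3", "upd-srv.example.org", "198.51.100.200"),       # and again
]
# Constructed "right now" connection table: (internal host, destination IP).
LIVE_FLOWS = [("10.0.1.9", "198.51.100.200"), ("10.0.2.4", "93.184.216.34"),
              ("10.0.6.6", "203.0.113.50")]

if __name__ == "__main__":
    for domain, s in score_domains(DNS_LOG).items():
        print(domain, s["score"], "; ".join(s["reasons"]))
    print("active:", active_connections(DNS_LOG, LIVE_FLOWS))
```

Rarity alone is a weak signal (the partner portal is contacted by one host and scores only 1); it is the combination with server churn and a young registration that pushes the update-server domain over the threshold, and matching on every IP it has used catches 10.0.6.6, a host that never appeared in the DNS log at all.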
80.
Additional IBM analytics capabilities for security
1. IBM QRadar Security Intelligence: unified architecture for collecting, storing, analyzing and querying log, threat, vulnerability and risk related data
2. IBM Big Data Platform (Streams, BigInsights, Netezza): addresses the speed and flexibility required for customized data exploration, discovery and unstructured analysis
3. IBM i2 Analyst Notebook: helps analysts investigate fraud by discovering patterns and trends across volumes of data
4. IBM SPSS: unified product family to help capture, predict, discover trends, and automatically deliver high-volume, optimized decisions
81.
1. Traditional defenses are insufficient
2. Security has become a Big Data problem
3. Security Intelligence is a Big Data solution
4. New analysis can lead to new insights