3. Is the smarter planet secure?
The planet is getting more Instrumented, Interconnected and Intelligent. New possibilities. New risks...
- Pervasive instrumentation creates vast amounts of data
- New services built using that data raise privacy and security concerns
- Critical physical and IT infrastructure
- Sensitive information protection
- New denial of service attacks
- Increasing risks of fraud
4. Security challenges in a smarter planet
Key drivers for security projects: Increasing Complexity, Rising Costs, Ensuring Compliance
- Spending by U.S. companies on governance, risk and compliance will grow to $29.8 billion in 2010
- The cost of a data breach increased to $204 per compromised customer record
- Soon, there will be 1 trillion connected devices in the world, constituting an "internet of things"
Source: http://searchcompliance.techtarget.com/news/article/0,289142,sid195_gci1375707,00.html
5. Cost, complexity and compliance
- Data and information explosion
- Rising costs: do more with less
- Compliance fatigue
- Emerging technology
- Death by point products
- People are becoming more and more reliant on security
IBM believes that security is progressively viewed as every individual's right
6. The IBM Security Framework foundation addresses your challenges of cost, complexity and compliance
- Create and sustain security governance
- Manage risk
- Ensure compliance
Build a strong foundation for IT security
7. The IBM Security Framework: foundation and focus areas
GOVERNANCE, RISK MANAGEMENT AND COMPLIANCE (GRC): Design and deploy a strong foundation for security and privacy
In addition to the foundational elements, the Framework identifies five security focus areas as starting points:
- PEOPLE AND IDENTITY: Mitigate the risks associated with user access to corporate resources
- DATA AND INFORMATION: Understand, deploy, and properly test controls for access to and usage of sensitive data
- APPLICATION AND PROCESS: Keep applications secure, protected from malicious or fraudulent use, and hardened against failure
- NETWORK, SERVER AND END POINT: Optimize service availability by mitigating risks to network components
- PHYSICAL INFRASTRUCTURE: Provide actionable intelligence on the desired state of physical infrastructure security and make improvements
9. Security governance, risk management and compliance
Business value: Ensure comprehensive management of security activities and compliance with all security mandates
(This is not intended to be a comprehensive list of all IBM products and services)

Security Strategy Design
- Business challenge: Design and implement secure deployment strategies for advanced technologies such as Cloud, virtualization, etc.
- Professional services: Consulting Services; Security Design

Pen Testing & Vulnerability Assessment
- Business challenge: Identify and eliminate security threats that enable attacks against systems, applications and devices
- Software: Rational® AppScan®; Guardium Database Monitoring & Protection
- Professional services: Ethical hacking and AppSec assessment
- Managed services: App Vulnerability and Source Code Scanning OnDemand

Security Compliance Assessment
- Business challenge: Perform security compliance assessments against PCI, ISO and other standards and regulations
- Software: Tivoli Security Information and Event Manager; Guardium Database Monitoring & Protection; Tivoli zSecure suite
- Professional services: Qualified Security Assessors

Incident Response
- Business challenge: Design and implement policy and processes for security governance and incident response; perform timely response and computer forensics
- Software: Tivoli® Security Information and Event Manager; Tivoli zSecure suite
- Professional services: Policy definition services; CERT team
- Managed services: Managed Protection Services
11. Data and information
Business value: Understand, deploy and properly test controls for access to and usage of sensitive business data
(This is not intended to be a comprehensive list of all IBM products and services)

Protecting Critical Databases
- Business challenge: Mitigate threats against databases from external attacks and internal privileged users
- Software: Guardium Database Monitoring & Protection
- Professional services: Data Security Assessment Services

Messaging Security and Content Filtering
- Business challenge: Spam and inappropriate Web sites pose major productivity drains and resource capacity strains, and are a leading attack vector for malware
- Software: Multi-Function Security appliance, Lotus Protector
- Professional services: Data Security Assessment Services

Managing Data Access and Encryption
- Business challenge: Over 82% of firms have had more than one data breach in the past year involving loss or theft of 1,000+ records with personal information; the cost of a data breach increased to $204 per compromised customer record *
- Software: Tivoli® Key Lifecycle Manager, Tivoli Security Policy Manager, Tivoli Federated Identity Manager
- Professional services: Data Security and Compliance Assessment Services

Monitoring Data Access and Preventing Data Loss
- Business challenge: 42% of all cases involved third-party mistakes and flubs… the magnitude of breach events ranged from about 5,000 to 101,000 lost or stolen customer records *
- Software: Data Loss Prevention; Tivoli Security Information and Event Manager
- Professional services: Data Security and Compliance Assessment Services

* "Fifth Annual U.S. Cost of Data Breach Study", Ponemon Institute, Jan 2010
13. Network, server and end point
Business value: Optimize service availability by mitigating risks while optimizing expertise, technology and process
(This is not intended to be a comprehensive list of all IBM products and services)

Protecting Servers
- Business challenge: Mitigate threats against servers; prevent data loss
- Software: Server Protection, Server Protection for VMware
- Professional services: Server security, data security assessment services
- Managed services: Managed IDS, Privileged User Management

Protecting Endpoints
- Business challenge: Effective management can cut total cost of ownership for secured desktops by 42%*
- Software: Desktop security platform; encryption
- Professional services: Desktop security, data security assessment services
- Managed services: Managed Desktop security platform

Protecting Networks
- Business challenge: Mitigate network based threats and prevent data loss
- Software: Network Intrusion Prevention System (IPS)
- Professional services: Network security assessment services
- Managed services: Managed Network IPS

Protecting Mainframes
- Business challenge: Mitigate threats against mainframes; protect against vulnerabilities from configuration; contain the privileged users
- Software: Tivoli® zSecure suite

* Gartner Desktop Total Cost of Ownership: 2008 Update, Jan 2008
14. Physical infrastructure
Business value: Provide actionable intelligence and improve effectiveness of physical infrastructure security
(This is not intended to be a comprehensive list of all IBM products and services)

Video Surveillance
- Business challenge: Legacy analog video systems with proprietary interfaces are hard to integrate with IT infrastructure
- Software: IT infrastructure, Logical Security products, and DVS partner products
- Professional services: Base Digital Video Surveillance Infrastructure services

Video Analytics
- Business challenge: Video information from many cameras presents an information overload to human security personnel; detection is often after the fact and response management is problematic
- Software: Smart Vision Suite
- Professional services: Design, Implementation, Optimization services

Command and Control
- Business challenge: IT and physical security operate in silos and do not integrate. It is increasingly difficult and expensive to consolidate security information across locations for effectiveness and compliance
- Software: Command Control Center Solution
- Professional services: Command Control Center Solution Services
Editor's Notes
At IBM we see change happening on a global scale. And we see an exciting transformation happening: organizations of all types are making bold investments in new technologies and new processes that make them more efficient, more agile and more competitive. On a global scale, we see our world literally becoming a Smarter Planet, a planet that is ubiquitously instrumented, interconnected and intelligent.
- Instrumented, in that sensors are being embedded everywhere. From cars, to roads, to pipelines.
- Interconnected, in that soon there will be 2 billion people on the Internet and 4 billion mobile subscribers. And we are seeing an explosion of machine-to-machine communications. Imagine a world with one trillion interconnected people and machines. That's where our future lies.
- Intelligent, in that instrumentation and interconnection are causing a data explosion. Powerful new systems for analyzing and deriving insight from this data are providing the world with a new generation of intelligence. Intelligence that not only enables us to run our businesses better, but also helps us save energy, improve crop yields and reduce the impact of natural disasters.

"Smarter Planet" is not just a thought or idea from IBM, it is a vision for IBM and for our customers. It is about how we can work together to make the planet a better place to live, work and play.

This higher level of analytics, intelligence and interconnectedness enables new possibilities, and begets new risks. Pervasive instrumentation creates vast amounts of data, and the new services built using that data raise privacy and security concerns. Greater efficiency relies on better data, and often very sensitive data. Greater control relies on physical assets installed well outside of the data center or at consumers' locations. Thus the need to protect physical infrastructure, which may be geographically dispersed, in addition to IT infrastructure.

This also opens new avenues for criminals, new kinds of denial of service attacks, and increasing risks of fraud.
Our work with thousands of clients worldwide has taught us there are 3 key focus areas that drive security projects: Complexity, Cost and Compliance. IBM's vision and research for IT security aligns to these areas so we can help clients achieve maximum results:

Complexity
- The security complexities of disruptive technologies like cloud computing, virtualization, smart devices, SOA and Web 2.0
- The sheer magnitude of the data that we can collect about the events and activities in our everyday lives, and our ability to interconnect, collect, share and protect that data in a world where billions of devices have built-in intelligence. Technology innovation makes it possible to access more data, more quickly than ever before. In this interconnected world, securing the data and information the business relies on is a requirement for participating in the "smarter planet", and the potential costs to reputation, profit and stakeholder confidence mean you must assess risk and implement appropriate controls today.
- Death by point products that do not work together, do not provide the big picture view, and do not scale as needed
- Confusion on approach: where to start, what the best practices are
- Rapidly changing threat environment; increasingly sophisticated attackers with increasingly sophisticated tools; new complex threat models

Cost: do more with less
- The technical skills to securely deploy new technologies like virtualization and cloud computing can be very costly. A lack of skills or expertise in this area compounds the security challenge.
- Security administration and help desk resources are strained to support a dramatically increasing base of users
- IT departments have increasing responsibilities and time pressures, being asked to do more with less budget

Compliance fatigue
- Increasing pressure from regulations and litigation
- Public awareness of expensive, high profile data breaches in the news is causing organizations and governments to focus on compliance
- The average organization is subject to 100s of regulations which increasingly carry financial or business penalties, and proving and demonstrating compliance to these regulations is in itself very costly
- Organizations need to ensure compliance to minimize the risks of fraud

(Note to presenter: There are backup charts on cost, complexity and compliance for use if needed)
(Note to presenter: In presentation mode, you can click on the icon displayed on the top left hand side of the red highlighted box to quickly navigate to the appropriate drill down slide.)

It all starts with understanding and communicating that there is an IBM Security Framework. There are 3 key foundational components that must be in place for all clients:
- Security Governance: the rules that an organization creates that provide strategic direction on security, create the policies and processes to be followed, ensure that policies and processes are followed, define the risks to be addressed, identify the organizational resources and compliance responsibility, and monitor the success or failure of the enterprise security program
- Risk Management: the process of analyzing the organization's exposure to risk and to current and future threats, and determining how best to handle such exposure
- Compliance: being in, and proving, a current state of IT security that meets all established organizational guidelines, specifications and government legislation in a cost-effective manner
(Note to presenter: If there is interest in a certain domain (i.e., people and identity, application and process, etc.), use the drill down slides that provide the next level of information on our offerings, including how we can help with our software, professional and managed services. In presentation mode, you can click on the icons displayed on the top left hand side of the focus area boxes to quickly navigate to the appropriate drill down slide.)

In addition to the foundational elements, there are 5 unique security focus areas in the Framework, around which we have organized our solutions, each with its own value proposition and financial payback:
- People and Identity: Mitigate the risks associated with user access to corporate resources
- Data and Information: Understand, deploy and properly test controls for access to and usage of sensitive business data
- Application and Process: Keep applications secure, protected from malicious or fraudulent use, and hardened against failure
- Network, Server and End Point: Optimize service availability by mitigating risks to network components
- Physical Infrastructure: Provide actionable intelligence on the desired state of physical infrastructure security and make improvements

(Note to presenter: IBM is the only vendor in the marketplace that has solutions in the physical infrastructure space.)
(Note to presenter: The purpose of this slide is to leverage the key projects/activities that companies implement to meet their security challenges and use them as a conversation starter. Highlight the breadth and depth, unlike any other vendor, of our security portfolio.)

(Note to presenter: If there is interest in a certain domain (i.e., people and identity, application and process, etc.), use the drill down slides that provide the next level of information on our offerings, including how we can help with our software, professional and managed services. In presentation mode, you can click on the icons displayed on the top left hand side of the focus area boxes to quickly navigate to the appropriate drill down slide.)

IBM has a unique position in the market as an end-to-end security provider: we can address virtually any dimension of a secure infrastructure, and provide the services and consulting to help customers develop a strategic approach to their security challenges. Across our portfolio, we provide many capabilities that help customers solve a wide range of security problems completely and, in the process, cut costs, reduce complexity and assure compliance. So depending on the types of security risks that are impacting your business, and the key controls that should be in place, we can look more closely at how we can help address those issues.
(Note to presenter: In the presentation mode, click on the framework next to the title of the slide to get back to the Framework in the body of the deck.)

The Security Governance, Risk & Compliance domain is actually IBM's security backplane, tying all other resource domains together. Organizations today are faced with a growing number of IT security risks, and that is a lot of COMPLEXITY they need to deal with. Many of our customers realize that even if they were to deal with it all, it would be TOO COSTLY. At the same time, they feel urgency because they inevitably have an auditor breathing down their neck trying to assess COMPLIANCE with the latest and greatest requirement. The average enterprise will be subject to 100s of compliance requirements.

What are our key messages/offerings? IBM's capabilities in the area of S-GRC deliver the following values:
- With IBM's professional services, design a comprehensive security strategy; in other words, know where to go
- With IBM's professional services and market leading solutions like AppScan from Rational or Guardium from IM, assess overall security posture across all domains and define where the gaps lie
- With IBM's professional services, assess compliance posture against a wide range of regulatory dictates or industry standards, getting ahead of the auditor
- With offerings like SIEM from IBM Tivoli, automate the compliance monitoring and reporting process
- Finally, define a process for responding to security incidents, which statistically are more likely to happen than ever before; automate incident handling through SIEM, or outsource management to IBM GTS
(Note to presenter: In the presentation mode, click on the framework next to the title of the slide to get back to the Framework in the body of the deck.)

People and Identity: end-to-end security solutions from IBM. Identity is a focal point in today's global economy; trustworthy credentials are required for any interaction or transaction.
- Organizations typically spend between 3 days and 3 weeks getting users productive within IT systems; up to 40% of user accounts are invalid
- Analysts estimate that up to 80% of help desk calls are for password resets, at a cost of $20 per call
- A financial services firm spent $60K per application (across 400 applications) implementing security access rules
- Privileged internal users cause 87% of internal security incidents, while firms cannot effectively monitor the thousands of security events generated each day
(Source: Forrester Research, IdM Trends 2006; USSS/CERT Insider Threat Survey 2005; CSI/FBI Survey, 2005; National Fraud Survey; CERT, various documents)

IAM products and services help our customers define their strategy, assess where they are today and where they need to go tomorrow, reduce the cost associated with user provisioning and access management, and audit and monitor user compliance with acceptable use policy.

What are our key messages/offerings?
- With its professional services, managed services, hardware and software offerings, IBM can reduce the cost and complexity of managing identities by automating the provisioning process
- IBM can improve the ability for businesses to grant access to applications
- IBM can help audit and report on activity associated with privileged users

At Kohl's Department Stores, the user provisioning process has been shortened from an average of 15 business days to 20 minutes on average[3]. Banco Mercantil do Brasil saved up to 30% in help desk resources by automating identity management and offering self-service password resets. They were also able to cut their account provisioning time by 80%. (Source: IBM Security Solutions Client Case Studies: Managing Security Costs, Risks and Complexity for Improved Business Results. October 2009, p. 39. https://i2.infoprint.com/sales/catalogs.nsf/agdetailsint?openagent&unid=C94D1B7DD7CB4DD1872574CF00753487)
(Note to presenter: In the presentation mode, click on the framework next to the title of the slide to get back to the Framework in the body of the deck.)

Today, securing information assets and reducing the risk of information loss, corruption or misuse has become a matter of business survivability.
- 90% of firms have had at least three documented invalid disclosures of sensitive data in the past year
- Over 80% of sensitive business data is typically stored in unstructured form
- 63% of firms have had multiple invalid disclosures of sensitive data that required notification in the past year

Since terms like privacy, confidentiality and security often create confusion, the label "information protection" was coined to encompass the range of mechanisms that guide collection, use and disclosure of information. For those of you who may be thinking, "yeah, I really don't get the difference either", let me explain. Privacy is a personal right: it is your right to control your data. A third party that collects your personal data has the responsibility to enforce your right by assuring the confidentiality, integrity and availability (CIA, also known as security) of the data they collect. An information protection regulation, like HIPAA, GLBA or PCI, is one that enforces the right of privacy by dictating, among other things, requirements regarding the maintenance of CIA of protected data.

What are our key messages/offerings? There are 3 key areas where customers tend to struggle:
- The first is securing structured data, aka data in databases. Here IBM has a unique asset in the form of Guardium, a recent acquisition, which provides best of breed database security solutions.
- The second is managing who has access to data and ensuring that the data is protected via encryption, whether at rest or in flight, through IBM's Data Security Services or via Tivoli Key Lifecycle Manager.
- The third is monitoring information use and, where possible, proactively preventing loss through IBM's DLP offerings through GTS or via SIEM.

A global manufacturer implemented Guardium's real-time monitoring technology to protect corporate data and enforce change controls for critical databases supporting SAP, Siebel and 22 other key financial systems. The customer is a Fortune 500 manufacturer whose brands are household names around the world. The Guardium solution delivered a risk-adjusted ROI of 239 percent and a payback period of less than 6 months, compared to the "significant labor and capital costs" that would have otherwise been required using an in-house solution and traditional database logging utilities.

Information on the Ponemon annual study was published in various articles, including Network World (Jan 25, 2010), http://www.networkworld.com/news/2010/012510-data-breach-costs.html:

Data breach costs top $200 per customer record
Ponemon Institute's annual study says overall organization cost per incident rises to $6.75 million
By Ellen Messmer, Network World, January 25, 2010 12:01 AM ET

The cost of a data breach increased last year to $204 per compromised customer record, according to the Ponemon Institute's annual study. The average total cost of a data breach rose from $6.65 million in 2008 to $6.75 million in 2009. Ponemon Institute based its estimates on data from 45 companies that publicly acknowledged a breach of sensitive customer data last year and were willing to discuss it. Breach costs increased just $2 per compromised customer record, as compared to 2008 costs. However, in the five years that Ponemon Institute has conducted its study, costs have increased from $138 per compromised customer record.

In tallying the cost of a data breach, Ponemon Institute looks at several factors including: the cost of lost business because of an incident; legal fees; disclosure expenses related to customer contact and public response; consulting help; and remediation expenses such as technology and training. There appear to be three main causes for a data breach, says Dr. Larry Ponemon, chair and founder of the Institute, as indicated by the 45 companies that shared their stories for the "Fifth Annual U.S. Cost of Data Breach Study," sponsored by PGP. "As part of our analysis, we try to get at the root cause of the data breach," Ponemon says. "There's negligence, where people make mistakes, such as lost laptops, accounting for 40% of the data breach cases. There are system glitches, such as a third-party sending out statements they shouldn't, which was 36%. And there are malicious and criminal attacks, at 24%." Ponemon adds that 2009 brought "more sophisticated criminal attacks that didn't show up on our radar screen" the previous year. These malicious attacks often involved botnets and were carried out for reasons of financial gain.

Overall, 42% of all cases in the Ponemon data-breach study involved third-party mistakes and flubs. In addition, more than 82% of the cases in the Ponemon study were organizations that had more than one data breach in 2009 involving the loss or theft of more than 1,000 records containing personal information. At about 40% of the companies that participated in the study, the chief information security officer (CISO) was in charge of managing the response related to the data breach. The management skills of the CISO, or an individual in an equivalent position, seemed to help hold down the cost of a data breach: the average per capita cost of an incident was $157 per record for companies with a CISO, versus $236 for companies without one.

The magnitude of the breach events, according to the study, ranged from about 5,000 to about 101,000 lost or stolen customer records. Among the incidents reported, the most expensive data breach cost nearly $31 million to resolve, and the least expensive cost $750,000.
(Note to presenter: In the presentation mode, click on the framework next to the title of the slide to get back to the Framework in the body of the deck.)

One of the most important areas to watch in security is security at the application layer. The average application deployed will have dozens, sometimes hundreds, of defects, and accordingly the bulk of security threats today target the application layer. The vast majority of new vulnerabilities are emerging at the application layer.
- 74% of application vulnerabilities have no patch available today
- Up to 20% of application development costs can be for coding custom access controls and their corresponding infrastructure
- Establishing trust and high performance for services that span corporate boundaries is a top priority for SOA-based deployments

Today, much of IBM's strategy is dedicated to the concept of security by design, and to bringing solutions to market that allow our customers to build security into the software development lifecycle. No other vendor has such a comprehensive strategy and portfolio as IBM.

What are our key messages/offerings? Secure by design, not after disruption. It is both cheaper and more effective in the long run. How?
- Routinely scan for vulnerabilities using AppScan
- Implement capabilities to continuously monitor your applications, patching virtually (even where no vendor patch exists) using a Web Application Firewall
- Embed application controls
- Assure continuous security and integrity of your SOA environment through DataPower and Federated Identity Management

Agentrics provides business integration optimization in the retail market between retailers, suppliers and manufacturers. Over a six year period, Agentrics solutions have helped their clients save $5B in cost by using their integrated platform. The AppScan solution has become part of Agentrics' overall security and development strategy, resulting in increased confidence and safer applications for the company's high profile retail clients. (Source: IBM Security Solutions Client Case Studies: Managing Security Costs, Risks and Complexity for Improved Business Results. October 2009, p. 13. https://i2.infoprint.com/sales/catalogs.nsf/agdetailsint?openagent&unid=C94D1B7DD7CB4DD1872574CF00753487)
(Note to presenter: In the presentation mode, click on the framework next to the title of the slide to get back to the Framework in the body of the deck.)

The Network, Server and Endpoint domain is also known as the "Infrastructure" domain, and represents all the components that provide an enterprise processing platform: switches, routers and firewalls; servers, desktops, storage systems, etc. Infrastructure is often the target for attack or compromise, increasingly by sophisticated attackers with increasingly sophisticated tools at their disposal. Infrastructure security is critical in ensuring that there are functional systems for applications to run in line with operational SLAs.
- The bulk of outages today can be tied back to misconfigurations or poor change management processes executed by privileged users (IT admins)
- Privileged users cause 87% of internal security incidents
- Effective management can cut total cost of ownership for secured desktops by 42% (Source: Gartner Desktop Total Cost of Ownership: 2008 Update, dated 24th January 2008. Michael A. Silver, Federica Troni and Mark A. Margevicius, http://www.gartner.com/it/page.jsp?id=636308)
- IT security costs are expected to reach 12% of total IT costs in 2009 (Source: Meta Group, June 2004)

What are our key messages/offerings? Elevator pitch: IBM helps you manage more risk in more ways than any other vendor, protecting servers, endpoints, networks and mainframes.
- IBM has a unique, pre-emptive set of offerings for Infrastructure Security: "We protect clients' infrastructure against tomorrow's attacks today"
- IBM is the only organisation to offer a Managed Protection Service with unique financial indemnity, guaranteeing that you won't suffer a security incident
- IBM security research is world class (Xforce.iss.net), continually staying on top of threats before they become a danger
- IBM security research, managed security offerings and product development form a continuous improvement loop

Pension and life insurance provider Aviva literally transformed their mainframe auditing and monitoring with zSecure. They moved off homegrown auditing and monitoring scripts and replaced them with zSecure, which provides them with efficient security administration, security auditing and real-time monitoring. In addition to huge cost savings, this also helped Aviva address their compliance needs. (Source: IBM Security Solutions Client Case Studies: Managing Security Costs, Risks and Complexity for Improved Business Results. October 2009, p. 33. https://i2.infoprint.com/sales/catalogs.nsf/agdetailsint?openagent&unid=C94D1B7DD7CB4DD1872574CF00753487)
(Note to presenter: In the presentation mode, click on the framework next to the title of the slide to get back to the Framework in the body of the deck.)

The physical security regime covers a wide range of aspects, including the physical security perimeter and physical entry controls. Intruder alarms, CCTV and lighting are commonly used to deter crime, detect offenders and delay their actions. All these systems must be integrated so that they work together in an effective and co-ordinated manner. Intrusion detection technology can play an important role in an integrated security system; it is as much a deterrent as a means of protection.
- New and increased threats mean organisations want more CCTV and sensors, but this can simply lead to data overload
- Increasing need for physical evidence and data, such as capturing faces, number plates, etc.
- Need to manage the security of multiple sites from one central location
- Need to save money by consolidating monitoring and remote guarding

IBM can address both the physical and logical security spaces with a range of capabilities. What are our key messages/offerings?
- Digital video surveillance capabilities, which help modernize legacy analog surveillance systems
- Unique analytic capabilities, which are key to getting the most from the available security data
- Integration of physical surveillance and security systems with IT systems, or via strong partnerships with leading security solution vendors in the physical space