DSS participated in this year's "IBM Connect" event, organized by IBM's regional VAD, ALSO Baltics. DSS spoke about the importance of IT security in the developing digital world: new technologies bring new business opportunities, but they also bring new security threats and risks that have to be considered from the start.
3. “Data Security Solutions” business card
Specialization – IT Security
IT Security services (consulting, audit, pen-testing, market analysis, system testing and integration, training and technical support)
Solutions and experience portfolio with more than 20 different technologies – cyber-security global market leaders from more than 10 countries
Trusted services provider for banks, insurance companies, government and private companies (critical infrastructure etc.)
4. Role of DSS in Cyber-security Development in Baltics
Cyber-Security Awareness Raising
Technology and knowledge transfer
Most Innovative Portfolio
Trusted Advisor to its Customers
5. Cybersecurity Awareness Raising
Own organized conference “DSS ITSEC”
5th annual event this year (30.10.2014)
More than 400 visitors + more than 250 online live streaming watchers from LV, EE, LT
4 parallel sessions with more than 40 international speakers, including Microsoft, Oracle, Symantec, IBM, Samsung and many more – everything free of charge (EVENT.DSS.LV)
Participation in other events & sponsorship
CERT & ISACA conferences & events
RIGA COMM, HeadLight, IBM Pulse Las Vegas
Roadshows and events in Latvia / Lithuania / Estonia (f.i. Vilnius Innovation Forum, Devcon, ITSEC HeadLight, SFK, business associations)
Participation in cyber security discussions, strategy preparation, seminars, publications etc.
6. Innovations – technology & knowledge transfer
Innovative Technology Transfer
Number of unique projects done with different global technology-leading vendors
Knowledge transfer (own employees, customers – both private & public, other IT companies in LV, EE, LT)
Specialization areas include:
Endpoint Security
Network Security
Security Management
Application Security
Mobile Security
Data Security
Cyber-security
Security Intelligence
11. AGENDA (hopefully 60mins..)
Introduction of DSS and speaker
Prologue – Digital world & trends
The Saga begins – Cybercrime
Introduction & types
Business behind
Examples
Value of Information Security for business
Risk management
Technology
IBM SIEM, Risk Manager, Forensics
What it is and what for
Architecture
Use cases
Q&A (if time allows)
13. Prologue: Some new technologies
3D Printers
Google Glasses (“glassh**es”)
Cloud Computing
Big Data & Supercomputers
Mobile Payment & Virtual Money
Robotics and Intraday Deliveries
Internet of things
Augmented Reality
Extreme development of apps
Digital prototyping
Gadgets (devices) & Mobility
Technology replaced jobs (automation)
Geo-location power
Biometrics
Health bands and mHealth
Electronic cars
Avegant Glyph and much, much more
22. Disaster in technology world - NSA
Governments write malware and exploits (USA started, others follow..)
Cyber espionage
Sabotage
Cyber wars
Infecting own citizens
Surveillance
Known NSA “partners”
Microsoft (incl. Skype)
Apple
Adobe
Facebook
Google
Many, many others
Internet is changing!!!
USA thinks that internet is their creation and foreign users should think of USA as their masters…
27. Cybercriminal type #1
37. Mobility & Security
“In 2014 each educated employee will have on average 3.3 mobile devices, compared with the average of 2.8 mobile devices in 2013.” 1
43. Bright future of the internet way ahead..
1995 – 2005: 1st Decade of the Commercial Internet
2005 – 2015: 2nd Decade of the Commercial Internet
Motive
Attacker types: Script-kiddies or hackers; Insiders; Organized crime; Competitors, hacktivists; National Security
Motives: Infrastructure Attack; Espionage; Political Activism; Monetary Gain; Revenge; Curiosity
45. Conclusion: The Saga will continue anyway
For many companies security is like salt, people just
sprinkle it on top.
46. Think security first & Where are You here?
Organizations Need an Intelligent View of Their Security Posture
(Maturity chart; axes: Reactive to Proactive, Manual to Automated)
Optimized: Organizations use predictive and automated security analytics to drive toward security intelligence
Proficient: Security is layered into the IT fabric and business operations
Basic: Organizations employ perimeter protection, which regulates access and feeds manual reporting
47. “DSS” is here for You! Just ask for…
Si vis pacem, para bellum. (Lat.)
48. IBM Security Intelligence
Extensive Data Sources: Servers and mainframes; Data activity; Network and virtual activity; Application activity; Configuration information; Security devices; Users and identities; Vulnerabilities and threats; Global threat intelligence
Embedded Intelligence – Automated Offense Identification (embedded intelligence offers automated offense identification):
• Massive data reduction
• Automated data collection, asset discovery and profiling
• Automated, real-time, and integrated analytics
• Activity baselining and anomaly detection
• Out-of-the-box rules and templates
Suspected Incidents -> Prioritized Incidents
49. Security Intelligence = SIEM+RM+…+….
IBM QRadar Security Intelligence Platform
Inputs: Packets, Vulnerabilities, Configurations, Flows, Events, Logs
Big data consolidation of all available security information
Traditional SIEM: 6 products from 6 vendors are needed
IBM Security Intelligence and Analytics
54. SIEM installation – plug&play
Higher capacity / performance support
Basic installation in one week, immediate ROI
Continuous development of features and integration
Biggest IT Security solutions portfolio in today’s Security market
55. IBM leadership – taking it back
Competing products shown on the slide's vendor comparison chart (column structure not recoverable):
CA (DataMinder); Novell (Sentinel); Nitro; Fortify, WebInspect; ArcSight; TippingPoint; RSA Access Mgr.; ProtectTools; RSA Live Intelligence System; Team: RSA FirstWatch; OAM, Novell AM, CA SiteMinder; Norton AV, IPS; Symantec Client/Svr. Mgmt. Suite; Symantec DLP Data Theft Protection; DLP; FW, NBA, IPS; Access Rights Reviews; SecureSphere Web App FW; SecureSphere App Virt. Patching; FW, IPS; DLP; Endpoint Disk Encryption; FW, IPS, AV; Mobile security; FIM
57. SIEM Use Cases Definition
Requirements
Scope
Event Sources
Response
58. Your Use Case
Build YOUR own use case!
React faster
Improve Efficiency
Automate Compliance
59. Use Cases
Vulnerability Correlation
Suspicious Access Correlation
Flow and Event Combo Correlation
Botnet Application Identity
VMware Flow Analysis
Unidirectional Flows Detection
Vulnerability Reporting
Data Loss Prevention
Double Correlation
Policy and Insider Threat Intelligence (Social Media Use Case)
60. Use Cases
Detecting Threats or Suspicious Changes in Behaviour
Preventative Alerting and Monitoring
Compliance Monitoring
Client-side vulnerability correlation
Excessive Failed Logins to Compliance Servers
Remote Access from Foreign Country Logons
Communication with Known Hostile Networks
Long Durations
Multi-Vector Attack
Device stopped sending Data (Out of Compliance)
61. Social Media Intelligence
Problem: Social media is an increasing threat to an organization's policies and network; company employees are the ones most likely to fall victim to social engineering based threats, and serve as entry points for Advanced Persistent Threats.
Solution: Social media monitoring & correlation in real time: QRadar’s real-time monitoring and correlation of hundreds of social media sites, such as Twitter, Facebook, Gmail, LinkedIn, etc., offers automated application-aware insight and identifies social media-based threats by user and application.
62. Social Media Intelligence
With QRadar, you can:
Identify all the source, destination and the actual corporate credit card number leaked.
Identify the user responsible for the data leak.
63. Data Loss Prevention
Customer Requirement: Customer wants to detect when an employee may be stealing customer contact info in preparation for leaving the company
Solution:
Baseline employee access to CRM
Detect deviations from norm: 1,000 transactions (access to customer records) vs normal 50 per day
BUT… what if the user is tech savvy or has a geek nephew, and makes a single SQL query to the back end database?
Profile network traffic between workstations and the back-end database, or policy shouldn’t allow direct access to the database from workstations
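The two-part check from this use case, as an added example in plain Python (not QRadar rule syntax and not from the deck): a per-user baseline deviation over CRM access counts, plus the flow check that catches a direct workstation-to-database query. The CRM log, flow records, subnet and database addresses are constructed sample data.

```python
"""Added example: DLP use case as two checks over constructed data.
Part 1 flags CRM users whose daily record-access count deviates from
their own baseline; part 2 catches the 'single SQL query' bypass by
flagging workstation-to-database flows that policy should never allow."""
from collections import defaultdict
from statistics import mean

# Constructed CRM access log: (day, user, records_accessed)
CRM_LOG = [
    ("2014-10-01", "alice", 48), ("2014-10-02", "alice", 52),
    ("2014-10-03", "alice", 50), ("2014-10-04", "alice", 1000),
    ("2014-10-01", "bob", 20), ("2014-10-02", "bob", 25),
    ("2014-10-03", "bob", 22), ("2014-10-04", "bob", 24),
]

# Constructed flow records: (src_ip, dst_ip, dst_port, src_user)
FLOWS = [
    ("10.1.5.23", "10.1.9.10", 443, "bob"),      # workstation -> CRM web app
    ("10.1.9.10", "10.2.0.5", 1433, "crm-app"),  # app server -> SQL (allowed)
    ("10.1.5.42", "10.2.0.5", 1433, "alice"),    # workstation -> SQL directly
]
WORKSTATION_NET = "10.1.5."       # assumed workstation subnet prefix
DB_SERVERS = {"10.2.0.5"}         # assumed back-end database server
DB_PORTS = {1433, 3306, 5432}     # common database listener ports


def baseline_deviations(log, day, factor=10):
    """Return users whose access count on `day` exceeds `factor` times
    their mean over all earlier days (a crude stand-in for a learned
    baseline); with the sample data, 1000 vs a ~50/day norm is flagged."""
    history = defaultdict(list)
    today = {}
    for d, user, count in log:
        if d < day:
            history[user].append(count)
        elif d == day:
            today[user] = count
    return sorted(u for u, c in today.items()
                  if history[u] and c > factor * mean(history[u]))


def direct_db_access(flows):
    """Flag flows from the workstation subnet straight to a database port:
    only the application tier should ever talk to the database."""
    return [(src, dst, port, user) for src, dst, port, user in flows
            if src.startswith(WORKSTATION_NET) and dst in DB_SERVERS
            and port in DB_PORTS]
```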
65. Inadvertent Wrongdoing
A/V Server trying to update the entire internet
Issue bubbled to the top of the offense manager immediately post-installation
Problem had existed for months, but was lost in firewall logs.
A/V clients were badly out of date.
66. System Misconfiguration
QRadar reports remote sources scanning internal SQL servers
Firewall admin insists QRadar is incorrect – absolutely no inbound SQL traffic permitted.
But … months earlier a user had requested access to the SQL server from outside campus
Administrator fat-fingered the FW rule and unintentionally allowed SQL access to & from all hosts
67. Teleportation
Customer Requirement: Customer wanted to detect users that logged in from IP addresses in different locations simultaneously.
Solution:
Create a rule to test for 2 or more logins from VPN or AD from different countries within 15 minutes
Can be extended to check for a local login within the corporate network and a simultaneous remote login
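The "teleportation" rule as an added plain-Python example (not the deck's or QRadar's own rule): two or more logins by one user from different countries inside a 15-minute window, with the extension that treats an internal address as its own "location" so a local AD login followed by a remote VPN login is also caught. The IP-to-country table and the login events are constructed stand-ins for a GeoIP feed and real VPN/AD logs.

```python
"""Added example: impossible-travel ('teleportation') detection over
constructed login events, 15-minute window, internal vs country aware."""
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=15)

# Constructed source-IP -> country table (stand-in for a GeoIP lookup).
GEO = {"203.0.113.5": "LV", "198.51.100.7": "BR",
       "192.0.2.9": "LV", "203.0.113.77": "EE"}

# Constructed VPN/AD login events: (timestamp, user, source_ip)
LOGINS = [
    ("2014-10-30 08:00:00", "jdoe", "203.0.113.5"),     # LV
    ("2014-10-30 08:09:00", "jdoe", "198.51.100.7"),    # BR, 9 min later
    ("2014-10-30 08:30:00", "asmith", "192.0.2.9"),     # LV
    ("2014-10-30 09:10:00", "asmith", "203.0.113.77"),  # EE, 40 min later
    ("2014-10-30 09:20:00", "bnorth", "10.1.5.23"),     # local AD login
    ("2014-10-30 09:25:00", "bnorth", "203.0.113.5"),   # remote VPN, 5 min later
]


def locate(ip, geo):
    """Map an address to a 'location': the corporate network (assumed
    10.0.0.0/8) is its own location, everything else is its country."""
    if ip.startswith("10."):
        return "INTERNAL"
    return geo.get(ip, "UNKNOWN")


def teleportation_offenses(logins, geo, window=WINDOW):
    """Return (user, first_ip, second_ip) for each pair of logins by the
    same user from different locations within `window` of each other."""
    events = sorted(
        (datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), user, ip)
        for ts, user, ip in logins)
    offenses = []
    for i, (t1, u1, ip1) in enumerate(events):
        for t2, u2, ip2 in events[i + 1:]:
            if t2 - t1 > window:
                break  # events are time-sorted; nothing later can qualify
            if u1 == u2 and locate(ip1, geo) != locate(ip2, geo):
                offenses.append((u1, ip1, ip2))
    return offenses
```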
68. Purell for your VPN
Customer Requirement: Customer wanted to detect when external systems over the VPN access sensitive servers
Customer was concerned that an external system could be infected / exploited through split tunneling and infect sensitive internal servers
Solution:
Use latest VA scan of user systems
Create BB (building block) of OSVDB IDs of concern
Detect when external systems with vulnerabilities access sensitive servers
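The same three steps as an added Python example (not from the deck, not QRadar syntax): join the latest VA scan with a building block of vulnerability IDs of concern, then flag flows from VPN-pool hosts carrying one of those IDs to a sensitive server. The VPN pool, sensitive server list, scan results and flows are constructed, and the OSVDB-style IDs are placeholders.

```python
"""Added example: 'Purell for your VPN' as a join between VA scan
results, a building block of vulnerability IDs, and network flows."""
import ipaddress

VPN_POOL = ipaddress.ip_network("10.200.0.0/16")   # assumed VPN address pool
SENSITIVE = {"10.2.0.5", "10.2.0.6"}               # assumed sensitive servers
# Building block of OSVDB-style IDs the customer cares about (placeholders)
VULNS_OF_CONCERN = {"OSVDB-EXAMPLE-1", "OSVDB-EXAMPLE-2"}

# Constructed latest VA scan: host -> set of vulnerability IDs found
VA_SCAN = {
    "10.200.1.10": {"OSVDB-EXAMPLE-1", "OSVDB-EXAMPLE-9"},
    "10.200.1.11": {"OSVDB-EXAMPLE-9"},
    "10.1.5.23":   {"OSVDB-EXAMPLE-2"},   # on-site workstation, not VPN
}

# Constructed flows: (src_ip, dst_ip, dst_port)
FLOWS = [
    ("10.200.1.10", "10.2.0.5", 445),   # vulnerable VPN host -> sensitive
    ("10.200.1.11", "10.2.0.5", 445),   # VPN host without a vuln of concern
    ("10.200.1.10", "10.1.9.10", 443),  # vulnerable VPN host -> non-sensitive
    ("10.1.5.23", "10.2.0.6", 22),      # vulnerable, but on-site, not VPN
]


def vulnerable_hosts(scan, concern):
    """Hosts whose latest scan shows at least one ID from the building
    block, mapped to the matching IDs only."""
    return {host: found & concern for host, found in scan.items()
            if found & concern}


def vpn_risk_offenses(flows, scan, concern):
    """Flows from a vulnerable VPN-pool host to a sensitive server, as
    (src, dst, port, matching_vuln_ids); everything else is ignored."""
    risky = vulnerable_hosts(scan, concern)
    hits = []
    for src, dst, port in flows:
        if (src in risky and dst in SENSITIVE
                and ipaddress.ip_address(src) in VPN_POOL):
            hits.append((src, dst, port, sorted(risky[src])))
    return hits
```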
69. Uninvited Guests
Customer Requirement: Wants to identify new systems attached to the network. There are active wall jacks throughout the building
Solution:
Set asset database retention to just beyond DHCP lease time (1-2 days)—user out of office/on vacation, asset expires
New machine attaches, rule alerts
Flows for real-time detection: no other SIEM can do this
Can alert on VA import
In 7.0, can build up a MAC list in reference sets (~2 weeks), then alert when a new MAC appears on the network
70. Policy Violation / Resource Misuse
Customer Requirement:
Detect if there are P2P servers located in the local area network
71. Communication to known Bot C&C
Customer Requirement:
Detect if any internal system is communicating with a known bot command and control server
72. Forensics of Administrative Changes
Customer Requirement:
New User account creation with administrative privileges
System registry change, Application Installed/Uninstalled
Password reset
Service started/stopped
74. Use Cases Summary
Identify the goal for each event correlation rule (and use case).
Determine the conditions for the alert.
Select the relevant data sources.
Test the rule.
Determine response strategies, and document them.
75. QRadar latest updates
Increased scalability, best HW in market
Enhanced asset and vulnerability functionality
Centralized license management
Multicultural support (languages)
Improved bar and pie charts on the Dashboard tab
Data obfuscation
Identity and Access Management (IAM) integration
Browser support
Java 7 support
2500+ reports
New “QRadar 2100 Light” appliance for SMBs
New QRadar Forensics appliance
New Data Node Appliances