Ibm security overview bp enablement 22 feb-2012 v harper
- 1. IBM Security Systems
IBM Security
Intelligence, Integration and Expertise
Vaughan Harper
IBM Security Architect
22 February, 2012
© 2012 IBM Corporation
- 2. IBM Security Systems
The world is becoming more digitized and interconnected, opening the door to emerging threats and leaks…
DATA EXPLOSION: The age of Big Data – the explosion of digital information – has arrived and is facilitated by the pervasiveness of applications accessed from everywhere
CONSUMERIZATION OF IT: With the advent of Enterprise 2.0 and social business, the line between personal and professional hours, devices and data has disappeared
EVERYTHING IS EVERYWHERE: Organizations continue to move to new platforms including cloud, virtualization, mobile, social business and more
ATTACK SOPHISTICATION: The speed and dexterity of attacks has increased coupled with new actors with new motivations from cyber crime to terrorism to state-sponsored intrusions
- 3. IBM Security Systems
Targeted Attacks Shake Businesses and Governments
[Figure: bubble chart of breaches by month (Feb to Aug), keyed by attack type: SQL Injection, URL Tampering, Spear Phishing, 3rd Party SW, DDoS, Secure ID, Unknown. Size of circle estimates relative impact of breach.]
Organizations plotted: Bethesda Software, Northrop Grumman, Italy PM Site, IMF, Fox News, X-Factor, Citigroup, Spanish Nat. Police, Sega, Gmail Accounts, Booz Allen Hamilton, Epsilon, PBS, Vanguard Defense, Sony, SOCA, Monsanto, Malaysian Gov. Site, Peru Special Police, HB Gary, RSA, Lockheed Martin, Nintendo, Brazil Gov., L3 Communications, SK Communications Korea, Sony BMG Greece, Turkish Government, AZ Police, US Senate, NATO
IBM Security X-Force® 2011 Midyear Trend and Risk Report, September 2011
- 4. IBM Security Systems
IT Security is a board room discussion
Business results: Sony estimates potential $1B long term impact – $171M / 100 customers*
Brand image: HSBC data breach discloses 24K private banking customers
Supply chain: Epsilon breach impacts 100 national brands
Legal exposure: TJX estimates $150M class action settlement in release of credit / debit card info
Impact of hacktivism: Lulzsec 50-day hack-at-will spree impacts Nintendo, CIA, PBS, UK NHS, UK SOCA, Sony …
Audit risk: Zurich Insurance PLc fined £2.275M ($3.8M) for the loss and exposure of 46K customer records
*Sources for all breaches shown in speaker notes
- 5. IBM Security Systems
Solving a security issue is a complex, four-dimensional puzzle
People: Employees, Consultants, Hackers, Terrorists, Outsourcers, Customers, Suppliers
Data: Structured, Unstructured, At rest, In motion
Applications: Systems applications, Web applications, Web 2.0, Mobile apps
Infrastructure
It is no longer enough to protect the perimeter – siloed point products will not secure the enterprise
- 6. IBM Security Systems
In this “new normal”, organizations need an intelligent view of their
security posture
Basic: Organizations employ perimeter protection, which regulates access and feeds manual reporting
Proficient: Security is layered into the IT fabric and business operations
Optimized: Organizations use predictive and automated security analytics to drive toward security intelligence
[Figure: maturity curve rising from Basic through Proficient to Optimized, toward Security Intelligence; axes run from Manual to Automated and from Reactive to Proactive]
- 7. IBM Security Systems
IBM Security: Delivering intelligence, integration and expertise across a
comprehensive framework
Only vendor in the market with end-to-
end coverage of the security foundation
6K+ security engineers and consultants
Award-winning X-Force® research
Largest vulnerability database in the
industry
Intelligence ● Integration ● Expertise
- 9. IBM Security Systems
Expertise: Unmatched global coverage and security awareness
Security Operations Centers
Security Research Centers
Security Solution Development Centers
Institute for Advanced Security Branches
IBM Research
World Wide Managed Security Services Coverage
20,000+ devices under contract
3,700+ MSS clients worldwide
9B+ events managed per day
1,000+ security patents
133 monitored countries (MSS)
- 10. IBM Security Systems
Problem #1: Passwords…
Most users need to log on to multiple systems to do their job
It takes time to log on to each system
It’s difficult to remember all the passwords
It’s impossible to remember all your passwords if they’re all strong, all
different, and some are used infrequently
Volume of different applications (17 applications for one user we were
talking to)
- 12. IBM Security Systems
Latest IBM Security Access Manager for Enterprise Single Sign-On
Desktop Single Sign-On, Strong Authentication and Fine-Grained User Activity Audit Logs
Simplify password management and
strengthen end user security
Business challenge
Reduce help desk costs, improve productivity and strengthen
security on traditional, virtual, shared desktop environments
Key solution highlights
• Virtual Appliance for faster time to value
- Easier deployment and management leading to lower TCO
• Virtualized desktops and applications virtualization support
- Support VMware View, IBM Virtual Desktop for Smart Business
- Desktop access to virtualized MSFT App-V or Citrix XenApp
• Wider platform support
- Support for Win 7 64-bit, Win 2008, Internet Explorer 8 & 9
• Enhanced Strong Authentication Support
- Hybrid RFID smart card, support for National IDs
“IBM’s Security Access Manager for Enterprise Single Sign-On helped achieve a ROI of 244% over 3 years with a payback period of 11 months” (Large UK financial services company)
- 14. IBM Security Systems
Application Vulnerabilities Continue to Dominate
Web application vulnerabilities represented the largest category in vulnerability
disclosures (55% in 2008)
In 1H09, 50.4% of all vulnerabilities are Web application vulnerabilities
SQL injection and Cross-Site Scripting are neck and neck in a race for the top spot
[Figure: Vulnerability Disclosures Affecting Web Applications (Cumulative, Year Over Year), 1998 to 2009 H1]
IBM Internet Security Systems 2009 X-Force® Mid-Year Trend & Risk Report
- 15. IBM Security Systems
Why Security Matters?
ICO £500K fines from 6th April 2010
New powers to impose fines of up to £500,000 for serious breaches of the DPA
will come into force on 6 April
Data Breach Notification Law approved by EU
Member states required to introduce the new rules by May 2011
PCI Compliance
New prioritised approach in place, banks and card acquirers demanding
progress
Other Compliance
Basel II, Sarbanes Oxley, ISO 27001 etc…
Non-compliance reasons
Reputational damage
Fraud, etc
- 16. IBM Security Systems
IBM Rational AppScan End-to-End Application Security
Phases: REQUIREMENTS, CODE, BUILD, QA, SECURITY, PRODUCTION
Products along the lifecycle: Security Requirements Definition, AppScan Source, AppScan Tester, AppScan Standard, AppScan onDemand (SaaS)
AppScan Enterprise / Reporting Console (enterprise-wide scanning and reporting)
REQUIREMENTS: Security requirements defined before design & implementation
CODE: Build security testing into the IDE
BUILD: Automate Security / Compliance testing in the Build Process
QA: Security / compliance testing incorporated into testing & remediation workflows
SECURITY: Security & Compliance Testing, oversight, control, policy, audits
PRODUCTION: Outsourced testing for security audits & production site monitoring
Application Security Best Practices
- 17. IBM Security Systems
IBM Rational AppScan End-to-End Application Security
IBM Rational AppScan: A Web Application Security Scanner
– Helps users find and remediate application-layer security issues in their web applications & web services
IBM Rational AppScan Standard or Express Edition
– A standalone desktop application
Who uses it?
– Security Auditors and IT Security Teams - To reach beyond network security
– QA engineers - To add Security to Functionality & Performance testing
– Developers (to a lesser extent) – Wanting to be proactive about security
SECURITY: AppScan Standard – Security & Compliance Testing, oversight, control, policy, audits
- 18. IBM Security Systems
How does AppScan work?
Approaches an application as a black-box
Traverses a web application and builds the site model
Determines the attack vectors based on the selected Test policy
Tests by sending modified HTTP requests to the application and examining the HTTP response according to validation rules
[Diagram: AppScan sends an HTTP Request to the Web Application and receives an HTTP Response]
- 19. IBM Security Systems
The ROI of Application Security Testing
Cost Savings – of testing early in the development process
• 80% of development costs are spent identifying and correcting defects
• Testing for vulnerabilities earlier in the development process can help avoid that unnecessary expense
• Cost of finding & fixing problems: code stage is $25, QA/Testing is $450, Production $16,000 *
• E.g.: 50 applications annually & 25 issues per application, testing at code stage saves $780,000 over testing at QA stage.
Cost Savings – of automated vs manual testing
• Automated testing provides tremendous productivity savings over manual testing
• Automated source code testing with periodic penetration testing allows for cost effective security analysis of applications
• Outsourced audits can cost $10,000 to $50,000 per application
• At $20,000 an app, 50 audits will cost $1M.
• With 1 hire + 4 quarterly outsourced audits (ex: $120,000+$80,000), $800,000/yr can be saved (less the cost of testing software)
Cost Avoidance – of a security breach
• Costs as a result of a security breach can include (but are not limited to) audit fees, legal fees, regulatory fines, lost customer revenue and brand damage
• The cost to companies is $202 per compromised record**
• The average cost per data breach is $6.6 Million**
* Source: Capers Jones, Applied Software Measurement, 1996
** Source: Ponemon Institute, Privacy Rights Clearinghouse, 2008
- 20. IBM Security Systems
AppScan Product Path
AppScan Express (single user)
More than 1 user: upgrade to floating licence → AppScan Standard (floating user)
Multiple users, enterprise wide reporting & visibility → AppScan Reporting Console (enterprise-wide reporting) with multiple AppScan Standard (floating user)
- 21. IBM Security Systems
Recent UK General Business sales…
Q3 2011 – UK digital media production company
A UK digital media production company had been using some open source tools for security
testing and had suffered some recent security incidents that were driving them to improve their
security posture
Initial Demonstration of AppScan via webinar on 22nd August. Evaluation of AppScan completed
via Webinars over following weeks. Deal for one licence of AppScan Standard Edition closed
within the Quarter.
Q4 2011 – UK publishing company
UK magazine company: increasing focus on online content is driving a greater need for security
Initial Demonstration of AppScan via webinar during Oct. Evaluation of AppScan completed
within 1 week via onsite visit on 16th November. Deal for one licence of AppScan Standard
Edition closed within the quarter.
- 22. IBM Security Systems
Problem #3: Managing workstations and servers…
How long does it take you to…
…determine the number of PCs that are infected?
…patch all infected systems and protect the healthy ones?
…realize that a user/malware just uninstalled a critical patch?
…deploy patches not only on Windows but Linux, AIX, Solaris or Mac OS X?
- 23. IBM Security Systems
Tivoli Endpoint Manager: See More, Secure More
Tivoli Endpoint Manager for Security & Compliance
• Asset Discovery and Visibility
• Patch Management
• Security Configuration Management
• Vulnerability Management
• Multi-Vendor Endpoint Protection Management
• Network Self Quarantine
Discover 10% - 30% more assets than previously reported
Library of 5,000+ compliance settings, including support for FDCC SCAP, DISA STIG
Automatically and continuously enforce policy at the end point
Achieve 95%+ first-pass success rates within hours of policy or patch deployment
- 24. IBM Security Systems
The Tivoli Endpoint Manager Approach
PIPEDA/PIPA
ISO/IEC 27001
Reporting and Enforcement on 5,000+ Controls
- 25. IBM Security Systems
TEM for SCM – Meeting Endpoint Compliance Requirements
| Requirement | PCI | ISO 27001 | CobIT | NIST 800-53 |
|---|---|---|---|---|
| Implement anti-malware and keep endpoints current | 5.1, 5.2 | A12.6 | DS5.9 | SI-3 |
| Define, implement, and enforce security configuration baselines | 2.1, 2.2, 6.2 | A12.1, A15.2 | DS9 | CM-2,4,6 |
| Keep endpoints patched | 6.1 | A12.6 | DS5.9 | CM-2 |
| Perform regular vulnerability scans and address findings | 11.2 | A12.6 | PO9.3 | RA-5 |
| Keep a current network diagram, know when things are added to the network | 1.1 | A7.1 | DS13.3 | CM-8 |
| Install, maintain endpoint firewalls, NAC | 1.4 | A11.4 | DS5.10 | AC-19 |
- 26. IBM Security Systems
Compliance Dashboard / Reporting
• Real-time and historical visibility into the state of compliance
• Identify critical gaps in compliance to defined policy
• Customize dashboard to create different “lenses” into the compliance state
- Computer Groups
- Categories
- Policy Templates
• Drill-down into specific details of non-compliant or compliant systems
• Compliance Focused executive reporting via web reports and DSS
- 27. IBM Security Systems
Security & Compliance Customer Success Stories
Financial Company
• Failed internal audit of information security configuration compliance
• Highly distributed infrastructure with centralized visibility and reporting
• Customized SCM Controls to meet internal SCM requirements
Retail Chain
• Failed PCI Audit due to poor configuration policy enforcement
• No visibility into system configurations and no ability to report on compliance status
• No ability to enforce configuration standards across infrastructure
• Leveraged SCM Controls to achieve PCI specific requirements
Government Agency
• Ongoing failures to secure systems and mitigate against threats caused by poorly configured and badly managed systems
• Systems highly susceptible to internal abuse and external attack
• Leveraged out-of-the-box DISA STIG SCM checklists to assess compliance and automate remediation of non-compliant systems.
- 28. IBM Security Systems
Problem #4: Network threats…
IBM Security Research and Development: X-Force
X-Force R&D team discovers and analyzes previously
unknown vulnerabilities in critical software and
infrastructure such as: e-mail, networks, Internet
applications, security protocols, business applications
and VoIP.
In addition to its own research, X-Force reviews each
published vulnerability in order to monitor the threat
landscape, determine new attack vectors, and
offer a higher level of protection.
One of X-Force’s publications is the quarterly Threat
Insight report
Source: IBM X-Force Database
- 29. IBM Security Systems
Preemptive Ahead of the Threat Security – backed up by data
Top 61 Vulnerabilities 2009
341 Average days Ahead of the Threat
91 Median days Ahead of the Threat
35 Vulnerabilities Ahead of the Threat
57% Percentage of Top Vulnerabilities – Ahead of the Threat
9 Protection released post announcement
17 same day coverage
1H2010 – Average days Ahead of the Threat increased to 437!
- 30. IBM Security Systems
IBM Security Network IPS
IBM Security Network IPS is an Appliance
Core protection engine – Protocol Analysis Module (PAM) –
delivers the most efficient IPS engine available
Vulnerability-based protection requires fewer detection
algorithms than competitive solutions that require a new
signature for every new exploit
Clients benefit with greater protection from fewer detection
algorithms
– Provides capacity for new features like Content Analysis and Web application security
– Protection for older threats doesn’t have to be removed to maintain speed/performance
Clients benefit as X-Force continues to invest in PAM
– Multithreaded version in development
IBM is the first vendor to secure three NSS Labs Gold Awards in a row
http://nsslabs.blogspot.com/2009/05/nss-awards-first-gold-in-5-years.html
- 31. IBM Security Systems
IBM Virtual Server Protection for VMware
Integrated threat protection for VMware vSphere 4
5 Security Features
– Rootkit Detection, Firewall, Intrusion Prevention, Virtual Network Admission Control, Auditing.
VSP cannot monitor host-based events (e.g.
file integrity) which require local installation
VSP plugs into VMsafe and therefore cannot
prevent threats to the underlying hardware
and virtual network cards.
- 32. IBM Security Systems
ibm.com/security
© Copyright IBM Corporation 2012. All rights reserved. The information contained in these materials is provided for informational purposes
only, and is provided AS IS without warranty of any kind, express or implied. IBM shall not be responsible for any damages arising out of the use
of, or otherwise related to, these materials. Nothing contained in these materials is intended to, nor shall have the effect of, creating any
warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement
governing the use of IBM software. References in these materials to IBM products, programs, or services do not imply that they will be available in
all countries in which IBM operates. Product release dates and/or capabilities referenced in these materials may change at any time at IBM’s sole
discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any
way. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United
States, other countries or both. Other company, product, or service names may be trademarks or service marks of others.