IBM Security Systems
Disrupt the Advanced Attack Chain with Intelligent, Integrated Security

Marc van Zadelhoff, VP, Strategy and Product Management
Brian Mulligan, Security Strategist
November 19, 2013

© 2013 IBM Corporation

Security can be a complex landscape…
85 tools from 45 vendors

…where your security team sees noise

Attack frequency increased to a record in H1 2013
Source: IBM X-Force® Research 2013 Trend and Risk Report

IBM Security: integrating across domains to make sense of the noise and stop attackers
IBM Security Framework: Intelligence, Integration, Expertise

Advanced attackers follow a five-stage attack chain

ATTACK CHAIN
1 Break-in: reconnaissance, spear phishing, and remote exploits to gain access
2 Latch-on: malware and backdoors installed to establish a foothold (command and control)
3 Expand: lateral movement to increase access and maintain a presence
4 Gather: acquisition and aggregation of confidential data
5 Exfiltrate: data exfiltration to external networks (command and control)

Defenders follow an iterative approach, utilizing integrated solutions

ATTACK CHAIN: 1 Break-in, 2 Latch-on, 3 Expand, 4 Gather, 5 Exfiltrate

Hardening environments is difficult and growing increasingly complex
The ever-expanding number of endpoints, applications, databases and network devices creates multiple attack surfaces

Integrated Defense Strategy: HARDEN / DETECT / ANALYZE

Hardening targets:
• Endpoints: validate endpoint patch status
• Networks: secure network traffic
• Applications: prevent web application vulnerabilities
• Databases: lock down database usage

Hardening challenges:
• Mobile device proliferation and adoption of BYOD
• Adoption of hybrid and public cloud
• Rapid growth of big data
• Continued exploitation of SQL injection and cross-site scripting vulnerabilities

Harden through integrated security solutions
Scan assets for vulnerabilities, prioritize the severity of each vulnerability, and patch or block the most critical

Integrated Defense Strategy: HARDEN / DETECT / ANALYZE

• IBM Endpoint Manager: validate endpoint patch status
• IBM QRadar Vulnerability Manager / Risk Manager
• IBM Security Network Protection XGS: secure network traffic
• IBM Security AppScan: prevent web application vulnerabilities
• IBM InfoSphere Guardium: lock down database usage
• IBM X-Force Research and Development

Dashboard figures shown on the slide: 6 at risk, 22 critical, 102 blocked; 75 SQL injection and 50 cross-site scripting findings; 5 unusual database requests.

How hardening works: practical steps

Harden Endpoints (IBM Endpoint Manager)
• Manage hundreds of thousands of endpoints
• Automatically enforce security baselines across all endpoints

Find and Prioritize Vulnerabilities (IBM QRadar Vulnerability Manager / Risk Manager)
The security administrator…
• Performs real-time vulnerability scans
• Ensures hardened network device configurations
• Views prioritization of vulnerabilities in context
• Addresses the most critical risks first

Harden Applications (IBM AppScan)
• Leverage multiple source code scanning technologies
• Scan production web apps to detect vulnerabilities

Harden Network Traffic (IBM Network Protection XGS)
• Virtually patch detected vulnerabilities
• Filter internet traffic according to security policies

Harden Databases (IBM InfoSphere Guardium)
• Scan database exposures
• Detect behavioral vulnerabilities
Integrated products provide rich context for vulnerability risk scoring

• QRadar Vulnerability Manager conducts a native vulnerability scan and incorporates findings from other vulnerability sources
• Each vulnerability is given a base risk score, in this case 10
• Risk score adjusted +10 on data from XGS and X-Force: the asset has communicated with malicious IPs
• Risk score adjusted -10 on context from Endpoint Manager: the asset is scheduled to be patched
• Risk score adjusted +50 on context from QRadar Risk Manager: the asset is not protected by a firewall or IPS
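The scoring idea on this slide, carried through as an added example: a base score per vulnerability, adjusted by context that other tools report about the host, then ordered so the most critical item is handled first. This is illustrative code written for this page, not QRadar's scoring engine; the field names on the asset, the adjustment values (taken from the slide's worked case) and the sample assets are assumptions.

```python
"""Contextual risk scoring for vulnerability prioritization.

Illustrative code for the slide's scoring idea; it is not QRadar code.
Field names, adjustment values and sample data are assumptions.
"""
from dataclasses import dataclass


@dataclass
class Asset:
    """Context about the host carrying a vulnerability, as integrated
    tools would report it (assumed field names)."""
    name: str
    talked_to_malicious_ip: bool = False   # e.g. from IPS / threat-intel feed
    patch_scheduled: bool = False          # e.g. from endpoint management
    behind_firewall_or_ips: bool = True    # e.g. from a network topology model


@dataclass
class Vulnerability:
    vuln_id: str
    asset: Asset
    base_score: int = 10


# Context adjustments, using the values the slide shows for its worked case.
# Positive values raise priority, negative values lower it.
ADJUSTMENTS = (
    ("asset communicated with malicious IPs",
     lambda a: a.talked_to_malicious_ip, +10),
    ("asset is scheduled to be patched",
     lambda a: a.patch_scheduled, -10),
    ("asset is not protected by firewall or IPS",
     lambda a: not a.behind_firewall_or_ips, +50),
)


def score(vuln: Vulnerability) -> tuple[int, list[str]]:
    """Return the adjusted score and the reasons that contributed to it.
    The score never drops below 0: a scheduled patch lowers urgency but
    does not make an unpatched vulnerability disappear."""
    total = vuln.base_score
    reasons = []
    for label, applies, delta in ADJUSTMENTS:
        if applies(vuln.asset):
            total += delta
            reasons.append(f"{delta:+d} {label}")
    return max(total, 0), reasons


def prioritize(vulns: list[Vulnerability]) -> list[tuple[str, int]]:
    """Order vulnerabilities by adjusted score, highest first, so the
    'patch or block the most critical' step starts at the top."""
    scored = [(v.vuln_id, score(v)[0]) for v in vulns]
    return sorted(scored, key=lambda x: x[1], reverse=True)


if __name__ == "__main__":
    # Constructed sample: the slide's case (10 + 10 - 10 + 50 = 60) and
    # two hosts with less alarming context.
    sample = [
        Vulnerability("V-1", Asset("web01", talked_to_malicious_ip=True,
                                   patch_scheduled=True,
                                   behind_firewall_or_ips=False)),
        Vulnerability("V-2", Asset("db01", patch_scheduled=True)),
        Vulnerability("V-3", Asset("app02", talked_to_malicious_ip=True)),
    ]
    for vid, s in prioritize(sample):
        print(vid, s)
```

The slide's case lands at 60; the host that is merely scheduled for patching drops to 0, which is the point of pulling context from more than one product: the same CVE on two hosts should not sit at the same place in the queue.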

Hardening people is essential and becoming more complex
Multiple identity stores and increasing connections from outside the enterprise complicate identity security

Integrated Defense Strategy: HARDEN / DETECT / ANALYZE

• Validate Identity: determine who is who
• Prevent Insider Threat and Identity Fraud: secure shared identities and prevent targeted attacks
• Integrate Identity: unify the "universe of identities"
• Manage Identity: enable identity lifecycle management

Identity hardening challenges:
• Multiple user access points (employees, contractors, partners) are a weak link for attackers to break in
• Extending identity security to mobile, cloud and social interactions
• Highly privileged insiders have access to the "crown jewels"
• Compliance exposure from multiple identity silos and fragmented user data
• Increasing security demands for real-time user activity data

Define a new perimeter with threat-aware Identity and Access Management
Simplify identity silos to safeguard mobile, cloud and social interactions, mitigate insider threat and deliver intelligent identity and access assurance

Integrated Defense Strategy: HARDEN / DETECT / ANALYZE

• IBM Security Access Manager: determine who is who
• IBM Security Privileged Identity Manager: secure shared identities and prevent targeted attacks
• IBM Security Directory Server and Integrator: unify the "universe of identities"
• IBM Security Identity Manager: enable identity lifecycle management

Create a secure perimeter around identities
• Manage all users connecting from within and outside the enterprise
• Defend web applications against targeted web attacks
• Enhance user activity monitoring and security intelligence across security domains

Integrated products provide user activity and anomaly detection
• Identity and Access Manager event logs offer rich insights into actual users and their roles
• IAM integration with QRadar SIEM provides detection of break-ins tied to actual users and roles

Patient, sophisticated attackers make detection a challenge
Detect subtle anomalies across domains and correlate them to create a cohesive picture of threat activity

Defense Strategy: HARDEN / DETECT / ANALYZE

• Network Traffic: blocks exploits as they traverse the network
• Privileged Users: sends privileged user details to correlate with the user's activity
• Application Access: blocks attacks before they reach applications
• Endpoint Protection: dynamically detects and blocks endpoint malware
• Threat Research

Detection challenges:
• Attackers modify signatures to bypass signature-based detection
• Users connect from new devices and locations
• Lack of control over privileged users' passwords and access
• Increasing number of endpoints, device types and operating systems

Integrated capabilities enable real-time discovery and blocking
Detect and block malicious activity across networks, users, applications and endpoints

Defense Strategy: HARDEN / DETECT / ANALYZE

• IBM Security Network Protection XGS: blocks exploits as they traverse the network
• IBM Privileged Identity Manager: sends privileged user details to correlate with the user's activity
• IBM Security Access Manager: blocks attacks before they reach applications
• IBM Trusteer Apex: dynamically detects and blocks endpoint malware
• IBM QRadar Security Intelligence: creates an activity baseline to detect anomalous activity; intelligent correlation of events, flows, assets, topologies, vulnerabilities and external threats; produces actionable intelligence
• IBM X-Force Research and Development

Defend against persistent attacks with integrated capabilities

Scenario: email with a malicious link (Network Protection XGS, X-Force Research)
• XGS blocks the zero-day exploit from the malicious link after incorporating X-Force security content (security event sent to QRadar)
• XGS natively creates network flow activity for QRadar to detect additional anomalies (network flow sent to QRadar)

Scenario: SQL injection (Access Manager AMP 5100, AppScan, SiteProtector, Network Protection XGS)
• Access Manager blocks the SQL injection against the web application and alerts QRadar (security event)
• Based on the QRadar alert, the analyst runs AppScan to find the application vulnerability
• AppScan creates a virtual patch in SiteProtector to block the attack at the network level
• SiteProtector deploys the policy to Network Protection XGS devices

Scenario: email with a malicious file, followed by privilege escalation (Trusteer Apex, Privileged Identity Manager)
• Apex detects and blocks the zero-day exploit using application state context (security event)
• Privileged Identity Manager detects anomalous privilege escalation
• Privileged Identity Manager records the session and sends the escalation event to QRadar (security event)

IBM QRadar SIEM receives the events and flows and supports the analyst who investigates the alerts:
 Event correlation
 Historic forensics
 Real-time analysis
 Predictive analytics
Incorporate the latest threat intelligence
IBM X-Force research is utilized in Network Protection XGS

Screenshot callouts:
• Network Protection XGS console showing security policies
• X-Force URL reputation data incorporated by category
• Policy on XGS set to reject connections to malicious URLs

Integrate to prevent web application exploits at the network level

1 Access Manager flags a SQL injection, alerts QRadar and then… the analyst runs AppScan and finds the SQL injection vulnerabilities
2 AppScan sends vulnerability details to SiteProtector
3 SiteProtector creates a virtual patch to block the SQL injection at the network level while the vulnerabilities are patched
4 Policy deploys to Network Protection XGS devices

Types of Protection
• Client-side attacks
• Injection attacks
• Malicious file execution
• Cross-site request forgery
• Information disclosure
• Path traversal
• Authentication
• Buffer overflow
• Brute force
• Directory indexing
• Miscellaneous attacks
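What the four steps above amount to in code, as an added example that is not part of the deck and not AppScan, SiteProtector or XGS code: the injectable query a scanner would flag, the application fix (a bound parameter), and a request-level "virtual patch" that blocks the attack in front of the unpatched application until the fix ships. The sqlite3 users table, the `name` request parameter and the filter patterns are assumptions made for the example.

```python
"""SQL injection: the vulnerable query, the code fix, and a network-level
'virtual patch' that blocks the attack while the fix is rolled out.

Illustrative code for the slide's scenario, not IBM product code. The
table, the parameter name and the filter patterns are assumptions.
"""
import re
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data: a users table with two accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT, is_admin INTEGER)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [(1, "alice", 1), (2, "bob", 0)])
    return conn


def lookup_vulnerable(conn, name: str) -> list:
    """The flaw a scanner would report: user input pasted into SQL text,
    so a payload such as  x' OR '1'='1  returns every row."""
    query = f"SELECT id, name FROM users WHERE name = '{name}'"
    return conn.execute(query).fetchall()


def lookup_fixed(conn, name: str) -> list:
    """The application fix: a bound parameter is data, never SQL."""
    return conn.execute("SELECT id, name FROM users WHERE name = ?",
                        (name,)).fetchall()


# Virtual patch: a request-level rule scoped to the vulnerable parameter.
# It is a stopgap, not the fix; the patterns are illustrative and a
# determined attacker will look for encodings they miss, which is why
# step 3 on the slide says "while the vulnerabilities are patched".
SQLI_PATTERNS = [
    re.compile(r"'\s*(or|and)\s+[^=]+=", re.I),      # ' OR 'a'='a
    re.compile(r"(;|--|/\*)"),                        # statement/comment breaks
    re.compile(r"\bunion\b\s+(all\s+)?select\b", re.I),
]


def virtual_patch(params: dict) -> bool:
    """Return True if the request should be blocked at the network edge."""
    value = params.get("name", "")
    return any(p.search(value) for p in SQLI_PATTERNS)


def handle_request(conn, params: dict, patched_app: bool):
    """Simulate the edge filter sitting in front of either version of
    the application: 'blocked', or the rows the application returned."""
    if virtual_patch(params):
        return "blocked"
    lookup = lookup_fixed if patched_app else lookup_vulnerable
    return lookup(conn, params.get("name", ""))


if __name__ == "__main__":
    db = make_db()
    payload = "x' OR '1'='1"
    print("vulnerable, no filter:", lookup_vulnerable(db, payload))
    print("fixed, no filter:     ", lookup_fixed(db, payload))
    print("vulnerable + patch:   ", handle_request(db, {"name": payload}, False))
    print("legit request:        ", handle_request(db, {"name": "bob"}, False))
```

The filter catches the tautology in front of the old code, the parameterized query makes the payload harmless even without the filter, and a legitimate request passes through both. Keep the virtual-patch rule scoped to the parameter the scanner named; a broad rule on every field is how edge filters start blocking real users.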

Monitor privileged users to detect malicious activity

1 An attacker steals system administrator login credentials, then grants increased permissions to an invalid user
2 Privileged Identity Manager sends QRadar details of the privilege escalation; QRadar notifies a security analyst
3 The security analyst views a recording that shows the compromised administrator granting a user rights outside of the formal process, and revokes the compromised account's access to prevent further malicious action

Security analysis is a big data problem
Security analysts are overwhelmed by a variety of data and a lack of visibility

Defense Strategy: HARDEN / DETECT / ANALYZE
Data sources: Flows, Events, Assets

Challenges:
• Rapid growth in the volume of security data
• Incompatible information from diverse data sources
• Multiple, siloed security systems, each with its own dashboard
• Lack of application, configuration and user context

Integrated IBM solutions provide actionable security intelligence
QRadar SIEM correlates and analyzes millions of events with contextual data to produce a detailed view of key offenses

Defense Strategy: HARDEN / DETECT / ANALYZE

Inputs to IBM QRadar SIEM:
• Flows: IBM QFlow and VFlow; network traffic with user and application context from IBM Network Protection XGS devices
• Events: security events from IBM Network Protection XGS devices; user context from IAM integration; database context and activity from IBM InfoSphere Guardium; endpoint status from IBM Endpoint Manager
• Assets: network topology from IBM QRadar Risk Manager
• IBM X-Force Research and Development

Advanced analytics combine network and contextual data to perform:
• Event correlation
• Activity baselining
• Anomaly detection
• Offense identification

Correlate events across security domains to gain visibility

Security events and their sources:
• User connects from a country where the company does not do business (IAM)
• User accesses a database outside normal business hours (Guardium)
• Unusual network traffic identified (XGS)

1 QRadar correlates the 3 security events and triggers an offense

2 Investigations across IAM, XGS, QFlow, Guardium, Endpoint Manager and the SIEM, with results:
• Look for recent changes in the user's permissions: the user requested access to a sensitive DB
• Look up all activity from the user's IP address: 6 days ago the user connected to an unknown IP located in a suspicious region; 5 days ago the user's machine began opening suspicious connections
• Find other users who connected to the same suspicious IP: 3 other users have connected with similar suspicious traffic
• Determine which DBs and records these users accessed in the last 6 days: the users accessed unannounced quarterly financial results
• Check the patch status of the compromised machines: all compromised users have the latest browser patches

3 Remediation
• Update XGS to block malware command and control
• Alert the security team to remove the endpoint malware
• Produce a sensitive data access report
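The correlation step above, and the privilege-escalation detection on the earlier "Monitor privileged users" slide, as one added example written for this page (it is a small stand-alone correlator, not QRadar): each raw event from the identity system, database monitor, network sensor or privileged identity manager is reduced to a weak signal, signals are grouped by user inside a time window, and an offense fires only when enough distinct sources agree. The event format, source names, the list of business countries, business hours, the egress allow-list, the thresholds and the sample events are all assumptions.

```python
"""Cross-domain event correlation: raise an offense when several weak
signals from different tools point at the same user.

Illustrative code, not QRadar. Event format, source names, thresholds
and the sample events are assumptions constructed for the example.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Optional

# Constructed sample events, as a SIEM might normalise them from the
# identity system (iam), database monitor (guardium), network sensor
# (xgs) and privileged identity manager (pim). Timestamps are UTC.
EVENTS = [
    {"ts": "2013-11-12T02:15:00", "src": "iam", "user": "jdoe",
     "type": "login", "country": "XZ"},
    {"ts": "2013-11-12T02:30:00", "src": "guardium", "user": "jdoe",
     "type": "db_access", "db": "finance_q4"},
    {"ts": "2013-11-12T02:31:00", "src": "xgs", "user": "jdoe",
     "type": "flow", "dst_ip": "203.0.113.9", "bytes_out": 48_000_000},
    {"ts": "2013-11-12T02:40:00", "src": "pim", "user": "jdoe",
     "type": "privilege_grant", "grantee": "tmp_user", "change_ticket": None},
    {"ts": "2013-11-12T10:00:00", "src": "iam", "user": "asmith",
     "type": "login", "country": "US"},
    {"ts": "2013-11-12T10:05:00", "src": "guardium", "user": "asmith",
     "type": "db_access", "db": "finance_q4"},
]

BUSINESS_COUNTRIES = {"US", "GB", "DE"}   # assumed
BUSINESS_HOURS = range(8, 18)             # 08:00 to 17:59, assumed
KNOWN_EGRESS = {"198.51.100.1"}           # assumed allowed destinations
WINDOW = timedelta(hours=24)              # assumed correlation window
MIN_DOMAINS = 3                           # assumed: sources needed to fire


def signal(ev: dict) -> Optional[str]:
    """Turn one raw event into a weak signal, or None if it looks benign."""
    hour = datetime.fromisoformat(ev["ts"]).hour
    t = ev["type"]
    if t == "login" and ev["country"] not in BUSINESS_COUNTRIES:
        return "login from country where company does not do business"
    if t == "db_access" and hour not in BUSINESS_HOURS:
        return "database access outside business hours"
    if (t == "flow" and ev["dst_ip"] not in KNOWN_EGRESS
            and ev["bytes_out"] > 10_000_000):
        return "large transfer to unknown destination"
    if t == "privilege_grant" and not ev.get("change_ticket"):
        return "privilege granted outside the formal change process"
    return None


def correlate(events: list) -> dict:
    """Group signals per user inside WINDOW of that user's first signal.
    An offense needs signals from at least MIN_DOMAINS distinct sources,
    so one odd login on its own does not page anyone."""
    per_user = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        s = signal(ev)
        if s:
            per_user[ev["user"]].append(
                (datetime.fromisoformat(ev["ts"]), ev["src"], s))
    offenses = {}
    for user, sigs in per_user.items():
        first = sigs[0][0]
        in_window = [x for x in sigs if x[0] - first <= WINDOW]
        sources = {src for _, src, _ in in_window}
        if len(sources) >= MIN_DOMAINS:
            offenses[user] = {"sources": sorted(sources),
                              "reasons": [r for _, _, r in in_window]}
    return offenses


if __name__ == "__main__":
    for user, off in correlate(EVENTS).items():
        print(user, off["sources"])
        for reason in off["reasons"]:
            print("  -", reason)
```

On the constructed data only jdoe produces an offense (four sources inside the window); asmith's daytime login and database access never become signals. Requiring distinct sources rather than a raw count is the design choice that matters: three noisy events from one sensor should not carry the same weight as three independent tools agreeing.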

QRadar integrates data to answer the important questions
• What was the attack?
• Was it successful?
• Who was responsible?
• Where do I find them?
• How many targets were involved?
• How valuable are the targets to the business?
• Are any of them vulnerable?
• Where is all the evidence?

Clients gain visibility with integrated security

Confidence: "IBM Security Network Protection has been a great solution for us in stopping bad traffic and it's given us great confidence in how we operate."

Actionable Intelligence: "IBM QRadar SIEM has also allowed us to gain efficiencies by providing our security analysts with actionable intelligence and information instead of searching through a haystack of information…"

Chief Security Officer, Large Financial Services Firm

Source: Protecting consumer and business information with advanced threat protection
http://public.dhe.ibm.com/common/ssi/ecm/en/wgc12350usen/WGC12350USEN.PDF

Effective advanced threat defense requires diverse capabilities

ATTACK CHAIN: 1 Break-in, 2 Latch-on, 3 Expand, 4 Gather, 5 Exfiltrate

HARDEN (persistent attackers)
• Configure and patch endpoints
• Monitor and analyze network configurations
• Securely develop, deploy, and audit web applications
• Intelligently scan and prioritize vulnerabilities
• Enforce proactive access policies and monitor user behavior

DETECT (patient attackers)
• Develop behavior / activity baselines and detect anomalies
• Automate rules and alerts focused on privileged user activity
• Detect application attacks and unauthorized access
• Inspect and block suspicious traffic

ANALYZE (sophisticated attackers)
• Correlate events, flows, assets, configurations, vulnerabilities and external threats
• Identify compromised endpoints
• Drill into security data across domains from a single interface
• Produce actionable intelligence

A diverse range of business partners enhance IBM's offerings
Partner categories: Advanced Persistent Threat, Insider Threat, Data Breach, Malware Detection
Please note: logos shown represent a subset of all security business partners

IBM offers a comprehensive portfolio of security products

IBM Security Systems Portfolio

Security Intelligence and Analytics: QRadar Log Manager, QRadar SIEM, QRadar Risk Manager, QRadar Vulnerability Manager

Advanced Fraud Protection: Trusteer Rapport, Trusteer Pinpoint Malware Detection, Trusteer Pinpoint ATO Detection, Trusteer Mobile Risk Engine

People: Identity Management, Access Management, Privileged Identity Manager, Federated Access and SSO

Data: Guardium Data Security and Compliance, Guardium DB Vulnerability Management, Guardium / Optim Data Masking, Key Lifecycle Manager

Applications: AppScan Source, AppScan Dynamic, DataPower Web Security Gateway, Security Policy Manager

Infrastructure (Network): Network Intrusion Prevention, Next Generation Network Protection, SiteProtector Threat Management, Network Anomaly Detection

Infrastructure (Endpoint): Trusteer Apex, Mobile and Endpoint Management, Virtualization and Server Security, Mainframe Security

IBM X-Force Research

IBM Security: integrating across domains to help prevent advanced attacks
IBM Security Framework: Intelligence, Integration, Expertise

Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response
to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed or misappropriated
or can result in damage to or misuse of your systems, including to attack others. No IT system or product should be considered completely secure
and no single product or security measure can be completely effective in preventing improper access. IBM systems and products are designed to
be part of a comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems,
products or services to be most effective. IBM DOES NOT WARRANT THAT SYSTEMS AND PRODUCTS ARE IMMUNE FROM THE
MALICIOUS OR ILLEGAL CONDUCT OF ANY PARTY.

www.ibm.com/security

© Copyright IBM Corporation 2013. All rights reserved. The information contained in these materials is provided for informational purposes
only, and is provided AS IS without warranty of any kind, express or implied. IBM shall not be responsible for any damages arising out of the use
of, or otherwise related to, these materials. Nothing contained in these materials is intended to, nor shall have the effect of, creating any
warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement
governing the use of IBM software. References in these materials to IBM products, programs, or services do not imply that they will be available in
all countries in which IBM operates. Product release dates and/or capabilities referenced in these materials may change at any time at IBM’s sole
discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any
way. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United
States, other countries or both. Other company, product, or service names may be trademarks or service marks of others.
  • 12. IBM Security Systems Hardening people is essential and becoming more complex Multiple identity stores and increasing connections from outside the enterprise complicate identity security Validate Identity • Determine who is who Identity hardening challenges: • Multiple user access points a weak link for attackers to break-in (employees, contractors, partners) Integrated Defense Strategy HARDEN DETECT ANALYZE Prevent Insider Threat and Identity Fraud • Secure shared identities and prevent targeted attacks • Extending identity security to mobile, cloud and social interactions Integrate Identity • Unify “Universe of identities” • Highly privileged insiders have access to the “crown jewels” • Compliance exposure from multiple identity silos and fragment user data Manage Identity • Enable identity lifecycle management • Increasing security demands for realtime user activity data 12 © 2013 IBM Corporation
  • 13. IBM Security Systems Define a new perimeter with threat-aware Identity and Access Mgmt Simplify identity silos to safeguard mobile, cloud and social interactions, mitigate insider threat and deliver intelligent identity and access assurance IBM Security Access Manager • Unify “Universe of identities” HARDEN DETECT ANALYZE IBM Security Privileged Identity Manager • Determine who is who IBM Security Directory Server and Integrator Integrated Defense Strategy • Secure shared identities and prevent targeted attacks Create a secure perimeter around identities • Manage all users connecting from within and outside the enterprise IBM Security Identity Manager • Enable identity lifecycle management • Defend web applications against targeted web attacks • Enhance user activity monitoring and security intelligence across security domains 13 © 2013 IBM Corporation
  • 14. IBM Security Systems Integrated products provide user activity and anomalies detection • Identity and Access Manager event logs offers rich insights into actual users and their roles • IAM integration with QRadar SIEM provides detection of break-ins tied to actual users & roles 14 © 2013 IBM Corporation
  • 15. IBM Security Systems Patient, sophisticated attackers make detection a challenge Detect subtle anomalies across domains and correlate them to create a cohesive picture of threat activity Network Traffic • Blocks exploits as they traverse the network Detect challenges: • Attackers modify signatures to bypass signature based detection Defense Strategy HARDEN DETECT ANALYZE Privileged Users • Sends privileged user details to correlate with user’s activity • Users connect from new devices and locations • Lack of control over privileged users passwords and access Application Access • Blocks attacks before they reach applications • Increasing number endpoints, device types and operating systems Endpoint Protection • Dynamically detect and block endpoint malware Threat Research 15 © 2013 IBM Corporation
  • 16. IBM Security Systems Integrated capabilities enable real-time discovery and blocking Detect and block malicious activity across networks, users, applications and endpoints IBM Security IBM QRadar Network Protection XGS Security Intelligence • Blocks exploits as they traverse the network HARDEN DETECT ANALYZE IBM Privileged Identity Manager • Sends privileged user details to correlate with user’s activity IBM Trusteer Apex IBM Security Access Manager • Blocks attacks before they reach applications Defense Strategy Creates an activity baseline to detect anomalous activity • Dynamically detect and block endpoint malware • Intelligent correlation of events, flows, assets, topologies, vulnerabilities and external threats • Produce actionable intelligence IBM X-Force Research and Development 16 © 2013 IBM Corporation
  • 17. IBM Security Systems Defend against persistent attacks with integrated capabilities IBM QRadar SIEM X-Force Research Email with malicious link Network Protection XGS Access Manager AMP 5100 SQL injection AppScan SiteProtector Network Protection XGS • XGS blocks zero-day exploit from malicious link after incorporating X-Force security content Security Event • XGS natively creates network flow activity for QRadar to detect additional anomalies Network Flow Investigate Alerts • Access Manager blocks SQL injection from web application and alerts QRadar • Based on QRadar alert, analyst runs AppScan to find the application vulnerability Security Event • AppScan creates virtual patch in SiteProtector to block the attack at the network level  Event correlation • SiteProtector deploys policy to Network Protection XGS devices  Historic forensics  Real-time analysis  Predictive analytics Privilege escalation Email with malicious file 17 Privileged Identity Manager Trusteer Apex • Privileged Identity Manager detects anomalous privilege escalation Security Event • Privileged Identity Manager records the session and sends the escalation event to QRadar • Apex detects and block the zero-day exploit using application state context Security Event © 2013 IBM Corporation
  • 18. IBM Security Systems Incorporate the latest threat intelligence IBM X-Force research is utilized in Network Protection XGS Network Protection XGS console showing security policies X-Force URL reputation data incorporated by category 2 Policy on XGS set to reject connections to malicious URLs 18 1 3 © 2013 IBM Corporation
  • 19. IBM Security Systems Integrate to prevent web application exploits at the network level Access Manager flags a SQL injection, alerts QRadar and then… Analyst runs AppScan and finds the SQL injection vulnerabilities 1 AppScan sends vulnerability 2 details to SiteProtector SiteProtector creates virtual patch to block the SQL injection at the network level while 3 the vulnerabilities are patched Policy deploys to Network 4 Protection XGS devices Types of Protection • Client-side attacks • Injection attacks • Malicious file execution 19 • Cross-site request forgery • Information disclosure • Path traversal • Authentication • Buffer overflow • Brute force • Directory indexing • Miscellaneous attacks © 2013 IBM Corporation
  • 20. IBM Security Systems Monitor privileged users to detect malicious activity An attacker steals system administrator login credentials then grants increased permissions to invalid user Privileged Identify Manager sends QRadar details of the privilege escalation QRadar notifies a security analyst 1 2 Security analyst views a recording that shows compromised administrator granting a user rights outside of the formal process 3 Security analyst revokes compromised account access to prevent further malicious action 20 © 2013 IBM Corporation
  • 21. IBM Security Systems Security analysis is a big data problem Security analysts are overwhelmed by a variety of data and lack of visibility Defense Strategy HARDEN DETECT ANALYZE Detect challenges: Flows • Rapid growth in the volume of security data • Incompatible information from diverse data sources Events • Multiple, siloed security systems each with its own dashboard • Lack of application, configuration and user context Assets 21 © 2013 IBM Corporation
  • 22. IBM Security Systems Integrated IBM solutions provide actionable security intelligence QRadar SIEM correlates and analyzes millions of events with contextual data to produce a detailed view of key offenses • Network traffic with user and application context from IBM Network Protection XGS devices Defense Strategy HARDEN DETECT ANALYZE IBM QRadar SIEM • Database context and activity from IBM InfoSphere Guardium Flows • IBM QFlow and VFlow Events • User context from IAM integration • Security events from IBM Network Protection XGS devices • Endpoint status from IBM Endpoint Manager 22 Assets • Network topology from IBM QRadar Risk Manager Advanced analytics combine network and contextual data to perform: • Event correlation • Activity baselining • Anomaly detection • Offense identification IBM X-Force Research and Development © 2013 IBM Corporation
  • 23. IBM Security Systems Correlate events across security domains to gain visibility IBM QRadar Security Event • User connects from country where company does not do business Security Event • User accesses database outside normal business hours Guardium Security Event • Unusual network traffic identified XGS Investigations… IAM XGS QFlow Guardium Endpoint Manager 23 Look for recent changes in the user’s permissions Lookup all activity from user’s IP address SIEM IAM Results… QRadar correlates 3 security events and triggers an offense 1 2 User requested access to sensitive DB 6 days ago, the user connected to an unknown IP located in a suspicious region 5 days ago, the user’s machine began opening suspicious connections Find other users who connected to the same suspicious IP 3 other users have connected with similar suspicious traffic Determine which DBs and records these users accessed in last 6 days Users accessed unannounced quarterly financial results Check patch status of compromised machines All compromised users have latest browser patches 3 Remediation • Update XGS to block malware command and control • Alert security team to remove the endpoint malware • Produce sensitive data access report © 2013 IBM Corporation
  • 24. IBM Security Systems QRadar integrates data to answer the important questions What was the attack? Was it successful? Who was responsible? Where do I find them? How many targets involved? How valuable are the targets to the business? Are any of them vulnerable? Where is all the evidence? 24 © 2013 IBM Corporation
  • 25. IBM Security Systems Clients gain visibility with integrated security Confidence Actionable Intelligence “IBM Security Network Protection has been a great solution for us in stopping bad traffic and it’s given us great confidence in how we operate.” “IBM QRadar SIEM has also allowed us to gain efficiencies by providing our security analysts with actionable intelligence and information instead of searching through a haystack of information…” Chief Security Officer Large Financial Services Firm 25 Source: Protecting consumer and business information with advanced threat protection http://public.dhe.ibm.com/common/ssi/ecm/en/wgc12350usen/WGC12350USEN.PDF © 2013 IBM Corporation
  • 26. IBM Security Systems Effective advanced threat defense requires diverse capabilities ATTACK CHAIN 1 Break-in 2 Latch-on Persistent HARDEN 3 Expand Patient DETECT  Configure and patch endpoints  Monitor and analyze network configurations  Develop behavior / activity baselines and detect anomalies  Securely develop, deploy, and audit web applications  Automate rules and alerts focused on privileged user activity  Intelligently scan and prioritize vulnerabilities  Detect application attacks and unauthorized access  Enforce proactive access policies and monitor user behavior 26  Inspect and block suspicious traffic 4 Gather 5 Exfiltrate Sophisticated ANALYZE  Correlate events, flows, assets, configurations, vulnerabilities and external threats  Identify compromised endpoints  Drill into security data across domains from a single interface  Produce actionable intelligence © 2013 IBM Corporation
  • 27. IBM Security Systems A diverse range of business partners enhance IBM’s offerings Advanced Persistent Threat 27 Insider Threat Data Breach Please note: logos shown represent a subset of all security business partners Malware Detection © 2013 IBM Corporation
  • 28. IBM Security Systems IBM offers a comprehensive portfolio of security products IBM Security Systems Portfolio Security Intelligence and Analytics QRadar Log Manager QRadar SIEM QRadar Risk Manager QRadar Vulnerability Manager Advanced Fraud Protection Trusteer Rapport Trusteer Pinpoint Malware Detection Trusteer Pinpoint ATO Detection Trusteer Mobile Risk Engine People Data Applications Identity Management Guardium Data Security and Compliance AppScan Source Network Intrusion Prevention Trusteer Apex Access Management Guardium DB Vulnerability Management AppScan Dynamic Next Generation Network Protection Mobile and Endpoint Management Privileged Identity Manager Guardium / Optim Data Masking DataPower Web Security Gateway SiteProtector Threat Management Virtualization and Server Security Federated Access and SSO Key Lifecycle Manager Security Policy Manager Network Anomaly Detection Mainframe Security Network Infrastructure Endpoint IBM X-Force Research 28 © 2013 IBM Corporation
  • 29. IBM Security Systems IBM Security Integrating across domains to help prevent advanced attacks IBM Security Framework Intelligence Integration Expertise 29 © 2013 IBM Corporation
  • 30. IBM Security Systems Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed or misappropriated or can result in damage to or misuse of your systems, including to attack others. No IT system or product should be considered completely secure and no single product or security measure can be completely effective in preventing improper access. IBM systems and products are designed to be part of a comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective. IBM DOES NOT WARRANT THAT SYSTEMS AND PRODUCTS ARE IMMUNE FROM THE MALICIOUS OR ILLEGAL CONDUCT OF ANY PARTY. www.ibm.com/security © Copyright IBM Corporation 2013. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind, express or implied. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, these materials. Nothing contained in these materials is intended to, nor shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software. References in these materials to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates. Product release dates and/or capabilities referenced in these materials may change at any time at IBM’s sole discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any way. 
IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service marks of others. 30 © 2013 IBM Corporation

Editor's notes

  1. Too many products: We have multiple examples of customers who have invested in many, many tools. One US government agency alone has 200 security products – that entails the license costs, but perhaps more problematically, the configuration and maintenance of all of those products in a constantly changing infrastructure. They’re not getting their money’s worth. They can’t. It’s too complex and too costly. Too many point products from too many vendors: Besides having too many products, they have too many vendors – point products from each vendor that do not integrate in any way. And those point products cannot find the advanced attacks that these enterprises are experiencing. One customer had 85 products from 45 different security vendors. Products don’t work: Antivirus products cannot reliably defend against malware. In another case a customer had 46 security vendors who all failed to prevent a malware attack. http://krebsonsecurity.com/
  3. This chart highlights the volume of threat activity that is happening out there -- you can see it’s quite a lot considering this is a mere sampling of what was probably actually going on. The color of each circle represents the technical means used by attackers to breach these customers. The size of the circle estimates the financial impact that might have occurred based on what was reported publicly. Though the seemingly insurmountable magnitude of these threats is alarming, they’re certainly preventable if you’re armed with the right approach.
  4. Sophisticated attackers will exploit a multitude of technical and social engineering vulnerabilities to attack an organization; however, attacks tend to follow a five-stage sequence. The attacker will break into the system, frequently by using social engineering to gain access to a user’s credentials. Once inside, the attacker will install malware and phone home that it has successfully compromised the system. Advanced attackers are generally patient and use a ‘low and slow’ attack style to expand across systems to maximize access to sensitive data. Once they have succeeded in accessing the desired data, attackers assemble the data they are looking for in preparation for transmittal out of the system. The attacker covertly transmits the data to an external location. These attacks can be spread out over days, weeks or months and may feature the ongoing exfiltration of data from the target, rather than a one-time event.
  5. Countering an advanced attack is a continuous process that requires integration between the multifaceted security tools. First, security admins must harden their systems against known vulnerabilities. Second, they must monitor activity with as much context as possible to detect attacks when they occur. Then, they must have the data and capability to drill into a suspected attack to determine the extent of the compromised systems and data, and learn enough about the attack vector that they can stop the attack and remediate systems to prevent similar attacks in the future. As you will see, the IBM Security portfolio is well suited and integrated to give security professionals the tools they need to harden against, detect and analyze advanced attacks.
  6. Harden Endpoints: Manage hundreds of thousands of endpoints regardless of location, connection type or status. Automatically enforce security baselines across all endpoints, including software versions and configuration settings. Harden Applications: Leverage multiple source code scanning technologies for issue discovery and remediation across security and development teams. Scan production web apps to detect vulnerabilities such as SQL injection and cross-site scripting. Harden Network Traffic: Virtually patch detected vulnerabilities at the network level. Filter internet traffic according to enterprise security policies. Harden Databases: Scan database exposures (missing patches, weak passwords, unauthorized changes, and misconfigured privileges). Detect behavioral vulnerabilities (account sharing, excessive administrative logins and after-hours activity). Vulnerability Management: Performs real-time vulnerability scans for 70,000+ vulnerabilities on routers, firewalls, OS, DB, web servers, DNS and mail servers. Ensures hardened network device configuration across all assets. Views prioritization of vulnerabilities using context from IBM tools and X-Force threat intelligence. Addresses the most critical risks first when hardening the system.
  7. Thanks Marc. We have here a great screenshot from QRadar Vulnerability Manager. What makes Vulnerability Manager so powerful is the ability to not just identify, but also risk-adjust vulnerabilities using context specific to your environment. You can see from this screen capture that the server vulnerability shown has a score of 60. That’s good to know, but what does a score of 60 really mean? How did Vulnerability Manager come up with that? That 60 is composed of a base score of 10, which is the score given by QRadar Vulnerability Manager’s native scanner. The base score is then adjusted using context specific to the environment. The risk is increased by 10 because Network Protection XGS provided context showing that the vulnerable system had communicated with malicious IPs identified by X-Force research. The risk is reduced by 10 because this server’s vulnerability is scheduled to be patched by IBM Security Endpoint Manager. Finally, the risk score is increased by 50 because the network topology from QRadar Risk Manager indicates that the server in question is not adequately protected behind firewall and intrusion prevention systems. It is this context from integrated solutions that helps the security analyst sort through numerous vulnerabilities to identify the most risky.
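The scoring walkthrough above (slide 11 and this note) is easy to state and harder to see at scale. The following is an added illustration, not QRadar Vulnerability Manager's actual algorithm: it applies the three adjustments the slide gives (+10 for contact with malicious IPs, -10 when a patch is already scheduled, +50 when the asset sits outside firewall/IPS protection) to a base score and then ranks a constructed list of findings so the riskiest surface first, with a one-line breakdown per finding of the kind an analyst would want to read. The field names, adjustment keys, asset names and vulnerability ids are this example's own.

```python
"""Context-adjusted vulnerability risk scoring and prioritisation.

Added illustration, not QRadar Vulnerability Manager's real scoring logic.
Adjustment values follow the slide; everything else is constructed.
"""
from dataclasses import dataclass


@dataclass
class Finding:
    asset: str
    vuln_id: str                          # placeholder ids, not real CVEs
    base_score: int                       # native scanner score (10 on the slide)
    talked_to_malicious_ip: bool = False  # context from XGS + X-Force reputation
    patch_scheduled: bool = False         # context from Endpoint Manager
    behind_firewall_or_ips: bool = True   # context from Risk Manager topology


# Adjustment values as stated on the slide; the key names are this example's own.
ADJUSTMENTS = {
    "malicious_ip_contact": +10,
    "patch_scheduled": -10,
    "unprotected_by_firewall_or_ips": +50,
}


def risk_score(f):
    """Return (adjusted score, list of adjustment names that applied)."""
    applied = []
    if f.talked_to_malicious_ip:
        applied.append("malicious_ip_contact")
    if f.patch_scheduled:
        applied.append("patch_scheduled")
    if not f.behind_firewall_or_ips:
        applied.append("unprotected_by_firewall_or_ips")
    score = f.base_score + sum(ADJUSTMENTS[name] for name in applied)
    return score, applied


def explain(f):
    """One-line breakdown: base score, each adjustment, final score."""
    score, applied = risk_score(f)
    parts = [f"base {f.base_score}"] + [f"{ADJUSTMENTS[a]:+d} {a}" for a in applied]
    return f"{f.asset} {f.vuln_id}: {' '.join(parts)} = {score}"


def prioritise(findings):
    """Highest adjusted risk first; ties broken by base score, then asset name."""
    return sorted(findings, key=lambda f: (-risk_score(f)[0], -f.base_score, f.asset))


# Constructed sample. The first entry reproduces the slide's server exactly:
# base 10, +10 malicious IP contact, -10 patch scheduled, +50 unprotected = 60.
SAMPLE_FINDINGS = [
    Finding("srv-01", "VULN-A", 10, talked_to_malicious_ip=True,
            patch_scheduled=True, behind_firewall_or_ips=False),
    Finding("srv-02", "VULN-B", 40),                              # no context hits
    Finding("ws-03", "VULN-C", 25, talked_to_malicious_ip=True),  # 25 + 10 = 35
    Finding("db-04", "VULN-D", 45, patch_scheduled=True),         # 45 - 10 = 35
]

if __name__ == "__main__":
    for finding in prioritise(SAMPLE_FINDINGS):
        print(explain(finding))
```

Note how the ranking changes once context is applied: the finding with the lowest scanner score (srv-01) ends up at the top because it is exposed and already talking to known-bad addresses, while db-04, which looks serious on base score alone, drops because a patch is already on its way.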
  8. As Marc explained, hardening against unusual behavior from users is key to successfully defending against advanced threats. An important part of hardening people is having the integration in place to be alerted when suspicious identity events occur. As you can see in the screen capture here, intelligence from Identity and Access Manager is captured in the QRadar dashboard. The security analyst using QRadar immediately sees the multiple login failures from the same user. Right from QRadar, the analyst can then drill into the details of the failed logins.
  9. In this scenario, our persistent attacker has sent an email containing a link to malware, in an attempt to compromise your organization. A powerful intrusion prevention system is a key component in detecting attacks on your environment. However, intrusion prevention is only as effective as the intelligence it is using to identify and block suspicious traffic. That is why the close integration between our Network Protection XGS and X-Force threat research is so important. This series of screen captures from the XGS user interface demonstrates the integration. In the top screenshot you can see URL reputation data from X-Force, one of the largest URL reputation databases in the world. In the second screenshot you can see that URLs are broken into categories, for example botnet command and control, malware, etc. Finally, you can see the actual policy telling the XGS to reject any connections to this source, the link from the attacker’s email, because it is a known malware host. URL reputation data is only the first way that integration between X-Force research and the Network Protection XGS device protects you from malware. The XGS also integrates X-Force intelligence into its protocol analysis module; this deep understanding of protocols allows the XGS to identify and block malware traversing the network regardless of the source. Now that we’ve prevented the malicious link….
  10. …our attacker has moved on in an attempt to exploit an SQL injection vulnerability. The security analyst is first made aware of the attempted SQL injection through an event sent from Access Manager’s web application firewall, which is protecting the application where the attempted exploit is taking place. The security analyst can use IBM Security AppScan to run a scan of the web application in question. AppScan, shown in the top screenshot, will identify the SQL injection vulnerability in the application. If that were the end of this action, we would have a problem, because it can take some time for developers to create a patch and update the vulnerable application. Luckily, this analyst has SiteProtector. The integration between AppScan and SiteProtector means that right from the AppScan interface, as shown in the second screen capture, the analyst can select vulnerabilities and click export to SiteProtector. Once in SiteProtector, the analyst can deploy a virtual patch that will block SQL injection to that web application at the network level while the development team is working on a patch. SiteProtector then pushes the virtual patch out at once to all Security Network Protection XGS devices protecting the network.
  11. Still undaunted, our persistent attacker manages to steal a highly privileged system administrator’s login credentials. He realizes that using the system administrator’s credentials won’t go unnoticed for long, so he decides to use the account only briefly, to give increased permissions to a non-administrator whose account he has also compromised. Later, he intends to use this account to gather and exfiltrate sensitive data. Fortunately for this organization, the system administrator is being monitored by Privileged Identity Manager. As we saw with the Identity and Access Manager example earlier, Privileged Identity Manager is integrated with QRadar. As you can see in the top screen capture, Privileged Identity Manager sends the details of the increased permission to QRadar. Because of this deep integration, right from QRadar the security analyst can drill into the details to see, for example, that the user bouncy15 elevated the privileges of user bouncy17. Because the organization is using Privileged Identity Manager, the security analyst can open a recording of the administrator bouncy15’s screen while he was granting the increased permission. After reviewing the recording, the analyst determines that the compromised administrator account was granting permissions outside of the normal procedure and revokes access for both the administrator and the user whose permissions were escalated.
  12. IBM Security QRadar SIEM analyzes tremendous amounts of data (logs, network flows) and uses context to transform it into useful, actionable information, as is depicted in this slide. Here’s what a security team member would see when they begin to investigate an offense record triggered by a correlation rule. The analyst can see the who, what and where behind the offense and quickly determine if it’s a legitimate threat or a false positive. IBM Security QRadar SIEM is strong from an event-management and analysis perspective and is very effective in detecting threats because it can leverage a broad range of data, analyze it, and apply context from an extensive range of sources. This reduces false positives, and tells users not only what has been exploited but also what kind of activity is taking place. This results in quicker threat detection and response. QRadar continuously monitors data sources across the IT infrastructure, leveraging the full context in which systems are operating. That context includes security and network device logs, vulnerabilities, configuration data, network traffic telemetry, application events and activities, user identities, assets, geo-location, and application content. This generates a staggering amount of data, and QRadar SIEM leverages it to establish very specific context around each potential area of concern, and uses sophisticated analytics to accurately detect more and different types of threats. For example, a potential exploit of a web server reported by an intrusion detection system can be validated by unusual outbound network activity detected by QRadar network behavioral anomaly detection (NBAD) capabilities. QRadar uses intelligence, automation and analytics to provide very actionable security information including the number of targets involved in a threat, who was responsible, what kind of attack occurred, whether it was successful, vulnerabilities, evidence for forensics, etc.
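Two of the detections described in this deck are simple enough to show end to end: the "multiple login failures from the same user" alert on slide 14 (note 8), and the offense on slide 23 that fires when QRadar correlates three events from different domains (an IAM login from a country where the company does no business, an after-hours Guardium database access, and unusual XGS network traffic) for one user. The block below is an added example, not QRadar's rule engine or its log formats: it parses constructed key=value log lines from three sources, tags the ones matching those indicators, and runs both rules over them. The log lines, field names, country allow-list, business hours and thresholds are all constructed; the user= field on the XGS line stands in for the user attribution that, on the slide, comes from the IAM integration.

```python
"""Cross-domain event correlation over constructed log lines.

Added example, not QRadar's correlation engine. Two rules:
  * failed-login burst: >= threshold login failures by one user inside a window
  * cross-domain offense: indicators from >= min_sources distinct sources
    for the same user inside a window, with the contributing events kept
All log lines, field names, countries and thresholds below are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: '<timestamp> <source> key=value ...' per line.
SAMPLE_LOGS = """\
2013-11-19T01:55:00Z IAM user=jdoe event=login_failure src_ip=203.0.113.7
2013-11-19T01:55:20Z IAM user=jdoe event=login_failure src_ip=203.0.113.7
2013-11-19T01:55:41Z IAM user=jdoe event=login_failure src_ip=203.0.113.7
2013-11-19T01:56:03Z IAM user=jdoe event=login_failure src_ip=203.0.113.7
2013-11-19T01:56:30Z IAM user=jdoe event=login_failure src_ip=203.0.113.7
2013-11-19T02:10:00Z IAM user=jdoe event=login_success country=ZZ
2013-11-19T03:05:00Z Guardium user=jdoe event=db_access db=finance
2013-11-19T03:40:00Z XGS user=jdoe event=unusual_traffic dst_ip=198.51.100.9
2013-11-19T09:00:00Z IAM user=asmith event=login_success country=US
2013-11-19T09:30:00Z Guardium user=asmith event=db_access db=finance
"""

BUSINESS_COUNTRIES = {"US", "GB", "DE"}   # constructed allow-list
BUSINESS_HOURS = range(8, 18)             # 08:00-17:59, constructed


def parse_logs(text):
    """Turn the key=value lines into event dicts with a datetime 'ts'."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, source, *pairs = line.split()
        event = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                 "source": source}
        for pair in pairs:
            key, _, value = pair.partition("=")
            event[key] = value
        events.append(event)
    return events


def classify(event):
    """Map one event to an indicator label, or None if it is unremarkable."""
    source, kind = event["source"], event.get("event")
    if source == "IAM" and kind == "login_success" \
            and event.get("country") not in BUSINESS_COUNTRIES:
        return "login_from_non_business_country"
    if source == "Guardium" and kind == "db_access" \
            and event["ts"].hour not in BUSINESS_HOURS:
        return "db_access_outside_business_hours"
    if source == "XGS" and kind == "unusual_traffic":
        return "unusual_network_traffic"
    return None


def failed_login_bursts(events, threshold=5, window=timedelta(minutes=10)):
    """Rule 1: one alert per user with >= threshold failures inside window."""
    by_user = defaultdict(list)
    for e in events:
        if e["source"] == "IAM" and e.get("event") == "login_failure":
            by_user[e["user"]].append(e["ts"])
    alerts = []
    for user, times in by_user.items():
        times.sort()
        start = 0
        for end in range(len(times)):          # sliding window over failures
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                alerts.append({"user": user, "count": end - start + 1,
                               "first": times[start], "last": times[end]})
                break
    return alerts


def correlate_offenses(events, window=timedelta(hours=24), min_sources=3):
    """Rule 2: offense when one user has indicators from >= min_sources
    distinct sources inside window; contributing events are kept as evidence."""
    flagged = defaultdict(list)               # user -> [(ts, source, label)]
    for e in events:
        label = classify(e)
        if label:
            flagged[e["user"]].append((e["ts"], e["source"], label))
    offenses = []
    for user, items in flagged.items():
        items.sort()
        for ts0, _, _ in items:               # try each indicator as window start
            hits = [it for it in items if ts0 <= it[0] <= ts0 + window]
            sources = {src for _, src, _ in hits}
            if len(sources) >= min_sources:
                offenses.append({"user": user, "sources": sorted(sources),
                                 "indicators": [lab for _, _, lab in hits],
                                 "evidence": hits})
                break
    return offenses


if __name__ == "__main__":
    evts = parse_logs(SAMPLE_LOGS)
    for alert in failed_login_bursts(evts):
        print("ALERT failed-login burst:", alert)
    for offense in correlate_offenses(evts):
        print("OFFENSE:", offense["user"], offense["sources"], offense["indicators"])
```

The second rule is what the deck means by correlation across domains: each indicator on its own is noise (people travel, DBAs work late, flows look odd), but three of them from three independent sources against one identity inside a day is worth an offense, and keeping the contributing events attached is what lets the analyst start the investigation on slide 23 from the offense itself rather than from raw logs.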
  13. Source: Protecting consumer and business information with advanced threat protection, http://public.dhe.ibm.com/common/ssi/ecm/en/wgc12350usen/WGC12350USEN.PDF
  14. The IBM Security Systems portfolio is built around protecting the security domains of People, Data, Applications, and Infrastructure, with a layer of Security Intelligence and Analytics providing true integration and visibility into the enterprise security landscape, and underpinned by IBM X-Force Research providing threat intelligence. The acquisition of Trusteer provides enhanced endpoint protection and threat research, while extending the portfolio with a layer of advanced fraud protection.