According to a GovLoop survey, 90% of respondents do not think their agency is fully prepared for a cyber attack, and they named the ever-changing nature of threats, along with inadequate training, as their biggest obstacles. At every level of government, the number of cyber attacks on networks is growing, and the attacks are becoming more sophisticated and aggressive. The threat of targeted attacks, security breaches, phishing, and social media fraud is very real for everyone, and especially for government. That is where the Continuous Diagnostics and Mitigation (CDM) program comes in.
The Department of Homeland Security designed CDM to help other agencies understand their vulnerabilities and identify threats in near real time. CDM is a dynamic, collaborative program that provides a holistic approach to protecting important information. Join IBM Security to learn firsthand from government and industry thought leaders how it can help your agency.
View the full on-demand webcast: https://www2.gotomeeting.com/register/369078578
On February 12, 2013, Jim Lewis of CSIS reported (Executive Summary):

Analysis of successful attacks has provided good data on both the techniques used in breaching corporate networks and the steps needed to prevent such breaches. However, this information is not reflected in practice. Companies underestimate the risk they face of being breached or hacked. Most companies only find out that they have been hacked when told by a third party. This could raise questions of fiduciary responsibility as greater awareness of risk grows in the business community and in government.

Hacking is incredibly easy; survey data consistently shows that 80 to 90 percent of successful breaches of corporate networks required only the most basic techniques. Hacking tools are easily acquired from the Internet, including tools that "crack" passwords in minutes.

In the last few years, in 2009 and 2010, Australia's Defense Signals Directorate (DSD) and the U.S. National Security Agency (NSA) independently surveyed the techniques hackers used to successfully penetrate networks. NSA (in partnership with private experts) and DSD each came up with a list of measures that stop almost all attacks. DSD found that four risk reduction measures block most attacks. Agencies and companies implementing these measures saw risk fall by 85 percent and, in some cases, to zero.

CDM includes three of those four measures in Phase I.
A new security reality is here

Sophisticated attackers break through conventional safeguards every day. Organized criminals, hacktivists, governments and adversaries are compelled by financial gain, politics and notoriety to attack your most valuable assets. Their operations are well-funded and business-like: attackers patiently evaluate targets based on potential effort and reward. Their methods are extremely targeted: they use social media and other entry points to track down people with access, take advantage of trust, and exploit them as vulnerabilities. Meanwhile, negligent employees inadvertently put the business at risk via human error. Even worse, security investments of the past fail to protect against these new classes of attacks. The result is more severe security breaches more often. In fact, 61% of organizations say data theft and cybercrime are the greatest threats to their reputation.[1] And the costs are staggering. By one estimate, the average cost of a breach is over $7 million.[2]

Sources: (1) 2012 Global Reputational Risk & IT Study, IBM; (2) 2013 Cost of Cyber Crime Study, Ponemon Institute

Cloud, mobile, social and big data drive unprecedented change

Businesses are adopting mobile, social, big data and cloud to analyze and share information at unprecedented rates. This influx of new innovation, technologies, and end-points pushes more and more business transactions outside company walls and completely transforms enterprise security as we know it. As the traditional network perimeter permanently dissolves, it is more difficult to defend company data from the increasing gaps in security, and to verify that users accessing data are protected. In one study, 70% of security executives expressed concern about cloud and mobile security.[3] Theft or loss of mobile devices, privacy concerns associated with cloud, and accidental sharing of sensitive data are some of the key fears.
Without dynamic protection, an organization may spend more time recovering from attacks than it does preventing them. And those who do not prepare for change are leaving their companies dangerously exposed.

Sources: (3) 2013 CISO Survey, IBM; 2013 Juniper Mobile Threat Report

Yesterday's security practices are not sustainable

Up to now, organizations have responded to security concerns by deploying a new tool to address each new risk. Now they have to install, configure, manage, patch, upgrade, and pay for dozens of non-integrated solutions with limited views of the landscape. Costly and complex, these fragmented security capabilities do not provide the visibility and coordination needed to stop today's sophisticated attacks. Moreover, the skills and expertise needed to keep up with a constant stream of new threats are not always available: 83% of enterprises report having difficulty finding the security skills they need.[4] And as new risks emerge, the environment will grow more complex and the skills gap wider. 49% of IT executives say that they are challenged by an inability to measure the effectiveness of their current security efforts,[5] and 31% of IT professionals have no risk strategy at all.[6] Many security teams are simply operating in the dark.

Sources: (4) 2012 ESG Research; (5) Security Intelligence Can Deliver Value Beyond Expectations And Needs To Be Prioritized, Forrester; (6) 2013 Global Reputational Risk & IT Study, IBM
Challenge #2: Tools lacking

Too many products. We have multiple examples of customers who have invested in many, many tools. One US government agency alone has 200 security products. That entails the license costs, but perhaps more problematically, the configuration and maintenance of all of those products in a constantly changing infrastructure. They are not getting their money's worth. They can't; it is too complex and too costly.

Point products. Besides having too many products, they have too many vendors: point products from each vendor that do not integrate in any way. And those point products cannot find the advanced attacks that these enterprises are experiencing.

Products don't work. Antivirus products cannot reliably defend against malware. See http://krebsonsecurity.com/
2012 was a record year for reported data breaches and security incidents, with a 40 percent increase in total volume over 2011.[1] In the first half of 2013, security incidents have already surpassed the total number reported in 2011 and are on track to surpass 2012. This year kicked off with a number of high-profile sophisticated attacks on major websites, media, and tech companies.
With more than 6,000 researchers, developers and subject matter experts engaged in security initiatives, IBM operates one of the world's broadest enterprise security research, development and delivery organizations. This powerful combination of expertise is made up of the award-winning X-Force research and development team, with one of the largest vulnerability databases in the industry, and includes nine security operations centers, nine IBM Research centers, 14 software security development labs and the IBM Institute for Advanced Security with chapters in the United States, Europe and the Asia Pacific region.

Security Operations Centers: Atlanta, Georgia; Detroit, Michigan; Boulder, Colorado; Toronto, Canada; Brussels, Belgium; Tokyo, Japan; Brisbane, Australia; Hortolandia, Brazil; Bangalore, India; Wroclaw, Poland

Security Research Centers: Yorktown Heights, NY; Atlanta, GA; Almaden, CA; Ottawa, Canada; Zurich, CH; Kassel, DE; Herzliya, IL; Haifa, IL; New Delhi, IN; Tokyo, JP

Security Development Labs: Littleton, MA; Raleigh, NC; Atlanta, GA; Austin, TX; Costa Mesa, CA; Fredericton, Canada; Toronto, Canada; Ottawa, Canada; Belfast, Northern Ireland; Delft, NL; Pune, IN; Bangalore, IN; Taipei, TW; Singapore, SG; Gold Coast, AU

Note: IBM patent search performed by Paul Landsberg, IBM IP Office
To support the role of successful CISOs, IBM offers integrated security intelligence and industry-leading experience enabled by the IBM Security Framework solution capabilities. All of the IBM Security offerings are backed by an extensive business partner ecosystem which consists of industry-leading technology, sales and service partners. These capabilities are delivered through a comprehensive and robust set of tools and best practices (including software and hardware) that are supported by the services needed to address:

- Intelligence: through a common and intuitive view that combines deep analytics with real-time security intelligence.
- Integration: through unifying existing tools and infrastructures with new forms of defense in order to reduce complexity and lower the cost of maintaining a strong security posture.
- Expertise: through a more proactive and trusted source of truth in order to stay ahead of emerging threats and risks.

Addressing these three key imperatives enables a more holistic, comprehensive perspective and can enhance your security maturity.
Why should organizations act now?

Because your department is a keystroke away from being in the headlines.

Criminals will not relent: once you are a target, criminals will spend as much time trying to break into your enterprise as you do on your core business. If you do not have visibility, they will succeed.

Recently, Trusteer came across a complex new criminal scheme involving the Tatanga Trojan that conducts an elaborate Man-in-the-Browser (MitB) attack to bypass SMS-based transaction authorization and commit online banking fraud. The scam targets online banking customers of several German banks. When the victim logs on to the online banking application, Tatanga uses a MitB webinject that alleges the bank is performing a security check on their computer and on their ability to receive a Transaction Authorization Number (TAN) on their mobile device. In the background, Tatanga initiates a fraudulent money transfer to a mule account. It even checks the victim's account balances, and will transfer funds from the account with the highest balance if there is more than one to choose from. The victim is asked to enter the SMS-delivered TAN they receive from the bank into the fake web form, supposedly to complete this security process. By entering the TAN in the injected HTML page, the victim is in fact approving the fraudulent transaction that Tatanga originated against their account. Even though the SMS message that carries the TAN shows the victim the transfer amount and the destination account, the injected HTML page claims that the process uses "experimental" data and that no money will leave their account. Once the victim enters the TAN in the fake form and hits submit, the funds are transferred to the fraudster's account. Meanwhile, Tatanga modifies the account balance reports in the online banking application to hide the fraudulent transaction. This is a very sophisticated and multi-faceted attack.
By combining a MitB attack with social engineering, Tatanga is able to circumvent the out-of-band authentication used by many banks. Then it goes one step further by hiding evidence of the fraudulent transaction from the victim using a post-transaction attack mechanism. Fortunately, the text in the injected HTML page is littered with grammar and spelling mistakes and appears not to have been written by a German speaker, which may make it less effective. Clearly, grammar is easy for fraudsters to improve. The fact that they are blending multiple attack methods in a single fraud scam is not good news. However, they still need to compromise the endpoint with malware, and that can be prevented. The practical check for the customer is the one the SMS itself provides: the amount and destination account in the TAN message must match the transaction the customer actually intended, regardless of what the page in the browser says.

Torpig is malware operated by a notorious criminal gang. They targeted one of our customers (a large financial services company) and put up a long battle with us. They kept changing and evolving their malware so that it would avoid detection by our products. FYI, the products the client used were Rapport and PPMD (our cloud-based solution).

Every business is impacted: in the past, banks were the primary targets of cyber criminals. Today, diverse actors move with lightning speed to steal money, intellectual property, customer information, and state secrets across all sectors.

Your perimeter is breached, criminals are inside: recent attacks demonstrate that victims were compromised for months before they discovered it. Assuming that you have been breached is today's prudent security posture.

Because this new era offers an opportunity to transform IT security.

Change will expand and accelerate: cloud, mobile, social and big data are radically changing the business landscape.
Adoption is accelerating as your business realizes the opportunity they present; the new era is here to stay.

New innovations provide the opportunity to get it right: by building security in from the start, you have a chance to secure the new era of computing better than the old.

Big data, social and cloud will enable greater security: now is the chance to embrace the new era of computing to modernize your security capability. Assess how your security team can leverage these disruptive forces to strengthen and streamline your security infrastructure.

Because security leaders are held more accountable than ever before.

Your board and CEO demand a strategy: after reading about recent breaches, business leaders are asking you for a plan. You need a strategy and roadmap that gets you to best-in-class. Security is now a business initiative, not a technology initiative.

Your team is blind to the business risk: with disparate IT security tools deployed and silos preventing visibility, your team is blindfolded and unable to develop an effective risk-based program for improvement.

You cannot do this alone: skills shortages and rapidly changing techniques mean you lack the staff and expertise to counter the threat at hand.
Building new, proactive defenses requires thinking like an attacker:

- Identify, discover and protect high-value assets
- Gather and preserve evidence
- Secure the weakest (most attractive) link, and then all links
- Baseline systems and networks
- Follow the trail
Securing today’s businesses requires a new approach. Companies need to gain insights across the entire security event timeline. While IBM is widely known for our Security Information and Event Management or SIEM, and for our Log Management solutions, our product strategy delivers a complete set of solutions that span the security event timeline that all IT organizations wrestle with. Our SIEM, Log Management and Network behavioral analysis solutions lead the market in helping customers react and respond to exploits as they occur in a network. But we also provide much needed value to customers as they seek to predict and prevent incidents in the first place through our solutions that help to model risk, evaluate configurations and prioritize vulnerabilities.“Security Intelligence” is the actionable information derived from the sum of all security data available to an organization, which improves accuracy and provides context throughout the entire security event timeline – from detection and protection through remediation. Our product strategy supports the entire security intelligence timeline. What you want in these sorts of situations is to recognize the attack as early as possible, flag it to the appropriate manager and activate your incident response processes, aimed at stopping the attack on the one hand and identifying the culprit on the other.
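The two defensive steps named above, baselining systems and networks and then following the trail once something deviates, are the part of the "security event timeline" that a detection engineer can actually implement. The following is an added example and not code from IBM or from any product in the deck. It learns, from a training window of constructed firewall-style log lines, which destinations each host normally talks to, flags connections to never-before-seen destinations and unusually large transfers in a review window, and then pulls the full event trail for the flagged host so an analyst can reconstruct what happened. The log format, host names, addresses and byte counts are all invented for the example; a real deployment would feed it from the SIEM or flow collector instead.

```python
"""Baseline-and-deviation detection over constructed connection logs.

Added example, not from the original presentation. Log format, hosts,
addresses and byte counts are invented for illustration.
"""
from collections import defaultdict
import re

# One log line per outbound connection: timestamp, source host, destination
# address:port, and bytes sent. The format is an assumption for this example.
LINE_RE = re.compile(
    r'^(?P<ts>\S+) host=(?P<host>\S+) dst=(?P<dst>[\d.]+):(?P<port>\d+) bytes=(?P<bytes>\d+)$'
)

# Constructed training window: what "normal" looks like for two workstations.
BASELINE_LOGS = """\
2013-09-01T08:00:01Z host=ws-042 dst=10.1.1.5:443 bytes=1200
2013-09-01T08:00:05Z host=ws-042 dst=10.1.1.9:53 bytes=90
2013-09-01T09:12:44Z host=ws-042 dst=10.1.1.5:443 bytes=3300
2013-09-01T09:13:02Z host=ws-077 dst=10.1.1.5:443 bytes=800
2013-09-01T09:20:10Z host=ws-077 dst=10.1.1.9:53 bytes=95
""".splitlines()

# Constructed review window: ws-042 contacts an external address at 02:14
# and then pushes ~50 MB to it, which is what a data theft would look like.
REVIEW_LOGS = """\
2013-09-02T02:14:07Z host=ws-042 dst=10.1.1.9:53 bytes=88
2013-09-02T02:14:09Z host=ws-042 dst=203.0.113.25:443 bytes=410
2013-09-02T02:15:30Z host=ws-042 dst=203.0.113.25:443 bytes=52000000
2013-09-02T08:01:11Z host=ws-077 dst=10.1.1.5:443 bytes=900
""".splitlines()


def parse(lines):
    """Parse log lines into dicts; lines that do not match are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["port"] = int(ev["port"])
            ev["bytes"] = int(ev["bytes"])
            events.append(ev)
    return events


def build_baseline(events):
    """Per host, the set of (destination, port) pairs seen while training."""
    baseline = defaultdict(set)
    for ev in events:
        baseline[ev["host"]].add((ev["dst"], ev["port"]))
    return baseline


def find_deviations(baseline, events, big_transfer=10_000_000):
    """Return (host, reason, event) for each connection that leaves the
    baseline: a destination the host never used before, or a transfer at or
    above big_transfer bytes. A single event can trigger both reasons."""
    alerts = []
    for ev in events:
        key = (ev["dst"], ev["port"])
        if key not in baseline.get(ev["host"], set()):
            alerts.append((ev["host"], "new destination", ev))
        if ev["bytes"] >= big_transfer:
            alerts.append((ev["host"], "large transfer", ev))
    return alerts


def follow_trail(events, host):
    """Every event for one host in time order: the analyst's timeline."""
    return sorted((ev for ev in events if ev["host"] == host),
                  key=lambda e: e["ts"])


if __name__ == "__main__":
    baseline = build_baseline(parse(BASELINE_LOGS))
    review = parse(REVIEW_LOGS)
    for host, reason, ev in find_deviations(baseline, review):
        print(f"{ev['ts']} {host}: {reason} -> {ev['dst']}:{ev['port']} "
              f"({ev['bytes']} bytes)")
    for ev in follow_trail(review, "ws-042"):
        print("trail:", ev["ts"], f"{ev['dst']}:{ev['port']}", ev["bytes"])
```

The baseline here is deliberately simple (a set of destination pairs per host); in practice you would age it, key it on more than destination and port, and tune the transfer threshold per host class, but the shape of the work is the same: learn normal first, then alert on departures and hand the analyst the whole trail rather than a single event.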
The Framework does NOT:

- Require organizations to use the framework. This is a voluntary approach that should be used because it provides a structure for creating, guiding, assessing or improving comprehensive cybersecurity programs based on risk.
- Limit the choice of standards, guidelines, and practices to be used by any organization. The framework suggests references that are widely recognized as useful and up to date.
- Provide a one-size-fits-all approach to addressing cybersecurity risks. Each organization should customize the way in which it uses the framework based on its degree of risk, current cybersecurity efforts, and business needs. The framework does not specify how much risk organizations should take.
- Rely strictly on U.S.-based approaches. It builds on global standards that will harmonize practices.
Core: consists of Functions, Categories, Subcategories, and Informative References. The Functions are Identify, Protect, Detect, Respond and Recover; they provide the anchor that enables communication of cyber risk across an organization.

Profiles: help organizations progress from their current level of cybersecurity sophistication to a target improved state that meets business needs.

Tiers: the options are Partial (Tier 1), Risk-Informed (Tier 2), Risk-Informed and Repeatable (Tier 3) and Adaptive (Tier 4). Each organization will decide which tier matches its risk management needs and capabilities. It is not a race to the top.
Graphical representation of the Framework Core:

- Functions (Identify, Protect, Detect, Respond, Recover)
- Categories
- Subcategories
- Informative References (identified standards and guidelines: ISO/IEC 27001:2013; ISA/IEC 62443; COBIT 5; Critical Security Controls (CSC) Top 20; NIST Special Publication 800-53 Revision 4)
According to the insights gathered from the 2012 IBM Chief Information Security Officer Assessment from May 2012:

Responders are the least confident and focus on protection and compliance.

Protectors are less confident, somewhat strategic, and lack necessary structural elements.

Influencers are confident and prepared, with a strategic focus. The Influencers have the attention of business leaders and their boards. Security is not an ad hoc topic, but rather a regular part of business discussions and, increasingly, the culture. These leaders understand the need for more pervasive risk awareness, and are far more focused on enterprise-wide education, collaboration and communication. They are working closely with business functions to create a culture in which employees take a more proactive role in protecting the enterprise. Because they are more integrated with the business, these security organizations are also able to influence the design of new products and services, incorporating security considerations early in the process. Security leaders are going to become more central to their organizations, their budgets will increase, and they will move from the fringe to being embedded.
The IBM Security Systems portfolio is built around protecting the security domains of People, Data, Applications, and Infrastructure, with a layer of Security Intelligence and Analytics providing true integration and visibility into the enterprise security landscape, and underpinned by IBM X-Force Research providing threat intelligence. The acquisition of Trusteer provides enhanced endpoint protection and threat research, while extending the portfolio with a layer of advanced fraud protection.