IBM Security Strategi Talare: Peter Holm, Sweden Country Manager Security Systems, IBM och Kaja Narum, Integrated Business Unit Leader Security, IBM Security Operations Center behind the curtain Talare: Marcus Hallberg, Technical Solution Specialist, IBM Security From Log to SIEM ... and Incident Response Talare: Marcus Hallberg, Marcus Hallberg, Technical Solution Specialist, IBM Security och Victor Grane, Techical Sales, IBM Security IoT Security Talare: Torbjörn Andersson, Senior Security Consultant, IBM Presentationerna hölls på Watson Kista Summit 2018

1. Watson Kista Summit 2018
2018-02-09
Innovera för en ny säkerhetsverksamhet

2. 2 IBM SECURITY
Agenda
09:00 Introduction and IBM Security Strategy - Peter Holm and Kaja Narum
09:15 Security operation center behind the curtains - Marcus Hallberg
09:45 Networking break
10:00 Security intelligence and incident response - Victor Grane and Marcus Hallberg
10:50 Networking break
11:20 IoT Security - Torbjörn Andersson
11:50 Summary - Peter Holm
12:00 Lunch

3. 3 IBM SECURITY
Agenda
09:00 Introduction and IBM Security Strategy - Peter Holm and Kaja Narum

4. IBM SECURITY STRATEGY
SECURING THE THREATS OF TOMORROW, TODAY
Kaja Narum
February 2018
IBU Security Nordics Leader

5. 5 IBM SECURITY
Cybersecurity is a universal challenge
By 2020, there will be…
5 billion
personal data records stolen
20.8 billion
“things” to secure
$8 trillion
lost to cybercrime
Organizations are using
toomany
tools from too many vendors
TOO MANY
TOOLS
GDPR fines can cost
billions
for large global
companies
COMPLIANCE
MANDATES
By 2022, there will be
1.8million
unfulfilled cybersecurity jobs
SKILLS
SHORTAGE
…while security pressures continue to grow

6. 6 IBM SECURITY
Look familiar?
Criminal detection
Fraud protection
Data access control
Application
security management
Application
scanning
Data protection
Device management
Transaction protection
Content security
Malware protection
Endpoint detection
and response
Endpoint patching
and management
Network forensics and threat management
Virtual patching
Firewalls
Sandboxing
Network visibility and segmentation
Access management
Identity governance and administration
Privileged user management
IDaaS
Indicators of compromise
Malware analysis
Threat sharing
Vulnerability management
Security analytics
Threat and anomaly detection
Incident response
User behavior analytics
Threat hunting and investigation
Mainframe security

7. 7 IBM SECURITY
An integrated and intelligent security immune system
Criminal detection
Fraud protection
Data access control
Application
security management
Application
scanning
Data protection
Malware protection
Endpoint detection
and response
Endpoint patching
and management
Network forensics and threat management
Virtual patching
Firewalls
Sandboxing
Network visibility and segmentation
Access management
Identity governance and administration
Privileged user management
IDaaS
Mainframe security
Indicators of compromise
Malware analysis
Threat sharing
Device management
Transaction protection
Content security
Vulnerability management
Security analytics
Threat and anomaly detection
Incident response
User behavior analytics
Threat hunting and investigation

8. 8 IBM SECURITY
IBM Security Immune System
QRadar Incident Forensics
QRadar Network Insights
Managed Network Security
Secure SD-WAN
X-Force Exchange | Malware Analysis
X-Force IRIS
Guardium | Multi-cloud Encryption | Key Manager
Critical Data Protection Services
Identity Governance and Access
Cloud Identity
zSecure
Identity Management Services
MaaS360
Mobile Device
Management
Trusteer
Financial Malware
Research
AppScan
Application
Security on Cloud
X-Force Red
SDLC Consulting
QRadar | Watson | Resilient | i2
Security Operations Consulting
X-Force Command Centers
X-Force IRIS
BigFix
Managed
Detection
& Response
App Exchange
Hybrid Cloud Security Services
Products
Services

9. How do our clients approach cybersecurity challenge?
PeopleApplications Data Infrastructure
Is your SDLC
Secure by Design?
Do your applications
have vulnerabilities?
What applications exist
in your environment?
What are your critical
data assets?
Where are those
critical data assets?
Based on risk and
criticality, what controls
are required?
Who has access to
what in your
environment?
Do you have a proper
identity governance
program?
What are your
privileged users
doing?
Can you identify an
insider threat?
Are your third party
applications secure?
Is your data exposed?
Is your perimeter
able to identify and
prevent an attack?
Can you identify and
prevent the Zero Day
Threat on your
endpoints?
Can you quarantine a
threat before it impacts
your operations?
Can you track an
intruders’ footstepsin
your environment?
Do you have visibilityto
all assets (e.g. mobile,
IoT) in all environments
(e.g. on-prem, cloud)?
Have you addressed
known vulnerabilities?
An Integrated And Comprehensive Lifecycle Approach Is Required

10. IBM Threat Management Framework
A proven, standards-based approach to prevent, detect, respond to and recover from cybersecurity threats
PROGRAM GOVERNANCE
Threat
Insight
Threat
Prevention
Threat
Detection
Threat
Response
Threat
Recovery
Applications PeopleData Infrastructure
Technology
People

11. NIST Cybersecurity Framework
A globally recognized policy framework to prevent, detect, respond to and recover from cybersecurity threats
Identify Prevent Detect Respond Recover
Organizational understanding to
manage cyber risk to systems,
assets, capabilities and data
The controls and safeguards
necessary to protect or deter
cybersecurity threats
Continuous monitoring to provide
proactive and real-time alerts of
cybersecurity events
Activities to take action
regarding a detected
cybersecurity event
Business continuity
plans to maintain
resilience and recover
capabilities after an
attack

12. ibm.com/security
securityintelligence.com
xforce.ibmcloud.com
@ibmsecurity
youtube/user/ibmsecuritysolutions
© Copyright IBM Corporation 2016. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind, express or implied. IBM shall
not be responsible for any damages arising out of the use of, or otherwise related to, these materials. Nothing contained in these materials is intended to, nor shall have the effect of, creating any warranties or representations from IBM
or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software. References in these materials to IBM products, programs, or services do not imply that they will
be available in all countries in which IBM operates. Product release dates and / or capabilities referenced in these materials may change at any time at IBM’s sole discretion based on market opportunities or other factors, and are not
intended to be a commitment to future product or feature availability in any way. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other
countries or both. Other company, product, or service names may be trademarks or service marks of others.
Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise. Improper access can
result in information being altered, destroyed, misappropriated or misused or can result in damage to or misuse of your systems, including for use in attacks on others. No IT system or product should be considered completely secure
and no single product, service or security measure can be completely effective in preventing improper use or access. IBM systems, products and services are designed to be part of a lawful, comprehensive security approach, which
will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective.
IBM DOES NOT WARRANT THAT ANYSYSTEMS, PRODUCTS OR SERVICES ARE IMMUNE FROM, OR WILL MAKE YOUR ENTERPRISE IMMUNE FROM, THE MALICIOUS OR ILLEGAL CONDUCT
OF ANY PARTY.
FOLLOW US ON:
THANK YOU

13. 13 IBM SECURITY
Agenda
09:00 Introduction and IBM Security Strategy - Peter Holm and Kaja Narum
09:15 Security operation center behind the curtains - Marcus Hallberg

14. Security operation center behind the curtains
WATSON SUMMIT STOCKHOLM 2018-02-06
Marcus Hallberg,
Security solution specialist

15. 15 IBM SECURITY
What is it?
“A security operations center (SOC) can be
defined both as a team, often operating in
shifts around the clock, and a facility
dedicated to and organized to prevent, detect,
assess and respond to cybersecurity threats
and incidents, and to fulfill and assess
regulatory compliance.”
Gartner, October 12th 2017
“A security operations center (SOC) is a facility
that houses an information security team
responsible for monitoring and analyzing an
organization’s security posture on an ongoing
basis. The SOC team’s goal is to detect,
analyze, and respond to cybersecurity
incidents using a combination of technology
solutions and a strong set of processes.”
Digital Guardian, January 15th 2018

16. 16 IBM SECURITY
Why are we building one?
What are our goals?
• Protect our clients?
• Fulfill compliance?
• Avoid data breach?
• Ensure security monitoring?
What are the prerequisites?
• Funds?
• Delivery?
• Timeline?
• Sponsorship?

17. 17 IBM SECURITY
Deploy
Optimize
Build
Plan
Design
SOC Transformation
Build next generation security operations
SOC Maturity
Assess and transform your security posture
Metrics
Technology
Governance
Process
Organization
What is our current state?

18. 18 IBM SECURITY
Balance your priorities
Business Requirements
Centralized Decentralized
Technical Requirements
Standard Highly Customized
Risk Tolerance
Externally Managed Internally Managed
Financial Constraints
Low Cost High Cost

19. 19 IBM SECURITY
Governance
OperationsTechnology

20. 20 IBM SECURITY
• Mission/vision set
• Roadmap
• Cross functional
matrixed ops.
• Minimal capabilities
• Center ops go-live
• Basic capabilities
est.
• SIEM, Log Mgmt
• Big Data POC
• Core processes est.
• Metrics collected
• Basic Reporting
• Foundational
use cases / rules
• Basic capabilities
enhanced, improving
• Network/Flow
Analysis
• BI tools and portal
• Big Data pilot
• Context data added
• Semi-structured data
• Processes stable
• Enhanced reporting
• Roadmap maintained
• Network Forensics
• Big data analytics
become operational
• Fraud mgmt. est.
• Predictive threat
management PoC
• Unstructured Data
• BU security data
warehouse etc.
• Guided analytics in
place for IT, BU’s
• Process statistical
quality control est.
Phase 2
Managed
~ 1 year
Phase 3
Defined
~ 1 year
Phase 4
Quantitatively managed
~ 1 year
Phase 1
Initial
~ 6 months
Phase 5
Optimized
~ 1 year
• Vulnerability Risk
• Auto Response
• Enhanced Big data
analytics use cases
• Predictive threat
management est.
• Major strategy and
roadmap update
including org. design,
vision and mission
• Board Level security
analytics dashboard
• Use cases maturity
Start the journey

21. ibm.com/security
securityintelligence.com
xforce.ibmcloud.com
@ibmsecurity
youtube/user/ibmsecuritysolutions
© Copyright IBM Corporation 2016. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind, express or implied. IBM shall
not be responsible for any damages arising out of the use of, or otherwise related to, these materials. Nothing contained in these materials is intended to, nor shall have the effect of, creating any warranties or representations from IBM
or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software. References in these materials to IBM products, programs, or services do not imply that they will
be available in all countries in which IBM operates. Product release dates and / or capabilities referenced in these materials may change at any time at IBM’s sole discretion based on market opportunities or other factors, and are not
intended to be a commitment to future product or feature availability in any way. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other
countries or both. Other company, product, or service names may be trademarks or service marks of others.
Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise. Improper access can
result in information being altered, destroyed, misappropriated or misused or can result in damage to or misuse of your systems, including for use in attacks on others. No IT system or product should be considered completely secure
and no single product, service or security measure can be completely effective in preventing improper use or access. IBM systems, products and services are designed to be part of a lawful, comprehensive security approach, which
will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective.
IBM DOES NOT WARRANT THAT ANYSYSTEMS, PRODUCTS OR SERVICES ARE IMMUNE FROM, OR WILL MAKE YOUR ENTERPRISE IMMUNE FROM, THE MALICIOUS OR ILLEGAL CONDUCT
OF ANY PARTY.
FOLLOW US ON:
THANK YOU

22. 22 IBM SECURITY
Agenda
09:00 Introduction and IBM Security Strategy - Peter Holm and Kaja Narum
09:15 Security operation center behind the curtains - Marcus Hallberg
09:45 Networking break
10:00 Security intelligence and incident response - Victor Grane and Marcus Hallberg

23. Security intelligence and incident response
WATSON SUMMIT STOCKHOLM 2018-02-06
Victor Grane,
Security solution specialist
Marcus Hallberg,
Security solution specialist

24. 24 IBM SECURITY
Where are the “bad guys”?
• Insider threats: 60-70% of
security incidents
• Inadvertent actors is a
major part
• Attack vectors through
spam and social
engineering
IBM X-Force 2017

25. 25 IBM SECURITY
How do you evolve your security program for the future?
COGNITIVE, CLOUD,
and COLLABORATION
INTELLIGENCE
and INTEGRATION
LAYERED
DEFENSES

26. 26 IBM SECURITY
An integrated and intelligent security “immune” system
SECURITY
INTELLIGENCE
DATA
APPS
IDENTITY
& ACCESS
MOBILE
ADVANCED
FRAUD
THREAT
INTEL
ENDPOINT NETWORK

27. 27 IBM SECURITY
Advanced Threat
Detection
Detect
Insider Threat
Secure Cloud
Usage
Risk and Vuln
Management
Critical Data
Protection
Compliance
Data Leakage
Security intelligence driven by use-cases

28. 28 IBM SECURITY
Security Intelligence driven by relevant use cases
- Detecting user activity anomalies

29. Moving towards
Cognitive Security

30. 30 IBM SECURITY
Challenges for a Security analyst
Quick Insights: Current Security Status
Threats Alerts
Available
analysts
Knowledge
needed
Available
time
• Must constantly maintain and
monitor
defensive measures
• Keep current on new threats and
vulnerabilities
• Greater demand for skilled
resources
increases costs
• Accuracy and responsiveness are
essential

31. 31 IBM SECURITY
20% of Security
data is structured data
and readable by
computers.
80% of Security
data is unstructured,
created for humans, and
inaccessible to traditional
systems.
720K
Security blogs
per year
180K
Security related news
articles per year
10K
Security research
papers per year
• Security events and
alerts
• Threat and vulnerability
feeds
• User and network
activity
• Industry
publications
• Forensic
information
• Threat
intelligence
commentary
• Conference
presentations
• Analyst reports
• Webpages
• Wikis
• Tweets
• Logs and configuration
data

32. 32 IBM SECURITY
Making Cognitive Security accessible to the Security Analyst
SECURITY
ANALYSTS
SECURITY
ANALYTICS
QRadar
Advisor
With
Watson
Watson
for Cyber
Security
Watson
for Cyber
Security

33. 33 IBM SECURITY
Credentials
Stolen
Database
Stolen
Encrypted
Communication
FBI Calls
CEO
Remote Access
to Network
Additional
Compromises
First Public
Indicator
Phishing
Email
Malware
Deployed
BOOM
Twitter
Sentiment
Falls
Insider?
Victim?
Response
Website
Update C-Level
Executives
Press
Conference
Validate Altered
Financial Reports
Notify
Customers &
Partners
SEC
Investigation
Stock Price
Falls
Forensic
Research
Board of
Directors Meeting
Legal
Deposition
IBM Intellectual Property
Timeline of events: Left and right of BOOM!

34. 34 IBM SECURITY

35. 35 IBM SECURITY
User Behavior
Analytics Workflow
Game
TheoryRunbooks
Threat
Hunting
SWOT & Decision
Tree Analysis
Agile SOC
Framework
Human
Factor
Chaos
Everyday
Increase Cost
for Bad Guys
Transparency
equals trust
Mobile SOC
Mobile Data
Center
Security culture

36. 36 IBM SECURITY

37. 37 IBM SECURITY
Maersk’s frontline staff across
130 countries were told to,
“Do what you think is right to
serve the customer — don’t
wait for HQ. We’ll accept the
cost”.
Soren Skou
CEO, Maersk

38. ibm.com/security
securityintelligence.com
xforce.ibmcloud.com
@ibmsecurity
youtube/user/ibmsecuritysolutions
© Copyright IBM Corporation 2016. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind, express or implied. IBM shall
not be responsible for any damages arising out of the use of, or otherwise related to, these materials. Nothing contained in these materials is intended to, nor shall have the effect of, creating any warranties or representations from IBM
or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software. References in these materials to IBM products, programs, or services do not imply that they will
be available in all countries in which IBM operates. Product release dates and / or capabilities referenced in these materials may change at any time at IBM’s sole discretion based on market opportunities or other factors, and are not
intended to be a commitment to future product or feature availability in any way. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other
countries or both. Other company, product, or service names may be trademarks or service marks of others.
Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise. Improper access can
result in information being altered, destroyed, misappropriated or misused or can result in damage to or misuse of your systems, including for use in attacks on others. No IT system or product should be considered completely secure
and no single product, service or security measure can be completely effective in preventing improper use or access. IBM systems, products and services are designed to be part of a lawful, comprehensive security approach, which
will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective.
IBM DOES NOT WARRANT THAT ANYSYSTEMS, PRODUCTS OR SERVICES ARE IMMUNE FROM, OR WILL MAKE YOUR ENTERPRISE IMMUNE FROM, THE MALICIOUS OR ILLEGAL CONDUCT
OF ANY PARTY.
FOLLOW US ON:
THANK YOU

39. 39 IBM SECURITY
Agenda
09:00 Introduction and IBM Security Strategy - Peter Holm and Kaja Narum
09:15 Security operation center behind the curtains - Marcus Hallberg
09:45 Networking break
10:00 Security intelligence and incident response - Victor Grane and Marcus Hallberg
10:50 Networking break
11:20 IoT Security - Torbjörn Andersson

40. IoT Security
WATSON SUMMIT STOCKHOLM 2018-02-06
Torbjörn Andersson,
Senior Security & Privacy Consultant, CISSP, CCSP, CISM

41. 41 IBM SECURITY
The IoT landscape –wow!

42. 42 IBM SECURITY4
2
https://www.dailydot.com/layer8/bruce-schneier-internet-of-things/
What are the cyber threats IoT is facing?

43. 43 IBM SECURITY4
3
Cyber attack on Ukraine power grid 2015

44. 44 IBM SECURITY4
4
IoT cyber threats, let’s get personal

45. 45 IBM SECURITY
An evolution, you say?

46. 46 IBM SECURITY
Lack of granular access control
Lack of encryption/key management
Insecure cloud and mobile APIs
Insufficient authentication/authorization
“bad Internet neighborhoods”
The threats of IoT devices –the basics!

47. 47 IBM SECURITY
RFID
NFC
Z-
Wave
Bluetooth
6LowPAN
LPWA
N
Cellular
Zig-bee
Network layer
IOT
The threats of IoT devices –the basics!

48. 48 IBM SECURITY
The lack of standardization – welcome to the wild west!

49. 49 IBM SECURITY
Use cases – Connected cars

50. 50 IBM SECURITY
Business-facing applications
Manufacturing
Healthcare
Energy
Transportation
Consumer-facing applications
Home automation
Security systems
Wearables
IoT market by application

51. 51 IBM SECURITY
Managed servicesProfessional services
Identity Access Management
Data Encryption and Tokenization
Intrusion Detection System/Intrusion Prevention System
Device Authentication and Management
Secure Software and Firmware Update
Secure Communications
PKI Lifecycle Management
Distributed Denial of Service Protection Security Analytics
The IoT Security market 2018 – It’s blurry!

52. 52 IBM SECURITY
Watson IoT Center,
Munich
Makers of things - Design and manufacture securely
• Design for security
• Design for privacy
• Test for security
• Continuous delivery model
• Ensure integrity in manufacturing and delivery
Operator of things - Operate securely
• Harden the device (check for device resiliency) –
Secure the communications channel
• Audit and analyse usage patterns
• Maintain an up-to-date security environment
• Create a trusted maintenance ecosystem
Makers and operators of things have to introduce security
within entire product lifecycle.
IBM IoT Security

53. 53 IBM SECURITY
Continuously stop attacks,
remediate vulnerabilities
• Disrupt malware and exploits
• Discover and patch endpoints
• Automatically fix vulnerabilities
Respond to incidents quickly, with precision
• Hunt for indicators
using deep forensics
• Orchestrate and
automate incident
response
Discover unknown threats
with advanced analytics
• See attacks across IoT
infrastructure
• Sense abnormal behaviors
• Hunt for cyber attackers
• Automatically prioritize threats
RESPOND
PREDICT
In order to protect functionality of things security must be continuously adopted.
IoT Security Strategy – immune system

54. 54 IBM SECURITY
Security principles must be applied, security controls added
to reduce risk.
Secure
IoT Infrastructure
Secure
Communication
Security Information
and Event Mgmt.
Security Operation
Center
Preemptive
Security
Security
Intelligence
Potential controls:
• identity control
• access management
• storage
• ...
operating in secure/trusted
environment
IoT Security Strategy – principles and controls

55. 55 IBM SECURITY
Blockchain + IoT

56. 56 IBM SECURITY
Summery IT+OT+IOT=TRUE

57. 57 IBM SECURITY
Agenda
09:00 Introduction and IBM Security Strategy - Peter Holm and Kaja Narum
09:15 Security operation center behind the curtains - Marcus Hallberg
09:45 Networking break
10:00 Security intelligence and incident response - Victor Grane and Marcus Hallberg
10:50 Networking break
11:20 IoT Security - Torbjörn Andersson
11:50 Summary - Peter Holm
12:00 Lunch

58. ibm.com/security
securityintelligence.com
xforce.ibmcloud.com
@ibmsecurity
youtube/user/ibmsecuritysolutions
© Copyright IBM Corporation 2016. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind, express or implied. IBM shall
not be responsible for any damages arising out of the use of, or otherwise related to, these materials. Nothing contained in these materials is intended to, nor shall have the effect of, creating any warranties or representations from IBM
or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software. References in these materials to IBM products, programs, or services do not imply that they will
be available in all countries in which IBM operates. Product release dates and / or capabilities referenced in these materials may change at any time at IBM’s sole discretion based on market opportunities or other factors, and are not
intended to be a commitment to future product or feature availability in any way. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other
countries or both. Other company, product, or service names may be trademarks or service marks of others.
Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise. Improper access can
result in information being altered, destroyed, misappropriated or misused or can result in damage to or misuse of your systems, including for use in attacks on others. No IT system or product should be considered completely secure
and no single product, service or security measure can be completely effective in preventing improper use or access. IBM systems, products and services are designed to be part of a lawful, comprehensive security approach, which
will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective.
IBM DOES NOT WARRANT THAT ANYSYSTEMS, PRODUCTS OR SERVICES ARE IMMUNE FROM, OR WILL MAKE YOUR ENTERPRISE IMMUNE FROM, THE MALICIOUS OR ILLEGAL CONDUCT
OF ANY PARTY.
FOLLOW US ON:
THANK YOU