IBM Security Strategy
Speakers: Peter Holm, Sweden Country Manager Security Systems, IBM and Kaja Narum, Integrated Business Unit Leader Security, IBM
Security Operations Center behind the curtain
Speaker: Marcus Hallberg, Technical Solution Specialist, IBM Security
From Log to SIEM ... and Incident Response
Speakers: Marcus Hallberg, Technical Solution Specialist, IBM Security and Victor Grane, Technical Sales, IBM Security
IoT Security
Speaker: Torbjörn Andersson, Senior Security Consultant, IBM
The presentations were given at Watson Kista Summit 2018.
2. IBM SECURITY
Agenda
09:00 Introduction and IBM Security Strategy - Peter Holm and Kaja Narum
09:15 Security operation center behind the curtains - Marcus Hallberg
09:45 Networking break
10:00 Security intelligence and incident response - Victor Grane and Marcus Hallberg
10:50 Networking break
11:20 IoT Security - Torbjörn Andersson
11:50 Summary - Peter Holm
12:00 Lunch
5. Cybersecurity is a universal challenge
By 2020, there will be…
5 billion personal data records stolen
20.8 billion “things” to secure
$8 trillion lost to cybercrime
TOO MANY TOOLS: Organizations are using too many tools from too many vendors
COMPLIANCE MANDATES: GDPR fines can cost billions for large global companies
SKILLS SHORTAGE: By 2022, there will be 1.8 million unfulfilled cybersecurity jobs
…while security pressures continue to grow
6. Look familiar?
Criminal detection
Fraud protection
Data access control
Application security management
Application scanning
Data protection
Device management
Transaction protection
Content security
Malware protection
Endpoint detection and response
Endpoint patching and management
Network forensics and threat management
Virtual patching
Firewalls
Sandboxing
Network visibility and segmentation
Access management
Identity governance and administration
Privileged user management
IDaaS
Indicators of compromise
Malware analysis
Threat sharing
Vulnerability management
Security analytics
Threat and anomaly detection
Incident response
User behavior analytics
Threat hunting and investigation
Mainframe security
7. An integrated and intelligent security immune system
Criminal detection
Fraud protection
Data access control
Application security management
Application scanning
Data protection
Malware protection
Endpoint detection and response
Endpoint patching and management
Network forensics and threat management
Virtual patching
Firewalls
Sandboxing
Network visibility and segmentation
Access management
Identity governance and administration
Privileged user management
IDaaS
Mainframe security
Indicators of compromise
Malware analysis
Threat sharing
Device management
Transaction protection
Content security
Vulnerability management
Security analytics
Threat and anomaly detection
Incident response
User behavior analytics
Threat hunting and investigation
9. How do our clients approach the cybersecurity challenge?
People, Applications, Data, Infrastructure
• Is your SDLC Secure by Design?
• Do your applications have vulnerabilities?
• What applications exist in your environment?
• What are your critical data assets?
• Where are those critical data assets?
• Based on risk and criticality, what controls are required?
• Who has access to what in your environment?
• Do you have a proper identity governance program?
• What are your privileged users doing?
• Can you identify an insider threat?
• Are your third party applications secure?
• Is your data exposed?
• Is your perimeter able to identify and prevent an attack?
• Can you identify and prevent the Zero Day Threat on your endpoints?
• Can you quarantine a threat before it impacts your operations?
• Can you track an intruder’s footsteps in your environment?
• Do you have visibility to all assets (e.g. mobile, IoT) in all environments (e.g. on-prem, cloud)?
• Have you addressed known vulnerabilities?
An Integrated And Comprehensive Lifecycle Approach Is Required
10. IBM Threat Management Framework
A proven, standards-based approach to prevent, detect, respond to and recover from cybersecurity threats
PROGRAM GOVERNANCE
Threat Insight | Threat Prevention | Threat Detection | Threat Response | Threat Recovery
Applications, People, Data, Infrastructure
Technology
People
11. NIST Cybersecurity Framework
A globally recognized policy framework to prevent, detect, respond to and recover from cybersecurity threats
• Identify: Organizational understanding to manage cyber risk to systems, assets, capabilities and data
• Prevent: The controls and safeguards necessary to protect or deter cybersecurity threats
• Detect: Continuous monitoring to provide proactive and real-time alerts of cybersecurity events
• Respond: Activities to take action regarding a detected cybersecurity event
• Recover: Business continuity plans to maintain resilience and recover capabilities after an attack
13. Agenda
09:00 Introduction and IBM Security Strategy - Peter Holm and Kaja Narum
09:15 Security operation center behind the curtains - Marcus Hallberg
14. Security operation center behind the curtains
WATSON SUMMIT STOCKHOLM 2018-02-06
Marcus Hallberg, Security solution specialist
15. What is it?
“A security operations center (SOC) can be defined both as a team, often operating in shifts around the clock, and a facility dedicated to and organized to prevent, detect, assess and respond to cybersecurity threats and incidents, and to fulfill and assess regulatory compliance.”
Gartner, October 12th 2017
“A security operations center (SOC) is a facility that houses an information security team responsible for monitoring and analyzing an organization’s security posture on an ongoing basis. The SOC team’s goal is to detect, analyze, and respond to cybersecurity incidents using a combination of technology solutions and a strong set of processes.”
Digital Guardian, January 15th 2018
16. Why are we building one?
What are our goals?
• Protect our clients?
• Fulfill compliance?
• Avoid data breach?
• Ensure security monitoring?
What are the prerequisites?
• Funds?
• Delivery?
• Timeline?
• Sponsorship?
17. What is our current state?
Plan, Design, Build, Deploy, Optimize
SOC Transformation: Build next generation security operations
SOC Maturity: Assess and transform your security posture
Metrics, Technology, Governance, Process, Organization
18. Balance your priorities
Business Requirements: Centralized vs. Decentralized
Technical Requirements: Standard vs. Highly Customized
Risk Tolerance: Externally Managed vs. Internally Managed
Financial Constraints: Low Cost vs. High Cost
20. Start the journey
Phase 1: Initial (~ 6 months)
• Mission/vision set
• Roadmap
• Cross functional matrixed ops.
• Minimal capabilities
Phase 2: Managed (~ 1 year)
• Center ops go-live
• Basic capabilities est.
• SIEM, Log Mgmt
• Big Data POC
• Core processes est.
• Metrics collected
• Basic Reporting
• Foundational use cases / rules
Phase 3: Defined (~ 1 year)
• Basic capabilities enhanced, improving
• Network/Flow Analysis
• BI tools and portal
• Big Data pilot
• Context data added
• Semi-structured data
• Processes stable
• Enhanced reporting
• Roadmap maintained
Phase 4: Quantitatively managed (~ 1 year)
• Network Forensics
• Big data analytics become operational
• Fraud mgmt. est.
• Predictive threat management PoC
• Unstructured Data
• BU security data warehouse etc.
• Guided analytics in place for IT, BU’s
• Process statistical quality control est.
Phase 5: Optimized (~ 1 year)
• Vulnerability Risk
• Auto Response
• Enhanced Big data analytics use cases
• Predictive threat management est.
• Major strategy and roadmap update including org. design, vision and mission
• Board Level security analytics dashboard
• Use cases maturity
22. Agenda
09:00 Introduction and IBM Security Strategy - Peter Holm and Kaja Narum
09:15 Security operation center behind the curtains - Marcus Hallberg
09:45 Networking break
10:00 Security intelligence and incident response - Victor Grane and Marcus Hallberg
23. Security intelligence and incident response
WATSON SUMMIT STOCKHOLM 2018-02-06
Victor Grane, Security solution specialist
Marcus Hallberg, Security solution specialist
24. Where are the “bad guys”?
• Insider threats: 60-70% of security incidents
• Inadvertent actors are a major part
• Attack vectors through spam and social engineering
IBM X-Force 2017
25. How do you evolve your security program for the future?
COGNITIVE, CLOUD, and COLLABORATION
INTELLIGENCE and INTEGRATION
LAYERED DEFENSES
26. An integrated and intelligent security “immune” system
SECURITY INTELLIGENCE
DATA | APPS | IDENTITY & ACCESS | MOBILE | ADVANCED FRAUD | THREAT INTEL | ENDPOINT | NETWORK
27. Security intelligence driven by use-cases
Advanced Threat Detection
Detect Insider Threat
Secure Cloud Usage
Risk and Vuln Management
Critical Data Protection
Compliance
Data Leakage
28. Security Intelligence driven by relevant use cases
- Detecting user activity anomalies
30. Challenges for a Security analyst
Quick Insights: Current Security Status
Threats | Alerts | Available analysts | Knowledge needed | Available time
• Must constantly maintain and monitor defensive measures
• Keep current on new threats and vulnerabilities
• Greater demand for skilled resources increases costs
• Accuracy and responsiveness are essential
32. Making Cognitive Security accessible to the Security Analyst
SECURITY ANALYSTS
SECURITY ANALYTICS
QRadar Advisor With Watson
Watson for Cyber Security
35. Security culture
User Behavior Analytics Workflow
Game Theory
Runbooks
Threat Hunting
SWOT & Decision Tree Analysis
Agile SOC Framework
Human Factor
Chaos Everyday
Increase Cost for Bad Guys
Transparency equals trust
Mobile SOC
Mobile Data Center
37. Maersk’s frontline staff across 130 countries were told to, “Do what you think is right to serve the customer — don’t wait for HQ. We’ll accept the cost”.
Soren Skou, CEO, Maersk
39. Agenda
09:00 Introduction and IBM Security Strategy - Peter Holm and Kaja Narum
09:15 Security operation center behind the curtains - Marcus Hallberg
09:45 Networking break
10:00 Security intelligence and incident response - Victor Grane and Marcus Hallberg
10:50 Networking break
11:20 IoT Security - Torbjörn Andersson
46. The threats of IoT devices – the basics!
Lack of granular access control
Lack of encryption/key management
Insecure cloud and mobile APIs
Insufficient authentication/authorization
“bad Internet neighborhoods”
50. IoT market by application
Business-facing applications: Manufacturing, Healthcare, Energy, Transportation
Consumer-facing applications: Home automation, Security systems, Wearables
51. The IoT Security market 2018 – It’s blurry!
Managed services / Professional services
Identity Access Management
Data Encryption and Tokenization
Intrusion Detection System/Intrusion Prevention System
Device Authentication and Management
Secure Software and Firmware Update
Secure Communications
PKI Lifecycle Management
Distributed Denial of Service Protection
Security Analytics
52. IBM IoT Security
Watson IoT Center, Munich
Makers of things - Design and manufacture securely
• Design for security
• Design for privacy
• Test for security
• Continuous delivery model
• Ensure integrity in manufacturing and delivery
Operator of things - Operate securely
• Harden the device (check for device resiliency)
• Secure the communications channel
• Audit and analyse usage patterns
• Maintain an up-to-date security environment
• Create a trusted maintenance ecosystem
Makers and operators of things have to introduce security within the entire product lifecycle.
53. IoT Security Strategy – immune system
Continuously stop attacks, remediate vulnerabilities
• Disrupt malware and exploits
• Discover and patch endpoints
• Automatically fix vulnerabilities
Respond to incidents quickly, with precision
• Hunt for indicators using deep forensics
• Orchestrate and automate incident response
Discover unknown threats with advanced analytics
• See attacks across IoT infrastructure
• Sense abnormal behaviors
• Hunt for cyber attackers
• Automatically prioritize threats
RESPOND
PREDICT
In order to protect the functionality of things, security must be continuously adopted.
54. IoT Security Strategy – principles and controls
Security principles must be applied, security controls added to reduce risk.
Secure IoT Infrastructure
Secure Communication
Security Information and Event Mgmt.
Security Operation Center
Preemptive Security
Security Intelligence
Potential controls:
• identity control
• access management
• storage
• ...
operating in secure/trusted environment
57. Agenda
09:00 Introduction and IBM Security Strategy - Peter Holm and Kaja Narum
09:15 Security operation center behind the curtains - Marcus Hallberg
09:45 Networking break
10:00 Security intelligence and incident response - Victor Grane and Marcus Hallberg
10:50 Networking break
11:20 IoT Security - Torbjörn Andersson
11:50 Summary - Peter Holm
12:00 Lunch