
IBM Software Day 2013. Defending against cyber threats with security intelligence


Page 2

Defending Against Cyber Threats with Security Intelligence and Behavioral Analytics

Bob Kalka, CRISC, Director, IBM Security, [email protected]

Page 3

Four Key Drivers

• Everything is everywhere: organizations continue to move to new platforms including cloud, virtualization, mobile, social business and more.

• Consumerization of IT: with the advent of Enterprise 2.0 and social business, the line between personal and professional hours, devices and data has disappeared.

• Data explosion: the age of Big Data, the explosion of digital information, has arrived and is facilitated by the pervasiveness of applications accessed from everywhere.

• Attack sophistication: the speed and dexterity of attacks has increased, coupled with new actors with new motivations, from cyber crime to terrorism to state-sponsored intrusions.

Page 4

[Figure: 2011 Sampling of Security Incidents by Attack Type, Time and Impact. Bubble chart of breaches plotted by month (Jan through Dec), coloured by attack type (SQL Injection, URL Tampering, Spear Phishing, 3rd Party Software, DDoS, SecureID, Trojan Software, Unknown) and labelled by victim industry (Marketing, Services, Online Gaming, Gaming, Internet Services, Online Services, Central Government, Government Consulting, Consulting, IT Security, Banking, Insurance, Financial Market, Telecommunications, Entertainment, Consumer Electronics, Agriculture, Apparel, Heavy Industry, Defense, National Police, State Police, Police). Size of circle estimates relative impact of breach in terms of cost to business. Source: IBM X-Force® Research 2011 Trend and Risk Report.]

Page 5

IBM Security: Delivering intelligence, integration and expertise across a comprehensive framework

Intelligence ● Integration ● Expertise

Page 6

Security Intelligence

Now: Intelligence

• Real-time monitoring

• Context-aware anomaly detection

• Automated correlation and analytics

Then: Collection

• Log collection

• Signature-based detection

Inputs: logs, events, alerts; configuration information; system audit trails; external threat feeds; e-mail and social activity; network flows and anomalies; identity context; business process data; malware information.

Page 7

People (Monitor Everything)

Now: Insight

• Identify and monitor highest risk users

• Know who has access to sensitive data and systems

• Baseline normal behavior

• Prioritize privileged identities

Then: Administration

• Identity management

• Cost control

Page 8

Data (Monitor Everything)

Now: Laser Focus

• Discover and protect high-value data

• Understand who is accessing the data, at what time of day, from where, and in what role

• Baseline normal behavior

Then: Basic Control

• Simple access controls and encryption

Page 9

Applications (Monitor Everything)

Now: Built-in

• Harden applications with access to sensitive data

• Scan source and real-time

• Baseline normal application behavior and alert

Then: Bolt-on

• Periodic scanning of Web applications

Page 10

Infrastructure (Monitor Everything)

Now: Smarter Defenses

• Baseline system and network behavior

• Analyze unknown threats using advanced heuristics

• Expand coverage into cloud and mobile environments

Then: Thicker Walls

• Firewalls, manual patching, and antivirus

• Focus on perimeter security

Page 12

[Figure: IBM Security Systems - Security Intelligence. Capability maturity grid placing each capability on a Basic / Proficient / Optimized scale across the People, Data, Applications, Infrastructure and Security Intelligence domains. Capabilities shown: Directory management; Access Mgmt. and Strong Authentication; Fine-grained entitlements; Database Activity Monitoring; Privileged user management; Test Data Masking; Encryption; Hybrid Scanning and Correlation; Encryption Key Management; Data Discovery and Classification; Fraud Detection; Data Loss Prevention; Anomaly Detection; Network Security; Host Security; Virtualized; Static Source Code Scanning; Dynamic Vulnerability Analysis; Web Application Protection; User Provisioning; Anti-Virus; Endpoint Security Management; Log Management; Flow Analytics; Predictive Analytics; Multi-faceted Network Protection; Professional Assessments; Identity governance; Managed Security Services; SIEM; GRC.]

Page 13

[Figure: the same Basic / Proficient / Optimized capability grid as the previous slide, with each capability overlaid by the IBM product or service that delivers it. Products and services shown: Security Policy Manager; QRadar SIEM; Privileged Identity Manager; InfoSphere Identity Insight; InfoSphere Discovery; Key Lifecycle Manager; Network Anomaly Detection; AppScan family; Access Manager family; Federated Identity Manager; InfoSphere Guardium; TEM for Core Protection; GTS partnerships; Guardium Data Masking; Virtual Server Protection (VSP); VFLOW; IPS, XGS, DataPower; AppScan Source; Endpoint Manager; zSecure; Directory Integrator; Directory Server; InfoSphere Guardium Encryption Expert; STG Solutions; PGP (GTS); Network IPS; Host Protection, RACF; AppScan Standard; Endpoint Manager for Core Protection; QRadar Log Manager; QFLOW/VFLOW; XGS; QRadar Risk Manager; GTS and BPs; Identity Manager/Role Lifecycle Manager; Identity Manager; GRC: OpenPages.]

Page 14

IBM Security Services: Professional and Managed Services Capabilities

Security Consulting

• Broad security capability consultative assessments and planning

• Compliance focused assessments (e.g. PCI, SCADA, HIPAA)

• Information Security Assessments

Security Intelligence & Operations

• SOC and SIEM assessments and planning

• SOC architecture and design (people, process and technology)

Identity and Access Management

• Identity assessment and planning

• Identity solution architecture, design and deployment for access, provisioning, single sign on and two factor authentication

• Managed identity services

Data & Application / SDLC Security

• Application secure engineering

• Data security assessments and enterprise planning

• Database protection solution design and deployment

• Endpoint and network data control (DLP, encryption) solution design and deployment

Infrastructure Security

• Technical infrastructure assessments and planning

• Infrastructure solution (UTM, Firewall, IDPS) design and deployment

• Network, endpoint, server

Cyber Security Assessment & Response

• Application technical testing and source code scanning

• Infrastructure penetration testing

• Emergency response services

Managed Security & Cloud Services

• Security event monitoring and managed protection

• Security intelligence analysis

• Security infrastructure device (UTM, firewall, IDPS) monitoring & management

• Mobile device management

• Hosted / managed SIEM, application, email, vulnerability scanning