IBM QRadar User Behavior Analytics: Detecting Insider Threat and Risks
May 2017
IBM Security
Agenda
• Problem Context
• Typical Challenges
• IBM UBA capabilities with machine learning analytics
• IBM's integrated approach to insider threat protection
• Case Study
• Next Steps
Johnny Shin, Executive Consultant - Identity and Access Management Architecture & Program Delivery
Jas Johal, Sr. Offering Manager – IAM Services, IBM Security
Milan Patel, Program Director Security Offerings Management, IBM Security
Increasing attacks, shortage of skills and growing insider threats continue to dominate

Too Few People: 1M anticipated shortfall for InfoSec analysts by 2020
Too Many Tools: 85 security tools from 45 vendors
Increasing Attack Activity: 64% more security incidents from 2014-2015; 100's of incidents and events daily
Growing Insider Risk: 37% annual increase; 43% insider data breaches; 65% of perpetrators take data and go work for competitors
SECURITY TRANSFORMATION SERVICES: Management consulting | Systems integration | Managed security

SECURITY OPERATIONS AND RESPONSE: QRadar SIEM, QRadar Vulnerability / Risk Manager, QRadar Incident Forensics, QRadar User Behavior Analytics, Resilient Incident Response, X-Force Exchange, App Exchange, BigFix, Network Protection XGS, i2 Enterprise Insight Analysis

INFORMATION RISK AND PROTECTION: Guardium, AppScan, Key Manager, MaaS360, Trusteer Mobile, Trusteer Rapport, Trusteer Pinpoint, Cloud Security, Cloud Identity Service, Identity Governance and Access, Privileged Identity Manager, zSecure

Our integrated view provides visibility so you can stop insider threats
Example - Extending UBA with flow data
• Detect flow-based anomalies
  • Accessing non-business resources
  • Accessing unauthorized resources
  • Potential spam/phishing attempts
  • Detecting malware infection
  • Accessing sensitive personal information
  • Out-of-policy web usage
• Detect DNS anomalies
  • DGA
  • Fast flux
  • Tunneling and exfiltration
• Endpoint infection analytics
Example - Extending QVM/QRM (QRadar Vulnerability Manager / QRadar Risk Manager) with UBA data
• Prioritize vulnerabilities based on user risk
• Scan the assets of users above risk thresholds
• Use degrees of separation to critical assets or information for risk management
• Add or modify rules on the IPS side to block at the user level if a user is phished
• Augment asset risk based on user risk
• Monitor possible attack vectors for risky users
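One way to turn the bullets above into an ordered work list. This is an added example written for this page, not QVM/QRM or UBA code: the asset graph, the user risk scores, the hypothetical VULN-* identifiers, the treatment of unreachable assets and the scoring formula itself are all assumptions.

```python
"""Risk-weighted vulnerability prioritization (added example, not QVM/QRM code).

Combines three inputs the slide names: the vulnerability's own CVSS score,
the UBA risk score of the users who log on to the asset, and the asset's
degrees of separation (hops) from crown-jewel assets.  All data is constructed.
"""
from collections import deque

# Constructed asset graph: asset -> assets it can reach (observed flows / trust).
ASSET_GRAPH = {
    "ws-alice": ["fileserver"],
    "ws-bob": ["jump-host"],
    "fileserver": ["db-crownjewel"],
    "jump-host": ["db-crownjewel"],
    "db-crownjewel": [],
    "kiosk": [],                      # isolated: reaches nothing
}
CROWN_JEWELS = {"db-crownjewel"}

# Constructed UBA user risk scores (0-10) and which users log on where.
USER_RISK = {"alice": 9.0, "bob": 2.0, "guest": 1.0}
ASSET_USERS = {"ws-alice": ["alice"], "ws-bob": ["bob"], "jump-host": ["bob"],
               "fileserver": ["alice", "bob"], "kiosk": ["guest"]}

# Constructed scanner findings: asset -> [(hypothetical vuln id, CVSS base score)].
VULNS = {
    "ws-alice": [("VULN-A", 7.5)],
    "ws-bob": [("VULN-B", 7.5)],
    "jump-host": [("VULN-D", 6.0)],
    "kiosk": [("VULN-C", 9.8)],
}
UNREACHABLE_HOPS = 4   # assumption: "no path to a crown jewel" means far, not risk-free


def hops_to_crown_jewels(graph, jewels):
    """Reverse BFS from the crown jewels: shortest hop count per asset."""
    reverse = {asset: [] for asset in graph}
    for src, dsts in graph.items():
        for dst in dsts:
            reverse[dst].append(src)
    hops = {j: 0 for j in jewels}
    queue = deque(jewels)
    while queue:
        node = queue.popleft()
        for pred in reverse[node]:
            if pred not in hops:
                hops[pred] = hops[node] + 1
                queue.append(pred)
    return hops


def asset_user_risk(asset, user_risk=USER_RISK, asset_users=ASSET_USERS):
    """Highest UBA risk among the users seen on the asset (0 if none)."""
    return max((user_risk[u] for u in asset_users.get(asset, [])), default=0.0)


def priority_score(cvss, user_risk, hops):
    """CVSS scaled up by user risk and down by distance from crown jewels."""
    return cvss * (1.0 + user_risk / 10.0) / (1.0 + hops)


def prioritize(vulns=VULNS, graph=ASSET_GRAPH, jewels=CROWN_JEWELS):
    """Return (asset, vuln id, score) tuples, highest priority first."""
    hops = hops_to_crown_jewels(graph, jewels)
    ranked = []
    for asset, findings in vulns.items():
        h = hops.get(asset, UNREACHABLE_HOPS)
        for vuln_id, cvss in findings:
            score = priority_score(cvss, asset_user_risk(asset), h)
            ranked.append((asset, vuln_id, round(score, 2)))
    return sorted(ranked, key=lambda r: r[2], reverse=True)


def assets_to_scan(threshold=7.0, user_risk=USER_RISK, asset_users=ASSET_USERS):
    """Assets used by any user whose UBA risk is at or above the threshold."""
    return sorted(a for a, users in asset_users.items()
                  if any(user_risk[u] >= threshold for u in users))


if __name__ == "__main__":
    for row in prioritize():
        print(row)
    print("scan next:", assets_to_scan())
```

With these inputs the 9.8-scored finding on the isolated kiosk ranks last, while the 7.5 on a high-risk user's workstation two hops from the database ranks first; raw CVSS alone would have ordered them the other way.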
Comprehensive data set and open analytics sense malicious users

Insider Risk Score, produced by Sense Analytics(TM):
• BEHAVIORAL: pattern identification; user and entity profiling; statistical analysis; anomaly detection
• CONTEXTUAL: business context; entity and user context; external threat correlation
• TIME-BASED: historical analytics; real-time analytics; threat hunting; threshold rules

Data sources feeding the analytics: users, cloud, applications, data, servers, DLP, endpoints, network, threat intelligence, 3rd-party SIEM feeds, other analytics
IBM QRadar UBA 2.0
• Machine Learning algorithms
• Flow-based use cases that leverage QNI (QRadar Network Insights)
IBM INTERNAL & BUSINESS PARTNER USE ONLY
IBM QRadar UBA: Detecting anomalous deviations
Monitor users for deviation from normal behavior, using:
• 14 different QRadar event categories
• temporal analysis
• time series analysis
Predict the range in which a user's activities should fall.
Example anomalous activities detected by these algorithms:
• Abnormal change in user activity (over time)
• Abnormal change in the user's authentication or access activity
• Deviation from the user's normal risk posture
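The slide describes the mechanism in two parts: learn a per-user baseline from a time series of event counts, predict the range the next observation should fall in, and flag what lands outside it; and separately notice activity at times the user never acts. The following is an added example of that pattern written for this page, not the product's algorithm (which the slide does not disclose): the Gaussian mean-plus-k-sigma range, the 14-day training window, the hour-of-day rule and the event stream are all assumptions, and the events are constructed.

```python
"""Per-user activity baselines and deviation flags (added example, not QRadar code).

For each (user, event category) the expected daily range is the baseline
mean +/- k standard deviations over the first `baseline_days` days; later
days outside that range are "volume" deviations.  Hours of day never seen in
a user's baseline are "temporal" deviations.
"""
import statistics
from collections import defaultdict
from datetime import datetime, timedelta


def build_sample_events():
    """Constructed (timestamp, user, category) stream: 15 days of office-hours
    logons and accesses for two users, plus a 40-logon burst at 03:00 by alice
    on the last day.  Counts are deterministic so the example is reproducible."""
    start = datetime(2017, 3, 1)
    events = []
    for day in range(15):
        d = start + timedelta(days=day)
        for user in ("alice", "bob"):
            for i in range(8 + (day + len(user)) % 5):          # 8..12 logons/day
                events.append((d.replace(hour=8 + (i * 5) % 10, minute=i), user, "Authentication"))
            for i in range(20 + (day * 3) % 11):                # 20..30 accesses/day
                events.append((d.replace(hour=9 + (i * 7) % 9, minute=i), user, "Access"))
    burst_day = start + timedelta(days=14)
    events += [(burst_day.replace(hour=3, minute=i), "alice", "Authentication") for i in range(40)]
    return events


def expected_range(history, k=3.0, min_width=2.0):
    """Predicted [low, high] for the next daily count given baseline counts."""
    mean = statistics.fmean(history)
    width = max(k * statistics.pstdev(history), min_width)   # floor avoids a zero-width range
    return max(0.0, mean - width), mean + width


def detect_deviations(events, baseline_days=14, k=3.0):
    dates = sorted({ts.date() for ts, _, _ in events})
    baseline, scoring = dates[:baseline_days], dates[baseline_days:]
    counts = defaultdict(lambda: defaultdict(int))   # (user, category) -> date -> events
    hours = defaultdict(lambda: defaultdict(set))    # user -> date -> hours active
    for ts, user, category in events:
        counts[(user, category)][ts.date()] += 1
        hours[user][ts.date()].add(ts.hour)

    findings = []
    # Time-series signal: daily volume outside the predicted range.
    for (user, category), per_day in counts.items():
        low, high = expected_range([per_day.get(d, 0) for d in baseline], k)
        for d in scoring:
            observed = per_day.get(d, 0)
            if not low <= observed <= high:
                findings.append({"user": user, "date": d, "category": category,
                                 "signal": "volume", "observed": observed,
                                 "expected": (round(low, 1), round(high, 1))})
    # Temporal signal: activity in hours never seen during the baseline.
    for user, per_day in hours.items():
        usual = set().union(*[per_day.get(d, set()) for d in baseline])
        for d in scoring:
            unseen = sorted(per_day.get(d, set()) - usual)
            if unseen:
                findings.append({"user": user, "date": d, "category": "any",
                                 "signal": "temporal", "hours": unseen})
    return findings


if __name__ == "__main__":
    for finding in detect_deviations(build_sample_events()):
        print(finding)
```

Bob's fifteenth day is ordinary and produces nothing; alice's logon count of 52 sits far above a predicted ceiling of roughly 14 and her 03:00 activity is outside every hour in her baseline, so she is surfaced on both signals, which is the "abnormal change in authentication activity" case from the slide.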
IBM QRadar UBA: Machine Learning algorithms
"Deviations from normal behavior"
SOC analysts gain speed from user behavior analytics
…in the hunt to reduce risks and eliminate threats

Easily find malicious behavior
• Detect threats across users and assets leveraging advanced analytics with behavioral patterns
• Tap into a broad set of internal data sources and threat intelligence

Easily acquire, deploy and use
• Download the app and install quickly
• Visibility into the risk posture within hours, not days

Improve analyst efficiency
• Identify risky users, behavior and offences in minutes, not hours
• Reduce overhead on skills and time
To get the most out of your UBA: 3 steps to stop harmful insider actions

STEP 1: Reduce your exposure. Secure your sensitive data and govern your user identities.
STEP 2: Detect insider threats. Anticipate the risk of malicious actions before they occur and respond when breached.
Address security gaps insiders exploit with an integrated approach

1. Who has access to sensitive data?
2. Who should have access?
3. Can you control privileged user access to sensitive data?
4. How are your users accessing the data?

1. What data is sensitive?
2. Where is sensitive data stored?
3. Is the right sensitive data being exposed?
4. What risk is associated with sensitive data?

1. What are end users and administrators doing with data?
2. What do normal transaction patterns look like between the user and your sensitive data?
3. How much can you trust each individual user?
4. When should a deviation from "normal" be cause for further investigation?
Safeguard against harmful insider actions with trusted security expertise, actionable intelligence and powerful technology

Technology: User Behavior Analytics; SIEM; access management; identity management & governance; privileged user management; data protection; risk detection & threat analytics; data activity monitoring

Security Services: identify gaps, improve compliance and prioritize security actions; integrate your capabilities; security expertise to drive insights
3 steps to stop harmful insider actions

STEP 1: Reduce your exposure. Secure your sensitive data and govern your user identities.
STEP 2: Detect insider threats. Anticipate the risk of malicious actions before they occur and respond when breached.
STEP 3: Get started today. Apply a systematic approach and methodology to your 5-10 most important crown-jewel data sets.
Getting started: An integrated approach that provides clear, actionable intelligence

• Prioritize compliance and security actions with risk-based insights from end-to-end mapping of your critical information's access pathways
• Analyze user behaviors to detect suspicious activities for further investigation
• Insider threat protection services from IBM: trusted IBM security specialists can offer the business, data and IAM security experience to help you evaluate intelligence, draw more meaningful conclusions and prepare for next steps.
IBM puts our insider threat solution into practice with a consistent and repeatable four-step operational model with emphasis on high-risk assets

1. Define: define use case; identify critical data (crown jewels); identify privileged users; matching user list; corporate data trigger
2. Discover: machine/statistical analysis; resource usage analysis; policy violation analysis; top-down comparative analysis; bottom-up comparative analysis; anomaly activity trigger
3. Investigate: potential threat; decision committee (application owner/controller, user's manager); escalation (corporate/legal)
4. Remediate: action; close loop/remediation

Log sources (applications and enterprise systems):
• APP/SYSTEM TRANSACTION LOG
• APP/SYSTEM CHANGE LOG
• APP/SYSTEM ACCESS LOG
• APP/SYSTEM PROCESS EXCEPTION LOG
• HTTP SITE ACCESS/DOWNLOAD LOG
• EMAIL HISTORY/ATTACHMENTS LOG
• PC/LAPTOP USB/EXT. HARD DRIVE/CD COPY LOG
• LYNC CHAT/DOWNLOAD LOG
• REMOTE ACCESS LOG
• PRINTER/FAX LOG
• PHYSICAL ACCESS LOG
• EXT. STORAGE ACCESS LOG
• EXT. EMAIL ACCESS LOG
• SHARE DRIVE/POINT ACCESS HISTORY
• PC/LAPTOP LOSS/STOLEN REPORT
• PC/LAPTOP CRASH/REPAIR LOG
• PICTURE PC/LAPTOP SCREEN (CCTV)

Insider threat protection services from IBM
We implemented this solution for one of our global pharma clients to help address concerns about the impact of a major re-org on employee morale
Project Overview:
1. Identified 7 areas of Information Classification in scope for the project
   • Finance Management, Financial Transactions, Procurement-Sourcing, HR, Tax, Planning, and Risk Management
2. Out of the 7 areas of Information Classification, identified 11 Confidential "Red" information types for use cases
   • True Cost Data, Process Order, Serialization, Employee SPI, Investigation and Disciplinary, Purchasing and Contractual, Vendor SPI, Customer SPI, Undisclosed Financial Data, Project System
3. Mapped ~20% of "Red" data to the specific SAP tables, transactions, and roles which expose the information
4. Collected 7 months of SAP transaction logs to analyze user activities across the sensitive transactions identified
5. Identified anomalous activities for further investigation
During the project, we analyzed sensitive transactions used for the first time in the month the user left the company
Data Summary:
• 7 months of SAP transaction logs obtained
• Termination report obtained: 1,984 users
• Over 1M lines of transaction log entries captured
• Of the 1M entries, 56k were uses of sensitive transactions
• Of those 56k, 885 sensitive transactions were used by users on the termination report
Outcome:
• 1st Analysis Finding: 8 users used 10 sensitive transactions for the first time in December 2014 before leaving the company
1st Analysis Findings
Our team also detected sudden and significant increases in users' use of sensitive transactions in the month they left the company… risky insiders!
Outcome:
• 2nd Analysis Finding: 7 users show sudden increase in sensitive transaction usage right before the termination
2nd Analysis Findings
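The two findings above, and the Define/Discover steps of the operational model (match the user list against the termination report, trigger on sensitive corporate data, run a statistical comparison), come down to a join and two per-user comparisons over the transaction log. The code below is an added example written for this page, not the project's tooling: the transaction codes, user IDs, dates and the "3x the prior monthly mean" rule are constructed placeholders, not the client's data or the team's actual threshold.

```python
"""Termination-month analysis of sensitive SAP transaction use (added example).

Two checks from the case study, over a constructed 7-month log:
  1. first_time_use_in_termination_month: sensitive transactions a departing
     user ran for the first time in the month they left
  2. sudden_increase_before_termination: a departing user's sensitive-
     transaction volume in the leaving month jumps to >= `factor` times
     their earlier monthly mean
"""
import statistics
from collections import defaultdict
from datetime import date

SENSITIVE_TCODES = {"ZTRUECOST", "ZPROCORD", "ZEMPSPI"}   # hypothetical "Red" transactions
TERMINATIONS = {"u1001": date(2014, 12, 19),              # constructed termination report
                "u1002": date(2014, 12, 30),
                "u1003": date(2014, 11, 5)}


def constructed_log():
    """Constructed SAP transaction log as 'YYYY-MM-DD user tcode' lines."""
    rows = []
    for m in range(6, 12):                                               # June..November 2014
        rows.append((date(2014, m, 10), "u1001", "ZINVOICE"))            # routine, non-sensitive
        rows += [(date(2014, m, 5), "u1002", "ZPROCORD"), (date(2014, m, 20), "u1002", "ZPROCORD")]
        if m <= 10:
            rows += [(date(2014, m, 7), "u1003", "ZEMPSPI"), (date(2014, m, 21), "u1003", "ZEMPSPI")]
    rows += [(date(2014, 11, 3), "u1003", "ZEMPSPI"), (date(2014, 11, 4), "u1003", "ZEMPSPI")]
    rows += [(date(2014, 12, d), "u1001", "ZTRUECOST") for d in (15, 16, 18)]   # first ever, days before leaving
    rows += [(date(2014, 12, d), "u1002", "ZPROCORD") for d in range(1, 13)]    # 12 uses vs. usual 2 per month
    rows.append((date(2014, 12, 2), "u2001", "ZTRUECOST"))                       # not on the termination report
    return "\n".join(f"{d.isoformat()} {u} {t}" for d, u, t in rows)


def parse_log(text):
    records = []
    for line in text.splitlines():
        d, user, tcode = line.split()
        records.append((date.fromisoformat(d), user, tcode))
    return records


def month_of(d):
    return (d.year, d.month)


def months_between(first, last):
    """Inclusive list of (year, month) from first to last."""
    y, m = first
    result = []
    while (y, m) <= last:
        result.append((y, m))
        y, m = (y + 1, 1) if m == 12 else (y, m + 1)
    return result


def first_time_use_in_termination_month(records, terminations=TERMINATIONS, sensitive=SENSITIVE_TCODES):
    """(user, tcode) pairs whose earliest use falls in the user's leaving month."""
    first_use = {}
    for d, user, tcode in sorted(records):
        if tcode in sensitive and (user, tcode) not in first_use:
            first_use[(user, tcode)] = d
    return sorted((u, t) for (u, t), d in first_use.items()
                  if u in terminations and month_of(d) == month_of(terminations[u]))


def sudden_increase_before_termination(records, terminations=TERMINATIONS,
                                       sensitive=SENSITIVE_TCODES, factor=3.0):
    """Departing users whose leaving-month sensitive volume is >= factor x prior mean."""
    monthly = defaultdict(lambda: defaultdict(int))
    for d, user, tcode in records:
        if tcode in sensitive:
            monthly[user][month_of(d)] += 1
    log_start = month_of(min(d for d, _, _ in records))
    findings = []
    for user, term_date in terminations.items():
        term_month = month_of(term_date)
        prior = months_between(log_start, term_month)[:-1]       # months before the leaving month
        baseline = statistics.fmean([monthly[user][m] for m in prior]) if prior else 0.0
        observed = monthly[user][term_month]
        if baseline > 0 and observed >= factor * baseline:        # first-time users are check 1's job
            findings.append({"user": user, "observed": observed, "prior_monthly_mean": round(baseline, 2)})
    return findings


def analyze(text=None):
    records = parse_log(text if text is not None else constructed_log())
    return {"first_time": first_time_use_in_termination_month(records),
            "sudden_increase": sudden_increase_before_termination(records)}


if __name__ == "__main__":
    print(analyze())
```

Three things the constructed data is built to show: u2001 does the same first-time thing as u1001 but is not on the termination report, so the join drops them; u1003 keeps using a sensitive transaction at the usual rate right up to departure and is not flagged; and the two checks are kept disjoint (a user with no prior history has no baseline to spike against), matching the way the slides report the findings separately.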
Our experts help deliver
• Leading security innovation by IBM Research, with over 3,000 security and risk patents
• Strategic Advising: product-agnostic recommendations
• Cognitive-driven Solutions: derive insights from Watson Analytics
• Award-winning IBM Security Systems can provide a full range of integrated security services and products
• Worldwide Presence: threat visibility from 10 Security Operations Centers monitoring 13-plus billion events per day from 20,000-plus devices
• Worldwide Subject Matter Expertise: over 3,700 security consultants and 3,300 service delivery experts
• IAM Expertise
Take action now

Learn more
• Download the whitepaper, "An Integrated Approach to Insider Threat Protection"
• Read the blog on using Machine Learning to Detect Anomalies in Users' Activities

Contact IBM
• Call your rep, or reach out to 1 (877) 257-5227
• Experiencing a breach? IBM Incident Response 24x7 Hotline: 1-888-241-9812

Questions? Let us know.
Jas Johal, Sr. Offering Manager – IAM Services
Johnny Shin, Sr. Executive Consultant - IAM
Milan Patel, Program Director Security Offerings Management

ibm.com/security
securityintelligence.com
xforce.ibmcloud.com
@ibmsecurity
youtube/user/ibmsecuritysolutions
© Copyright IBM Corporation 2016. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind,
express or implied. Any statement of direction represents IBM's current intent, is subject to change or withdrawal, and represents only goals and objectives. IBM, the IBM logo, and other IBM products
and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service
marks of others.
Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your
enterprise. Improper access can result in information being altered, destroyed, misappropriated or misused or can result in damage to or misuse of your systems, including for use in attacks on others.
No IT system or product should be considered completely secure and no single product, service or security measure can be completely effective in preventing improper use or access. IBM systems,
products and services are designed to be part of a lawful, comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products
or services to be most effective. IBM does not warrant that any systems, products or services are immune from, or will make your enterprise immune from, the malicious or illegal conduct of any party.
FOLLOW US ON:
THANK YOU