IBM QRadar User Behavior Analytics DETECTING INSIDER THREAT AND RISKS May 2017

Page 1: IBM QRadar UBA

IBM QRadar User Behavior Analytics
DETECTING INSIDER THREAT AND RISKS

May 2017

Page 2: IBM QRadar UBA

2 IBM Security

Agenda

• Problem Context

• Typical Challenges

• IBM UBA capabilities with machine learning analytics

• IBM’s integrated approach to insider threat protection

• Case Study

• Next Steps

Johnny Shin

Executive Consultant - Identity and Access Management

Architecture & Program Delivery

[email protected]

Jas Johal

Sr. Offering Manager – IAM Services

IBM Security

[email protected]

Milan Patel

Program Director Security Offerings Management

IBM Security

[email protected]

Page 3: IBM QRadar UBA

Increasing attacks, shortage of skills and growing insider threats continue to dominate

Increasing Attack Activity

• 64% annual increase: more security incidents from 2014-2015

• 100’s of incidents and events daily

Too Few People

• 1M anticipated shortfall by 2020 for InfoSec analysts

Too Many Tools

• 85 security tools from 45 vendors

Growing Insider Risk

• 37%, 43%, 65% (figures on insider data breaches and on perpetrators who take data and go work for competitors)

Page 4: IBM QRadar UBA

SECURITY TRANSFORMATION SERVICES
Management consulting | Systems integration | Managed security

SECURITY OPERATIONS AND RESPONSE

• QRadar Vulnerability / Risk Manager

• Resilient Incident Response

• X-Force Exchange

• QRadar Incident Forensics

• BigFix

• Network Protection XGS

• QRadar SIEM

• i2 Enterprise Insight Analysis

• App Exchange

• QRadar User Behavior Analytics

INFORMATION RISK AND PROTECTION

• MaaS360

• Trusteer Mobile

• Trusteer Rapport

• AppScan

• Guardium

• Cloud Security

• Privileged Identity Manager

• Identity Governance and Access

• Cloud Identity Service

• Key Manager

• zSecure

• Trusteer Pinpoint

Our integrated view provides visibility so you can stop insider threats

Page 5: IBM QRadar UBA

Example - Extending UBA with flow data

• Detect flow based anomalies

  • Accessing non-business resources

  • Accessing unauthorized resources

  • Potential spam/phishing attempts

  • Detecting malware infection

  • Accessing sensitive personal information

  • Out of policy web usage

• Detect DNS anomalies

  • DGA

  • Fast flux

  • Tunneling and exfiltration

• End-point infection analytics

Page 6: IBM QRadar UBA

Example - Extending QVM/QRM with UBA data

• Prioritize vulnerabilities based on user risk

• Scan assets of users above risk thresholds

• Degrees of separation to critical assets or information for risk management

• Add or modify rules on the IPS side to block at user level if a user is phished

• Augment asset risk based on user risk

• Monitor possible attack vectors for risky users

Page 7: IBM QRadar UBA

Comprehensive data set and open analytics sense malicious users

Insider Risk Score

SENSE ANALYTICS™

BEHAVIORAL

• Pattern identification

• User and entity profiling

• Statistical analysis

• Anomaly detection

CONTEXTUAL

• Business context

• Entity and user context

• External threat correlation

TIME-BASED

• Historical analytics

• Real-time analytics

• Threat hunting

• Threshold rules

Data sources:

• Users

• Cloud Applications

• Applications

• Data

• Servers

• DLP

• Endpoints

• Network

• Threat Intelligence

• 3rd Party SIEM feeds

• Other analytics

Page 8: IBM QRadar UBA


Comprehensive data set and open analytics sense malicious users

Page 9: IBM QRadar UBA

IBM QRadar UBA 2.0

• Machine Learning algorithms

• Flow based use cases that leverage QNI

Page 10: IBM QRadar UBA

IBM INTERNAL & BUSINESS PARTNER USE ONLY

IBM QRadar UBA: Detecting anomalous deviations

Monitor users on deviation from normal behavior:

• 14 different event categories of QRadar

• temporal analysis

• time series analysis

Predict the range in which the users’ activities should fall.

Example anomalous activities detected by these algorithms are:

• Abnormal change in user activity (over time)

• Abnormal change in user’s authentication or access activity

• Deviation from normal risk posture of the user

Page 11: IBM QRadar UBA

IBM QRadar UBA: Machine Learning algorithms

“Deviations from normal behavior”

Page 12: IBM QRadar UBA

SOC analysts gain speed from user behavior analytics

…in the hunt to reduce risks and eliminate threats

Easily find malicious behavior

• Detect threats across users and assets leveraging advanced analytics with behavioral patterns

• Tap into a broad set of internal data sources and threat intelligence

Easily acquire, deploy and use

• Visibility into the risk posture within hours, not days

• Download the app and install quickly

Improve analyst efficiency

• Identify risky users, behavior and offences in minutes, not hours

• Reduce overhead on skills and time

Page 13: IBM QRadar UBA

To get the most out of your UBA - 3 steps to stop harmful insider actions

STEP 1: Reduce your exposure: Secure your sensitive data and govern your user identities

STEP 2: Detect insider threats: Anticipate the risk of malicious actions before they occur and respond when breached

Page 14: IBM QRadar UBA

Address security gaps insiders exploit with an integrated approach

1. Who has access to sensitive data?

2. Who should have access?

3. Can you control privileged user access to sensitive data?

4. How are your users accessing the data?

1. What data is sensitive?

2. Where is sensitive data stored?

3. Is the right sensitive data being exposed?

4. What risk is associated with sensitive data?

1. What are end users and administrators doing with data?

2. What do normal transaction patterns look like between the user and your sensitive data?

3. How much can you trust each individual user?

4. When should a deviation from “normal” be cause for further investigation?

Page 15: IBM QRadar UBA

User Behavior Analytics

• SIEM

• Access management

• Identity management & governance

• Privileged users management

• Data protection

• Risk detection & threat analytics

• Data activity monitoring

Safeguard against harmful insider actions with trusted security expertise, actionable intelligence and powerful technology

Security Services

• Identify gaps, improve compliance and prioritize security actions

• Integrate your capabilities

• Security expertise to drive insights

Page 16: IBM QRadar UBA

3 steps to stop harmful insider actions

STEP 1: Reduce your exposure. Secure your sensitive data and govern your user identities

STEP 2: Detect insider threats. Anticipate the risk of malicious actions before they occur and respond when breached

STEP 3: Get started today. Apply a systematic approach and methodology to your 5-10 most important crown jewel data.

Page 17: IBM QRadar UBA

Getting started: An integrated approach that provides clear, actionable intelligence

• Prioritize compliance and security actions with risk-based insights from end-to-end mapping of your critical information’s access pathways

• Analyze user behaviors to detect suspicious activities for further investigation

Insider threat protection services from IBM

Trusted IBM security specialists can offer the business, data and IAM security experience to help you evaluate intelligence, draw more meaningful conclusions and prepare for next steps.

Page 18: IBM QRadar UBA

IBM puts our insider threat solution into practice with a consistent and repeatable four step operational model with emphasis on high risk assets

1 Define | 2 Discover | 3 Investigate | 4 Remediate

Define

• Define Use Case

• Identify critical data (crown jewels)

• Identify privileged users

• Matching user list

Discover

• Corporate Data Trigger

• Machine/ statistical analysis

• Resource usage analysis

• Policy violation analysis

• Top down comparative analysis

• Bottom up comparative analysis

• Anomaly Activity Trigger

Investigate

• Potential Threat

• Decision Committee

• Application Owner/Controller

• User’s Manager

• Escalation

• Corporate/ Legal

Remediate

• Action

• Close Loop/ Remediation

Data sources (Applications, Enterprise Systems)

• APP/SYSTEM TRANSACTION LOG

• APP/SYSTEM CHANGE LOG

• APP/SYSTEM ACCESS LOG

• APP/SYSTEM PROCESS EXCEPTION LOG

• HTTP SITE ACCESS/ DOWNLOAD LOG

• EMAIL HISTORY/ ATTACHMENTS LOG

• PC LAPTOP USB/ EXT. HARD DR./CD COPY LOG

• LYNC CHAT/ DOWNLOAD LOG

• REMOTE ACCESS LOG

• PRINTER/FAX LOG

• PHYSICAL ACCESS LOG

• EXT. STORAGE ACCESS LOG

• EXT. EMAIL ACCESS LOG

• SHARE DRIVE/ POINT ACCESS HISTORY

• PC/ LAPTOP LOSS/ STOLEN REPORT

• PC/ LAPTOP CRASH/ REPAIR LOG

• PICTURE PC/ LAPTOP SCREEN (CCTV)

Insider threat protection services from IBM

Page 19: IBM QRadar UBA

We implemented this solution for one of our global pharma clients to help address concerns about the impact of a major re-org on employee morale

Project Overview:

1. Identified 7 areas of Information Classification in scope for the project

• Finance Management, Financial Transactions, Procurement-Sourcing, HR, Tax, Planning, and Risk Management

2. Out of the 7 areas of Information Classification, identified 11 Confidential “Red” information types for use cases

• True Cost Data, Process Order, Serialization, Employee SPI, Investigation and Disciplinary, Purchasing and Contractual, Vendor SPI, Customer SPI, Undisclosed Financial Data, Project System

3. Mapped ~20% of “Red” data to specific SAP tables, transactions, and roles which expose the information

4. Collected 7 months of SAP transaction logs to analyze user activities across the sensitive transactions identified

5. Identified anomaly activities for further investigation

Page 20: IBM QRadar UBA

During the project, we analyzed sensitive transactions used for the first time in the month the user left the company

Data Summary:

• 7 months of SAP transaction logs obtained

• Termination report obtained: 1,984 users

• Over 1M lines of transaction log entries captured

• Of 1M entries, 56k sensitive transactions used

• Of 56k transactions, 885 sensitive transactions were used by users on the termination report

Outcome:

• 1st Analysis Finding: 8 users used 10 sensitive transactions for the first time in December 2014 before leaving the company

1st Analysis Findings

Page 21: IBM QRadar UBA

Our team also detected sudden and significant increases in users’ use of sensitive transactions in the month they left the company… risky insiders!

Data Summary:

• 7 months of SAP transaction logs obtained

• Termination report obtained: 1,984 users

• Over 1M lines of transaction log entries captured

• Of 1M entries, 56k sensitive transactions used

• Of 56k transactions, 885 sensitive transactions were used by users on the termination report

Outcome:

• 2nd Analysis Finding: 7 users showed a sudden increase in sensitive transaction usage right before termination

2nd Analysis Findings
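The two case-study findings above, and the "predict the range in which the users' activities should fall" idea from the anomalous-deviations slide, can be expressed as a pair of simple checks over a transaction log joined to a termination report. The following is an added illustration written for this page; it is not IBM's code, not the QRadar UBA machine-learning implementation, and not the client's data. The SAP transaction codes chosen as "sensitive", the user IDs, the seven-month log window and the termination dates are all constructed sample values. The predicted range is a plain mean plus k standard deviations over each user's own earlier months, which stands in for whatever time-series model a real deployment would use.

```python
"""Two termination-window checks over SAP-style transaction logs.

Constructed example: log entries, transaction codes, user IDs and the
termination report are made up for illustration only.
"""
from collections import defaultdict
from datetime import date
from statistics import mean, pstdev

# Transaction codes the (hypothetical) data owners classified as sensitive.
SENSITIVE_TCODES = {"SE16", "FB01", "PA30"}

# Constructed termination report: user -> last working day.
TERMINATIONS = {
    "u1001": date(2014, 12, 19),
    "u1002": date(2014, 12, 30),
}


def _entries(user, tcode, days):
    """Expand one user/tcode pair into (user, date, tcode) log tuples."""
    return [(user, d, tcode) for d in days]


# Constructed seven-month log window, June to December 2014.
LOG = (
    # u1001: steady FB01 use all window, then two never-before-seen tcodes in December
    _entries("u1001", "FB01", [date(2014, m, d) for m in range(6, 13) for d in (5, 20)])
    + _entries("u1001", "SE16", [date(2014, 12, 10)])
    + _entries("u1001", "PA30", [date(2014, 12, 15)])
    # u1002: SE16 used once or twice a month, then nine times in December
    + _entries("u1002", "SE16", [
        date(2014, 6, 3), date(2014, 7, 8), date(2014, 7, 22), date(2014, 8, 11),
        date(2014, 9, 2), date(2014, 9, 17), date(2014, 10, 6), date(2014, 11, 4),
        date(2014, 11, 25)] + [date(2014, 12, d) for d in range(1, 10)])
    # u1002: MM03 is not in the sensitive set, so it must be ignored
    + _entries("u1002", "MM03", [date(2014, 6, 1), date(2014, 12, 2)])
    # u2003 is not on the termination report, so both checks skip this user
    + _entries("u2003", "SE16", [date(2014, 12, d) for d in range(1, 11)])
)


def month_key(d):
    """(year, month) tuple so months compare and group correctly across years."""
    return (d.year, d.month)


def first_time_use_in_exit_month(log, sensitive, terminations):
    """Finding 1: sensitive tcodes a terminated user ran for the first time
    (within the log window) in the month they left."""
    first_use = {}
    for user, day, tcode in log:
        if tcode not in sensitive:
            continue
        key = (user, tcode)
        if key not in first_use or day < first_use[key]:
            first_use[key] = day
    findings = defaultdict(list)
    for (user, tcode), day in sorted(first_use.items()):
        term = terminations.get(user)
        if term is not None and month_key(day) == month_key(term):
            findings[user].append(tcode)
    return dict(findings)


def monthly_sensitive_counts(log, sensitive):
    """user -> {month_key: number of sensitive transactions in that month}."""
    counts = defaultdict(lambda: defaultdict(int))
    for user, day, tcode in log:
        if tcode in sensitive:
            counts[user][month_key(day)] += 1
    return counts


def sudden_increase_before_exit(log, sensitive, terminations, k=2.0, min_baseline_months=3):
    """Finding 2: terminated users whose sensitive-transaction count in the exit
    month exceeds a predicted range (mean + k * std) built from their own earlier
    months. The std is floored at one transaction so a perfectly constant
    baseline does not flag every +1."""
    window = sorted({month_key(day) for _, day, _ in log})
    counts = monthly_sensitive_counts(log, sensitive)
    findings = {}
    for user, term in terminations.items():
        exit_month = month_key(term)
        history = counts.get(user, {})
        # Months with no sensitive activity count as zero, not as missing data.
        baseline = [history.get(m, 0) for m in window if m < exit_month]
        if len(baseline) < min_baseline_months:
            continue
        upper = mean(baseline) + k * max(pstdev(baseline), 1.0)
        exit_count = history.get(exit_month, 0)
        if exit_count > upper:
            findings[user] = {"exit_month": exit_month, "count": exit_count,
                              "baseline_mean": mean(baseline), "upper_bound": upper}
    return findings


if __name__ == "__main__":
    print("first-time use in exit month:",
          first_time_use_in_exit_month(LOG, SENSITIVE_TCODES, TERMINATIONS))
    print("sudden increase before exit:",
          sudden_increase_before_exit(LOG, SENSITIVE_TCODES, TERMINATIONS))
```

On the constructed data, u1001 trips the first-time check (SE16 and PA30 first appear in the exit month) but not the increase check, because four sensitive transactions in December still fall inside a range predicted from a steady two per month; u1002 is the reverse, with a long history of SE16 use that jumps from one or two a month to nine. Keeping the two checks separate matters in practice: each finding points an investigator at a different question (new access versus changed volume), and a user who trips both is a stronger candidate for the decision-committee step of the operational model than one who trips either alone.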

Page 22: IBM QRadar UBA

Our experts help deliver

• Leading security innovation by IBM Research, with over 3,000 security and risk patents

• Strategic Advising: product agnostic recommendations

• Cognitive-driven Solutions: derive insights from Watson Analytics

• Award winning IBM Security Systems can provide a full range of integrated security services and products

• Worldwide Presence: threat visibility from 10 Security Operations Centers monitoring 13-plus billion events per day from 20,000-plus devices

• Worldwide Subject Matter Expertise: over 3,700 security consultants and 3,300 service delivery experts

• IAM Expertise

Page 23: IBM QRadar UBA

Take action now

• Download the whitepaper, “An Integrated Approach to Insider Threat Protection”

• Read the blog on using Machine Learning to Detect Anomalies in Users’ Activities

Learn more

• Call your rep, or reach out to 1 (877) 257-5227

• Experiencing a breach? IBM Incident Response 24x7 Hotline: 1-888-241-9812

Contact IBM

Questions? Let us know.

Jas Johal, Sr. Offering Manager – IAM Services, [email protected]

Johnny Shin, Sr. Executive Consultant - IAM, [email protected]

Milan Patel, Program Director Security Offerings Management, [email protected]

Page 24: IBM QRadar UBA

ibm.com/security

securityintelligence.com

xforce.ibmcloud.com

@ibmsecurity

youtube/user/ibmsecuritysolutions

© Copyright IBM Corporation 2016. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind,

express or implied. Any statement of direction represents IBM's current intent, is subject to change or withdrawal, and represent only goals and objectives. IBM, the IBM logo, and other IBM products

and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service

marks of others.

Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your

enterprise. Improper access can result in information being altered, destroyed, misappropriated or misused or can result in damage to or misuse of your systems, including for use in attacks on others.

No IT system or product should be considered completely secure and no single product, service or security measure can be completely effective in preventing improper use or access. IBM systems,

products and services are designed to be part of a lawful, comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products

or services to be most effective. IBM does not warrant that any systems, products or services are immune from, or will make your enterprise immune from, the malicious or illegal conduct of any party.

FOLLOW US ON:

THANK YOU