Post on 15-Jan-2015
Quantify value of IT Security for business
with IBM tools
Andris Soroka, 17th of April, 2014
Riga, Latvia
The Saga Begins – Scared vs. Informed
“Data Security Solutions” business card
Specialization – IT Security
IT Security services (consulting, audit, pen-testing, market analysis, system testing and integration, training and technical support)
Solutions and experience portfolio with more than 20 different technologies – cyber-security global market leaders from more than 10 countries
Trusted services provider for banks, insurance companies, government and private companies (critical infrastructure etc.)
Role of DSS in Cyber-security Development in Baltics
Cyber-Security Awareness Raising
Technology and knowledge transfer
Most Innovative Portfolio
Trusted Advisor to its Customers
Cybersecurity Awareness Raising
Own organized conference “DSS ITSEC”
• 5th annual event this year (30.10.2014)
• More than 400 visitors + more than 250 online live streaming watchers from LV, EE, LT
• 4 parallel sessions with more than 40 international speakers, including Microsoft, Oracle, Symantec, IBM, Samsung and many more – everything free of charge (EVENT.DSS.LV)
Participation in other events & sponsorship
• CERT & ISACA conferences & events
• RIGA COMM, HeadLight, IBM Pulse Las Vegas
• Roadshows and events in Latvia / Lithuania / Estonia (e.g. Vilnius Innovation Forum, Devcon, ITSEC HeadLight, SFK, business associations)
Participation in cyber security discussions, strategy preparations, seminaries, publications etc.
Innovations – technology & knowledge transfer
Innovative Technology Transfer
• Number of unique projects done with different technology global leadership vendors
• Knowledge transfer (own employees, customers – both from private & public, other IT companies in LV, EE, LT)
Specialization areas include:
• Endpoint Security
• Network Security
• Security Management
• Application Security
• Mobile Security
• Data Security
• Cyber-security
• Security Intelligence
Some just basic ideas
AGENDA (hopefully 60 mins..)
• Introduction of DSS and speaker
• Prologue – Digital world & trends
• The Saga begins – Cybercrime: introduction & types, business behind, examples
• Value of Information Security for business: risk management, technology
• IBM SIEM, Risk Manager, Forensics: what it is and what for, architecture, use cases
• Q&A (if time allows)
Prologue
Prologue: Some new technologies
• 3D Printers
• Google Glasses (“glassh**es”)
• Cloud Computing
• Big Data & Supercomputers
• Mobile Payment & Virtual Money
• Robotics and Intraday Deliveries
• Internet of Things
• Augmented Reality
• Extreme development of Apps
• Digital prototyping
• Gadgets (devices) & Mobility
• Technology-replaced jobs (automation)
• Geo-location power
• Biometrics
• Health bands and mHealth
• Electric cars
• Avegant Glyph and much, much more
Prologue: Mobility & Gadgets
Multi-OS
Millions of mobile applications
Digital Agenda for European Union
True or fake? In fact this isn’t funny...
Best «success story» describing hackers..
No changes in that perspective
Disaster in software world - NSA
Disaster in technology world - NSA
Governments write malware and exploits (USA started, others follow..)
• Cyber espionage
• Sabotage
• Cyber wars
• Infecting own citizens
• Surveillance
Known NSA “partners”: Microsoft (incl. Skype), Apple, Adobe, Facebook, Google, many, many others
Internet is changing!!!
USA thinks that the internet is their creation and foreign users should think of the USA as their masters…
Many countries are in the game now…
Cyberwars going on!
Cybercriminal type #1
“In 2014, each knowledge worker will have on average 3.3 mobile devices, compared with the average of 2.8 mobile devices in 2013.” 1
Cybercriminal type #2 – Monetary driven
Types of cybercriminals (cont.)
Black market figures
Hacking business services...
Current prices on the Russian underground market:
• Hacking corporate mailbox: $500
• Winlocker ransomware: $10-$20
• Unintelligent exploit bundle: $25
• Intelligent exploit bundle: $10-$3,000
• Basic crypter (for inserting rogue code into benign file): $10-$30
• SOCKS bot (to get around firewalls): $100
• Hiring a DDoS attack: $30-$70 / day, $1,200 / month
• Botnet: $200 for 2,000 bots
• DDoS Botnet: $700
• ZeuS source code: $200-$250
• Windows rootkit (for installing malicious drivers): $292
• Hacking Facebook or Twitter account: $130
• Hacking Gmail account: $162
• Email spam: $10 per one million emails
• Email scam (using customer database): $50-$500 per one million emails
Examples: Advanced Persistent Threat
Mobility & Security...
The Saga Continues: Cybercriminals #2
Weakest link is always the most important
Source: IBM X-Force annual report 2013
Some examples of incidents (DDoS)
Mobility & Security
Examples: Hackers searching tool
Examples (continued)
Examples: Hacker is watching / listening
Cybercriminal type #3 – Insider
Bright future of the internet way ahead..
Chart: 1995 – 2005, 1st decade of the commercial Internet; 2005 – 2015, 2nd decade of the commercial Internet
• Actors: script-kiddies or hackers; insiders; organized crime; competitors, hacktivists; national security infrastructure attack
• Motive: espionage; political activism; monetary gain; revenge; curiosity
Global statistics
Conclusion: The Saga will continue anyway
For many companies security is like salt, people just sprinkle it on top.
Think security first & Where are You here?
Organizations Need an Intelligent View of Their Security Posture
Chart: security intelligence maturity (axes: Reactive to Proactive, Manual to Automated), three levels:
• Basic – Organizations employ perimeter protection, which regulates access and feeds manual reporting
• Proficient – Security is layered into the IT fabric and business operations
• Optimized – Organizations use predictive and automated security analytics to drive toward security intelligence
“DSS” is here for You! Just ask for…
Si vis pacem, para bellum. (Lat.)
IBM Security Intelligence
Extensive Data Sources:
• Servers and mainframes
• Data activity
• Network and virtual activity
• Application activity
• Configuration information
• Security devices
• Users and identities
• Vulnerabilities and threats
• Global threat intelligence
Embedded Intelligence – embedded intelligence offers automated offense identification (suspected incidents → prioritized incidents):
• Massive data reduction
• Automated data collection, asset discovery and profiling
• Automated, real-time, and integrated analytics
• Activity baselining and anomaly detection
• Out-of-the box rules and templates
Security Intelligence = SIEM + RM + … + ….
IBM QRadar Security Intelligence Platform
Big data consolidation of all available security information: logs, events, flows, configurations, vulnerabilities, packets
Traditional SIEM: 6 products from 6 vendors are needed
IBM Security Intelligence and Analytics: a single web-based console provides superior visibility
• Log Management
• Security Intelligence
• Network Activity Monitoring
• Risk Management
• Vulnerability Management
• Network Forensics
QRadar Forensics – new one
SIEM
• Log, flow, vulnerability & identity correlation
• Sophisticated asset profiling
• Offense management and workflow
Log Management
• Turn-key log management and reporting
• SME to Enterprise
• Upgradeable to enterprise SIEM
Network Activity & Anomaly Detection
• Network analytics
• Behavioral anomaly detection
• Fully integrated in SIEM
Configuration & Vulnerability Management
• Network security configuration monitoring
• Vulnerability scanning & prioritization
• Predictive threat modeling & simulation
Network and Application Visibility
• Layer 7 application monitoring
• Content capture for deep insight & forensics
• Physical and virtual environments
Scale
• Event Processors
• Network Activity Processors
• High Availability & Disaster Recovery
• Stackable Expansion
QRadar All In One
QRadar Distributed Deployment
SIEM installation – plug&play
Higher capacity / performance support
• Basic installation in one week, immediate ROI
• Continuous development of features and integration
• Biggest IT Security solutions portfolio in today’s Security market
IBM leadership – taking it back
• CA (DataMinder)
• Novell (Sentinel)
• Nitro
• Fortify, WebInspect
• ArcSight
• TippingPoint
• RSA Access Mgr.
• ProtectTools
• RSA Live Intelligence System
• Team: RSA FirstWatch
• OAM, Novell AM, CA SiteMinder
• Norton AV, IPS
• Symantec Client/Svr. Mgmt. Suite
• Symantec DLP Data Theft Protection, DLP
• FW, NBA, IPS
• Access Rights Reviews
• SecureSphere Web App FW
• SecureSphere App Virt. Patching FW, IPS
• DLP
• Endpoint Disk Encryption
• FW, IPS, AV, Mobile security
• FIM
SIEM Use Cases WordCloud
SIEM Use Cases Definition
Requirements
Scope
Event Sources
Response
Your Use Case
Build YOUR own use case! React faster, improve efficiency, automate compliance.
Use Cases
• Vulnerability Correlation
• Suspicious Access Correlation
• Flow and Event Combo Correlation
• Botnet Application Identity
• VMware Flow Analysis
• Unidirectional Flows Detection
• Vulnerability Reporting
• Data Loss Prevention
• Double Correlation
• Policy and Insider Threat Intelligence (Social Media Use Case)
Use Cases
• Detecting Threats or Suspicious Changes in Behaviour
• Preventative Alerting and Monitoring
• Compliance Monitoring
• Client-side vulnerability correlation
• Excessive Failed Logins to Compliance Servers
• Remote Access from Foreign Country Logons
• Communication with Known Hostile Networks
• Long Durations
• Multi-Vector Attack
• Device stopped sending Data (Out of Compliance)
Social Media Intelligence
Problem: Social media is an increasing threat to an organization's policies and network; company employees are the ones most likely to fall victim to social engineering based threats, and they serve as entry points for Advanced Persistent Threats.
Solution: Social media monitoring & correlation in real-time:
QRadar’s real-time monitoring and correlation of hundreds of social media sites, such as Twitter, Facebook, Gmail, LinkedIn, etc., offers automated application-aware insight and identifies social media-based threats by user and application.
Social Media Intelligence
With QRadar, you can:
• Identify all the sources, destinations and the actual corporate credit card number leaked.
• Identify the user responsible for the data leak.
Data Loss Prevention
Customer Requirement:
Customer wants to detect when an employee may be stealing customer contact info in preparation for leaving the company
Solution:
• Baseline employee access to CRM
• Detect deviations from norm: 1,000 transactions (access to customer records) vs normal 50 per day
• BUT… what if the user is tech savvy or has a geek nephew, and makes a single SQL query to the back end database?
• Profile network traffic between workstations and the back-end database, or policy shouldn’t allow direct access to the database from workstations
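The two checks above (a per-user baseline on CRM record access, plus a flow profile that catches the "single SQL query" bypass) expressed as plain Python over constructed sample data. This is an added example, not QRadar rule syntax and not code from the slides; the log format, the workstation range 10.20.0.0/16, the database host 10.1.2.20 and the 5x-baseline threshold are assumptions chosen for the illustration.

```python
import ipaddress
import re
import statistics
from collections import defaultdict

# Constructed CRM audit-log lines (sample data, not from any real system).
# Assumed line format: "<YYYY-MM-DD> <user> <action> <record_id>"
def build_sample_log():
    lines = []
    for day in range(1, 8):                       # 2014-04-01 .. 04-07: normal activity
        lines += [f"2014-04-{day:02d} alice VIEW {1000 + i}" for i in range(50)]
        lines += [f"2014-04-{day:02d} bob VIEW {2000 + i}" for i in range(30)]
    lines += [f"2014-04-08 alice VIEW {1000 + i}" for i in range(1000)]  # alice pulls 1,000 records
    lines += [f"2014-04-08 bob VIEW {2000 + i}" for i in range(32)]
    return lines

LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}) (\S+) (\S+) (\d+)$")

def daily_counts(lines):
    """user -> day -> number of customer records viewed."""
    counts = defaultdict(lambda: defaultdict(int))
    for line in lines:
        m = LINE_RE.match(line)
        if m and m.group(3) == "VIEW":
            day, user = m.group(1), m.group(2)
            counts[user][day] += 1
    return counts

def detect_crm_anomalies(lines, day, ratio=5.0, min_history_days=3):
    """Flag users whose record access on `day` exceeds `ratio` times the
    median of their earlier daily counts (the baseline)."""
    alerts = []
    for user, per_day in daily_counts(lines).items():
        history = [c for d, c in per_day.items() if d < day]
        if len(history) < min_history_days:
            continue                              # not enough data for a baseline
        baseline = statistics.median(history)
        today = per_day.get(day, 0)
        if today > ratio * baseline:
            alerts.append((user, today, baseline))
    return alerts

# Second check: the tech-savvy user who bypasses the CRM front end.
# Constructed flow records: (src_ip, dst_ip, dst_port, bytes).
WORKSTATIONS = ipaddress.ip_network("10.20.0.0/16")   # assumed workstation range
DB_SERVERS = {"10.1.2.20"}                              # assumed CRM database host
DB_PORTS = {1521, 1433, 3306, 5432}

FLOWS = [
    ("10.20.5.17", "10.1.1.10", 443, 12_000),        # workstation -> CRM web app: expected
    ("10.1.1.10", "10.1.2.20", 1521, 900_000),       # app server -> Oracle: expected
    ("10.20.5.17", "10.1.2.20", 1521, 48_000_000),   # workstation -> Oracle directly: policy violation
]

def detect_direct_db_access(flows):
    """Return flows from workstations straight to a database port."""
    return [f for f in flows
            if ipaddress.ip_address(f[0]) in WORKSTATIONS
            and f[1] in DB_SERVERS and f[2] in DB_PORTS]

if __name__ == "__main__":
    print(detect_crm_anomalies(build_sample_log(), "2014-04-08"))
    print(detect_direct_db_access(FLOWS))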
Data Loss Prevention
Potential Data Loss?Who? What? Where?
Who?An internal user
What?Oracle data
Where?Gmail
Inadvertent Wrongdoing
A/V Server
Trying to update the entire internet
Issue bubbled to the top of the offense manager immediately post-installation
Problem had existed for months, but was lost in firewall logs.
A/V clients were badly out of date.
System Misconfiguration
QRadar reports remote sources scanning internal SQL servers. Firewall admin insists QRadar is incorrect – absolutely no inbound SQL traffic permitted. But… months earlier a user had requested access to the SQL server from outside campus; the administrator fat-fingered the FW rule and unintentionally allowed SQL access to & from all hosts.
Teleportation
Customer Requirement: Customer wanted to detect users that logged in from IP addresses in different locations simultaneously.
Solution: Create a rule to test for 2 or more logins from VPN or AD from different countries within 15 minutes. Can be extended to check for a local login within the corporate network and a simultaneous remote login.
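The "teleportation" rule, including the extension for a local LAN logon paired with a remote one, as an added example in Python over constructed logon events; it is not QRadar rule syntax and not from the slides. The event layout, the 15-minute default window and the "CORP" pseudo-country marking an internal logon are assumptions made for the illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed VPN / Active Directory logon events (sample data, not real):
# (timestamp, user, log source, country). "CORP" is a placeholder meaning the
# logon came from inside the corporate network rather than a geolocated address.
EVENTS = [
    ("2014-04-17 09:00:00", "alice", "VPN", "LV"),
    ("2014-04-17 09:10:00", "alice", "VPN", "BR"),    # 10 min later, another country
    ("2014-04-17 09:00:00", "bob",   "AD",  "LV"),
    ("2014-04-17 09:40:00", "bob",   "VPN", "EE"),    # 40 min later: outside a 15-min window
    ("2014-04-17 10:00:00", "carol", "AD",  "CORP"),  # local logon on the LAN
    ("2014-04-17 10:05:00", "carol", "VPN", "DE"),    # simultaneous remote logon
]

def parse_events(events):
    """Parse timestamps and return the events in time order."""
    parsed = [(datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), user, src, country)
              for ts, user, src, country in events]
    return sorted(parsed)

def find_teleportation(events, window_minutes=15):
    """Return (user, kind, country1, country2, minutes_apart) for every pair of
    logons by the same user from different countries within the window.
    kind is "local+remote" when one side is a LAN logon, else "two-country"."""
    window = timedelta(minutes=window_minutes)
    by_user = defaultdict(list)
    for ts, user, src, country in parse_events(events):
        by_user[user].append((ts, src, country))
    alerts = []
    for user, logons in by_user.items():
        for i, (t1, _s1, c1) in enumerate(logons):
            for t2, _s2, c2 in logons[i + 1:]:
                if t2 - t1 > window:
                    break                       # logons are time-sorted; later ones are further away
                if c1 != c2:
                    kind = "local+remote" if "CORP" in (c1, c2) else "two-country"
                    alerts.append((user, kind, c1, c2, int((t2 - t1).total_seconds() // 60)))
    return alerts

if __name__ == "__main__":
    for alert in find_teleportation(EVENTS):
        print(alert)
```

With the default window alice (LV then BR ten minutes later) and carol (LAN logon plus a VPN logon from DE) are reported, while bob's two logons 40 minutes apart are not; widening the window to 60 minutes pulls bob in as well, which is the tuning trade-off between catching slow credential sharing and false positives from people who genuinely travel.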
Purell for your VPN
Customer Requirement:
Customer wanted to detect when external systems over the VPN access sensitive servers.
Customer was concerned that an external system could be infected / exploited through split tunneling and infect sensitive internal servers.
Solution:
• Use latest VA scan of user systems
• Create BB (building block) of OSVDB IDs of concern
• Detect when external systems with vulnerabilities access sensitive servers
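The vulnerability-to-flow correlation from the three solution steps, as an added Python example (not QRadar's own building-block mechanism and not from the slides): VA results are joined with flows from the VPN pool to sensitive servers, and only hosts carrying an ID from the "building block" set fire. The vulnerability IDs are labelled placeholders rather than real OSVDB entries, and the VPN pool 192.0.2.0/24, the sensitive hosts and the 30-day scan-freshness limit are assumptions; the freshness check reflects the "latest VA scan" step, treating a stale scan as unknown rather than clean.

```python
import ipaddress
from datetime import date

# Constructed data, not a real scan or real flows. The vulnerability IDs are
# placeholders standing in for OSVDB entries; they are not real OSVDB numbers.
VA_SCAN = {                                     # host -> (scan date, vulnerability IDs found)
    "192.0.2.10": (date(2014, 4, 16), {"OSVDB-PLACEHOLDER-1", "OSVDB-PLACEHOLDER-7"}),
    "192.0.2.11": (date(2014, 4, 16), {"OSVDB-PLACEHOLDER-3"}),
    "192.0.2.12": (date(2014, 4, 16), set()),
    "192.0.2.13": (date(2014, 2, 1), {"OSVDB-PLACEHOLDER-1"}),   # scan too old to trust
}
VULNS_OF_CONCERN = {"OSVDB-PLACEHOLDER-1", "OSVDB-PLACEHOLDER-2"}   # the "building block"
SENSITIVE_SERVERS = {"10.1.2.20", "10.1.2.21"}                       # assumed sensitive hosts
VPN_POOL = ipaddress.ip_network("192.0.2.0/24")                      # assumed VPN client range
TODAY = date(2014, 4, 17)                                            # evaluation date for the sample

FLOWS = [                                       # (src_ip, dst_ip, dst_port)
    ("192.0.2.10", "10.1.2.20", 445),   # vulnerable VPN client -> sensitive server: alert
    ("192.0.2.11", "10.1.2.20", 445),   # vulnerable, but not with a vuln of concern: no alert
    ("192.0.2.12", "10.1.2.21", 22),    # clean client: no alert
    ("192.0.2.10", "10.1.1.10", 443),   # vulnerable client -> non-sensitive server: no alert
    ("192.0.2.13", "10.1.2.21", 22),    # stale scan data: reported as unknown, not as an alert
    ("10.20.5.17", "10.1.2.20", 445),   # internal workstation, not over the VPN: out of scope
]

def correlate(flows, scan, concern, sensitive, pool, today, max_scan_age_days=30):
    """Return (alerts, unknown): alerts for VPN hosts with a vulnerability of
    concern reaching a sensitive server; unknown for hosts whose scan is
    missing or older than max_scan_age_days."""
    alerts, unknown = [], []
    for src, dst, port in flows:
        if ipaddress.ip_address(src) not in pool or dst not in sensitive:
            continue                            # only VPN -> sensitive traffic is in scope
        entry = scan.get(src)
        if entry is None or (today - entry[0]).days > max_scan_age_days:
            unknown.append((src, dst, port))    # no trustworthy scan: needs a rescan, not a pass
            continue
        hits = entry[1] & concern
        if hits:
            alerts.append((src, dst, port, sorted(hits)))
    return alerts, unknown

def run_example():
    return correlate(FLOWS, VA_SCAN, VULNS_OF_CONCERN, SENSITIVE_SERVERS, VPN_POOL, TODAY)

if __name__ == "__main__":
    alerts, unknown = run_example()
    print("alerts:", alerts)
    print("unknown (stale or missing scan):", unknown)
```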
Uninvited Guests
Customer Requirement:
Wants to identify new systems attached to network. There are active wall jacks throughout building
Solution:
• Set asset database retention to just beyond DHCP lease time (1-2 days) – user out of office / on vacation, asset expires; new machine attaches, rule alerts
• Flows for real-time detection: no other SIEM can do this
• Can alert on VA import
• In 7.0, can build up a MAC list in reference sets (~2 wks), then alert when a new MAC appears on the network
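The two detection approaches on this slide side by side, as an added Python example over constructed DHCP lease events (not QRadar's asset database or reference-set implementation, and not from the slides): a retention-based asset table with a 2-day expiry, and a MAC reference set built up over a 14-day learning period. The sample includes the vacation case the slide mentions, so the output shows why the retention approach re-alerts on a returning laptop while the reference set does not. The MAC addresses, IPs, retention and learning period are all assumptions.

```python
from datetime import datetime, timedelta

def build_events():
    """Constructed DHCP lease events (timestamp, MAC, IP); not real data."""
    events = []
    for d in range(21):                                  # 2014-04-01 .. 2014-04-21
        day = datetime(2014, 4, 1) + timedelta(days=d)
        events.append((day, "AA:BB:CC:00:00:01", "10.20.5.17"))      # alice's laptop, in daily
        if d < 14 or d >= 20:                            # bob away 04-15..04-20, back 04-21
            events.append((day, "AA:BB:CC:00:00:02", "10.20.5.18"))
        if d == 17:                                      # 04-18: unregistered laptop on a wall jack
            events.append((day, "DE:AD:BE:EF:00:01", "10.20.5.99"))
    return events

class AssetRetention:
    """Approach 1: asset database whose entries expire `retention` after the
    last sighting. A MAC not currently in the database is reported as new."""
    def __init__(self, retention):
        self.retention = retention
        self.last_seen = {}

    def observe(self, ts, mac):
        prev = self.last_seen.get(mac)
        self.last_seen[mac] = ts
        return prev is None or ts - prev > self.retention

class MacReferenceSet:
    """Approach 2: reference set of MACs collected during a learning period;
    afterwards any MAC outside the set is reported (and added, so it fires once)."""
    def __init__(self, start, learning_period):
        self.learning_until = start + learning_period
        self.known = set()

    def observe(self, ts, mac):
        if ts < self.learning_until or mac in self.known:
            self.known.add(mac)                          # still learning, or already known
            return False
        self.known.add(mac)
        return True

def evaluate(events, retention=timedelta(days=2), learning=timedelta(days=14)):
    """Run both detectors over the events and return each one's alerts after
    the learning period, so the two lists are directly comparable."""
    events = sorted(events)
    start = events[0][0]
    cutoff = start + learning
    by_retention = AssetRetention(retention)
    by_refset = MacReferenceSet(start, learning)
    alerts = {"retention": [], "reference_set": []}
    for ts, mac, ip in events:
        mac = mac.lower()                                # normalise MAC case before comparing
        if by_retention.observe(ts, mac) and ts >= cutoff:
            alerts["retention"].append((ts.date().isoformat(), mac, ip))
        if by_refset.observe(ts, mac):
            alerts["reference_set"].append((ts.date().isoformat(), mac, ip))
    return alerts

if __name__ == "__main__":
    for approach, hits in evaluate(build_events()).items():
        print(approach, hits)
```

Both approaches catch the unregistered laptop on 2014-04-18; only the retention approach also fires on bob's laptop when it returns on 2014-04-21 after a week away, which is the false positive the longer learning window is meant to avoid.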
Policy Violation / Resource Misuse
Customer Requirement:
Detect if there are P2P servers located in the Local Area Network
Communication to known Bot C&C
Customer Requirement:
Detect if any internal system is communicating with a known Bot Command and Control
Forensic of Administrative Change
Customer Requirement:
• New user account creation with administrative privileges
• System registry change, application installed/uninstalled
• Password reset
• Service started/stopped
Vulnerability Overview
Customer Requirement:
Generate weekly report for Vulnerabilities
Use Cases Summary
Identify the goal for each event correlation rule (and use case).
Determine the conditions for the alert.
Select the relevant data sources.
Test the rule.
Determine response strategies, and document them.
QRadar latest updates
• Increased scalability, best HW in market
• Enhanced asset and vulnerability functionality
• Centralized license management
• Multicultural support (languages)
• Improved bar and pie charts on the Dashboard tab
• Data obfuscation
• Identity and Access Management (IAM) integration
• Browser support
• Java 7 support
• 2500+ reports
• New “QRadar 2100 Light” appliance for SMBs
• New QRadar Forensics appliance
• New Data Node appliances
Think security first