Michael Andersson - Staying one step ahead in an increasingly threat-filled world (BC14)
Uploaded by ibm-sverige, category: Technology
© 2014 IBM Corporation
IBM Security Intelligence
Staying one step ahead in an increasingly threat-filled world
BusinessConnect, A New Era of Smart, 10/6/2014
The threat level is continually intensifying
• Operational sophistication: IBM X-Force declared the Year of the Security Breach
• Near-daily leaks of sensitive data: 40% increase in reported data breaches and incidents
• Relentless use of multiple methods: 500,000,000+ records were leaked, while the future shows no sign of change
[Figure: bubble chart of security incidents 2011–2013 by attack type: SQL injection, spear phishing, DDoS, third-party software, physical access, malware, XSS, watering hole, undisclosed. Note: size of circle estimates relative impact of incident in terms of cost to business.]
Source: IBM X-Force Threat Intelligence Quarterly – 1Q 2014
A new security reality is here
• 61% of organizations say data theft and cybercrime are their greatest threats (2012 IBM Global Reputational Risk & IT Study)
• $3.5M average cost of a data breach (2014 Cost of Data Breach, Ponemon Institute)
• 70% of security executives have cloud and mobile security concerns (2013 IBM CISO Survey)
• 614% mobile malware growth in just one year (2012–2013 Juniper Mobile Threat Report)
• 85 security tools from 45 vendors (IBM client example)
• 83% of enterprises have difficulty finding the security skills they need (2012 ESG Research)
Customer Case 1: Under Attack
An attack timeline
Company timeline:
• Company is compliance certified
• Anti-virus software identifies malicious activity
• IDS/NGFW triggers an alert
• More alerts from IDS/NGFW
• ...and more alerts...
• Company is notified by a government organization
• Company confirms the breach and removes most of the malware
• Company confirms millions of records stolen after the story leaked
• Company confirms even more millions of records stolen after the story leaked
Attacker timeline:
• Attacker first breaches the customer environment
• Attacker tests malware
• Malware fully installed
• Attacker steals credentials
• Malware upgraded; attacker begins to exfiltrate data
• Attacker loses foothold in the network
AV and IDS alert: false-positive prone, so users don't fully trust it
No additional activity information: what traffic preceded and followed, from and to where?
No network and business context: are these critical assets, or can they reach critical assets?
No business process for triaging and analysing
Ignored!
More alerts, from different areas of the network, not correlated with other activity or placed in the context of the business or network
Not enough visibility or context
Still ignored!
Too late: the nightmare business scenario unfolds
Nightmare: worst-case business scenario
QRadar Security Intelligence: taking in data from a wide spectrum of feeds
Answering questions to help prevent and remediate attacks
What data contributed to the offense?
Customer Case 2: Vulnerability prioritization
IE zero-day announced!
Real example, from a real customer
The background:
– CVE-2013-3893, a use-after-free vulnerability
– Most versions of IE are affected
– Exploits are available and have been active on the internet at malicious web sites for a week
– Metasploit released an exploit kit within 1 week
The challenge:
– 1000s of Windows assets in the enterprise
– Which ones are vulnerable?
• Re-scan the network: how long will that take?
• Need answers now!
– Length of time to patch
• Must prioritise
• Which ones do I patch first?
How did QVM and Security Intelligence help – Stage 1
No need to re-scan: QVM's early alerts correlated the data from the last scan with the zero-day vulnerability information to immediately raise early-warning vulnerabilities on the affected assets.
Time saved: 1-2 days of scanning time
How did QVM and Security Intelligence help – Stage 2
Patch them all? No. There is no need to patch assets where there has been no web traffic.
QVM correlates QFlow Layer 7 traffic with the vulnerabilities on each asset to remove those without associated traffic.
Time saved: 15%-20% reduction in patching time, by not wasting time and effort on patching assets where there has been no web traffic
How did QVM and Security Intelligence help – Stage 3
Patch the remainder? No. Exploits of this vulnerability live in malicious web sites.
QRadar filters the remaining assets down to those that have visited potentially malicious web sites in the last month.
21 assets! Time saved: >90% reduction in patching time, ~5 days
What action to take next?
Patch to apply: QVM has the answer
IPS signature to enable: QVM has the answer
Your Vulnerabilities
[Figure: a grid of CVE identifiers colour-coded by the legend: Patched, Critical, Blocked, Inactive, Exploited!, At risk!]
Reducing data load by leveraging network context
Inactive: QFlow Collector data helps QRadar Vulnerability Manager sense application activity
Patched: IBM Endpoint Manager helps QVM understand which vulnerabilities will be patched
Blocked: QRadar Risk Manager helps QVM understand which vulnerabilities are blocked by firewalls and IPSs
Critical: Vulnerability knowledge base, remediation flow and QRM policies inform QVM about business critical vulnerabilities
At Risk: X-Force Threat and SIEM security incident data, coupled with QFlow network traffic visibility, help QVM see assets communicating with potential threats
Exploited: SIEM correlation and IPS data help QVM reveal which vulnerabilities have been exploited
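As an added illustration of the three-stage triage in Customer Case 2 and the six context labels listed above, the following Python is not IBM's or QRadar/QVM's code; it uses constructed scan, flow, patch, firewall, IPS and threat-feed data to derive one label per asset and a patch order.

```python
from collections import defaultdict

# Constructed sample data (not from the presentation or any IBM product).
# Last scan results: asset -> installed IE version; AFFECTED_VERSIONS is what the advisory lists.
AFFECTED_VERSIONS = {"IE8", "IE9", "IE10"}
LAST_SCAN = {"ws-01": "IE9", "ws-02": "IE8", "ws-03": "IE10", "ws-04": "IE11",
             "ws-05": "IE8", "ws-06": "IE9", "srv-01": "IE9"}
# Layer-7 flow records for the last month: (asset, application, destination).
FLOWS = [("ws-01", "http", "intranet.example"), ("ws-02", "http", "bad-ads.example"),
         ("ws-03", "http", "news.example"), ("ws-05", "http", "dl.evil.example"),
         ("ws-06", "http", "erp.example"), ("srv-01", "ssh", "jump.example")]
THREAT_FEED = {"bad-ads.example", "dl.evil.example"}  # constructed indicator list
PATCH_SCHEDULED = {"ws-03"}      # endpoint manager is already patching these
FW_BLOCKED = set()               # firewall/IPS blocks the path to none of them here
IPS_EXPLOIT_HITS = {"ws-05"}     # IPS saw the exploit signature fire against this host
CRITICAL_ASSETS = {"ws-06", "srv-01"}

def stage1_candidates(scan, affected):
    """Stage 1: correlate the *last* scan with the advisory instead of rescanning."""
    return {asset for asset, ver in scan.items() if ver in affected}

def classify(candidates, flows, feed, patched, blocked, exploited, critical):
    """Stages 2-3 and the six context labels: the first matching label wins."""
    web_active = {a for a, app, _ in flows if app == "http"}
    contacted_bad = {a for a, _, dst in flows if dst in feed}
    result = defaultdict(list)
    for asset in sorted(candidates):
        if asset in exploited:          label = "exploited"  # IPS/SIEM evidence
        elif asset in contacted_bad:    label = "at_risk"    # Stage 3: visited a bad site
        elif asset in patched:          label = "patched"
        elif asset in blocked:          label = "blocked"
        elif asset not in web_active:   label = "inactive"   # Stage 2: no web traffic
        elif asset in critical:         label = "critical"
        else:                           label = "open"
        result[label].append(asset)
    return dict(result)

def patch_order(classes):
    """Assets that still need the patch, most urgent first."""
    urgent = ("exploited", "at_risk", "critical", "open")
    return [a for label in urgent for a in classes.get(label, [])]

def run():
    cands = stage1_candidates(LAST_SCAN, AFFECTED_VERSIONS)
    classes = classify(cands, FLOWS, THREAT_FEED, PATCH_SCHEDULED, FW_BLOCKED,
                       IPS_EXPLOIT_HITS, CRITICAL_ASSETS)
    return cands, classes, patch_order(classes)
```

Calling run() on the sample data yields six candidates from the last scan, of which only four still need the patch, in the order exploited, at risk, critical, open.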
New threats require a new approach
Security Teams are Adopting a New Approach
Threats have evolved…
• Broad attacks: indiscriminate malware, spam and DoS activity
• Targeted attacks: advanced, persistent, organized, and politically or financially motivated
Requiring a new approach to protection…
• Traditional approach: compliance-driven, reactionary
• Strategic approach: intelligence-driven, continuous
…yet the majority of security teams are still using insufficient defenses
Traditional approach:
• Build strong perimeters
• Protect all assets
• Use signature-based methods
• Periodically scan for known threats
• Read the latest news
• Collect logs
• Conduct manual interviews
• Shut down systems
Strategic approach:
• Assume constant compromise
• Prioritize high-risk assets
• Use behavioral-based methods
• Continuously monitor activity
• Consume real-time threat feeds
• Collect everything
• Automate correlation and analytics
• Gather, preserve, retrace evidence
Use analytics and insights for smarter defense
• Use intelligence and anomaly detection across every domain
• Build an intelligence vault around your crown jewels
• Prepare your response for the inevitable
IBM Security Systems
www.ibm.com/security
© Copyright IBM Corporation 2014. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind, express or implied. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, these materials. Nothing contained in these materials is intended to, nor shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software. References in these materials to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates. Product release dates and/or capabilities referenced in these materials may change at any time at IBM’s sole discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any way. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service marks of others.
Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed or misappropriated or can result in damage to or misuse of your systems, including to attack others. No IT system or product should be considered completely secure and no single product or security measure can be completely effective in preventing improper access. IBM systems and products are designed to be part of a comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective. IBM DOES NOT WARRANT THAT SYSTEMS AND PRODUCTS ARE IMMUNE FROM THE MALICIOUS OR ILLEGAL CONDUCT OF ANY PARTY.