X-Force Threat Intelligence: Fight Insider Threats & Protect Your Sensitive Data


Transcript of X-Force Threat Intelligence: Fight Insider Threats & Protect Your Sensitive Data

Page 1: X-Force Threat Intelligence: Fight Insider Threats & Protect Your Sensitive Data

© 2015 IBM Corporation

Fight Insider Threats & Protect Your Sensitive Data

Robert Freeman, Joe DiPietro

X-Force Threat Intelligence:

Insights from the 2Q 2015 X-Force Threat Intelligence Quarterly with Guardium Database Security

Page 2: Agenda

Robert Freeman
– X-Force background
– Highlights from Q2 2015 X-Force
  – Classifications of insider threats
  – Modern trends in enterprise breach methodology
– Breach planning and recommendations

Joe DiPietro: Database Security Controls Using IBM Guardium
– Identifying privileged users with entitlement reports
– Integrating LDAP & Active Directory with database security controls
– Monitoring operating system users that access the database

Page 3

IBM X-Force is the foundation for advanced security and threat research across the IBM Security Framework.

Page 4: IBM X-Force® Research and Development

Capability areas:
– Vulnerability Protection
– IP Reputation
– Anti-Spam
– Malware Analysis
– Web Application Control
– URL / Web Filtering
– Zero-day Research

The IBM X-Force Mission
– Monitor and evaluate the rapidly changing threat landscape
– Research new attack techniques and develop protection for tomorrow's security challenges
– Educate our customers and the general public
– Integrate and distribute Threat Protection and Intelligence to make IBM solutions smarter
– Expert analysis and data sharing on the global threat landscape

Page 5

IBM X-Force monitors and analyzes the changing threat landscape

20,000+ devices under contract

15B+ events managed per day

133 monitored countries (MSS)

3,000+ security related patents

270M+ endpoints reporting malware

25B+ analyzed web pages and images

12M+ spam and phishing attacks daily

89K+ documented vulnerabilities

860K+ malicious IP addresses

Millions of unique malware samples

Page 6

Source: IBM X-Force Threat Intelligence Quarterly – 1Q 2015 and 2014 IBM Chief Information Security Officer Assessment

83% of CISOs say that the challenge posed by external threats has increased in the last three years.

Near Daily Leaks of Sensitive Data
40% increase in reported data breaches and incidents

Relentless Use of Multiple Methods
800,000,000+ records were leaked, while the future shows no sign of change

"Insane" Amounts of Records Breached
42% of CISOs claim the risk from external threats increased dramatically from prior years.

Page 7

According to Ponemon Institute, the cost of a data breach to global organizations is on the rise
Source: Ponemon Institute Cost of Data Breach Study

– $154: average cost per record compromised
– 23% increase: total cost of a data breach, net change over two years
– $3.79 million: average total cost per data breach

Average per capita cost:
  FY 2013: $136
  FY 2014: $145 (up 7%)
  FY 2015: $154 (up 6%)
Net change over 1 year = 6%; net change over 2 years = 12%

Page 8

Overwhelmingly, survey respondents identify evasion of existing security controls as a key reason for breaches

Reason for breach                                      Respondents
Evaded existing preventive security controls           65%
Insufficient funding                                   37%
Lack of in-house expertise                             35%
Third-party vetting failure                            20%
Poor leadership                                        15%
Incomplete knowledge of where sensitive data exists    12%
Lack of data classification                             7%
Lack of accountability                                  6%
Other                                                   3%

Source: Ponemon Institute Cost of Data Breach Study. Two responses permitted.

Page 9

Recent data from IBM Security Services shows 55% of all attacks were found to be carried out by malicious insiders or inadvertent actors

Source: IBM 2015 Cyber Security Intelligence Index, Figure 5

Page 10

New classifications of insider threats
– Disgruntled employees
– Malicious insiders
– Inadvertent insiders
– Quasi-insiders

Traditionally, "insider threats" meant disgruntled or negligent employees inflicting harm on the company's assets; today many different classifications have come forward.

Page 11

Modern trends in enterprise computing increase the attack surface of people with trusted access

Trends: social media, big data, mobility, cloud

Attack vectors:
• Trusted users with privileged access to systems housing critical business, PII and monetary assets
• The digital connectivity of IoT opens up new entry points into physical systems.
• Third-party contractors or suppliers can widen the attack surface
• Inadvertent insiders can merely click a malicious link

Page 12

Physical security is just as important as digital monitoring

Maintaining a rigorous security posture that considers not just digital but also physical security is key to protect against insider threats.

Page 13

Spam origination efforts have become so distributed that no one country exceeds 8% of the total volume.

Source: IBM X-Force Threat Intelligence Quarterly, 2Q 2015

Page 14

Any insider, even those with the best of intentions, can inadvertently aid in an attack by clicking on a malicious link sent in a phishing email.

Source: IBM X-Force Threat Intelligence Quarterly, 2Q 2015

Page 15

Network administrators can take a few basic steps to fend off malicious spam attachments

Keep your spam and virus filters up to date.

Block executable attachments. In regular business environments it is unusual to send executable attachments.

Most spam filters can be configured to block executable files even when they are within zip attachments.

Use mail client software that allows disabling automatic rendering of attachments and graphics, and preloading of links—and then disable them.

Educate users on the potential dangers of spam and the actions to take.
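The "block executable attachments, even inside zip files" recommendation can be enforced before a message reaches a mailbox. The script below is an added illustration written for this transcript, not IBM code and not a description of any particular spam filter: it parses a MIME message, flags attachments by a dangerous-extension list and by the DOS/PE "MZ" header (so a renamed executable is caught), and descends into zip attachments, including nested zips. The message it scans is constructed inline, and the extension list is an assumed starting point that a gateway would tune.

```python
"""Flag executable e-mail attachments, including ones hidden inside zip files.

Added illustration for the spam-hardening advice above; not IBM code.
The message below is constructed inline so the script runs offline.
"""
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

# Assumed block list: extensions a business mail gateway has no reason to accept.
EXECUTABLE_EXTENSIONS = {
    ".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".msi", ".dll",
    ".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta", ".ps1", ".jar",
}
MZ_MAGIC = b"MZ"  # DOS/PE header; catches Windows executables renamed to .jpg etc.


def _extension(name: str) -> str:
    name = name.lower()
    dot = name.rfind(".")
    return name[dot:] if dot != -1 else ""


def is_executable(name: str, data: bytes) -> bool:
    """True if the file name or its first bytes identify an executable."""
    return _extension(name) in EXECUTABLE_EXTENSIONS or data[:2] == MZ_MAGIC


def executables_in_zip(data: bytes, depth: int = 0, max_depth: int = 3) -> list:
    """Return member paths that are executables, descending into nested zips."""
    found = []
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return found
    for info in archive.infolist():
        if info.is_dir():
            continue
        member = archive.read(info)
        if is_executable(info.filename, member):
            found.append(info.filename)
        elif _extension(info.filename) == ".zip" and depth < max_depth:
            found.extend(f"{info.filename}/{p}"
                         for p in executables_in_zip(member, depth + 1, max_depth))
    return found


def scan_message(raw: bytes) -> list:
    """Return the attachments (name, or name/member for zips) that should be blocked."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    flagged = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        data = part.get_payload(decode=True) or b""
        if is_executable(name, data):
            flagged.append(name)
        elif _extension(name) == ".zip" or data[:2] == b"PK":
            flagged.extend(f"{name}/{p}" for p in executables_in_zip(data))
    return flagged


def build_sample_message() -> bytes:
    """Constructed test mail: a harmless PDF, a zip hiding invoice.pdf.exe, and a PE renamed .jpg."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("invoice.pdf.exe", b"MZ\x90\x00fake")
        z.writestr("readme.txt", b"just text")
    msg = EmailMessage()
    msg["From"] = "billing@example.invalid"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "Invoice"
    msg.set_content("Please see attached.")
    msg.add_attachment(b"%PDF-1.4 ...", maintype="application", subtype="pdf", filename="real.pdf")
    msg.add_attachment(inner.getvalue(), maintype="application", subtype="zip", filename="invoice.zip")
    msg.add_attachment(b"MZ\x90\x00fake", maintype="image", subtype="jpeg", filename="photo.jpg")
    return msg.as_bytes()


if __name__ == "__main__":
    for item in scan_message(build_sample_message()):
        print("BLOCK", item)
```

The content sniff matters more than the extension list: a filter that only looks at names passes `photo.jpg`, while the `MZ` check stops it. Password-protected zips cannot be inspected this way and are usually quarantined outright for the same reason.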

Page 16

Every breach requires a plan of action

Forensic analytics can provide the insights to understand what is happening in the network and what steps are necessary to prevent threats.

Full Packet Capture
• Capture packets off the network
• Include other, related structured and unstructured content stored within the network

Retrieval & Session Reconstruction
• For a selected security incident, retrieve all the packets (time bounded)
• Re-assemble into searchable documents including full payload displayed in original form

Forensics Activity
• Navigate to uncover knowledge of threats
• Switch search criteria to see hidden relationships

Page 17

Because many compromises unfold over long periods of time, keeping the largest possible capture window at the lowest cost takes on great importance.

Source: IBM X-Force Threat Intelligence Quarterly, 2Q 2015

Page 18

Visualizing "outliers" in your network takes on greater significance

Source: IBM X-Force Threat Intelligence Quarterly, 2Q 2015

Page 19

Reconstruction enables organizations to view recorded network transactions in formats tailored for human consumption

Different types of reconstruction:
• Web page
• Chat
• Social networking
• Webmail
• Blogging
• File transfers
• File attachments
• File metadata
• File flows (attached executables, JavaScript, macros, redirects)

(Figure: traffic capture)

Page 20

People can be the weakest link in securing valuable data

Page 21

Using Identity and Access Management solutions can help mitigate risks
– Strong authentication that relies on sound policy for identity assurance
– Use identity governance solutions to help classify users by roles and access requirements
– Privileged IDs are growing, so control the associated risk.
– Grant user entitlements appropriately and keep them updated
– Manage and monitor users for both security and compliance.

Page 22

Joe DiPietro

Page 23

Guardium Actionable Controls Regarding X-Force Report
– Identify privileged users with Guardium entitlement reports
– Integrate database security controls with LDAP/Active Directory for onboarding and offboarding employees
– Monitor privileged user access at the operating system with UID chaining

Page 24

Identifying Privileged Users With Database Security Controls

Attack vectors:
• Trusted users with privileged access to systems housing critical business, PII and monetary assets
• The digital connectivity of IoT opens up new entry points into physical systems.
• Third-party contractors or suppliers can widen the attack surface
• Inadvertent insiders can merely click a malicious link

Database privileged users:
– Accounts with system privileges
– All system and admin privileges (by user/role)
– Object privileges by user
– Roles granted (user and roles)
– Privilege grants
– Execute privileges by procedure

Page 25

Entitlement Reporting: Reducing the Cost of Managing User Rights

– Provides a simple means of aggregating and understanding entitlement information
  – Scans and collects information on a scheduled basis, including group and role information
– Out-of-the-box reports for common views
  – Report writer for custom views
– Support for all major DBMS platforms
– Integrated with all other modules including workflow, enterprise integrator, etc.

Database privileged users covered by the reports:
– Accounts with system privileges
– All system and admin privileges (by user/role)
– Object privileges by user
– Roles granted (user and roles)
– Privilege grants
– Execute privileges by procedure

Eliminates the resource-intensive and error-prone process of manually examining each database and stepping through roles.
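The hard part of "stepping through roles" is that privileges reach a user transitively: a user holds a role, the role holds another role, and a system privilege sits three hops away. The resolver below is an added example written for this transcript, not Guardium's report engine. Its input rows are constructed to mirror the column shape of Oracle's DBA_ROLE_PRIVS (grantee, granted_role), DBA_SYS_PRIVS (grantee, privilege) and DBA_TAB_PRIVS (grantee, owner, table_name, privilege, type); the account names, role names and grants are invented, and the role graph deliberately contains a cycle to show that the walk must be cycle-safe.

```python
"""Resolve effective database privileges by expanding nested role grants.

Added example for the entitlement-reporting section; it is not Guardium code.
Rows are constructed in the shape of Oracle's DBA_ROLE_PRIVS, DBA_SYS_PRIVS
and DBA_TAB_PRIVS views; every account, role and grant below is invented.
"""
from collections import defaultdict

ROLE_PRIVS = [  # (grantee, granted_role)
    ("ALICE", "APP_READ"),
    ("BOB", "APP_ADMIN"),
    ("APP_ADMIN", "APP_READ"),   # nested role
    ("APP_ADMIN", "DBA_LITE"),
    ("DBA_LITE", "APP_ADMIN"),   # cycle: the walk must not loop forever
    ("SVC_BATCH", "APP_READ"),
]
SYS_PRIVS = [  # (grantee, privilege)
    ("DBA_LITE", "CREATE ANY TABLE"),
    ("DBA_LITE", "SELECT ANY TABLE"),
    ("CAROL", "ALTER SYSTEM"),    # granted directly to the user
]
TAB_PRIVS = [  # (grantee, owner, object_name, privilege, object_type)
    ("APP_READ", "HR", "EMPLOYEES", "SELECT", "TABLE"),
    ("APP_READ", "HR", "SALARIES", "SELECT", "TABLE"),
    ("BOB", "HR", "SALARIES", "UPDATE", "TABLE"),
    ("APP_ADMIN", "HR", "PAY_RAISE", "EXECUTE", "PROCEDURE"),
]
USERS = ["ALICE", "BOB", "CAROL", "SVC_BATCH"]


def role_graph():
    """grantee -> set of roles granted directly to it."""
    g = defaultdict(set)
    for grantee, role in ROLE_PRIVS:
        g[grantee].add(role)
    return g


def effective_roles(user, graph=None):
    """All roles reachable from user through nested grants (cycle-safe DFS)."""
    graph = graph if graph is not None else role_graph()
    seen, stack = set(), list(graph.get(user, ()))
    while stack:
        role = stack.pop()
        if role in seen:
            continue
        seen.add(role)
        stack.extend(graph.get(role, ()))
    return seen


def effective_privileges(user):
    """Return {'system', 'object', 'execute'} sets held directly or via roles."""
    holders = {user} | effective_roles(user)
    system = {p for g, p in SYS_PRIVS if g in holders}
    obj = {f"{priv} ON {own}.{name}" for g, own, name, priv, typ in TAB_PRIVS
           if g in holders and priv != "EXECUTE"}
    execute = {f"{own}.{name}" for g, own, name, priv, typ in TAB_PRIVS
               if g in holders and priv == "EXECUTE"}
    return {"system": system, "object": obj, "execute": execute}


def accounts_with_system_privileges():
    """The 'accounts with system privileges' view, direct grants and role-derived alike."""
    return sorted(u for u in USERS if effective_privileges(u)["system"])


def report():
    """One line per account, the way an entitlement report would list it."""
    lines = []
    for u in USERS:
        p = effective_privileges(u)
        lines.append(f"{u}: roles={sorted(effective_roles(u))} system={sorted(p['system'])} "
                     f"object={sorted(p['object'])} execute={sorted(p['execute'])}")
    return lines


if __name__ == "__main__":
    print("\n".join(report()))
    print("Accounts with system privileges:", accounts_with_system_privileges())
```

Note what the report surfaces that a glance at DBA_SYS_PRIVS would not: BOB never appears in the system-privilege view, yet he holds CREATE ANY TABLE through APP_ADMIN, which holds DBA_LITE. Running the same resolver on a scheduled snapshot from each platform is what turns the per-database catalog views into one cross-platform entitlement view.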

Page 26

Heterogeneous Database Entitlement Reports – Oracle Report

Page 27

DB2 Entitlement Reports

Page 28

Microsoft SQL Server Entitlement Reports

Page 29

Informix Entitlement Reports

Page 30

Sybase Entitlement Reports

Page 31

Integrating LDAP & Active Directory With Database Security Controls

Page 32

Integrating LDAP/Active Directory For Database Access Control

1. A new user is added to, or an existing user is deleted from, LDAP (Active Directory).
2. A regularly scheduled upload loads the LDAP group's users into a group definition on the Guardium appliance.
3. The updated group information is installed into the policy.
4. The Guardium heterogeneous DB access control policy (S-GATE) validates the group information in the security policy: user added, access permitted; user deleted, access denied. Applies to Oracle, DB2, MySQL, Sybase, etc.

Page 33

LDAP Group Import (step 1): sAMAccountName import

Page 34

Updated group content will be installed into the policy. Users not in the group are prevented from executing any transactions in the database.

Page 35

Result of the policy test:
– test1 is in the LDAP group: transaction OK
– test2 is not in the LDAP group: no transactions
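The four-step flow on pages 32 to 35 has one property worth seeing end to end: the policy enforces a copy of the directory group that is only as fresh as the last scheduled import. The simulation below is an added example for this transcript, not Guardium's implementation. It models the appliance-side group copy, the scheduled import, and the session decision, then walks the test1/test2 case from page 35 plus an offboarding in between imports. The 30-minute schedule, the user names and the "fail closed when the copy is stale" rule are assumptions.

```python
"""LDAP-group-driven database access policy with a scheduled import.

Added example for the LDAP/Active Directory integration steps on the preceding
pages; it is not Guardium's implementation. Directory membership, the import
schedule and the user names are constructed for the walkthrough.
"""
from datetime import datetime, timedelta

IMPORT_INTERVAL = timedelta(minutes=30)   # assumed schedule for the group upload


class DirectoryGroup:
    """Stand-in for the AD group whose sAMAccountName values get imported."""

    def __init__(self, members):
        self.members = {m.lower() for m in members}   # sAMAccountName is case-insensitive

    def add(self, name):
        self.members.add(name.lower())

    def remove(self, name):
        self.members.discard(name.lower())


class AccessPolicy:
    """The appliance-side group copy; refreshed only by the scheduled import."""

    def __init__(self):
        self.allowed = set()
        self.last_import = None

    def scheduled_import(self, group, now):
        self.allowed = set(group.members)
        self.last_import = now

    def decide(self, db_user, now):
        """Permit the session only if the DB user is in the imported group copy."""
        if self.last_import is None:
            return "denied (no group imported yet)"
        if now - self.last_import > IMPORT_INTERVAL:
            return "denied (group copy stale)"   # assumed fail-closed rule
        return "permitted" if db_user.lower() in self.allowed else "denied"


def exposure_window(deleted_at, next_import):
    """How long a removed user keeps database access before the next import."""
    return max(next_import - deleted_at, timedelta(0))


def simulate():
    """Walk the add/delete flow; return each decision plus the exposure window in minutes."""
    t0 = datetime(2015, 7, 1, 9, 0)
    ad = DirectoryGroup(["test1", "dbadmin"])
    pol = AccessPolicy()
    pol.scheduled_import(ad, t0)                          # step 2/3: group copy installed
    out = {
        "test1 @09:05": pol.decide("TEST1", t0 + timedelta(minutes=5)),
        "test2 @09:05": pol.decide("test2", t0 + timedelta(minutes=5)),
    }
    deleted_at = t0 + timedelta(minutes=10)
    ad.remove("test1")                                    # step 1: HR offboards test1
    out["test1 @09:15 (deleted, before import)"] = pol.decide("test1", t0 + timedelta(minutes=15))
    pol.scheduled_import(ad, t0 + IMPORT_INTERVAL)        # next scheduled upload
    out["test1 @09:35 (after import)"] = pol.decide("test1", t0 + timedelta(minutes=35))
    out["exposure_minutes"] = int(exposure_window(deleted_at, t0 + IMPORT_INTERVAL).total_seconds() // 60)
    return out


if __name__ == "__main__":
    for k, v in simulate().items():
        print(f"{k}: {v}")
```

The offboarded user is still permitted at 09:15 because the policy copy was taken at 09:00. Shortening the import schedule, or triggering the import from the directory change itself, is what shrinks that window; the stale-copy rule only stops the policy from running forever on an old membership list.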

Page 36

(Repeat of page 21: Using Identity and Access Management solutions can help mitigate risks)

Page 37

Monitoring OS users that "switch identity" to different user accounts
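The monitoring problem on this slide is that the database sees `oracle` or `postgres` connect locally, while the person who typed the command logged in as someone else and switched identity with `su` or `sudo`. The script below is an added illustration of that chaining idea, written for this transcript; it is not Guardium's UID chaining implementation and does not describe how the product collects its data. It parses constructed Linux auth-log lines (syslog format, pam_unix and sudo messages) together with a constructed database-side session record, links the first hop by process id and later hops by the latest earlier switch into that account, and reports the full chain from login user to database account. Timestamps, hostnames, pids and users are all invented.

```python
"""Chain an OS login identity through su/sudo to the database account it used.

Added illustration of the 'switch identity' monitoring idea on this slide; it is
not Guardium's UID chaining implementation. The auth-log lines and the database
session records are constructed; pids, users and times are invented.
"""
import re

AUTH_LOG = """\
Jul  1 09:00:01 db01 sshd[4101]: Accepted publickey for alice from 10.0.5.23 port 50112 ssh2
Jul  1 09:00:01 db01 sshd[4101]: pam_unix(sshd:session): session opened for user alice by (uid=0)
Jul  1 09:01:10 db01 su[4150]: pam_unix(su-l:session): session opened for user oracle by alice(uid=1001)
Jul  1 09:02:30 db01 sudo[4199]:     bob : TTY=pts/2 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/bash
Jul  1 09:02:31 db01 su[4203]: pam_unix(su-l:session): session opened for user postgres by root(uid=0)
"""
# Constructed database-side records: (time, OS user the DB saw, DB user, client pid)
DB_SESSIONS = [
    ("09:01:15", "oracle", "SYS", 4150),
    ("09:02:40", "postgres", "postgres", 4203),
]

LINE_RE = re.compile(r"^\w{3}\s+\d+ (\d\d:\d\d:\d\d) \S+ (su|sudo|sshd)\[(\d+)\]: (.*)$")
SU_RE = re.compile(r"session opened for user (\S+) by (\S+)\(uid=\d+\)")
SUDO_RE = re.compile(r"^\s*(\S+) : .*USER=(\S+) ;")


def parse_switches(log):
    """Return identity switches as (time, pid, origin_user, target_user) tuples."""
    switches = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, prog, pid, rest = m.groups()
        if prog == "su":
            s = SU_RE.search(rest)
            if s:
                target, origin = s.groups()
                switches.append((ts, int(pid), origin, target))
        elif prog == "sudo":
            s = SUDO_RE.match(rest)
            if s:
                origin, target = s.groups()
                switches.append((ts, int(pid), origin, target))
    return switches


def sample_switches():
    return parse_switches(AUTH_LOG)


def chain_identity(os_user, pid, ts, switches):
    """Walk back from the DB-side OS user to the account that actually logged in.

    First hop: the su/sudo record with the session's own pid (assumed to be the
    shell su spawned). Later hops: the latest switch into that user at or before
    the hop's time. Stops at a user nobody switched into, or on a cycle.
    """
    chain = [os_user]
    cur, cur_ts = os_user, ts
    by_pid = [s for s in switches if s[1] == pid and s[3] == os_user]
    hop = by_pid[-1] if by_pid else None
    while True:
        if hop is None:
            cands = [s for s in switches if s[3] == cur and s[0] <= cur_ts]
            if not cands:
                break
            hop = max(cands)          # latest by timestamp (first tuple field)
        origin = hop[2]
        if origin in chain:
            break
        chain.append(origin)
        cur, cur_ts = origin, hop[0]
        hop = None
    return list(reversed(chain))


def attribute_sessions(log=AUTH_LOG, sessions=DB_SESSIONS):
    """One 'login -> ... -> db:user' string per database session."""
    switches = parse_switches(log)
    return [" -> ".join(chain_identity(os_user, pid, ts, switches) + [f"db:{db_user}"])
            for ts, os_user, db_user, pid in sessions]


if __name__ == "__main__":
    for line in attribute_sessions():
        print(line)
```

Without the chain, the audit trail says `SYS` was used by `oracle`, which is every DBA on the box. With it, the record says alice, and the `bob -> root -> postgres` chain shows a sudo-to-root hop that a shared-account policy would want to alert on. The pid and time correlation here is the assumption to validate on a real host: a long-lived shell can hold a switched identity for hours, so the "latest switch before this time" rule should be bounded by the session-close events as well.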

Page 38: Summary

Find more on SecurityIntelligence.com

IBM X-Force Threat Intelligence Quarterly and other research reports: http://www.ibm.com/security/xforce/

Twitter: @ibmsecurity and @ibmxforce

IBM X-Force Security Insights Blog: www.SecurityIntelligence.com/topics/x-force

Data Security and Privacy Information: http://www-03.ibm.com/software/products/en/category/data-security

Page 39

Q&A

Page 40

© Copyright IBM Corporation 2015. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind, express or implied. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, these materials. Nothing contained in these materials is intended to, nor shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software. References in these materials to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates. Product release dates and / or capabilities referenced in these materials may change at any time at IBM’s sole discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any way. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service marks of others.

Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed, misappropriated or misused or can result in damage to or misuse of your systems, including for use in attacks on others. No IT system or product should be considered completely secure and no single product, service or security measure can be completely effective in preventing improper use or access. IBM systems, products and services are designed to be part of a lawful, comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective. IBM DOES NOT WARRANT THAT ANY SYSTEMS, PRODUCTS OR SERVICES ARE IMMUNE FROM, OR WILL MAKE YOUR ENTERPRISE IMMUNE FROM, THE MALICIOUS OR ILLEGAL CONDUCT OF ANY PARTY.

THANK YOU
www.ibm.com/security