X-Force Threat Intelligence: Fight Insider Threats & Protect Your Sensitive Data
Transcript of X-Force Threat Intelligence: Fight Insider Threats & Protect Your Sensitive Data
© 2015 IBM Corporation
Fight Insider Threats & Protect Your Sensitive Data
Robert Freeman, Joe DiPietro
X-Force Threat Intelligence:
Insights from the 2Q 2015 X-Force Threat Intelligence Quarterly with Guardium Database Security
2 © 2015 IBM Corporation
Agenda
Robert Freeman: X-Force background; highlights from Q2 2015 X-Force
– Classifications of insider threats
– Modern trends in enterprise breach methodology
– Breach planning and recommendations
Joe DiPietro: Database security controls using IBM Guardium
– Identifying privileged users with entitlement reports
– Integrating LDAP & Active Directory with database security controls
– Monitoring operating system users that access the database
3 © 2015 IBM Corporation
IBM X-Force Research and Development is the foundation for advanced security and threat research across the IBM Security Framework.
4 © 2015 IBM Corporation
IBM X-Force® Research and Development
Research areas: Vulnerability Protection, IP Reputation, Anti-Spam, Malware Analysis, Web Application Control, URL / Web Filtering, Zero-day Research
The IBM X-Force Mission
– Monitor and evaluate the rapidly changing threat landscape
– Research new attack techniques and develop protection for tomorrow’s security challenges
– Educate our customers and the general public
– Integrate and distribute Threat Protection and Intelligence to make IBM solutions smarter
– Expert analysis and data sharing on the global threat landscape
5 © 2015 IBM Corporation
IBM X-Force monitors and analyzes the changing threat landscape
20,000+ devices under contract
15B+ events managed per day
133 monitored countries (MSS)
3,000+ security related patents
270M+ endpoints reporting malware
25B+ analyzed web pages and images
12M+ spam and phishing attacks daily
89K+ documented vulnerabilities
860K+ malicious IP addresses
Millions of unique malware samples
6 © 2015 IBM Corporation
Source: IBM X-Force Threat Intelligence Quarterly – 1Q 2015 and 2014 IBM Chief Information Security Officer Assessment
83% of CISOs say that the challenge posed by external threats has increased in the last three years
Near Daily Leaks of Sensitive Data
40% increase in reported data breaches and incidents
Relentless Use of Multiple Methods
800,000,000+ records were leaked, while the future shows no sign of change
“Insane” Amounts of Records Breached
42% of CISOs claim the risk from external threats increased dramatically from prior years.
7 © 2015 IBM Corporation
According to Ponemon Institute, the cost of a data breach to global organizations is on the rise
Source: Ponemon Institute Cost of Data Breach Study
$154: average cost per record compromised
23% increase: total cost of a data breach, net change over two years
$3.79 million: average total cost per data breach
Average per capita cost: FY 2013 $136; FY 2014 $145 (up 7%); FY 2015 $154 (up 6%)
Net change over 1 year = 6%; net change over 2 years = 12%
8 © 2015 IBM Corporation
Overwhelmingly, survey respondents identify evasion of existing security controls as a key reason for breaches
Reasons cited by respondents:
– Other: 3%
– Lack of accountability: 6%
– Lack of data classification: 7%
– Incomplete knowledge of where sensitive data exists: 12%
– Poor leadership: 15%
– Third-party vetting failure: 20%
– Lack of in-house expertise: 35%
– Insufficient funding: 37%
– Evaded existing preventive security controls: 65%
Source: Ponemon Institute Cost of Data Breach Study. Two responses permitted.
9 © 2015 IBM Corporation
Recent data from IBM Security Services shows 55% of all attacks were found to be carried out by malicious insiders or inadvertent actors
Source: IBM 2015 Cyber Security Intelligence Index, Figure 5
10 © 2015 IBM Corporation
New classifications of Insider Threats
– Disgruntled employees
– Malicious insiders
– Inadvertent insiders
– Quasi-insiders
Traditionally, “insider threats” meant disgruntled or negligent employees inflicting harm on the company’s assets; today many different classifications have come forward.
11 © 2015 IBM Corporation
Modern trends in enterprise computing increase the attack surface of people with trusted access
Attack Vectors
• Trusted users with privileged access to systems housing critical business, PII and monetary assets
• The digital connectivity of IoT opens up new entry points into physical systems.
• Third party contractors or suppliers can widen the attack surface
• Inadvertent insiders can merely click a malicious link
Trends: Social Media, Big data, Mobility, Cloud
12 © 2015 IBM Corporation
Physical security is just as important as digital monitoring
Maintaining a rigorous security posture that considers not just digital but also physical security is key to protect against insider threats.
13 © 2015 IBM Corporation
Spam origination efforts have become so distributed that no one country exceeds 8% of the total volume.
Source: IBM X-Force Threat Intelligence Quarterly, 2Q 2015
14 © 2015 IBM Corporation
Any insider, even those with the best of intentions, can inadvertently aid in an attack by clicking on a malicious link sent in a phishing email.
Source: IBM X-Force Threat Intelligence Quarterly, 2Q 2015
15 © 2015 IBM Corporation
Network administrators can take a few basic steps to fend off malicious spam attachments
Keep your spam and virus filters up to date.
Block executable attachments. In regular business environments it is unusual to send executable attachments. Most spam filters can be configured to block executable files even when they are within zip attachments.
Use mail client software that allows disabling automatic rendering of attachments and graphics, and preloading of links—and then disable them.
Educate users on the potential danger of spam and the actions to take.
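An added example (not IBM's or Guardium's code) of the attachment rule above: a gateway check that blocks executable attachments and also looks inside zip attachments, nested zips included, for executable members. The extension list and the sample message are constructed for illustration.

```python
import io
import zipfile
from email.message import EmailMessage

# Extensions treated as executable content in a regular business environment (constructed list).
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".bat", ".cmd", ".js", ".vbs", ".ps1", ".msi"}

def is_executable_name(filename):
    name = (filename or "").lower()
    return any(name.endswith(ext) for ext in EXECUTABLE_EXTS)

def executables_in_zip(data):
    """Names of executable members inside a zip, recursing into nested zips."""
    found = []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if is_executable_name(info.filename):
                    found.append(info.filename)
                elif info.filename.lower().endswith(".zip"):
                    found.extend(f"{info.filename}/{n}" for n in executables_in_zip(zf.read(info)))
    except zipfile.BadZipFile:
        found.append("<unreadable zip>")  # a corrupt or fake archive is treated as suspicious
    return found

def blocked_attachments(msg):
    """Return (filename, reason) for every attachment the gateway should block."""
    blocked = []
    for part in msg.iter_attachments():
        fname = part.get_filename() or "<unnamed>"
        payload = part.get_payload(decode=True) or b""
        if is_executable_name(fname):
            blocked.append((fname, "executable attachment"))
        elif fname.lower().endswith(".zip") or payload[:2] == b"PK":  # check content, not just name
            inner = executables_in_zip(payload)
            if inner:
                blocked.append((fname, "zip contains executable: " + ", ".join(inner)))
    return blocked

def build_sample_message():
    """Constructed test message: a harmless PDF, a bare .exe and a zip hiding an .scr."""
    msg = EmailMessage()
    msg.set_content("See attached.")
    msg.add_attachment(b"%PDF-1.4 sample", maintype="application", subtype="pdf", filename="invoice.pdf")
    msg.add_attachment(b"MZ fake", maintype="application", subtype="octet-stream", filename="update.exe")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.scr", "not really a screensaver")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename="invoice.zip")
    return msg
```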
16 © 2015 IBM Corporation
Every breach requires a plan of action
Forensic analytics can provide the insights to understand what is happening in the network and what steps are necessary to prevent threats.
Full Packet Capture
• Capture packets off the network
• Include other, related structured and unstructured content stored within the network
Retrieval & Session Reconstruction
• For a selected security incident, retrieve all the packets (time bounded)
• Re-assemble into searchable documents including full payload displayed in original form
Forensics Activity
• Navigate to uncover knowledge of threats
• Switch search criteria to see hidden relationships
17 © 2015 IBM Corporation
Because many compromises take place over longer periods of time, providing the largest window at the lowest cost takes on great importance
Source: IBM X-Force Threat Intelligence Quarterly, 2Q 2015
18 © 2015 IBM Corporation
Visualizing "outliers" in your network takes on greater significance
Source: IBM X-Force Threat Intelligence Quarterly, 2Q 2015
19 © 2015 IBM Corporation
Reconstruction enables organizations to view recorded network transactions in formats tailored for human consumption
Different types of reconstruction:
• Web page
• Chat
• Social networking
• Webmail
• Blogging
• File transfers
• File attachments
• File metadata
• File flows (attached executables, JavaScript, macros, redirects)
Traffic Capture
20 © 2015 IBM Corporation
People can be the weakest link in securing valuable data
21 © 2015 IBM Corporation
Using Identity and Access management solutions can help mitigate risks
• Strong authentication that relies on sound policy for identity assurance
• Use identity governance solutions to help classify users by roles and access requirements
• Privileged IDs are growing, so control the associated risk.
• Grant user entitlements appropriately and keep them updated
• Manage and monitor users for both security and compliance.
© 2015 IBM Corporation
Joe DiPietro
23 © 2015 IBM Corporation
Guardium Actionable Controls Regarding X-Force Report
– Identify privileged users with Guardium entitlement reports
– Integrate database security controls with LDAP/Active Directory for on-boarding & off-boarding employees
– Monitor privileged user access at the operating system with UID chaining
24 © 2015 IBM Corporation
Identifying Privilege Users With Database Security Controls
Attack Vectors
• Trusted users with privileged access to systems housing critical business, PII and monetary assets
• The digital connectivity of IoT opens up new entry points into physical systems.
• Third party contractors or suppliers can widen the attack surface
• Inadvertent insiders can merely click a malicious link
Database Privilege Users
– Accounts with system privileges
– All system and admin privileges (by user/role)
– Object privileges by user
– Roles granted (user and roles)
– Privilege grants
– Execute privileges by procedure
25 © 2015 IBM Corporation
Entitlement Reporting: Reducing the Cost of Managing User Rights
Provides a simple means of aggregating and understanding entitlement information
– Scans and collects information on a scheduled basis, including group and role information
– Out-of-the-box reports for common views
– Report writer for custom views
– Support for all major DBMS platforms
– Integrated with all other modules including workflow, enterprise integrator, etc.
Database Privilege Users
– Accounts with system privileges
– All system and admin privileges (by user/role)
– Object privileges by user
– Roles granted (user and roles)
– Privilege grants
– Execute privileges by procedure
Eliminates the resource-intensive and error-prone process of manually examining each database and stepping through roles
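An added example (not Guardium's code) of the work an entitlement report does when it "steps through roles": it walks nested role grants to compute each user's effective privileges and produces two of the views listed above, accounts with system privileges and execute privileges by procedure. The rows are constructed to mirror the shape of Oracle's DBA_SYS_PRIVS, DBA_ROLE_PRIVS and DBA_TAB_PRIVS views; the users, roles and objects are invented.

```python
from collections import defaultdict

# (grantee, privilege) -- shape of DBA_SYS_PRIVS; constructed rows
SYS_PRIVS = [("DBA_ROLE", "ALTER ANY TABLE"), ("APP_ADMIN", "CREATE USER"), ("READONLY", "CREATE SESSION")]
# (grantee, granted_role) -- shape of DBA_ROLE_PRIVS; the last row forms a cycle so the walk must terminate
ROLE_PRIVS = [("alice", "APP_ADMIN"), ("APP_ADMIN", "DBA_ROLE"), ("bob", "READONLY"),
              ("DBA_ROLE", "APP_ADMIN")]
# (grantee, object, privilege) -- shape of DBA_TAB_PRIVS; constructed rows
TAB_PRIVS = [("READONLY", "HR.EMPLOYEES", "SELECT"), ("DBA_ROLE", "HR.PAYROLL_PKG", "EXECUTE")]
USERS = {"alice", "bob"}
ADMIN_PRIVS = {"ALTER ANY TABLE", "CREATE USER"}  # what this report treats as admin-level (assumption)

def expand_roles(grantee):
    """All roles reachable from a grantee through nested role grants, cycle-safe."""
    seen, stack = set(), [grantee]
    while stack:
        g = stack.pop()
        for holder, role in ROLE_PRIVS:
            if holder == g and role not in seen:
                seen.add(role)
                stack.append(role)
    return seen

def effective_privileges(user):
    """Map privilege -> set of grant paths ('direct' or 'via <role>')."""
    privs = defaultdict(set)
    principals = {user} | expand_roles(user)
    for grantee, p in SYS_PRIVS:
        if grantee in principals:
            privs[p].add("direct" if grantee == user else f"via {grantee}")
    for grantee, obj, p in TAB_PRIVS:
        if grantee in principals:
            privs[f"{p} ON {obj}"].add("direct" if grantee == user else f"via {grantee}")
    return dict(privs)

def privileged_accounts():
    """'Accounts with system privileges' view: users holding an admin-level system privilege."""
    return sorted(u for u in USERS if ADMIN_PRIVS & set(effective_privileges(u)))

def execute_grants_by_procedure():
    """'Execute privileges by procedure' view: object -> users who can run it, however granted."""
    out = defaultdict(set)
    for u in USERS:
        for priv in effective_privileges(u):
            if priv.startswith("EXECUTE ON "):
                out[priv[len("EXECUTE ON "):]].add(u)
    return {k: sorted(v) for k, v in out.items()}
```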
26 © 2015 IBM Corporation
Heterogeneous Database Entitlement Reports – Oracle Report
27 © 2015 IBM Corporation
DB2 Entitlement Reports
28 © 2015 IBM Corporation
Microsoft SQL Server Entitlement Reports
29 © 2015 IBM Corporation
Informix Entitlement Reports
30 © 2015 IBM Corporation
Sybase Entitlement Reports
© 2015 IBM Corporation
Integrating LDAP & Active Directory With Database Security Controls
32 © 2015 IBM Corporation
Integrating LDAP/Active Directory For Database Access Control
1. New user added to or deleted from LDAP (Active Directory)
2. Regularly scheduled upload of users from the LDAP server (Active Directory) into the group definition on the Guardium appliance
3. Group information updated in policy
4. Guardium heterogeneous DB access control policy (S-GATE) validates group information in the security policy in front of the database (Oracle, DB2, MySQL, Sybase, etc.): user added – access permitted; user deleted – access denied
33 © 2015 IBM Corporation
LDAP Group Import
sAMAccountName import
34 © 2015 IBM Corporation
Updated group content will be installed into the policy
If not in the group, users will be prevented from executing any transactions in the database
35 © 2015 IBM Corporation
– test1 in LDAP: transaction OK
– test2 not in LDAP: no transactions
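The import-then-enforce flow on the preceding slides, reduced to code as an added example (not Guardium's implementation): a scheduled job copies the sAMAccountName values of one directory group into the policy's group, and the policy permits a database transaction only for logins in that group. The directory snapshot, group DN and user names (test1, test2) are constructed; the demo also shows that a user deleted from the directory keeps access until the next scheduled import runs.

```python
from dataclasses import dataclass, field

# Constructed directory snapshot: group DN -> member sAMAccountName values.
LDAP_GROUPS = {"cn=db-users,ou=groups,dc=example,dc=com": {"test1", "dba1"}}

@dataclass
class Policy:
    group_dn: str
    allowed_users: set = field(default_factory=set)  # installed group content
    last_sync: int = -1                               # when the group was last imported

def scheduled_group_import(policy, directory, now):
    """The scheduled upload step: replace the policy's group content with the directory's members."""
    policy.allowed_users = set(directory.get(policy.group_dn, set()))
    policy.last_sync = now
    return policy.allowed_users

def evaluate(policy, db_user, sql):
    """Gate decision: a login outside the group executes no transactions."""
    if db_user in policy.allowed_users:
        return ("permit", f"{db_user} in group: {sql}")
    return ("deny", f"{db_user} not in group: transaction blocked")

def demo():
    """Walk through on-boarding and off-boarding against a private copy of the snapshot."""
    directory = {dn: set(members) for dn, members in LDAP_GROUPS.items()}
    policy = Policy("cn=db-users,ou=groups,dc=example,dc=com")
    scheduled_group_import(policy, directory, now=0)
    first = [evaluate(policy, u, "SELECT * FROM hr.employees")[0] for u in ("test1", "test2")]
    # Off-boarding: test1 is removed from the directory, but the policy only learns that on the next import.
    directory[policy.group_dn].discard("test1")
    before_sync = evaluate(policy, "test1", "SELECT 1")[0]
    scheduled_group_import(policy, directory, now=1)
    after_sync = evaluate(policy, "test1", "SELECT 1")[0]
    return first, before_sync, after_sync
```

The gap between `before_sync` and `after_sync` is the window a deleted account keeps database access, so the import schedule is part of the control's strength.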
36 © 2015 IBM Corporation
Using Identity and Access management solutions can help mitigate risks
• Strong authentication that relies on sound policy for identity assurance
• Use identity governance solutions to help classify users by roles and access requirements
• Privileged IDs are growing, so control the associated risk.
• Grant user entitlements appropriately and keep them updated
• Manage and monitor users for both security and compliance.
37 © 2015 IBM Corporation
Monitoring OS Users that “Switch Identity” To Different Users Accounts
38 © 2015 IBM Corporation
Summary
Find more on SecurityIntelligence.com
IBM X-Force Threat Intelligence Quarterly and other research reports: http://www.ibm.com/security/xforce/
Twitter: @ibmsecurity and @ibmxforce
IBM X-Force Security Insights Blog: www.SecurityIntelligence.com/topics/x-force
Data Security and Privacy Information: http://www-03.ibm.com/software/products/en/category/data-security
© 2015 IBM Corporation
Q&A
© Copyright IBM Corporation 2015. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind, express or implied. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, these materials. Nothing contained in these materials is intended to, nor shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software. References in these materials to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates. Product release dates and / or capabilities referenced in these materials may change at any time at IBM’s sole discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any way. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service marks of others.
Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed, misappropriated or misused or can result in damage to or misuse of your systems, including for use in attacks on others. No IT system or product should be considered completely secure and no single product, service or security measure can be completely effective in preventing improper use or access. IBM systems, products and services are designed to be part of a lawful, comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective. IBM DOES NOT WARRANT THAT ANY SYSTEMS, PRODUCTS OR SERVICES ARE IMMUNE FROM, OR WILL MAKE YOUR ENTERPRISE IMMUNE FROM, THE MALICIOUS OR ILLEGAL CONDUCT OF ANY PARTY.
THANK YOU
www.ibm.com/security