IBM Security Briefing: Differentiators & Maturity Model


(1)

IBM Security Briefing: Differentiators & Maturity Model

Hamilton, Bermuda, February 11, 2015

Norman John, MBA
IBM Security Sales Executive – Ontario & Caribbean
[email protected]

© 2013 IBM Corporation © 2014 IBM Corporation

(2)

Why IBM Security?

Our Key Differentiators

(3)

IBM Security Experience & Expertise

Timeline (figure residue), 1976 – 2014, with milestone years 1976, 1999, 2002, 2005, 2006, 2007, 2008, 2009, 2010, 2011, 2012, 2013, 2014 and labels: Mainframe; Identity; Endpoint; Advanced fraud protection; Secure mobile management; Cloud-enabled identity management; Identity governance; Security intelligence; IBM Security is created; Security Enterprise.

Capability areas listed along the timeline: security services and network security; enterprise single-sign-on; mainframe and server security; identity management; directory integration; endpoint management and security; information and analytics management; application security; risk management; data management; database monitoring and protection; application security; access management; SOA management and security.

IBM Security Investment
• 6,000+ IBM Security experts worldwide
• 1,700+ IBM security patents
• 4,000+ IBM managed security services clients worldwide
• 25 IBM Security labs worldwide

(4)

IBM Security Systems

Analysts Consistently Rank IBM Security as Leading the Market

Domain: Leading Market Segment
• Security Intelligence: Security Information and Event Management (SIEM)
• Anti-Fraud: Web Fraud Detection (Trusteer)
• People: Federated Identity Management and Single Sign-On; Identity and Access Governance; Role Management and Access Recertification; Web Access Management (WAM); Mobile Access Management; Identity Provisioning Management
• Data: Database Auditing and Real-Time Protection; Data Masking
• Applications: Application Security Testing (dynamic and static)
• Infrastructure: Network Intrusion Prevention Systems (NIPS)*; Endpoint: Client Management Tools; Endpoint Protection Platforms (EPP)*; Mobile Security (Fiberlink)
• Services: Managed Security Services (MSS); Information Security Consulting Services; Public Cloud Service Providers’ Security (IBM Bluemix)*

(5)

IBM X-Force: The Largest Security R&D Lab in the World

Threat categories tracked (figure residue): client side attacks, botnets, buffer overflow attacks, Distributed Denial of Service (DDoS), backdoors, cross-site scripting (XSS), malicious content, protocol tunneling, exploit toolkits, peer-to-peer networks, SQL injection, reconnaissance, trojans, worms.

• Cataloging, analyzing and researching vulnerabilities since 1997
• Providing zero-day threat alerts and exploit triage to IBM customers worldwide
• Building threat intelligence from collaborative data sharing across thousands of clients
• Analyzing malware and fraud activity from 270M+ Trusteer-protected endpoints

X-Force Keeps Customers Ahead of the Threat: sharing real-time and anonymized threat intelligence with IBM Security Operations Centers and Security Products

(6)

IBM Security Systems

The Most Global Coverage: Crawler, Sensors, Operations, Labs

IBM Security by the Numbers (figure residue; the numeric values did not survive extraction):
• monitored countries (MSS)
• service delivery experts
• devices under contract
• endpoints protected
• events managed per day

(7)

IBM Security Framework: Comprehensive, in-depth, unrivaled

Intelligence, integration, and expertise across a comprehensive framework

Key Security Trends (figure residue): Advanced threats; Cloud; Mobile; Compliance; CISO’s Changing Role

The IBM Security Framework

(8)

IBM Security Systems

(9)

Increase security, collapse silos, and reduce complexity

• Integrated Intelligence: consolidate and correlate siloed information from hundreds of sources
• Integrated Research: stay ahead of the changing threat landscape
• Integrated Protection: link security and vulnerability information across domains

(10)

Security Maturity Model

(11)

Security Intelligence is enabling progress to optimized security

Security Intelligence
• Optimized: Flow analytics / predictive analytics
• Proficient: Security information and event management
• Basic: Log management

Optimized
• People: Identity governance; Fine-grained entitlements; Privileged user management
• Data: Data governance; Encryption key management
• Applications: Fraud detection; Hybrid scanning and correlation
• Infrastructure: Multi-faceted network protection; Anomaly detection; Hardened systems

Proficient
• People: User provisioning; Access management; Strong authentication
• Data: Data masking / redaction; Database activity monitoring; Data loss prevention
• Applications: Web application protection; Source code scanning
• Infrastructure: Virtualization security; Asset management; Endpoint / network security management

Basic
• People: Directory management
• Data: Encryption; Database access control
• Applications: Application scanning
• Infrastructure: Perimeter security; Host security; Anti-virus

(12)

IBM Security Systems

Security Intelligence is enabling progress to optimized security (control – IBM product)

Security Intelligence
• Optimized: Flow analytics – QRadar Network Activity Monitoring (VFlow / QFlow); Predictive analytics – QRadar Risk Manager
• Proficient: Security information and event management – QRadar SIEM
• Basic: Log management – QRadar Log Manager

Optimized
• Identity governance – Identity Manager + Role Lifecycle Manager
• Fine-grained entitlements – Security Policy Manager
• Privileged user management – Privileged Identity Manager; zSecure + IM / AM.next
• Data governance – InfoSphere Discovery
• Encryption key management – IBM Key Lifecycle Manager
• Fraud detection – Trusteer; AppScan + QRadar
• Hybrid scanning and correlation – AppScan Standard
• Multi-faceted network protection – IBM Network Protection (XGS)
• Anomaly detection – QRadar Network Anomaly Detection
• Hardened systems – Host Protection; Trusteer

Proficient
• User provisioning – Identity Manager; zSecure
• Access management – Access Manager / ESSO; Federated Identity Manager
• Strong authentication – Partners + Access Manager enhancements
• Data masking / redaction – InfoSphere Guardium Data Redaction; Optim Data Masking
• Database activity monitoring – InfoSphere Guardium Database Activity Monitor
• Data loss prevention – InfoSphere Guardium; IBM Endpoint Manager for Core Protection; Network Intrusion Prevention (GX)
• Web application protection – DataPower + Network Intrusion Prevention (GX)
• Source code scanning – AppScan Source
• Virtualization security – Virtual Server Protection; QRadar VFlow
• Asset management – IBM Endpoint Manager
• Endpoint / network security management – IBM Endpoint Manager; SiteProtector; Host Protection

Basic
• Directory management – Directory Server; Directory Integrator
• Encryption – DB2 Encryption Expert
• Database access control – InfoSphere Guardium
• Application scanning – AppScan on Demand; AppScan Standard; AppScan Enterprise
• Perimeter security – Network Intrusion Prevention (GX)
• Host security – RACF; Host Protection
• Anti-virus – IBM Endpoint Manager for Core Protection

(13)

Manage and extend enterprise identity context across security domains with comprehensive Identity Intelligence

People

Maturity levels: Optimized, Basic, Proficient
Approximate % of Clients that Have Reached the Maturity Level: 45 – 60%, 30 – 40%, 10 – 15%

• Risk Identification: Have you rolled out an identity program?
• Automation/Scalability/Remediation: How are you managing user access to resources?
• Integration/Analytics/Governance: Do you have automated, policy-driven identity and role based management?

Controls and IBM products
• Directory management – Directory Server; Directory Integrator
• User provisioning – Identity Manager
• Access management – Access Manager / ESSO / Federated Identity Manager
• Strong authentication – Access Manager for Web & Mobile (MFA)
• Privileged user management – Privileged Identity Manager
• Fine-grained entitlements – Security Policy Manager
• Identity governance – Identity Manager + Governance Administration

(14)

IBM Security Systems

IBM Security Strategy for Identity and Access Management

(15)

Data

Enterprise-wide solutions for helping secure the privacy and integrity of trusted information in the data center

Maturity levels: Optimized, Basic, Proficient
Approximate % of Clients that Have Reached the Maturity Level: 50 – 70%, 20 – 30%, 5 – 10%

• Risk Identification: Have you classified and encrypted sensitive data?
• Automation/Scalability/Remediation: Do you know if sensitive data leaves your network?
• Integration/Analytics/Governance: Can you monitor (privileged) access to data?

Controls and IBM products
• Database access control – InfoSphere Guardium
• Encryption – DB2 Encryption Expert
• Data masking / redaction – InfoSphere Data Redaction / Optim Data Masking
• Database activity monitoring – Database Activity Monitor
• Data loss prevention – IBM Endpoint Manager for Core Protection + Next Gen Network Intrusion Prevention (XGS)
• Encryption key management – IBM Key Lifecycle Manager
• Data governance – InfoSphere Discovery

(16)

IBM Security Systems

IBM Security Systems

Applications

Help identify and remediate application vulnerabilities in both source code and live Web applications

Maturity levels: Optimized, Basic, Proficient
Approximate % of Clients that Have Reached the Maturity Level: 50 – 70%, 20 – 30%, 5 – 10%

• Risk Identification: Do you have a secure application development process?
• Automation/Scalability/Remediation: Are you regularly testing your website for vulnerabilities?
• Integration/Analytics/Governance: Can you test legacy applications for exposures?

Controls and IBM products
• Application scanning – AppScan Standard
• Web application protection – Next Gen IPS (XGS)
• Source code scanning – AppScan Source
• Hybrid scanning and correlation – AppScan Source + Enterprise
• Fraud detection – AppScan + QRadar

(17)

Application Security: Using AppScan for Vulnerability Assessments

Applications

Scanning Techniques (figure residue): static analysis (white box) and dynamic analysis (black box) applied across the Software Development Lifecycle (CODING, BUILD, QA, SECURITY, PRODUCTION) to Web Applications, Web Services, Mobile Applications, Programming Languages and Purchased Applications. Audience: Development teams, Security teams, Penetration Testers. Integrations: Build Systems improve scan efficiencies; Integrated Defect Tracking Systems track remediation; IDEs provide remediation assistance; Security Intelligence raises the threat level.

Key Themes
• Coverage for Mobile applications and new threats: Continue to identify and reduce risk by expanding scanning capabilities to new platforms such as mobile, as well as introducing next generation dynamic analysis scanning and glass box testing
• Simplified interface and accelerated ROI: New capabilities to improve customer time to value and consumability with out-of-the-box scanning, static analysis templates and ease of use features
• Security Intelligence Integration: Automatically adjust threat levels based on knowledge of application vulnerabilities by integrating and analyzing scan results with SiteProtector and the QRadar Security Intelligence Platform
• Governance and Collaboration: Test policies, test templates and access control; Dashboards, detailed reports and trending

(18)

IBM Security Systems

IBM Security Systems

Infrastructure

Help guard against sophisticated attacks with insight into users, content and applications; help endpoints, servers, and mobile devices remain compliant, updated, and protected

Maturity levels: Optimized, Basic, Proficient
Approximate % of Clients that Have Reached the Maturity Level: 1 – 5%, 75 – 85%, 5 – 10%

• Risk Identification: Are you providing basic threat management for all endpoints and network devices?
• Automation/Scalability/Remediation: Do you perform proactive threat and vulnerability management protection?
• Integration/Analytics/Governance: Is security built into new initiatives (e.g., Cloud, Mobile)?

Controls and IBM products
• Anti-virus – IBM Endpoint Manager for Core Protection; Trusteer Apex
• Host security – Host Protection
• Perimeter security – Firewall
• Endpoint / network security management – IBM Endpoint Manager + IBM Next Gen Intrusion Prevention System (XGS)
• Asset management – IBM Endpoint Manager; MaaS360
• Virtualization security – Virtual Server Protection; QRadar VFlow (netflow)
• Multi-faceted network protection – IBM Next Gen Intrusion Prevention System (XGS)
• Anomaly detection – QRadar Network Anomaly Detection
• Hardened systems – Host Protection; Trusteer Apex

(19)

Behavioral Detection Blocks Known and Unknown Attacks

Behavioral Detection Powered by X-Force Research

Ahead-of-the-threat extensible protection backed by the power of X-Force®

Protection capabilities (figure residue): Virtual Patch; Application Control; Client-side Application Protection; Web App Management; Reputation; Visibility; Network and User Policies; Web App; Network

(20)

IBM Security Systems

IBM Security Network Protection (XGS)

Unprecedented levels of network security, visibility and control

Protection from sophisticated and constantly evolving threats
– Behavioral detection fights 0-day attacks
– Protects against entire classes of vulnerabilities

Discover and disrupt previously unknown threats on the network
– Shows application and web use by user
– Detects and blocks malicious traffic
– Policy-based monitoring and blocking
– 20B URL database now includes Trusteer

Seamless deployment and integration
– Flexible performance, interfaces and options
– Ability to send flow data feeds to QRadar
– Receive quarantine triggers from QRadar

“...IBM performed extremely well in this testing, achieving an overall score of 95.7%. This speaks to the ability of the IBM IPS to perform against the types of constantly evolving threats that are often seen in today’s networks.”
Source: Vikram Phatak, Chairman and CEO of NSS Labs

• Ranked 2nd out of 10 IPS vendors for blocking exploits in 2013 group test
• Received ICSA certification for Network IPS and PAM engine in 2013
• Provided superior protection from mutated threats vs. SNORT engine
• Ranked “Champion” in latest IDPS vendor landscape report

(21)

Security Intelligence and Analytics

Helping customers optimize security with additional context, automation and integration

Maturity levels: Optimized, Basic, Proficient
% of Clients that Have Reached the Maturity Level: 50 – 70%, 20 – 30%, 5 – 10%

• Risk Identification: Are you meeting compliance and reporting requirements?
• Automation/Scalability/Remediation: Can you correlate events across domains and detect advanced threats?
• Integration/Analytics/Governance: Can you identify active attack paths and high-risk assets?

Controls and IBM products
• Log management – QRadar Log Manager
• Security information and event management – QRadar SIEM
• Flow analytics – QRadar Network Activity Monitoring (VFlow / QFlow)
• Predictive analytics – QRadar Risk Manager

(22)

IBM Security Systems

Security Intelligence: Integrating across IT silos

Extensive data sources + Deep intelligence = Exceptionally accurate and actionable insight

Data sources (figure residue): Data activity; Servers and mainframes; Configuration information; Security devices; Network and virtual activity; Application activity; Users and identities; Vulnerabilities and threats

Security Intelligence and Analytics
• Correlation: Logs/events; Flows; IP reputation; Geographic location
• Activity baselining and anomaly detection: User activity; Database activity; Application activity; Network activity
• Offense identification: Credibility; Severity; Relevance

Suspected incidents → True offense

Key Themes
• Increased Data Sources: Data from 450+ security collectors and integration with X-Force intelligence and other external feeds to use in analysis for determining relevant vulnerabilities and potential threats
• Integrated Vulnerability Management: Comprehensive understanding of the configuration and exposure of systems in the environment, enabling contextual analysis to determine vulnerabilities against particular threats
• Enhanced Identity Context: Integrated understanding of users, their roles, level of privilege, geographical location and their typical behaviors to enable enterprises to identify abnormal activity that might indicate insider threat

(23)

PCI Compliance


(24)

IBM Security Systems

Achieving PCI Compliance

Program elements (figure residue): GRC Program; GRC Assessments; Controls; Monitoring; Tools

(25)

IBM Payment Card Industry (PCI) Advisory Services

Protect cardholder data and achieve PCI¹ compliance

A Qualified Security Assessor (QSA) helps provide expert advice on definition and validation of PCI scope, remediation planning and compensating controls with acquiring institutions or card brands.

Customized assessment that helps determine your current compliance level and identify steps to avoid audit fatigue while addressing specific remediation requirements.

IBM’s PCI compliance approach
• Provides required documentation for PCI-DSS version 3.0 examination requirements – PCI gap assessment, PCI Report on Compliance (RoC), self-assessment questionnaire, and attestation on compliance
• Globally deployed services – IBM is a QSA, approved scanning vendor (ASV), payment application qualified security assessor (PA-QSA) and a payment card industry forensic investigator (PFI)
• Leverages IBM’s own experience in achieving PCI compliance across its own global businesses

¹ PCI = Payment Card Industry

(26)

IBM Security Systems

(27)

IBM Security Solutions & PCI Compliance

PCI Point | Item | Description
1,2 | IPS for Perimeter and Core | XGS Network Protection Appliance - Next Gen IPS
1,2,3,4,6,7,8,10,11 | SIEM | QRadar All-in-one Appliance, QRadar Risk Manager, QRadar Vulnerability Manager
1, 2, 5, 6 | Mobile Device Controls | IBM MaaS 360
5,6 | Anti-Malware | IBM Endpoint Manager for Core Protection
5,6 | Application Scanning | IBM AppScan Standard
3,6,7,8,9,10 | Identity Management | Privileged Identity Manager
3,4 | Data Protection | Security Key Lifecycle Manager
3,4 | Data Protection | Guardium Database Activity Monitor & Optim Data Masking

(28)

IBM Security Systems

PCI Compliance Zone: Segregation, Monitoring, Control

Network diagram (figure residue): Untrusted Internet / Public Internet with External Users; DMZ hosting the Online & Mobile Banking Application and External APIs Using PCI Data; Trusted Intranet with File Servers, Database Servers, Storage Library, Employee Access and Security & Compliance Systems. Controls annotated with PCI requirement numbers (1 – 12): Perimeter Firewall, Perimeter IPS, Core IPS, QRadar, AppScan, IBM Endpoint Manager, Anti-Malware Servers, Database Security, privileged user controls.

(29)

IBM Security Services


(30)

IBM Security Systems

IBM Advanced Threat Assessment (ATA)

Uncover indicators of compromise and hidden threats

Assessment phases (figure): Targeted External Testing; Data Collection & Reconnaissance; Internal Scanning & Analysis; Reviews & Interviews

Coordinated Attack Simulation
Targeted penetration testing helps identify vulnerable systems and applications from an attacker’s perspective, conducted with broad coverage or using customized and simulated events. An on-site coordinator assists with validating that detection mechanisms are successfully detecting malicious activity.

Tool based APT Forensic Scanning
Checks for the presence of behavioral Indicators of Compromise (IOCs) frequently seen with intrusions indicating a currently active but previously unknown compromise.

Memory (RAM) Analysis
For systems identified with suspicious activity, a remote memory (RAM, volatile data) analysis may be done looking for common malware traits.

System Log Analysis
Logs from firewalls, IDS/IPS devices, Network AV servers, DNS and other systems can help reveal IOCs of an intruder or the presence of malware.

Critical Controls Review
Assessment of the level of implementation of SANS Top 20 Critical Security Controls helps to develop an overall security strategy.

(31)

A First of a Kind partnership with IBM and AT&T

NEW: IBM Threat Management and Analysis Service

• Transform the network security infrastructure with strategic consulting & optimization, cloud delivered services and integrated threat monitoring
• Control costs by transitioning from capital to operating expenditures
• Minimize the demand to identify and retain security experts
• Reduce risk through global threat intelligence, managed security services and emergency response services
• Gain the flexibility to meet unique security and financial demands
• Best of breed approach through strategic partnership between two leaders in security & telecom

Service components
• IBM – Network & Security Optimization Consulting
• AT&T – Secure Network Gateway
• IBM – Security Monitoring & Threat Intelligence
• IBM – Emergency Response Services

(32)

IBM Security Systems

Security optimization with advanced threat detection

Managed Security Information and Event Management
• Multiple offering packages to ensure flexibility: flexible service levels to support less demanding and also mission critical environments
• Security Operations Optimization: IBM Security operations consultants help design and deploy an advanced world-class SIEM for your organization
• Real-time monitoring provides 24x7 security awareness, ensuring that attackers never have an after-hours advantage
• Comprehensive incident escalation and reporting are designed to meet stringent audit requirements and optimize investigation
• Industry-leading service level agreements for incident response, change management, system monitoring, solution availability and content updates
• SSAE-16 certified Security Operations infrastructure is maintained to meet strict industry standards
• Support for leading SIEM vendors including IBM’s own QRadar
• Prices do not vary simply because you upgrade your technology or increase bandwidth.

(33)

IBM Emergency Response Service (ERS)

Prepare for and withstand sophisticated attacks

• 24x7x365 emergency response provides access to key resources that can enable faster recovery and reduce business impact from incidents
• Each incident investigation is handled with proven methodology and advanced tools to provide forensic level details and to prevent reoccurrence
• Periodic review and incident case management enable a broader view and deeper understanding of incidents using intelligence data and analytics
• Preemptive incident preparation services reduce risk and exposure to cyber threats ahead of an attack

Incident lifecycle (figure, “BE READY”): Proactive Preparation; Incident Planning; Incident Triage; Containment, Eradication, and Recovery; Post-Incident Analysis; Periodic Reviews

An ERS subscription includes
• Initial planning workshop
• 120 hours per year for incident response or proactive services
• Quarterly updates and remote support
• Access to X-Force Threat Analysis Service
• Worldwide, around-the-clock coverage
• Cross-platform support from mainframe to mobile

(34)

IBM Security Systems

IBM Security: Helping clients optimize IT security

Integrated Portfolio

Managed and Professional Services

Extensive Partner Ecosystem

(35)

response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed,

misappropriated or misused or can result in damage to or misuse of your systems, including for use in attacks on others. No IT system or product should be considered completely secure and no single product, service or security measure can be completely effective in preventing improper use or access. IBM systems, products and services are designed to be part of a lawful, comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective. IBM DOES NOT WARRANT THAT ANY SYSTEMS, PRODUCTS OR SERVICES ARE IMMUNE FROM, OR WILL MAKE YOUR ENTERPRISE IMMUNE FROM, THE MALICIOUS OR ILLEGAL CONDUCT OF ANY PARTY


www.ibm.com/security

© Copyright IBM Corporation 2014. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind, express or implied. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, these materials. Nothing contained in these materials is intended to, nor shall have the effect of, creating any

warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software. References in these materials to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates. Product release dates and/or capabilities referenced in these materials may change at any time at IBM’s sole discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any way. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service marks of others.

(36)

Appendices

(37)

People & Identity Security Controls

Domain: People

Basic
• Directory management: Deployment of a single or multiple enterprise user database, traditionally in the form of an LDAP or X.500 directory, used by more than one application, system and/or component as its only repository for user information.

Proficient
• Strong authentication: Controls that allow the ability to extend authentication mechanisms built into applications to provide additional levels of assurance around user credentials through support for additional authentication mechanisms / channels.
• Access management: The ability to manage access decisions through a centralized infrastructure across all applications including single sign on, self service, centralized access policy management and policy distribution etc. The ability to consume / provide IT services from 3rd Parties such as business partners, SaaS providers etc. based on an established trust model between the 2 parties and without mandating the necessity to share multiple copies of the entire user repository across both organizations.
• User provisioning: Managing the entire user lifecycle within the organization from a centralized infrastructure that includes the ability to manage workflows, compliance and audit requirements, self service capabilities, etc.

Optimized
• Privileged user management: Controls established in place to manage the access and use of shared accounts within a system, including system accounts and accounts with elevated privileges, while retaining the ability to track usage and attribute tasks performed directly to an individual person.
• Fine grained entitlements: Controls that allow for discrete entitlement and security policy enforcement using a centralized infrastructure based on standards such as XACML.
• Identity governance: Establish mechanisms to manage enterprise wide role definitions and consume them within the user lifecycle management processes as well as within centralized access management infrastructures, hence providing a complete governance level view of how the organization is mapped across multiple IT systems in terms of user access and privileges.

(38)

IBM Security Systems

Data Security Controls

Domain: Data

Basic
• Database access control: The ability to restrict access to information within structured data repositories using security controls available within those data repositories.
• Encryption: Control to ensure confidential data is not readable or legible without going through a special process that is only feasible for trusted parties, irrespective of the location of the data and whether it is at rest or in motion.

Proficient
• Data loss prevention: Putting enforcement controls in place to monitor consumption of data and prevent leakage of confidential data from within the organization across all endpoints and network interfaces.
• Database activity monitoring: Control to monitor activities across data repositories and provide the ability to measure compliance to security standards and policies. The ability to enforce data security controls and data access controls across all data repositories enterprise wide using a centralized data access enforcement infrastructure.
• Data masking / redaction: Mask or remove sensitive data from documents, forms, and files in real time and in non-production environments.

Optimized
• Encryption key management: Simplify, centralize, and automate encryption key management to help minimize the risk of loss or breach of sensitive information.
• Data governance: The required capabilities to manage the entire lifecycle of a piece of data from creation, consumption and retention up to destruction, and to enforce consistent security controls and measures across the entire lifecycle.

(39)

Application Security Controls

Domain

Maturity

Level Control Control Definition

Applications

Basic Application scanning

The ability to perform a black box or glass box test (dynamic scanning) across the user interface of an application to identify security issues and loopholes within the

applications. It is also commonly referred to as DAST.

Proficient

Source code scanning
A mechanism to perform detailed analysis of source code to identify potential security implementation issues in the code at any phase of the SDLC. Also referred to as white box testing or SAST.

Web application protection
The ability to automatically perform a dynamic scan of a Web application in its production environment to detect and alert on vulnerabilities such as SQL injection or cross-site scripting (XSS).

Optimized

Hybrid scanning and correlation
The ability to have black-box (dynamic) and static analysis work together, with the static analysis using information that can only be collected dynamically during URL page crawling.

Fraud detection
The ability to implement security mechanisms and controls within applications and systems to monitor for malicious or invalid transactions aimed at defrauding an organization of its resources, and ultimately to prevent such transactions from occurring.
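The source code scanning (SAST) control above is easiest to understand as a concrete analysis. The following is an added example for this briefing, not IBM AppScan code: a toy static analyser that walks a Python abstract syntax tree looking for SQL strings assembled at run time and passed to a database cursor's execute(). The two snippets it is run over are constructed inputs, one injectable and one parameterised, and the function names and the list of sink methods are this example's own assumptions. A DAST scanner, by contrast, would find the same flaw from outside by sending injection payloads to the form, with no access to the code.

```python
"""Added example (not IBM's code): a toy static analyser (SAST) that walks a
Python AST looking for SQL strings assembled at run time and passed to a
database cursor's execute().  VULNERABLE and HARDENED below are constructed
inputs: the first concatenates user input into the query, the second binds it
as a parameter.  Names and the SQL_SINKS set are this example's own."""

import ast
from typing import List, Optional, Tuple

# Methods treated as SQL sinks (an assumption; real tools carry long lists).
SQL_SINKS = {"execute", "executemany"}


def dynamic_string_reason(node: ast.AST) -> Optional[str]:
    """Return how the node builds a string at run time, or None if it does not."""
    if isinstance(node, ast.JoinedStr):
        return "f-string"
    if isinstance(node, ast.BinOp) and isinstance(node.op, (ast.Add, ast.Mod)):
        return "concatenation or %-formatting"
    if (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
            and node.func.attr == "format"):
        return "str.format()"
    return None


def scan_source(src: str) -> List[Tuple[int, str]]:
    """Report (line, finding) for every sink call whose first argument, the
    query text, is built dynamically instead of being a constant with bound
    parameters."""
    findings = []
    for node in ast.walk(ast.parse(src)):
        if not (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)):
            continue
        if node.func.attr not in SQL_SINKS or not node.args:
            continue
        reason = dynamic_string_reason(node.args[0])
        if reason:
            findings.append(
                (node.lineno, f"SQL built via {reason} passed to {node.func.attr}()"))
    return findings


# Constructed input: the 'name' parameter is spliced into the query text.
VULNERABLE = '''
def find_user(cur, name):
    cur.execute("SELECT * FROM users WHERE name = '" + name + "'")
    return cur.fetchone()
'''

# Constructed input: same query with the value bound as a parameter.
HARDENED = '''
def find_user(cur, name):
    cur.execute("SELECT * FROM users WHERE name = ?", (name,))
    return cur.fetchone()
'''
```

scan_source(VULNERABLE) reports line 3; scan_source(HARDENED) reports nothing. The analyser is syntactic: it does not track whether the concatenated value actually came from user input, which is exactly the precision gap that data-flow analysis in a real SAST tool, or the dynamic evidence used by hybrid scanning and correlation, is meant to close.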

(40)


Infrastructure Security Controls

Domain: Infrastructure

Basic

Anti-virus
The ability to detect and remove known infections on an endpoint that could lead to compromise of the endpoint or of the entire IT network.

Host security
Host-based security measures such as anti-virus software, host-based firewalls, and automatic patch download and/or installation.

Perimeter security
The ability to inspect and analyze inbound and outbound packets for malicious content or behavior and to block them.

Endpoint / network security management
The mechanism to monitor and continuously enforce security-related configuration, state, and compliance directives on endpoints and network devices.

Proficient

Asset management
The ability to use a repository of information about all network-layer equipment and devices in the IT organization (e.g., routers, switches, firewalls, VPNs, load balancers) to manage those resources. The repository provides a complete, current inventory and state picture of the equipment, which can include the installed OS, patch levels, etc.

Virtualization security
Security controls that manage a virtualized environment so that all virtualized systems meet the organization's minimum compliance and security standards, that manage the lifecycle of virtual machine instances, and that ensure the security and integrity of the hypervisor layer.

Optimized

Anomaly detection
A mechanism to learn a baseline of normal network behavior (bandwidth utilization, packet type distribution, source / destination distribution, etc.) and to detect deviations from that baseline, revealing otherwise unidentified security compromises within the network infrastructure.

Multi-faceted network protection
The ability to integrate and extend traditional network IPS with security threat management capabilities such as layer 7 (application-level) traffic management and integration with enterprise user directories, providing threat mitigation from the network layer all the way up to the application layer.
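The anomaly detection control is a baseline-and-deviation mechanism, and the same idea underlies the flow analytics control in the next section. The following is an added example for this briefing, not IBM QRadar code: per source host it learns the mean and standard deviation of bytes sent per interval and the set of destinations seen, then flags intervals whose volume deviates strongly (z-score above a threshold) or that contact a destination never seen in the baseline. The flow records, addresses, threshold and function names are constructed assumptions of the example.

```python
"""Added example (not IBM's code): baseline-and-deviation anomaly detection on
network flow summaries.  Per source host it learns the mean and standard
deviation of bytes sent per interval and the set of destinations seen, then
flags intervals whose volume deviates strongly (z-score above a threshold) or
that contact a destination never seen in the baseline.  Flow records and
addresses below are constructed for the example."""

from collections import defaultdict
from statistics import mean, pstdev

# Flow summaries: (interval, src, dst, bytes_out).  14 baseline intervals per host,
# with small periodic variation so the learned standard deviation is non-zero.
BASELINE = (
    [(i, "10.0.0.5", "10.0.0.20", 5_000 + (i % 3) * 200) for i in range(14)]
    + [(i, "10.0.0.6", "10.0.0.20", 8_000 + (i % 4) * 100) for i in range(14)]
)
NEW = [
    (14, "10.0.0.5", "10.0.0.20", 5_100),     # normal volume, known destination
    (15, "10.0.0.5", "203.0.113.9", 5_200),   # normal volume, never-seen destination
    (16, "10.0.0.6", "10.0.0.20", 900_000),   # volume spike, exfiltration-like
]


def build_baseline(flows):
    """Per source: (mean, stdev) of bytes per interval plus known destinations."""
    by_src_interval = defaultdict(lambda: defaultdict(int))
    known_dsts = defaultdict(set)
    for interval, src, dst, nbytes in flows:
        by_src_interval[src][interval] += nbytes
        known_dsts[src].add(dst)
    model = {}
    for src, per_interval in by_src_interval.items():
        series = list(per_interval.values())
        model[src] = (mean(series), pstdev(series), known_dsts[src])
    return model


def detect(model, flows, z_threshold=3.0):
    """Return (interval, src, reason) for every anomalous (src, interval) pair."""
    agg = defaultdict(lambda: [0, set()])  # (src, interval) -> [bytes, dsts]
    for interval, src, dst, nbytes in flows:
        agg[(src, interval)][0] += nbytes
        agg[(src, interval)][1].add(dst)
    findings = []
    for (src, interval), (total, dsts) in sorted(agg.items()):
        if src not in model:
            findings.append((interval, src, "source host absent from baseline"))
            continue
        mu, sigma, known = model[src]
        if sigma > 0:
            z = (total - mu) / sigma
        else:  # constant baseline: any change at all counts as a deviation
            z = float("inf") if total != mu else 0.0
        if z > z_threshold:
            findings.append((interval, src, f"bytes z-score {z:.1f} exceeds {z_threshold}"))
        for dst in sorted(dsts - known):
            findings.append((interval, src, f"new destination {dst}"))
    return findings
```

detect(build_baseline(BASELINE), NEW) returns two findings: the new destination for 10.0.0.5 at interval 15 and the volume spike for 10.0.0.6 at interval 16; the normal interval 14 is silent. Two caveats carry over to real deployments: a baseline learned while an intrusion is already under way normalizes the attacker's traffic, and a zero-variance baseline (a host that sends exactly the same amount every interval) makes the z-score undefined, which the code handles by treating any change as a deviation.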

(41)

Security Intelligence & Analytics Security Controls

Domain: Security Intelligence & Analytics

Basic

Log management
A mechanism to collect log information from all the different sources across the IT enterprise and store it centrally in a tamper-proof manner, so that it can be used to detect security threats as they occur (through an additional correlation engine) or for investigation as part of an incident management process.

Proficient

Security information and event management
A tool that parses all relevant security-related information and events in real time from sources such as log files, network packet captures, and vulnerability management systems, and correlates across these sources to identify security threats as they occur within the organization and to support their investigation.

Optimized

Flow analytics / predictive analytics
The collection and detailed classification of network behavior, and the ability to correlate network activity against log events and other security activity across the entire network. Predicts the risk impact of network changes, including new application and infrastructure deployments, through enhanced security modeling and simulation.
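The log management and SIEM controls above build on each other: the first stores events centrally in a way that detects tampering, the second runs correlation rules over that stream. The following is an added example for this briefing, not IBM QRadar code, that shows both on a handful of constructed SSH authentication lines. Entries are hash-chained (each SHA-256 digest covers the previous digest and the raw line), so any edit or deletion inside the chain breaks verification; the correlation rule alerts when one source IP fails authentication repeatedly and then succeeds for the same user within a time window. The log format, hostnames, addresses, thresholds and class and function names are this example's own assumptions.

```python
"""Added example (not IBM's code): centralised, tamper-evident log storage plus
a simple real-time correlation rule of the kind a SIEM runs on top of it.
Entries are hash-chained so that any edit or deletion inside the chain is
detectable.  The rule raises an alert when one source IP fails authentication
repeatedly and then succeeds for the same user within a window.  The log lines
in LOGS are constructed for the example."""

import hashlib
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed line layout: "<iso-timestamp> <host> sshd: <Accepted|Failed> password for <user> from <src>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd: (?P<result>Accepted|Failed) password for "
    r"(?P<user>\S+) from (?P<src>\S+)")


class LogStore:
    """Append-only store whose entries are chained with SHA-256."""
    GENESIS = "0" * 64

    def __init__(self):
        self.entries = []  # list of (line, digest)

    def append(self, line: str) -> str:
        prev = self.entries[-1][1] if self.entries else self.GENESIS
        digest = hashlib.sha256((prev + "\n" + line).encode()).hexdigest()
        self.entries.append((line, digest))
        return digest

    def verify(self) -> bool:
        """Recompute the chain; False if any stored line or digest was altered."""
        prev = self.GENESIS
        for line, digest in self.entries:
            if hashlib.sha256((prev + "\n" + line).encode()).hexdigest() != digest:
                return False
            prev = digest
        return True


def correlate(lines, max_failures=3, window=timedelta(minutes=5)):
    """Alert on (src, user) when at least max_failures failures precede a
    success within the window: the classic brute-force-then-login pattern."""
    recent = defaultdict(deque)  # (src, user) -> timestamps of recent failures
    alerts = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # other sources would be normalised by their own parsers
        ts = datetime.fromisoformat(m["ts"])
        q = recent[(m["src"], m["user"])]
        while q and ts - q[0] > window:
            q.popleft()  # expire failures that fell outside the window
        if m["result"] == "Failed":
            q.append(ts)
        elif len(q) >= max_failures:
            alerts.append((m["host"], m["src"], m["user"], f"{len(q)} failures then success"))
            q.clear()
    return alerts


# Constructed log lines: a short brute-force run that succeeds, then a benign
# single typo followed by a successful login.
LOGS = [
    "2015-02-11T09:00:01 web1 sshd: Failed password for admin from 198.51.100.7",
    "2015-02-11T09:00:05 web1 sshd: Failed password for admin from 198.51.100.7",
    "2015-02-11T09:00:09 web1 sshd: Failed password for admin from 198.51.100.7",
    "2015-02-11T09:00:14 web1 sshd: Accepted password for admin from 198.51.100.7",
    "2015-02-11T09:01:00 db1 sshd: Failed password for ops from 10.0.0.9",
    "2015-02-11T09:01:30 db1 sshd: Accepted password for ops from 10.0.0.9",
]


def demo():
    """Ingest LOGS into the chained store, verify it, and run the rule."""
    store = LogStore()
    for line in LOGS:
        store.append(line)
    return store.verify(), correlate(line for line, _ in store.entries)
```

demo() returns (True, [("web1", "198.51.100.7", "admin", "3 failures then success")]); the single failed attempt by ops does not reach the threshold. The hash chain only makes tampering detectable, not impossible: an attacker who can rewrite every later entry can recompute the chain, which is why production log stores anchor the latest digest somewhere the log writer cannot modify (a WORM volume or a separately signed checkpoint).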
