Leverage security intelligence for retail organizations

Embrace mobile consumers, protect payment and personal data, deliver a secure shopping experience

Highlights

● Reach the connected consumer without risking your business
● Incorporate network flow analysis to gain essential insight beyond traditional security information and event management (SIEM)
● Consolidate data silos to improve visibility and speed forensic investigations
● Better detect fraud and minimize sensitive data loss to help protect customer loyalty and business reputation
● Reduce operational costs and resource overhead by automating risk-management functions such as network and security configuration, vulnerability assessment, and policy and compliance management

Users are adopting iOS and Android devices faster than any past consumer technology. Smart device adoption, in fact, is occurring 10 times faster than that of the PC revolution in the 1980s, twice as fast as that of the Internet boom in the 1990s, and three times faster than that of recent social network adoption.1 Empowered with these smart devices, a new breed of informed and always-connected shopper has emerged, one that demands real choice when it comes to selecting and purchasing goods. These consumers use all channels—from brick-and-mortar stores to catalogs, web and mobile—simultaneously, forcing retailers to adopt multi-channel marketing capabilities to provide a seamless and satisfying consumer experience.


Facing more frequent internal and external attacks

Merchants today face organized threats that did not exist 10 years ago. Wireless networks, tablet technology and social media are revolutionizing the in-store shopping experience, forcing retailers to create mobile versions of their websites and adopt or develop new applications to support outreach efforts such as customer loyalty programs. And because consumers are spending hours every day on social media sites such as Twitter, Facebook and YouTube—as well as using tools such as Instagram, Pinterest and Vine—savvy businesses are stepping up and using these marketing channels to reach them. But the rapid adoption of new technology can significantly increase vulnerabilities to emerging threats.

Vulnerability management is essential for today’s merchants, as infrastructures expand and their footprints increase to support new business initiatives. The Payment Card Industry (PCI) Data Security Standard (DSS) mandates that merchants who store, process or transmit credit card information perform quarterly vulnerability scans to assess the risk within cardholder environments to help ensure the effectiveness of their security defenses.

Vulnerability scans are the front line of defense against the exploitation of software and configuration defects by highly skilled attackers familiar with well-known exposures. These scans enable focused remediation to help prevent data breaches of sensitive customer information or damage to the business and brand. They can detect both known and unknown application vulnerabilities on corporate endpoints, and can support compliance with PCI DSS regulations by blocking malicious software downloads that steal user access credentials.

Adhering to PCI DSS regulations is one way organizations can firm up their security posture, but when considering the end goal of security intelligence, retailers must also continuously monitor their cardholder environments to help ensure the effectiveness of their defenses. They can do this through actions that include network flow analysis, data loss prevention, fraud detection, vulnerability analysis, network monitoring and device configuration. Using the right integrated tools can help security teams move beyond traditional log management to proactively identify and remediate—or even mitigate—attacks and vulnerabilities based on their threat level.

Exceeding PCI compliance mandates

While the evolution of PCI DSS has resulted in more stringent requirements for network monitoring, device configuration and vulnerability analysis, these standards alone are not enough to protect against tomorrow’s vulnerabilities and evolving threats. The variability of payment card and point-of-sale (POS) devices, as well as overall changes to the retail infrastructure present an unending challenge to security teams. To help prioritize and detect areas of risk, retail organizations need a consolidated view of event information and an active view of the network topology and device configuration—so they can better assess the implications of adapting their infrastructure to new business initiatives that require fundamental changes to the IT environment.


commerce-related information outside the organization. To effectively meet—and even exceed—compliance mandates, retail organizations must be able to leverage all available data in every possible context to accurately detect well-hidden threats. Trusteer Apex goes further to help prevent the exploitation of unpatched and zero-day vulnerabilities. Unlike other solutions, it does not use traditional malware detection methods such as signatures and behavioral profiling, which can be bypassed using advanced evasion techniques. While basic anti-virus platforms may meet minimum PCI DSS requirements, these solutions are largely ineffective against today’s highly advanced, highly evasive, information-stealing malware threats. Trusteer Apex blocks application vulnerability exploitation—the primary way in which cyber criminals install malware on endpoint devices—even while organizations test the impact of vulnerability patches across their software suites.

Delivering critical context and insight with network flow analysis

Many retail organizations are coming to the realization that network flow collection and analysis can greatly improve their overall security posture. In fact, without network flow analytics, classic log management and SIEM solutions cannot achieve the insight required to protect cardholder data. While the Layer 4 NetFlow format can provide basic static and pre-summarized data, it does not provide deep visibility into application activity. A more advanced Layer 7 flow-analysis solution, called IBM Security QRadar QFlow Collector, is needed to perform deep analysis of network packet content. For example, it can discover the unauthorized movement of sensitive intellectual property or cardholder data outside the organization. Visibility into network flow can help retailers meet PCI requirements in a variety of ways. For starters, network flow provides 24x7 monitoring of everything that happens within the payment card data environment. This provides security teams with complete records of current and historical traffic for both physical and virtual environments.

QRadar Security Intelligence Platform surveys the entire network—using native flow sources in an organization’s routing/switching infrastructure or from distributed collectors—to gather a detailed history of all network flow activity. Network flows can be further analyzed to build baseline behavioral models based on observed network activity, and then generate alerts and offenses when anomalous behavior is detected.
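The baseline-then-alert idea described above, reduced to its simplest form as an added illustration (this is not QRadar code and does not reflect how the product models behavior): per-host outbound volume is learned from historical flow records, and a new observation window raises an offense when a host either exceeds its own statistical baseline or talks to an external destination it has never used before. The flow field names, the internal address range and all sample records are constructed for the example.

```python
"""Baseline-and-deviate detection over network flow records (added example)."""
from collections import defaultdict
from ipaddress import ip_address, ip_network
from statistics import mean, pstdev

# Assumption for the example: the retailer's internal space is 10.0.0.0/8.
INTERNAL = ip_network("10.0.0.0/8")

# Constructed history: seven days of daily outbound totals for two hosts.
HISTORY = []
for day in range(1, 8):
    # POS terminal: steady ~50 KB/day to the payment gateway.
    HISTORY.append({"day": day, "src": "10.0.1.11", "dst": "203.0.113.10",
                    "bytes": 50_000 + 1_000 * (day % 3)})
    # Back-office workstation: steady ~2 MB/day to a hosted CRM.
    HISTORY.append({"day": day, "src": "10.0.2.25", "dst": "198.51.100.20",
                    "bytes": 2_000_000 + 100_000 * (day % 2)})

# Constructed "today": the POS terminal suddenly pushes 30 MB to a new host.
TODAY = [
    {"day": 8, "src": "10.0.1.11", "dst": "203.0.113.10", "bytes": 51_000},
    {"day": 8, "src": "10.0.1.11", "dst": "192.0.2.77", "bytes": 30_000_000},
    {"day": 8, "src": "10.0.2.25", "dst": "198.51.100.20", "bytes": 2_100_000},
]


def is_internal(ip: str) -> bool:
    return ip_address(ip) in INTERNAL


def build_baseline(history):
    """Per source host: mean/stdev of daily outbound bytes and the set of
    external destinations seen. Internal-to-internal flows are ignored."""
    per_day = defaultdict(lambda: defaultdict(int))   # src -> day -> bytes
    known_dst = defaultdict(set)                       # src -> {external dst}
    for f in history:
        if is_internal(f["dst"]):
            continue
        per_day[f["src"]][f["day"]] += f["bytes"]
        known_dst[f["src"]].add(f["dst"])
    baseline = {}
    for src, days in per_day.items():
        vals = list(days.values())
        baseline[src] = {"mean": mean(vals), "stdev": pstdev(vals),
                         "dsts": known_dst[src]}
    return baseline


def detect(baseline, window, k=3.0, floor_bytes=1_000_000):
    """Return (src, reason, detail) offenses for one observation window.
    The absolute floor stops near-constant hosts from alerting on tiny noise."""
    offenses = []
    totals = defaultdict(int)
    for f in window:
        if is_internal(f["dst"]):
            continue
        totals[f["src"]] += f["bytes"]
        b = baseline.get(f["src"])
        if b is None or f["dst"] not in b["dsts"]:
            offenses.append((f["src"], "new_external_destination", f["dst"]))
    for src, total in totals.items():
        b = baseline.get(src)
        threshold = floor_bytes if b is None else max(
            b["mean"] + k * b["stdev"], floor_bytes)
        if total > threshold:
            offenses.append((src, "outbound_volume_above_baseline", total))
    return offenses


if __name__ == "__main__":
    for off in detect(build_baseline(HISTORY), TODAY):
        print(off)
```

Two thresholds are combined on purpose: a purely statistical one (mean plus k standard deviations) and an absolute floor, because a host whose history is nearly constant has a stdev close to zero and would otherwise alert on a few kilobytes of jitter. The new-destination check is what catches the transfer to an address the host has no history with, regardless of size.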

Consolidating data silos to speed and enhance forensic investigations

Retailers have an overwhelming number of systems—especially POS devices—that produce various types of data to aggregate, normalize, analyze and correlate. There are encryption products to secure credit card data transmission; firewalls to protect critical systems and devices; and vulnerability management tools to provide much-needed visibility into existing risks, such as improper device configurations. But most older-generation SIEM solutions require manual customization during implementation to ensure that they correctly process this data. QRadar automates the discovery of event sources and assets for many products—and with less to manually configure, organizations can see more immediate results.


Detecting fraud and minimizing data loss to help protect business continuity

Very often, retail organizations have extremely proprietary intellectual property (recipes, designs, schematics, etc.) that must be protected from both insider and external threats. To better detect insider threats, QRadar Security Intelligence Platform can pull data from across an organization, including remote locations, providing a more complete view of its security health. Its integration with identity and access management solutions helps deliver a comprehensive picture of who is accessing what networked assets as well as the user’s typical behavior. QRadar then connects this data with an asset’s vulnerability state, providing information typically not available through the identity and access management solution alone.

QRadar across the retail organization

● CISO—QRadar helps chief information security officers (CISOs) roll out emerging technologies, such as mobility solutions, with assurance and confidence that their infrastructure is protected by security intelligence.
● IT security team—Using SIEM data enhanced with network flow data, security teams can move beyond PCI compliance to vulnerability management best practices that proactively monitor for attacks against credit card environments and sensitive customer data, and that scan for network, payment application and POS vulnerabilities.
● Operations—As new network devices such as mobile POS or wireless access points are deployed, operations can trust that QRadar is collecting, analyzing and correlating this device data, as well as protecting the infrastructure from rogue devices attaching to the wireless network.
● Compliance auditor—QRadar helps minimize resource overhead as it meets current PCI DSS requirements with a comprehensive set of security capabilities and out-of-the-box reporting.

For example, one popular retail design firm used QRadar to catch an employee transferring intellectual property outside the company for the purpose of starting a competitive business. QRadar helps detect these unauthorized accesses to systems and data and helps prevent sensitive information from being stolen or otherwise compromised.

Predicting risk against your business

QRadar Security Intelligence Platform automates risk-management functions such as network and security configuration, vulnerability assessment, and policy and compliance management. It helps users better understand network topology by monitoring and displaying all network events and devices. This level of knowledge enables retail organizations to better understand which systems are most vulnerable to attack, and by using modeling and simulation, retailers can quickly understand the impact of any proposed changes before they are implemented. For example, IBM Security QRadar Risk Manager provides advanced monitoring of firewalls and routers to help ensure that configurations meet a specific baseline; it then automatically detects when the configuration is outside this baseline.
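What "detecting when the configuration is outside this baseline" amounts to, shown as an added example rather than anything from QRadar Risk Manager: a firewall ruleset is normalized, compared against an approved baseline, and each added or removed rule is scored by whether it opens or unprotects the cardholder data environment. The rule representation, the 10.0.1.0/24 cardholder segment and both rulesets are constructed for the example; a real device's configuration would first have to be parsed into this shape.

```python
"""Configuration baseline drift check for a firewall ruleset (added example)."""
from ipaddress import ip_network

# Assumption for the example: the cardholder data environment is 10.0.1.0/24.
CARDHOLDER_NETS = [ip_network("10.0.1.0/24")]

# Constructed approved baseline: back office may reach the CDE on 443, the CDE
# may reach the payment gateway on 443, everything else into the CDE is denied.
BASELINE = [
    {"action": "permit", "proto": "tcp", "src": "10.0.2.0/24", "dst": "10.0.1.0/24", "dport": 443},
    {"action": "permit", "proto": "tcp", "src": "10.0.1.0/24", "dst": "203.0.113.10/32", "dport": 443},
    {"action": "deny", "proto": "ip", "src": "any", "dst": "10.0.1.0/24", "dport": None},
]

# Constructed running config: someone opened SSH into the CDE from anywhere
# and the protective deny rule is gone.
CURRENT = [
    BASELINE[0],
    BASELINE[1],
    {"action": "permit", "proto": "tcp", "src": "any", "dst": "10.0.1.0/24", "dport": 22},
]


def normalize(rule):
    """Canonical, hashable form so rules compare by content, not by position."""
    return (rule["action"], rule["proto"], rule["src"], rule["dst"], rule["dport"])


def diff_rules(baseline, current):
    """Rules present in current but not baseline, and vice versa (order kept)."""
    b = {normalize(r) for r in baseline}
    c = {normalize(r) for r in current}
    added = [normalize(r) for r in current if normalize(r) not in b]
    removed = [normalize(r) for r in baseline if normalize(r) not in c]
    return added, removed


def touches_protected(dst, protected):
    """True if a destination field can reach any protected network."""
    if dst == "any":
        return True
    net = ip_network(dst)
    return any(net.overlaps(p) for p in protected)


def assess_drift(baseline, current, protected=CARDHOLDER_NETS):
    """Return (severity, reason, rule) findings; empty list means in baseline."""
    added, removed = diff_rules(baseline, current)
    findings = []
    for rule in added:
        action, _proto, src, dst, _dport = rule
        if action == "permit" and touches_protected(dst, protected):
            severity = "high" if src == "any" else "medium"
            findings.append((severity, "added permit into protected segment", rule))
        else:
            findings.append(("low", "added rule", rule))
    for rule in removed:
        action, _proto, _src, dst, _dport = rule
        if action == "deny" and touches_protected(dst, protected):
            findings.append(("high", "removed deny protecting segment", rule))
        else:
            findings.append(("low", "removed rule", rule))
    return findings


if __name__ == "__main__":
    for finding in assess_drift(BASELINE, CURRENT):
        print(finding)
```

Because the comparison is on normalized rule content, reordering rules that do not change the policy produces no finding, while a single added permit from "any" into the cardholder segment, or a removed deny that protected it, is reported at high severity. The same check can be run on every collected configuration so that drift is caught when it happens rather than at the next quarterly review.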

“A popular retailer used QRadar to catch a suspect employee transferring intellectual property outside the company via an email account for the purpose of starting a

Designed specifically for compliance-driven retailers, IBM Security QRadar Vulnerability Manager includes an embedded, PCI-approved scanning engine that can be set up to run both dynamic and periodic scans, providing near real-time visibility of weaknesses that might otherwise remain hidden. The software can incorporate vulnerability data from a wide variety of IBM or third-party sources, including web application scanners, database vulnerability assessments, endpoint management systems and even external threat intelligence feeds. Input may come from both on-premises and hosted sources, enabling QRadar users to see exactly what the adversary views from the outside, as well as the view from within.

Retailers can further strengthen risk management activities by leveraging the platform’s integration with other IBM security products including:

● IBM Security SiteProtector™ System—Provides virtual patching capabilities, using network intrusion prevention system signatures to block associated connections and helping to protect against the exploit of identified vulnerabilities
● IBM X-Force® threat intelligence feed—Supplies up-to-date information on recommended fixes and security advice for active vulnerabilities, viruses, worms and threats
● IBM Endpoint Manager—Streamlines remediation tasks by automatically managing patches to hundreds of thousands of endpoints, including the latest mobile devices; provides integrated reporting for real-time monitoring of patch progress
● IBM Security AppScan®—Supports web application vulnerability assessments, enabling QRadar Vulnerability Manager to provide visibility and prioritization of web application vulnerabilities within its integrated dashboard
● IBM InfoSphere® Guardium® Database Vulnerability Assessment—Supports scanning of the database infrastructure, enabling QRadar Vulnerability Manager to provide visibility and prioritization of database vulnerabilities within its integrated dashboard

Why IBM?


Additionally, IBM Global Financing can help you acquire the software capabilities that your business needs in the most cost-effective and strategic way possible. We’ll partner with credit-qualified clients to customize a financing solution to suit your business and development goals, enable effective cash management, and improve your total cost of ownership. Fund your critical IT investment and propel your business forward with IBM Global Financing. For more information, visit: ibm.com/financing

© Copyright IBM Corporation 2013

IBM Corporation, Software Group, Route 100, Somers, NY 10589

Produced in the United States of America, October 2013

IBM, the IBM logo, ibm.com, QRadar, and X-Force are trademarks of International Business Machines Corp., registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the web at “Copyright and trademark information” at ibm.com/legal/copytrade.shtml

This document is current as of the initial date of publication and may be changed by IBM at any time. Not all offerings are available in every country in which IBM operates.

The client examples cited are presented for illustrative purposes only. Actual performance results may vary depending on specific configurations and operating conditions.

THE INFORMATION IN THIS DOCUMENT IS PROVIDED “AS IS” WITHOUT ANY WARRANTY, EXPRESS OR IMPLIED, INCLUDING WITHOUT ANY WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND ANY WARRANTY OR CONDITION OF NON-INFRINGEMENT. IBM products are warranted according to the terms and conditions of the agreements under which they are provided. The client is responsible for ensuring compliance with laws and regulations applicable to it. IBM does not provide legal advice or represent or warrant that its services or products will ensure that the client is in compliance with any law or regulation.
