(1)

IBM Security Framework

Intelligence, Integration and Expertise

Sadu Bajekal,

Senior Technical Staff Member

Principal Security Architect

IBM Security Systems

(2)

Agenda

• Introduction: The evolving threat landscape

• A new approach to security is needed

(3)

Motivations and sophistication are rapidly evolving

(Chart: motivation on the vertical axis, attacker sophistication on the horizontal axis. The rows below run from least to most sophisticated.)

Motivation: Nuisance, curiosity
  Actors: Insiders, spammers, script-kiddies
  Examples: Nigerian 419 scams, Code Red

Motivation: Monetary gain
  Actors: Organized crime
  Examples: Zeus, ZeroAccess, Blackhole Exploit Pack

Motivation: Notoriety, activism, defamation
  Actors: Hacktivists
  Examples: LulzSec, Anonymous

Motivation: National security, economic espionage
  Actors: Nation-state actors, APTs
  Examples: Stuxnet, Aurora, APT-1

(4)

Evolving threats and increasing payoffs

(5)
(6)

IT Security is a board room discussion

Increasingly, companies are appointing CROs and CISOs with a direct line to the Audit Committee.

• Loss of market share and reputation
• Legal exposure
• Audit failure
• Fines and criminal charges
• Financial loss
• Loss of data confidentiality, integrity and/or availability
• Violation of employee privacy
• Loss of customer trust
• Loss of brand reputation

(7)
(8)

Security challenges are a complex, four-dimensional puzzle…

…that requires a new approach

Applications: Systems applications, Web applications, Web 2.0, Mobile applications

Infrastructure: Datacenters, PCs, Laptops, Mobile, Cloud, Non-traditional

Data: Structured, Unstructured, At rest, In motion

People: Attackers, Suppliers, Consultants, Partners, Employees, Outsourcers, Customers

(9)

Thinking differently about security

Then → Now

People: Administration → Insight

Data: Control → Collect and analyze everything

Applications: Bolt-on → Built-in

Infrastructure: Thicker walls → Smarter defenses

Basic → Laser-focused

(10)

Customers have a growing need to identify and protect against threats by building insights from broader data sets

Traditional security operations and technology sources:

• Logs
• Events
• Alerts
• Configuration information
• System audit trails
• External threat intelligence feeds
• Network flows and anomalies
• Identity context

Big data analytics sources:

• Web page text
• Full packet and DNS captures
• E-mail and social activity
• Business process data
• Customer transactions

New considerations

Collection, storage and processing:
• Collection and integration
• Size and speed
• Enrichment and correlation

Analytics and workflow:
• Visualization
• Unstructured analysis
• Learning and prediction
• Customization

(11)

Reaching security maturity

Security Intelligence
  Optimized: Predictive Analytics, Big Data Workbench, Flow Analytics
  Proficient: SIEM and Vulnerability Management
  Basic: Log Management

Advanced Fraud Protection

People
  Optimized: Identity governance; Fine-grained entitlements; Privileged user management
  Proficient: User provisioning; Access management; Strong authentication
  Basic: Directory management

Data
  Optimized: Data governance; Encryption key management
  Proficient: Data masking / redaction; Database activity monitoring; Data loss prevention
  Basic: Encryption; Database access control

Applications
  Optimized: Fraud detection; Hybrid scanning and correlation
  Proficient: Web application protection; Source code scanning
  Basic: Application scanning

Infrastructure
  Optimized: Multi-faceted network protection; Anomaly detection; Hardened systems
  Proficient: Virtualization security; Asset management; Endpoint / network security management
  Basic: Perimeter security; Host security; Anti-virus

(12)

IBM Security: Delivering intelligence, integration and expertise across a comprehensive framework

Intelligence

Integration

(13)

IBM Security Investment

• 6,000+ IBM Security experts worldwide
• 3,000+ IBM security patents
• 4,000+ IBM managed security services clients worldwide
• 25 IBM Security labs worldwide

IBM Security: Market-changing milestones

Capability areas on the timeline: Mainframe and Server Security; SOA Management and Security; Network Intrusion Prevention; Database Monitoring; Access Management; Application Security; Compliance Management; Identity Management; Advanced Fraud Protection; Security Analytics; Security Intelligence

1976: Resource Access Control Facility (RACF) is created, eliminating the need for each application to embed security
1999: Dascom is acquired for access management capabilities
2002: Access360 is acquired for identity management capabilities; MetaMerge is acquired for directory integration capabilities
2005: DataPower is acquired for SOA management and security capabilities
2006: Internet Security Systems, Inc. is acquired for security research and network protection capabilities
2007: Watchfire is acquired for security and compliance capabilities; Consul is acquired for risk management capabilities; Princeton Softech is acquired for data management capabilities
2008: Encentuate is acquired for enterprise single-sign-on capabilities
2009: Ounce Labs is acquired for application security capabilities; Guardium is acquired for enterprise database monitoring and protection capabilities
2010: BigFix is acquired for endpoint security management capabilities; NISC is acquired for information and analytics management capabilities
2011: Q1 Labs is acquired for security intelligence capabilities
2012: IBM Security Systems division is created
2013: Intent to acquire Trusteer for mobile and application security, counter-fraud and malware detection

(14)

IBM Security Systems Portfolio

People
• Identity Management
• Access Management
• Privileged Identity Manager
• Federated Access and SSO

Data
• Guardium Data Security and Compliance
• Guardium DB Vulnerability Management
• Guardium / Optim Data Masking
• Key Lifecycle Manager

Applications
• AppScan Source
• AppScan Dynamic
• DataPower Web Security Gateway
• Security Policy Manager

Network Infrastructure
• Network Intrusion Prevention
• Next Generation Network Protection
• SiteProtector Threat Management
• Network Anomaly Detection

Endpoint
• Trusteer Apex
• Mobile and Endpoint Management
• Virtualization and Server Security
• Mainframe Security

IBM X-Force Research

Advanced Fraud Protection
• Trusteer Rapport
• Trusteer Pinpoint Malware Detection
• Trusteer Pinpoint ATO Detection
• Trusteer Mobile Risk Engine

Security Intelligence and Analytics
• QRadar Log Manager
• QRadar SIEM
• QRadar Risk Manager
• QRadar Vulnerability Manager

(15)

Increase security, collapse silos, and reduce complexity

• Consolidate and correlate siloed information from hundreds of sources
• Stay ahead of the changing threat landscape
• Link security and vulnerability information across domains

(16)

Intelligent Security for the Cloud

Data and Application Protection: Secure enterprise databases; build, test and maintain secure cloud applications

Threat Protection: Prevent advanced threats with layered protection and analytics

Identity Protection: Administer, secure, and extend identity and access to and from the cloud

Security Intelligence

(17)

Device Management: Security for endpoint device and data

Network, Data, and Access Security: Achieve visibility and adaptive security policies

Application Layer Security: Develop and test applications

(18)

Driving Compliance with Enhanced Visibility and Controls

• Preventing insider threat
• Accessing applications on a need-to-know basis
• Monitoring data and PII concerns
• Managing end users and privacy concerns

Security Intelligence

(19)

Security Intelligence: Integrating across IT silos

Extensive data sources + Deep intelligence = Exceptionally accurate and actionable insight

Extensive data sources:
• Data activity
• Servers and mainframes
• Users and identities
• Vulnerabilities and threats
• Configuration information
• Security devices
• Network and virtual activity
• Application activity

Deep intelligence (Security Intelligence and Analytics):

Correlation
• Logs/events
• Flows
• IP reputation
• Geographic location

Activity baselining and anomaly detection
• User activity
• Database activity
• Application activity
• Network activity

Offense identification
• Credibility
• Severity
• Relevance

Result: from suspected incidents to true offense

Key Themes

Increased Data Sources
Data from 450+ security collectors and integration with X-Force intelligence and other external feeds to use in analysis for determining relevant vulnerabilities and potential threats

Integrated Vulnerability Management
Comprehensive understanding of the configuration and exposure of systems in the environment, enabling contextual analysis to determine vulnerabilities against particular threats

Enhanced Identity Context
Integrated understanding of users, their roles, level of privilege, geographical location and their typical behaviors to enable enterprises to identify abnormal activity that might indicate insider threat
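The slide names the moving parts of a security-intelligence pipeline (correlation of logs, flows, IP reputation and geolocation; activity baselining; identity context; offense rating by credibility, severity and relevance) without showing how they fit together. The Python below is an added illustration of that pipeline, written for this page; it is not IBM or QRadar code and its scoring is not any product's formula. The reputation feed, geolocation table, asset register, events and user baseline are all constructed, and the weights in analyze() are assumptions.

```python
"""Illustrative security-intelligence pipeline (added example): correlation,
enrichment, baselining, identity context and offense scoring over constructed
data. Feeds, events, baseline and scoring weights are all assumptions."""
from collections import namedtuple
from dataclasses import dataclass, field
from datetime import datetime, timedelta
# Constructed IP-reputation feed: address -> (threat category, confidence 0-10)
IP_REPUTATION = {"203.0.113.45": ("malware host", 9), "198.51.100.7": ("anonymous proxy", 6)}
# Constructed geolocation lookup and asset register (criticality 1-10)
GEO = {"10.0.0.1": "US", "10.0.0.5": "US", "10.0.0.9": "US", "198.51.100.7": "YY", "203.0.113.45": "XX"}
ASSET_CRITICALITY = {"10.0.0.9": 10, "10.0.0.5": 3}

# One normalized record from any collector; user is "-" for identity-less flows
Event = namedtuple("Event", "time source user src_ip dst_ip action")

# Constructed input: a normal morning, then an off-hours session through a
# proxy that exports from the database server (10.0.0.9), followed by an
# outbound flow from that server to a listed malware host.
EVENTS = [
    Event("2013-09-17T08:01:00", "vpn", "alice", "10.0.0.5", "10.0.0.1", "login_ok"),
    Event("2013-09-17T08:03:00", "db", "alice", "10.0.0.5", "10.0.0.9", "select"),
    Event("2013-09-17T23:40:00", "vpn", "alice", "198.51.100.7", "10.0.0.1", "login_ok"),
    Event("2013-09-17T23:41:00", "db", "alice", "198.51.100.7", "10.0.0.9", "select"),
    Event("2013-09-17T23:41:30", "db", "alice", "198.51.100.7", "10.0.0.9", "export"),
    Event("2013-09-17T23:42:00", "firewall", "-", "10.0.0.9", "203.0.113.45", "outbound_transfer"),
]
# Constructed per-user baseline learned from history
BASELINE = {"alice": {"hours": set(range(8, 19)), "countries": {"US"}, "actions": {"login_ok", "select"}}}

@dataclass
class Offense:
    user: str
    events: list = field(default_factory=list)
    anomalies: set = field(default_factory=set)
    sources: set = field(default_factory=set)
    credibility: int = 0
    severity: int = 0
    relevance: int = 0
    magnitude: int = 0

def attribute_identity(events, window=timedelta(minutes=5)):
    """Identity context: a user-less flow inherits the user most recently seen
    active on its source host within the window (assumed heuristic)."""
    out = []
    for ev in events:
        if ev.user == "-":
            t = datetime.fromisoformat(ev.time)
            for prior in reversed(out):
                if (prior.user != "-" and prior.dst_ip == ev.src_ip
                        and t - datetime.fromisoformat(prior.time) <= window):
                    ev = ev._replace(user=prior.user)
                    break
        out.append(ev)
    return out

def detect_anomalies(ev, baseline):
    """Compare one event against the user's baseline and the reputation feed."""
    found = set()
    b = baseline.get(ev.user)
    if b:
        if datetime.fromisoformat(ev.time).hour not in b["hours"]:
            found.add("off-hours activity")
        if GEO.get(ev.src_ip) not in b["countries"]:
            found.add("source country never seen for user")
        if ev.action not in b["actions"]:
            found.add(f"new action: {ev.action}")
    for ip in (ev.src_ip, ev.dst_ip):
        if ip in IP_REPUTATION:
            found.add(f"{ip} listed as {IP_REPUTATION[ip][0]}")
    return found

def analyze(events, baseline=BASELINE):
    """Correlate anomalous events per user into offenses and score each by
    credibility, severity and relevance (weights are assumptions)."""
    offenses = {}
    for ev in attribute_identity(events):
        anomalies = detect_anomalies(ev, baseline)
        if not anomalies:
            continue
        off = offenses.setdefault(ev.user, Offense(user=ev.user))
        off.events.append(ev)
        off.anomalies |= anomalies
        off.sources.add(ev.source)
    for off in offenses.values():
        ips = {ip for ev in off.events for ip in (ev.src_ip, ev.dst_ip)}
        # credibility: independent collectors agreeing raises confidence
        off.credibility = min(10, 3 * len(off.sources))
        # severity: worst reputation involved or a never-seen action, whichever is higher
        reps = [IP_REPUTATION[ip][1] for ip in ips if ip in IP_REPUTATION]
        new_action = 5 if any(a.startswith("new action") for a in off.anomalies) else 0
        off.severity = max(reps + [new_action, 1])
        # relevance: criticality of the most valuable asset touched
        off.relevance = max(ASSET_CRITICALITY.get(ev.dst_ip, 1) for ev in off.events)
        off.magnitude = round((off.credibility + off.severity + off.relevance) / 3)
    return sorted(offenses.values(), key=lambda o: o.magnitude, reverse=True)
```

Running analyze(EVENTS) yields one offense for alice: the two morning events match her baseline and are discarded, while the night session, the export and the attributed outbound flow are folded together. Three independent collectors give it high credibility, the malware-host listing sets severity, and the database server's criticality sets relevance. The point the example makes is that none of the individual records is conclusive; only the correlation across sources and the identity context on the flow turn a pile of suspected incidents into one actionable offense.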

(20)

Integration: A unified architecture delivered in a single console

Designed from scratch to deliver massive log management scale without any compromise on SIEM "Intelligence"

Log Management, NextGen SIEM, Activity Monitoring, Risk Management, Vulnerability Management, Network Forensics

(21)

People

Identity and Access Management: Helping to extend secure user access across the enterprise

Key Themes

Standardized IAM and Compliance Management
Expand IAM vertically to provide identity and access intelligence to the business; integrate horizontally to enforce user access to data, applications, and infrastructure

Secure Cloud, Mobile, Social Interaction
Enhance context-based access control for cloud, mobile and SaaS access, as well as integration with proofing, validation and authentication solutions

Insider Threat and IAM Governance
Continue to develop Privileged Identity Management (PIM) capabilities and enhanced identity and role management

(22)

Announcing: Threat-Aware Identity and Access Management

Deliver intelligent identity and access assurance
• Enable identity management for the line of business
• Enhance user activity monitoring and security intelligence across security domains

Safeguard mobile, cloud and social interactions
• Validate "who is who" when users connect from outside the enterprise
• Enforce proactive access policies on cloud, social and mobile collaboration channels

Simplify identity silos and cloud integrations
• Provide visibility into all available identities within the enterprise
• Unify "Universe of Identities" for security management

Prevent insider threat and identity fraud
• Manage shared access inside the enterprise
• Defend applications and access against targeted web attacks and vulnerabilities

(23)

Helping achieve secure transactions and graded trust

Safeguard mobile, cloud and social interactions

• Eliminate use of passwords to secure mobile application access
• Implement risk-based access posture for BYOD
• Validate customer identity interacting via mobile and social channels
• Enforce identity context for mobile, SaaS and cloud access

(24)

Prevent insider threat and identity fraud

Prevent insider breaches caused by privileged identity misuse

• Audit privileged user activity and sensitive data access
• Address compliance, regulatory and privacy requirements
• Secure user access and content against targeted attacks
• Integrated security intelligence

(Figure: Administrative ID, Credential Vault, Target Systems)
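The figure's three boxes (administrative ID, credential vault, target systems) describe a check-out model for shared privileged accounts. The Python below is an added example of that flow, written for this page and not IBM Privileged Identity Manager code: named users lease a shared administrative ID from a vault, the vault enforces entitlement, a single holder and a time limit, rotates the secret on check-in or expiry, and records every attempt so activity under "root" is attributable to a person. The users, target systems, entitlements and lease length are constructed assumptions; a real vault would persist this state and forward the audit trail to the SIEM.

```python
"""Illustrative privileged-identity check-out flow (added example; not IBM
Privileged Identity Manager code). Users, systems and entitlements are
constructed; a real vault would persist state and forward AUDIT to a SIEM."""
import secrets
from datetime import datetime, timedelta

# Constructed entitlements: which named users may use which shared administrative ID
ENTITLEMENTS = {"alice": {"db01:root"}, "carol": {"db01:root"}, "bob": {"web01:admin"}}
# Vault contents: shared ID -> current secret. Nothing outside the vault keeps these.
VAULT = {sid: secrets.token_urlsafe(24) for sid in ("db01:root", "web01:admin")}
LEASES = {}   # shared ID -> (holder, expiry)
AUDIT = []    # (time, actor, shared ID, outcome, reason): the attributable trail


def _record(now, actor, sid, outcome, reason=""):
    AUDIT.append((now.isoformat(), actor, sid, outcome, reason))
    return outcome


def checkout(user, sid, now, reason, ttl=timedelta(minutes=30)):
    """Lease a shared ID to a named user for a stated reason; returns the secret.
    Denied if the user is not entitled or another user currently holds it."""
    if sid not in ENTITLEMENTS.get(user, set()):
        _record(now, user, sid, "denied: not entitled", reason)
        raise PermissionError(f"{user} is not entitled to {sid}")
    holder, expiry = LEASES.get(sid, (None, None))
    if holder is not None and holder != user and now < expiry:
        _record(now, user, sid, f"denied: held by {holder}", reason)
        raise PermissionError(f"{sid} is checked out by {holder}")
    LEASES[sid] = (user, now + ttl)
    _record(now, user, sid, "checkout", reason)
    return VAULT[sid]


def checkin(user, sid, now):
    """Release the lease and rotate the secret so the value just used is dead."""
    holder, _ = LEASES.get(sid, (None, None))
    if holder != user:
        _record(now, user, sid, "denied: not the holder")
        raise PermissionError(f"{user} does not hold {sid}")
    del LEASES[sid]
    VAULT[sid] = secrets.token_urlsafe(24)
    return _record(now, user, sid, "checkin and rotate")


def expire_leases(now):
    """Housekeeping: force check-in of overdue leases and rotate their secrets."""
    expired = [sid for sid, (_, expiry) in LEASES.items() if now >= expiry]
    for sid in expired:
        holder, _ = LEASES.pop(sid)
        VAULT[sid] = secrets.token_urlsafe(24)
        _record(now, "system", sid, f"lease of {holder} expired, rotated")
    return expired


def trail(sid):
    """Every attempt to use a shared ID, attributed to a person."""
    return [entry for entry in AUDIT if entry[2] == sid]
```

Rotation on every check-in and expiry is what makes the audit trail meaningful: the secret a person received is only valid during their lease, so a later login with that password cannot have come from anyone else. Denied attempts are recorded too, which is the signal an insider-threat use case needs.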

(25)

Data

Data Security: Helping to secure structured, unstructured, online and offline data across the enterprise

Key Themes

Expand to new platforms
Expand beyond supporting databases to all relevant data sources, including data warehouses, file shares, file systems, enterprise content managers, and Big Data (Hadoop, NoSQL, in-memory DB), wherever data is stored

Introduce new data protection capabilities
Complement discovery, classification, monitoring, auditing, and blocking with thought leadership capabilities like cloud encryption/tokenization, dynamic data masking, and fraud detection

Lead on scalability and lower TCO
Continue to improve on solution deployability with improvements to scalability, performance, simplification, automation, serviceability, and ease of use

Data protection stack (security solutions integrated with IT and business process):

Governance, Security Intelligence, Analytics
Data Discovery and Classification
Policy-based Access and Entitlements
Audit, Reporting, and Monitoring
Enforcement:
• Data in Use: Endpoint loss prevention at the endpoint (workstations, laptops, mobile, …)
• Data in Motion: Network loss prevention over the network (SQL, HTTP, SSH, FTP, email, …)
• Data at Rest: Protection and encryption of stored data (databases, file servers, Big Data, data warehouses, application servers, cloud/virtual, …)

• Protect data in any form, anywhere, from internal or external threats
• Streamline regulation compliance process
• Reduce operational costs
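The stack above chains discovery and classification, policy-based entitlements, enforcement and audit, and the key themes name dynamic data masking and tokenization as enforcement methods. The Python below is an added example of those pieces working on one record; it is written for this page and is not Guardium or Optim code. Columns carry a classification tag, a role-based policy decides per access whether a caller sees a column in clear, masked, tokenized or redacted, and tokens are reversible only through a vault and only for roles entitled to the clear value. The table, policy, roles and key are constructed; in practice the key would come from a key manager and the vault would be a protected store rather than a dictionary.

```python
"""Illustrative policy-based dynamic data masking and tokenization (added
example; not Guardium or Optim code). Table, policy and key are constructed;
in practice the key comes from a key manager and the vault is a database."""
import hashlib
import hmac

# Constructed output of discovery and classification: column -> data class
CLASSIFICATION = {"customer_id": "internal", "name": "pii", "email": "pii",
                  "card": "pci", "balance": "financial"}
# Constructed entitlement policy: role -> data class -> treatment
POLICY = {
    "dba":     {"internal": "clear", "pii": "mask",  "pci": "token",  "financial": "mask"},
    "support": {"internal": "clear", "pii": "clear", "pci": "mask",   "financial": "clear"},
    "analyst": {"internal": "clear", "pii": "token", "pci": "redact", "financial": "clear"},
}
KEY = b"constructed-demo-key"   # assumption: real deployments fetch this from a key manager
VAULT = {}    # token -> (data class, clear value); the only place a tokenized value is kept
AUDIT = []    # (role, column, treatment) for every column access

RECORD = {"customer_id": 1001, "name": "Alice Smith", "email": "alice@example.com",
          "card": "4111111111111111", "balance": 1234.56}   # constructed row


def mask(value, data_class):
    """Partial masking that keeps what the role legitimately needs."""
    s = str(value)
    if data_class == "pci":                      # card numbers: last four digits only
        return "*" * (len(s) - 4) + s[-4:]
    if "@" in s:                                 # e-mail: keep the domain for routing
        local, domain = s.split("@", 1)
        return local[0] + "*" * (len(local) - 1) + "@" + domain
    return " ".join(w[0] + "*" * (len(w) - 1) for w in s.split())


def tokenize(value, data_class):
    """Deterministic token, reversible only through the vault: the same clear
    value always maps to the same token, so joins and counts still work."""
    digest = hmac.new(KEY, f"{data_class}:{value}".encode(), hashlib.sha256).hexdigest()
    token = "tok_" + digest[:16]
    VAULT[token] = (data_class, value)
    return token


def detokenize(token, role):
    """Return the clear value only to a role entitled to see that class in clear."""
    data_class, value = VAULT[token]
    if POLICY[role].get(data_class) != "clear":
        raise PermissionError(f"role {role!r} may not detokenize {data_class} data")
    return value


def apply_policy(record, role):
    """Build the view of one record that the role is entitled to see.
    Unclassified columns and unknown classes default to redaction (deny)."""
    view = {}
    for column, value in record.items():
        data_class = CLASSIFICATION.get(column, "unclassified")
        treatment = POLICY[role].get(data_class, "redact")
        AUDIT.append((role, column, treatment))
        if treatment == "clear":
            view[column] = value
        elif treatment == "mask":
            view[column] = mask(value, data_class)
        elif treatment == "token":
            view[column] = tokenize(value, data_class)
        else:
            view[column] = "[REDACTED]"
    return view
```

Two design points matter here. Masking is chosen per data class rather than per column so a newly discovered card column is protected as soon as it is classified, and the policy lookup defaults to redact, so a column the classifier has not seen yet is withheld rather than leaked. Tokenization is keyed and deterministic so analysts can still group and join on a customer without ever holding the name, while detokenize() re-checks the policy instead of trusting the caller.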

(26)

InfoSphere Guardium integration with QRadar opens up new opportunities

• Send security alerts from Guardium to QRadar
• Send audit reports from Guardium to QRadar to enhance analytics
• Send database vulnerability assessment status from Guardium to QRadar

Extensive data sources + Deep intelligence = Exceptionally accurate and actionable insight

Extensive data sources: Security devices; Servers and hosts; Network and virtual activity; Application activity; Data activity; User activity; Vulnerability info; Configuration info

Deep intelligence: Event correlation; Activity baselining and anomaly detection; Offense identification

From InfoSphere Guardium: in-depth data activity monitoring and security insights, including database activity and vulnerability information, across databases, data warehouses, Big Data environments and file shares

(27)

Applications

Application Security: Helping to protect against the threat of attacks and data breaches

Key Themes

Coverage for Mobile applications and new threats
Continue to identify and reduce risk by expanding scanning capabilities to new platforms such as mobile, as well as introducing next generation dynamic analysis scanning and glass box testing

Simplified interface and accelerated ROI
New capabilities to improve customer time to value and consumability with out-of-the-box scanning, static analysis templates and ease of use features

Security Intelligence Integration
Automatically adjust threat levels based on knowledge of application vulnerabilities by integrating and analyzing scan results with SiteProtector and the QRadar Security Intelligence Platform

Integration points: Build systems (improve scan efficiencies); Integrated defect tracking systems (track remediation); IDEs (remediation assistance); Security Intelligence (raise threat level)

Scanning techniques across the software development lifecycle (coding, build, QA, security, production): static analysis (white box), dynamic analysis (black box)

Applications covered: Web applications, Web services, Mobile applications, Programming languages, Purchased applications

Governance and collaboration: Test policies, test templates and access control; Dashboards, detailed reports and trending

Audience: Development teams, Security teams, Penetration testers

(28)

Infrastructure

Infrastructure Protection: Network

IBM Network Security: Intrusion Prevention; Content and Data Security; Web Application Protection; Network Anomaly Detection; Application Control; Advanced Threat Platform

Security Intelligence Platform: Log Manager; SIEM; Network Activity Monitor; Risk Manager; Vulnerability Manager

Threat Intelligence and Research: Vulnerability Data; Malicious Websites; Malware Information; IP Reputation

(Three items on the slide are marked "Future".)

Key Themes

Advanced Threat Protection Platform
Helps to prevent sophisticated threats and detect abnormal network behavior by using an extensible set of network security capabilities in conjunction with real-time threat information and Security Intelligence

Expanded X-Force Threat Intelligence
Increased coverage of world-wide threat intelligence harvested by X-Force and the consumption of this data to make smarter and more accurate security decisions

Security Intelligence Integration
Tight integration between the Advanced Threat Protection Platform and QRadar Security Intelligence platform to provide unique and meaningful ways to detect, investigate and remediate threats

(29)

X-Force Threat Intelligence: The IBM Differentiator

URL/Web Filtering
• Provides access to one of the world's largest URL filter databases, containing more than 20 billion evaluated Web pages and images

Anti-Spam
• Detects spam using known signatures and discovers new spam types automatically; 99.9% accurate, near 0% overblocking

IP Reputation
• Categorizes malicious websites via their IP address into different threat segments, including malware hosts, spam sources, and anonymous proxies

Web Application Control
• Identifies and provides actions for application traffic, both web-based, such as Gmail, and client-based, such as Skype

The mission of X-Force is to:
• Monitor and evaluate the rapidly changing threat landscape
• Research new attack techniques and develop protection for tomorrow's security challenges
• Educate our customers and the general public

Advanced Security and Threat Research

(30)

Infrastructure Protection: Endpoint

Provides in-depth security across your network, servers, virtual servers, mainframes and endpoints

Key Themes

Security for Mobile Devices
Provide security for and manage traditional endpoints alongside mobile devices such as Apple iOS, Google Android, Symbian, and Microsoft Windows Phone, using a single platform

Expansion of Security Content
Continued expansion of security configuration and vulnerability content to increase coverage for applications, operating systems, and industry best practices

Security Intelligence Integration
Improved usage of analytics, providing valuable insights to meet compliance and IT security objectives, as well as further integration with SiteProtector and the QRadar Security Intelligence Platform

(31)

IBM Security: Helping clients optimize IT security

Integrated Portfolio

Managed and Professional Services

Extensive Partner Ecosystem

(32)

www.ibm.com/security

© Copyright IBM Corporation 2013. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind, express or implied. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, these materials. Nothing contained in these materials is intended to, nor shall have the effect of, creating any

warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software. References in these materials to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates. Product release dates and/or capabilities referenced in these materials may change at any time at IBM’s sole discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any way. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed or misappropriated or can result in damage to or misuse of your systems, including to attack others. No IT system or product should be considered completely secure and no single product or security measure can be completely effective in preventing improper access. IBM systems and products are designed to be part of a comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective. IBM DOES NOT WARRANT THAT SYSTEMS AND PRODUCTS ARE IMMUNE FROM THE

MALICIOUS OR ILLEGAL CONDUCT OF ANY PARTY.


(33)

Disclaimer

Please Note:

IBM's statements regarding its plans, directions, and intent are subject to change or withdrawal without notice at IBM's sole discretion.

Information regarding potential future products is intended to outline our general product direction and it should not be relied on in making a purchasing decision.

The information mentioned regarding potential future products is not a commitment, promise, or legal obligation to deliver any material, code or functionality. Information about potential future products may not be incorporated into any contract. The development, release, and timing of any future features or functionality described for our products remains at our sole discretion.

(34)

Customer successes across domains

People: Manage user access securely and cost-effectively
Major South American bank health reduced the number of help desk calls by 30%, resulting in annual savings of $450,000+

Data: Ensure privacy and integrity of data
Major global bank saved $1.5 USD / year on storage costs and reduced compliance costs by $20M USD

Applications: Automate security testing on web-based applications
Client added 225 new applications per year to handle US$1 quadrillion in securities transactions per year

Infrastructure: Proactively alert, simplify monitoring and management
Client monitored all devices and networks across all sites with zero false positives, without blocking revenue-based traffic

Advanced Fraud Protection: Protect against financial fraud and advanced security threats
Banking clients reduced online banking fraud to near zero while complying with regulatory compliance mandates for layered security

Security Intelligence and Analytics: Improve overall security and compliance
Global office products supplier achieved greater visibility to potential security threats and PCI compliance with $0 cost increase
