Security Intelligence Overview

Transcription

1 Security Intelligence Overview Ray Menard Senior Security Architect IBM Security Systems May IBM Corporation

2 Security Intelligence "Electronic intelligence, valuable though it is in its own way, serves to augment the daunting volume of information which is directed at headquarters from satellite and aerial reconnaissance, intelligence-gathering ships, optical observation, special forces, armoured reconnaissance teams, and the interrogation of prisoners. Nowadays the commander is confronted with too much information, rather than too little, and it is his informed judgment which ultimately decides what is relevant and important." [NATO, The Warsaw Pact and the Superpowers, 2 ed. p. 33 Hugh Farringdon 2

3 Security Intelligence Network and security information, valuable though it is in its own way, serves to augment the daunting volume of information which is directed at network and security practitioners from firewalls and IDS/IPS, sever logs, application logs, syslog servers, proxy servers and virus scanners. Nowadays the security practitioner is confronted with too much information, rather than too little, and it is his informed judgment which ultimately decides what is relevant and important." Ray Menard plagiarized from Hugh Farringdon 3

4 Innovative technology changes everything 1 trillion connected objects 1 billion mobile workers Social business Bring your own IT 4 Cloud and virtualization

5 Despite proliferation of security solutions DLP SIEM/Log Management The Security Division of EMC RM/CM 5 IBM Security Systems

6 Targeted attacks remain top of mind Saudi Arabia Says Aramco Cyberattack Came From Foreign States Bloomberg, Dec 2012 How to Hack Facebook In 60 Seconds InformationWeek, June 2013 Facebook hacked in 'sophisticated attack' The Guardian, Feb 2013 Hackers in China Attacked The Times for the Last 4 Months The New York Times, Jan 2013 Fed Acknowledges Cybersecurity Breach The Wall Street Journal, Feb 2013 Adobe Systems Reports Attack on Its Computer Network The Wall Street Journal, Oct 2013 Apple Hacked: Company Admits Development Website Was Breached Huffington Post, July 2013 South Carolina taxpayer server hacked, 3.6 million Social Security numbers compromised CNN, Oct 2012 Chinese hacking of US media is 'widespread phenomenon Wired, Feb

7 What is Security Intelligence? Security Intelligence --noun A methodology of analyzing millions and billions of security, network and application records across the organization s entire network in order to gain insight into what is actually happening in that digital world. --verb Combining internal, locally collected security intelligence, with external intelligence feeds for the application of correlation rules to reduce huge volumes of data into a handful of high probability offense records requiring immediate investigation to prevent or minimize the impact of security incidents Delivers actionable, comprehensive insight for managing risks, combatting threats, and meeting compliance mandates. 7

8 Security Intelligence Timeline Prediction & Prevention Devices and applications having no logging capabilities Anomalous activity Disabled Logging Network Noise Vulnerabilities (Passive) Virtual Activity User Activity Reaction & Remediation Firewalls IDS Syslog Events Application Logs Windows Events Authentication Logs Network Device Logs Database activity Logs Vulnerabilities (Active) 8

9 Early solutions captured only tip of data iceberg Logs Events Alerts System audit trails Configuration information Network flows and anomalies External threat feeds Business Intelligence Identity context and social activity Malware information 9

10 Constantly injecting SI platform intelligence updates QRadar Security Intelligence modules receive nightly content updates or fresh Intelligence Updated content includes: Device Support Modules (Log Parsers) Event Mapping / QID (Log Meta Data) X-Force threat and vulnerability data Custom properties, rules, searches, reports QFlow Application Signatures (Layer 7) Functional Software Patches Delivered to Console and subsequently consumed by all managed hosts No waiting weeks or months for new releases; protection that adapts in concert with changes in security landscape 10

11 Integrated Security Intelligence add Force Multipliers Security Intelligence Feeds Geo Location Internet Threats Vulnerabilities Business Intelligence Business Process Policy Compliance Response 11 IBM Security Systems

12 Log Management 12

13 Easy to use Rule Wizard 13

14 Offense Manager Clear, concise and comprehensive delivery of relevant information: Who was responsible? What was the attack? Was it successful? How many targets involved? Where do I find them? Are any of them vulnerable? How valuable are the targets to the business? 14 Where is all the evidence?

15 Network flow analysis is fundamental capability Log management products collect subset of available data Netflows enable visibility into attacker communications Stored as aggregated, bi-directional records of IP addresses, ports, and protocols Offer advanced detection and forensics via flow pivoting, drill-down and data mining QFlow Collectors dig deeper, adding Layer 7 application insights 15

16 Integrated vulnerability management narrows the actions Existing vulnerability management tools Questions remain: Has that been patched? Has it been exploited? Is it likely to be exploited? Does my firewall block it? Does my IPS block it? Does it matter? Security Intelligence Integration Improves visibility Intelligent, event-driven scanning, asset discovery, asset profiling and more Reduces data load Bringing rich context to Vulnerability Management Breaks down silos Leveraging all QRadar integrations and data Unified vulnerability view across all products QRadar Vulnerability Manager Answers delivered: Real-time scanning Early warning capabilities Advanced pivoting and filtering 16

17 QRadar Vulnerability Manager 17

18 Proactive Security 18

19 Actionable Information 19

20 QRadar Risk Manager QRadar Risk Manager enhances Security Intelligence by adding network topology visualization and path analysis, network device optimization and configuration monitoring, and improved compliance monitoring/reporting to QRadar SIEM Collects firewall, switch, router and IPS/IDS configuration data to assess vulnerabilities and facilitate analysis and reporting Discovers firewall configuration errors and helps remove ineffective rules to improve performance 20 Depicts network topology views and helps visualize current and alternative network traffic patterns Identifies active attack paths and assets at risk of exploit, helping mitigate risks and prioritize remediation activities Analyzes policy compliance for network traffic, topology and vulnerability exposures Improves forensic analyses to determine offense root cause; models potential threat propagation Performs rule change simulation and impact analysis Risk assessment and reporting Network topology visualization and analysis Threat modeling and simulations Network device management Compliance and policy management

21 QRadar Risk Manager topology view 21

22 Path searches from topology Path searches can be initiated directly from the topology view or from the search button Existing paths shown graphically, including support for multiple permutations Blocked path display includes drill down capability to all rules blocking the path Arrows show path direction; hovering over links shows details on allowed ports; click on view rules for rule drill down 22

23 QRadar Risk Manager configuration monitor and firewall rule reporting Once device configurations are imported into QRadar Risk Manager, they are normalized and available and stored on the QRM appliance Configurations may be gathered on-demand or scheduled Rule analysis, configuration error detection (e.g. shadowed rules), rule activity correlation, correlation with QRadar offenses, and configuration comparisons are supported 23

24 QRadar Risk Manager configuration monitor Historical and cross-device configuration comparisons are supported via point-and-click Normalized and raw comparisons are supported 24

25 Additional QRadar offense options When QRadar Risk Manager is installed, additional diagnostic options are available from QRadar offense screens, including displaying offense connections and attack path 25

26 QRadar offense attack path From any QRadar offense, clicking attack path button performs a path search that shows precise path (and all permutations) between source and destination IPs involved in the attack Firewall rules enabling the attack path can then be displayed This allows a virtual patch to be applied by quickly showing which firewall rules may be changed to immediately shut down attack path before patching or other config changes can typically be implemented 26

27 QRadar offense connections view Connections correlates events and flows with source and destination IPs involved in the offense Drastically reduces time required to conduct offense forensics 27

28 QRadar Risk Manager policy monitor Policies can be executed on-demand or in monitor mode, which evaluates hourly Exceptions can raise a QRadar offense and can also place events in the QRadar pipeline Reports can be generated that indicate policy exceptions and pass events, useful for compliance 28

29 Simulating attacks QRadar Risk Manager simulations allow exploit propagation to be modeled based on a specified starting point, asset vulnerability/threat data, and network reachability The example below simulates an attack originating from the Internet, targeting a specific network and vulnerability; up to five steps can be modeled Like policies, simulations can be placed into monitor mode 29

30 Big Data adds more structured and even unstructured data Data Sources Real-time Processing QRadar Security Intelligence Platform Security Operations QRadar Console (Web interface) Two major roles QRadar can play in the IBM Big Data Solution: Security and Infrastructure Data Sources External Threat Intelligence Feeds , Web, Blogs, and Social Activity Big Data Warehouse Hadoop Store Raw Data Watch List Custom Rules InfoSphere BigInsights Relational Store High-value Information Big Data Analytics and Forensics InfoSphere BigSheets i2 Intelligence Analysis 1) Collects SI data and feeds to BigInsights to enrich data sources 2) Provides a dashboard to display, organize, and query the data generated by Big Data Analytics and Forensics Collect Flow of data/information Flow of knowledge 1 Data Collection & Enrichment (HOT) 2 Real-time insights (HOT) Store & Process 3 Forward (HOT) & Store (HOT, Warm, cold) data 4 Big Data Analysis, Trends & History (Warm and cold) Analyze Advanced Visualizations and 5 Investigation (Warm and cold) 6 Enrich / Adapt / Improve 30

31 A Clear & Present Threat Attackers spend an estimated 243 days on a victim s network before being discovered In 2012, 38% of targets were attacked again once the original incident was remediated. Has our organization been compromised? When was our security breached? How do we identify the attack? What type of attack is it? What resources and assets are at risk? How to avoid becoming a repeat victim? 31

32 Extend clarity around incidents with in-depth forensics data Suspected Incidents Prioritized Incidents Directed Forensics Investigations Rapidly reduce time to resolution through intuitive forensic workflow Use guided discovery more than technical training Determine root cause and prevent re-occurrences Embedded Intelligence 32

33 Next generation network forensics: know what happened, fast Our Security Intelligence platform delivers powerful capabilities to limited IT security resources Introducing QRadar Incident Forensics Leveraging the strengths of QRadar to optimize the process of investigating and gathering evidence on advanced attacks and data breaches Tells you exactly when an incident occurred Integrated with QRadar SIEM to discover true offenses Applies search engine technology Returns detailed, multi-level search results in seconds Allows you to quickly Retrace full incident activity Full packet capture for complete session reconstruction Unified view of all flow, user, event, and forensic information Retrace activity in chronological order Provides assistance with navigating investigations Visually construct threat entity relationships Builds detailed digital impressions across multiple IDs 33

34 Network Activity+ From Session Data To Full Visualization of User Activity 34

35 Intelligence To Deliver Clarity QRadar Incident Forensics has several features to deliver intelligence to the security analyst to assist in the forensics investigation Digital Impressions: Compiled set of associations to identify identity trails To rich visualizations of digital impressions showing extended relationships Chat Social Suspect Content: Defined set of rules on content that signify suspicious activity Entity Alert Scanning IP Botnet.. VoIP Web Network Content Categorization: Dynamic categorization of content based metadata and XForce feeds enables analyst to filter out the noise 35

36 Embedded intelligence of QRadar directs focus for investigations Security devices Application activity QRadar SIEM QRadar Incident Forensics Servers and mainframes Global threat intelligence Network and virtual activity Vulnerabilities and threats Configuration information Users and identities Automated data collection and asset discovery Real-time, and integrated analytics Massive data reduction Anomaly detection Offenses Identified by QRadar Full PCAP Forensics Detailed Incident Meta- Data Evidence Reconstruction of content and incident activity Data activity 36 Data Sources Distillation Identification Investigation

37 QRadar Security Intelligence Offense Manager 37

38 Gathering the Information 38

39 Prepare the data 39

40 Composite Data 40

41 Focusing In on Specific Data 41

42 Detail 42

43 The Actual Document 43

44 Document Verification 44

45 Relationships 45

46 Following the Trail 46

47 Zeroing in 47

48 The Smoking Gun 48

49 Delivering multiple security solutions through a single, integrated platform Security Intelligence and Analytics Log Management NextGen SIEM Activity Monitoring Risk Management Vulnerability Management Network Forensics Northbound APIs Real Time and Analyst-driven Work Flow Real Time Correlation / Automated Security Analytics Big Data Store / Warehouse / Archival Southbound APIs Real Time Structured Security Data Unstructured Operational / Security Data 49

50 Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed or misappropriated or can result in damage to or misuse of your systems, including to attack others. No IT system or product should be considered completely secure and no single product or security measure can be completely effective in preventing improper access. IBM systems and products are designed to be part of a comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective. IBM DOES NOT WARRANT THAT SYSTEMS AND PRODUCTS ARE IMMUNE FROM THE MALICIOUS OR ILLEGAL CONDUCT OF ANY PARTY. Copyright IBM Corporation All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind, express or implied. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, these materials. Nothing contained in these materials is intended to, nor shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software. References in these materials to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates. Product release dates and/or capabilities referenced in these materials may change at any time at IBM s sole discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any way. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service marks of others. 50 IBM Security Systems