Integrated, Intelligence-driven Cyber Threat Hunting
THREAT INVESTIGATION AND RESPONSE PLATFORM
Zsolt Kocsis, IBM Security Technical Executive, CEE
zsolt.kocsis@hu.ibm.com
6th Nov 2018
Build an integrated security immune system

DATA: Data protection; Data access control
APPS: Application scanning; Application security management
SECURITY ORCHESTRATION & ANALYTICS (core): Security analytics; Vulnerability management; Threat and anomaly detection; Threat hunting and investigation; User behavior analytics; Incident response
IDENTITY & ACCESS: Privileged user management; Identity governance and administration; Access management; IDaaS; Mainframe security
ADVANCED FRAUD: Fraud protection; Criminal detection; Transaction protection
MOBILE: Device management; Content security
ENDPOINT: Endpoint detection and response; Endpoint patching and management; Malware protection
THREAT INTEL: Threat sharing; IoCs
NETWORK: Firewalls and intrusion prevention; Network forensics and threat management; Network visibility and segmentation

2 IBM Security
QRadar & Incident Response (Life of an Incident)

QRadar: Prioritized security insights from logs, flows, vulnerabilities, user and configuration data, etc.
Extensive data sources: Security devices; Servers and mainframes; Network and virtual activity; Data activity; Application activity; Configuration information; Vulnerabilities and threats; Users and identities; Global threat intelligence
QRadar Sense Analytics (TM): Extensive data collection, storage, and analysis; Real-time correlation and threat intelligence; Automatic asset, service and user discovery and profiling; Activity baselining and anomaly detection; Prioritized incidents; Embedded intelligence

Cyber Incident Response Process: Security operations for responding to threats, breaches, vulnerabilities
Incident Creation:
- Assign based on type (e.g. breach)
- Business notification based on type (e.g. Risk
Gather Context & Task:
- Associate additional evidence
- Apply compliance context
- Assign tasks
Remediate & Close:
- Communicate remediation tasks to teams
- Confirm remediation
- Close incident
- Report/Notify

Feedback loop: Continuous Security Analytics -> Security Incident Triage -> Security Incident Knowledge base -> Security process and detection improvement -> Incident Report and Notify
Security Analyst tasks and technologies in the Security Operations Center

Analyst tiers: Tier One Analyst; Tier Two Analyst; Tier Three Analyst
Technology layers: Foundational Security; SIEM Tools; Cyber Security Enrichment Tools; Multi-Dimensional Analysis; Watson for Cyber Security; Physical, Geospatial and Non-Traditional data
Analyst tasks: Triage; Awareness; Alerting; Monitoring; Enrichment; Context Enhancement; All Source Data Analysis; Deep Investigation; Initial Analysis; Offense Review; Visibility; Increased Accuracy; Hypothesis Generation; Statistical Data Analysis; Relational Searching; Aggregation; Detection; Vulnerability Mgmt; Speed Up Investigation; Static Visualization; Advanced Data Queries; Active Visualization
IBM W7+2 methodology

Who: Which person or application generated the action
What: What action was performed
When: When did the event happen (absolute and relative time)
Where: On which object did it happen?
Where From: From which object was the action initiated
Where To: Which object was the target of the action
On What: Which object was impacted
+ With Whom: Who were the collaborators in the activity
+ Why: Goal of the activity

Maps intuitively to the Extended Diamond Model of Intrusion Analysis (vertices: Who / With Whom / Why; What; Where / Where From / Where To; On What (Targets); When; kill chain steps)
http://www.activeresponse.org/wp-content/uploads/2013/07/diamond.pdf
Architecture (diagram)

Inputs: Events; Logs; Flows; Feeds
Sources and stores: SIEM; UBA; Threat DB; AI; Endpoints; Asset DB; Vulnerabilities; Business services; Users, Accounts, Organisation
Threat intelligence: Scoring and Alerting; IOC; UNSTRUCTURED (text analytics); STRUCTURED (threat feeds)
Investigation and response process: Analytics; USE CASE; REPORTs; evidences
Architecture with IBM logos (diagram)

Inputs: Events; Logs; Flows; Feeds
Sources and stores: SIEM; UBA; Threat DB; AI; Endpoints; Asset DB; Vulnerabilities; Business services; Users, Accounts, Organisation; Identity Manager
Threat intelligence: Scoring and Alerting; IOC; UNSTRUCTURED (Text Analytics); STRUCTURED (Threat Feeds)
Investigation and response process: USE CASE; REPORT; evidences
Points of automation in investigation tasks

- Automated data load and update for high-value targets (protected entities, data, critical systems, VIP persons)
- Investigation workflows can be triggered by:
  - Proactive: threat intelligence alerts (threat feeds and unstructured data)
  - Real time: SIEM monitoring, offense investigation (L3)
  - Post attack: forensic investigations, manual events
- Set of connectors and a connector framework for ad hoc queries on selected data classes: SIEM, Asset DB, IDM, service models, endpoint protection, threat services, etc.
- Predefined investigation workflow following the Diamond Model methodology (focus questions, roles, tasks, data integrations, result artifacts)
- Use case updates to the SIEM (with result artifacts and automated updates)
- Up-to-date reporting, evidence collection and dashboard

The investigation is supported, structured and accelerated by a methodology and related automation tools with AI support, but it is done by a human analyst.
THREAT INVESTIGATION AND RESPONSE DEMO
THANK YOU

FOLLOW US ON: ibm.com/security; securityintelligence.com; ibm.com/security/community; xforce.ibmcloud.com; @ibmsecurity; youtube/user/ibmsecuritysolutions

Zsolt Kocsis
IBM Security Technical Executive, Central and Eastern Europe
Associate professor, BME
IBM Hungary, Neumann Janos u 1, 1117 Budapest, Hungary
Office: +36 1 3825810
Mobile: +36 20 8235810
zsolt.kocsis@hu.ibm.com

Copyright IBM Corporation 2018. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind, express or implied. Any statement of direction represents IBM's current intent, is subject to change or withdrawal, and represents only goals and objectives. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service marks of others.

Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed, misappropriated or misused or can result in damage to or misuse of your systems, including for use in attacks on others. No IT system or product should be considered completely secure and no single product, service or security measure can be completely effective in preventing improper use or access. IBM systems, products and services are designed to be part of a lawful, comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective. IBM does not warrant that any systems, products or services are immune from, or will make your enterprise immune from, the malicious or illegal conduct of any party.
Attack scenario (diagram): Petrovich; Oleg; Oleg's machine; Petrovich's machine
Investigation result in i2 (screenshot)