Integrated, Intelligence driven Cyber Threat Hunting


Integrated, Intelligence driven Cyber Threat Hunting
THREAT INVESTIGATION AND RESPONSE PLATFORM
Zsolt Kocsis, IBM Security Technical Executive, CEE, zsolt.kocsis@hu.ibm.com
6th Nov 2018

Build an integrated security immune system
DATA: Data protection; Data access control
APPS: Application scanning; Application security management
SECURITY ORCHESTRATION & ANALYTICS: Security analytics; Vulnerability management; Threat and anomaly detection; Threat hunting and investigation; User behavior analytics; Incident response
IDENTITY & ACCESS: Privileged user management; Identity governance and administration; Access management; IDaaS; Mainframe security
ADVANCED FRAUD: Fraud protection; Criminal detection; Transaction protection
MOBILE: Device management; Content security
ENDPOINT: Endpoint detection and response; Endpoint patching and management; Malware protection
THREAT INTEL: Threat sharing; IoCs
Networking: Firewalls and intrusion prevention; Network forensics and threat management; Network visibility and segmentation
2 IBM Security

QRadar & Incident Response (Life of an Incident)

QRadar: Prioritized Security Insights from Logs, Flows, Vulns, User, Config Data etc.
EXTENSIVE DATA SOURCES: Security devices; Servers and mainframes; Network and virtual activity; Data activity; Application activity; Configuration information; Vulnerabilities and threats; Users and identities
QRadar Sense Analytics (TM): Extensive data collection, storage, and analysis; Real-time correlation and threat intelligence; Automatic asset, service and user discovery and profiling; Activity baselining and anomaly detection
Embedded Intelligence: Global threat intelligence; Continuous Security Analytics

Cyber Incident Response Process: Security Operations for responding to threats, breaches, vulnerabilities
Incident Creation: Prioritized incidents - Assign based on type (e.g. breach) - Business notification based on type (e.g. Risk
Gather Context & Task: - Associate additional evidence - Apply compliance context - Assign tasks
Remediate & Close: - Communicate remediation tasks to teams - Confirm Remediation - Close Incident
Report and Notify: - Report/Notify
Supporting functions: Security Incident Triage; Security Incident Knowledge base; Security process and detection improvement

Security Analyst tasks and technologies in Security Operations Center
Analyst tiers: Tier One Analyst; Tier Two Analyst; Tier Three Analyst
Data and tool layers: Foundational Security; Watson for Cyber Security; Physical, Geospatial, Non-Traditional; SIEM Tools; Cyber Security Enrichment Tools; Multi-Dimensional Analysis
Tasks and capabilities (as listed on the slide): Triage; Awareness; Alerting; Monitoring; Enrichment; Alerting; Context Enhancement; All Source Data Analysis; Deep Investigation; Initial Analysis; Offense Review; Visibility; Increased Accuracy; Hypothesis Generation; Statistical Data Analysis; Relational Searching; Aggregation; Detection; Vulnerability Mgmt; Speed Up Investigation; Static Visualization; Advanced Data Queries; Active Visualization

IBM W7+2 methodology
Who: Which person or application generated the action
What: What action was performed
When: When did the event happen (absolute and relative time)
Where: On which object did it happen?
Where From: From which object was the action initiated
Where To: Which object was the target of the action
On What: Which object was impacted
+ With Whom: Who were the collaborators in the activity
+ Why: Goal of the activity
The questions map intuitively to the Extended Diamond Model of Intrusion Analysis: Where / Where from / Where to (infrastructure), Who / With Whom / Why (adversary), On What (targets), When / What (capability and kill chain steps). http://www.activeresponse.org/wp-content/uploads/2013/07/diamond.pdf
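The slide lists the nine questions but does not show what it looks like to apply them to raw events. The following added example (not code from the presentation, IBM, QRadar or i2) normalises constructed key=value log records into a W7+2 record, fills in both absolute and relative time for "When", marks which questions an event leaves unanswered (the "Why" question is always left to the analyst), and then pivots on a question the way the Diamond-model workflow on the later "Points of automation" slide describes. The log format, field names, hosts and user names are all constructed for this example.

```python
"""Normalise raw events into the W7+2 question set (Who, What, When, Where,
Where From, Where To, On What, With Whom, Why) and pivot on the answers.
Added example: the key=value record format and the field names below are
constructed for illustration and are not a QRadar, i2 or other product format."""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional

# Constructed sample events (hosts and users are placeholders, not real data).
# They are deliberately out of time order to show that ordering is done on parse.
RAW_EVENTS = [
    "ts=2018-11-06T09:02:30Z actor=oleg action=file_read host=srv-fin01 src=srv-fin01 dst=srv-fin01 obj=/finance/q4.xlsx outcome=success",
    "ts=2018-11-06T09:00:00Z actor=oleg action=ssh_login host=srv-fin01 src=ws-oleg dst=srv-fin01 obj=sshd outcome=success",
    "ts=2018-11-06T09:05:00Z actor=oleg action=file_send host=ws-oleg src=ws-oleg dst=ws-petrovich obj=/finance/q4.xlsx collab=petrovich outcome=success",
]

# Raw field -> W7+2 question (assumed mapping for the constructed format).
FIELD_MAP = {
    "actor": "who", "action": "what", "host": "where", "src": "where_from",
    "dst": "where_to", "obj": "on_what", "collab": "with_whom",
}
QUESTIONS = ["who", "what", "when", "where", "where_from", "where_to",
             "on_what", "with_whom", "why"]


@dataclass
class W7Plus2:
    who: Optional[str] = None
    what: Optional[str] = None
    when: Optional[datetime] = None           # absolute time (UTC)
    when_relative_s: Optional[float] = None   # seconds since the first event of the investigation
    where: Optional[str] = None               # object on which the action happened
    where_from: Optional[str] = None          # object that initiated the action
    where_to: Optional[str] = None            # object that was the target
    on_what: Optional[str] = None             # object that was impacted
    with_whom: Optional[str] = None           # collaborators in the activity
    why: Optional[str] = None                 # goal: an analyst conclusion, never parsed from a log
    unanswered: list = field(default_factory=list)  # questions this event leaves open


def parse_kv(line: str) -> dict:
    """Split a 'k=v k=v' record into a dict; tokens without '=' are ignored."""
    pairs = (tok.partition("=") for tok in line.split())
    return {k: v for k, sep, v in pairs if sep}


def to_w7(line: str) -> W7Plus2:
    """Answer the W7+2 questions for one raw event; a record without a timestamp is rejected."""
    raw = parse_kv(line)
    if "ts" not in raw:
        raise ValueError(f"event without timestamp cannot answer 'When': {line!r}")
    when = datetime.strptime(raw["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    rec = W7Plus2(when=when)
    for raw_key, question in FIELD_MAP.items():
        if raw_key in raw:
            setattr(rec, question, raw[raw_key])
    rec.unanswered = [q for q in QUESTIONS if getattr(rec, q) is None]
    return rec


def normalize_all(lines) -> list:
    """Parse, order by absolute time, and fill in relative time ('When' needs both)."""
    recs = sorted((to_w7(line) for line in lines), key=lambda r: r.when)
    if recs:
        t0 = recs[0].when
        for r in recs:
            r.when_relative_s = (r.when - t0).total_seconds()
    return recs


def pivot(recs, question: str, value: str) -> list:
    """All events that answer one W7+2 question with the given value."""
    if question not in QUESTIONS:
        raise KeyError(question)
    return [r for r in recs if getattr(r, question) == value]


def infrastructure_to_targets(recs) -> dict:
    """Diamond-style view: which originating object (Where From) reached which targets (Where To)."""
    out = {}
    for r in recs:
        out.setdefault(r.where_from, set()).add(r.where_to)
    return {k: sorted(v) for k, v in out.items()}


if __name__ == "__main__":
    records = normalize_all(RAW_EVENTS)
    for r in records:
        print(f"+{r.when_relative_s:>6.0f}s {r.who} {r.what} {r.where_from}->{r.where_to} "
              f"on {r.on_what}  open: {r.unanswered}")
    print("touched /finance/q4.xlsx:", [r.what for r in pivot(records, "on_what", "/finance/q4.xlsx")])
    print("infrastructure -> targets:", infrastructure_to_targets(records))
```

The `unanswered` list is the practical payoff: it tells the analyst which of the nine questions the log alone cannot answer for a given event, so the investigation workflow knows where enrichment (identity data, asset DB, threat intelligence) still has to be pulled in before "Why" can be concluded.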

Architecture (diagram): inputs Events, Logs, Flows, Feeds; components UBA, Threat DB, AI, Endpoints, SIEM, Asset DB, Vulnerabilities, Business services, Users and Accounts, Organisation; Investigation and response process with Analytics, Use cases, Reports and evidences; Threat Intelligence Scoring and Alerting from IOCs, unstructured data (text analytics) and structured threat feeds.

Architecture with IBM logos (diagram): the same components as the previous slide (Events, Logs, Flows, Feeds; UBA, Threat DB, AI, Endpoints, SIEM, Asset DB, Vulnerabilities, Business services, Users and Accounts, Organisation, Identity Manager; Investigation and response process with Use cases, Reports and evidences; Threat Intelligence Scoring and Alerting from IOCs, unstructured text analytics and structured threat feeds) shown with the corresponding IBM products.

Points of automation in investigation tasks
- Automated data load and update for High Value Targets (protected entities, data, critical systems, VIP persons)
- Investigation workflows can be triggered by: Proactive: Threat Intelligence alerts (threat feeds and unstructured data); Real time: SIEM monitoring, offense investigation (L3); Post attack: forensics investigations, manual events
- Set of connectors and a connector framework for ad hoc queries over selected data classes: SIEM, Asset DB, IDM, service models, endpoint protection, threat services, etc.
- Predefined investigation workflow following the Diamond model methodology (focus questions, roles, tasks, data integrations, result artifacts)
- Use case updates to the SIEM (with result artifacts and automated updates)
- Up-to-date reporting, evidence collection and dashboard
The investigation is supported, structured and accelerated by a methodology and related automation tools with AI support, but it is done by a human analyst.

THREAT INVESTIGATION AND RESPONSE DEMO

THANK YOU
FOLLOW US ON: ibm.com/security, securityintelligence.com, ibm.com/security/community, xforce.ibmcloud.com, @ibmsecurity, youtube/user/ibmsecuritysolutions
Zsolt Kocsis, IBM Security Technical Executive, Associate professor, BME; Central and Eastern Europe, IBM Hungary, Neumann Janos u 1, 1117 Budapest, Hungary. Office: +36 1 3825810, Mobile: +36 20 8235810, zsolt.kocsis@hu.ibm.com

Copyright IBM Corporation 2018. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind, express or implied. Any statement of direction represents IBM's current intent, is subject to change or withdrawal, and represents only goals and objectives. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service marks of others.

Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed, misappropriated or misused or can result in damage to or misuse of your systems, including for use in attacks on others. No IT system or product should be considered completely secure and no single product, service or security measure can be completely effective in preventing improper use or access. IBM systems, products and services are designed to be part of a lawful, comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective. IBM does not warrant that any systems, products or services are immune from, or will make your enterprise immune from, the malicious or illegal conduct of any party.

Attack scenario (demo diagram): entities Petrovich, Oleg, Oleg's machine, Petrovich's machine

Investigation result in i2 (demo screenshot)