DESCRIPTION

w/ Vijay Dheap, VP of IBM Big Data Security Intelligence


Page 1: Big Data - Amplifying Security Intelligence

© 2012 IBM Corporation

IBM Security Systems

1 IBM Security Systems © 2012 IBM Corporation

Amplifying Security Intelligence

With Big Data and Advanced Analytics

Vijay Dheap
Global Product Manager, Master Inventor
Big Data Security Intelligence & Mobile Security

Page 2: Big Data - Amplifying Security Intelligence


Welcome to a Not So Friendly Cyber World…

Biggest Bank Heist in History Nets $45 Million. All without setting foot in a bank…

Cyber Espionage via Social Networking Sites. Target: US DOD Officials

Hidden Malware Steals 3000 Confidential Documents – Japanese Ministry

Page 3: Big Data - Amplifying Security Intelligence


Playing Defense…

Traditional Approach to Security Predicated on a Defensive Mindset

• Assumes explicit organizational perimeter
• Optimized for combating external threats
• Presumes standardization mitigates risk
• Dependent on general awareness of attack methodologies
• Requires monitoring and control of traffic flows

Layered Defenses Essential for Good Security Hygiene and Addressing Traditional Security Threats…but attackers adapting too

Origins of Security Intelligence

Page 4: Big Data - Amplifying Security Intelligence


Business Change is Coming…If Not Already Here

Enterprises are Undergoing Dynamic Transformations

The Organization’s Cyber Perimeter is Being Blurred…It can no longer be assumed

Page 5: Big Data - Amplifying Security Intelligence


Evolving Attack Tactics…Focus on Breaching Defenses

Page 6: Big Data - Amplifying Security Intelligence


A Look at the Emerging Threat Landscape

Targeted, Persistent, Clandestine

Situational, Subversive, Unsanctioned

Focused, Well-Funded, Scalable

Topical, Disruptive, Public

Concealed, Motivated, Opportunistic

Page 7: Big Data - Amplifying Security Intelligence


Incorporating a More Proactive Mindset to Enterprise Security

Detect, Analyze & Remediate
Think like an attacker, counter-intelligence mindset
• Protect high value assets
• Emphasize the data
• Harden targets and weakest links
• Use anomaly-based detection
• Baseline system behavior
• Consume threat feeds
• Collect everything
• Automate correlation and analytics
• Gather and preserve evidence

Audit, Patch & Block
Think like a defender, defense-in-depth mindset
• Protect all assets
• Emphasize the perimeter
• Patch systems
• Use signature-based detection
• Scan endpoints for malware
• Read the latest news
• Collect logs
• Conduct manual interviews
• Shut down systems

(Slide axis labels: Broad, Targeted)

Page 8: Big Data - Amplifying Security Intelligence


Greater Need for Security Intelligence…

Visibility across organizational security systems to improve response times and incorporate adaptability/flexibility required for early detection of threats or risky behaviors

Page 9: Big Data - Amplifying Security Intelligence


Diversity & Sophistication of Attacks Placing Greater Demands…

1. Analyze a variety of non-traditional and unstructured datasets

2. Significantly increase the volume of data stored for forensics and historic analysis

3. Visualize and query data in new ways

4. Integrate with my current operations

Amplify Security Intelligence with New Insights from Big Data

(Slide diagram: Traditional Security Operations and Technology alongside Big Data Analytics, drawing on the data sources below.)

• Logs
• Events
• Alerts
• Configuration information
• System audit trails
• External threat intelligence feeds
• Network flows and anomalies
• Identity context
• Web page text
• Full packet and DNS captures
• E-mail and social activity
• Business process data
• Customer transactions

Page 10: Big Data - Amplifying Security Intelligence


Big Data Brings New Considerations & Empowers Powerful Analysis

Storage and Processing

• Collection and integration
• Size and speed
• Enrichment and correlation

Analytics and Workflow

• Visualization
• Unstructured analysis
• Learning and prediction
• Customization
• Sharing and export

Transforming Data to Insights Requires Some Infrastructure Considerations

Page 11: Big Data - Amplifying Security Intelligence


Use Cases

Page 12: Big Data - Amplifying Security Intelligence


Security Intelligence From Real-time Processing of Big Data

• Behavior monitoring and flow analytics
• Activity and data access monitoring
• Stealthy malware detection

Irrefutable Botnet Communication: Layer 7 flow data shows botnet command and control instructions

Improved Breach Detection: 360-degree visibility helps distinguish true breaches from benign activity, in real-time

Network Traffic Doesn't Lie: Attackers can stop logging and erase their tracks, but can't cut off the network (flow data)

Page 13: Big Data - Amplifying Security Intelligence


Security Intelligence with Investigative Analysis of Big Data:

Hunting for External Command & Control (C&C) Domains of an Attacker

Advanced analytics identify suspicious domains

• Why only a few hits across the entire organization to these domains?
• Correlating to public DNS registry information increases suspicions

Historical analysis of DNS activity within organization

Automate correlation against external DNS registries

Page 14: Big Data - Amplifying Security Intelligence


Enrich Real-Time Analysis with Insights from Investigative Analysis

Monitor & Thwart Connections to Potential C&C Domains of an Attacker

Correlate against network activity and visualize

View real-time data and look for active connections
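The hunt on slides 13 and 14, worked as an added example (not IBM's or QRadar's code): score domains that only a few internal hosts ever resolved, raise the score when the public registry shows a missing or very recent registration, then match the survivors against live flow records to find connections that are still active. The DNS log, registry table and flow records are constructed sample data; the `max_hosts` and `young_days` thresholds are assumptions to tune per environment.

```python
from collections import defaultdict
from datetime import date

# Constructed sample inputs (not from the deck). DNS_LOG: "timestamp client qname";
# REGISTRY: WHOIS-style creation dates; FLOWS: live "src dst_host port bytes" records.
DNS_LOG = """\
2012-10-01T08:01:10 10.1.1.5 www.example.com
2012-10-01T08:02:11 10.1.1.6 www.example.com
2012-10-01T08:03:12 10.1.1.7 www.example.com
2012-10-01T09:10:01 10.1.1.5 cdn.example.net
2012-10-01T09:11:02 10.1.1.9 cdn.example.net
2012-10-02T23:59:40 10.1.1.5 upd-7x2.example.org
2012-10-03T23:59:41 10.1.1.5 upd-7x2.example.org
"""
REGISTRY = {"example.com": date(1995, 8, 14), "example.net": date(1995, 1, 1),
            "example.org": date(2012, 9, 28)}
FLOWS = """\
10.1.1.5 upd-7x2.example.org 443 18342
10.1.1.6 www.example.com 443 9012
"""
TODAY = date(2012, 10, 4)  # analysis date for the constructed data

def registered_domain(qname):
    """Reduce a query name to its registrable domain (assumes two-label TLDs)."""
    return ".".join(qname.split(".")[-2:])

def rare_domains(dns_log, max_hosts=2):
    """Domains resolved by at most max_hosts distinct clients: the 'few hits' signal."""
    hosts = defaultdict(set)
    for line in dns_log.splitlines():
        _ts, client, qname = line.split()
        hosts[registered_domain(qname)].add(client)
    return {d: h for d, h in hosts.items() if len(h) <= max_hosts}

def score_domains(dns_log, registry, today, young_days=90):
    """Rank rare domains; a missing or recent registration raises the score."""
    out = {}
    for domain, hosts in rare_domains(dns_log).items():
        created = registry.get(domain)
        age = (today - created).days if created else None
        score = 1 if age is not None and age >= young_days else 3
        out[domain] = {"hosts": sorted(hosts), "age_days": age, "score": score}
    return out

def active_connections(flows, suspects):
    """Match suspects against live flow records to find connections still open."""
    return [(s, d, int(p), int(b)) for s, d, p, b in (l.split() for l in flows.splitlines())
            if registered_domain(d) in suspects]
```

Long-established but rarely used domains (here `example.net`) still surface with a low score, which is why the registry correlation is needed before anything is fed to the real-time rules.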

Page 15: Big Data - Amplifying Security Intelligence


Security Intelligence with Investigative Analysis of Big Data:

Pursue Active Spear-Phishing Campaigns Targeting the Organization

Employ Big Data Analytics on email to identify patterns that reveal targets and redirects

Build visualizations, such as heat maps, to view the top targets of a spear-phishing attack

Load spear-phishing targets and redirect URLs into real-time security intelligence analysis to thwart the attack
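The three steps above as one added example (not IBM's code): group email by repeated subject to spot a campaign, count recipients per subject and department as the data behind a heat map, and pull the redirect destinations out of the links so targets and redirect domains can be handed to real-time analysis. The email records are constructed, and the list of redirect query parameters is an assumption for the example.

```python
from collections import Counter
from urllib.parse import urlparse, parse_qs

# Constructed sample email metadata (not from the deck): recipient, department,
# subject, and the URLs found in the body. One subject repeats across departments.
EMAILS = [
    ("alice@corp.example", "Finance", "Invoice overdue",
     ["http://track.example/go?url=http://login-portal.example/x"]),
    ("bob@corp.example", "Finance", "Invoice overdue",
     ["http://track.example/go?url=http://login-portal.example/y"]),
    ("carol@corp.example", "Legal", "Invoice overdue",
     ["http://track.example/go?url=http://login-portal.example/z"]),
    ("dave@corp.example", "Engineering", "Weekly build", ["http://ci.corp.example/job/42"]),
]
# Query parameters commonly used by open redirectors (assumption for this example).
REDIRECT_KEYS = ("url", "redirect", "u", "target")

def redirect_targets(url):
    """Return destination URLs hidden in redirect-style query parameters."""
    params = parse_qs(urlparse(url).query)
    return [v for k in REDIRECT_KEYS for v in params.get(k, []) if v.startswith("http")]

def campaign_heat_map(emails, min_messages=2):
    """Recipient counts per (subject, department) for subjects seen min_messages+ times."""
    by_subject = Counter(subject for _, _, subject, _ in emails)
    heat = Counter()
    for _rcpt, dept, subject, _urls in emails:
        if by_subject[subject] >= min_messages:
            heat[(subject, dept)] += 1
    return heat

def watchlist(emails, min_messages=2):
    """Targets and redirect destinations to load into real-time analysis."""
    campaigns = {subject for subject, _dept in campaign_heat_map(emails, min_messages)}
    targets, domains = set(), set()
    for rcpt, _dept, subject, urls in emails:
        if subject not in campaigns:
            continue
        targets.add(rcpt)
        for url in urls:
            for dest in redirect_targets(url):
                domains.add(urlparse(dest).hostname)
    return sorted(targets), sorted(domains)
```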

Page 16: Big Data - Amplifying Security Intelligence


IBM Security Intelligence Solution with Big Data

Page 17: Big Data - Amplifying Security Intelligence


(Slide diagram: High Volume Security Events and Network Activity flow into QRadar, which surfaces High Priority Security Offenses.)

IBM QRadar Big Data Capabilities and Customer Results

• New SIEM appliances with massive scale. Customer result: quickly find critical insights among 1000s of devices and years of data
• Payload indexing for rapid ad hoc query leveraging a purpose-built data store. Customer result: search 7M+ events in <0.2 sec
• Google-like Instant Search of large data sets (both logs and flows). Customer result: instant, free-text searching for easier and faster forensics
• Intelligent data policy management. Customer result: granular management of log and flow data
• Advanced Threat Visualization and Impact Analysis. Customer result: attack path visualization and device / interface mapping

QRadar uses Big Data capabilities to identify critical security events

Page 18: Big Data - Amplifying Security Intelligence


Extending the Big Data Support of QRadar

(Slide architecture diagram: data ingest from traditional and non-traditional data sources; insights and Advanced Threat Detection as the outputs.)

Security Intelligence Platform: IBM Security QRadar
• Data collection and enrichment
• Event correlation
• Real-time analytics
• Offense prioritization

Big Data Platform: IBM InfoSphere BigInsights
• Hadoop-based
• Enterprise-grade
• Any data / volume
• Data mining
• Ad hoc analytics

Custom Analytics

Page 19: Big Data - Amplifying Security Intelligence


Integrated analytics and exploration in a new architecture

Page 20: Big Data - Amplifying Security Intelligence


InfoSphere BigInsights - flexible, enterprise-class solution for processing large volumes of data

(Slide diagram: editions arranged by increasing Enterprise Value, from Core Hadoop to BigInsights Basic Edition to BigInsights Enterprise Edition.)

BigInsights Basic Edition
• Free download with web support
• Limited to <= 10 TB of data
• (Optional: 24x7 paid support, Fixed Term License)

BigInsights Enterprise Edition
• Enterprise-grade features
• Tiered terabyte-based pricing

Easy installation and programming
• Analytics tooling / visualization
• Recoverability, security
• Administration tooling
• Development tooling
• Flexible storage
• High availability

Professional Services Offerings: QuickStart, Bootcamp, Education, Custom Development

Page 21: Big Data - Amplifying Security Intelligence


For IBM, Security and Business Intelligence offer insightful parallels

Page 22: Big Data - Amplifying Security Intelligence


Find out more about Security Intelligence with Big Data

• Visit the website
• Watch the video
• Read the white paper
• Develop a richer understanding of big data
  – Understanding Big Data eBook
  – Harness the Power of Big Data eBook
• Download some collateral
  – Security Intelligence white paper
  – QRadar SIEM data sheet
  – InfoSphere BigInsights data sheet

Page 23: Big Data - Amplifying Security Intelligence


ibm.com/security

© Copyright IBM Corporation 2012. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind, express or implied. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, these materials. Nothing contained in these materials is intended to, nor shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software. References in these materials to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates. Product release dates and/or capabilities referenced in these materials may change at any time at IBM’s sole discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any way. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service marks of others.

Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed or misappropriated or can result in damage to or misuse of your systems, including to attack others. No IT system or product should be considered completely secure and no single product or security measure can be completely effective in preventing improper access. IBM systems and products are designed to be part of a comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective. IBM DOES NOT WARRANT THAT SYSTEMS AND PRODUCTS ARE IMMUNE FROM THE MALICIOUS OR ILLEGAL CONDUCT OF ANY PARTY.