Reducing IT Costs and Improving Security with Purpose Built Network Appliances

DESCRIPTION

Track 2 c reducing it costs and improving security with purpose built network appliances - shannon de souza
Page 1: Reducing IT Costs and Improving Security with Purpose Built Network Appliances

© 2011 IBM Corporation

Managing Incidents with Intelligence

IBM Security Services

Essential Practice:

Stewart Cawthray
Chief Security Architect – GTS Security Services
IBM Canada Ltd.

October 2012
IBM Defense Summit – Ottawa

Page 2: Reducing IT Costs and Improving Security with Purpose Built Network Appliances

© 2012 IBM Corporation

IBM Security Services

2

IBM is well qualified to secure the enterprise

Map legend: Major Employee Sites, Customer Fulfillment, Manufacturing, Employee Service Centers, IBM Research Centers, IBM Internal Data Centers

• 2,000+ major sites
• 170+ countries
• 400,000+ employees
• Approx. 200,000+ contractors

One of the largest and most complex internal IT infrastructures in the world

• 1M+ traditional endpoints
• ~50% of employees are mobile

Page 3

IBM developed 10 essential practices required to achieve security intelligence

Maturity based approach (figure axes: Reactive to Proactive, Manual to Automated; maturity levels: Basic, Proficient, Optimized; goal: Security intelligence)

Essential Practices

1. Build a risk aware culture and management system
2. Manage security incidents with intelligence
3. Defend the mobile and social workplace
4. Secure services, by design
5. Automate security “hygiene”
6. Control network access and assure resilience
7. Address new complexity of cloud and virtualization
8. Manage third party security compliance
9. Secure data and protect privacy
10. Manage the identity lifecycle

Page 4

What problems are incidents causing, and how do they happen?

Page 5

Attacks are inevitable. Are you prepared? How well are they handled?

Source: IBM X-Force ® Research and Development

Page 6

A major security incident can significantly affect an organization’s data, business continuity and reputation

• In the event of a security breach, organizations need expert guidance to protect the availability of critical business systems, and to find and solve the root causes of the problem quickly.
• Attack vectors are most often well-known vulnerabilities that a unified incident identification and management process should already have addressed.
• These issues and their resulting impact would have been preventable had organizations brought on a knowledgeable security partner early on.

LinkedIn sued for $5 million over data breach

An Illinois woman has filed a $5 million lawsuit against LinkedIn Corp, saying the social network violated promises to consumers by not having better security in place when more than 6 million customer passwords were stolen

Source: Reuters, June 2012

Sony Pegs PSN Attack Costs at $170 Million

The Sony attacks in 2011 will cost it 14 billion yen ($170 million dollars) in increased customer support costs, welcome-back packages, legal fees, lower sales and measures to strengthen security, part of a $3.1B total loss in 2011.

Source: Forbes, May 2011

Business + Technology = Incident

Page 7

You can’t stop the attackers, but the majority of incidents can be easily avoided through proactive measures and intelligence

Figure: incident types feeding the Intelligence function: System compromise, Data leakage, Targeted attack, Breach, Denial of service, Application crash, System overload.

Page 8

Know thy self, know thy enemy. A thousand battles, a thousand victories.

• Security Intelligence is the gathering of information to identify and understand Threats, Risks and Opportunities.
• The data needed for actionable, quality intelligence is all around you.
• It is a good bet that what you don’t know is what your attackers will use against you.

Page 9

Security Intelligence

• Which of my systems is most vulnerable?
• What gets attacked the most?
• Are these targeted attacks, or automated attacks?
• Who is attacking me?
• Which department has the most security violations?
• Is my security awareness program effective?

Page 10

Intelligence examples

14:53:16 drop gw.foobar.com >eth0 product VPN-1 & Firewall-1 src xxx.xxx.146.12 s_port 2523 dst xxx.xxx.10.2 service ms-sql-m proto udp rule 49
Slammer Virus – Normal

14:55:20 accept gw.foobar.com >eth1 product VPN-1 & Firewall-1 src 10.5.5.1 s_port 4523 dst xxx.xxx.10.2 service http proto tcp xlatesrc xxx.xxx.146.12 rule 15
Code Red or Nimda Virus – Abnormal
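Turning the two records above into a verdict is exactly the "data into intelligence" step the deck is about. The following is an added example, not code from the slides or from IBM: a small Python parser for this VPN-1/FireWall-1 text-log layout and a triage rule that labels the ms-sql-m/udp probe dropped by rule 49 as normal (Slammer traffic stopped at the perimeter) and the accepted http connection as abnormal, because the address xxx.xxx.146.12 reappears behind address translation (xlatesrc) after having been dropped. The sample lines are constructed from the slide's own two records; the reading of ">" as traffic entering the gateway and the drop-then-accept correlation rule are this example's assumptions, not the deck's method.

```python
import re

# Constructed sample input: two records in the Check Point VPN-1/FireWall-1 text
# log style shown on the slide (the xxx.xxx.* addresses are the slide's own
# masked values and are handled here as opaque strings).
SAMPLE_LOG = """\
14:53:16 drop gw.foobar.com >eth0 product VPN-1 & Firewall-1 src xxx.xxx.146.12 s_port 2523 dst xxx.xxx.10.2 service ms-sql-m proto udp rule 49
14:55:20 accept gw.foobar.com >eth1 product VPN-1 & Firewall-1 src 10.5.5.1 s_port 4523 dst xxx.xxx.10.2 service http proto tcp xlatesrc xxx.xxx.146.12 rule 15
"""

# Fixed leading fields; everything after "product" is "<product name> <key value ...>".
HEADER = re.compile(
    r"^(?P<time>\S+)\s+(?P<action>\S+)\s+(?P<origin>\S+)\s+"
    r"(?P<direction>[<>])(?P<iface>\S+)\s+product\s+(?P<rest>.*)$"
)
KNOWN_KEYS = {"src", "s_port", "dst", "service", "proto", "xlatesrc", "rule"}

# Worm traffic a correctly configured perimeter should simply drop:
# Slammer propagated over UDP 1434, the SQL Server monitor port (ms-sql-m).
BLOCKED_WORM_PORTS = {("ms-sql-m", "udp"): "Slammer"}
# Worms that spread over ordinary HTTP, which the firewall accepts by policy.
HTTP_WORM_FAMILIES = "Code Red / Nimda"


def parse_record(line: str) -> dict:
    """Parse one firewall record into a flat dict; raise ValueError on malformed input."""
    m = HEADER.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised record: {line!r}")
    rec = m.groupdict()
    rest = rec.pop("rest")
    # The product name may contain spaces and '&'; it ends where the key list starts.
    idx = rest.find(" src ")
    if idx < 0:
        raise ValueError(f"no src field: {line!r}")
    rec["product"] = rest[:idx]
    tokens = rest[idx + 1:].split()
    if len(tokens) % 2:
        raise ValueError(f"odd key/value list: {line!r}")
    for key, value in zip(tokens[::2], tokens[1::2]):
        if key not in KNOWN_KEYS:
            raise ValueError(f"unknown key {key!r} in {line!r}")
        rec[key] = value
    # Assumption for this format: '>' marks traffic entering the gateway on that
    # interface and '<' traffic leaving it.
    rec["inbound"] = rec.pop("direction") == ">"
    return rec


def triage(lines: list) -> list:
    """Label each record normal/abnormal, correlating accepts against earlier drops."""
    dropped_sources = set()
    verdicts = []
    for line in lines:
        rec = parse_record(line)
        sig = BLOCKED_WORM_PORTS.get((rec["service"], rec["proto"]))
        if rec["action"] == "drop":
            dropped_sources.add(rec["src"])
            what = f"{sig} probe" if sig else "traffic"
            verdicts.append({"time": rec["time"], "label": "normal",
                             "reason": f"{what} from {rec['src']} blocked by rule {rec['rule']}"})
            continue
        # Accepted traffic is suspicious when an address already seen in a drop
        # reappears, directly or behind address translation (xlatesrc).
        seen = {rec["src"], rec.get("xlatesrc")} & dropped_sources
        if seen and rec["service"] == "http":
            verdicts.append({"time": rec["time"], "label": "abnormal",
                             "reason": f"http accepted by rule {rec['rule']} involving {sorted(seen)[0]}, "
                                       f"dropped earlier; matches {HTTP_WORM_FAMILIES} propagation pattern"})
        elif seen:
            verdicts.append({"time": rec["time"], "label": "abnormal",
                             "reason": f"{rec['service']} accepted involving previously dropped {sorted(seen)[0]}"})
        else:
            verdicts.append({"time": rec["time"], "label": "normal",
                             "reason": f"{rec['service']} accepted by rule {rec['rule']}"})
    return verdicts


def triage_text(log_text: str) -> list:
    """Convenience wrapper: triage a whole log file's text, skipping blank lines."""
    return triage([l for l in log_text.splitlines() if l.strip()])


if __name__ == "__main__":
    for v in triage_text(SAMPLE_LOG):
        print(f"{v['time']} {v['label']:8} {v['reason']}")
```

The point of the correlation is that neither record is alarming on its own: a dropped worm probe is the firewall doing its job, and an accepted http session is policy. The intelligence only appears when the two are joined on the address, which is why the parser keeps xlatesrc as a first-class field instead of discarding it.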

Page 11

Organizations face four major challenges in operations around incident management

Organizations typically lack:

• Unified, cross-company policy and process for incident response
• Actionable insight and information upon which to act
• Incident management and forensic analysis tooling for remote system capture and analysis
• Resources or skills to actively respond to and investigate security incidents

“Information is the new worldwide currency. Every piece of data is valuable to someone, somewhere, somehow”
(IDC, Worldwide and U.S. Security Services Threat Intelligence 2011-2014 Forecast)

Assumption #1: I am under attack right now.
Assumption #2: Attackers are already in.
Assumption #3: No endpoint device is secure.

Page 12

Sources of Security Intelligence

• Log Files
  – Network (firewalls, routers, etc.)
  – System (event logs, access logs, syslogs)
• Network
  – Netflows (IP statistics from device interfaces)
  – Activity (bandwidth, utilization)
  – Topography
• People
  – Help Desk calls/tickets
• Services
  – Commercial feeds (X-Force, Secunia, etc.)

Page 13

IBM helps organizations define a roadmap and implement solutions to address these challenges and reach an optimized state

Figure: maturity model (axes: reactive to proactive, manual to automated; levels: Basic, Proficient, Optimized; goal: Security Intelligence)

Page 14

What should be done to address these challenges?

Page 15

But I have logs… Turning data into intelligence.

Page 16

Which one of these steps should we take first?

1. Incident Response Program Development
2. Security Information & Event Management
3. Forensic Solution Implementation
4. Emergency response services with XFTAS

Figure labels: Strategic Approach, Tactical Approach

Page 17

IBM is a provider of end-to-end services both proactively and reactively, helping clients achieve proficiency and optimization

Challenge | Recommendation
Lack of unified incident response policy and process | Incident Response Program Development
Lack of resources or skills to respond to incidents | Emergency response services; X-Force Threat Analysis Service
Investment in forensic tools for automation and analysis | Forensic Solution Implementation
Need for actionable insight and intelligence | Security Information & Event Management (SIEM)

Figure labels: Basic, Proficient, Optimized

Page 18

Incident Response Program Development

When an incident occurs, businesses need the right process, tools, and resources to respond and minimize impact:

• Being prepared to minimize the impact of a security incident and to recover faster
• Protecting critical systems and data from downtime and/or information theft
• Analyzing the root cause of an incident and preventing its spread
• Restoring affected systems to normal operations
• Preventing similar incidents from causing future damage
• Meeting regulatory compliance requirements for incident response

Page 19

Incident Response Program Development – continued

• The Incident Response Plan is the foundation on which all incident response and recovery activities are based
  – It specifically defines the organization, roles and responsibilities of the Computer Security Incident Response Team (CSIRT)
  – It should have criteria to assist an organization in determining what is considered an incident versus an event
  – It defines escalation procedures to management, executive, legal, law enforcement, and media depending on incident conditions and severity
  – The plan and process should be fully tested via dry runs and incident mock tests
• A well-developed plan provides a framework for effectively responding to any number of potential security incidents

Page 20

Emergency response services

• Without the need for in-house expertise, the IBM emergency response subscription service can provide real-time, on-site support
  – Clients retain expert security consultants prior to an incident in order to better prepare, manage and respond; the subscription includes:
    • Incident response
    • Incident management
    • Basic data acquisition
    • In-depth data analysis
  – The subscription includes activities designed to manage incident response from an end-to-end perspective:
    • Prevention
    • Intelligence gathering
    • Containment
    • Eradication
    • Recovery
    • Compliance

Page 21

X-Force Threat Analysis Service (XFTAS)

• X-Force Threat Analysis Service provides customized security intelligence about a wide array of threats with global insight
  – Offers detailed analyses of global online threat conditions and includes:
    • Up-to-the-minute, customized security information about threats and vulnerabilities
    • Expert analysis and correlation of global security threats
    • Actionable data and recommendations that help clients maintain their network security

Page 22

Forensic Solution Implementation

Tool categories: DDoS Prevention, Malware / APT Defense, Forensics Analysis

Examples of tools that can be deployed to improve defense and automate the incident response and forensic analysis process

Page 23

Security Information & Event Management (SIEM)

Prediction & Prevention: Risk Management. Vulnerability Management. Configuration Monitoring. Patch Management. X-Force Research and Threat Intelligence. Compliance Management. Reporting and Scorecards.
Questions answered: What are the external and internal threats? Are we configured to protect against these threats?

Reaction & Remediation: SIEM. Log Management. Incident Response. Network and Host Intrusion Prevention. Network Anomaly Detection. Packet Forensics. Database Activity Monitoring. Data Loss Prevention.
Questions answered: What is happening right now? What was the impact?

Page 24

With great power comes great responsibility…

“A fool with a tool is still a fool”

• Security Intelligence still requires experienced, knowledgeable professionals
  – Understand the log data formats
  – Understand the risks presented by the gathered intelligence
  – Present the intelligence to decision makers
• Managed Security Intelligence
  – In house managed solutions
  – Outsourced managed solutions

Page 25

ibm.com/security

© Copyright IBM Corporation 2012. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind, express or implied. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, these materials. Nothing contained in these materials is intended to, nor shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software. References in these materials to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates. Product release dates and/or capabilities referenced in these materials may change at any time at IBM’s sole discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any way. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United

Page 26

Trademarks and notes

IBM Corporation 2012

• IBM, the IBM logo, the IBM Business Partner emblem, ibm.com, Rational, AppScan, smarter planet and X-Force are registered trademarks, and other company, product or service names may be trademarks or service marks of International Business Machines Corporation in the United States, other countries, or both. A current list of IBM trademarks is available on the Web at “Copyright and trademark information” at www.ibm.com/legal/copytrade.shtml
• Adobe, the Adobe logo, PostScript, the PostScript logo, Cell Broadband Engine, Intel, the Intel logo, Intel Inside, the Intel Inside logo, Intel Centrino, the Intel Centrino logo, Celeron, Intel Xeon, Intel SpeedStep, Itanium, IT Infrastructure Library, ITIL, Java and all Java-based trademarks, Linux, Microsoft, Windows, Windows NT, the Windows logo, and UNIX are trademarks or service marks of others as described under “Special attributions” at: http://www.ibm.com/legal/copytrade.shtml#section-special
• Other company, product and service names may be trademarks or service marks of others.
• References in this publication to IBM products or services do not imply that IBM intends to make them available in all countries in which IBM operates.

Page 27

Why IBM? Research and Operations

Map legend: IBM Research, Security Operations Centers, Security Research Centers, Security Solution Development Centers, Institute for Advanced Security Branches

• 10B analyzed Web pages & images
• 150M intrusion attempts daily
• 40M spam & phishing attacks
• 46K documented vulnerabilities
• Millions of unique malware samples

• 20,000+ devices under contract
• 3,300 GTS service delivery experts
• 3,700+ MSS clients worldwide
• 15B+ events managed per day
• 1,000+ security patents

World Wide Managed Security Services Coverage