© 2011 IBM Corporation
Essential Practice: Managing Incidents with Intelligence
IBM Security Services
Stewart Cawthray, Chief Security Architect – GTS Security Services, IBM Canada Ltd.
October 2012, IBM Defense Summit – Ottawa
IBM is well qualified to secure the enterprise
(Map: IBM major employee sites, customer fulfillment, manufacturing, employee service centers, research centers and internal data centers worldwide)
• 2,000+ major sites
• 170+ countries
• 400,000+ employees
• Approx. 200,000+ contractors
One of the largest and most complex internal IT infrastructures in the world
• 1M+ traditional endpoints
• ~50% of employees are mobile
IBM developed 10 essential practices required to achieve security intelligence
(Chart: maturity-based approach, from reactive and manual to proactive and automated, through the levels Basic, Proficient and Optimized; security intelligence sits at the optimized end)
Essential Practices:
1. Build a risk aware culture and management system
2. Manage security incidents with intelligence
3. Defend the mobile and social workplace
4. Secure services, by design
5. Automate security “hygiene”
6. Control network access and assure resilience
7. Address new complexity of cloud and virtualization
8. Manage third party security compliance
9. Secure data and protect privacy
10. Manage the identity lifecycle
What problems are incidents causing and how do they happen?
Attacks are inevitable. Are you prepared? How well are they handled?
Source: IBM X-Force ® Research and Development
A major security incident can significantly affect an organization’s data, business continuity and reputation
• In the event of a security breach, organizations need expert guidance to protect the availability of critical business systems and to find and fix the root causes of the problem quickly.
• The attack vectors are most often well-known vulnerabilities that a unified incident identification and management process would have surfaced and addressed.
• These incidents and their impact were preventable had the organizations brought in a knowledgeable security partner early on.
LinkedIn sued for $5 million over data breach
An Illinois woman has filed a $5 million lawsuit against LinkedIn Corp, saying the social network violated promises to consumers by not having better security in place when more than 6 million customer passwords were stolen
Source: Reuters, June 2012
Sony Pegs PSN Attack Costs at $170 Million
The Sony attacks in 2011 will cost it 14 billion yen ($170 million dollars) in increased customer support costs, welcome-back packages, legal fees, lower sales and measures to strengthen security, part of a $3.1B total loss in 2011.
Source: Forbes, May 2011
Business + Technology = Incident
You can’t stop the attackers, but the majority of incidents can be avoided through proactive measures and intelligence
(Diagram: incident types such as system compromise, data leakage, targeted attack, breach, denial of service, application crash and system overload, each handled as an incident, with intelligence feeding the response)
Know thyself, know thy enemy. A thousand battles, a thousand victories.
• Security Intelligence is the gathering of information to identify and understand threats, risks and opportunities.
• The data needed for actionable, quality intelligence is all around you.
• It is a good bet that what you don’t know is what your attackers will use against you.
Security Intelligence
• Which of my systems is most vulnerable?
• What gets attacked the most?
• Are these targeted attacks, or automated attacks?
• Who is attacking me?
• Which department has the most security violations?
• Is my security awareness program effective?
Intelligence examples
Two firewall log lines (Check Point VPN-1/Firewall-1 text export format, addresses masked):

14:53:16 drop gw.foobar.com >eth0 product VPN-1 & Firewall-1 src xxx.xxx.146.12 s_port 2523 dst xxx.xxx.10.2 service ms-sql-m proto udp rule 49
14:55:20 accept gw.foobar.com >eth1 product VPN-1 & Firewall-1 src 10.5.5.1 s_port 4523 dst xxx.xxx.10.2 service http proto tcp xlatesrc xxx.xxx.146.12 rule 15

Abnormal: the first line is a UDP datagram to ms-sql-m (1434/udp), the propagation port of Slammer; the packet was dropped, but the line still tells you which source is infected.
Normal: the second line is an accepted HTTP connection. Code Red or Nimda traffic looks the same at this layer (TCP/80), so separating the two needs more context than a single accept record.
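The two log lines above are the whole of what the slide shows. As an added example that is not part of the original deck, the Python below parses lines in that Check Point text format and applies the two checks the annotations imply: a signature for Slammer (any UDP datagram to ms-sql-m, 1434/udp, whatever the firewall's verdict) and a behavioural check for HTTP worms such as Code Red and Nimda, which look like ordinary web traffic per packet and are only visible when one source opens TCP/80 to many hosts in a short window. The sample log lines, addresses, thresholds and rule names are constructed for the example.

```python
import re
from collections import defaultdict

# Added example, not from the slide deck. It parses firewall log lines in the
# Check Point VPN-1/Firewall-1 text format and applies two detections: a
# signature for Slammer (UDP to ms-sql-m, 1434/udp) and a behavioural rule for
# HTTP worms such as Code Red and Nimda (one source opening TCP/80 to many hosts).

LINE_RE = re.compile(
    r"^(?P<time>\d\d:\d\d:\d\d) (?P<action>\w+) (?P<gw>\S+) >(?P<iface>\S+) "
    r"product (?P<product>.+?) src (?P<src>\S+) s_port (?P<sport>\d+) "
    r"dst (?P<dst>\S+) service (?P<service>\S+) proto (?P<proto>\w+)"
    r"(?: xlatesrc (?P<xlatesrc>\S+))? rule (?P<rule>\d+)$"
)

# Service names/ports as they appear in the "service" field.
SLAMMER_SERVICES = {"ms-sql-m", "1434"}   # Slammer's single propagation port
WEB_SERVICES = {"http", "80"}             # Code Red / Nimda propagation port

# Constructed sample log (not real traffic). Addresses are RFC 5737 documentation
# ranges; the two lines from the slide are reproduced with the masking replaced.
SAMPLE_LINES = [
    "14:53:16 drop gw.foobar.com >eth0 product VPN-1 & Firewall-1 src 198.51.100.12 s_port 2523 dst 203.0.113.2 service ms-sql-m proto udp rule 49",
    "14:53:17 drop gw.foobar.com >eth0 product VPN-1 & Firewall-1 src 198.51.100.12 s_port 2523 dst 203.0.113.3 service ms-sql-m proto udp rule 49",
    "14:55:20 accept gw.foobar.com >eth1 product VPN-1 & Firewall-1 src 10.5.5.1 s_port 4523 dst 203.0.113.2 service http proto tcp xlatesrc 198.51.100.12 rule 15",
] + [
    # one external host touching twelve web servers within three seconds
    f"14:55:{21 + i // 4} accept gw.foobar.com >eth0 product VPN-1 & Firewall-1 "
    f"src 198.51.100.77 s_port {1030 + i} dst 203.0.113.{2 + i} service http proto tcp rule 15"
    for i in range(12)
]


def to_seconds(hhmmss):
    h, m, s = (int(x) for x in hhmmss.split(":"))
    return h * 3600 + m * 60 + s


def parse(lines):
    """One dict per parseable line; unparseable lines are skipped (count them in production)."""
    events = []
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if m:
            ev = m.groupdict()
            ev["sport"] = int(ev["sport"])
            ev["rule"] = int(ev["rule"])
            events.append(ev)
    return events


def detect(events, scan_threshold=10, window_seconds=60):
    """Return (rule, source, detail) tuples for the two checks."""
    findings = []
    # Signature rule: any datagram to 1434/udp, accepted or dropped, names an infected source.
    for ev in events:
        if ev["proto"] == "udp" and ev["service"] in SLAMMER_SERVICES:
            findings.append(("slammer-probe", ev["src"], f"{ev['action']} -> {ev['dst']}"))
    # Behavioural rule: per packet HTTP looks normal, so count distinct TCP/80 targets
    # per source inside a sliding window. The pre-NAT src is used so that an infected
    # internal host is named, not the firewall's hide address.
    per_src = defaultdict(list)
    for ev in events:
        if ev["proto"] == "tcp" and ev["service"] in WEB_SERVICES:
            per_src[ev["src"]].append((to_seconds(ev["time"]), ev["dst"]))
    for src, hits in per_src.items():
        hits.sort()
        for i, (t0, _) in enumerate(hits):
            targets = {dst for t, dst in hits[i:] if t - t0 <= window_seconds}
            if len(targets) >= scan_threshold:
                findings.append(("http-scan", src, f"{len(targets)} distinct web servers in {window_seconds}s"))
                break
    return findings


def run_demo():
    return detect(parse(SAMPLE_LINES))


if __name__ == "__main__":
    for rule, src, detail in run_demo():
        print(f"{rule:14} {src:16} {detail}")
```

On the constructed input the signature rule names 198.51.100.12 twice and the behavioural rule names 198.51.100.77 once; the NAT'd internal host 10.5.5.1, with a single accepted HTTP connection, is not flagged. The threshold and window are the tuning knobs a real deployment has to set against its own baseline of legitimate crawlers and monitoring systems.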
Organizations face four major challenges in operations around incident management
Organizations typically lack:
• A unified, cross-company policy and process for incident response
• Actionable insight and information upon which to act
• Incident management and forensic analysis tooling for remote system capture and analysis
• Resources or skills to actively respond to and investigate security incidents
Assumption #1: I am under attack right now.
Assumption #2: Attackers are already in.
Assumption #3: No endpoint device is secure.
“Information is the new worldwide currency. Every piece of data is valuable to someone, somewhere, somehow” (IDC, Worldwide and U.S. Security Services Threat Intelligence 2011-2014 Forecast)
Sources of Security Intelligence
• Log files
– Network (firewalls, routers, etc.)
– System (event logs, access logs, syslogs)
• Network
– NetFlow records (IP statistics from device interfaces)
– Activity (bandwidth, utilization)
– Topology
• People
– Help desk calls/tickets
• Services
– Commercial feeds (X-Force, Secunia, etc.)
IBM helps organizations define a roadmap and implement solutions to address these challenges and reach an optimized state
(Chart: the same maturity model, from reactive and manual to proactive and automated, through Basic, Proficient and Optimized, with security intelligence at the optimized end)
What should be done to address these challenges?
But I have logs… Turning data into intelligence.
Which one of these steps should we take first?
1. Incident Response Program Development
2. Security Information & Event Management
3. Forensic Solution Implementation
4. Emergency response services with XFTAS
(Steps 1 through 4 run from a strategic approach to a tactical approach)
IBM is a provider of end-to-end services both proactively and reactively, helping clients achieve proficiency and optimization
Challenge → Recommendation (rows arranged along the maturity axis: Basic → Proficient → Optimized)
Lack of unified incident response policy and process → Incident Response Program Development
Lack of resources or skills to respond to incidents → Emergency response services; X-Force Threat Analysis Service
Investment in forensic tools for automation and analysis → Forensic Solution Implementation
Need for actionable insight and intelligence → Security Information & Event Management (SIEM)
Incident Response Program Development
When an incident occurs, businesses need the right process, tools, and resources to respond and minimize impact:
• Being prepared to minimize the impact of a security incident and to recover faster
• Protecting critical systems and data from downtime and/or information theft
• Analyzing the root cause of an incident and preventing its spread
• Restoring affected systems to normal operations
• Preventing similar incidents from causing future damage
• Meeting regulatory compliance requirements for incident response
Incident Response Program Development – continued
• The Incident Response Plan is the foundation on which all incident response and recovery activities are based
– It specifically defines the organization, roles and responsibilities of the Computer Security Incident Response Team (CSIRT)
– It should include criteria that help an organization determine what is considered an incident versus an event
– It defines escalation procedures to management, executives, legal, law enforcement, and media depending on incident conditions and severity
– The plan and process should be fully tested via dry runs and incident mock tests
• A well-developed plan provides a framework for effectively responding to any number of potential security incidents
Emergency response services
• Without requiring in-house expertise, the IBM emergency response subscription service can provide real-time, on-site support
– Clients retain expert security consultants prior to an incident in order to better prepare for, manage and respond to it; the subscription includes:
  • Incident response
  • Incident management
  • Basic data acquisition
  • In-depth data analysis
– The subscription includes activities designed to manage incident response from an end-to-end perspective:
  • Prevention
  • Intelligence gathering
  • Containment
  • Eradication
  • Recovery
  • Compliance
X-Force Threat Analysis Service (XFTAS)
• X-Force Threat Analysis Service provides customized security intelligence about a wide array of threats with global insight
– Offers detailed analyses of global online threat conditions and includes:
  • Up-to-the-minute, customized security information about threats and vulnerabilities
  • Expert analysis and correlation of global security threats
  • Actionable data and recommendations that help clients maintain their network security
Forensic Solution Implementation
Examples of tools that can be deployed to improve defense and automate the incident response and forensic analysis process: DDoS prevention, malware / APT defense, forensics analysis
Security Information & Event Management (SIEM)
Prediction & Prevention: Risk Management. Vulnerability Management. Configuration Monitoring. Patch Management. X-Force Research and Threat Intelligence. Compliance Management. Reporting and Scorecards.
– What are the external and internal threats?
– Are we configured to protect against these threats?
Reaction & Remediation: SIEM. Log Management. Incident Response. Network and Host Intrusion Prevention. Network Anomaly Detection. Packet Forensics. Database Activity Monitoring. Data Loss Prevention.
– What is happening right now?
– What was the impact?
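A SIEM turns the raw log sources listed earlier into intelligence by normalising events from many hosts into one schema and then correlating them across hosts and time, which is what the "What is happening right now?" question asks for. The following is an added example, not IBM code and not any product's rule language: it normalises constructed sshd syslog lines and runs one stateful correlation rule, a brute-force threshold inside a sliding window that is escalated to a high-severity alert when the same source then logs in successfully. Hostnames, addresses, thresholds and rule names are assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Added example, not IBM's code or any product's rule language. It normalises
# sshd syslog lines into events and runs a stateful correlation rule of the kind
# a SIEM evaluates: many failed logins from one source inside a time window
# (brute force), escalated when the same source then logs in successfully.

AUTH_RE = re.compile(
    r"^(?P<ts>\w{3} {1,2}\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+ ssh2$"
)

# Constructed sample log (not a real capture); addresses are RFC 5737 ranges.
SAMPLE_AUTH_LOG = """\
Oct 14 03:12:01 web01 sshd[2311]: Failed password for invalid user admin from 198.51.100.9 port 51022 ssh2
Oct 14 03:12:04 web01 sshd[2314]: Failed password for root from 198.51.100.9 port 51023 ssh2
Oct 14 03:12:09 web02 sshd[1180]: Failed password for invalid user admin from 198.51.100.9 port 51030 ssh2
Oct 14 03:12:15 web02 sshd[1183]: Failed password for invalid user oracle from 198.51.100.9 port 51031 ssh2
Oct 14 03:12:22 web01 sshd[2320]: Failed password for deploy from 198.51.100.9 port 51040 ssh2
Oct 14 03:12:40 web02 sshd[1190]: Failed password for deploy from 198.51.100.9 port 51041 ssh2
Oct 14 03:13:05 web02 sshd[1195]: Accepted password for deploy from 198.51.100.9 port 51100 ssh2
Oct 14 03:20:00 web01 sshd[2400]: Failed password for alice from 192.0.2.44 port 40010 ssh2
Oct 14 03:20:09 web01 sshd[2401]: Accepted password for alice from 192.0.2.44 port 40011 ssh2
Oct 14 03:30:00 web03 sshd[900]: Failed password for root from 203.0.113.200 port 60000 ssh2
Oct 14 03:30:07 web03 sshd[901]: Failed password for root from 203.0.113.200 port 60001 ssh2
Oct 14 03:30:14 web03 sshd[902]: Failed password for root from 203.0.113.200 port 60002 ssh2
Oct 14 03:30:21 web03 sshd[903]: Failed password for root from 203.0.113.200 port 60003 ssh2
Oct 14 03:30:28 web03 sshd[904]: Failed password for root from 203.0.113.200 port 60004 ssh2
"""


def parse_auth(text):
    """Normalise raw syslog lines into event dicts with a real timestamp."""
    events = []
    for line in text.splitlines():
        m = AUTH_RE.match(line)
        if not m:
            continue  # a SIEM counts unparsed lines: silent drops become blind spots
        ev = m.groupdict()
        # syslog timestamps carry no year; adequate for deltas within one rule run
        ev["ts"] = datetime.strptime(ev["ts"], "%b %d %H:%M:%S")
        events.append(ev)
    return events


def correlate(events, threshold=5, window=timedelta(minutes=10)):
    """Sliding-window brute-force rule, escalated on a subsequent success from the same source."""
    alerts = []
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev["src"]].append(ev)
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        recent = []            # failures still inside the sliding window
        attempt_fired = False  # fire the medium alert once per burst, not per extra failure
        for ev in evs:
            recent = [f for f in recent if ev["ts"] - f["ts"] <= window]
            if ev["outcome"] == "Failed":
                recent.append(ev)
                if len(recent) >= threshold and not attempt_fired:
                    alerts.append({"rule": "ssh-brute-force", "severity": "medium", "src": src,
                                   "failures": len(recent),
                                   "hosts": sorted({f["host"] for f in recent})})
                    attempt_fired = True
            else:
                # a success preceded by a burst of failures is the case worth waking someone for
                if len(recent) >= threshold:
                    alerts.append({"rule": "ssh-brute-force-then-success", "severity": "high",
                                   "src": src, "user": ev["user"], "host": ev["host"],
                                   "failures": len(recent)})
                recent = []    # a login closes the sequence; a later burst starts a new one
                attempt_fired = False
    return alerts


def run_demo():
    return correlate(parse_auth(SAMPLE_AUTH_LOG))


if __name__ == "__main__":
    for a in run_demo():
        print(a)
```

On the constructed input the rule produces three alerts: a medium alert for 198.51.100.9 when its fifth failure lands (spread across web01 and web02, which no single host's log would show), a high alert when that same source then authenticates as deploy on web02, and a medium alert for 203.0.113.200, which never succeeds. The user alice, who mistypes a password once and then logs in, produces nothing. The cross-host grouping and the per-source sequence state are exactly what a pile of per-host log files does not give you.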
With great power comes great responsibility…
“A fool with a tool is still a fool”
• Security Intelligence still requires experienced, knowledgeable professionals who
– Understand the log data formats
– Understand the risks presented by the gathered intelligence
– Present the intelligence to decision makers
• Managed Security Intelligence
– In-house managed solutions
– Outsourced managed solutions
ibm.com/security
© Copyright IBM Corporation 2012. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind, express or implied. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, these materials. Nothing contained in these materials is intended to, nor shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software. References in these materials to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates. Product release dates and/or capabilities referenced in these materials may change at any time at IBM’s sole discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any way. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United
Trademarks and notes
IBM Corporation 2012
• IBM, the IBM logo, the IBM Business Partner emblem, ibm.com, Rational, AppScan, smarter planet and X-Force are registered trademarks, and other company, product or service names may be trademarks or service marks of International Business Machines Corporation in the United States, other countries, or both. A current list of IBM trademarks is available on the Web at “Copyright and trademark information” at www.ibm.com/legal/copytrade.shtml
• Adobe, the Adobe logo, PostScript, the PostScript logo, Cell Broadband Engine, Intel, the Intel logo, Intel Inside, the Intel Inside logo, Intel Centrino, the Intel Centrino logo, Celeron, Intel Xeon, Intel SpeedStep, Itanium, IT Infrastructure Library, ITIL, Java and all Java-based trademarks, Linux, Microsoft, Windows, Windows NT, the Windows logo, and UNIX are trademarks or service marks of others as described under “Special attributions” at: http://www.ibm.com/legal/copytrade.shtml#section-special
• Other company, product and service names may be trademarks or service marks of others.
• References in this publication to IBM products or services do not imply that IBM intends to make them available in all countries in which IBM operates.
Why IBM? Research and Operations
(Map: IBM Research, Security Operations Centers, Security Research Centers, Security Solution Development Centers and Institute for Advanced Security branches; worldwide Managed Security Services coverage)
• 10B analyzed Web pages & images
• 150M intrusion attempts daily
• 40M spam & phishing attacks
• 46K documented vulnerabilities
• Millions of unique malware samples
• 20,000+ devices under contract
• 3,300 GTS service delivery experts
• 3,700+ MSS clients worldwide
• 15B+ events managed per day
• 1,000+ security patents