© 2013 IBM Corporation
IBM Security
© 2014 IBM Corporation
Security Intelligence
Implementing a Security Intelligence platform in SMEs
Fernando M. Imperiale
Security Advisor - Argentina
November 2015
What is Security Intelligence?
Security Intelligence: actionable information derived from the analysis of all the security data sources available to an organization.
Why is Security Intelligence essential?
Escalating Threats
• Increasingly sophisticated attack methods
• Disappearing perimeters
• Accelerating security breaches
(Spear Phishing, Persistence, Backdoors, Designer Malware)
Increasing Complexity
• Constantly changing infrastructure
• Too many products from multiple vendors; costly to configure and manage
• Inadequate antivirus products
Resource Constraints
• Struggling security teams
• Too much data with limited manpower and skills to manage it all
The security team sees noise
The fastest, most integrated and most automated way to achieve Security Intelligence:
IBM QRadar Security Intelligence Platform
• INTELLIGENCE: Correlation, analysis and massive data reduction
• INTEGRATION: Unified architecture delivered in a single console
• AUTOMATION: Driving simplicity and accelerating time-to-value
QRadar Product Portfolio
A Security Intelligence platform that enables security optimization through advanced threat detection, meets compliance and policy demands, and eliminates data silos.
Portfolio Overview
QRadar Log Manager
• Turnkey log management for SMB and Enterprises
• Upgradeable to enterprise SIEM
QRadar SIEM
• Integrated log, flow, threat and compliance management
• Asset profiling and flow analytics
• Offense management and workflow
Network Activity Collectors (QFlow)
• Network analytics, behavior and anomaly detection
• Layer 7 application monitoring
QRadar Risk Manager
• Predictive threat modeling & simulation
• Scalable configuration monitoring and audit
• Advanced threat and impact analysis
QRadar Vulnerability Manager
• Integrated Network Scanning & Workflow
• Leverage SIEM, Threat, Risk to prioritize vulnerabilities
QRadar Incident Forensics
• Reconstruct raw network packets to original format
• Determine root cause of security incidents and help prevent recurrences
Intelligence: Embedded intelligence to find true offenses
Extensive Data Sources
• Security devices
• Servers and mainframes
• Network and virtual activity
• Application activity
• Data activity
• Configuration information
• Vulnerabilities and threats
• Users and identities
• Global threat intelligence
Embedded Intelligence
• Automated data collection, asset discovery and profiling
• Automated, real-time, and integrated analytics
• Massive data reduction
• Activity baselining and anomaly detection
• Out-of-the-box rules and templates
Flow: Extensive Data Sources → Suspected Incidents → True Offenses (Automated Offense Identification)
Automated: simplicity and faster time to business value
• Discovers network components: proactive vulnerability scans, configuration comparisons, and policy compliance checks
• Simple deployment: automated configuration of log data sources and asset databases
• Updates automatically: stay current with the latest threats, vulnerabilities, and protocols
• Built-in rules and reports: reduce incident investigations and meet compliance mandates
SIEM / LM Virtual Appliance

Model | Initial Capacity | Capacity Increase¹
--- | --- | ---
SIEM All-in-1 Virtual Appliance 3190 | 100 EPS, 15K Flows | 100 EPS incremental increase to 500, then to 1,000, and then to 2500 or 5000 EPS; flow increase to 25K, 50K, 100K, 200K Flows
SIEM Console Virtual Appliance 3190 | Not applicable | Not applicable
SIEM Event Processor Virtual Appliance 1690 | 100 EPS | 100 EPS incremental increase to 500, then to 1,000, 2500, and then 2500 EPS incremental increase, up to 10,000 EPS
SIEM Flow Processor Virtual Appliance 1790 | 15K Flows | Flow increase to 25K, 50K, then 100K Flow incremental increase, up to 600K Flows
SIEM Event Collector Virtual Appliance 1590 | Not applicable | Not applicable
SIEM QFlow Collector Virtual Appliance 1290 | Not applicable | Not applicable
SIEM Data Node Virtual Appliance 1490⁴ | Not applicable | Not applicable
Log Manager All-in-1 Virtual Appliance 3190 | 100 EPS | 100 EPS incremental increase to 500, then to 1000, then to 2500 or 5000 EPS
Log Manager Console Virtual Appliance 3190 | Not applicable | Not applicable
Log Manager Event Processor Virtual Appliance 1690 | 100 EPS | 100 EPS incremental increase to 500, then to 1,000, 2500, and then 2500 EPS incremental increase, up to 10,000 EPS
Questions?
Thank you!
Fernando M. Imperiale
Security Advisor - Argentina
November 2015

Editor's Notes

  1. Several years ago, we introduced the term “Security Intelligence” to describe the value organizations can gain from their security data. It’s a notion that’s similar to Business Intelligence, in that both initiatives can treat and analyze great volumes of data to great advantage for today’s businesses . . . Where Business Intelligence reaps benefits that help focus a company’s marketing and sales efforts, Security Intelligence allows highly focused security awareness and protection. They say imitation is the sincerest form of flattery, and our competition is flattering us, because the term Security Intelligence has really caught on! We’re also seeing this term being used more and more by customers, vendors, pundits and industry experts - but what’s interesting is that when they use it, there’s some haziness that they introduce into it, in terms of exactly what they’re talking about. To avoid confusion, we are explicitly stating our own definition. So here it is: Security Intelligence is actionable information derived from the analysis of all security-related data available to an organization. So . . . We’re talking about data . . . What data exactly is it that we’re talking about? It’s typically volumes and volumes of data, and there’s a lot to it -- logs, events, network flows, user identities and activities, asset profiles and locations, vulnerabilities, asset configurations and external threat data. Data, data and more data. The good news? As you’ll see, IBM’s Security Intelligence platform was built from the start with this focus on handling tremendous amounts of data. It is well architected and can be scaled in a simple, straightforward manner to meet the needs of customers regardless of their size or the extremes of the data that needs analyzing. IBM’s Security Intelligence Platform provides analytics to answer fundamental questions that cover the full “before-during-and-after” timeline of risk and threat management.
You may still hear of customers who say they want a Security Operations Center or SOC. They may want tools to support a 24x7 center that has the absolute requirement to stay on top of the status of their operational environment and to understand and even anticipate attacks, breaches, penetrations, whatever . . . to allow the business to remediate any such problems and to do it efficiently. Well . . . think of IBM’s Security Intelligence QRadar offerings as a Security Operations Center on steroids . . . By the time I finish this presentation, you should have an appreciation for why I say that . . . But let’s start at the beginning . . . Let’s look at the challenges customers talk to us about, always with goals like protecting their operational environment and clearly understanding the status and the effectiveness of the IT security capabilities they have in place, at any given point in time.
  2. It’s great to be selling IT security . . . Because the need for useful and insightful tools is more pronounced now than ever before. And as a security seller, you benefit from the facts that threats are escalating, IT environments are growing in complexity and our customers’ security teams are pressured to deal with everything they need to deal with, in order to try to keep their operational environments safe. The escalating threats are reported on all the time . . . And these shocking stories become motivation for boards of directors to take security more and more seriously as a topic from year to year. We hear about these things daily . . . Attacks involving organized crime, espionage, hacktivists, social engineering . . . Just recently, there have been attacks on the international department store Target, attacks on governments, by governments . . . And this story is ever on the rise. As far as complexity goes, we understand that the growing complexity (mobile, cloud, social and beyond) only adds to the need for better protection. There are more areas where data needs to be protected, there are new technologies that need to be protected from new types of attacks . . . And on top of all of this we know there are resource constraints when it comes to IT Security . . . that there’s a gap between the level of needs that businesses have today for good security-skilled staff and the people who are available and able to fill those jobs. The bottom line really comes in the form of a question . . . How many businesses today can say that they are immune to all of this? Let’s face it . . . Everyone’s being attacked and no one is immune to the pressures being described on this chart.
  3. To protect against attacks, there are a good number of metrics that have been added to the systems, appliances and applications making up today’s computing environments. Metrics in the form of audit logs, alerts and events . . . And there’s a tremendous amount of information contained in all the flows that are bouncing around all the time. So, think about the volume of log records and events that get generated daily, in any reasonably sized IT shop today. Imagine you are the person in that IT shop who’s responsible for analyzing the incoming data and you’re measured on how well you understand the security status of that IT shop, how quickly you react to real problems versus the “noise” that predominates in the high number of inputs coming in. Do you really want that job? I mean, how do human beings deal with those kinds of volumes? We know, for example, that a top 5 energy company in the United States – a current QRadar customer of ours -- is generating more than 2 billion log records every day . . . Do you really want to be the manager or be in the department responsible for determining which of those bits of information flying by is really critical, which ones relate to one another and maybe form the basis for a major concern that your IT shop is under attack? It’s this kind of understanding that companies are striving for . . . That understanding is the security intelligence we talk about. But expecting a human being or a team of human beings to be able to do this manually is totally impractical. What’s needed is a tool that automates this analysis and can find not just the needles in the haystack, but can draw significant connections among the needles and evaluate them in terms of their danger to the business.
  4. That’s where QRadar comes into the picture. The 3 key theme words for QRadar as a Security Intelligence platform are Intelligence, Integration and Automation. Intelligence refers to QRadar being able to not only discern threats but to determine their impacts. QRadar takes in huge amounts of security data and identifies anomalies. It helps customers both after an exploit has occurred and beforehand . . . Proactively . . . to help them minimize the possibilities of exploits occurring and to help prevent serious damage from happening. QRadar is truly integrated, based on all the components of the solution having a common architecture. It helps customers bring together analytics that previously were in separate silos (and therefore were not able to be correlated). The QRadar “single pane of glass” brings it all together for the various admin, auditor and analyst users of QRadar. And the integrated architecture means QRadar is highly scalable . . . offering customers the flexibility and adaptability that today’s security operations centers require. Finally, automation refers to QRadar being a solution that has been architected to deal with large volumes of data . . . it’s easy to deploy, and it delivers immediate and obvious benefits when it’s initially deployed and over time, it can easily expand to meet future growth. And the automation that’s delivered with QRadar offers dramatic efficiencies in how quickly security administrators and analysts can accomplish their tasks.
  5. For security threat management the key challenge is to reduce millions of logs down to actionable intelligence that identifies key threats. Traditional first-generation SIEMs achieve this by leveraging correlation – so ‘five failed logins followed by a successful login’ as a simple example – and the correlation helps identify suspected security incidents. Event correlation is a very, very important tool, but it’s not enough. There are two problems. First, consider a 100,000 to 1 reduction ratio of events to correlated incidents. On the surface, this sounds impressive, but for companies generating 2 billion events per day (and you don’t need to be a massive company to do that), it will leave that company’s security team with 20,000 incidents per day to investigate. Traditional SIEM correlation can’t get the data reduced enough and of course Log Managers can’t even get a 10,000 to 1 reduction ratio. The second problem is that relying exclusively on event correlation assumes that the criminals who are intent on attacking your company won’t figure out ways to disable or bypass logging infrastructure – but let’s face it . . . that’s practically their entire focus and when they erase the logs, you’re in trouble . . . because you can’t correlate logs that aren’t there! This limitation results in missed threats or a very poor understanding of the impact of a breach. QRadar vastly expands the capabilities of traditional SIEMs by incorporating new analytics techniques and broader intelligence. Unlike any other SIEM in the market today, QRadar captures all activity on the network for assets, users and attackers before, during, and after an exploit . . . and it analyzes all suspected incidents in this context. QRadar uses analytical techniques such as activity baselining and anomaly detection. It notifies analysts about ‘offenses’ . . .
Where an “offense” is a correlated set of incidents with all of the essential, associated network, asset, vulnerability and identity context. By adding business and historical context to suspected incidents and applying new analytic techniques, massive data reduction is realized and threats otherwise missed will be detected. QRadar has an impressive list of over 400 data sources for log and audit data, and there are many examples of customers achieving results that are in line with what is portrayed on this slide . . . That is, volumes of data from many, many data sources that is reduced down to a reasonable number of true offense possibilities that can be focused on for investigation . . . the classic example being a Fortune 100 energy company in the U.S. that typically experiences more than 2 billion log records being generated each day, and with QRadar, they’re able instead to just take a look at QRadar’s display of roughly 25 high priority offenses. As anyone in security knows, any portfolio of security offerings is only as good as how current the research is that’s feeding into it. Consider that there are on average 7,000 vulnerabilities reported each year, which means there are many new ones every day. IBM differentiates its Security Intelligence capabilities by offering an X-Force Threat Intelligence feed that includes vulnerabilities, known bad URLs, histories of past attacks, etc. QRadar employs a number of threat and security sources to provide external security context and geographical context. This is integrated into all views and capabilities within the product. Sources include but are not limited to:
• IBM's X-Force Intelligence Threat Feed (via subscription), based on the real-time monitoring of 13 billion security events per day, on average, for nearly 4,000 clients in more than 130 countries.
• Geographic inputs from Maxmind.
• Top Targeted Ports, botnets, emerging threats, and other lists of botnets, hostile nets and so on.
These services are updated out to our customers through a free auto-update service. This update service also includes updates for event mappings, vulnerability mappings, applications mappings, new Device Support Modules and updates.
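The correlation rule quoted in note 5 ('five failed logins followed by a successful login') and the idea of folding rule hits into an "offense" that carries asset and identity context are easy to misread as a single counter. The script below is an added example written for this page; it is not code from the presentation and not QRadar's rule engine. It parses a constructed batch of authentication events (hostnames, users, IP addresses and the asset criticality table are all made up), fires the rule only when the failures fall inside a time window before the success, groups hits by source address into offenses, and ranks offenses by the criticality of the assets they touch. It also shows the reduction the note talks about: many events, a few rule hits, fewer offenses.

```python
"""Toy SIEM-style correlation: failed-logins-then-success -> ranked offenses."""
import re
from collections import defaultdict, deque
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed sample authentication events (syslog-like key=value lines).
# Source 10.0.0.5: alice = 5 fails then success (hit); erin = 5 fails, success
# 2.5 min later (outside the window, no hit). Source 203.0.113.7 hits two
# different hosts and users, so both hits fold into one offense.
SAMPLE_LOG = """\
2015-11-03T09:00:01 host=web01 user=alice src=10.0.0.5 result=FAIL
2015-11-03T09:00:03 host=web01 user=alice src=10.0.0.5 result=FAIL
2015-11-03T09:00:05 host=web01 user=alice src=10.0.0.5 result=FAIL
2015-11-03T09:00:07 host=web01 user=alice src=10.0.0.5 result=FAIL
2015-11-03T09:00:09 host=web01 user=alice src=10.0.0.5 result=FAIL
2015-11-03T09:00:12 host=web01 user=alice src=10.0.0.5 result=SUCCESS
2015-11-03T09:01:00 host=db01 user=bob src=10.0.0.9 result=FAIL
2015-11-03T09:01:30 host=db01 user=bob src=10.0.0.9 result=SUCCESS
2015-11-03T09:02:00 host=vpn01 user=carol src=203.0.113.7 result=FAIL
2015-11-03T09:02:01 host=vpn01 user=carol src=203.0.113.7 result=FAIL
2015-11-03T09:02:02 host=vpn01 user=carol src=203.0.113.7 result=FAIL
2015-11-03T09:02:03 host=vpn01 user=carol src=203.0.113.7 result=FAIL
2015-11-03T09:02:04 host=vpn01 user=carol src=203.0.113.7 result=FAIL
2015-11-03T09:02:05 host=vpn01 user=carol src=203.0.113.7 result=SUCCESS
2015-11-03T09:03:00 host=db01 user=dave src=203.0.113.7 result=FAIL
2015-11-03T09:03:01 host=db01 user=dave src=203.0.113.7 result=FAIL
2015-11-03T09:03:02 host=db01 user=dave src=203.0.113.7 result=FAIL
2015-11-03T09:03:03 host=db01 user=dave src=203.0.113.7 result=FAIL
2015-11-03T09:03:04 host=db01 user=dave src=203.0.113.7 result=FAIL
2015-11-03T09:03:05 host=db01 user=dave src=203.0.113.7 result=SUCCESS
2015-11-03T09:10:00 host=web01 user=erin src=10.0.0.5 result=FAIL
2015-11-03T09:10:02 host=web01 user=erin src=10.0.0.5 result=FAIL
2015-11-03T09:10:04 host=web01 user=erin src=10.0.0.5 result=FAIL
2015-11-03T09:10:06 host=web01 user=erin src=10.0.0.5 result=FAIL
2015-11-03T09:10:08 host=web01 user=erin src=10.0.0.5 result=FAIL
2015-11-03T09:12:30 host=web01 user=erin src=10.0.0.5 result=SUCCESS
"""

# Constructed asset context: business criticality per host (1 = lowest).
ASSET_CRITICALITY = {"web01": 3, "db01": 8, "vpn01": 6}

LINE_RE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) "
                     r"src=(?P<src>\S+) result=(?P<result>\S+)$")


@dataclass
class Event:
    ts: datetime
    host: str
    user: str
    src: str
    result: str


@dataclass
class RuleHit:
    rule: str
    src: str
    user: str
    host: str
    evidence: list  # the events that made the rule fire


@dataclass
class Offense:
    src: str
    hits: list = field(default_factory=list)

    def hosts(self):
        return sorted({h.host for h in self.hits})

    def users(self):
        return sorted({h.user for h in self.hits})

    def magnitude(self, criticality):
        # Simple scoring: sum the criticality of every asset a hit touched.
        return sum(criticality.get(h.host, 1) for h in self.hits)


def parse_events(text):
    """Normalise raw lines into Event objects; unparsable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            d = m.groupdict()
            events.append(Event(datetime.fromisoformat(d["ts"]), d["host"],
                                d["user"], d["src"], d["result"]))
    return events


def correlate_bruteforce_success(events, threshold=5, window=timedelta(seconds=60)):
    """Fire when >= threshold FAILs for (src, user) precede a SUCCESS within window."""
    recent_fails = defaultdict(deque)  # (src, user) -> FAIL events still in window
    hits = []
    for ev in sorted(events, key=lambda e: e.ts):
        q = recent_fails[(ev.src, ev.user)]
        while q and ev.ts - q[0].ts > window:  # expire stale failures
            q.popleft()
        if ev.result == "FAIL":
            q.append(ev)
        elif ev.result == "SUCCESS":
            if len(q) >= threshold:
                hits.append(RuleHit("brute_force_then_success", ev.src, ev.user,
                                    ev.host, list(q) + [ev]))
            q.clear()  # a success resets the sequence either way
    return hits


def build_offenses(hits):
    """Fold every rule hit from the same source address into one offense."""
    by_src = {}
    for h in hits:
        by_src.setdefault(h.src, Offense(h.src)).hits.append(h)
    return list(by_src.values())


def run(text=SAMPLE_LOG, criticality=ASSET_CRITICALITY):
    events = parse_events(text)
    hits = correlate_bruteforce_success(events)
    offenses = sorted(build_offenses(hits),
                      key=lambda o: o.magnitude(criticality), reverse=True)
    return events, hits, offenses


if __name__ == "__main__":
    events, hits, offenses = run()
    print(f"{len(events)} events -> {len(hits)} rule hits -> {len(offenses)} offenses")
    for o in offenses:
        print(f"src={o.src} magnitude={o.magnitude(ASSET_CRITICALITY)} "
              f"hosts={o.hosts()} users={o.users()}")
```

Two details carry the point of the note: the window check is what keeps erin's slow, spread-out failures from producing an incident, and grouping by source address is what turns two separate rule hits from 203.0.113.7 into a single offense whose magnitude reflects that it reached the database host. With only event counting and no context, an analyst would see three equal-weight alerts instead of one prioritised offense.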
  6. A lot of work has gone into making QRadar’s Security Intelligence tasks as automated as possible. When you add it up, it’s an impressive list. There’s simplified deployment that helps deliver quick time to value for customers . . . There’s “passive flow asset detection” populating QRadar’s asset database and allowing policy compliance checks and analysis of configurations to take place . . . There are out-of-the-box rules and reports that are a key part of QRadar. These have the goal of reducing incident investigations and helping customers meet compliance mandates. Customers appreciate the simplicity delivered by this well thought-through solution. Contrast this story we can tell with many of our competitors, where they are essentially selling toolkits and high-tech tools for high-tech people. The toolkit approach puts the onus on the customer to wring the value out of the provided tools by customizing them or paying significant sums of money to have them customized. Finally, QRadar’s Security Intelligence Platform stays current, through daily and weekly automated updates to rules, reports, vulnerabilities, patches, searches, support modules, protocols and signatures . . . and via immediate discovery: when an asset connects to the network, that triggers proactive vulnerability scans, configuration comparisons and policy compliance checks. Like the title of this slide says, this drives simplicity and accelerates time to value.
  7. Made available with 7.2 MR1: the Virtual Appliance’s maximum capacity was increased (to be close to the Appliance and Software editions). The managed entitlement process can be used to convert an All-in-One (AIO) to a Console and transfer EPS/Flows. Handle software trade-up requests by selling the SIEM Virtual Appliance and offering a deeper discount. Made available with 7.2.2: Data Node.