Security Intelligence: Finding and Stopping Attackers with Big Data Analytics

Editor's Notes

1. We are in an era of continuous breaches, where reported attacks continue to increase In 2011, IBM X-Force declared, somewhat prematurely it would appear, the Year of the Security Breach. It has only gotten worse since. 2012 was a record year for reported data breaches and security incidents, with a 40 percent increase in total volume over 2011. In 2013, security incidents surpassed the total number reported in 2012, and their effects on the organizations involved was more troubling. 2014 kicked off with a number of high profile sophisticated attacks on major websites, media, and tech companies. A new security reality is here, where… Sophisticated attackers break through conventional safeguards every day. Organized criminals, hacktivists, governments and adversaries are compelled by financial gain, politics and notoriety to attack your most valuable assets. Their operations are well-funded and business-like ‒ attackers patiently evaluate targets based on potential effort and reward. Their methods are extremely targeted ‒ they use social media and other entry points to track down people with access, take advantage of trust, and exploit them as vulnerabilities. Meanwhile, negligent employees inadvertently put the business at risk via human error. Even worse, security investments of the past fail to protect against these new classes of attacks. The result is more severe security breaches more often. 61% of organizations say data theft and cybercrime are the greatest threats to their reputation (2012 Global Reputational Risk & IT Study, IBM). And the costs are staggering. By one estimate, the average cost of a breach is over $3.5 million (2014 Cost of a Data Breach Study, Ponemon Institute)
2. Yesterday’s practices are simply not working, and the costs are staggering. By one estimate, the average cost of a breach is over $3.5 million (2014 Cost of a Data Breach Study, Ponemon Institute). Up to now, organizations have responded to security concerns by deploying a new tool to address each new risk. Now they have to install, configure, manage, patch, upgrade, and pay for dozens of non-integrated solutions with limited views of the landscape. Costly and complex, these fragmented security capabilities do not provide the visibility and coordination needed to stop today’s sophisticated attacks. Moreover, the skills and expertise needed to keep up with a constant stream of new threats is not always available.
3. Because your business is a keystroke away from being in the headlines.   Criminals will not relent: Once you are a target, criminals will spend as much time trying to break into your enterprise as you do on your core business. If you do not have visibility, they will succeed. Every business is impacted: In the past, banks were the primary targets of cyber criminals. Today, diverse actors move with lightning speed to steal money, intellectual property, customer information, and state-secrets across all sectors. Your perimeter is breached, criminals are inside: Recent attacks demonstrate that victims were compromised for months before they discovered it. Assuming that you have been breached is today’s prudent security posture. Because this new era offers an opportunity to transform IT security.   Change will expand and accelerate: Cloud, Mobile, Social and Big Data are radically changing the business landscape. Adoption is accelerating as your business realizes the opportunity they present – the new era is here to stay. New innovations provide the opportunity to get it right: By building security in from the start, you have a chance to secure the new era of computing better than the old. Big Data, Social and Cloud will enable greater security: Now is the chance to embrace the new era of computing to modernize your security capability. Assess how your security team can use these disruptive forces to strengthen and streamline your security infrastructure. Because security leaders are held more accountable than ever before.   Your Board and CEO demand a strategy: After reading about recent breaches, business leaders are asking you for a plan. You need a strategy and roadmap that gets you to best-in-class. Security is now a business, not technology, initiative. Your team is blind to the business risk: With disparate IT security tools deployed and silos preventing visibility, your team is blindfolded and unable to develop an effective risk-based program for improvement. You cannot do this alone: Skills shortages and rapidly changing techniques mean you lack the staff and expertise to counter the threat at hand.
4. Companies need to change their approach to security and adopt…. INTELLIGENCE by using insights and analytics to build a smarter defense. INNOVATION to proactively implement and optimize security to innovate faster. INTEGRATION to develop an integrated approach to stay ahead of the threat.
5. INTELLIGENCE: Use insights and analytics to build a smarter defense.   Use intelligence and anomaly detection across every domain: Enable your security team to hunt for breaches by collecting security-relevant data from everywhere in the enterprise. Deploy security intelligence technologies that enable real-time analysis, fraud prevention and anomaly detection. Leverage external threat intelligence and expertise to augment your knowhow. Build an intelligence vault around your crown jewels: Discover and classify the crown-jewel assets of your organizations. Protect this data, these employees, or these transactions with intelligent controls. Monitor who is accessing that data and from where. Detect anomalies and unauthorized access. Look for subtle indicators of attack using deep security analytics.   Prepare your response for the inevitable: Staff an incident response team. Enable your team with a “hunter mentality” to think like an attacker. Construct a coordinated response plan using the right tools, information and skills to limit the impact of an inevitable breach. Know whom to call when you need help. managed services professionals, as well as advanced research capabilities, to help shore up skills gaps and understand complex threats.
6. Harness security-relevant information from across the organization. Use real-time big data analytics to provide context to help detect threats faster, identify vulnerabilities, prioritize risk, and automate compliance activities. For security threat management the key challenge is to reduce millions of logs to actionable intelligence that identify key threats. Traditional first Gen SIEMs achieve this by leveraging correlation – ‘five failed logins followed by a successful login’ for example – to identify suspected security incidents. Event correlation is a very, very important tool, but it’s not enough.  There are two problems. Firstly, consider a 100,000 to 1 reduction ratio of events to correlated incidents. On the surface, this sounds impressive, but for companies generating 2 billion events per day (and you don’t need to be a massive company to do that), it will leave that company’s security team with 20,000 incidents per day to investigate. Traditional SIM correlation can’t get the data reduced enough and of course Log Managers can’t even get a 10,000 to 1 reduction ratio. Secondly, an exclusive reliance on event correlation assumes that the criminals intent on attacking your company will not figure out ways to disable or bypass logging infrastructure – but that’s practically their entire focus and you can’t correlate logs that are not there!!! This limitation results in missed threats or a very poor understanding of the impact of a breach. QRadar vastly expands the capabilities of traditional SIEMs by incorporating new analytics techniques and broader intelligence. Unlike any other SIEM in the market today, QRadar captures all activity on the network for assets, users and attackers before, during, and after an exploit and analyzes all suspected incidents in this context. New analytical techniques like behavioral analysis are applied. QRadar notifies analysts about ‘offenses’ . . . Where an “offense” is a correlated set of incidents with all of the essential, associated network, asset, vulnerability and identity context. By adding business and historical context to suspected incidents and applying new analytic techniques, massive data reduction is realized and threats otherwise missed will be detected. IBM delivers real-time correlation and anomaly detection across a distributed and scalable repository of security information enable more accurate security monitoring and better visibility for any organization, small or large. QRadar SIEM excels at taking in massive amounts of enterprise-wide security data and using it’s advanced intelligence and analytics to build a prioritized list of incidents requiring immediate attention. Inside the Offenses tab, Security teams can simply right-click any of the entries within the dashboard to see any of the underlying event and flow data to start determining a remediation plan or determine the result was a false positive. With the arrival of QRadar Incident Forensics, there’s a new option for seeing even more supporting data extracted from the associated network packet data. This problems a new level of clarity to the incident and allows investigators to discover less obvious data connections and previously hidden relationships between multiple IDs. Using Internet search engine technology, QRadar Incident Forensics presents a simplified user interface accepting free-form text and Boolean logic operators. The search criteria can use any packet capture metadata, reconstructed file metadata or keywords that would reside within a document, email, chat session, etc. Results are normally returned in minutes if not seconds. QRadar Incident Forensics does to full packet capture data what QRadar SIEM does to event and flow data—it helps security teams discover the malicious or anomalous conditions really, really quickly.
7. Provide real-time indexing and search Up to 100 terabytes of uncompressed data and 20+ search threads per node Each Data Node instance is 100% dedicated to storage and search workload Scale new or existing deployments to meet even the most demanding data retention and search needs Virtually unlimited, dedicated and cost effective horizontal scalability for data retention, Data Nodes can easily support PBs worth of data
8. Vulnerability Protection: Reverse engineer and protect against 81K+ vulnerabilities IP Reputation: Categorize 800K+ suspect IP addresses including malware hosts, botnets, spam sources, and anonymous proxies Web Application Control: Identify and manage the capabilities of 2,000+ web and client applications (e.g., Gmail or Skype) URL / Web Filtering: Categorize information on 23 billion+ URLs in one of the world’s largest URL databases
9. A financial information provider hardens defenses against threats and fraud
10. 1. IBM QRadar Security Intelligence Analyze security-related data 2. IBM Big Data Platform (BigInsights, Streams, Netezza) Customized unstructured data analysis 3. IBM i2 Analyst Notebook Investigate fraud 4. IBM SPSS Capture, predict, discover trends
11. Maintain visibility and control of the Cloud: A leader in securing every stage of cloud adoption, from design to consume, with end-to-end solutions to harden workloads and monitor malicious activity to and from the cloud.   IBM Cloud Security Solutions     Secure transactions and access to the mobile enterprise: A leader in protecting every layer of the mobile enterprise, ensuring the highest levels of security across handsets, networks, applications, and the transactions in between.     IBM MobileFirst Security SolutionsIBM Trusteer Mobile Fraud SolutionsIBM Fiberlink Mobile Security Solutions   Adopt enterprise-class Security as a Service: A leader in providing security from the cloud leveraging the ease-of-deployment and crowd-sourced intelligence that SaaS offers.   IBM Cloud-based Security Services IBM Web Presence Protection ServiceIBM Trusteer Advanced Fraud Protection
12. IBMs solutions and services systematically integrates new and existing security solutions, third-party tools, and threat intelligence to deploy a systematic approach to automatically detect, notify, and respond to threats identified across security capabilities, domains, and stakeholders
13. INNOVATION: Proactively implement and optimize security to innovate faster.   Own the security agenda for innovation: Get smart now on how to secure Mobile, Cloud, Big Data and Social. Understand the strategic imperatives and work with the business to develop risk-based alternatives. Tap into experts to develop a roadmap and to deploy secure solutions. Embed security on day one: This new era is a chance to do it right. Engage early and mandate security in Cloud, Mobile, Social and Big Data initiatives. Use the latest technologies to make mobile devices more secure than laptops, cloud more secure than data centers, social more secure than email, and big data more secure than databases. Leverage Cloud, Mobile, Social and Big Data to improve security: Security as a service offers easy deployment and improved intelligence. Crowd-sourced threat intelligence provides the tips needed to stay ahead of cyber-attacks. Big data forensics tools enable faster breach detection and recovery. And data containers on BYOD devices secure business information no matter where it travels. skills gaps and understand complex threats.
14. IBM mobile security is provided by a wide range of powerful solutions, including Maas360, Worklight, IBM Security AppScan, IBM Security Access Manager and Trusteer. Robust security intelligence can be achieved by deploying the IBM QRadar Security Intelligence Platform.
15. Prepare your response for the inevitable: Staff an incident response team. Enable your team with a “hunter mentality” to think like an attacker. Construct a coordinated response plan using the right tools, information and skills to limit the impact of an inevitable breach. Know whom to call when you need help. Partnerships bring strength. Engage consulting and managed services professionals, as well as advanced research capabilities, to help shore up skills gaps and understand complex threats.
16. More data analyzed reduces the required incident investigations Look for automated big data security solutions Deploy integrated solutions to optimize your security investment and protect against advanced threats