[Figure: bubble chart of security incidents by attack type, plotted by month (Jan–Dec). Attack types shown: SQL Injection, URL Tampering, Spear Phishing, 3rd Party Software, DDoS, SecureID, Trojan Software, Unknown. Each incident is labelled with the victim's industry (Gaming, Government, Police, Defense, Banking, Consumer Electronics, IT Security, Consulting, Insurance, Agriculture, Apparel, Marketing Services, Internet Services, Entertainment, Telecommunications, Heavy Industry, Online Services). Size of circle estimates relative impact of breach in terms of cost to business.]
Customer Challenges
Detecting threats
Arm yourself with comprehensive security intelligence
10 © 2013 IBM Corporation
IBM Security Systems
Network Activity & Anomaly Detection
• Network analytics
• Behavioral anomaly detection
• Fully integrated in SIEM
Was it successful?
Who was responsible?
Where do I find them?
How many targets involved?
How valuable are the targets to the business?
Potential Botnet Detected?
This is as far as traditional SIEM can go.
IRC on port 80? IBM Security QRadar QFlow detects a covert channel.
Irrefutable Botnet Communication: Layer 7 flow data contains botnet command control instructions.
Application layer flow analysis can detect threats others miss.
Who? An internal user
What? Oracle data
Where? Gmail
PCI compliance at risk?
Real-time detection of possible violation
Unencrypted Traffic
IBM Security QRadar QFlow saw a cleartext service running on the Accounting server.
PCI Requirement 4 states: Encrypt transmission of cardholder data across open, public networks.
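As an added illustration of what application-layer flow analysis does (this is example code written for this page, not part of the original deck and not QFlow's own logic): the script below identifies the application from the payload content instead of trusting the destination port, so IRC traffic carried on port 80, as on the covert-channel slide above, is reported as a mismatch, and a cleartext service that touches a host in the cardholder data environment is reported against PCI Requirement 4. The flow records, the payload signatures, the port-to-protocol expectations and the cardholder host address are all constructed assumptions.

```python
import re
from dataclasses import dataclass


# Constructed flow record, a stand-in for layer 7 flow data (not QFlow's format).
@dataclass
class Flow:
    src: str
    dst: str
    dst_port: int
    payload: bytes  # first application-layer bytes seen in either direction


# Simplified application-layer signatures (assumed heuristics, not QFlow's).
HTTP_RE = re.compile(rb"^(GET|POST|HEAD|PUT|DELETE|OPTIONS) \S+ HTTP/1\.[01]\r\n")
IRC_RE = re.compile(rb"^(NICK|USER|JOIN|PRIVMSG|PING|PONG|PASS) [^\r\n]*\r\n", re.M)
FTP_RE = re.compile(rb"^(220 |USER |PASS |STOR |RETR )")

# Protocol normally expected on a port; a mismatch is a candidate covert channel.
EXPECTED_BY_PORT = {21: "ftp", 80: "http", 443: "tls", 6667: "irc"}
CLEARTEXT_APPS = {"http", "ftp", "irc"}
# Constructed: hosts in the cardholder data environment (the "Accounting server").
CARDHOLDER_HOSTS = {"10.0.5.20"}


def identify_app(payload: bytes) -> str:
    """Identify the application from payload content, ignoring the port."""
    if payload[:3] in (b"\x16\x03\x01", b"\x16\x03\x02", b"\x16\x03\x03"):
        return "tls"  # TLS handshake record header
    if HTTP_RE.match(payload):
        return "http"
    if IRC_RE.search(payload):
        return "irc"
    if FTP_RE.match(payload):
        return "ftp"
    return "unknown"


def analyze(flows):
    """Return (finding, flow, reason) tuples for port/protocol mismatches and
    cleartext traffic involving a cardholder host."""
    findings = []
    for f in flows:
        app = identify_app(f.payload)
        expected = EXPECTED_BY_PORT.get(f.dst_port)
        if app != "unknown" and expected and app != expected:
            findings.append(("covert_channel", f,
                             f"{app} on port {f.dst_port} (expected {expected})"))
        if app in CLEARTEXT_APPS and (f.src in CARDHOLDER_HOSTS or f.dst in CARDHOLDER_HOSTS):
            findings.append(("pci_req4_cleartext", f,
                             f"cleartext {app} involving a cardholder host"))
    return findings


# Constructed sample flows: IRC hidden on port 80, ordinary HTTP, an FTP banner
# from the accounting server, and a TLS handshake to the same server.
SAMPLE_FLOWS = [
    Flow("10.0.1.15", "198.51.100.7", 80, b"NICK bot4471\r\nUSER bot 0 * :bot\r\nJOIN #cmd\r\n"),
    Flow("10.0.1.16", "198.51.100.8", 80, b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"),
    Flow("10.0.2.30", "10.0.5.20", 21, b"220 accounting FTP server ready\r\n"),
    Flow("10.0.2.31", "10.0.5.20", 443, b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03"),
]

if __name__ == "__main__":
    for kind, flow, reason in analyze(SAMPLE_FLOWS):
        print(f"{kind}: {flow.src} -> {flow.dst}:{flow.dst_port}  {reason}")
```

Running the script reports the first flow as a covert channel and the third as cleartext PCI traffic; the HTTP and TLS flows produce nothing. The point the slide makes is visible in `identify_app`: the port is never consulted there, only the bytes.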
Compliance Simplified
Out-of-the-box support for major compliance and regulatory standards
Automated reports, pre-defined correlation rules and dashboards
[Figure: QRadar data sources – Security Devices, Data Activity, Application Activity, Configuration Info, User Activity]
• Helps find threats other SIEMs might miss by combining Network Protection’s Protocol Analysis Module signature analysis and QRadar’s anomaly detection capabilities
• Enables immediate real-time threat awareness and powerful threat and offense prioritization capabilities to establish definitive evidence of attack and visibility into all attacker communications
• Integrates X-Force security content
• Outstanding coverage available within full SIEM solution or targeted Network Anomaly Detection offering
[Figure: Guardium Database Monitoring & Vulnerability Assessment feeding QRadar alongside User Activity and Security Devices – inputs: Guardium logs, Database Vulnerability; output: Identified Risk]
Enhanced data protection:
Correlation with database activity
– Collects and categorizes Guardium events for easy searching, reporting and correlation with other data
– Correlates database activity with QRadar network activity to detect anomalous and suspicious behavior. For example: an alert is issued when multiple failed logins to a database server are followed by a successful login and accessing of credit card tables, then followed by an FTP upload to a questionable external site.
Database vulnerability sharing
– Pulls database vulnerability data from Guardium into QRadar Asset Profiles to get more complete asset data for databases.
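The correlation example on this slide (failed logins, then a successful login, then credit card table access, then an FTP upload to an external site) can be written as a small stateful rule. The following Python is an added example for this page, not Guardium or QRadar code: the normalized event format, the failed-login threshold, the 30-minute window, the cardholder table names and the internal address ranges are assumptions, and the sample events are constructed.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network


# Constructed normalized event: a stand-in for Guardium database events and
# QRadar network flows after log-source parsing. Not a real QRadar schema.
@dataclass
class Event:
    ts: datetime
    src_ip: str   # host that acted against the database or originated the flow
    kind: str     # db_login_failed | db_login_ok | db_query | flow
    detail: dict = field(default_factory=dict)


FAILED_LOGIN_THRESHOLD = 3                       # assumed tunable
WINDOW = timedelta(minutes=30)                   # the whole sequence must fit in this window
CARD_TABLES = {"CREDIT_CARDS", "CARD_NUMBERS"}   # constructed cardholder table names
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_external(ip: str) -> bool:
    """True when the address lies outside the assumed internal ranges."""
    addr = ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def _fresh():
    return {"failed": [], "stage": 0, "since": None, "user": None, "table": None}


def correlate(events):
    """Raise one offense per source host that completes the sequence:
    N failed DB logins -> successful login -> card table access -> FTP upload to an external site."""
    offenses, state = [], {}
    for e in sorted(events, key=lambda x: x.ts):
        s = state.setdefault(e.src_ip, _fresh())
        if s["since"] is not None and e.ts - s["since"] > WINDOW:
            s = state[e.src_ip] = _fresh()          # partial sequence went stale
        s["failed"] = [t for t in s["failed"] if e.ts - t <= WINDOW]
        if e.kind == "db_login_failed":
            s["failed"].append(e.ts)
        elif e.kind == "db_login_ok" and len(s["failed"]) >= FAILED_LOGIN_THRESHOLD:
            s["stage"], s["since"], s["user"] = 1, e.ts, e.detail.get("user")
        elif e.kind == "db_query" and s["stage"] == 1:
            table = e.detail.get("table", "").upper()
            if table in CARD_TABLES:
                s["stage"], s["table"] = 2, table
        elif e.kind == "flow" and s["stage"] == 2:
            d = e.detail
            if (d.get("app") == "ftp" and d.get("bytes_out", 0) > 0
                    and is_external(d.get("dst_ip", "10.0.0.0"))):
                offenses.append({"src_ip": e.src_ip, "db_user": s["user"], "table": s["table"],
                                 "dst_ip": d["dst_ip"], "start": s["since"], "end": e.ts})
                state[e.src_ip] = _fresh()
    return offenses


# Constructed sample: one host completes the full sequence; an analyst with a
# single typo does similar work but never meets the failed-login threshold.
T0 = datetime(2013, 5, 6, 9, 0, 0)
SAMPLE_EVENTS = [
    Event(T0, "10.0.0.7", "db_login_failed", {"user": "app"}),
    Event(T0 + timedelta(minutes=1), "10.0.0.7", "db_login_failed", {"user": "app"}),
    Event(T0 + timedelta(minutes=2), "10.0.0.7", "db_login_failed", {"user": "app"}),
    Event(T0 + timedelta(minutes=3), "10.0.0.7", "db_login_ok", {"user": "app"}),
    Event(T0 + timedelta(minutes=5), "10.0.0.7", "db_query", {"table": "credit_cards"}),
    Event(T0 + timedelta(minutes=8), "10.0.0.7", "flow",
          {"app": "ftp", "dst_ip": "203.0.113.9", "bytes_out": 48_000_000}),
    Event(T0, "10.0.0.8", "db_login_failed", {"user": "ana"}),
    Event(T0 + timedelta(minutes=1), "10.0.0.8", "db_login_ok", {"user": "ana"}),
    Event(T0 + timedelta(minutes=2), "10.0.0.8", "db_query", {"table": "credit_cards"}),
    Event(T0 + timedelta(minutes=4), "10.0.0.8", "flow",
          {"app": "ftp", "dst_ip": "203.0.113.9", "bytes_out": 1000}),
]

if __name__ == "__main__":
    for offense in correlate(SAMPLE_EVENTS):
        print(offense)
```

The rule keeps per-host state and only advances on the next step of the sequence, so a successful login without the preceding failures, or a card table query from a host that never brute-forced, produces no offense. The window check at the top of the loop is what keeps stale partial sequences from accumulating.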
[Figure: AppScan products feeding QRadar alongside Security Devices – AppScan Enterprise Web client, AppScan Enterprise Server, AppScan Standard (DAST desktop client), AppScan Source (SAST desktop client), AppScan Enterprise Dynamic Analysis Scanners (server-based DAST); input: Application Vulnerability; output: Identified Risk]
Promoting use of vulnerability:
Application vulnerability sharing
– QRadar imports application vulnerability data published by AppScan on a regular basis.
– QRadar shows vulnerability details on Asset Profile (V7.1).
Correlation and alert
– Enables QRadar to correlate network and event activity with application vulnerability, helping determine the priority (ranks) of the offenses and assess potential impact of the attack.
– Initiate scanning from QRadar
– Sends alerts to AppScan administrators
• Increases vulnerability database accuracy improving offense and risk analytics to limit potential offenses
• Establishes baseline for endpoint states and improves alerting on variations to detect threats other SIEMs might miss
• Speeds remediation of discovered offenses using Endpoint Manager automation
• Represents AV/DLP alerts within consolidated enterprise security view helping correlate advanced threat activities
• Improves compliance reporting with deep endpoint state data
Identity & Access Management products & QRadar uncover malicious behaviors
[Figure: Security Identity Manager, Applications, Databases, Identity Management and Security Devices feeding QRadar]
Identity enriched security intelligence: Technical features
• Provides ability to insert user names into reference sets used for writing searches, reports, and rules
• Improves ability to defend against insider threats involving privilege escalations or inappropriate data access
• Facilitates compliance reporting by pairing user identities with access to sensitive data
Identity Management
[Figure: Tivoli Identity Manager handling Roles / Requests across Applications, Databases, Operating Systems, Networks & Physical Access, and HR Systems / Identity Stores]
Simplify Complexity
• Consistent security policy
• Quickly integrate new users & apps
• Closed-loop provisioning
Address Compliance
• Access rights audit & reports
• Fix non-compliant accounts
• Know the people behind the accounts and why they have the access they do
• Automate user privileges lifecycle across entire IT infrastructure
• Match your workflow processes
ISIM - Workflow
NEW EMPLOYEE PROCESS
[Figure: workflow diagram – a position change in the HR system for John Smith initiates a request; the manager and application owner (approvers) receive notification, reminder and acceptance; permission is granted automatically (after a delay) and terminated automatically]
Stages: Define Role Based Access Control Model & Policies; Update to User Attribute Initiates Access Change; Automatic Provisioning and Rights Verification; Policy Design
ISIM – Compliance
[Figure: reconciliation compares Policy against Reality – MATCH?]
Reconciliation: Who has access to what? Identify orphan and dormant accounts – big security exposures!
Recertification
Reporting: Prove it. Show auditors who has access to what and how they got it.
ISIM – Reporting
Sample Operational Reports
– Orphan Accounts Report
– Dormant Accounts Report
– Recertification Change History Report
– Pending Recertification Report
– Recertification Policies Report
– Individual Access Report
– Access Report
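To make the reconciliation step and the orphan, dormant and access reports concrete, the following Python is an added example (not ISIM code): it matches accounts reconciled from managed systems against people in an identity store, lists orphan accounts (no active person behind them) and dormant accounts (no login within a configurable period), and builds the per-person access list an auditor would ask for. The identity store, the accounts, the adoption rule that matches an unowned account to a person by login id, and the 90-day dormancy threshold are all constructed assumptions.

```python
from datetime import date, timedelta

# Constructed identity store (not ISIM data): person id -> record.
PEOPLE = {
    "P1001": {"name": "John Smith", "uid": "jsmith", "status": "active"},
    "P1002": {"name": "Ana Pop", "uid": "apop", "status": "active"},
    "P1003": {"name": "Lee Wong", "uid": "lwong", "status": "terminated"},
}

# Constructed accounts reconciled from managed systems. owner is the person id
# recorded on the account, or None when the system carries no owner attribute.
ACCOUNTS = [
    {"system": "oracle-prod", "account": "jsmith", "owner": "P1001", "last_login": date(2013, 4, 30)},
    {"system": "oracle-prod", "account": "apop", "owner": None, "last_login": date(2013, 1, 10)},
    {"system": "oracle-prod", "account": "lwong", "owner": "P1003", "last_login": date(2013, 4, 28)},
    {"system": "sap", "account": "svc_batch", "owner": None, "last_login": None},
    {"system": "sap", "account": "jsmith", "owner": "P1001", "last_login": date(2013, 5, 2)},
]

AS_OF = date(2013, 5, 6)  # constructed reconciliation date


def adopt_owner(account, people):
    """Resolve the person behind an account: the recorded owner if known, otherwise
    a person whose uid equals the account name (an assumed adoption rule)."""
    if account["owner"] in people:
        return account["owner"]
    for pid, person in people.items():
        if person["uid"] == account["account"]:
            return pid
    return None


def reconcile(people, accounts, today, dormant_days=90):
    """Return orphan accounts, dormant accounts and a who-has-access-to-what map."""
    cutoff = today - timedelta(days=dormant_days)
    orphan, dormant, access = [], [], {}
    for acct in accounts:
        pid = adopt_owner(acct, people)
        # Orphan: no person found, or the person is no longer active (assumed policy).
        if pid is None or people[pid]["status"] != "active":
            orphan.append((acct["system"], acct["account"], pid))
        else:
            access.setdefault(pid, []).append(f'{acct["system"]}:{acct["account"]}')
        # Dormant: never used, or not used since the cutoff date.
        if acct["last_login"] is None or acct["last_login"] < cutoff:
            dormant.append((acct["system"], acct["account"]))
    return {"orphan": orphan, "dormant": dormant, "access": access}


if __name__ == "__main__":
    report = reconcile(PEOPLE, ACCOUNTS, AS_OF)
    for section, rows in report.items():
        print(section, rows)
```

With the sample data the terminated user's database account and the unowned service account come out as orphans, the unused analyst account and the never-used service account as dormant, and the access map answers "who has access to what" per person. An account can appear in both lists, which is the usual case worth recertifying first.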
[Figure: a user facing separate logins for EMR, HR Web, Mainframe, SAP, Lotus Notes, Java and Cloud applications – "Impossible to remember", "Need much quicker access"; pressures: SECURITY, COMPLIANCE, COSTS, PRODUCTIVITY]
What if … users only needed to remember 1 password?
Single sign-on
Supports strong authentication
Kiosk sharing
Password self service
Web-based administration
Browser-based remote access
User access tracking & audit
No change to the infrastructure
TAM E-SSO enables visibility into user activity, control over access to business assets, and automation of the sign-on process in order to drive value for our clients.
ibm.com/security
© Copyright IBM Corporation 2012. All rights reserved. The information contained in these materials is provided for informational purposes only, and is
provided AS IS without warranty of any kind, express or implied. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to,
these materials. Nothing contained in these materials is intended to, nor shall have the effect of, creating any warranties or representations from IBM or its
suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software. References in these materials
to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates. Product release dates and/or capabilities
referenced in these materials may change at any time at IBM’s sole discretion based on market opportunities or other factors, and are not intended to be a
commitment to future product or feature availability in any way. IBM, the IBM logo, and other IBM products and services are trademarks of the International
Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service marks of
others.
Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper
access from within and outside your enterprise. Improper access can result in information being altered, destroyed or misappropriated or can result in damage to
or misuse of your systems, including to attack others. No IT system or product should be considered completely secure and no single product or security
measure can be completely effective in preventing improper access. IBM systems and products are designed to be part of a comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective. IBM DOES NOT WARRANT THAT SYSTEMS AND PRODUCTS ARE IMMUNE FROM THE MALICIOUS OR ILLEGAL CONDUCT OF ANY PARTY.