Student Notebook
Security Intelligence Fundamentals
Course code BQ600 ERC 1.0

IBM Training
NOTICES
This information was developed for products and services offered in the USA.
IBM may not offer the products, services, or features discussed in this document in other countries. Consult your local IBM
representative for information on the products and services currently available in your area. Any reference to an IBM product, program,
or service is not intended to state or imply that only that IBM product, program, or service may be used. Any functionally equivalent
product, program, or service that does not infringe any IBM intellectual property right may be used instead. However, it is the user's
responsibility to evaluate and verify the operation of any non-IBM product, program, or service.
IBM may have patents or pending patent applications covering subject matter described in this document. The furnishing of this
document does not grant you any license to these patents. You can send license inquiries, in writing, to:
IBM Director of Licensing
IBM Corporation
North Castle Drive, MD-NC119
Armonk, NY 10504-1785
United States of America
The following paragraph does not apply to the United Kingdom or any other country where such provisions are inconsistent with local
law: INTERNATIONAL BUSINESS MACHINES CORPORATION PROVIDES THIS PUBLICATION "AS IS" WITHOUT WARRANTY OF
ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Some states do not allow disclaimer of
express or implied warranties in certain transactions, therefore, this statement may not apply to you.
This information could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein;
these changes will be incorporated in new editions of the publication. IBM may make improvements and/or changes in the product(s)
and/or the program(s) described in this publication at any time without notice.
Any references in this information to non-IBM websites are provided for convenience only and do not in any manner serve as an
endorsement of those websites. The materials at those websites are not part of the materials for this IBM product and use of those
websites is at your own risk.
IBM may use or distribute any of the information you supply in any way it believes appropriate without incurring any obligation to you.
Information concerning non-IBM products was obtained from the suppliers of those products, their published announcements or other
publicly available sources. IBM has not tested those products and cannot confirm the accuracy of performance, compatibility or any other
claims related to non-IBM products. Questions on the capabilities of non-IBM products should be addressed to the suppliers of those
products.
This information contains examples of data and reports used in daily business operations. To illustrate them as completely as possible,
the examples include the names of individuals, companies, brands, and products. All of these names are fictitious and any similarity to
the names and addresses used by an actual business enterprise is entirely coincidental.

TRADEMARKS
IBM, the IBM logo, and ibm.com are trademarks or registered trademarks of International Business Machines Corp., registered in many
jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM
trademarks is available on the web at “Copyright and trademark information” at www.ibm.com/legal/copytrade.shtml.
Adobe, the Adobe logo, PostScript, and the PostScript logo are either registered trademarks or trademarks of Adobe Systems
Incorporated in the United States, and/or other countries.
Cell Broadband Engine is a trademark of Sony Computer Entertainment, Inc. in the United States, other countries, or both and is used
under license therefrom.
Intel, Intel logo, Intel Inside, Intel Inside logo, Intel Centrino, Intel Centrino logo, Celeron, Intel Xeon, Intel SpeedStep, Itanium, and
Pentium are trademarks or registered trademarks of Intel Corporation or its subsidiaries in the United States and other countries.
IT Infrastructure Library is a Registered Trade Mark of AXELOS Limited.
ITIL is a Registered Trade Mark of AXELOS Limited.
Java and all Java-based trademarks and logos are trademarks or registered trademarks of Oracle and/or its affiliates.
Linear Tape-Open, LTO, the LTO Logo, Ultrium, and the Ultrium logo are trademarks of HP, IBM Corp. and Quantum in the U.S. and
other countries.
Linux is a registered trademark of Linus Torvalds in the United States, other countries, or both.
Microsoft, Windows, Windows NT, and the Windows logo are trademarks of Microsoft Corporation in the United States, other countries,
or both.
UNIX is a registered trademark of The Open Group in the United States and other countries.

© Copyright International Business Machines Corporation 2015.


This document may not be reproduced in whole or in part without the prior written permission of IBM.
US Government Users Restricted Rights - Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.
Contents
About this course . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . viii
Course objectives . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x
Audience . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xi
Prerequisites . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xi
Agenda . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xii
Course description . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xiii

Unit 1 The status quo of IT security. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-1


Unit objectives . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-2
Lesson 1 Technology trends in 2015 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-3
Technology trend - Innovation introduces new vulnerabilities and avenues of attack . . . . . . . . . . . . . . . 1-4
Technology trend - Mobile and BYOD is strategic for many organizations . . . . . . . . . . . . . . . . . . . . . . . 1-5
Technology trend - Mobile is complex and challenging to manage . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-6
Technology trend - Big data is all data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-8
Technology trend - Every industry can leverage Big Data and analytics . . . . . . . . . . . . . . . . . . . . . . . 1-10
Technology trend - Cloud is rapidly transforming the enterprise . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-11
Technology trend - Cloud presents the opportunity to radically transform security practices . . . . . . . . 1-12
Technology trend - Capitalizing on social media data today . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-14
Technology trend - Collaboration is a key to business transformation . . . . . . . . . . . . . . . . . . . . . . . . . 1-16
Technology trend - Risk and threat management is not isolated to security incidents and attacks . . . 1-17
Attackers break through conventional safeguards every day . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-18
IBM X-Force - Research around the Globe . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-20
IBM X-Force Exchange . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-21
IBM Security has global reach . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-22
New technologies introduce new risks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-24
Lesson 2 IT security landscape in 2015 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-26
The IT Security landscape in 2015 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-27
The IT Security landscape in 2015 - Internet services and the vanishing network perimeter . . . . . . . . 1-29
Internet services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-30
Internet services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-32
Internet services and the vanishing network perimeter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-34
Internet services and the vanishing network perimeter (2 of 4) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-35
Internet services and the vanishing network perimeter (3 of 4) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-36
Internet services and the vanishing network perimeter (4 of 4) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-37
The device becomes the perimeter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-38
The IT Security landscape in 2015 - Regulations, Governance, Privacy, and Risk . . . . . . . . . . . . . . . 1-39
Governance, Risk, and Compliance (GRC) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-40
IT-GRC capabilities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-41
IT Governance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-42
IT Risk Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-43
IT Compliance Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-45

© Copyright IBM Corp. 2015 iii


Course materials may not be reproduced in whole or in part without the prior written permission of IBM.
V7.0
Compliance management versus IT security compliance management . . . . . . . . . . . . . . . . . . . . . . . . 1-47
Compliance versus Control . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-48
The IT security landscape in 2015 - Threat and fraud landscape . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-49
Threat and fraud landscape and evolution . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-50
Attackers break through conventional safeguards every day . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-52
Where trade magazines tout advanced threats, the vast majority are not . . . . . . . . . . . . . . . . . . . . . . 1-54
The importance of early detection and rapid response . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-55
The importance of early detection and rapid response . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-56
Why IT security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-57
Security leaders are more accountable than ever before . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-58
Lesson 3 Business and IT drivers that influence security in an organization . . . . . . . . . . . . . . . . . . . . . 1-59
Definitions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-60
Business drivers that influence security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-61
Business drivers that influence security (2 of 4) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-62
Business drivers that influence security (3 of 4) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-63
Business drivers that influence security (4 of 4) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-64
IT drivers that influence security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-65
IT drivers that influence security (2 of 4) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-66
IT drivers that influence security (3 of 4) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-67
IT drivers that influence security (4 of 4) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-68
Let us summarize . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-69
Lesson 4 Security Intelligence is at the center of a comprehensive security portfolio . . . . . . . . . . . . . . . 1-70
Security Intelligence at the center of a comprehensive security portfolio . . . . . . . . . . . . . . . . . . . . . . . 1-71
IT Security Governance for PCI-DSS regulation and the role of Security Intelligence . . . . . . . . . . . . . 1-73
IT Security Governance for PCI-DSS regulation and the role of IBM Security Solutions . . . . . . . . . . . 1-74
Unit summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-75

Unit 2 Security Intelligence and Operations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-1


Unit objectives . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-2
Lesson 1 Analyze source data that feeds the Security Intelligence solution . . . . . . . . . . . . . . . . . . . . . . . 2-3
Security Intelligence at the center of a comprehensive security portfolio . . . . . . . . . . . . . . . . . . . . . . . . 2-4
Maturity categories of integration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-5
Maturity categories and security solution types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-6
IBM security software portfolio and QRadar SIEM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-9
Today’s threat landscape drives Security Intelligence strategy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-10
Example: Anatomy of an attack – lions at the watering hole . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-12
Example: Attack timeline . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-13
Example: Vulnerable hosts were infected . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-14
Example: After being infected, compromised hosts made contact with a remote command and control server in China . . . . . . . . . . . . . . . . . . 2-15
Example: If the attack is not detected fast enough, the infected machine becomes the new launch point of deepening the penetration . . . . . . . . . 2-16
Apply Big Data to Security Intelligence and threat management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-18
A dynamic, integrated system to help detect and stop advanced threats . . . . . . . . . . . . . . . . . . . . . . . 2-19
Lesson 2 Detect and stop advanced threats . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-20
Best practices: Intelligent detection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-21
What is Security Intelligence? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-22
Ask the right questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-24

IBM Security QRadar SIEM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-25
IBM Security QRadar Vulnerability Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-26
IBM Security QRadar Risk Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-27
IBM Security QRadar Incident Forensics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-28
IBM Security QRadar Incident Forensics (continued) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-29
From NetFlow to QFlow to QRadar Incident Forensics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-30
QRadar Embedded intelligence offers automated offense identification . . . . . . . . . . . . . . . . . . . . . . . . 2-31
Embedded intelligence of QRadar directs focus for investigations . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-33
Benefits of IBM Security Intelligence approach . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-34
Lesson 3 IT security governance and compliance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-35
Security leaders are more accountable than ever before . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-36
Example: IT Security Governance for PCI-DSS regulation and the role of IBM Security Solutions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-37
Reporting in QRadar . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-38
Reports tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-39
Lesson 4 Security Intelligence and enterprise security architecture . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-40
What is an architecture? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-41
What is an architecture? (continued) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-42
Following an enterprise security architecture with Security Intelligence design in mind . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-44
O-ESA Security Governance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-45
O-ESA Security Technical Architecture . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-46
O-ESA Security Operations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-47
Working together with the CISO’s office when designing the Security Intelligence solution . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-48
Working together with the CISO’s office when designing the Security Intelligence solution (continued) . . . . . . . . . . . . . . . . . . . . . . . . . . 2-49
Unit summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-50

Unit 3 Designing a Security Intelligence solution . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-1


Unit objectives . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-2
Lesson 1 Security Intelligence solution design high level process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-3
Security Intelligence solution design high level process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-3
High level design steps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-4
Security Intelligence and IT Security Architectures addressing ISO/IEC 27002 or similar framework . . 3-6
Security Intelligence additional configuration management requirements . . . . . . . . . . . . . . . . . . . . . . . 3-7
Security Intelligence in deployment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-8
Lesson 2 Detailed Security Intelligence solution design, implementation, and deployment process . . . . 3-9
Detailed Security Intelligence solution design, implementation, and deployment process . . . . . . . . . . . . 3-9
IT Security Framework reference example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-10
Security Intelligence Design (Macro & Micro) – Activity Details . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-11
Data collection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-13
Incident management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-14
Integration with incident response tools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-15
Change management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-16
Data collection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-17
Monitoring use cases . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-18
IT security policy for logging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-19

IT security policy for logging (2 of 2) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-20
Create a baseline security policy for logging using Common Criteria . . . . . . . . . . . . . . . . . . . . . . . . . . 3-21
Determine the network information flow and forensics policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-23
Dashboards, views, and reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-24
Data collection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-25
Technical vulnerability management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-26
Vulnerability management information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-27
Asset configuration management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-28
Lesson 3 Document detailed use cases and requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-29
Document detailed use cases and requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-29
Documentation of detailed use cases . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-30
Documentation of functional requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-32
Documentation of functional requirements (2 of 2) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-33
Documentation of non-functional requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-34
Documentation of non-functional requirements (2 of 2) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-35
Document detailed use case and requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-36
Storage . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-37
Retention time . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-39
Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-40
Logging example: Using Common Criteria guidelines for AIX 5L logging . . . . . . . . . . . . . . . . . . . . . . . 3-41
Logging example: Mapping the controls . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-43
Logging example: Gather platform audit subsystem configuration details . . . . . . . . . . . . . . . . . . . . . . 3-44
Logging example: Platform specific audit guides . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-45
Network information flow collection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-46
Vulnerability Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-48
Other integrations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-49
Security Intelligence Design (Macro & Micro) – Activity Details . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-50
Exercise introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-51
Unit summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-52

Unit 4 Security Intelligence functional components . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-1


Unit objectives . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-2
Lesson 1 Building a foundation through centralized Security Intelligence management - IBM QRadar SIEM Functional architecture . . . . . . . . . . . . . . 4-3
Built upon a common foundation of QRadar SIOS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-4
Command console for Security Intelligence . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-5
An integrated, unified architecture in a single console . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-6
Answering questions to help prevent and remediate attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-7
Network flow analytics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-9
Scalable appliance/software/virtual architecture . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-10
QRadar SIEM logical components and data flow . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-11
QRadar SIEM appliance types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-12
Deployment models . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-13
Lesson 2 Building a foundation through centralized Security Intelligence management - IBM QRadar SIEM Component architecture . . . . . . . . . . . . . . 4-14
Architecture overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-15
High-level architecture . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-16
Architecture overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-17

Flow Collector architecture . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-18
Application detection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-19
Superflows . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-20
Flows per minute (FPM) burst handling . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-21
Architecture overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-22
Event Collector architecture . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-23
Autodiscovery of Log Sources . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-24
Log Source parsing uses QID mapping . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-25
Events per second (EPS) burst handling . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-26
Architecture overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-27
Event Processor architecture . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-28
Custom Rules Engine (CRE) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-29
Accumulator . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-30
Architecture overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-31
Console architecture . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-32
Offense management by the Magistrate . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-33
Offense management by the Magistrate (2 of 2) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-34
Offense types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-35
Anomaly Detection Engine rule types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-36
New asset and service detection by Vulnerability Information Server . . . . . . . . . . . . . . . . . . . . . . . . . . 4-37
Lesson 3 External threat intelligence feeds . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-38
IBM Security X-Force Threat Intelligence . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-39
The value of the IBM X-Force research and development team . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-40
X-Force Threat Intelligence - vulnerability coverage use cases . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-41
Lesson 4 Real-world large-scale attack . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-42
How quickly can you … . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-43
About Target Corporation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-44
The situation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-45
Phases of the intrusion kill chain . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-46
Kill chain timeline . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-47
First trigger – already compromised . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-48
More alerts – no linkage . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-49
DOJ notification – 40 million records gone . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-50
Continued breaches undetected . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-51
Missed opportunities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-52
Potential improvements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-53
Unit summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-54

About this course

IT Security Intelligence Fundamentals

© Copyright IBM Corporation 2015



Security Intelligence is a fairly new discipline for organizations of all sizes that has evolved from
traditional log management and security information and event management solutions. Embracing
this new approach will help reduce risk and improve threat protection, prevention, and remediation.

This 2-day course focuses on the current IT and security landscape as well as the business and IT
drivers behind a holistic IT security approach, which is a prerequisite to successfully thwart
malicious attacks and the misuse of valuable enterprise assets.

Students learn what is important to a board of executives in organizations today. They will realize
the impacts of weak IT security, and how to mitigate exposures by utilizing a properly designed and
integrated Security Intelligence solution.

The following topics are among those included in this course:
• Current IT and security landscape
• Business and IT drivers for executives that will influence an organization’s IT Security Architecture
• Principles of designing and deploying a centralized and well integrated Security Intelligence solution
• Security Intelligence component architecture based on IBM Security QRadar
• A real-world large-scale breach investigation

No lab environment is required for this course.

Details
Delivery method: Classroom
Course level: ERC 1.0
This course is a new course
Duration: 2 days
Skill level: Basic


Course objectives
After completing this course, you should be able to perform the following tasks:
• Identify enterprise business and IT drivers that influence the overall IT Security Architecture
• Define the role of a centralized Security Intelligence solution and how it integrates with other IT enterprise security components
• Explain how a Security Intelligence solution can be used to investigate and stop advanced threats and address IT governance and regulatory compliance

Audience
This course is designed for academic faculty and their students to gain an overview of today’s IT
security challenges and how to utilize a properly designed Security Intelligence solution at its center
to protect the valuable assets of an organization.

Prerequisites
Before taking this course, make sure that you have a thorough understanding of the basic security
fundamentals as introduced in the Security Foundation Course material that is available through
the Cyber Security Specialist portal:

http://www.ibm.biz/meauniversity


Agenda
• Day 1
  • Unit 1: The status quo of IT security
  • Unit 2: Security Intelligence and Operations

• Day 2
  • Unit 3: Designing a Security Intelligence solution
  • Unit 4: Security Intelligence functional components

Course description
The course contains the following units:
1. The status quo of IT security
In this unit we describe the current technology trends and the IT security landscape generally
found in 2015 so that the student can gain a broad understanding of where potential attackers
want to launch their intrusion attempts.
We explain business and IT drivers that influence security-related business decisions from a
C-level perspective because security is no longer an afterthought, but one of the major
influencing factors when it comes to IT decisions in every organization.
We close this unit by introducing a comprehensive security solution portfolio to address the
holistic IT security requirements in an organization, including every aspect that needs to be
taken into consideration. We use one particular business driver example (PCI-DSS compliance)
to clarify the importance of integration when it comes to IT security.

2. Security Intelligence and Operations
In this unit we describe how an organization can use a centralized Security Intelligence solution
to improve its overall security maturity by integrating capabilities from all security domains.
We use an example of a typical attack to demonstrate how important it is to consolidate data
across many security domains.
Next, we examine how a Security Intelligence solution can help mitigate advanced threats by
using different solution components that cover different phases, from vulnerability management
and risk management to security information and event management and incident forensics.
Finally, we explain how an organization can plan and design a Security Intelligence solution
using an existing enterprise security architecture method.

3. Designing a Security Intelligence solution
Designing a Security Intelligence solution involves much more than documenting how to install
and configure a Security Intelligence software product. In this unit we introduce a design
methodology that covers all steps from information gathering to specifying the required
maintenance on the solution. The major steps of the methodology will first be explained, after
which the detailed activities of each major step will be discussed.

4. Security Intelligence functional components
In this unit we focus our attention on the IBM QRadar Security Intelligence solution and
explain its functional architecture. To study and understand how a Security Intelligence
solution works, we examine each component in itself and how data and information are
exchanged in the overall system. We also consider the importance of integrating an external,
real-time threat intelligence feed.
We conclude this course with an examination of a real-world large-scale attack against a
US-based retail company.

Unit 1 The status quo of IT security


Unit objectives
• Describe/define technology trends and IT security landscape in 2015
• List business and IT drivers that influence security-related business decisions
• Define a comprehensive security solution portfolio to address the holistic IT security requirements in an organization


In this unit we describe the current technology trends and the IT security landscape generally found
in 2015 so that the student can gain a broad understanding of where potential attackers want to
launch their intrusion attempts.

We explain business and IT drivers that influence security-related business decisions from a
C-level perspective because security is no longer an afterthought, but one of the major influencing
factors when it comes to IT decisions in every organization.

We close this unit by introducing a comprehensive security solution portfolio to address the holistic
IT security requirements in an organization, including every aspect that needs to be taken into
consideration. We use one particular business driver example (PCI-DSS compliance) to clarify the
importance of integration when it comes to IT security.

Lesson 1 Technology trends in 2015


Technology trend: Innovation introduces new vulnerabilities and avenues of attack

Adopting new business models and embracing new technologies and data:
• Bring your own IT: employees, customers, contractors, outsourcers
• Mobility
• Social business
• Cloud and virtualization
• Big data

Exponentially growing and interconnected digital universe:
• 30 billion RFID tags (products, passports, buildings and animals) [1]
• 1 billion workers will be remote or mobile
• 1 trillion connected objects (IoT: cars, appliances, cameras)
• 1 billion mobile Internet users
• 30 percent growth of 3G/4G devices
• 33 percent of all new business software spending will be Software as a Service

[1] Source: IBM X-Force® Trend and Risk Report, 2012


Technology trend - Innovation introduces new vulnerabilities and avenues of attack

Every board of directors wants their organization to reap the benefits of new technology to improve
business results.

Participating in social media and connecting with customers, employees, and business partners
can improve communication effectiveness and open new channels of innovative interactions.

Collecting large amounts of data can help with business analytics, and storing and processing this
data in cloud based or virtualized IT environments can drastically reduce costs and improve
responsiveness to fluctuating demands.

Allowing every employee, customer, and business partner to interact with the organization’s IT
solutions from everywhere and with every device, including devices not owned by the organization,
will increase productivity and satisfaction for all involved parties.

But let’s put ourselves into the shoes of a CISO. The world is getting more complicated with the
variety of devices that are available. Technology gets more and more sophisticated and innovation
constantly creates amazing new things, but all of this also introduces new vulnerabilities and
potential avenues of attack for malicious players.

Let us take a close look at Mobility and BYOD, Social Business, Big Data, as well as Cloud and
virtualization.


Technology trend: Mobile and BYOD is strategic for many organizations

• Mobile provides a better experience
• Mobile changes the way people work
• Mobile creates risk of company data
• BYOD: freedom of device choice with increase of risk


Technology trend - Mobile and BYOD is strategic for many organizations

Let’s talk about the state of mobile and Bring-Your-Own-Device (BYOD) in today’s organizations.

Mobility is now a strategic part of just about every business strategy. It’s viewed as a way to
transform workflows and business processes in a very dramatic way:
• Mobile is about providing better experiences and new ways to serve customers
• Mobile is about changing how people work and where they work and how they collaborate
• At the same time, mobile introduces new risks to protecting sensitive company data
• While BYOD allows users the freedom of choice for their device, it also adds significant risks


Technology trend: Mobile is complex and challenging to manage

• Mobile mixes personal and work
• Mobile lives outside your perimeter
• Mobile is fast-paced and multiplatform

Technology trend - Mobile is complex and challenging to manage

Mobile brings on new complexities and challenges to manage. It truly connects everyone to
everything and provides certain expectations.
• Mobile is very personal and gets mixed with individual work lives (especially when combined
with BYOD).
• Mobile by its very nature is outside of your physical network perimeter and your control.
• Mobile moves fast and the pace of change is very rapid.

Organizations need the capabilities to:
• Support a range of usage models: corporate owned, BYOD, and shared devices
• Separate work and personal data
• Secure apps and data on devices that they do not own
• Ensure compliance with internal policy and industry or legal regulations
• Protect apps and content that are stored in the cloud and on your network
• Scale deployments beyond pilots to new use cases
• Keep pace with OS and mobile platform updates that happen very frequently

What are the major security identifiers behind mobility and BYOD?

• Asset management (including protection policies and automated enforcement)
• Data and device encryption
• Communication protocols between mobile devices and enterprise IT assets (networks,
systems, apps)
• Intrusion prevention services (including anti-virus, behavioral protection, anti-fraud)
• User education (recurring programs, constant vigilance, “enablement instead of enforcement”)


Technology trend: Big data is all data

• Transactional and application data: volume; structured; throughput
• Enterprise content: velocity; semistructured; ingestion
• Machine data: variety; highly unstructured; veracity
• Social data: variety; highly unstructured; volume
• Cognitive computing: dynamic learning; highly unstructured; 2.5 quintillion bytes of new data created daily

Technology trend - Big data is all data

Today, big data comes from many sources. Data sources have become much more diverse and
exceed our traditional transactional and application data sources. Machine Data can come from a
variety of sensors, networks, or other observational sources, constantly being added to the data
pool. Our Social Data stream, highly unstructured and from a broad variety of platforms and
applications, adds a constant data flow, and non-traditional enterprise content adds more data to
the unstructured high volume. On top of all that we have entered the era of Cognitive Computing
where dynamic learning of unstructured data adds more content at a pace that we have not yet
seen.

In order to capitalize on new business opportunities in relation to Big Data you need to look beyond
the traditional data sources and embrace all available data and apply proper data and business
analytics to it.

What are the major security identifiers behind Big Data?

• Data encryption at rest and in transit
• Encryption key lifecycle management
• Access control logs and analytics (not everyone with access rights to a database should access
the data, for example, privileged users like an administrator)
• Data classification
• Data usage (in applications, in communication (email, social media channels), on mobile
devices)
• Data privacy
• Backup and restore (local, remote), high availability and disaster recovery


Technology trend: Every industry can leverage Big Data and analytics

• Banking: optimizing offers and cross-sell; customer service and call center efficiency
• Insurance: view of domain or subject; catastrophe modeling; fraud and abuse
• Telco: proactive call center; network analytics; location based services
• Energy and utilities: smart meter analytics; distribution load forecasting and scheduling; condition based maintenance
• Media and entertainment: business process transformation; audience and marketing optimization
• Retail: actionable customer insight; merchandise optimization; dynamic pricing
• Travel and transport: customer analytics and loyalty marketing; predictive maintenance analytics
• Consumer products: shelf availability; promotional spend optimization; merchandising compliance
• Government: civilian services; defense and intelligence; tax and treasury services
• Healthcare: measure and act on population health outcomes; engage consumers in their healthcare
• Automotive: advanced condition monitoring; data warehouse optimization
• Chemical and petroleum: operational surveillance, analysis and optimization; data warehouse consolidation, integration and augmentation
• Electronics: uniform information access platform; data warehouse optimization
• Aerospace and defense: customer and channel analytics; advanced condition monitoring
• Life Sciences: increase visibility into drug safety and effectiveness

Technology trend - Every industry can leverage Big Data and analytics

This slide with sample use cases of big data can provide research topics for your students.

Let each student pick an industry sample and explain the major security identifiers for this use case.

For example:
• What data needs to be encrypted at rest and in transit?
• For which data sources do you need encryption key lifecycle management? On what devices is
that data stored?
• Which access control logs and analytics do you need to collect? For which data sources?
Which user groups do you need to monitor?
• What can be a proper data classification scheme?
• How is the data being used? (in applications, in communication (email, social media channels),
on mobile devices)
• What about data privacy?
• Which data needs to be backed up, and what is the strategy behind it? (local, remote, high
availability, disaster recovery)


Technology trend: Cloud is rapidly transforming the enterprise

• Traditional enterprise IT, private cloud, and public cloud together serve the organization and its external stakeholders
• Service models shown: IaaS, PaaS, SaaS
• Workloads and services shown: data archive; HR, CRM, SCM; online website; infrastructure services; development services; business applications; app development
• 100+ IBM offerings

Technology trend - Cloud is rapidly transforming the enterprise

Welcome to the new world of IT, where organizations are rapidly accumulating a diverse portfolio of
cloud services. As cloud adoption rises, companies have more and more interconnected resources,
more applications, data, and services residing on different types of platforms. For example, some
infrastructures run in public clouds, while some applications and data are located on private clouds.

There are multiple reasons for this massive adoption: transforming costs, scalability, improving the
responsiveness of IT, and speeding the delivery of new products and services. Those are the great
benefits of cloud delivery models.

This is very exciting overall, but for security professionals this can be somewhat overwhelming. The
picture here is somewhat simplified, because cloud adoption is usually not as simple as just signing
up for a new service like Dropbox, or SalesForce.com. We actually see most large organizations
move to hybrid cloud environments. They are using traditional IT components and connect those to
private and public clouds. They use a wide range of public cloud services usually from multiple
vendors.

One of our large e-commerce clients runs their operational ERP (Enterprise Resource Planning)
system on their own in-house IT environment; they store sensitive data here. They have also set up
a mobile app hosted in a public cloud for clients to access their e-commerce site. Their marketing
team leverages analytics on yet another service that is outside their own environment running on a
public cloud as well so they can understand buyer behavior. At the same time, their in-house
development leverages a self-service private cloud for IT operations helping to develop and deploy
new applications in-house.


Technology trend: Cloud presents the opportunity to radically transform security practices

• Traditional security: manual, static, and reactive
• Dynamic cloud security: standardized, automated, agile, and elastic

Cloud security is not only achievable, it is an opportunity to drive the business, improve defenses and reduce risk.

Technology trend - Cloud presents the opportunity to radically transform security practices

Today’s cloud services deployments are really not that much different than any other outsourcing
project that organizations have undertaken in the past 20 years. You need to evaluate every player
that participates in the project and ensure who brings what to the table when it comes to security.

Let us take a look at two examples:

• One aspect makes cloud security more secure than traditional security: the cloud can help
standardize authentication because usually all cloud environments and solutions are gated with
usernames and passwords. Many security professionals view this as a strategic choke point,
whereas in traditional IT environments access mechanisms can be spread out across many
different types of systems. In the cloud, all the apps and the infrastructure are gated by default
by usernames and passwords, which the security professionals can strengthen and lock down.
• In the second cloud environment example you can “inherit” the security model or
implementation of the provider, or possibly a cloud model implementation in your private cloud
environment. We are seeing more and more clients who literally drop IT workloads in a public
or private cloud zone where the security model matches that workload. You can build a cloud
zone with PCI compliance wrapped around it, including auditing, logging, vulnerability testing,
and reporting, and then drop workloads that require PCI compliance into that cloud zone.

What are the major security identifiers behind Cloud Computing?

• Workloads on cloud environments can be protected in the same way as they are on traditional
environments
• Security solutions and services can be deployed in cloud environments
• Monitor sensitive data access in cloud repositories
• Create centralized auditing for data sources deployed on cloud virtual images
• Virtual machine layer (hypervisor) security has to be added to the secured asset list


Technology trend: Capitalizing on social media data today

• More than 1 billion unique users visit YouTube each month, watching over 6 billion hours of video
• More than 388 million people view more than 12.7 billion blog pages each month
• There are 500 million tweets daily – that’s 5,700 per second
• 50% of Facebook users check it daily – there are more than 1 billion users worldwide

Technology trend - Capitalizing on social media data today

Our online social lives are prolific. The explosion of social media has created enormous volumes of
data. Every day, we create 2.5 quintillion bytes of data. From social media site conversations to
blogs, images and photos, video clips, user comments or user reviews on sites such as Amazon or
TripAdvisor, and comments in forums or chat rooms, or even on your own website, there is an
extremely large number of social media content sources.

This is all unstructured data – information that doesn’t have a pre-defined data model or isn’t
organized in a pre-defined way. It is typically text-heavy but may have dates, numbers and facts
buried in the details. This data is difficult to work with and understand. It’s a “Big Data” challenge.

More and more organizations use social media to communicate with their workforce, their clients,
as well as their contractors and suppliers. Individuals access social media channels from all their
devices (company owned or BYOD technology) at any time of the day.

Statistics sources (these will need to be updated periodically)

• http://en.wordpress.com/stats/
  388 million people view more than 12.7 billion pages
• http://www.youtube.com/yt/press/statistics.html
  More than 1 billion unique users visit YouTube each month
  Over 6 billion hours of video are watched each month on YouTube, that's almost an hour for every person on Earth, and 50% more than last year
• http://www.statisticbrain.com/facebook-statistics/
  50% of users check it daily
  Number of users worldwide: 1.1B
• https://blog.twitter.com/2013/new-tweets-per-second-record-and-how
  Number of Tweets: 5,700 per second, 500M a day, and 143,199 is the record on Aug 2, 2013


Technology trend: Collaboration is a key to business transformation

Simplifying complexity requires collaboration with customers, suppliers, employees, and investors.

• Amplify the corporate message and gain mindshare and awareness by interacting with individuals over digital channels
• Provide a seamless experience for your customers including information about products and services, contact to sales partners, and easy follow-up on ordering or service contracts
• Enrich employee experience by allowing use of BYOD and staying connected professionally and personally 24x7
• Collect valuable feedback and input on a social base from customers and business partners for greater business insights and improved decision making

Technology trend - Collaboration is a key to business transformation

The business ecosystem of today thrives on relationships – customers, suppliers, investors and
employees. Business processes can play a key role in managing these relationships, allowing
businesses to integrate better – not as an end in itself but as a part of a strategy that can lead to
sustained competitive advantage.

What are the major security considerations behind social media?

• Educate your users (employees, business partners, customers) about potential dangers on social media (watering holes, social profiling)
• Track social media-related traffic inside your premises and on your devices and scan for malicious activities or malware


Technology trend:
Risk and threat management is not isolated to security incidents and attacks

• Mobile in the enterprise: 90% of organizations will support corporate apps on personal devices by 2014 [6]
• Increased risk: 40% of Fortune 500 and popular web sites contain a vulnerability [2]
• Budgetary constraints: 71% of the average IT budget is dedicated to ongoing operations [4]
• Social business: 74% of enterprises use social media today to communicate with clients [7]
• Innovation in the cloud: 60% of chief information officers view cloud computing as critical to their plans [5]
• Aging infrastructure: 71% of data centers are over 7 years old [1]
• Exploding data growth: 2.7 ZB of digital content in 2012, a 50% increase from 2011 [3]

Sources: See speaker notes


Technology trend - Risk and threat management is not isolated to security incidents and attacks

Keeping this kind of slide with updated information will help students better understand that IT
Security is not only a purely technical discussion in an organization, but rather constrained by
budgets, business priorities, lack of skilled talent, and other facts that no C-level officer can ignore
in a real-world decision making process.

For your information: 1,000 terabytes = 1 petabyte; 1 million terabytes = 1 Exabyte; 1 billion
terabytes = 1 zettabyte ;-)

Sources:
• [1] The Essential CIO: Insights from the Global Chief Information Officer Study, May 2011
• [2] IBM X-Force Mid-year 2011 Trend and Risk Report, September 2011
• [3] IDC, “IDC Predictions 2012: Competing for 2020” by Frank Gens, December 2011, IDC #231720, Volume 1
• [4] Based on IBM Research
• [5] McKinsey, How IT is managing new demands, 2011
• [6] Gartner predicts that by 2014, “90% of organizations will support corporate applications on personal devices.”
• [7] Forrsights Business Decision-Makers Survey, Q4 2011


Attackers break through conventional safeguards every day

(Figure, timeline) 2012: 40% increase; 2013: 800,000,000+ records; 2014: Unprecedented impact

Attack types: XSS, Heartbleed, Physical access, Brute force, Misconfig., Watering hole, Phishing, SQLi, DDoS, Malware, Undisclosed

Source: IBM X-Force Threat Intelligence Quarterly – 1Q 2015

For more research, visit the IBM X-Force Interactive Security Incidents site


Attackers break through conventional safeguards every day

A new security reality is here, where…

Sophisticated attackers break through conventional safeguards every day.

Organized criminals, hacktivists, governments and adversaries are compelled by financial gain,
politics and notoriety to attack your most valuable assets. Their operations are well-funded and
business-like ‒ attackers patiently evaluate targets based on potential effort and reward. Their
methods are extremely targeted ‒ they use social media and other entry points to track down
people with access, take advantage of trust, and exploit them as vulnerabilities. Meanwhile,
negligent employees inadvertently put the business at risk via human error. Even worse, security
investments of the past can fail to protect against these new classes of attacks. The result is more
severe security breaches more often.

Note: The size of the circle indicates the estimated relative impact

In the past three years, the amount of data records and variety of attacks have expanded to epic
levels.
• 2012: Near Daily Leaks of Sensitive Data
  40% increase in reported data breaches and incidents
• 2013: Relentless Use of Multiple Methods
  800,000,000+ records leaked, while the future shows no sign of change
• 2014: “Insane” Amounts of Records Breached
  42% of CISOs claim the risk from external threats increased dramatically from prior years.

Exercise for students:

Students can visit the interactive Security Incident chart and investigate individual incidents.
Research the attacked organization and the individual attack vector and discuss how that particular
incident could have been avoided or mitigated.

http://www.ibm.com/security/xforce/xfisi/

Source: IBM X-Force Threat Intelligence Quarterly – 1Q2015

https://www.software.ibm.com/webapp/iwm/web/signup.do?source=swg-WW_Security_Organic&S_PKG=ov33510&S_TACT=C327017W&dynform=18101_


IBM X-Force - Research around the Globe

The X-Force mission
• Monitor and evaluate the rapidly changing threat landscape
• Research new attack techniques and develop protection for tomorrow’s security challenges
• Educate IBM customers and the general public

Research Publications
• IBM X-Force Threat Intelligence Quarterly
• Download the latest (and past) documents and reports here: http://www.ibm.com/security/xforce/downloads.html
• IBM X-Force Exchange overview video: https://www.youtube.com/watch?v=xwcoUfU56N4


IBM X-Force - Research around the Globe

The IBM X-Force security professionals monitor and analyze security issues from a variety of
sources, including its database of more than 88,000 computer security vulnerabilities, its global web
crawler with over 25B cataloged web pages and URLs, international spam collectors, and millions
of malware samples collected daily.

The X-Force produces many thought leadership assets, including the IBM X-Force Threat
Intelligence Quarterly report, to help customers, fellow researchers and the public at large better
understand the latest security risks and stay ahead of emerging threats. In addition to the quarterly
report, regular blogs are posted on SecurityIntelligence.com, as well as webinars and research
papers based on insights from our Managed Security Services business.

For more research, make sure to visit: http://www.ibm.com/security/xforce/


IBM X-Force Exchange


• Cloud-based threat intelligence sharing platform
  - Enable users to rapidly research the latest global security threats
  - Aggregate actionable intelligence
  - Collaborate with peers
• IBM X-Force Exchange is supported by human- and machine-generated intelligence leveraging the scale of IBM X-Force


IBM X-Force Exchange

IBM X-Force Exchange is a cloud-based threat intelligence sharing platform enabling users to
rapidly research the latest global security threats, aggregate actionable intelligence and collaborate
with peers. IBM X-Force Exchange is supported by human- and machine-generated intelligence
leveraging the scale of IBM X-Force. To visit the platform and learn more, use the links below.
• Use the platform at xforce.ibmcloud.com
  http://xforce.ibmcloud.com/
• Download the IBM X-Force Exchange datasheet
  http://www.ibm.com/common/ssi/cgi-bin/ssialias?subtype=SP&infotype=PM&htmlfid=WGD03055USEN&attachment=WGD03055USEN.PDF
• Attend the webinar “(Security) Ignorance isn’t Bliss: 5 Ways to Advance Security Decisions with Threat Intelligence”
  http://securityintelligence.com/events/security-ignorance-isnt-bliss-5-ways-advance-security-decisions-threat-intelligence/#.VR2TjGOsN8E
• See how IBM X-Force Exchange can enable collaborative threat intelligence (YouTube, 00:02:37)
  https://www.youtube.com/watch?v=d81MY8KIde4


IBM Security has global reach

(Figure: IBM Security by the Numbers: monitored countries (MSS); endpoints protected; service delivery experts; events managed per day)


IBM Security has global reach

IBM operates one of the broadest enterprise security research, development and delivery
organizations in the world. This powerful combination of expertise is made up of the award-winning
IBM X-Force research and development team, with one of the largest vulnerability databases in
the industry, and includes:

(9) Security Operations Centers:

• Atlanta, US
• Boulder, US
• Brussels, BE
• Hortolandia, BR
• Wroclaw, PL
• Brisbane, AU
• Tokyo, JP
• Bangalore, IN
• San Jose, CR

(12) Security Research Centers:

• Almaden, US
• Atlanta, US
• TJ Watson, US
• Ottawa, CA
• Bangalore, IN
• Tokyo, JP
• Wroclaw, PL
• Haifa, IL
• Herzliya, IL
• Zurich, CH
• Nairobi, KE
• New Delhi, IN

(15) Security Solution Development Centers:

• Atlanta, US
• Bangalore, IN
• Costa Mesa, US
• Austin, US
• Detroit, US
• Raleigh, US
• Waltham, US
• Fredericton, CA
• Belfast, N IR
• Delft, NL
• Pune, IN
• Taipei, TW
• Singapore, SG
• Perth, AU
• Gold Coast, AU


New technologies introduce new risks

• 44% of security leaders expect a major cloud provider to suffer a significant security breach in the future
• 33% of organizations do not test their mobile apps
Source: November 2014, “Security for the Cloud and on the Cloud”, Security Intelligence.com

Traditional security practices are unsustainable

• 85 security tools from 45 vendors
  Source: IBM Client Example
• 83% of enterprises have difficulty finding the security skills they need
  Source: Enterprise Information Security in Transition, 2012 ESG Technology Brief


New technologies introduce new risks

New technologies introduce new risks; in fact, businesses are adopting cloud and mobile
technologies at unprecedented rates. This influx of new innovation, technologies, and endpoints
pushes more and more business transactions outside company walls and completely transforms
enterprise security as we know it. As the traditional network perimeter around the data center
permanently dissolves, it becomes more difficult to defend company data from the increasing gaps
in security, and to verify that users accessing data are protected.

According to an article from SecurityIntelligence.com, 44% of security leaders expect a major cloud
provider to suffer a significant security breach in the future.

Source: November 2014, “Security for the Cloud and on the Cloud”, Security Intelligence.com
http://securityintelligence.com/security-for-the-cloud-and-on-the-cloud/

And according to a Ponemon study, 33% of organizations don’t even test their mobile apps!

Source: The State of Mobile Application Insecurity, 2014 Ponemon Institute Study
http://securityintelligence.com/mobile-insecurity/#.VbqirPlVhBc

Without dynamic protection, an organization may spend more time recovering from attacks than it
does preventing them. And those who do not prepare for change are leaving their companies
dangerously exposed.

…traditional security practices are simply unsustainable

Until recently, organizations have responded to security concerns by deploying a new tool to
address each new risk. We’ve observed one company that was using 85 tools from 45 different software
vendors! Now they have to install, configure, manage, patch, upgrade, and pay for dozens of
non-integrated solutions with limited views of the landscape. Costly and complex, these
fragmented security capabilities do not provide the visibility and coordination needed to stop today’s
sophisticated attacks.

Moreover, the skills and expertise needed to keep up with a constant stream of new threats are not
always available. In fact, 83% of enterprises report having difficulty finding the security skills they
need (2012 ESG Research).

As new risks emerge, the environment will grow more complex and the skills gap will grow even
wider.

Source: Enterprise Information Security in Transition, 2012 ESG Technology Brief

Lesson 2 IT security landscape in 2015

Lesson: IT security landscape in 2015



The IT Security landscape in 2015


• Internet services and the vanishing network perimeter
• Regulations
• Governance
• Privacy
• Risk management
• Threats and fraud


The IT Security landscape in 2015

• Internet services and the vanishing network perimeter
The Internet started as an infrastructure to let computers communicate with each other.
Nowadays the way “things” communicate with each other and data is exchanged has evolved
into many different forms and factors, resulting in a plethora of different Internet-based services.
Those services include business or commerce-related services, entertainment, and a variety of
human communication (including email, instant messaging, social media, and more).
• Regulations
The fact that IT networks can be used by anyone with access to a computer requires proper
regulation for individuals, organizations, and the Internet as a whole.
• Governance
Human nature requires that if you impose regulations upon people, you also need a governing
institution that audits and verifies that the regulations are followed.
• Privacy
Many people and organizations exchange and maintain personal data using computer systems
and the Internet. This requires particularly strong regulations when it comes to the protection of
personally identifiable information (PII).
• Risk management
Every case of intentional use invites malicious actors who will try to gain access to systems and
data illegally. Utilizing IT resources for any purpose always introduces risks to the intended use
and poses threats to the participating assets and actors.
• Threats and fraud
Malicious actors pose threats to your IT operations in order to fraudulently access and retrieve
information (secrets, PII, monetary assets, and such). These threats use many different attack
vectors (network, application, physical, social) and are constantly evolving.


The IT Security landscape in 2015


• Internet services and the vanishing network perimeter
• Regulations
• Governance
• Privacy
• Risk management
• Threat and fraud landscape


The IT Security landscape in 2015 - Internet services and the vanishing network perimeter


Internet services
• Marketplace / eCommerce
  - eBay, Amazon, Craigslist, and so on
  - Apple, Lenovo, Sony, Samsung, or any other direct brand connections
  - Ubiquitous inline advertising, information push to mobile devices
  - Expected to be available 24x7x365
• Financial services
  - Retail banks: BBVA, Nedbank, Bank Aljazira, and so on
  - Investment banks: J.P. Morgan, Deutsche Bank, Citigroup Inc., and so on
  - Internet “founded” banks such as PayPal
  - “Untraceable” forms of payments such as BitCoin
• Healthcare services
  - Connect with doctors, hospitals, and insurances to exchange information
  - Immediate access to records for authorized personnel
• Government services
  - Passports, driver’s licenses, vehicle registration, and ever-growing service portfolios
  - Makes it easier for every citizen to utilize these services whenever and wherever they are


Internet services

Today, Internet services are ubiquitous … they are expected to just “be there” … 365 days a year,
24 hours a day. We easily get aggravated when we have to wait more than a few minutes for a
service to respond, a shopping cart to update, or a set of data to download.

These Internet services include:


• Online retailers
Either big brand names (like Apple, Lenovo, Sony, and such), or the typical online store that
never existed in the pre-Internet domain (like Amazon, eBay, and such).
• Financial services
Almost everyone is conducting their banking affairs in an online fashion (like the transfer of
money, investment management, and such).
Improved payment services (either credit cards with EMV chips or mobile device payment
methods like ApplePay).
• Healthcare services
Remote patient access to medical records, communication with doctors and staff.
More globally connected healthcare systems that allow remote access to medical data for
consultations and diagnosis.
• Government services
Governments around the world are trying to provide better services for their citizens through a
plethora of online or mobile apps.

Example: Tax returns are accepted online and can be completed within days compared to
weeks (in paper form).
Example: Vehicle registration renewal takes less than 10 minutes without leaving your home or
having to stand in line.
Example: Reporting a damaged public installation (a fence in the park) using the mobile
community app can be submitted by a citizen including a picture and GPS coordinates.

(continue on next slide)


Internet services
• Insurance services
  - Online/mobile submission of claims
  - Flexible, location-specific policies
• Communication and social media
  - Skype, Twitter, QQmobile, WeChat, WhatsApp … a “jungle” of communication apps
  - Facebook, LinkedIn, Instagram, and many other personal data display platforms
  - People advertise their own weaknesses, personal connections, and whereabouts
  - What “seems to look” real “must be” real; do not trust
• Data and information transport, storage or gathering
  - WeTransfer, DropBox, Google, NSA, and so on
  - Look for 360 degree encryption (on your device … in transit … on their device)
• Virtual identity
  - Are you really who you say you are?
  - No authoritative source for authentication
  - Lately we’re seeing more one-time-password (OTP) and second factor (for example, biometric) authentication
• Remote control facilities and “Internet of Things”
  - SCADA networks, industrial control systems
  - Thermostats, washing machines, home security systems, light switches, cooking devices, cars, and so on

Internet services

These Internet services include:


• Insurance services
Mobile apps allow for claim submission (including photos, GPS coordinates, an indisputable time
stamp, biometric authentication, and such).
GPS and engine activity allow for a flexible insurance policy (while the vehicle is being driven
the rates are higher compared to when the vehicle is parked in the garage at home).
• Communication and Social Media
A wide variety of social media apps have become daily outlets of personal information streams.
Information that is not properly secured and publicly available can be used for “social
engineering purposes”.
• Data and information transport, storage or gathering
When storing private or corporate data in the cloud you have to worry about proper 360 degree
encryption of your data.

When participating in any online transactions people are relying on the “virtual identity” of their
transaction partners. This includes:
• Digital certificates from servers that are involved in any transaction (do we trust these server
certificates?)
• Spoofed Internet addresses (or slight differences in well known addresses, for example: GOOD
“www.amazon.co.uk” … BAD “www.amazon.co.uk.net”)
• User ID and password is no longer good enough for high risk transactions (although it may still
be accepted when you order a Pizza online)
• Banks, insurances, governments, and such are using more stringent methods like
second-factor authentication or one-time-passwords.
• Biometric authentication is becoming more common, too.
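The GOOD/BAD address pair above, turned into a defender-side check (added example code, not part of the course material): it extracts the host from a URL, reduces it to its registrable domain using a constructed, deliberately small public-suffix table, compares that against a constructed allowlist, and flags host names that merely contain a trusted name, such as www.amazon.co.uk.net.

```python
# Added example, not from the IBM course material.  The public-suffix table
# and the trusted-domain allowlist are constructed for this example only.
from urllib.parse import urlsplit

# Constructed, tiny stand-in for the Public Suffix List (publicsuffix.org):
# suffixes under which anyone can register a name.  A real deployment would
# load the full list instead of this hand-written set.
PUBLIC_SUFFIXES = {"com", "net", "org", "uk", "co.uk", "org.uk"}

# Constructed allowlist of registrable domains the organization trusts.
TRUSTED_DOMAINS = {"amazon.co.uk", "example.com"}


def registrable_domain(hostname: str) -> str:
    """Return the registrable domain: the longest known public suffix plus
    one label.  'www.amazon.co.uk' -> 'amazon.co.uk', but
    'www.amazon.co.uk.net' -> 'uk.net', because it is registered under .net."""
    labels = hostname.lower().rstrip(".").split(".")
    suffix_len = 0
    # Candidates are checked longest-first, so the first hit is the longest
    # matching public suffix ('co.uk' wins over 'uk').
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            suffix_len = len(labels) - i
            break
    if suffix_len == 0 or suffix_len >= len(labels):
        # Unknown suffix, or the name *is* a public suffix: keep the whole
        # name so it can still be compared against the allowlist.
        return ".".join(labels)
    return ".".join(labels[-(suffix_len + 1):])


def classify_url(url: str) -> dict:
    """Classify a URL against the allowlist.

    Returns the host, its registrable domain, whether that domain is trusted,
    and a 'lookalike' flag set when a trusted domain appears as a run of
    labels inside an untrusted host name (the 'www.amazon.co.uk.net' pattern).
    """
    parts = urlsplit(url if "://" in url else "http://" + url)
    # .hostname drops any 'user@' prefix and ':port', so a URL written as
    # 'https://www.amazon.co.uk@evil.example/' is judged by 'evil.example'.
    host = parts.hostname or ""
    domain = registrable_domain(host)
    trusted = domain in TRUSTED_DOMAINS
    lookalike = False
    if not trusted:
        labels = host.lower().split(".")
        for trusted_name in TRUSTED_DOMAINS:
            needle = trusted_name.split(".")
            n = len(needle)
            if any(labels[i:i + n] == needle
                   for i in range(len(labels) - n + 1)):
                lookalike = True
                break
    return {"host": host, "domain": domain,
            "trusted": trusted, "lookalike": lookalike}


if __name__ == "__main__":
    # The two addresses from the notes, plus a userinfo variant.
    for sample in ("https://www.amazon.co.uk/gp/cart",
                   "http://www.amazon.co.uk.net/login",
                   "https://www.amazon.co.uk@evil.example/"):
        print(sample, "->", classify_url(sample))
```

The lookalike flag is what a mail or proxy filter would turn into a user warning; the trusted flag alone decides whether the address is one the organization actually recognizes.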

Besides regular Internet services we are seeing more and more connectivity appear in the
“Internet-of-Things” (IOT). We have to closely monitor:
• … how these devices are connected into our existing network infrastructure.
• … if and how these devices can be connected to individual personas.
• … how data traffic with these devices is being handled (encrypted/clear).
• … how these devices can be remotely controlled, for example, turn off the air condition in your
home, disable the brakes of an Internet enabled vehicle, and such.

Industrial control systems (ICS) are other forms of services that may not be openly accessible to
the public via the Internet; however, many of those large industrial complexes utilize Internet
connections for many control-related capabilities. Accessing ICS installations with malicious intent
has become a serious threat in recent times: disabling cooling systems in nuclear power plants,
re-routing power grid distribution, altering chemical composition mixtures in oil refineries, etc.

Because most of these services are intended to be accessible by a wide public audience, there are
many avenues for malicious attacks in many forms.

It is important to understand that everyone, good or bad guys, who wants to interact with these
services has to use a “network infrastructure” of some sorts to get to the services.

(continue on next slide)


Internet services and the vanishing network perimeter

• Mainframe centered IT
• Physical network model
• Directly connected terminals to mainframe
• Batch mode

(Figure: Green Zone infrastructure: mainframe with directly attached 3270 terminals)


Internet services and the vanishing network perimeter

How do all these Internet services relate to the networking infrastructure principles?

Well, it all started in the “glass-house”, where organizations first implemented centralized IT
infrastructures around a mainframe computer. The purely physical network had terminals hard
wired to the mainframe. If you wanted to access data on the mainframe, you had to use one of
these terminals in batch mode to either enter or retrieve data.

Access was controlled with IDs and passwords as well as physically, where administrative terminals
were only accessible on locked premises.


Internet services and the vanishing network perimeter (2 of 4)

• Client / Server computing
• Physical network model
• Directly connected workstations to mainframe and servers
• Highly interactive
• Employees shielded in separate network zone
• Concept of router and firewall

(Figure: two Green Zones with mainframe, application servers and database servers; employees, administrator, contractors)


Internet services and the vanishing network perimeter (2 of 4)

With the introduction of the client/server computing model we first saw a distribution of workloads
between so called servers and client workstations for user interactions.

Clients were still hard wired into a local physical network attaching them to centralized and
decentralized servers of all sorts and sizes. The first firewall concepts were introduced, which were
able to segregate network traffic. In the early stages of commercially used TCP/IP networks, different
segments of networks were connected through routers, and traffic flows were controlled through more
sophisticated firewalls. Employees were shielded from highly sensitive data in their own separate
network zones.

Organizations that had to establish remote network connections were using leased lines, which
represented private networks that were not accessible by anybody else from the outside. This way
banks built private networks with their branch offices, retail stores connected remote cash registers
with centralized computing systems, and so on.


Internet services and the vanishing network perimeter (3 of 4)


• Service Oriented Architecture and distributed services
• Physical interconnected network model
• Directly and remotely connected workstations to mainframe and servers
• Highly interactive
• Users shielded in separate network zone
• Remote users (usually employees or other businesses) shielded via DMZ and identity and access management solution

(Figure: remote locations reach HTTP servers in a DMZ over the Internet or leased lines; behind it, Green Zones with mainframe, application servers and database servers; employees, administrator, contractors)


Internet services and the vanishing network perimeter (3 of 4)

The next phase introduced the use of public network services (the Internet) for network
connectivity. This ubiquitous network technology began to replace most of the more proprietary
forms of network protocols very fast, and TCP/IP with all its capabilities and flaws started to take
over.

At this time networks were still relying on physical connections. Central and remote networks began
to utilize public network infrastructures to exchange information, and the need for encryption (data
at rest and data in transfer) was becoming more important.

Application models (service oriented architectures) now allowed flexible components to be
distributed between application servers and even executed on the client. Identity and access
management solutions for user-related access control became more and more widespread.


Internet services and the vanishing network perimeter (4 of 4)


• BYOD and distributed services
• Loosely connected network model
• Directly and remotely connected devices and applications to network and services
• Highly interactive and uncontrollable
• Network perimeter does not exist
• Remote users such as clients, employees, contractors, and everyone else connect from everywhere

(Figure: remote and public locations reach HTTP servers in a DMZ over the Internet or leased lines; behind it, Green Zones with mainframe, application servers and database servers; employees, administrator, contractors)


Internet services and the vanishing network perimeter (4 of 4)

Looking at today’s network infrastructure we have added wireless connectivity of computer systems
and all sorts of mobile and “smart” devices that are capable of running a diverse mixture of
applications using one or many identities.

This new network infrastructure opens millions of new capabilities for businesses and governments
to deliver services of all kinds.

Put yourselves into the position of managing and controlling access to your organization’s IT
resources while empowering as many users as possible AND at the same time securing your
assets appropriately.


The device becomes the perimeter


• All network traffic is considered “suspicious”
ƒ Look for patterns, analyze behavior, track your data flow
ƒ Do not blindly trust identities and granted access
• Tightly monitor and control all IT assets
ƒ This includes all BYOD assets such as smart devices, laptops, and
so on
ƒ Log, catalog, and remediate vulnerabilities
ƒ If it cannot be fixed, cut access privileges
• No more “unscanned” applications open to business
• Put a tight leash on your privileged users
• Monitor and report on all access to important data
ƒ Structured and unstructured
• Educate your users, that is, employees, contractors, customers, and so on
ƒ Not just once, but constantly
• Centrally collect and correlate ALL suspicious IT events
ƒ Apply intelligent algorithms to filter and focus


At this time you have to realize that the device ultimately becomes the network perimeter.

Closely examine these security paradigms and define a strategy to understand and implement
them.


The IT Security landscape in 2015


• Internet services and the vanishing network perimeter
• Regulations
• Governance
• Privacy
• Risk management
• Threat and fraud landscape


The IT Security landscape in 2015 - Regulations, Governance, Privacy, and Risk

The fact that the IT networks can be used by anyone with access to a computer requires proper
regulation for individuals, organizations, and the Internet as a whole.


Governance, Risk, and Compliance (GRC)

[Slide diagram: GRC at the intersection of Governance, Risk management, and Compliance; types of GRC: Financial, Legal, IT, Environmental, Health, Safety]

GRC defines how an organization understands stakeholder expectations and then directs and manages activities to maximize performance against those expectations; at the same time, GRC manages risks and complies with applicable laws, regulations, and obligations

GRC is not just focused on one area of the business; each business line approaches GRC differently based on the laws, regulations, and obligations that must be satisfied

An IT Security practitioner will most likely be involved in IT GRC projects and implementations; however, it is paramount that everyone who is dedicated to IT security understands the bigger business picture




IT-GRC capabilities

[Slide diagram, labels: Best Practices (ISO 27002, CoBIT, COSO, ITIL); Regulations (HIPAA, GLBA, FISMA, SOX, NERC); Industry (PCI, NIST); GRC Tools (MSS – SIEM, Vulnerability Scanning, Firewall); Consulting (Gap Assessments, Audits); Ethical Hacking; Threat Analysis (X-Force)]

ƒ IT-GRC is a subset of GRC programs focused on implementing technical, administrative, and security controls; these controls are in place to satisfy various laws, regulations, and/or obligations
ƒ Administrative Controls require a formal and structured IT GRC management approach to ensure that they remain relevant and consistently address the security needs of the organization
ƒ Technical Controls should be guided by a decision process that includes regulations, business needs, and an assessment of risks
ƒ Security Controls are safeguards or countermeasures to avoid, counteract or minimize security risks; to help review or design security controls, these controls can be classified by several criteria
ƒ Before the event, preventive controls are intended to prevent an incident from occurring
ƒ During the event, detective controls are intended to identify and characterize an incident in progress
ƒ After the event, corrective controls are intended to limit the extent of any damage caused by the incident




IT Governance

ƒ IT Governance is often misunderstood and is much more an art than a science
Based on leadership style and operating model, a balanced governance needs to enable IT to complete the following tasks
• Align with business priorities
• Manage risk
• Optimize resources
ƒ The focus is to put practices in place to Govern and Manage the IT while mitigating risk
• Govern: Evaluate, Direct, and Monitor
• Manage: Plan, Build, Operate, and Monitor




IT Risk Management
Security risk exists when the following conditions are met

Threat (Actor) can exploit Vulnerability (Weakness) and cause Impact (Loss)

• A high severity security event is meaningless without an understanding of vulnerability and impact.
• As a result, threat management extends well beyond security, to device management, operations, business management, and more…
• Given limited time and resources, a proper assessment of risk identifies the most critical investments (rather than relying on gut instinct)



IT Risk Management covers activities that are related to overseeing and driving the security risk
posture of the enterprise IT environment. IT Risk Management can be divided into the following
disciplines:
• Risk Identification
Risk Identification refers to the ability to discover, recognize, and verify the existence of specific
risks. It also encompasses the structuring of risk by mapping it into clearly defined classification
schemes that can be specific to the industry or even to the risk taxonomy of an individual
organization.
• Risk Analysis
Risk Analysis refers to activities that are related to the categorization, qualification, or
quantification of the likelihood and impact of risks. It also covers the investigation of
connections, dependencies, and correlations among various risks.
• Risk Controlling
Risk Controlling covers the determination of activities that can be used to address risks. The
valid activities can range from risk acceptance, through different approaches of risk mitigation, to
risk transfer. Risk Controlling also includes the determination of costs for such activities and the
identification of potential risk and risk mitigation owners and actors. Another important part of
Risk Controlling is tracking the status of identified and agreed risk mitigation activities until their
closure.
• Risk Reporting

Similar to Compliance Reporting, Risk Reporting refers to the ability to summarize analyzed risk
data and other risk-relevant information and to provide different levels of detail about the
security risk posture to different parts of the organization as input for further analysis and
processing.


IT Compliance Management
• When an organization operates in accordance
with expectations, the process is called
compliance management
• For the area of IT security, the expectations are
formalized as requirements in the IT security
policies and can include the following items
ƒ Requirements from the individual mission statement
of an organization, such as ethical behavior or
business conduct guidelines
ƒ Requirements that are derived from external laws and
regulations



IT Compliance Management covers activities that are related to overseeing and driving the security
compliance state of the IT environment. IT Compliance Management can be divided into the
following disciplines:
• Compliance Monitoring
Compliance Monitoring refers to the observation of the environment to identify gaps between
the actual operations, the internal policies and standards, and the requirements as they derive
from external industry regulations, laws, and orders.
• Compliance Auditing
Compliance Auditing refers to the ability to match event sources and their event streams to
compliance reporting requirements for IT security and produce reports that are based on those
event streams, either periodically or on demand as part of an audit. Managing the association
between the event source reports and the compliance reporting requirements is a key capability
of this component. Also, compliance requirements often impose record retention requirements
on audit data, which might be different from the retention requirements for the event streams in
the IT environment in general. From an IT operations perspective, the event streams are more
short lived, while data that supports compliance audits might have a life span of multiple years.
• Compliance Controlling

Compliance Controlling stands for the continuous work that is contributed by IT security
compliance experts throughout the various parts of an organization, focusing mostly on two key
activities:
– Compliance support
– Compliance tracking
Compliance support refers to providing advice and guidance to users who are not necessarily
compliance experts, but whose activities are subject to compliance. For example, compliance
experts work with a business unit to help them prepare for an upcoming audit or to help during
an audit. Similar to an attorney at law in court, a compliance expert can help an audited
business unit with the preparation of paperwork that is requested by the auditors or in the
preparation of audit interview partners for their meeting with the auditors.
The other aspect of Compliance Controlling is compliance tracking, which covers the structured
documentation of follow-up activities after an audit and the progress of these activities until
closure. The activities are either determined by the auditor directly or are derived by an analysis
of audit results as those actions, which must be implemented to mitigate identified compliance
and security issues.
Compliance Controlling is a continuous process (before, during, and after the audit) and, hence,
requires substantial ongoing efforts of a well-functioning compliance regime in an organization.
• Compliance Reporting
Compliance Reporting refers to the ability to summarize analyzed event data and other
security-relevant information for the specific use of demonstrating compliance. Most often,
reporting is used to assess regulatory compliance or compliance with security service level
agreements and overall compliance performance of the IT environment. From an internal
security perspective, Compliance Reporting is most commonly used to demonstrate control
over security policies and to identify trends in security compliance.


Compliance management versus IT security compliance management


This course intentionally distinguishes between compliance management and IT security
compliance management

• A compliance management system represents the practice that an organization applies to manage the entire compliance process, such as the audit compliance functions that independently test the organization’s compliance program, and includes adherence to all policies, procedures, and applicable laws and regulations

• An IT security compliance management system represents a method that can help an organization prove that its IT systems and infrastructure are being operated according to all policies, procedures, and applicable laws and regulations

This proof can be achieved by continually and consistently collecting log information to
document and report on who accessed important IT resources, and when those accesses
occurred




Compliance versus Control


If you have been audited (or if you have audited someone), you probably know that there is a
difference between being in compliance and being in control
• When you are in compliance, all your systems and processes are operated and delivered
according to the security policies and standards, and you have evidence for compliance
• When you are in control, you know what is in compliance and what is not, you know why,
you have a plan of action, and you have evidence for control
Now, which is more important?
• Being in control is more important because you can be in compliance by accident;
furthermore, if you are compliant but not in control, chances are high that you will not stay
compliant for very long
• If you are in control, you will end up being compliant eventually, or at least you will have it on
record why you are not compliant
• In addition, if you are not compliant and not in control, gaining control must be your primary
goal, which is why more and more often regulations shift from compliance to control
objectives




The IT security landscape in 2015


• Internet services and the vanishing network perimeter
• Regulations
• Governance
• Privacy
• Risk management
• Threat and fraud landscape


The IT security landscape in 2015 - Threat and fraud landscape

• Threats and fraud
Malicious actors pose threats to your IT operations in order to fraudulently access and retrieve
information (secrets, PII, monetary assets, and such). These threats use many different attack
vectors (network, application, physical, social) and are constantly evolving.


Threat and fraud landscape and evolution



In the early 2000s, the industry observed basic threats such as worms and viruses. Attackers were
relatively unsophisticated and unorganized.

Over time, threats evolved to include spyware and rootkits. They became harder to find and detect.
Their objective was to conceal themselves deep in a target system and carry out stealth attacks
that evaded detection and maintained privileged access for future compromise. This new class of
attacks gave rise to a heightened focus on perimeter security with Intrusion Prevention Systems
(IPS) and Intrusion Detection Systems (IDS).

Now, advanced persistent threats and cyberwarfare are serious menaces to security. Entire nation
states are involved in these types of threats. It’s not just enterprises being impacted but entire
governments. The threats are backed by well-funded, organized groups with specific goals in mind
and sophisticated tools to launch targeted attacks. Stuxnet is a good example of this new class of
threat trending in the security landscape. These attacks leverage the same exploit patterns as in
the past, but combine them across multiple attack vectors in a sustained lifecycle. Organizations
added reputation and sandboxing to defend against this formidable threat.

Looking forward, we will feel the impact of the “Any-to-Any” challenge. That is, any user on any
device, increasingly using any type of network connection, with any application, and on any cloud.
Many of these connections and interactions are happening simultaneously, leading to blended
business and personal applications on the same platform.

Mobility and cloud are profoundly expanding the attack surface. As the number of connections
increases and the volume of information being processed over the network grows, we are in a time

when global, cloud-based intelligence and real-time analytics are increasingly critical to our network
defense.

Source: Cisco Security Intelligence Operations: Defense in Depth blog,
http://blogs.cisco.com/ciscoit/cisco-security-intelligence-operations-defense-in-depth


Attackers break through conventional safeguards every day

[Slide chart: security incidents by year; 2012: 40% increase; 2013: 800,000,000+ records; 2014: Unprecedented impact]

Attack types: XSS, Heartbleed, Physical access, Brute force, Misconfig., Watering hole, Phishing, SQLi, DDoS, Malware, Undisclosed

Source: IBM X-Force Threat Intelligence Quarterly – 1Q 2015

For more research visit the IBM X-Force Interactive Security Incidents site



A new security reality is here, where…

Sophisticated attackers break through conventional safeguards every day.

Organized criminals, hacktivists, governments and adversaries are compelled by financial gain,
politics and notoriety to attack your most valuable assets. Their operations are well-funded and
business-like ‒ attackers patiently evaluate targets based on potential effort and reward. Their
methods are extremely targeted ‒ they use social media and other entry points to track down
people with access, take advantage of trust, and exploit them as vulnerabilities. Meanwhile,
negligent employees inadvertently put the business at risk via human error. Even worse, security
investments of the past can fail to protect against these new classes of attacks. The result is more
severe security breaches more often.

Note: The size of the circle indicates the estimated relative impact.

In the past three years, the amount of data records and variety of attacks have expanded to epic
levels.
• 2012: Near Daily Leaks of Sensitive Data
40% increase in reported data breaches and incidents
• 2013: Relentless Use of Multiple Methods

800,000,000+ records leaked, while the future shows no sign of change
• 2014: “Insane” Amounts of Records Breached
42% of CISOs claim the risk from external threats increased dramatically from prior years.

Source: IBM X-Force Threat Intelligence Quarterly – 1Q2015
https://www.software.ibm.com/webapp/iwm/web/signup.do?source=swg-WW_Security_Organic&S_PKG=ov33510&S_TACT=C327017W&dynform=18101_


Where trade magazines tout advanced threats, the vast majority are not

[Slide table with columns Threat Type, % of Incidents, and Threat Profile; chart axis label: Potential Impact]

Threat Type: Advanced, Persistent Threat / Mercenary (National governments; Organized crime; Industrial spies; Terrorist cells)
% of Incidents: Equals less than 10 percent
Threat Profile: Sophisticated tradecraft; Foreign intelligence agencies, organized crime groups; Well-financed and often acting for profit; Target technology as well as information; Target and exploit valuable data; Establish covert presence on sensitive networks; Difficult to detect; Increasing in prevalence

Threat Type: Hacktivist (White hat and black hat hackers; Protectors of Internet freedoms)
% of Incidents: Equals less than 10 percent
Threat Profile: Inexperienced-to-higher-order skills; Target known vulnerabilities; Prefer denial of service attacks BUT use malware as means to introduce more sophisticated tools; Detectable, but hard to attribute; Increasing in prevalence

Threat Type: Opportunist (Worm and virus writers; Script Kiddie)
% of Incidents: 20 percent
Threat Profile: Inexperienced or opportunistic behavior; Acting for thrills, bragging rights; Limited funding; Target known vulnerabilities; Use viruses, worms, rudimentary Trojans, bots; Easily detected

Threat Type: Inadvertent Actor (Insiders - employees, contractors, outsourcers)
% of Incidents: 60 percent
Threat Profile: No funding; Causes harm inadvertently by unwittingly carrying viruses, or posting, sending, or losing sensitive data; Increasing in prevalence with new forms of mobile access and social business

Source: Government Accountability Office (GAO), Department of Homeland Security's (DHS's) Role in Critical Infrastructure Protection (CIP) Cybersecurity, GAO-05-434


This chart shows that the majority of threats that a typical organization will encounter are not the
so-called APTs, but rather much more minor disturbances. Although these disturbances have much
less impact than a targeted APT, they must be dealt with to avoid or reduce potential exposure and
data loss.

This large amount of lower-impact threats can distract from the sophisticated APTs that have the
potential to cause enormous damage.

In many cases you will find a very high amount of malicious activity based on low-impact threats to
mask a highly sophisticated exploit that exfiltrates the more valuable assets at the same time,
which makes it very hard for the security operations team in an organization to detect the advanced
threat in time.
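The masking effect described above, shown with an added example that is not part of the course material: a small Python correlator over constructed events (hypothetical host names, asset values, and addresses) first triages by sensor severity, where the ten loudest events are all worm scans on workstations, and then aggregates per source host weighted by business value, where the quiet, regular transfers from the customer database to one external address rise to the top.

```python
# Added example, not from the IBM course: toy correlation over constructed
# events showing how a flood of low-impact noise hides a quiet exfiltration
# from a high-value asset, and how asset-aware aggregation surfaces it.
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    ts: int          # seconds since the start of the observation window
    src: str         # internal host that generated the event
    dst: str         # destination address
    kind: str        # sensor event category
    severity: int    # sensor-assigned severity, 1 (low) to 10 (high)
    bytes_out: int   # outbound payload bytes observed on the flow


# Constructed asset inventory (hypothetical host names): business value 1..10.
ASSET_VALUE = {f"ws-{i:03d}": 2 for i in range(40)}
ASSET_VALUE["db-cust-01"] = 10  # customer database, the most valuable asset


def is_external(dst):
    # Constructed convention for this example: 10.0.0.0/8 is the internal network.
    return not dst.startswith("10.")


def constructed_events():
    """Build the sample event stream: 240 noisy scans plus 48 quiet transfers."""
    events = []
    # Noise: every workstation trips a worm-scan signature six times.
    # Medium severity, tiny payloads, internal destinations only.
    for i in range(40):
        for k in range(6):
            events.append(Event(ts=60 * i + 7 * k, src=f"ws-{i:03d}",
                                dst=f"10.0.{i}.{k + 1}", kind="worm-scan",
                                severity=3 + k % 3, bytes_out=400))
    # Signal: the database server pushes 2 MB every 30 minutes to a single
    # external address (203.0.113.7 is a documentation range). The sensor
    # rates each flow severity 1 because HTTPS egress looks ordinary.
    for k in range(48):
        events.append(Event(ts=1800 * k, src="db-cust-01", dst="203.0.113.7",
                            kind="outbound-https", severity=1,
                            bytes_out=2_000_000))
    return events


def triage_by_severity(events, top_n=10):
    """Naive triage: the analyst works the highest-severity single events.
    Returns the source hosts of the top_n events."""
    ranked = sorted(events, key=lambda e: (-e.severity, e.ts))
    return [e.src for e in ranked[:top_n]]


def correlate_by_asset(events, top_n=3):
    """Asset-aware correlation: aggregate per source host and weight the
    bytes sent to external destinations by the host's business value.
    Returns (host, score, event_count, external_destinations) tuples."""
    agg = defaultdict(lambda: {"events": 0, "ext_bytes": 0, "ext_dsts": set()})
    for e in events:
        a = agg[e.src]
        a["events"] += 1
        if is_external(e.dst):
            a["ext_bytes"] += e.bytes_out
            a["ext_dsts"].add(e.dst)
    scored = []
    for host, a in agg.items():
        mb_out = a["ext_bytes"] / 1_000_000
        score = ASSET_VALUE.get(host, 1) * mb_out
        scored.append((host, round(score, 3), a["events"], sorted(a["ext_dsts"])))
    scored.sort(key=lambda row: (-row[1], row[0]))
    return scored[:top_n]


if __name__ == "__main__":
    evs = constructed_events()
    print("severity triage, top 10 sources:", triage_by_severity(evs))
    for host, score, n, dsts in correlate_by_asset(evs):
        print(f"{host:12} score={score:8.1f} events={n:3d} external={dsts}")
```

The severity view never shows db-cust-01 at all, while the correlated view ranks it first with a score of 960 (10 × 96 MB to one external address); the point is the aggregation across events and asset value, not the particular weights.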


The importance of early detection and rapid response


Compromises take days or more to discover in 96% of cases, and over 91% take weeks or more to contain
Time span of events by percent of breaches



This chart documents the terrible reality that most organizations face today.

The upper two horizontal lines in this chart represent the activities of the bad guys. The chart shows
that it takes an attacker usually between seconds, minutes, and hours to initially compromise their
targets, and about the same amount of time to begin their data exfiltration after the compromise has
been successful.

On the mitigation side it takes the security operations group between days, weeks, and even
months to discover that there has been a compromise in their IT environment.

After the discovery it typically takes them another set of days, weeks, or months to contain and
remediate the situation.


Source:
http://www.verizonbusiness.com/resources/reports/rp_data-breach-investigations-report-2012_en_xg.pdf?CMP=DMC-SMB_Z_ZZ_ZZ_Z_TV_N_Z038


The ultimate goal of a real-time Security Intelligence solution is to move the lower frame as far left
as possible. This means that the moment an attacker penetrates our perimeter with any kind of
malware the IT security operations group will know about it.

There are other IT security disciplines that can help organizations move the upper frame to the right
by making it harder for the attackers to a) gain a foothold in your organization, and b) exfiltrate data
after they managed an initial compromise. Those security disciplines can include, but are not
limited to, database encryption, masking, and activity monitoring as well as privileged identity and
access management.


Why IT security

Business results: Sony estimates potential $1B long term impact – $171M / 100 customers*
Brand image: HSBC data breach discloses 24K private banking customers
Supply chain exposure: Epsilon breach impacts 100 national brands
Legal: TJX estimates $150M class action settlement in release of credit / debit card info
Impact of hacktivism: Lulzsec 50-day hack-at-will spree impacts Nintendo, CIA, PBS, UK NHS, UK SOCA, Sony …
Audit risk: Zurich Insurance PLc fined £2.275M ($3.8M) for the loss and exposure of 46K customer records

*Sources for all breaches are shown in the text




Sources
• Sony breach
http://www.search.sony.net/result/net/search.x?ie=utf8&site=&pid=ACsW7rd0W_Zt_QIz-sORfA..&qid=rOX1wPP0JvM.&q=security+breach&msk=1#5
• HSBC breach
http://news.bbc.co.uk/2/hi/business/8562381.stm
• Epsilon breach
http://www.securityweek.com/massive-breach-epsilon-compromises-customer-lists-major-brands
• TJX breach
TJX Companies, Inc. press release, 8/14/2007
http://www.businesswire.com/news/tjx/20070814005701/en
• Lulzsec breach
http://www.reuters.com/article/2011/08/01/us-britain-hacking-lulzsec-idUSTRE7702IL20110801
• Zurich Insurance breach
(Financial Services Authority of Britain)
http://www.fsa.gov.uk/pubs/final/zurich_plc.pdf


Security leaders are more accountable than ever before

CEO / COO: Loss of market share and reputation; Legal exposure; Business continuity
CCO / CFO: Audit failure; Fines and enforcement impact; Financial loss
CIO / CISO: Impact to data and systems (confidentiality, integrity, availability)
CHRO / CDO: Violation of employee privacy; Loss of sensitive data
CMO: Loss of customer trust; Loss of brand reputation

Your board and CEO demand a strategy



We know security has long been a top priority for CISOs and CIOs. Increasingly sophisticated and
costly advanced attacks, along with deteriorating security perimeters have raised the issue to the
view of CEOs and Boards. The adoption of cloud, mobile and big data technologies has increased
the potential attack surface. These trends combine to create an acute, growing need for
comprehensive, integrated security solutions.

Source: IBM C-Suite Study; 13,000 C-Suite executives were included in the IBM study.

According to IDC’s 2015 Study, “The State of the ‘C’ in CISO Study”, 42% of CISOs were, in fact,
reporting to their company's board of directors on a quarterly basis. This level of interaction
provides the open lines of communication necessary to ensure that an organization understands its
security capabilities and value delivered at the highest level.

Source: 2015 IDC Survey, “The State of the ‘C’ in CISO Study”

Lesson 3 Business and IT drivers that influence security in an organization


Definitions

• Business drivers
These drivers represent a relationship between the IT organization and the rest of the business; they refer to business needs that must be supported by the IT security infrastructure; they measure value, risk, and economic costs that influence an organization’s approach to IT security
ƒ Value drivers determine the worth of assets of the system to the business and of the business itself
ƒ Risk drivers involve compliance, corporate structure, corporate image, and the risk tolerance of the company
ƒ Economic drivers determine productivity impact, competitive advantage, and system cost

• IT drivers
These drivers represent operational constraints in the general IT environment; for example, the complexity of a system, including its environment, that is exposed to internal and external threats presents risks that the organization must address
ƒ The IT drivers represent technical considerations that can affect the trustworthiness of the IT environment and the managed business systems as a whole
ƒ IT drivers are universal and must be considered within the context of the business drivers in all efforts

The combination of business and IT drivers represents the key initiatives for security management




Business drivers that influence security


• Correct and reliable operation
ƒ Correct operation means that the operations perform the correct response or function with no errors
ƒ Reliable means that the same result occurs all the time; any IT system must consistently provide stakeholders
with the expected results

• Service-level agreements (SLAs)
ƒ SLAs incorporate acceptable conditions of operation within an organization
ƒ SLAs might vary from business system to business system or application to application
ƒ The availability of systems, data, and processes is a condition that is commonly referenced within SLAs
ƒ Security threats can impact SLAs and thereby an organization’s ability to conduct business

• Asset value
ƒ From a business perspective, the asset value is directly related to the value of the business transactions that it
supports
ƒ Asset value can mean many different things for different organizations, including tangible and intangible assets
such as physical merchandise, research documents, or other intellectual capital, personal and private data,
people, and so on


Business drivers that influence security (2 of 4)


• Protection of the business asset value of brand image
ƒ This driver captures the firm's desire to protect its image
ƒ The loss of goodwill from a security incident or attack has a direct consequence to the business; therefore, the
security measures should be proportional to the consequence

• Legal and regulatory compliance


ƒ Legal and regulatory compliance involves externally imposed conditions on the transactions in the business
system and the company
ƒ This compliance includes the rules and policies that are imposed by industry, regulatory, and government
organizations
ƒ Civil liability and criminal or regulatory penalties from a security incident or attack have a negative
consequence on the business; therefore, the extent of regulation and measures taken to ensure that
compliance should be factored in this driver, including privacy issues, the ability to identify and document
transactions and their initiators, and proving compliance


Business drivers that influence security (3 of 4)


• Contractual obligation
Security measures for an IT system should be proportional to the consequences incurred when the business
encounters contractual liability from a security attack; for example, when security incidents occur, the business
might be unable to fulfill its contractual obligation to provide goods or services

• Financial loss and liability


ƒ Direct or indirect financial loss is a consequence to the business as a result of a security incident
ƒ Direct loss might include theft of assets, theft of service, or fraud
ƒ Indirect loss might include a loss that is based on civil or criminal judgment, loss of good will, impact to
organizational reputation or brand image, or reprioritized budget allocation
ƒ This driver identifies the fact that security measures for an IT system are likely to be in proportion to these
consequences


Business drivers that influence security (4 of 4)


• Critical infrastructure
ƒ This driver applies where security threats or threat agents can have a major impact on services or resources
that are common to, or shared among, a community of businesses, the population at large, or both; examples
include telecommunications, electrical power grids, transportation systems, computing networks, and others
ƒ The loss of a critical infrastructure by its provider might have a ripple effect, causing secondary losses and
driving security decisions for those parties that are affected
ƒ Identifying critical infrastructure is an important part of risk analysis

• Safety and survival


This driver applies where security threats and threat agents can have a major impact on aspects of human life,
government function, and socio-economic systems; examples of processes to be considered for safety and
survival impact include continuity of critical infrastructure, medical systems, life support, or other high-impact or
time-dependent processes


IT drivers that influence security


• Internal threats
ƒ Security-related failures and incidents are caused by threats that are found within the physical and logical
boundaries of the organization that operates and controls the IT system; these threats might be associated
with technology or people
ƒ An example of an internal threat is a poorly designed system that does not have the appropriate controls or a
person who uses his ability to access the IT system or influence business or management processes to carry
out a malicious activity

• External threats
ƒ Security-related failures and incidents are caused by threats that are found outside the physical and logical
boundaries of the organization that operates and controls the IT system
ƒ These threats are also associated with technology or people; they seek to either penetrate the logical or
physical boundary, or to influence business or management processes from outside the logical or physical
boundary
ƒ One example of an external threat is a computer virus or worm that penetrates the physical or logical network
boundary; another example is an attacker, or someone who gained the ability to act as an insider, using
personal electronic credentials or identifying information


IT drivers that influence security (2 of 4)


• IT service management commitments
This driver identifies the fact that failure to manage the operation of the IT system might result in
security exposures to the business; this driver can be divided into two categories: IT service delivery
and IT service support

ƒ Service delivery commitments


The failure of the IT system can result in a security exposure to both business or management processes

An example of security exposure for service delivery occurs when IT operational processes cannot respond to
critical events in a timely manner; another example would be IT resilience processes that cannot recover from
a denial-of-service attack in a timely manner, resulting in a loss of capacity or response time for business
processes

ƒ Service support commitments


The failure of the business or IT management system to meet its service-level agreements can be viewed as a
security exposure to business or management processes

An example of security exposure for service support is a situation in which the customer relationship processes
do not add, modify, or remove users from access control lists in a timely manner


IT drivers that influence security (3 of 4)


• IT environment complexity
The complexity of the IT environment might contribute to the security or insecurity of the IT system;
the IT environment reflects the infrastructure on which the business system is placed

For example, any IT environment that is connected to the intranet or extranet is exposed to internal or
external threats or threat agents and requires specific security responses
ƒ A stand-alone facility represents the lowest complexity
ƒ A hosting facility with other systems and other firms represents a more complex environment
ƒ An environment with a larger number of systems, varied network access paths, or a complex architecture
increases the complexity of an IT environment

• Business environment complexity


Most business environments consist of an interconnected set of organizations, each with its own
complex IT environment, business processes, and IT management processes
This complexity contributes to the risk associated with the IT system


IT drivers that influence security (4 of 4)


• Audit and traceability
This driver identifies the need for the IT system to support an audit of information that is contained
within the system, whether it is associated with management data or business data

• IT vulnerabilities
IT systems can contain vulnerabilities that are caused by many factors; they can occur because of
misconfiguration of a system itself, or because of software defects

Many vulnerabilities can go undetected for long periods of time; they can lead to so-called zero-day
attacks when they are discovered and rapidly exploited

Usually, it is this discovery or disclosure that leads to the actual exploitation, which results in the actual
threat and risk to an organization; exploitation might also be because a function was used within a
system in an unintended way that compromises the system or underlying data


Let us summarize
• We understand the major technology drivers
Mobile, BYOD, Big Data, Cloud, Social
• We observed the increasing number and intensity of attack vectors
Backed and researched by the IBM X-Force
• We examined the IT Security landscape in 2015 by looking into the following aspects
ƒ The variety of Internet services and the vanishing network perimeter
ƒ Various regulations, governance, privacy, and risk management aspects
ƒ The threat and fraud landscape
ƒ The reasons why IT Security has become an executive discussion
• We investigated business and IT drivers that influence IT Security in an organization

Now it is time to examine the proper IT Security portfolio and the specific role of Security Intelligence

Lesson 4 Security Intelligence is at the center of a comprehensive security portfolio


Security Intelligence at the center of a comprehensive security portfolio

SECURITY TRENDS: Advanced Threats • Mobile and Internet of Things • Cloud • Compliance Mandates • Skills Shortage

Comprehensive Security Portfolio
• Strategy, Risk and Compliance
• Cybersecurity Assessment and Response
• Security Intelligence and Operations
• Advanced Fraud Protection • Identity and Access Management • Data Security • Application Security • Network, Mobile and Endpoint Protection
• Advanced Threat and Security Research

DELIVERY MODELS: Management Consulting • Systems Integration • Integrated Products • Security as a Service • Managed Security • Partner Ecosystem


Security Intelligence at the center of a comprehensive security portfolio

The new way to think about security:

Intelligence is the new defense -- it helps prevent threats faster and make more informed
decisions.

IBM Security helps clients gain valuable intelligence through a common and intuitive view that
combines deep analytics with real-time security intelligence.

Integration is the new foundation -- it puts security in context and automates protection.

IBM Security helps clients create an integrated security foundation through unifying existing tools
and infrastructures with new forms of defense in order to reduce complexity and lower the cost of
maintaining a strong security posture.

Expertise is the new focus -- it is essential to leverage global knowledge and experience to stay
ahead.

IBM Security helps clients achieve expertise through a more proactive and trusted source of truth
in order to stay ahead of emerging threats and risks.

Every organization needs a comprehensive enterprise security portfolio customized to its needs.
It needs to detect new threats, deploy security innovations, and reduce the cost and complexity of IT
security.

In the next unit we will take a close look into the capabilities of such an IT Security portfolio.

Let us finalize the first unit with a real world example of what it means to holistically address the IT
Security requirements for PCI-DSS.


IT Security Governance for PCI-DSS regulation and the role of Security Intelligence

PROFESSIONAL SERVICES • SOFTWARE SOLUTIONS • MANAGED SERVICES • HARDWARE

(Slide graphic: twelve panels, one per high-level PCI DSS requirement, each listing the IT Security disciplines that address it)

Panel titles: Firewall to Protect Cardholder Data • No Default Passwords or Security Parameters • Protect Stored Cardholder Data • Encrypt Transmission • Use and Update Anti-Virus Software • Secure Systems and Applications • Restrict Access • Unique IDs • Restrict Physical Access • Monitor Access • Test Security Systems and Process • Security Policy for Employees and Contractors

Disciplines named across the panels: Security Intelligence • Endpoint Protection • Network Protection • Governance, Risk and Compliance • Managed Security Services • Identity Management • Access Management • Data Access Management • Application Security • Key Lifecycle Management • Storage Management • Data Encryption • Security Strategy, Risk and Compliance Services • CyberSecurity Assessment and Response Services • Data and Application Security Services • Identity and Access Management Services


IT Security Governance for PCI-DSS regulation and the role of Security Intelligence

The individual sections display the 12 high-level PCI DSS requirements that every organization has
to address to claim compliance. The different IT Security disciplines listed in each of the categories
outline the broad spectrum of defenses that have to be in place.


IT Security Governance for PCI-DSS regulation and the role of IBM Security Solutions

IBM PROFESSIONAL SERVICES • IBM SOFTWARE SOLUTIONS • IBM MANAGED SERVICES • IBM HARDWARE

(Slide graphic: the same twelve PCI DSS requirement panels, each listing the IBM solutions that address it)

Panel titles: Firewall to Protect Cardholder Data • No Default Passwords or Security Parameters • Protect Stored Cardholder Data • Encrypt Transmission • Use and Update Anti-Virus Software • Secure Systems and Applications • Restrict Access • Unique IDs • Restrict Physical Access • Monitor Access • Test Security Systems and Process • Security Policy for Employees and Contractors

IBM solutions named across the panels: IBM Security QRadar • IBM Security BigFix (Endpoint Manager) • IBM OpenPages • IBM Security Network Intrusion Prevention • IBM Security Intrusion Prevention • IBM Security Strategy, Risk and Compliance Services • IBM Managed Security Services • IBM Security Identity Manager • IBM Security Federated Identity Manager Products • IBM Security zSecure Audit • IBM Security zSecure Admin • IBM Security Access Manager (WebSeal) • IBM Security Access Manager for eBusiness (WebSeal) • IBM Security Access Manager (ISAM) • IBM Security Guardium • IBM Security AppScan • IBM Security Key Lifecycle Manager Products • IBM Storage Manager • IBM DataPower • IBM Data Encryption for IMS and IBM DB2 • IBM CyberSecurity Assessment and Response Services • IBM Data and Application Security Services • IBM Identity and Access Management Services


IT Security Governance for PCI-DSS regulation and the role of IBM Security Solutions

Every organization struggles to implement and maintain many IT Security solutions from many
different vendors, mostly because of the complexity and differences in those solutions as well as
the required manpower and skill sets to handle all of these.

This supplemental slide tries to depict how an organization can potentially tackle most of the PCI
DSS requirements with IT Security solutions from IBM.


Unit summary
• Describe/define technology trends and IT security landscape in 2015
• List business and IT drivers that influence security-related business decisions
• Define a comprehensive security solution portfolio to address the holistic IT security requirements in
an organization

Unit 2 Security Intelligence and Operations


Unit objectives
• Illustrate the integration between Security Intelligence and other IT Security domains to identify
important source data used to populate the Security Intelligence solution
• Describe how Security Intelligence can help detect and stop advanced threats
• Describe how Security Intelligence can help address organizational and regulatory compliance
• Describe how a Security Intelligence solution can be integrated into an overall enterprise security
architecture


Unit objectives

In this unit we describe how an organization can use a centralized Security Intelligence solution to
improve their overall security maturity by integrating capabilities from all security domains. We use
an example of a typical attack to demonstrate how important it is to consolidate data across many
security domains.

Next, we examine how a Security Intelligence solution can help mitigate advanced threats by using
different solution components that cover different phases from vulnerability management, risk
management, security information and event management, and incident forensics.

Finally, we explain how an organization can plan and design a Security Intelligence solution using
an existing enterprise security architecture method.

Lesson 1 Analyze source data that feeds the Security Intelligence solution


Security Intelligence at the center of a comprehensive security portfolio

SECURITY TRENDS: Advanced Threats • Mobile and Internet of Things • Cloud • Compliance Mandates • Skills Shortage

Comprehensive Security Portfolio
• Strategy, Risk and Compliance
• Cybersecurity Assessment and Response
• Security Intelligence and Operations
• Advanced Fraud Protection • Identity and Access Management • Data Security • Application Security • Network, Mobile and Endpoint Protection
• Advanced Threat and Security Research

DELIVERY MODELS: Management Consulting • Systems Integration • Integrated Products • Security as a Service • Managed Security • Partner Ecosystem


Security Intelligence at the center of a comprehensive security portfolio

When planning your Security Intelligence operations you have to examine every aspect of the
holistic security portfolio or your enterprise security architecture and decide whether to collect
and include data from each of the security domains or not. Even if you decide not to include a
particular subset of data you have to properly document and explain your decision.

Addressing individual security domain solutions without integrating them into the bigger picture will
not get you past a basic security posture and can only reduce your overall risk profile slightly.

Let us examine the different maturity categories of an enterprise security program and how an
organization can improve its overall maturity.


Maturity categories of integration

(Quadrant chart; vertical axis from Manual to Automated, horizontal axis from Reactive to Proactive)

• Basic (manual, reactive): Organizations employ perimeter protection, which regulates access and feeds manual reporting
• Proficient: Security is layered into the IT fabric and business operations
• Optimized (automated, proactive): Organizations use predictive and automated security analytics to drive toward security intelligence


Maturity categories of integration

This quadrant model depicts a path that every organization should go through in order to achieve
an optimized enterprise security program.

First, many organizations focus on what we term the Basic approach; they deploy perimeter
protection and feed manual reporting, very reactive in nature.

As these organizations develop more sophisticated postures on security they must become both
automated and proactive in their approach.

At the Proficient stage they implement a so-called “security in depth” posture. Security is layered
into the IT fabric and business operations. All layers, network zones, IT systems, and applications
provide sophisticated security mechanisms and artifacts that can be deployed and configured in an
automated fashion. But still, they are divided in silos and managed separately.

Finally, with the deployment of predictive and automated security analytics, the organization can
move towards a highly optimized posture. Here, logs, flows, and events from the distributed
security mechanisms and artifacts are brought together. This collected data can now be augmented
with additional data about assets, vulnerabilities, and actual world-wide threat data to provide
centralized Security Intelligence.

At IBM we believe Security Intelligence is the key cornerstone to achieving an optimized enterprise
security posture.

In the next slide we depict how Security Intelligence can advance the maturity of the different
security domains.


Maturity categories and security solution types

(Matrix chart; columns: Identity and Access Management | Data Security | Application Security and Fraud Protection | Network, Mobile, and Endpoint Protection)

• Security Intelligence (spanning all domains at the Optimized level): Information and event management; Advanced correlation and deep analytics; External threat research

• Optimized
ƒ Identity and Access Management: Role-based analytics; Identity governance; Privileged user controls
ƒ Data Security: Data flow analytics; Data governance
ƒ Application Security and Fraud Protection: Secure app engineering processes; Fraud detection
ƒ Network, Mobile, and Endpoint Protection: Advanced network monitoring; Forensics / data mining; Secure systems

• Proficient
ƒ Identity and Access Management: User provisioning; Access mgmt; Strong authentication
ƒ Data Security: Access monitoring; Data loss prevention
ƒ Application Security and Fraud Protection: Application firewall; Source code scanning
ƒ Network, Mobile, and Endpoint Protection: Virtualization security; Asset mgmt; Endpoint / network security management

• Basic
ƒ Identity and Access Management: Centralized directory
ƒ Data Security: Encryption; Access control
ƒ Application Security and Fraud Protection: Application scanning
ƒ Network, Mobile, and Endpoint Protection: Perimeter security; Anti-virus


Maturity categories and security solution types

In the Basic state of maturity organizations deploy multiple point solutions.


• A centralized directory allows the organization to manage user IDs in one place. Administrators
handle the addition of new IDs and the removal of IDs when people leave the organization or
change jobs.
• Data at rest and in transit is encrypted with standard protocols. Databases and application
servers that are involved in data transactions are configured manually by individual
administrators.
• Deployed applications are scanned for vulnerabilities by the individual groups that own the
applications.
• Anti-virus software is deployed on all endpoints that are used in the organization. Gateways,
firewalls, and IPS are configured and monitored by individual groups to provide perimeter
security.

In the Proficient state of maturity organizations begin to integrate solutions and teams by creating
and working with a documented enterprise security architecture. This architecture is based on a
proper risk assessment that has been conducted with all involved organizational business and IT
departments.
• The organization uses a partially automated user provisioning and access management
solution that is tied to the HR software to automatically feed new identities and remove the
identities of people who left the organization. Business application owners are responsible for
administering the proper access rights.

To control access to “high risk” or “high value” resources the organization deploys strong
authentication methods (biometric, two-factor, and so on). The centralized identity and access
management solution is capable of collecting consolidated logs and creating focused reports for
compliance.
• According to the organization’s asset classification (part of the risk profile and enterprise
security architecture document) access to data is being strictly monitored, especially for
privileged users. The data access management (DAM) solution carefully logs all accesses and
reports can be created at will to address data loss scenarios and compliance reporting. In
addition, the organization deploys data loss prevention (DLP) solutions.
• Application security is expanded into the development area where all source code is now
scanned for vulnerabilities before it is being released for production.
In addition, the organization deploys application firewalls (smart firewall appliances that are
able to scan the payload for specific web application patterns).
• The organization applies a centralized approach to endpoint and network security
management. All network events are consolidated on one console or multiple consoles that are
being managed by a single group.
A similar approach is implemented for endpoint management where a common endpoint policy
defines accepted standards and rules and endpoint management software enforces them. That
software also reports if endpoint devices are no longer policy compliant and either returns the
endpoints to a compliant state or denies access to the enterprise network. In addition,
virtualized environment security is being handled by a centralized group of experts.
The organization also implements mandatory asset management for all IT assets and begins to
log vulnerabilities, compliance state, location and configuration information.

In the Optimized state of maturity organizations begin to reap the benefits of Security Intelligence
because they deploy solutions that are able to collect, process, and correlate log and event data
from many disparate IT systems that do not immediately seem to be connected.
• Furthermore they use role-based analytics when examining access log information to
understand if data has been accessed outside of usual behavior patterns. Together with identity
governance (the policy-based centralized orchestration of identity management and access
control) the organization can better support enterprise IT security and regulatory compliance.
A separate privileged user control management solution is put into place to help reduce misuse
of privileged IDs and lock down the ability for attackers to gain privileged identities altogether.
• Data governance and data flow analytics help “follow the critical assets” and locate them. This
is especially important if the data is accessed, decrypted, sent to external parties, and so on, by
users who don’t have a legitimate reason to do so, or if this happens in a way or at a time of day
that clearly indicates misuse.
• The complete application engineering process is conducted in a policy-based secured fashion.
In addition to source code scanning and final application scanning the organization also reports
vulnerabilities of existing applications to the asset management system, which makes it
possible for the Security Intelligence solution to include those in its correlation processes.

Fraud detection on endpoints scans for the slightest deviations in behavioral patterns of
standard applications, for example, if an attacker sends a malicious PDF file that instructs
Acrobat Reader to perform mysterious tasks. The solution then blocks access for this
application and immediately sends those reports and logs into the Security Intelligence solution
for further investigation and forensic analysis.
• Advanced network monitoring includes layer 7 application traffic and the capture of complete
data packets if necessary to conduct large scale forensic investigations and data mining.

By bringing all these data sources together in a Security Intelligence solution and by combining this
enterprise owned forensic data with publicly available real-time threat research data an
organization can implement an optimized holistic security portfolio.

© Copyright IBM Corp. 2015 2-8


Course materials may not be reproduced in whole or in part without the prior written permission of IBM.
V7.0
Unit 2 Security Intelligence and Operations
Lesson 1 Analyze source data that feeds the Security Intelligence solution

Uempty

IBM security software portfolio and QRadar SIEM

Here is a more detailed slide on what IBM can offer to solve these issues.

The key is the deployment of Security Intelligence with QRadar solutions as the driving factor to
reach the optimized state.

This information should be used for further research with students into extended capabilities of the
individual security domains and their integration aspects.


Today’s threat landscape drives Security Intelligence strategy

Threat examples shown on the slide: designer malware, spear phishing, persistence, backdoors.

Escalating attacks:
• Increasingly sophisticated attack methods include social engineering, spear phishing,
watering holes, and so on
• Disappearing perimeters mean you cannot rely on network based protection alone
• Privileged access methods (stolen credentials) used in attacks require you to monitor your
valuable assets more closely

Increasing complexity:
• Constantly changing infrastructure
• Too many security products from multiple vendors; costly to configure and manage; no
correlation of events; no centralized reporting or connection
• Increasing compliance demands need to be managed and monitored

Resource constraints:
• Struggling security teams
• Too much data from point products with limited manpower and skills to manage it all make it
almost impossible to realize an attack pattern
• Often inadequate and ineffective tools
• Sophisticated attack methods can only be detected by combining events from infrastructure
(network, servers, endpoints), identity, applications, databases, and so on

While keeping in mind that the strength of Security Intelligence is to combine and correlate many
security data sources we will investigate how the current threat landscape shapes our Security
Intelligence strategy. Try to keep in mind all the different security domains that are involved even in
narrow attack vectors.
• Escalating attacks
Despite reports that show the majority of network breaches are due to a lack of basic network
protection efforts, there is a growing base of sophisticated attackers pursuing targets of choice
in order to steal intellectual property, trade or national secrets, and you need the ability to detect
and defend against these bad guys.
• Increasing complexity
Few people would disagree that everything is just getting more complex as capabilities brought
about by the Internet invade all aspects of our corporate and personal lives. Almost nothing
exists in a vacuum anymore.
• Resource constraints
Considering resource constraints, the issue has transcended a lack of budget to also
incorporate a lack of skill. Even if you have the funding to add necessary staff, it doesn’t mean
you’re going to find any qualified applicants without conducting a broad-ranging search. And the
few well-trained SMEs have a hard time properly recognizing a complex attack pattern through
manual examination.

Some reminders

Threat Landscape:
• Vulnerabilities increasing by rate of 12 / day
• Automated exploit kits appear within weeks of new disclosures
• Persistent and stealthy attacks continuously search chosen targets for weaknesses

IT Infrastructure:
• Mobile device integration multiplies complexity of endpoints
• Evolving networking and connectivity standards
• Rapid growth of Web applications
• Compliance is not enough
• Routine tactics only appease auditors
• Protecting business assets requires continuous monitoring
• Complete spectrum of tools required to safeguard networks

These dynamics contribute to a whack-a-mole scenario where it’s impossible to totally secure the
network.


Example: Anatomy of an attack – lions at the watering hole

In July 2012, several high-profile institutions in the financial and technology sectors were
victimized by a “watering hole” attack.

Step 1: Stake out the watering hole
The watering holes are regional financial services institutions (MA, NY, Metro DC). The attackers
insert an iFrame that redirects visitors to a zero-day malware download.

Step 2: Catch the visiting “gazelles”
An employee using a corporate laptop at home visits a compromised consumer banking site and is
redirected to a zero-day malware download.

Step 3: The prey returns to the herd
Employees bring their infected laptops in to work the next day, and the infected laptops siphon off
sensitive data to a command and control server in China.

Here is an example – a watering hole attack that took place in 2012 and was subsequently
analyzed by the IBM X-Force Research team.

Attack vectors

• Fraudulent malware download (maybe as part of a JPG, a PDF, or just by visiting a website that
downloads a malicious JavaScript) that is not detected by anti-virus software
• Spear Phishing – luring people to click on something “interesting”
• Network attack vectors – command and control malware uses “unusual ports” on the client’s
machine to communicate with remote control server

The next slides look at the timeline, the actual vulnerabilities that were involved, and the malicious
communication scheme.


Example: Attack timeline

Hidden iFrame
• July 13th-15th, 2012
– Several regional consumer financial services websites are hacked
– The hackers plant a hidden iframe on the consumer portal
• July 13th-22nd, 2012
– Customers of the bank are redirected to a malicious download site when they visit to do their
online banking
• July 15th-18th, 2012
– Infections are detected at several IBM clients
– IBM Emergency Response Services are deployed for incident response
– IBM collaborates with the FBI, major anti-virus (AV) vendors, and others to protect its clients


Example: Vulnerable hosts were infected

Attackers used different variants of the Gh0stRAT remote access Trojan horse, making detection
even harder.

Variant A
• Exploited a known Microsoft vulnerability (CVE-2012-1889, 6/12/2012)
• Patch for all Microsoft operating systems was released on 7/10/2012
• Variant was not recognized by any AV vendor when IBM first detected it

Variant B
• Exploited a known Java vulnerability (CVE-2012-1723, 6/16/2012)
• Patch was released by Oracle 6/12/2012
• Variant was recognized by McAfee VSE as of July 17, 2012


Example: After being infected, compromised hosts made contact with a remote command and
control server in China

• Infected machines attempt to communicate with one of two Chinese command and control (C&C)
servers, 58.64.155.57 and 58.64.155.59, on ports 53, 80, and 443
• If communications are successfully established, the C&C server gains complete, real-time control of
a system on the protected network
• The malware, a remote access Trojan, allows a remote attacker to access data, log system activity,
capture key logs, take screenshots, activate the system’s camera, and record from the system’s
microphone
• The remote attacker can also drop additional downloads and programs on the controlled machine,
and use it as a launching point for further attacks


Example: If the attack is not detected fast enough, the infected machine becomes the new launch
point for deepening the penetration

• The infected machine “legitimately” distributes more malware inside the enterprise network to
keep a stronger foothold in case the original infection is detected
• The malware’s first goal is to obtain privileged user identities, which it then uses to gain access to
valuable assets inside the enterprise network
• Most attacks utilize ports and scans that are usually not executed from either the infected machines
or user IDs
• After valuable assets are found, they are slowly exfiltrated so as not to raise any suspicion

More attack vectors

• Endpoint management negation – additional software gets installed on the machine by the remote
malware
Control: endpoint management software should immediately detect any new software
deployments, report them, and either remove them or deny network access
• Privileged user access – if a machine of a privileged user is found, that credential is going to
open many doors for the attackers
Control: a privileged user access control system can negate the chance of any attacker gaining
privileged access because those IDs have to be signed out through a particular process using
multi-factor authentication and other security means
Control: if privileged user access is maliciously gained, a data access monitoring solution can
recognize that large amounts of privileged data are being accessed in a behavioral pattern that does
not reflect usual routines and report on it
• Network anomalies – unusual ports or scan activity is detected from IT systems that usually do
not display such activity
Control: the flow control system shows traffic records involving on-site and off-site IT systems
and immediately logs and reports this
• Not an isolated event – the attacked organization is one of many that are being probed by
those remote command and control systems

Control: public threat research feeds the recognized IP addresses and ports into a black list of
malicious hosts that can be incorporated into the organization’s Security Intelligence solution

The correlation of all these single events in near real-time enables an organization to detect and
stop threats (hopefully) before they can be exploited and cause any damage.
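As an added example (not IBM or QRadar code) of how the controls listed above feed a correlation engine: constructed flow records are checked against a block list holding the C&C addresses and ports from the attack example and against a per-host port baseline, and one offense is built per source host. The host names, flows and baseline ports are constructed for illustration.

```python
"""Correlating flow records with a threat-feed block list and a port baseline.
Added example for this course page; not IBM or QRadar code. All hosts,
flows and baselines below are constructed."""
from collections import defaultdict

# Block list as a public threat research feed would deliver it: the C&C
# addresses and ports named in the attack example.
CNC_BLOCKLIST = {
    "58.64.155.57": {53, 80, 443},
    "58.64.155.59": {53, 80, 443},
}

# Constructed per-host baseline of destination ports each host normally uses
# (what the flow control system would learn over time).
BASELINE_PORTS = {
    "ws-0017": {80, 443},      # ordinary user workstation
    "hr-db-01": {1433, 3389},  # database server
}

# Constructed flow records: (timestamp, source host, destination, destination port).
SAMPLE_FLOWS = [
    ("2012-07-16T08:02:11", "ws-0017", "10.1.4.20", 443),
    ("2012-07-16T08:02:40", "ws-0017", "58.64.155.57", 443),  # beacon to C&C
    ("2012-07-16T08:03:05", "ws-0017", "58.64.155.59", 53),   # fallback C&C channel
    ("2012-07-16T09:10:00", "ws-0017", "10.1.4.30", 445),     # probing an internal host
    ("2012-07-16T09:10:01", "ws-0017", "10.1.4.30", 135),
    ("2012-07-16T09:10:02", "ws-0017", "10.1.4.30", 3389),
    ("2012-07-16T09:10:03", "ws-0017", "10.1.4.30", 22),
    ("2012-07-16T09:10:04", "ws-0017", "10.1.4.30", 23),
    ("2012-07-16T09:15:00", "hr-db-01", "10.1.4.20", 1433),   # normal database traffic
]

SCAN_THRESHOLD = 5  # distinct off-baseline ports to one target before we call it a scan


def match_blocklist(flows, blocklist=CNC_BLOCKLIST):
    """Flows whose destination address and port are on the block list."""
    return [f for f in flows if f[2] in blocklist and f[3] in blocklist[f[2]]]


def find_port_anomalies(flows, baseline=BASELINE_PORTS, threshold=SCAN_THRESHOLD):
    """(source, destination, ports) for every source that used at least
    `threshold` distinct ports outside its baseline against one destination."""
    off_baseline = defaultdict(set)
    for _, src, dst, dport in flows:
        if dport not in baseline.get(src, set()):
            off_baseline[(src, dst)].add(dport)
    return [(src, dst, sorted(ports))
            for (src, dst), ports in off_baseline.items() if len(ports) >= threshold]


def correlate(flows):
    """One offense per source host: each C&C contact adds 5 to the magnitude,
    each scan-like burst adds 3, so a host showing both rises to the top."""
    offenses = {}
    for _, src, dst, dport in match_blocklist(flows):
        o = offenses.setdefault(src, {"magnitude": 0, "reasons": []})
        o["reasons"].append(f"contacted blocklisted host {dst}:{dport}")
        o["magnitude"] += 5
    for src, dst, ports in find_port_anomalies(flows):
        o = offenses.setdefault(src, {"magnitude": 0, "reasons": []})
        o["reasons"].append(f"used off-baseline ports {ports} towards {dst}")
        o["magnitude"] += 3
    return offenses


if __name__ == "__main__":
    ranked = sorted(correlate(SAMPLE_FLOWS).items(),
                    key=lambda kv: kv[1]["magnitude"], reverse=True)
    for host, offense in ranked:
        print(host, offense["magnitude"], "; ".join(offense["reasons"]))
```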


Apply Big Data to Security Intelligence and threat management

Data sources, from basic maturity to optimized maturity:
• Basic maturity: logs, events, alerts, configuration information, system audit trails, identity
context, network flows and anomalies, external threat intelligence feeds, full packet and DNS
captures
• Optimized maturity: web page text, business process data, email and social activity, customer
transactions

Collection, storage, and processing:
• Collection and integration
• Size and speed
• Enrichment and correlation

Analytics and workflow:
• Visualization
• Unstructured analysis
• Learning and prediction
• Customization
• Sharing and export

Global intelligence:
• Campaign identification
• IP reputation covering attacker, industry, and region
• Comparisons
• Anomaly detection


A dynamic, integrated system to help detect and stop advanced threats

Attack Chain:
1 Break-in
2 Latch-on
3 Expand
4 Gather
5 Exfiltrate

In the example on the previous slides we have learned about the typical “attack chain”.

And with all the knowledge about the different security domains we now understand that we have to
design a proper security solution that can help us prevent some of the break-ins, and quickly
detect the remaining ones to devise proper responses to mitigate the overall impact to our IT
operations.

In this course we focus on the Detect phase … so let us take a closer look at how we can best
detect and stop advanced threats.

Lesson 2 Detect and stop advanced threats



Best practices: Intelligent detection

1 Predict and prioritize security weaknesses
– Gather threat intelligence information
– Manage vulnerabilities and risks
– Augment vulnerability scan data with context for optimized prioritization
– Manage device configurations (firewalls, switches, routers, IPS/IDS)

2 Detect deviations to identify malicious activity
– Establish baseline behaviors
– Monitor and investigate anomalies
– Monitor network flows

3 React in real-time to exploits
– Correlate logs, events, network flows, identities, assets, vulnerabilities, configurations, and add
context
– Use automated solutions to make data actionable by existing staff

So let us do a quick recap of what we have said so far. The cost of cyberattacks is increasing,
threats are escalating and becoming more complex, perimeter defenses are no longer sufficient,
and new techniques like flow analysis, anomaly detection, and vulnerability management are
needed. So we’ve defined the problem, and some capabilities that can help, but exactly what do we
do about it? What are the best practices that should be followed?
• The first best practice is proactive in nature. Identify, predict, and prioritize your security
weaknesses so you can take actions to prevent a breach. Use resources such as X-Force and
the US National Vulnerability Database (https://nvd.nist.gov/) to gather threat information,
address vulnerabilities and risks based on priority, add network context, and manage device
configurations to improve security (for example, remove ineffective firewall rules, add new rules
that are more effective).
• Use tools that can detect unusual behavior for follow-up. Deploy solutions that can find network
anomalies and provide visibility to network flows for the reasons mentioned earlier.
• Use Security Intelligence solutions that use integrations, automation, and context to provide a
complete view of what is happening in your network. Automation is key so that you can utilize
existing staff more efficiently, and reduce the large amount of collected data into a small number
of events that can be acted upon by existing personnel.


What is Security Intelligence?

Security Intelligence
--noun
The real-time collection, normalization and analytics of the data generated by users,
applications, and infrastructure that impacts the IT security and risk posture of an enterprise

Security Intelligence provides actionable and comprehensive insight for managing risks and
threats from protection and detection through remediation

Several years ago, we introduced the term Security Intelligence to describe the value
organizations can gain from their security data by treating and analyzing security information in
much the same way they do the outputs produced from other business functions, such as
marketing. The term has caught on!

We’re seeing this term being used more and more by customers, vendors, and industry experts -
but what’s interesting is how no one seems to be describing the same concept.

To avoid confusion, we are explicitly stating our own definition. So here it is:

Security Intelligence (SI) is the real-time collection, normalization, and analysis of the data
generated by users, applications and infrastructure that impacts the IT security and risk posture of
an enterprise.

The goal of Security Intelligence is to provide actionable and comprehensive insight that reduces
risk and operational effort for any organization, no matter what their size.

Data collected and warehoused by security intelligence solutions includes logs, events, network
flows, user identities and activities, asset profiles and locations, vulnerabilities, asset configurations
and external threat data.

Security Intelligence provides analytics to answer fundamental questions that cover the full
“before-during-and-after” timeline of risk and threat management.

Customer reference

Equifax, a large credit reporting agency, started working with Q1 shortly before it was bought by
I.B.M. With 572 million consumer records in its data centers, Equifax must stay at the leading edge
of security technology, said Tony Spinelli, its chief security officer. He said security was a
never-ending race to stay ahead of modern hackers, whom he called “artful and creative guys.”

The appeal of IBM’s strategy, Mr. Spinelli said, is that it focuses on “security intelligence.” The
traditional approach to security, he explained, has focused on “detection and reaction.” But today,
he added, the need is for automated tools that mine data flows to spot threats and issue alerts to
security professionals.


Ask the right questions

• What are the major risks and vulnerabilities?
• Are we configured to protect against advanced threats?
• What security incidents are happening right now?
• What was the impact to the organization?

Security event timeline: Vulnerability – Pre-Exploit – Exploit – Post-Exploit – Remediation

PREDICTION / PREVENTION PHASE
• Gain visibility over the organization’s security posture and identify security gaps
• Detect deviations from the norm that indicate early warnings of APTs
• Prioritize vulnerabilities to optimize remediation processes and close critical exposures before
exploit

REACTION / REMEDIATION PHASE
• Automatically detect threats with prioritized workflow to quickly analyze impact
• Gather full situational awareness through advanced security analytics
• Perform forensic investigation reducing time to find the root cause; use results to drive faster
remediation

Products across the timeline: Vulnerability Manager, Risk Manager, SIEM, Log Manager,
Incident Forensics

Securing today’s businesses requires a new approach. Companies need to gain insights across the
entire security event timeline.

Our IBM Security Intelligence solution helps customers react and respond to exploits as they occur
in a network. But we also provide much needed value to customers as they seek to predict and
prevent incidents in the first place through our solutions that help to model risk, evaluate
configurations and prioritize vulnerabilities.

To IBM, Security Intelligence can be characterized in two ways. First, we describe Security
Intelligence as the result of advanced analytics. It’s the wisdom gained from reviewing every
available bit of data and normalizing, correlating, indexing, and pivoting it to discover the dozen
things your team needs to investigate as soon as possible. Alternatively, we use Security
Intelligence to characterize the iterative process of eliminating false positive results by continuously
tuning the system analytics and rules to remove an increasing number of interesting but
non-threatening incidents.

Adding QRadar Risk Manager, QRadar Vulnerability Manager, and QRadar Incident Forensics
modules to the core SIEM engine improves accuracy and provides context throughout the entire
security event timeline – from detection and protection through investigation and remediation.
Working together, these solutions can help you both reduce exposures and recognize attacks as
early as possible. Think back to the best practices discussion we had a few minutes ago.


IBM Security QRadar SIEM

Web-based command console for Security Intelligence
• Delivers actionable insight focusing security teams on high-probability incidents
– Employs rules-based correlation of events, flows, assets, topologies, and vulnerabilities
• Detects and tracks malicious activity over extended time periods, helping uncover advanced
threats often missed by other solutions
– Consolidates “big data” security incidents within a purpose-built, federated database repository

Optimized threat analysis
• Provides anomaly detection to complement existing perimeter defenses
– Calculates identity and application baseline profiles to assess abnormal conditions

Daily volume of events, flows, incidents: 2,000,000,000 automatically analyzed to find 20 – 25
potential offenses to investigate

QRadar SIEM consolidates log source event data from thousands of devices, endpoints, and
applications distributed throughout a network. It performs immediate normalization and correlation
activities on raw data to distinguish real threats from false positives. As an option, this software
incorporates IBM Security X-Force Threat Intelligence, which supplies a list of potentially malicious
IP addresses including malware hosts, spam sources, and other threats. QRadar SIEM can also
correlate system vulnerabilities with event and network data, helping to prioritize security incidents.

IBM Security QRadar SIEM provides the following capabilities:


• Provides near real-time visibility for threat detection and prioritization, delivering surveillance
throughout the entire IT infrastructure.
• Reduces and prioritizes alerts to focus investigations on an actionable list of suspected
incidents.
• Enables more effective threat management while producing detailed data access and user
activity reports.
• Delivers security intelligence in cloud environments.
• Produces detailed data access and user activity reports to help manage compliance.
• Offers multi-tenancy and a master console to help Managed Service Providers provide security
intelligence solutions in a cost-effective manner.
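An added example, not QRadar's own code, of the normalization and vulnerability-aware prioritization described above: two constructed raw log lines (a firewall line and snort-style IDS alerts referencing CVE-2012-1889 from the earlier attack example) are mapped onto one event schema, and an exploit attempt is promoted only when the asset database says the target is listening on that port and still unpatched. The log formats, hosts, IDS signature and asset records are all constructed.

```python
"""Normalizing raw log lines into one event schema and prioritizing with
asset vulnerability context. Added example for this course page; not QRadar
code. Log formats, hosts, the IDS signature and asset data are constructed."""
import re

# Constructed raw lines: a firewall syslog line and two snort-style IDS alerts
# carrying the CVE from the attack example.
RAW_LOGS = [
    "Jul 16 08:02:40 fw01 kernel: DROP IN=eth1 SRC=10.1.4.17 DST=58.64.155.57 PROTO=TCP DPT=443",
    'Jul 16 08:05:02 ids01 snort: [1:900001:1] "Microsoft vulnerability exploit attempt" '
    "10.1.4.17:51022 -> 10.1.4.30:80 cve=CVE-2012-1889",
    'Jul 16 08:05:03 ids01 snort: [1:900001:1] "Microsoft vulnerability exploit attempt" '
    "10.1.4.17:51023 -> 10.1.4.31:80 cve=CVE-2012-1889",
]

# Constructed asset profiles (what a vulnerability scanner and asset DB contribute):
# listening ports and CVEs still unpatched on each host.
ASSETS = {
    "10.1.4.30": {"ports": {80, 443}, "cves": {"CVE-2012-1889"}},
    "10.1.4.31": {"ports": {80}, "cves": set()},  # same service, already patched
}

FW_RE = re.compile(r"kernel: (?P<action>\w+) .*SRC=(?P<sip>\S+) DST=(?P<dip>\S+) .*DPT=(?P<dport>\d+)")
IDS_RE = re.compile(
    r'snort: \[\S+\] "(?P<sig>[^"]+)" (?P<sip>[\d.]+):\d+ -> (?P<dip>[\d.]+):(?P<dport>\d+)'
    r"(?: cve=(?P<cve>\S+))?"
)


def normalize(line):
    """Map one raw line onto the common schema; None for lines no parser understands."""
    m = IDS_RE.search(line)
    if m:
        return {"source": "ids", "category": "exploit_attempt", "sip": m["sip"],
                "dip": m["dip"], "dport": int(m["dport"]), "cve": m["cve"]}
    m = FW_RE.search(line)
    if m:
        return {"source": "firewall",
                "category": "deny" if m["action"] == "DROP" else "permit",
                "sip": m["sip"], "dip": m["dip"], "dport": int(m["dport"]), "cve": None}
    return None


def prioritize(event, assets=ASSETS):
    """Base priority from the event category, then adjust with asset context:
    an exploit attempt against a host that is listening on the port and still
    carries the CVE goes to the top; one against a patched or closed port drops."""
    prio = {"exploit_attempt": 5, "permit": 2, "deny": 1}[event["category"]]
    asset = assets.get(event["dip"])
    if event["category"] == "exploit_attempt" and asset is not None:
        if event["dport"] not in asset["ports"]:
            prio -= 2  # nothing listening there: probably noise
        elif event["cve"] in asset["cves"]:
            prio += 5  # exposed and unpatched: investigate first
        else:
            prio -= 2  # service present but patched: informational
    return prio


def process(lines, assets=ASSETS):
    """Normalize, prioritize and sort so analysts see the actionable events first."""
    events = [e for e in map(normalize, lines) if e is not None]
    for e in events:
        e["priority"] = prioritize(e, assets)
    return sorted(events, key=lambda e: e["priority"], reverse=True)


if __name__ == "__main__":
    for e in process(RAW_LOGS):
        print(e["priority"], e["source"], e["category"], e["sip"], "->",
              e["dip"], e["dport"], e["cve"])
```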


IBM Security QRadar Vulnerability Manager

Scan, assess, and remediate vulnerabilities
• Contains an embedded, well proven, scalable, analyst recognized, PCI-certified scanner
• Detects 70,000+ vulnerabilities
• Tracks National Vulnerability Database (CVE)
• Is present in all QRadar log and flow collectors and processors
• Integrates with IBM Security Endpoint Manager (BigFix) to reveal which vulnerabilities will be
patched and when
• Leverages QRadar Risk Manager to report which vulnerabilities are blocked by your IPS and FW
• Uses QFlow to report if a vulnerable application is active
• Presents a prioritized list of vulnerabilities you should deal with as soon as possible

QRadar Vulnerability Manager proactively discovers network device and application security
vulnerabilities, adds context and supports the prioritization of remediation and mitigation activities.
It is fully integrated with the QRadar Security Intelligence platform, and enriches the results of both
scheduled and dynamic vulnerability scans with network asset information, security configurations,
flow data, logs and threat intelligence to manage vulnerabilities and achieve compliance.

QRadar Vulnerability Manager helps you develop an optimized plan for addressing security
exposures. Unlike stand-alone tools, the solution integrates vulnerability information to help
security teams gain the visibility they need to work more efficiently and reduce costs. It is part of the
QRadar SIEM architecture. It can be quickly activated with a licensing key and requires no new
hardware or software appliances.

IBM Security QRadar Vulnerability Manager provides the following capabilities:


• Helps prevent security breaches by discovering and highlighting over 70,000 known dangerous
default settings, misconfigurations, software features, and vendor flaws.
• Provides a consolidated vulnerability view across major vulnerability products and technologies.
• Adds context to identify key vulnerabilities and reduce false positives.
• Integrates with IBM QRadar Security Intelligence Platform for easy installation, faster time to
value, and reduced deployment cost.
• Performs intelligent, customizable scheduled and event-driven scanning, asset discovery, and
asset profiling for 360-degree, enterprise-wide visibility into your network.


IBM Security QRadar Risk Manager

Scan, assess, and remediate risks
• Network topology model based on security device configurations enables visualization of actual
and potential network traffic patterns
• Policy engine correlates network topology, asset vulnerabilities and configuration, and actual
network traffic to quantify and prioritize risk, enabling risk-prioritized remediation and
compliance checking, alerting, and reporting
• Centralizes network security device configuration data and discovers configuration errors;
monitors firewall rule activity
• Models threat propagation and simulates network topology changes

Capabilities shown on the slide: asset risk quantification, remediation prioritization, network
topology, policy and compliance monitoring, threat simulations

QRadar Risk Manager provides three key areas of value that build on top of the QRadar SIEM
value proposition:
• Network topology visualization and path analysis
• Network device optimization and configuration monitoring
• Improved compliance monitoring and reporting

A key area to emphasize is the ability of the product to risk-prioritize vulnerable machines based on
network reachability, and to provide detailed device configuration information that can be used to
quickly shut down network paths that attackers may use to exploit vulnerabilities. This matters
because many vulnerabilities either cannot be rapidly remediated due to change windows or
technological limitations, or have no remediation available at all (many vulnerabilities never get a
patch). In either case, the ability to rapidly pinpoint the precise firewall rule(s) that enable the
attack path is essential.
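As an added illustration of the reachability-based prioritization described above (example code written for these notes, not part of QRadar Risk Manager or IBM's code), the following Python model evaluates a first-match firewall rule base from an untrusted zone against a list of vulnerable services and reports which rule, if any, opens each path, so the blocking change can be targeted. The rule base, asset addresses, CVSS scores and CVE-style identifiers are constructed placeholders.

```python
"""
Added example (not IBM's code): a toy model of risk-prioritizing vulnerable
hosts by network reachability. A first-match firewall rule base is evaluated
from an untrusted source against each vulnerable service; findings that are
reachable are ranked first and carry the id of the rule that allows them.
All hosts, rules, scores and CVE-style ids are constructed sample data.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Rule:
    rule_id: str
    action: str              # "allow" or "deny"
    src: str                 # source CIDR, "0.0.0.0/0" for any
    dst: str                 # destination CIDR
    proto: str               # "tcp", "udp" or "any"
    ports: Optional[range]   # None means any destination port


@dataclass(frozen=True)
class Vuln:
    host: str                # asset IP
    port: int
    proto: str
    cve: str                 # placeholder id, constructed for this example
    cvss: float              # base score used as the unadjusted severity


def first_match(rules, src_ip, dst_ip, proto, port) -> Optional[Rule]:
    """Return the first rule matching the tuple, or None (implicit deny)."""
    s, d = ip_address(src_ip), ip_address(dst_ip)
    for r in rules:
        if s not in ip_network(r.src):
            continue
        if d not in ip_network(r.dst):
            continue
        if r.proto not in ("any", proto):
            continue
        if r.ports is not None and port not in r.ports:
            continue
        return r
    return None


def prioritize(vulns, rules, untrusted_src="203.0.113.10"):
    """Rank findings: reachable from the untrusted zone first, then by CVSS.
    Each entry names the allowing rule so the firewall change can be targeted."""
    ranked = []
    for v in vulns:
        hit = first_match(rules, untrusted_src, v.host, v.proto, v.port)
        reachable = hit is not None and hit.action == "allow"
        ranked.append({
            "host": v.host, "port": v.port, "cve": v.cve, "cvss": v.cvss,
            "reachable": reachable,
            "via_rule": hit.rule_id if reachable else None,
            # Unreachable findings stay on the list but are heavily down-weighted.
            "priority": v.cvss if reachable else v.cvss / 10,
        })
    ranked.sort(key=lambda e: e["priority"], reverse=True)
    return ranked


# Constructed sample rule base: first match wins, implicit deny at the end.
RULES = [
    Rule("FW-10", "allow", "0.0.0.0/0", "10.0.1.0/24", "tcp", range(443, 444)),
    Rule("FW-20", "allow", "0.0.0.0/0", "10.0.1.0/24", "tcp", range(8080, 8081)),
    Rule("FW-30", "allow", "10.0.0.0/8", "10.0.2.0/24", "any", None),
]

# Constructed sample findings; the CVE ids are placeholders, not real advisories.
VULNS = [
    Vuln("10.0.1.5", 8080, "tcp", "CVE-XXXX-0001", 9.8),
    Vuln("10.0.2.9", 445, "tcp", "CVE-XXXX-0002", 9.3),
    Vuln("10.0.1.5", 443, "tcp", "CVE-XXXX-0003", 5.3),
]

if __name__ == "__main__":
    for entry in prioritize(VULNS, RULES):
        print(entry)
```

Note that the internal-only finding (10.0.2.9:445, CVSS 9.3) drops below a lower-scored but Internet-reachable one, and that rule FW-20 is named as the path to close for the top finding; that is the decision the notes describe when a patch is not available.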


IBM Security QRadar Incident Forensics

Intuitive investigation of security incidents

ƒ Reduces incident investigation periods from days or hours to minutes
  Employs Internet search engine technology to close security team skill gaps
ƒ Compiles evidence against malicious entities breaching secure systems and deleting or stealing
sensitive data
  Creates rich “digital impression” visualizations of related content
ƒ Helps determine root cause of successful breaches to prevent or reduce recurrences
  Adds full packet captures to complement SIEM security data collection and analytics

Slide figure label: Incident Forensics wins the race against time

IBM Security QRadar Incident Forensics

QRadar Incident Forensics allows you to retrace the step-by-step actions of a potential attacker,
and quickly and easily conduct an in-depth forensics investigation of suspected malicious network
security incidents. It reduces the time it takes security teams to investigate offense records, in many
cases from days to hours—or even minutes. It can also help you remediate a network security
breach and prevent it from happening again.

The solution offers an optional QRadar Packet Capture appliance to store and manage data used
by QRadar Incident Forensics if no other network packet capture (PCAP) device is deployed. Any
number of these appliances can be installed as a tap on a network or sub-network to collect the raw
packet data.

QRadar Incident Forensics provides the following capabilities:

• Retraces the step-by-step actions of cyber criminals to provide deep insights into the impact of
intrusions and help prevent their reoccurrence
• Reconstructs raw network data related to a security incident back into its original form for a
greater understanding of the event
• Integrates with IBM QRadar Security Intelligence Platform and offers compatibility with many
third-party packet capture offerings


IBM Security QRadar Incident Forensics (continued)

Slide figure: the evolution of security analytics, from the bottom layer up

Log Management: analysis of individual systems
1st gen. SIEM: analysis of interconnected systems – data correlation
2nd gen. SIEM: analysis of processes – advanced data correlation, rule engine
Cyber Forensics: incident investigation, investigative analysis, relationship analysis
Modern Security Intelligence platform: analysis of processes – advanced data correlation, vulnerability
management, built-in analytics including advanced flow analytics, investigative analysis, relationship
analysis

Data sources shown: log data, flow data, vulnerability data, full packet capture, external threat feeds,
external data

IBM Security QRadar Incident Forensics (continued)


From NetFlow to QFlow to QRadar Incident Forensics

ƒ NetFlow: packet oriented, identifies unidirectional sequences sharing source and destination IPs, ports,
and type of service
ƒ QFlow: packet oriented, identifies bidirectional sequences aggregated into sessions, also identifies
applications by capturing the beginning of a flow
ƒ Competitive solutions: session oriented, some only capture a subset of each flow and index only the
metadata, not the payload
ƒ QRadar Incident Forensics: session oriented, captures all packets in a flow, indexing the metadata and
payload to enable fast search-driven data exploration

From NetFlow to QFlow to QRadar Incident Forensics
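To make the flow models on the slide concrete, here is an added Python example (not IBM's or QRadar's code) that aggregates the same constructed packet records two ways: NetFlow-style unidirectional flows keyed on source and destination address, ports, protocol and type of service, and QFlow-style bidirectional sessions that keep the first payload bytes of each direction so the application can be identified from the beginning of the flow. The packet layout and the application heuristics are assumptions made for this example.

```python
"""
Added example (not IBM's code): NetFlow-style unidirectional flows versus
QFlow-style bidirectional sessions, built from constructed packet records.
Session aggregation retains the first payload bytes of each direction so an
application can be recognised from the start of the flow, independent of port.
"""
from collections import defaultdict
from typing import NamedTuple


class Packet(NamedTuple):
    src: str
    dst: str
    sport: int
    dport: int
    proto: str
    tos: int          # type of service byte
    payload: bytes


def unidirectional_flows(packets):
    """NetFlow-style: key on the 5-tuple plus type of service; each direction is its own flow."""
    flows = defaultdict(lambda: {"packets": 0, "bytes": 0})
    for p in packets:
        key = (p.src, p.dst, p.sport, p.dport, p.proto, p.tos)
        flows[key]["packets"] += 1
        flows[key]["bytes"] += len(p.payload)
    return dict(flows)


def session_key(p):
    """Order the two endpoints so both directions map to the same session key."""
    a, b = (p.src, p.sport), (p.dst, p.dport)
    return (p.proto,) + (a + b if a <= b else b + a)


def identify_app(fwd, rev):
    """Crude content-based identification from the first bytes of each direction.
    The signatures below are constructed heuristics for this example."""
    if fwd.startswith((b"GET ", b"POST ", b"HEAD ")) or rev.startswith(b"HTTP/"):
        return "http"
    if fwd[:3] == b"\x16\x03\x01" or rev[:3] == b"\x16\x03\x03":   # TLS handshake record header
        return "tls"
    if fwd.startswith(b"SSH-") or rev.startswith(b"SSH-"):
        return "ssh"
    return "unknown"


def bidirectional_sessions(packets, capture_bytes=16):
    """QFlow-style: aggregate both directions into one session and keep the first
    payload bytes seen in each direction for application identification."""
    sessions = {}
    for p in packets:
        key = session_key(p)
        s = sessions.setdefault(key, {
            "initiator": (p.src, p.sport),   # first packet seen defines the forward direction
            "packets": 0, "bytes": 0, "fwd_start": b"", "rev_start": b"",
        })
        s["packets"] += 1
        s["bytes"] += len(p.payload)
        direction = "fwd_start" if (p.src, p.sport) == s["initiator"] else "rev_start"
        if not s[direction] and p.payload:
            s[direction] = p.payload[:capture_bytes]
    for s in sessions.values():
        s["application"] = identify_app(s["fwd_start"], s["rev_start"])
    return sessions


# Constructed packets: an HTTP exchange on a non-standard port, then a TLS handshake.
PACKETS = [
    Packet("10.0.0.5", "192.0.2.7", 51000, 8080, "tcp", 0, b"GET /index.html HTTP/1.1\r\n"),
    Packet("192.0.2.7", "10.0.0.5", 8080, 51000, "tcp", 0, b"HTTP/1.1 200 OK\r\n"),
    Packet("10.0.0.5", "192.0.2.7", 51000, 8080, "tcp", 0, b""),
    Packet("10.0.0.5", "192.0.2.9", 51001, 443, "tcp", 0, b"\x16\x03\x01\x00\xc4\x01"),
    Packet("192.0.2.9", "10.0.0.5", 443, 51001, "tcp", 0, b"\x16\x03\x03\x00\x5a\x02"),
]

if __name__ == "__main__":
    print(len(unidirectional_flows(PACKETS)), "unidirectional flows")
    for key, s in bidirectional_sessions(PACKETS).items():
        print(key, s["packets"], "packets,", s["application"])
```

The same five packets yield four unidirectional flow records but two sessions, and the HTTP session on port 8080 is recognised as HTTP from its content rather than its port, which a port-only flow record would have missed.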


QRadar Embedded intelligence offers automated offense identification

Slide figure: data from security devices, servers and mainframes, network and virtual activity, data
activity, application activity, configuration information, vulnerabilities and threats, users and identities,
and global threat intelligence feeds the embedded intelligence, which reduces suspected incidents to
true offenses and keeps the data in a secure archive

• Correlation: logs/events, flows, IP reputation, geographic location
• Activity baselining and anomaly detection: user activity, database activity, application activity,
network activity
• Offense identification: credibility, severity, relevance

Security Intelligence and Operations © Copyright IBM Corporation 2015

QRadar Embedded intelligence offers automated offense identification

Harness security-relevant information from across the organization. Use real-time big data
analytics to provide context that helps detect threats faster, identify vulnerabilities, prioritize risk, and
automate compliance activities.

For security threat management the key challenge is to reduce millions of logs to actionable
intelligence that identifies the key threats. Traditional first-generation SIEMs achieve this by using
correlation, for example ‘five failed logins followed by a successful login’, to identify suspected
security incidents. Event correlation is a very important tool, but it is not enough.

There are two problems. First, consider a 100k to 1 reduction ratio of events to correlated incidents.
On the surface this sounds impressive, but for a company generating 2 billion events per day (and
you do not need to be a massive company to do that), it still leaves the security team with
20,000 incidents per day to investigate. Traditional SIM correlation cannot reduce the data
enough, and log managers cannot even reach a 10,000 to 1 reduction ratio. Second, an
exclusive reliance on event correlation assumes that criminals will not find ways to disable
or bypass the logging infrastructure, but that is practically their entire focus, and you cannot correlate
logs that are not there. This limitation results in missed threats or a very poor understanding of the
impact of a breach.
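The correlation rule quoted above, ‘five failed logins followed by a successful login’, as an added worked example (not QRadar's rule engine or IBM's code) run over a constructed syslog-style sample. The log line format, the five-minute window and the per-user, per-source keying are assumptions for this illustration; the sample's 14 lines reduce to one suspected incident, and the stale failures for the third user show why the time window matters.

```python
"""
Added example (not IBM's code): a first-generation correlation rule,
"N failed logins followed by a successful login", over constructed
syslog-style lines. Failures are tracked per (user, source) in a sliding
window so that old failures do not count against a later, unrelated success.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed line layout for this example: ISO timestamp, "sshd:", result, user, source.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) sshd: "
    r"(?P<result>Failed|Accepted) password for (?P<user>\S+) from (?P<src>\S+)$"
)


def parse_line(line):
    """Return (timestamp, result, user, src), or None for lines the rule ignores."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return (datetime.fromisoformat(m["ts"]), m["result"], m["user"], m["src"])


def correlate(lines, threshold=5, window=timedelta(minutes=5)):
    """Emit one suspected incident per (user, src) whenever a success follows
    at least `threshold` failures inside `window`; the window slides so stale
    failures are discarded before the count is checked."""
    failures = defaultdict(deque)   # (user, src) -> timestamps of recent failures
    incidents = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        ts, result, user, src = ev
        q = failures[(user, src)]
        while q and ts - q[0] > window:          # drop failures outside the window
            q.popleft()
        if result == "Failed":
            q.append(ts)
        elif len(q) >= threshold:                # Accepted after enough failures
            incidents.append({"user": user, "src": src, "failures": len(q),
                              "first_failure": q[0], "success": ts})
            q.clear()
        else:
            q.clear()                            # a clean success resets the count
    return incidents


# Constructed sample log: a brute-force pattern, a benign typo, and stale failures.
SAMPLE_LOG = """
2015-06-01T08:00:01 sshd: Failed password for alice from 198.51.100.4
2015-06-01T08:00:03 sshd: Failed password for alice from 198.51.100.4
2015-06-01T08:00:05 sshd: Failed password for alice from 198.51.100.4
2015-06-01T08:00:07 sshd: Failed password for alice from 198.51.100.4
2015-06-01T08:00:09 sshd: Failed password for alice from 198.51.100.4
2015-06-01T08:00:12 sshd: Accepted password for alice from 198.51.100.4
2015-06-01T08:01:00 sshd: Failed password for bob from 10.0.0.8
2015-06-01T08:01:04 sshd: Accepted password for bob from 10.0.0.8
2015-06-01T09:00:00 sshd: Failed password for carol from 10.0.0.9
2015-06-01T09:00:01 sshd: Failed password for carol from 10.0.0.9
2015-06-01T09:00:02 sshd: Failed password for carol from 10.0.0.9
2015-06-01T09:00:03 sshd: Failed password for carol from 10.0.0.9
2015-06-01T09:00:04 sshd: Failed password for carol from 10.0.0.9
2015-06-01T09:30:00 sshd: Accepted password for carol from 10.0.0.9
""".strip().splitlines()

if __name__ == "__main__":
    for inc in correlate(SAMPLE_LOG):
        print(inc)
```

This is exactly the kind of rule the notes call necessary but insufficient: it fires only on what was logged, so a source that never reaches the log, or an attacker who disables logging first, produces no incident at all, which is the gap the flow and packet data discussed later are meant to cover.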

QRadar vastly expands the capabilities of traditional SIEMs by incorporating new analytics
techniques and broader intelligence. Unlike any other SIEM in the market today, QRadar captures
all activity on the network for assets, users and attackers before, during, and after an exploit and
analyzes all suspected incidents in this context. New analytical techniques like behavioral analysis
are applied. QRadar notifies analysts about offenses, where an “offense” is a correlated set of
incidents with all of the essential, associated network, asset, vulnerability and identity context. By
adding business and historical context to suspected incidents and applying new analytic
techniques, massive data reduction is realized and threats that would otherwise be missed are detected.

IBM delivers real-time correlation and anomaly detection across a distributed and scalable
repository of security information to enable more accurate security monitoring and better visibility for
any organization, small or large.


Embedded intelligence of QRadar directs focus for investigations

Slide figure: suspected incidents pass through the embedded intelligence to become a true offense,
which directs forensics investigations

• Rapidly reduce time to resolution through intuitive forensic workflow
• Use intuition more than technical training
• Determine root cause and prevent recurrences

Security Intelligence and Operations © Copyright IBM Corporation 2015

Embedded intelligence of QRadar directs focus for investigations

We now have the forensic ability to use collected data to recover the details that are critical to a
much deeper and faster investigation.


Benefits of IBM Security Intelligence approach

• Holistic IT security management and integration with infrastructure and processes
ƒ Use tools and solutions that know how to communicate with each other
ƒ Integrate with centralized vulnerability management
• Pro-active IT security management
ƒ Detect and counteract the threat before the actual exploit
• Network flow analysis and forensics
ƒ Collect data that no attacker can obfuscate (network flow) and store application data for more detailed forensic
investigations
• Risk assessment support through network topology awareness in combination with vulnerability
information
ƒ Investigate potential risks due to network topology and vulnerabilities
ƒ Focus on the “important and valuable” assets that need protection and do not flood the Security Intelligence
system with useless data

Security Intelligence and Operations © Copyright IBM Corporation 2015

Benefits of IBM Security Intelligence approach

Lesson 3 IT security governance and compliance



Security leaders are more accountable than ever before

Slide figure, consequences by role:
• CEO / COO: loss of market share and reputation; legal exposure; business continuity
• CCO / CFO: audit failure; fines and enforcement impact; financial loss
• CIO / CISO: impact to data and systems (confidentiality, integrity, availability)
• CHRO / CDO: violation of employee privacy; loss of sensitive data
• CMO: loss of customer trust; loss of brand reputation

Your board and CEO demand a strategy

Security Intelligence and Operations © Copyright IBM Corporation 2015

Security leaders are more accountable than ever before

Remember this slide from Unit 1?

You can see how much the leadership of an organization has to focus on governance and
compliance issues.

Repeatedly failing an audit usually brings fines and legal exposure. That is why a constant
stream of focused reports can help the IT leadership team stay in control of policy and guidelines.
And what IT subsystem is better suited to collect a large amount of compliance-related data and
report on it than the Security Intelligence solution?


Example: IT Security Governance for PCI-DSS regulation and the role of IBM Security Solutions

IBM PROFESSIONAL SERVICES • IBM SOFTWARE SOLUTIONS • IBM MANAGED SERVICES • IBM HARDWARE

Slide figure: a matrix that maps each PCI-DSS requirement area to the IBM offerings that support it. The
requirement areas on the slide are: Firewall to Protect Cardholder Data; No Default Passwords or Security
Parameters; Protect Stored Cardholder Data; Encrypt Transmission; Use and Update Anti-Virus Software;
Secure Systems and Applications; Restrict Access; Unique IDs; Restrict Physical Access; Monitor Access;
Test Security Systems and Process; Security Policy for Employees and Contractors.

The IBM offerings named across the matrix are: IBM Security QRadar; IBM Security BigFix (Endpoint
Manager); IBM OpenPages; IBM Security Network Intrusion Prevention; IBM Managed Security Services;
IBM Security Identity Manager; IBM Security Federated Identity Manager Products; IBM Security Access
Manager (WebSeal, for eBusiness, ISAM); IBM Security Guardium; IBM Security Key Lifecycle Manager
Products; IBM Security AppScan; IBM Security zSecure Audit and zSecure Admin; IBM DataPower; IBM
Data Encryption for IMS and IBM DB2; IBM Storage Manager; IBM Security Strategy, Risk and Compliance
Services; IBM Identity and Access Management Services; IBM Data and Application Security Services;
IBM CyberSecurity Assessment and Response Services.

Security Intelligence and Operations © Copyright IBM Corporation 2015

Example: IT Security Governance for PCI-DSS regulation and the role of IBM Security Solutions

Every organization struggles to implement and maintain many IT security solutions from many
different vendors, mostly because of the complexity of and differences between those solutions, as
well as the manpower and skill sets required to handle all of them.

Consider the areas where the Security Intelligence solution can provide input and reports for
compliance-related activities.


Reporting in QRadar
• A QRadar SIEM report is a means of scheduling and automating one or more saved searches
• QRadar SIEM reports perform the following tasks
ƒ Present measurements and statistics derived from events, flows, and offenses
ƒ Provide users the ability to create custom reports
ƒ Can brand reports and distribute them
• Predefined report templates serve a multitude of purposes, such as the following examples
ƒ Regulatory compliance
ƒ Authentication activity
ƒ Operational status
ƒ Network status
ƒ Executive summaries
• Regulatory coverage
ƒ HIPAA: Health Insurance Portability and Accountability Act
ƒ COBIT: Control Objectives for Information and Related Technology
ƒ SOX: Sarbanes-Oxley Public Company Accounting Reform and Investor Protection Act
ƒ PCI: Visa Payment Card Industry Data Security Standard
ƒ GLBA: Gramm-Leach-Bliley Privacy Act
ƒ FISMA: Federal Information Security Management Act
ƒ NERC: The North American Electric Reliability Council
ƒ GSX: Government Secure Extranet


Reporting in QRadar

QRadar SIEM supports the following regulatory schemas:


• HIPAA: Health Insurance Portability and Accountability Act
• COBIT: Control Objectives for Information and Related Technology
• SOX: Sarbanes-Oxley Public Company Accounting Reform and Investor Protection Act
• PCI: Visa Payment Card Industry Data Security Standard
• GLBA: Gramm-Leach-Bliley Privacy Act
• FISMA: Federal Information Security Management Act
• NERC: The North American Electric Reliability Council
• GSX: Government Secure Extranet


Reports tab
You can search and sort report templates in a similar way as events and flows


Reports tab

You can manage your compliance-related reports together with the rest of the operational reports. They
can either be run on an automatic schedule or manually on request.

Lesson 4 Security Intelligence and enterprise security architecture



What is an architecture?
• An architecture takes into consideration the overall environment in which the system (here: IT
system) will operate
• It lays out all the elements of the IT system and their relationships
• An architecture further describes the fundamental concepts or properties of the IT system; it
focuses on the essentials and does not have to cover everything
• In order to create an IT architecture, every organization should follow well accepted rules and
guidelines
ƒ ISO / IEC 27001:2013 Security techniques – Information security management systems
ƒ ISO / IEC 27002:2013 Security techniques – Code of practice for information security controls
ƒ Control Objectives for Information and Related Technology (COBIT)

What is an architecture?

The British Standard 7799 that preceded the International Organization for Standardization
27001/27002:2013 (ISO/IEC 27001/27002:2013) is the most widely recognized security standard in
the world. The standard started in 1992 as a Code of Practice that evolved into the British Standard
7799 in 1995. The last major publication was in May 1999, an edition that included many
enhancements and improvements over previous versions. When it was republished in December
2000, it evolved into the International Organization for Standardization 17799 (ISO/IEC 17799).
17799 was republished again in 2005 as ISO/IEC 17799:2005(E) with more revisions. In 2007, the
name ISO 17799 was, without further amendment, adapted to the new ISO/IEC numbering
scheme for information security management standards, and the standard is now identified as ISO/IEC
27002:2013.

ISO/IEC 27002:2005 is comprehensive in its coverage of security issues. It contains many control
requirements, some of which are extremely complex. Compliance with ISO/IEC 27002:2005 is not
a trivial task, even for the most security-conscious of organizations.
_____________________________________________

COBIT is a framework that was created by the Information Systems, Audit, and Control Association
(ISACA) and the IT Governance Institute (ITGI) in 1996. It is an internationally accepted framework
that is based on defining the controls and processes that bridge the gap between the business and
the Information Technology view of information security. The framework has gone through multiple
releases over time. The latest version, Version 5, was published in 2012.


What is an architecture? (continued)

• Following these rules and guidelines, an organization should use a well accepted enterprise
security architecture to describe and document all elements and their relationships for the
organization
ƒ TOGAF (The Open Group Architectural Framework)
TOGAF covers the development of four related types of architecture (not security focused); these four types of
architecture are commonly accepted as subsets of an overall enterprise architecture, all of which TOGAF is
designed to support
í Business Architecture
í Data Architecture
í Application Architecture
í Technology Architecture
ƒ O-ESA (Open Enterprise Security Architecture)
The O-ESA is a policy-driven security architecture that places this architecture in the context of a larger
enterprise security program and describes the major elements of an ESA
í Program Management
í Governance
í Architecture
í Operations

What is an architecture? (continued)

TOGAF, a standard from The Open Group, is an architecture framework that provides methods and
tools for assisting you with the acceptance, production, usage, and maintenance of an enterprise
architecture. TOGAF is based on an iterative process model that is supported by preferred
practices and a reusable set of existing architecture assets. TOGAF helps practitioners avoid being
locked into proprietary methods, use resources more efficiently and effectively, and realize a
greater return on investment (ROI). First developed in 1995, TOGAF was based on the US
Department of Defense Technical Architecture Framework for Information Management (TAFIM).
The Open Group Architecture Forum developed successive versions of TOGAF at regular intervals
and published them on The Open Group public website at:

http://www.opengroup.org
_____________________________________________

The O-ESA is a policy-driven security architecture that places this architecture in the context of a
larger enterprise security program and describes the major elements of an ESA: Governance,
Technology Architecture, and Operations.

An enterprise security architecture must be created at the level of the overall corporation, and thus
in relationship with the enterprise architecture, the corporate risk management guidelines, and IT
governance as defined within the organization. As such, the ESA is the part of an enterprise
architecture that defines how to fulfill the objectives of preserving the availability, integrity, and
confidentiality of an organization’s information.

Enterprise security architecture is the specialized framework for fulfilling these objectives while it
satisfies the security demands placed on the IT service organization by its customers. It includes all
aspects of security governance, security technology architecture, and security operations that are
required to protect the IT assets of the enterprise.


Following an enterprise security architecture with Security Intelligence design in mind

The O-ESA Enterprise Security Program is expanded into four concentric rings of responsibility
• Overall Program Management responsibility in the outer ring
• Governance responsibility in the second ring
• Architecture, or Technical Architecture, in the third ring
• Operations responsibility in the inner ring

O-ESA Enterprise Security Program (© The Open Group)

Following an enterprise security architecture with Security Intelligence design in mind

The O-ESA Enterprise Security Program is expanded into four concentric rings of responsibility:
• Overall Program Management responsibility in the outer ring
• Governance responsibility in the second ring
• Architecture, or Technical Architecture, in the third ring
• Operations responsibility in the inner ring

Each ring identifies key components and processes that fall within that responsibility domain. The
components of each ring represent deliverables that further narrow the definition of what must be
provided by the inner rings. The Requirements, Strategy, Planning roadmaps, Risk Management
assessments, Education and Awareness, and the Ongoing Program Assessment from the outer
Program Management ring narrow the definition of what must be provided in the governance,
technology, and the architecture rings.

More information about The Open Group O-ESA can be found here:

https://www2.opengroup.org/ogsys/jsp/publications/PublicationDetails.jsp?publicationid=12380


O-ESA Security Governance

• Principles
Basic assumptions and beliefs that provide overall security guidance
• Policies
The security rules that apply in various control domains
• Standards, Guidelines, and Procedures
The implementation of the policies through technical requirements, recommended practices,
and instructions
• Enforcement
The processes for ensuring compliance with the policies
• Ongoing Assessment (audit)
The process of reviewing security activities for policy compliance

O-ESA Enterprise Security Program (© The Open Group)

O-ESA Security Governance


O-ESA Security Technical Architecture

• Conceptual Framework
Generic framework for policy-based management of security services
• Conceptual Architecture
Conceptual structure for management of decision-making and policy enforcement across a broad set
of security services
• Logical Architecture
Provides more detail about the logical components that are necessary to provide each security service
• Physical Architecture
Identifies specific products, showing where they are, and how they are connected to deliver the
necessary functionality, performance, and reliability
• Design and Development
Guides, templates, tools, reusable libraries, and code samples to aid in the effective usage and
integration of applications into the O-ESA environment

O-ESA Enterprise Security Program (© The Open Group)

O-ESA Security Technical Architecture


O-ESA Security Operations


• Incident Management
The process for responding to security-related events that
indicate a violation or imminent threat of violation of the
security policy
• Vulnerability Management
The process for identifying high-risk infrastructure
components, assessing their vulnerabilities, and taking the
appropriate actions to control the level of risk to the
operational environment
• Compliance
The process for ensuring that the deployed technology
conforms to the organization’s policies, procedures, and
architecture
• Administration
The process for securing the organization’s operational
digital assets against accidental or unauthorized
modification or disclosure
• Deployment
Assumed to be the normal IT deployment process, not a
security operations process
O-ESA Enterprise Security Program (© The Open Group)


O-ESA Security Operations


Working together with the CISO’s office when designing


the Security Intelligence solution
• Security Program Management
ƒ Define Requirements
ƒ Validate Requirements
ƒ Define Strategy and high-level Planning
ƒ Drive or participate in the Risk Management activities

O-ESA Enterprise Security Program Framework (© The Open Group)


ƒ Run Education and Awareness programs for users
ƒ Assess the effectiveness of the implemented security services
and identify possible gaps
• Security Governance
ƒ Define Principles (you can possibly use the principles in the
four security domains)
ƒ Define Policies
ƒ Guide and monitor the translation of Policies into Procedures ,
Guidelines, and Standards
ƒ Perform an Audit and facilitate external audits
ƒ Define and run a policy Enforcement program, and be the
process owner

Nomenclature: In the O-ESA figure, the rectangular boxes represent components or deliverables, and the rounded boxes represent processes


Defining an enterprise security architecture is not a one-time activity. Setting the foundation takes
the most time and effort, but after it is defined, it requires regular updates that are driven by
changes in business requirements, possibly new threats, or disruptive changes in technology.

Although the CISO office cannot play an active role in all security-related activities in an
organization, it must own the Enterprise Security Program and participate as a stakeholder in the
related activities.

In the O-ESA Enterprise Security Program Framework, the CISO office must fulfill its role in several
activities, and this role varies depending on the type of activity.

The slide lists the security activities where the CISO office should play a role.


Working together with the CISO’s office when designing the Security Intelligence solution (continued)

• Security Technology Architecture
ƒ Provide input to the architecture team
ƒ Validate the deliverables for compliance with Policies and Guidelines
• Security Operations
ƒ Have day-to-day follow-up of overall security metrics and key performance indicators (KPIs)
ƒ Decide and adapt an incident severity classification (at time of review or at time of demand)
ƒ Coordinate incident response actions for severe incidents
ƒ Review reports
ƒ (Re)act upon severe out-of-compliance situations

O-ESA Enterprise Security Program Framework (© The Open Group)

Nomenclature: In the O-ESA figure, the rectangular boxes represent components or deliverables, and the rounded boxes represent processes


Unit summary
• Illustrate the integration between Security Intelligence and other IT Security domains to identify
important source data used to populate the Security Intelligence solution
• Describe how Security Intelligence can help detect and stop advanced threats
• Describe how Security Intelligence can help address organizational and regulatory compliance
• Describe how a Security Intelligence solution can be integrated into an overall enterprise security
architecture

Unit 3 Designing a Security Intelligence solution


Unit objectives
• Discuss the high level steps needed to design and implement a Security Intelligence solution
• Describe the detailed activities needed to design and implement a Security Intelligence solution


Designing a Security Intelligence solution involves much more than documenting how to install and
configure a Security Intelligence software product. In this unit we introduce a design methodology
that covers all steps from information gathering to specifying the required maintenance on the
solution. The major steps of the methodology will first be explained, after which the detailed
activities of each major step will be discussed.

Lesson 1 Security Intelligence solution design high level process


High level design steps

• Four major steps define the Security Intelligence solution design; we discuss the first two steps in this unit
• Steps 3 and 4 assume that a Security Intelligence solution has already been selected; we do not discuss these steps in this course
1. Identify the IT Security Framework of choice
A policy framework similar to ISO/IEC 27001/2 ensures that auditing and detection capabilities are included in the framework
2. Design an IT Security Architecture or examine and understand the existing one
A Security Intelligence solution is mostly affected by the auditing, detection, and configuration services architecture; but keep in mind that authorization, access control, authentication, content control, and cryptographic services may also have an impact
3. Implement and deploy the IT Security Architecture as a physical architecture
• Develop or choose IT solutions to implement the IT Security Architecture; in units 4 and 5 we discuss how to select a Security Intelligence product
• In existing IT Security Architecture implementations, the IT Security Intelligence solution ideally meets all criteria required by the IT Security Architecture
4. Design operational processes to implement the IT Security Framework capabilities
The Security Intelligence related operational processes comprise security event management, security compliance, event management, and incident management
Note: Refer to the O-ESA enterprise security architecture for detailed steps

The four major steps in the solution design are:

1. Identify the IT Security procedures used by the organization. Most organizations nowadays
have implemented an IT Service Management framework, like ITIL, COBIT, or ISO/IEC 20000.
These frameworks also contain IT Security process requirements, but do not explicitly detail
which IT Security processes must be implemented or how. To successfully integrate a
Security Intelligence solution, you must first find out how it will be used. If the organization does
not have a clear understanding of how the solution should be used, you can suggest consulting
an IT Security framework like ISO/IEC 27001/2 and selecting specific controls from that framework
to start with. Some of these controls translate into the functional requirements for the Security
Intelligence solution.

2. Design the IT Security architecture for the Security Intelligence solution. The architectural
design must support the functional requirements for the Security Intelligence product. This step
does not yet depend on a Security Intelligence software product. Instead, the architectural
design relies on the functional requirements and how they can be met using the available IT
infrastructure: for example, the types of data that must be collected and archived, alerting and
reporting mechanisms, communication protocol requirements, and so on.

3. Implement and deploy the Security Intelligence solution. Once the architectural design has been
approved, the search can start for a software solution that meets all requirements set out by
the architectural design. In practice, the architectural design is adjusted in minor details at the
end to reflect the capabilities of the selected software product.

4. Design operational processes. Once the Security Intelligence solution is deployed successfully,
processes must be designed to maintain the solution and keep it operational, but also to
document how the solution is integrated and used by IT services, such as event management
and incident management.

In this unit we discuss steps 1 and 2. Steps 3 and 4 assume that a software product has
been selected; we discuss these steps in units 3 and 4, assuming that QRadar SIEM 7.2.x is
the selected software product.


Security Intelligence and IT Security Architectures addressing ISO/IEC 27002 or similar framework
• Auditing
ƒ The Security Intelligence solution is expected to collect, securely archive, and enable effective analysis of audit trails, security relevant logs, and security relevant events
ƒ Risk Management and IT Security Governance frameworks define the required information that needs to be collected in audit trails and security relevant logs
ƒ The Security Intelligence solution must present this information in a format that enables effective event and incident management
• Detection
ƒ The Security Intelligence solution must provide tools that can automatically detect violations of security controls based on collected data
ƒ The detection capability takes into consideration intrusion, anomaly, and vulnerability assessments
• Configuration
Derived from the audit policy defined by Risk Management and IT Security Governance frameworks, the technical audit configuration must be included in the configuration management service; the technical audit configuration is also determined by the auditing and detection capabilities of the data sources for the Security Intelligence solution and by what the solution supports


When defining the functional requirements for a Security Intelligence solution, one can start with the
minimal requirements set out by IT Security frameworks similar to ISO/IEC 27002 or O-ESA. The
security controls defined in an earlier stage of implementation also define the configuration
requirements of the solution and of the sources of event data used by the solution. In the
implementation step, the Security Intelligence solution may not be capable of using the event data
sources, or the sources may not be capable of producing the required data. If this is the case, the
requirements specified in the architectural step might need adjustments.


Security Intelligence additional configuration management requirements

• Integrate asset vulnerability and configuration information for compliance checks and to improve
detection of exploitation and threats
• Use network perimeter device configuration to improve governance enforcement; network device
status monitoring combined with device configuration and vulnerability information can improve risk
and threat detection
• Provide network topology information; the combination of asset configuration information, network
device status monitoring, and network topology information can improve the risk and threat detection
• Ensure that sufficient forensic data is gathered and archived; collections of forensic evidence support
operations incident management


To optimize the Security Intelligence functionalities, the requirements can be stretched to include
the usage of vulnerability, asset management, network (device) configuration, and any computer or
network forensics data. Security Intelligence might help to prioritize a vulnerability based on its
exploitability, or to determine the risk related to a vulnerability. In this step one also realizes that
logging and monitoring is more than gathering event and flow data, also called event auditing. It
should also include frequent checks that assets are configured according to the security policy for
software and hardware configuration, also called status auditing.


Security Intelligence in deployment

• Many organizations employ security officers in a Security Operation Center (SOC); these officers can be considered the primary users of a Security Intelligence solution, and together with the GRC and CISO team, they determine the functional requirements of the solution
• Depending on the IT security maturity level of an organization, you might find an Incident Response Team (IRT) that includes contacts from each software department, such as database management, network management, and software development
• Once the Security Intelligence solution is deployed, the following functional requirements must be fulfilled and configured
ƒ Security incident management
í Inform the SOC about IT security policy violations
í Provide sufficient information to the IRT to analyse and respond to an incident
ƒ Security compliance
í Test if assets or events subject to the IT security policy are indeed in compliance with the IT security policy
í Inform the SOC about non-compliant assets or events
ƒ Event management
í Collect and securely archive the IT security relevant data as required by the IT security policy
í Provide regular (daily) event analysis
í Provide the ability to search IT security relevant data for suspicious activity and send alerts to the SOC if suspicious activity is detected
í Invoke a security incident as soon as possible, preferably in near real time


During the deployment step, the Security Intelligence product integration must be tested to confirm
that it meets the functional requirements defined in an earlier step. Normally this means that the use
cases for incident management, compliance management, and event management must be tested.
The slide lists a few examples of typical use cases.
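As an added example that is not part of the course material, the status-auditing check described in the previous topic and the security compliance use case above, run over a constructed asset inventory: each asset's reported configuration is compared with a small set of policy rules, and the non-compliant assets are ranked for the SOC by asset classification and open vulnerabilities. The rule-to-control mapping, asset names and weighting scheme are assumptions made for this example.

```python
"""Status audit: compare asset configuration records with the IT security
policy and rank the non-compliant assets for the SOC.

Added example for this course page. The policy rules, the control labels
they are mapped to, the asset records and the weighting scheme are
constructed for illustration and are not taken from any product."""
from dataclasses import dataclass


# Constructed policy: (configuration attribute, required value, control label).
# The mapping of attributes to ISO/IEC 27002:2013 clause 12.4 controls is an
# assumption made for this example.
POLICY = [
    ("audit_logging", True, "12.4.1 Event logging"),
    ("log_forwarding", True, "12.4.2 Protection of log information"),
    ("admin_logging", True, "12.4.3 Administrator and operator logs"),
    ("ntp_synced", True, "12.4.4 Clock synchronisation"),
]

# Asset classification weight: findings on critical assets surface first.
CLASS_WEIGHT = {"critical": 3, "high": 2, "low": 1}


@dataclass
class Asset:
    name: str
    classification: str   # critical / high / low
    config: dict          # attribute -> value reported by the asset
    open_vulns: int = 0   # count supplied by the vulnerability scanner feed


@dataclass
class Finding:
    asset: str
    control: str
    attribute: str
    expected: object
    actual: object
    score: int


def status_audit(assets, policy=POLICY):
    """Return one Finding per policy rule an asset violates, highest score first.

    An attribute the asset does not report counts as a violation: the asset
    cannot demonstrate compliance, which is the conservative reading."""
    findings = []
    for asset in assets:
        weight = CLASS_WEIGHT.get(asset.classification, 1)
        for attribute, expected, control in policy:
            actual = asset.config.get(attribute)
            if actual != expected:
                # Open vulnerabilities on a non-compliant host raise its priority.
                score = weight * (1 + asset.open_vulns)
                findings.append(Finding(asset.name, control, attribute,
                                        expected, actual, score))
    findings.sort(key=lambda f: f.score, reverse=True)
    return findings


def soc_report(findings):
    """Collapse findings to (asset, highest score, number of gaps), ranked."""
    per_asset = {}
    for f in findings:
        best, gaps = per_asset.get(f.asset, (0, 0))
        per_asset[f.asset] = (max(best, f.score), gaps + 1)
    rows = [(name, best, gaps) for name, (best, gaps) in per_asset.items()]
    rows.sort(key=lambda row: row[1], reverse=True)
    return rows


# Constructed sample inventory (hypothetical hosts).
SAMPLE_ASSETS = [
    Asset("db-01", "critical", {"audit_logging": True, "log_forwarding": False,
                                "admin_logging": True, "ntp_synced": True}, open_vulns=2),
    Asset("web-03", "high", {"audit_logging": True, "log_forwarding": True,
                             "admin_logging": False, "ntp_synced": False}),
    Asset("kiosk-9", "low", {"audit_logging": False}),   # reports almost nothing
    Asset("fw-edge", "critical", {"audit_logging": True, "log_forwarding": True,
                                  "admin_logging": True, "ntp_synced": True}),
]

if __name__ == "__main__":
    for name, score, gaps in soc_report(status_audit(SAMPLE_ASSETS)):
        print(f"{name:8} priority={score:2} gaps={gaps}")
```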

Lesson 2 Detailed Security Intelligence solution design, implementation, and deployment process


This lesson discusses each step in detail and explains the major activities in each step.


IT Security Framework reference example

• Use an IT Security Framework, such as ISO/IEC 27001 and 27002, as your template for Data Collection
• ISO/IEC documents can be obtained from the ISO/IEC 27001 and ISO/IEC 27002 website


From now on, we assume that the Security Intelligence project is using the ISO/IEC 27002:2013
framework. The security controls and processes discussed are taken from this framework, and the
purpose of the activities is to follow the ISO/IEC 27002:2013 recommendations. In general you
will find that this framework is extensive and may differ only in detail from other frameworks like
O-ESA.

Obtain the ISO/IEC 27001/2 2013 documents from: http://bit.ly/1MspEIj and http://bit.ly/1MrWnKN


Security Intelligence Design (Macro & Micro) – Activity Details

Key delivery activities (left to right in the slide): Data collection; Document detailed use cases and requirements; High level macro design; Detailed and physical micro design; Review and finalize design

Tasks per key delivery activity:

Data collection
ƒ Collect, interview and/or perform workshops to elaborate on IT processes such as incident, problem, change
ƒ Gather security intelligence system requirements
o monitoring use cases
o dashboard, views, and reporting
o asset vulnerability information
o forensic data collection
o network device and topology configuration
o integration targets (ticketing, identity, human resources, change management..)

Document detailed use cases and requirements
ƒ Define, document, and map detailed use cases including any custom data source requirement
ƒ Define, document, and map functional requirements
o logging level specifications for: event collection, normalization, correlation, storage, system access, reporting, customization requirements
ƒ Define, document, and map non-functional requirements
o monitoring, reporting, retention
o regulatory and contractual considerations
o high availability and disaster recovery
o success criteria for target state

High level macro design
ƒ Develop architecture overview diagram and description
ƒ Document architectural decisions
ƒ Update component model and develop macro system design
o data/event source collection protocols and methods
o asset risk weighting criteria
o alert classification criteria
o asset classification profiles
o compliance groupings for assets
o vulnerability scanner usage, configuration, and frequency
o customization requirements
o dashboard requirements
o user accounts and roles
ƒ Develop design document at macro level

Detailed and physical micro design
ƒ Identify and document additional architecture details including physical design
ƒ Define at the micro system design level
o data/event sources and phased integration plan
o firewall rulesets
o updates to use cases
o network topology (including risk weighting) and associated objects
o vulnerability management systems and process integration
o hardware compatibility
ƒ Document interface as well as customization and configuration specifications
ƒ Update design document at micro level

Review and finalize design
ƒ Review and finalize design with stakeholders, SI operations team, and additional QA team as needed
ƒ Develop system test plan
ƒ Conduct deployment planning and update project plan

Scoping inputs
ƒ Prior inputs plus
ƒ Number of use case(s) to be developed and implemented for monitoring
ƒ Number of custom log source parsers to develop
ƒ Number of VA systems to incorporate
ƒ Client and environment complexity (users, roles, network topology, and so on)

The first step in the solution design is investigating and documenting all the requirements. These
requirements are categorized as functional and non-functional requirements. The objective of this
step is to create detailed architectural design documents, containing detailed information on how
the Security Intelligence system must be deployed and implemented to meet all requirements.
Each phase contains a minimal list of activities. The two major phases from a design point of view are:
• Data Collection
• Document detailed use cases and requirements

The remaining phases in this step follow from these two, and therefore we discuss them only
briefly.

High Level macro design

The requirements gathered during the first two phases are translated to the organization's IT
infrastructure to specify the details. Restrictions following from the organization's IT infrastructure
result in architectural decisions that may conflict with the original requirements. Think for example
of the requirement that log data must be collected in near real time, but because of bandwidth
limitations on some network segments, the collection must occur in batches. Requirements
regarding logging, collection, storage, reports, and so on are detailed using the organization's IT
infrastructure as the reference.

Detailed and physical micro design

The next phase almost assumes that one knows the requirements of the Security Intelligence
solution of choice regarding hardware, network footprint, event collection mechanisms, system
integration, and system usage. The micro details describe the requirements to deploy the Security
Intelligence solution. Theoretically one will not know in detail how events are collected by the system
at this point. But one can specify in detail, for example, what vulnerability information must be used
by the Security Intelligence system and how it must be retrieved. Once a Security Intelligence product
is chosen, the micro design is updated to reflect the actual requirements as defined by the product.

Review and finalize design

The macro and micro designs are reviewed by all stakeholders, and the use cases drive the test plan.
But one also creates tests to make sure that the critical non-functional requirements are met.
Now the deployment can start, and the project plan must be updated with the milestones.


Data collection

This lesson reviews in detail each of the four major Data Collection steps. These data collection substeps are examined in the following slides.

Data collection
ƒ Collect, interview and/or perform workshops to elaborate on IT processes such as incident, problem, change
ƒ Gather security intelligence system requirements
o monitoring use cases
o dashboard, views, and reporting
o asset vulnerability information
o forensic data collection
o network device configuration
o integration targets (ticketing, identity, human resources, change management..)


There are two activities in the first phase:

• Gather information about existing incident and monitoring processes, amongst others.
• Gather Security Intelligence requirements. The organization has decided to implement a
Security Intelligence system, so it will likely have requirements for the system to fulfill.

We discuss the first two phases; the boxes in the slide indicate the activities that we concentrate on
in the following slides.


Incident management
• Incident management is required by the IT Security Framework of choice
• Example guidelines are found in Chapter 16 Information security incident management of the
“ISO/IEC 27002 Code of practice for information security controls”


As stated, we assume that the organization uses ISO/IEC 27001/2 2013 as its security
framework. This framework contains guidelines for all IT governance processes that affect the list of
requirements for a Security Intelligence system. Section 16 of the framework specifies the required
controls for incident management. More specifically, paragraphs 16.1.4 to 16.1.7 contain guidelines
for how the Security Intelligence system should support this security control.

16.1.4 Implies that the system must be capable of identifying security incidents and reporting them
in time.

16.1.5 Ideally the system allows tracking and checking whether a reported incident is being worked
on or is solved.

16.1.6 Lessons learned must be applicable to the system to prevent and detect future occurrences
of the same incident. The system must also be able to gather evidence and information to analyze
the root cause of the incident.

16.1.7 The system must be capable of gathering evidence and archiving the data in a secure manner.

These are just some requirements that follow from the security controls.


Integration with incident response tools

• Gather evidence from a variety of integration targets that can be divided into two requirements
ƒ Gather traces of evidence that may support the actual evidence
Think of gathering logs and network traffic meta information that cannot be used as evidence in court because the logs and meta information have been preprocessed
ƒ Gather actual evidence by collecting original audit trails, unprocessed network communication traffic by means of network taps, and other binary data obtained through computer forensics
• Observe the following considerations when capturing and archiving network communication traffic by using taps
ƒ Risk assessment determines the critical network paths that are in scope for collection
ƒ Privacy laws may require that any personally identifiable information (PII) must be deleted as soon as possible, unless it is proven to contain evidence
• Determine how the Incident Response Team prefers to be notified of an incident and what data the team requires to investigate the incident
• Grant necessary access privileges to archived data the Incident Response Team might need


When data must be gathered for evidence, find out if this evidence must be usable in court or if the
evidence is only used to trace how the incident took place. In the first case the data gathered for
evidence must be unprocessed, which means that unprocessed original system and network data
must be archived. For system events this means that the original logs or audit trails, as produced by
the system’s audit subsystem, are collected and archived. For network data this means that the
network packets must be collected by directly copying them off the wire, and archived.

When designing a Security Intelligence solution, it is always tempting to just let the system collect
and archive everything. This may lead to an excess of data and, even worse, the organization might
be breaking an (inter)national law. For example, gathering and archiving personal data that was not
shared with the organization with the consent of the owner of that data is clearly illegal. To prevent
an excess of data, the system should gather data from the systems and network segments that
present a risk to the organization.

The system must be integrated with the systems used by the Incident Response team. Therefore
gather information about the Service Level Agreements used by the IR team to start investigations.
Ideally the system is capable of providing all information required by the SLAs.
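As an added example that is not from the course or from any product, the separation described above between unprocessed originals and derived traces, together with the secure archiving that control 16.1.7 asks for: the original bytes are stored untouched under a keyed digest so later alteration is detectable, and a separate normalized copy serves the analysis. The sample log lines, manifest layout, parsing regex and archive key are constructed for this example.

```python
"""Keep 'actual evidence' (original, unprocessed records) apart from
'traces of evidence' (a normalized copy used for analysis), and archive the
originals with a keyed integrity digest so later alteration is detectable.

Added example for this course page. The log lines, the manifest layout, the
parsing regex and the archive key are constructed for illustration and are
not taken from any product or from the ISO/IEC 27002 text."""
import hashlib
import hmac
import re

# Constructed audit-trail bytes, exactly as the source system would emit them.
RAW_AUDIT_TRAIL = (
    b"Jan 10 08:31:02 srv-01 sshd[4711]: Failed password for root from 10.0.0.5 port 51234 ssh2\n"
    b"Jan 10 08:31:04 srv-01 sshd[4711]: Accepted password for alice from 10.0.0.7 port 51240 ssh2\n"
)

# Syslog-style line layout assumed for the constructed sample above.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) (?P<host>\S+) (?P<proc>[^\[]+)\[\d+\]: (?P<msg>.*)$")


def archive_original(raw, source, collected_at, key):
    """Store the raw bytes untouched next to a manifest describing them.

    The manifest carries a plain SHA-256 fingerprint and an HMAC under a key
    that only the archive owner holds, so re-writing the bytes without the
    key cannot produce a matching digest."""
    manifest = {
        "source": source,
        "collected_at": collected_at,
        "size": len(raw),
        "sha256": hashlib.sha256(raw).hexdigest(),
        "hmac_sha256": hmac.new(key, raw, hashlib.sha256).hexdigest(),
    }
    return {"raw": raw, "manifest": manifest}


def verify_original(entry, key):
    """Re-derive size and digests from the stored bytes; False on any mismatch."""
    raw, manifest = entry["raw"], entry["manifest"]
    expected_hmac = hmac.new(key, raw, hashlib.sha256).hexdigest()
    return (len(raw) == manifest["size"]
            and hashlib.sha256(raw).hexdigest() == manifest["sha256"]
            and hmac.compare_digest(expected_hmac, manifest["hmac_sha256"]))


def normalize_for_analysis(raw):
    """Build the 'trace' copy: parsed fields for search and correlation.

    This copy is derived from the original, so it supports the investigation
    but is not the unprocessed record the course says court use requires."""
    events = []
    for line in raw.decode("utf-8", errors="replace").splitlines():
        match = LINE_RE.match(line)
        if not match:
            continue   # unparseable lines stay only in the raw archive
        event = match.groupdict()
        event["outcome"] = "failure" if event["msg"].startswith("Failed") else "success"
        events.append(event)
    return events


if __name__ == "__main__":
    key = b"constructed-archive-key"
    entry = archive_original(RAW_AUDIT_TRAIL, "srv-01 syslog", "2015-01-10T08:32:00Z", key)
    print("archive intact:", verify_original(entry, key))
    for event in normalize_for_analysis(RAW_AUDIT_TRAIL):
        print(event["host"], event["proc"], event["outcome"])
```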


Change management
• Prepare for violations of IT security policy that might occur because a scheduled change to the IT
environment is performed
• Check if the organization uses a change management system that can inform the monitoring system
that certain violations are expected

Human resource lifecycle
• Check if the organization maintains a workforce lifecycle management system that automatically
assigns user roles and authorizations to employees
• If so, verify that this management system information can be used to automatically build IT security
policy rules for the monitoring system


Change management processes may have a severe impact on the visibility of incidents. Therefore the
Security Intelligence system should ideally be capable of being updated with scheduled change
management requests.

Human Resources systems manage account life cycles. These systems provision accounts with
authorization profiles that can be used by the Security Intelligence system to identify violations of
the authorization schema. Therefore, if possible, find out if such an HR life cycle system is used and,
if so, require that the Security Intelligence system uses the authorization schema to monitor for
violations.

User account directories may be used by the Security Intelligence system to monitor user behavior
based on their user or group privileges. Therefore require the integration between the Security
Intelligence system and any available user directory.
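As an added example, not from the course or from any ticketing, HR or SIEM product, the two integrations described on this page: policy violations are triaged against an approved change calendar so that expected violations inside a change window are annotated with their change id instead of alerting the SOC, and an access event is checked against the role authorizations an HR lifecycle system would provision. The change records, events, roles and field names are constructed assumptions.

```python
"""Triage policy violations against the change calendar and the HR-provisioned
authorization schema.

Added example for this course page. The change records, events, roles and
all field names are constructed for illustration; they do not reflect any
ticketing, HR or SIEM product's data model."""
from datetime import datetime

# Constructed approved changes: the asset, the window, and the violation
# types the change owner declared as expected side effects of the work.
CHANGES = [
    {"id": "CHG-0001", "asset": "web-03", "start": "2015-01-10T22:00",
     "end": "2015-01-11T02:00", "expected": {"service_restart", "config_change"}},
    {"id": "CHG-0002", "asset": "db-01", "start": "2015-01-10T23:00",
     "end": "2015-01-11T00:00", "expected": {"config_change"}},
]

# Constructed policy violations raised by the monitoring system.
EVENTS = [
    {"time": "2015-01-10T22:15", "asset": "web-03", "type": "config_change"},
    {"time": "2015-01-10T22:20", "asset": "web-03", "type": "privilege_escalation"},
    {"time": "2015-01-10T23:30", "asset": "db-01", "type": "config_change"},
    {"time": "2015-01-11T00:30", "asset": "db-01", "type": "config_change"},   # window closed
    {"time": "2015-01-10T22:10", "asset": "kiosk-9", "type": "config_change"},  # no change
]

# Constructed authorization schema as an HR lifecycle system would provision it.
ROLE_ACCESS = {"dba": {"db-01"}, "webadmin": {"web-03"}}
USER_ROLES = {"alice": {"dba"}, "bob": {"webadmin"}}


def _parse(stamp):
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M")


def matching_change(event, changes=CHANGES):
    """Return the approved change that explains this violation, or None.

    A match needs the same asset, a time inside the window (end exclusive)
    and a violation type the change declared as expected."""
    when = _parse(event["time"])
    for change in changes:
        if (change["asset"] == event["asset"]
                and _parse(change["start"]) <= when < _parse(change["end"])
                and event["type"] in change["expected"]):
            return change
    return None


def triage(events, changes=CHANGES):
    """Split violations into SOC alerts and expected ones annotated with the change id.

    Expected violations are kept, not discarded: the record still matters
    when the change is reviewed or the window is later disputed."""
    alerts, expected = [], []
    for event in events:
        change = matching_change(event, changes)
        if change is None:
            alerts.append(event)
        else:
            expected.append({**event, "change": change["id"]})
    return alerts, expected


def authorization_violation(user, asset, user_roles=USER_ROLES, role_access=ROLE_ACCESS):
    """True when none of the roles provisioned to the user grants the asset."""
    allowed = set()
    for role in user_roles.get(user, set()):
        allowed |= role_access.get(role, set())
    return asset not in allowed


if __name__ == "__main__":
    alerts, expected = triage(EVENTS)
    for e in alerts:
        print("ALERT   ", e["time"], e["asset"], e["type"])
    for e in expected:
        print("EXPECTED", e["time"], e["asset"], e["type"], e["change"])
    print("alice on web-03 violates schema:", authorization_violation("alice", "web-03"))
```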


Data collection

• Collect, interview and/or perform workshops to elaborate on IT processes such as incident, problem,
change
• Gather security intelligence system requirements
o monitoring use cases
o forensic data collection
o dashboard, views, and reporting
o asset vulnerability information
o network device configuration
o integration targets (ticketing, identity, ...)


Monitoring use cases


• Log collection from the IT environment is required by the IT Security Framework of choice
• Example guidelines are found in Chapter 12.4 Logging and monitoring of the “ISO/IEC 27002 Code
of practice for information security controls”


Monitoring use cases

Section 12 of ISO/IEC 27002 2013 contains paragraphs addressing controls for Logging and
monitoring. These controls directly affect the functional requirements for the Security Intelligence
system.


IT security policy for logging (1 of 2)


• Frameworks like ISO usually do not specify which user activities, exceptions, or information security
events must be logged
• A risk assessment determines the level of logging required; the results of such an assessment
typically include a set of security controls to manage the risks
• Part of these security controls are the logging requirements to ensure that these controls can be
checked and balanced
• In practice, organizations know the business processes that expose a risk, but do not know how these are
represented in the IT environment
• For example, financial transactions run at the end of a day using a computer generated list; the questions are
how this list is produced and processed, and which computer platforms and networks are involved
• Organizations that have not defined an IT security policy for logging frequently start with a baseline
security policy for logging
• Start with IT systems essential to the business
• A good approach is to follow the Common Criteria guidelines to meet the audit requirements for each computer
platform


IT security policy for logging

Although section 12 of ISO/IEC 27002 2013 does not specify what type of user actions must be
logged, you will find some guidance in other paragraphs. For example, paragraph 9.4.2 suggests
that one should log all account log-on activity.

The proper way to determine what user actions, and in general what data, must be collected is to
use the results of the organization’s most current risk assessment. This assessment contains
information about the risks that must be addressed and managed. The result is a collection of security
controls that define how


IT security policy for logging (2 of 2)


• Determine the reasonable level of exposure of the organization to the actual threat landscape and the
possible impact on day-to-day business; examples include:
• What might be the impact of a DDoS attack on the day-to-day business operations?
• Are computers, which contain customer data, accessible from the DMZ, and if so, what is the network path
likely to be used?
• Computer-based logging alone may not be sufficient; it possibly has to be extended with network traffic
monitoring according to the organization’s network information flow and forensics policy


IT security policy for logging (2 of 2)

To complete the assessment of systems and network segments or infrastructure that will be
integrated with the Security Intelligence system, one also has to consider the actual exposure of the
systems to the current threat landscape. The Security Intelligence system can benefit from the
collection, analysis, and archiving of network data: detection of incidents can become more
effective and the system can provide more details for analyzing the incident. Also consider collecting
and archiving the complete traffic on critical network paths, to provide network forensic evidence
when needed and to allow deep analysis where normalized event data cannot provide it.


Create a baseline security policy for logging using Common Criteria


Use Common Criteria to create a logging baseline security policy
1. Create a list of computer systems and software versions critical to the organization; these can include
databases, applications, operating systems, and network devices
2. Check which platforms are certified by Common Criteria (a list of certified products can be found at
the Common Criteria Portal)
If the platform type and version is not certified, you might conclude that actions on that platform are not
auditable, which is most uncommon and undesirable
3. Obtain the Security Target documents for each platform type and version

The structure of these documents is very similar, and you only have to concentrate on the
information regarding the class FAU and the requirements FAU_GEN.1.1 and FAU_GEN.1.2
4. The list of auditable events for the security target informs you about what Common Criteria
recommends to be logged for the platform type; this contributes to the recommendation of baseline
security policy for logging
5. Investigate how the platform type must be configured to generate the auditable events; in some
cases, the Security Target documents contain a mapping of the baseline recommendations and the
platform’s audit functions (Hint: search for the words “audit function” in the Security Target document)


Create a baseline security policy for logging using Common Criteria

After identifying the sources from which the Security Intelligence system receives data, the next
important step is to configure these data sources to produce sufficient data for the Security
Intelligence system to meet all functional requirements. In the case of network related data sources
(taps, flow collectors, and so on), the configuration options are limited to the location of the network
taps and the use of flow filters. The configuration options for host systems such as databases,
operating systems, and applications are more specific. It is essential that in this design phase one
already has a clear understanding of what data can be retrieved from the sources, in order to decide
which security controls, or use cases, can be supported by the Security Intelligence system. The goal
is that the architectural design will only contain use cases for which data can be collected from the
sources.

This introduces a field of IT expertise that is not commonly available, namely system expertise on
the topic of auditing. Most system experts are familiar with the architecture and available tools on
the system, but lack deep knowledge of how the audit subsystem works. This is why system
security has long been neglected and is still the field of experts. Luckily there are guidelines and
standards for audit subsystem architectures, and one of them is Common Criteria. For an
introduction to the Common Criteria standard, check this website: http://bit.ly/1G6ojz5

In the Common Criteria Portal one will most likely find a Security Target (ST) document for a specific
Target Of Evaluation (TOE), the system that is evaluated against one of the Common Criteria’s
Evaluation Assurance Levels (EAL). From a practical point of view, a system certified by Common
Criteria should be certified at least at EAL 4 before it makes sense to integrate the system in a
Security Intelligence solution. EAL 4 assures that the system has an audit subsystem that allows
the user to log security relevant activities on the system in detail.

These Common Criteria documents are a good start for anyone who needs to understand the audit
capabilities of a specific system. Details about the system’s audit subsystem can most likely be
found in the product documentation. Searching the Internet for “<system type and version>
security auditing guide” (e.g. oracle 11.2 security auditing guide) will already give you some hints on
where to search for this information.

Another useful application of the Common Criteria documents is looking at the audit
requirements defined by Common Criteria for a certain class. For example, if you look at the
Security Functional Requirements CCPART2V3.1R3, you will find the audit requirements defined
for class FDP, requirement FDP_ACF.1, on page 59 of that document.

In case the organization has no policy regarding audit requirements for some of their systems, you
can at least make a good start by suggesting to use the audit requirements as defined by Common
Criteria. This has the benefit that these guidelines are widely accepted as an industry standard.


Determine the network information flow and forensics policy


1. Obtain the organization’s IT network topology
2. Locate the known critical systems in the topology
3. Locate the critical business processes on the topology
4. Derive the typical network information flows from the result
• Protocol
• IP Addresses
• Ports
• Data size footprint/day
5. The result can be considered the network flow policy
6. Determine where in the network to best monitor the traffic
7. Determine which network devices must be monitored in addition to the host computers already
included in the baseline security policy for logging
8. Decide if and where to tap the network to gather forensic evidence and if this must be done continuously


Determine the network information flow and forensics policy

To define the requirements regarding network data and network forensics, start by obtaining the
network topology and locate the critical systems in the topology. Also find out what the critical
business processes are, so you can track the communication paths in the topology that can be
interesting to monitor. The result is an overview of normal communication by systems, protocols,
ports, and maybe even by normal size of data. Any anomaly regarding these characteristics is
considered suspicious network communication. Therefore you can recommend that the result of
this investigation be used as the network flow policy. The Security Intelligence system can use
this information to collect, filter, and monitor the essential network information flows. Depending on
the level of detail required by the use cases, the Security Intelligence system must either collect
network accounting flows, flows with layer 7 data, or tap into the network to obtain all data
packets.

If the use cases require all data packets to be collected for forensic evidence, then find out if
evidence must be collected after an incident was detected, or if data packets must always be
collected. If Personally Identifiable Information (PII) is also collected, then this data is subject to
local privacy laws. If it is evidence, then different criteria apply.
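The network flow policy derived in steps 4 and 5 above (systems, protocols, ports, and daily data size) can be checked mechanically against observed flow records, which is what the Security Intelligence system does when it monitors the essential flows. The following is an added example, not from the course materials: the policy entries, addresses, and NetFlow-like records are constructed, and the byte thresholds stand in for the "data size footprint/day" from the slide.

```python
"""Check observed flow records against the network flow policy derived from
the critical business processes.  Added example, not from the course
materials; the policy and the flow records below are constructed."""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class FlowRule:
    """One expected information flow: who talks to whom, over what, and how much per day."""
    src: str                # host or network, e.g. "10.1.2.0/24"
    dst: str
    proto: str              # "tcp" or "udp"
    dport: int
    max_bytes_per_day: int  # normal daily volume observed when the policy was derived


def _in_net(spec, ip):
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


def matching_rule(policy, src, dst, proto, dport):
    """First policy rule that covers the flow, or None when the flow is not expected."""
    for r in policy:
        if r.proto == proto and r.dport == dport and _in_net(r.src, src) and _in_net(r.dst, dst):
            return r
    return None


def check_flows(flows, policy):
    """Aggregate raw flow records per day and flow tuple, then report flows that are
    absent from the policy and flows whose daily volume exceeds the baseline."""
    totals = defaultdict(int)
    for f in flows:
        totals[(f["day"], f["src"], f["dst"], f["proto"], f["dport"])] += f["bytes"]

    findings = []
    for (day, src, dst, proto, dport), total in sorted(totals.items()):
        rule = matching_rule(policy, src, dst, proto, dport)
        if rule is None:
            findings.append({"day": day, "kind": "unexpected_flow", "src": src, "dst": dst,
                             "proto": proto, "dport": dport, "bytes": total})
        elif total > rule.max_bytes_per_day:
            findings.append({"day": day, "kind": "volume_exceeded", "src": src, "dst": dst,
                             "proto": proto, "dport": dport, "bytes": total,
                             "limit": rule.max_bytes_per_day})
    return findings


# Constructed policy for two business processes:
#   - branch application servers query the core database
#   - the batch server delivers the end-of-day settlement file to the bank gateway over SFTP
POLICY = [
    FlowRule("10.1.2.0/24", "10.1.3.10", "tcp", 1521, 2_000_000_000),
    FlowRule("10.1.4.5", "10.1.9.20", "tcp", 22, 50_000_000),
]

# Constructed flow records, already reduced to the fields used here.
SAMPLE_FLOWS = [
    {"day": "2015-06-01", "src": "10.1.2.15", "dst": "10.1.3.10", "proto": "tcp", "dport": 1521, "bytes": 500_000_000},
    {"day": "2015-06-01", "src": "10.1.4.5", "dst": "10.1.9.20", "proto": "tcp", "dport": 22, "bytes": 30_000_000},
    {"day": "2015-06-01", "src": "10.1.4.5", "dst": "10.1.9.20", "proto": "tcp", "dport": 22, "bytes": 30_000_000},   # second transfer the same day
    {"day": "2015-06-01", "src": "10.1.2.15", "dst": "203.0.113.7", "proto": "tcp", "dport": 443, "bytes": 1_000_000},  # branch server talking to the Internet
    {"day": "2015-06-01", "src": "10.1.2.15", "dst": "10.1.3.10", "proto": "tcp", "dport": 22, "bytes": 20_000},        # SSH to the database host is not in the policy
]


if __name__ == "__main__":
    for finding in check_flows(SAMPLE_FLOWS, POLICY):
        print(finding)
```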


Dashboards, views, and reports


• Discuss the use cases with the SOC team and document what action they take if they need to follow
up a use case
• By definition, every Security Intelligence use case requires access to reports, views, or dashboards;
determine what information should be available for the SOC to effectively follow up on a use case
• Dashboards typically inform the SOC team in near real time about Security Policy violations and
incidents
• Views help the SOC team to investigate an incident and gather detailed information
• Reports are part of the security controls, and help the SOC team to check that process guidelines
have been followed
For example, a report containing a list of user accounts created must contain enough information for
the SOC team to check if the account was created in accordance with all change management
procedures and security procedures
• In general, the content required in reports, view, and dashboards is defined by information the SOC
team needs to successfully process the security policy violation or incident


Dashboards, views, and reports

Any Security Intelligence system must have the capability to allow the SOC team to:
• Be alerted in near real time of security incidents
• Monitor the security status of the whole IT infrastructure by means of security dashboards
• Generate and view the reports needed for the use cases
• Analyze any number of events in detail

Determine with the SOC team how the information must be made available and what information
must be made available in each of the above formats. These will then be the functional
requirements regarding reports, views, and dashboards.



Technical vulnerability management


• Vulnerability management is required by the IT Security Framework of choice
• Example guidelines can be found in 12.6 Technical vulnerability management of the “ISO/IEC
27002 Code of practice for information security controls”


Technical vulnerability management

Frequent discovery of technical vulnerabilities of the systems improves the risk assessment by the
Security Intelligence system and helps to provide more accurate information about security
incidents. Therefore if the organization has vulnerability scanners in place, require that this
information is gathered by the Security Intelligence system and used to improve security incident
detection and reporting.


Vulnerability management information


• Find out if the organization has an existing vulnerability management process
This can be as simple as updating all IT systems to the latest patch level, or as complex as a process that requires risk
assessment of found vulnerabilities in production and deployment of patches after going through test and acceptance before
deploying to production
• The risk assessment of vulnerabilities requires knowledge about the probability that a vulnerability can
be exploited; this may depend on the exposure of the system to threats related to the vulnerability
For example, if a vulnerability relates to the use of remote procedures and the IT system does not accept inbound connections
at all, then the risk related to this vulnerability of the IT system can be neglected
• Obtain network device configurations to determine exposure of assets to threats
For example, if a vulnerability relates to the use of specific network ports and the IT system is located in a network segment
where these ports are blocked, then the risk related to this vulnerability of the IT system can be neglected
• Determine if the organization uses vulnerability scanners; the scan results combined with the risk
assessment results can help monitor the IT environment more efficiently
For example, if a vulnerability has been identified on an IT system and the exploit risk for this particular vulnerability is high,
then monitoring should focus on possible exploitation of this vulnerability until the vulnerability has been mitigated
• Use the information about network information flow policy and the vulnerable IT systems to scale
the risk that these systems are actually exploited using the vulnerability; this is a repetitive
assessment task


Vulnerability management information

Using technical vulnerability information is a good start to improve Security Intelligence
reporting and detection. But if the system is also required to provide information for the risk
assessment processes, then these vulnerabilities must be put into context. For example, a high risk
vulnerability that exposes the system to an RPC attack is only an actual risk if the system accepts
connections on any of the standard RPC ports and network traffic containing any of the RPC protocols
to the system is also allowed. Therefore it is important to use the network information flow policy as
the context for the technical vulnerability information.
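The contextualization described above (a scanner finding only counts when the vulnerable service is actually listening and some network zone is allowed to reach it, and high-risk findings that are reachable get monitoring focus) can be expressed as a small assessment routine. This is an added example, not from the course materials or any product: the firewall rules, the inventory of listening services, and the vulnerability records are constructed, and the vulnerability ids are placeholders.

```python
"""Put scanner findings into the context of the network flow policy and the
network device configuration.  Added example, not from the course materials;
firewall rules, listening services and vulnerabilities are constructed, and
the vulnerability ids are placeholders."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class FirewallRule:
    """Simplified first-match rule; proto "any" and port 0 match everything."""
    src_zone: str   # "internet", "branch", ...
    dst: str        # host or network
    proto: str
    dport: int
    action: str     # "allow" or "deny"


@dataclass(frozen=True)
class Vulnerability:
    asset: str
    ip: str
    vuln_id: str    # placeholder id, not a real advisory number
    proto: str
    dport: int      # port of the vulnerable service
    severity: str   # scanner severity: "high", "medium", "low"


def _rule_matches(r, ip, proto, dport):
    return (r.proto in ("any", proto) and r.dport in (0, dport)
            and ipaddress.ip_address(ip) in ipaddress.ip_network(r.dst, strict=False))


def zones_reaching(rules, zones, ip, proto, dport):
    """Zones from which the service is reachable: first matching rule per zone
    decides, and no matching rule means implicit deny."""
    reaching = set()
    for zone in zones:
        for r in rules:
            if r.src_zone == zone and _rule_matches(r, ip, proto, dport):
                if r.action == "allow":
                    reaching.add(zone)
                break
    return reaching


def contextual_risk(vuln, rules, zones, listening):
    """Return (exposure, reached_from, action).

    exposure is "none" when the host does not listen on the port or no zone can
    reach it (the finding can be deprioritized), "external" when the Internet
    zone reaches it, otherwise "internal".  action is "focus_monitoring" for
    high-severity findings that are actually reachable, "routine_patching" else.
    """
    if (vuln.proto, vuln.dport) not in listening.get(vuln.ip, set()):
        return "none", frozenset(), "routine_patching"
    reached = zones_reaching(rules, zones, vuln.ip, vuln.proto, vuln.dport)
    if not reached:
        return "none", frozenset(), "routine_patching"
    exposure = "external" if "internet" in reached else "internal"
    action = "focus_monitoring" if vuln.severity == "high" else "routine_patching"
    return exposure, frozenset(reached), action


ZONES = ["internet", "branch"]

# Constructed firewall configuration, evaluated top-down per zone.
FW_RULES = [
    FirewallRule("internet", "10.1.3.0/24", "any", 0, "deny"),    # nothing from outside reaches the DB segment
    FirewallRule("branch", "10.1.3.0/24", "tcp", 1521, "allow"),  # branches may query the database
    FirewallRule("internet", "10.1.9.20", "tcp", 443, "allow"),   # public web front end
    FirewallRule("branch", "10.1.9.20", "tcp", 443, "allow"),
]

# Constructed inventory of listening services per host (from the asset / flow data).
LISTENING = {
    "10.1.3.10": {("tcp", 1521), ("tcp", 22)},
    "10.1.9.20": {("tcp", 443), ("tcp", 22), ("udp", 161)},
}

SAMPLE_VULNS = [
    Vulnerability("db01", "10.1.3.10", "VULN-EXAMPLE-1", "tcp", 1521, "high"),   # reachable from branches
    Vulnerability("db01", "10.1.3.10", "VULN-EXAMPLE-2", "tcp", 135, "high"),    # RPC service is not listening
    Vulnerability("web01", "10.1.9.20", "VULN-EXAMPLE-3", "tcp", 443, "high"),   # reachable from the Internet
    Vulnerability("web01", "10.1.9.20", "VULN-EXAMPLE-4", "udp", 161, "medium"), # SNMP listens, no rule allows it
]


def assess_all(vulns=SAMPLE_VULNS):
    return {v.vuln_id: contextual_risk(v, FW_RULES, ZONES, LISTENING) for v in vulns}


if __name__ == "__main__":
    for vid, (exposure, reached, action) in assess_all().items():
        print(vid, exposure, sorted(reached), action)
```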


Asset configuration management


• Check if the organization has an asset management system that also scans the software installed on
the assets; these scan results have to be compared with the IT security policy requirements regarding
allowed software usage and any violation must be reported
• Software usage footprints can also be indicated by usage of ports and protocols on assets; this
requires monitoring network information flows that can be linked to a managed asset
• Assets may include network devices, physical access devices, servers, desktops, laptops, and mobile
devices such as smartphones and tablets

Software configuration management


• Software configuration and deployment may be tested frequently by a web application security testing
and monitoring tool
• Automated penetration and source code evaluation tests are typically used by these tools
• Test results may contain additional vulnerability information that can be used to improve the incident
monitoring capabilities of the IT Security Intelligence solution


Asset configuration management

Asset management systems manage configuration information of assets: the software that is
expected to be installed on the assets and also how this software is configured. They may also contain
information about assets that are not in compliance with the security policy, meaning that these assets
either have software installed, or are missing software, with the result that they are not
compliant. It could also be that the software footprint is correct, but the configuration of the
software is not. Think for example of a firewall device that did not load the correct firewall
rule set, with the result that the device introduces an elevated risk on the IT infrastructure. If the
Security Intelligence system can use the information managed by asset management systems,
then it will be better at informing about the impact of incidents and the risks introduced by
non-compliant assets.

Nowadays organizations schedule yearly black box security tests on their IT infrastructure. Not only
do they perform disaster recovery tests and fail-over tests, but also penetration tests to find out if
their defense tools and processes are strong enough. These penetration tests can also be done by
an application security testing and monitoring tool. These tools test if applications are vulnerable to
attacks such as SQL injection, cross-site scripting, buffer overflows, and so on. Like vulnerability
scanner results, this information is valuable for any Security Intelligence tool, because the system
may use it to inform about elevated risks, or to inform about the possibility of an incident
occurring if, for example, the system finds patterns in the network information flow that resemble
the use of SQL injection. Therefore if the organization deploys an application security testing and
monitoring tool, then suggest that the Security Intelligence system integrates the results of the tests
performed by that tool.

Lesson 3 Document detailed use cases and requirements


Documentation of detailed use cases


The use case model describes the functional requirements of the overall IT system(s); the model
typically uses graphical symbols and text to specify how users in specific roles use the system, and
more detailed text explains the use cases from a user’s point of view

Use case models do not describe how the system works internally, nor do they describe any internal
structure or mechanisms

Purpose
The main purpose of the use case model is to establish the boundary of the Security Intelligence system
and fully document its functional capabilities with respect to the users; the major focus areas in a use
case model are listed below
• Identify objects, object functionality, interaction, and interfaces
• Define test cases
• Produce user support materials and documentation


Documentation of detailed use cases

Determining the use cases for the Security Intelligence system is fundamental for the whole
solution design project. Without the use case, one cannot determine how the system is used, what
the success criteria are, and how the solution is configured. Information to obtain:
• Identify the actors in each use case
Who is involved?
• Means and flow of communication
How do the actors communicate and what is the order of information exchange?
• Preconditions for each use case
What is needed for the use case to be applicable?
• The flow of events
What are the steps in the use case from start to termination?
• Termination outcome description
What is the purpose of the use case?
• Successful completion description
What are the criteria to determine that the use case has terminated successfully?
• Failure condition description
What are the consequences if the use case did not terminate successfully?
• Dependencies with other use cases
Are there any other use cases on which this use case relies?

Use flow charts whenever you describe flow of communication or events. It makes it much easier to
follow the sequences.


Documentation of functional requirements


The functional requirements document the operations and activities that an IT system must be able to perform;
functional requirements should include the following aspects
• Descriptions of data to be entered into the system
• Operations performed
• Workflows performed
• System reports or other outputs
Functional requirements consist of the following items
• Business rules
• Administrative functions
• Authentication
• Authorization levels
• Audit tracking
• External interfaces
• Certification requirements
• Reporting requirements
• Historical data
• Legal and regulatory requirements

Documentation of functional requirements

Before the organization can start looking for a Security Intelligence software product, it must know
what it requires from the product. This is described by the functional requirements. They contain the
use cases described on the previous pages, but also how the product must fit into the existing IT
infrastructure and processes. For example:

The use cases define a functional requirement that the system must collect, normalize, report, and
archive log data, while the organization’s business rules and regulatory requirements state that
administration of the system must be done by application administrators who shall not have access
to the log data by any means. On top of this, any administration action on the system must be
auditable.


Documentation of functional requirements (2 of 2)


Purpose of functional requirements
Functional requirements are used to address the following aspects
• Define what the IT system must do
How the system implements these functions is described in the design specification
• Clearly outline the user requirements
• Assess the viability of the proposed IT system
• Detail the capabilities and functions that the IT system is capable of performing; provides assurance that the IT
system will indeed correctly and reliably perform its intended functionality
The work products that use the functional requirements as input include the following
• Architecture overview
• Component model
• Operational model
• High level design document (macro design)


Documentation of functional requirements (2 of 2)

The organization may be using an architectural framework like The Open Group Architecture
Framework (TOGAF, http://pubs.opengroup.org/architecture/togaf9-doc/arch/index.html) which
recommends using so-called work products. These architectural work products or artifacts cover a
specific area of the design and they take so-called building blocks as input (see
http://pubs.opengroup.org/architecture/togaf9-doc/arch/index.html for definitions). For example, the
functional requirements regarding use cases together form one building block that can be reused in
several work products. In fact, the different types of functional requirements that are discussed on the
previous pages are each building blocks that find their way into the architectural work products.

These building blocks will also be used as guidelines in the deployment and implementation steps.
The Security Intelligence product specialist should be aware of the building blocks that matter to the
product she or he is implementing. Therefore, if you haven’t been involved in the architectural
designs and if your responsibility is to implement and deploy the product, still try to obtain the
relevant building blocks to make sure that you are following the architectural guidelines.


Documentation of non-functional requirements


The non-functional requirements specify the service levels that the IT system must satisfy, the required
non run-time properties of the system, and the constraints to which the IT system must conform; non-
functional requirements might apply to the IT system as a whole, to parts of the system, or to particular
use cases
Non-functional requirements are used to address the following aspects
• Service Level Requirements (SLRs) that define the following run-time properties that the IT system
must satisfy
• Capacity and performance
• Availability
• Security
• System management
• Other required non run-time properties of the IT system, including portability, and maintainability
Non-functional requirements are also used to address the following constraints to which the IT system
must conform
• Business constraints
• Technical standards
• Technical constraints such as existing hardware that the DBMS must use

Documentation of non-functional requirements

Besides the functional requirements, one also has to gather and document the non-functional
requirements. These requirements are likely to be driven by availability, security, and system
management SLRs. Think of the requirements regarding responsiveness of the system, or downtime
in case of a disaster. Again, these requirements are documented in building blocks and may well
have to be considered when implementing and deploying the Security Intelligence product.

© Copyright IBM Corp. 2015 3-34



Documentation of non-functional requirements (2 of 2)


Purpose of non-functional requirements
• Non-functional requirements are used to address the following aspects
  • Define clear requirements and constraints for the IT system, which are necessary for a successful
  project because they define the project’s goals
  • Early system sizing and estimates of cost
  • Viability of the proposed IT system
  • Drive the design of the operational models
• Non-functional requirements are frequently the most important determining factor of the overall
solution architecture
  • Two IT systems based on the same use cases but with different non-functional requirements may
  result in very different solution architectures


Documentation of non-functional requirements (2 of 2)

The non-functional requirements impose requirements on the architecture of the Security
Intelligence system. It might well turn out that these requirements cannot be met by a given
Security Intelligence system. For example, two products may offer the same Security Intelligence
functionality while only one of them can meet the requirements regarding performance and
responsiveness.

© Copyright IBM Corp. 2015 3-35



Document detailed use case and requirements

Document detailed use cases and requirements
ƒ Define, document, and map detailed use cases including any custom data source requirement
ƒ Define, document, and map functional requirements
  o storage
  o logging
  o event collection
  o reporting
  o normalization
  o correlation
  o system access
  o customization requirements
ƒ Define, document, and map non-functional requirements
  o retention
  o regulatory and contractual considerations
  o high availability and disaster recovery
  o success criteria for target state

In this step, we do not discuss in detail:
• Normalization: To correlate events and clearly inform the user of the Security Intelligence system,
the system must normalize the original events
• Correlation: Use cases require correlation of logs and other data sources; for example, to identify
a brute force attack followed by unauthorized data access
• System access: Data gathered by the system is confidential and must be protected by an
authorization and authentication mechanism; the required quality of this mechanism has to be
documented
• Customization requirements: Maybe the organization knows upfront that any Security Intelligence
system needs customization; for example, it might be required that the system runs on domestic,
custom built hardware
• Success criteria: Any project must have criteria to determine if the project was a success or a failure

Document detailed use case and requirements

In the next pages we detail some functional and non-functional requirements. Others are not
discussed because they are considered straightforward.

Normalization: Every Security Intelligence tool must present the report data in a normalized format.
Not only does this eliminate the need for specialists to understand the raw data, but effective
correlation also benefits from normalization of the original log data.

Correlation: Security Intelligence is all about correlating data from different sources in an intelligent
manner. Thus correlation of data is an obvious critical requirement.

System access: As discussed before, data gathered by the system includes PII and must therefore
be safeguarded by security controls that restrict data access to authorized personnel only, and all
access must be auditable. One might even simply require that the Security Intelligence system be
certified according to the Common Criteria EAL-4 standard.

Customization requirements: The system must be customizable. Frequently organizations require
that the system collects data from software that has been developed in house.

Success criteria: One must always define the criteria for successful termination of the project.

© Copyright IBM Corp. 2015 3-36



Storage
• Based on the IT security policy for logging, configure the machines in scope to meet the logging
requirements
• For 7 days, monitor the daily amount of logging data generated
• Determine daily logging thresholds by using the number of audit records written to the audit vault every day
• Remember that some audit subsystems overwrite when the audit trail file is full and others switch between
audit trail files in the vault
• Determine the impact of logging on the machine performance, and determine if system performance
remains within the service availability requirements as defined by risk management
• Use flow accounting information, like Netflow,Jflow, or Sflow, if available, to estimate the amount of
flow data that will be generated on the network information flow capture points, as determined by the
network information flow policy
• If flow accounting information is not available, determine the maximum bandwith of each network
connection in scope and assume an average of 70% utilization of the bandwith


Storage

Any Security Intelligence system struggles with the question of how much storage is required. Log
and flow data must be stored for reporting and to meet regulatory requirements. The retention
defines for how long this data must be kept. But first one has to determine the average daily amount
of data that is collected. It is crucial to use the IT security policy for logging to configure the data
sources so that they only log what is needed for the use cases, reporting requirements and
incident management. Once the data sources are configured, monitor the log data generation for 7
days, and keep in mind that some audit subsystems overwrite their audit trail files while others
create new files when the maximum size of an audit trail has been reached.

At this point you can also assess the impact of auditing or logging on all systems. Logging and
auditing always have an impact, simply because these processes require writing to storage and
CPU processing to determine if and what must be stored. It is crucial that the impact on system
performance does not violate any SLRs regarding availability and performance of the system itself;
for example, a database application whose performance metrics drop significantly because of
logging and auditing.

To estimate the size of network data, first use the Network Information Flow policy to determine
what flows must be collected and where, that is, from which network segments, these flows must be
collected. If available, use flow accounting information to estimate the average daily flow data size.
If you cannot use flow accounting information, then determine the bandwidth of the lines in the
network segments of interest, and assume that on a daily basis 70% of the bandwidth is utilized.

Once you have the sizing metrics for storage, and consequently for event and flow processing,
assume that these numbers equal 80% of the required daily storage and processing capacity. This
is to avoid system overload caused by peaks resulting from an attack or other system activity. So if

© Copyright IBM Corp. 2015 3-37


you find that the average number of events per second from all data sources equals 100 EPS, then
require that the Security Intelligence system must be able to process (100/80) * 100 = 125 EPS.

© Copyright IBM Corp. 2015 3-38



Retention time
• IT regulations usually define the log retention time for all log data
This retention time is different from the time the log data must ideally be kept online for daily monitoring
Best practice is to keep 90 days of log data online
• Local privacy laws might apply to the log retention time
For example, audit trails or flows containing customer data which can be used to identify a natural
person (PII) may be kept for 2 years, but should be deleted as soon as possible
• Include any requirements regarding Logging and Monitoring services, such as high availability and
backup, that increase the required amount of storage


Retention time

It is important to realize that log and flow data do not always have to be kept available for immediate
reporting and investigation. Although regulations may require that log and flow data be kept for 2
years or more, large portions of that data may be kept on offline storage like tape devices or ROM
devices. Best practice is to keep 3 months of log and flow data in online storage for reporting and
investigation.
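The sizing rules from the Storage and Retention time pages (a 7-day sample of daily event counts, the 70% link utilization fallback, the 80% headroom rule, 90 days of online retention) as an added Python example. This is not part of the course material; the data source names, daily counts, event sizes, link speed and the 730-day total retention used in the sample are constructed.

```python
"""Sizing helper for event rate, flow volume and storage tiers.

Added example, not part of the IBM course material. It applies the rules of thumb
stated in the text: a 7-day sample of daily event counts, flow volume estimated
from link bandwidth at 70% utilization when no flow accounting exists, the observed
average treated as 80% of the required capacity, and retention split into online
(90 days) and offline (regulatory total) storage. All sample numbers are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List

SAMPLE_DAYS = 7            # monitoring window prescribed by the text
HEADROOM = 0.80            # observed average == 80% of required capacity
LINK_UTILIZATION = 0.70    # assumed average utilization without flow accounting
SECONDS_PER_DAY = 86_400
ONLINE_DAYS = 90           # best practice from the text
GIB = 2 ** 30


@dataclass
class LogSourceSample:
    """Daily event counts observed over the 7-day window for one data source."""
    name: str
    daily_events: List[int]
    avg_event_bytes: int   # assumed normalized event size on disk (constructed)


def average_eps(sample: LogSourceSample) -> float:
    """Average events per second over the sample window."""
    if len(sample.daily_events) != SAMPLE_DAYS:
        raise ValueError(f"{sample.name}: expected {SAMPLE_DAYS} daily counts")
    return sum(sample.daily_events) / SAMPLE_DAYS / SECONDS_PER_DAY


def required_eps(samples: List[LogSourceSample]) -> float:
    """Processing capacity to require: the observed average is only 80% of it."""
    return sum(average_eps(s) for s in samples) / HEADROOM


def observed_log_bytes_per_day(samples: List[LogSourceSample]) -> float:
    """Average daily log volume on disk across all sources (before headroom)."""
    return sum(sum(s.daily_events) / SAMPLE_DAYS * s.avg_event_bytes for s in samples)


def flow_bytes_per_day_from_bandwidth(link_mbps: float) -> float:
    """Fallback estimate when no NetFlow/sFlow/Jflow accounting data is available:
    assume 70% of the link bandwidth is utilized around the clock."""
    bits_per_day = link_mbps * 1_000_000 * LINK_UTILIZATION * SECONDS_PER_DAY
    return bits_per_day / 8


def storage_plan(observed_bytes_per_day: float, retention_days: int,
                 online_days: int = ONLINE_DAYS) -> Dict[str, float]:
    """Split required storage into online (hot) and offline (tape/ROM) tiers
    after applying the 80% headroom rule to the observed daily volume."""
    if online_days > retention_days:
        raise ValueError("online retention cannot exceed total retention")
    required_daily = observed_bytes_per_day / HEADROOM
    return {
        "required_daily_gib": required_daily / GIB,
        "online_gib": required_daily * online_days / GIB,
        "offline_gib": required_daily * (retention_days - online_days) / GIB,
    }


# Constructed sample: two data sources that together average 100 EPS.
SAMPLE_SOURCES = [
    LogSourceSample("aix-audit", [6_912_000] * SAMPLE_DAYS, 300),   # 80 EPS
    LogSourceSample("firewall", [1_728_000] * SAMPLE_DAYS, 200),    # 20 EPS
]

if __name__ == "__main__":
    print(f"required EPS: {required_eps(SAMPLE_SOURCES):.0f}")   # 125
    daily = observed_log_bytes_per_day(SAMPLE_SOURCES)
    print(storage_plan(daily, retention_days=730))
    print(f"1 Gbit/s link, 70% utilized: "
          f"{flow_bytes_per_day_from_bandwidth(1000) / GIB:.0f} GiB per day")
```

Run it as a script to see the 125 EPS figure from the text reproduced from the two constructed sources, together with the online/offline split for a 2-year retention; change the sample lists to the counts you actually measured over your own 7-day window.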

© Copyright IBM Corp. 2015 3-39



Reports
• IT security frameworks, like ISO 27001, specify that an analysis of logs must occur daily and that
monitoring must occur frequently
• The IT security policy controls must be evaluated and an analysis must be made if the reports can
support the implementation of the controls
• The resulting list of reports has to be mapped to the IT systems in scope
• Determine how much logdata per report must be processed to produce the report
• Determine the maximum number of investigations running at the same time

The resulting numbers have an impact on the performance of the Security Intelligence solution and they
will be used to determine the necessary computing performance of the system
In addition, the required reports dictate the audit configurations and, thus, the daily amount of logging
data


Reports

Log and flow data are largely needed for the reports. It is therefore important to know which
reports and use cases are required. In our example we are using the ISO/IEC 27001/2 2013
framework in combination with the Common Criteria certification requirements regarding auditing
to determine how frequently the reports must be generated and which reports must be generated,
and finally what information must be presented in the reports to support the execution of the
security controls. In other words, you have to determine the reports and their contents for each use
case.

Once this is determined, you can specify how much data on average will be processed by
each report. This number is a reference for the Security Intelligence system to produce the report
within the required performance metrics. Another important parameter for these performance
metrics is the number of concurrent queries that will run on the system. Even if all the SOC
members investigate incidents at the same time, the system must perform within the required
metrics.

Therefore, when documenting the functional requirements for reporting, also consider documenting
the expected amount of data for each report. But most important is of course to determine the
required reports and how the data sources must be configured to provide the necessary information
in the reports. In the following pages we assume that the organization has no use cases or report
requirements, so we use the Common Criteria to define report requirements.

© Copyright IBM Corp. 2015 3-40



Logging example: Using Common Criteria guidelines for AIX 5L logging


• After obtaining the Security Target document
for the platform, find the chapter describing the
FAU (Audit) class
• Find the information regarding the mapping of
platform audit control settings to Common
Criteria audit requirements

Note: To find this and other Security Target documents visit the Common Criteria Portal


Logging example: Using Common Criteria guidelines for AIX 5L logging

In this example we assume that the organization deploys AIX 5L systems that are considered
critical and must be integrated in the Security Intelligence system, but the organization has no idea
what and how to monitor on these systems. Therefore we turn to the Common Criteria standard to
learn about the AIX 5L system and find guidelines on what might be of interest to monitor on these
systems. To start, we turn again to the Security Functional Requirements document
CCPART2V3.1R3, as we discussed on page 22. As said, this document contains audit
recommendations for the different controls required by Common Criteria. For this example, locate
the audit recommendations for the FDP_ACF.1 class as shown below:

© Copyright IBM Corp. 2015 3-41


SFP stands for Security Function Policy. So this control requires that, if the system is meant to meet
the audit control requirements as defined by Common Criteria, requests to make changes to the
security configuration of the system must be auditable. Systems that are Common Criteria EAL-4
certified all meet the FAU_GEN class requirements. So the challenge is to find out how such a
system should be configured to meet the requirements, or in other words, how the audit subsystem
works and how it must be configured. Most Security Target documents only state that the system
meets the FAU_GEN class requirements, but do not explain how it meets the requirement. The
information we are looking for is often made available in the product documentation, sometimes
very accessibly, as for IBM AIX, Oracle database, DB2 database, and Red Hat systems, and
sometimes harder to find. But a good start is to search the Internet for the keywords
“<system name>”, ”security”, ”guide”, ”audit”. For example, a search for “windows 2012
security guide audit” will finally present the page
https://technet.microsoft.com/library/dn319078.aspx

In the example on the slide we searched for IBM AIX 5L, which leads us to the IBM Redbooks. The
system security guides explain how to use and configure system auditing, and the Common Criteria
informs what to audit. You have to combine these two sources of information to produce your macro
and micro design building blocks for event collection and logging.

© Copyright IBM Corp. 2015 3-42



Logging example: Mapping the controls


• The IT security policy regarding logging as defined by the organization must be mapped to the
platform specific audit configuration
• For example:
• Assume the organization requires that all IT system clocks are synchronized and any manual adjustments
violate this policy (Control A12.4.4 from ISO/IEC 27002)
• This control is also required according to Common Criteria FPT_STM.1
• Therefore, look at how the specific IT system platform satisfies this requirement and determine if system time
management can be logged by the platform


Logging example: Mapping the controls

From the IBM Redbook you can learn that to audit IBM AIX properly, you must configure the
auditbin daemon, and not just rely on AIX syslog messages or the accounting system. (This is also
emphasized in the Common Criteria Security Target document, as shown on the next pages.) Luckily
the Common Criteria Security Target document for AIX 5L contains a table that maps Common
Criteria FAU_GEN class requirements to event names that are used to configure the AIX auditbin
daemon. In the slide above the table informs us that any modification made to the system time can
be audited by configuring the PROC_Adjtime event name. It is not always as simple as shown in
this example. In most cases you will have to figure out yourself what system audit configuration is
required to audit changes to system time: first by determining how the audit subsystem reports on
system time modifications, that is, which event IDs, names or types represent the actions, and then
by determining how the audit subsystem must be configured to audit such actions.

Note: Use https://technet.microsoft.com/en-us/library/dn319078.aspx to learn about Windows
2012 auditing.
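The control-to-platform mapping described on this and the previous page, carried through as an added Python example (not course material). The one real row, ISO/IEC 27002 A.12.4.4 / Common Criteria FPT_STM.1 mapped to the AIX event PROC_Adjtime, comes from the text; the second row is a constructed placeholder whose platform events are still unknown, to show how unmapped controls surface as gaps. The classes/users stanza layout the example emits is the /etc/security/audit/config format as this example assumes it, to be checked against the platform audit guide before use.

```python
"""Map logging policy controls to platform audit events and emit the audit class configuration.

Added example, not part of the course material. The A.12.4.4 / FPT_STM.1 -> PROC_Adjtime
row is taken from the text; the second row is a constructed placeholder with no platform
events yet. The classes/users stanza layout follows /etc/security/audit/config as this
example assumes it; verify it against the platform's own audit guide.
"""
from dataclasses import dataclass
from typing import Dict, List, Set


@dataclass
class ControlMapping:
    control: str                  # organization's policy control (ISO/IEC 27002 clause)
    cc_requirement: str           # matching Common Criteria SFR component
    description: str
    platform_events: List[str]    # audit event names on the target platform; empty = gap


# Constructed mapping table for the AIX 5L example.
AIX_MAPPINGS = [
    ControlMapping("A.12.4.4", "FPT_STM.1", "clock synchronization: manual time changes",
                   ["PROC_Adjtime"]),
    ControlMapping("A.9.4.2", "FIA_UAU.1", "secure log-on procedures",
                   []),   # placeholder: event names still to be taken from the audit guide
]

# Event names confirmed by the platform's Security Target / audit guide. Only the one
# named in the text is listed; extend this set from the real documentation.
KNOWN_PLATFORM_EVENTS: Set[str] = {"PROC_Adjtime"}


def class_name(control: str) -> str:
    """Audit class name derived from the control id, e.g. A.12.4.4 -> ctl_a_12_4_4."""
    return "ctl_" + control.lower().replace(".", "_")


def audit_classes(mappings: List[ControlMapping]) -> Dict[str, List[str]]:
    """One audit class per control that has at least one platform event."""
    return {class_name(m.control): list(m.platform_events)
            for m in mappings if m.platform_events}


def coverage_gaps(mappings: List[ControlMapping]) -> List[str]:
    """Controls the policy requires but no platform event is mapped to yet."""
    return [m.control for m in mappings if not m.platform_events]


def unknown_events(mappings: List[ControlMapping], known: Set[str]) -> List[str]:
    """Mapped event names not confirmed by the platform documentation (typo, wrong platform)."""
    return sorted({e for m in mappings for e in m.platform_events if e not in known})


def render_config(classes: Dict[str, List[str]], users: Dict[str, List[str]]) -> str:
    """Emit the classes and users stanzas; start/bin stanzas are left to the administrator."""
    lines = ["classes:"]
    lines += [f"        {name} = {','.join(events)}" for name, events in classes.items()]
    lines += ["", "users:"]
    lines += [f"        {user} = {','.join(cls)}" for user, cls in users.items()]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    classes = audit_classes(AIX_MAPPINGS)
    print(render_config(classes, {"root": list(classes)}))
    print("controls without platform events:", coverage_gaps(AIX_MAPPINGS))
    print("unconfirmed event names:", unknown_events(AIX_MAPPINGS, KNOWN_PLATFORM_EVENTS))
```

The gap list is the work item for the micro design: every control it names still needs the audit subsystem research described above before the event collection building block can be considered complete.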

© Copyright IBM Corp. 2015 3-43



Logging example: Gather platform audit subsystem configuration details


The Common Criteria Security Target document normally provides high level explanations of the
structure of a particular platform’s audit subsystem


Logging example: Gather platform audit subsystem configuration details

You will not always find details about system audit configuration in the Common Criteria Security
Target document. But if you do, use it as a reference for further investigation. Remember that the
Security Target document has been produced with the help of the system developer and therefore it
should contain reliable information.

© Copyright IBM Corp. 2015 3-44



Logging example: Platform specific audit guides


• Obtain platform security documentation to detail the necessary
audit configuration for the platform
• This configuration is required to generate the reports, policy
rules, and estimate the daily logging size
• In the case of AIX 5, search for “AIX 5 audit guide”, and locate
the AIX auditing overview documentation
• In case of AIX 5, there is also an excellent IBM Redbooks
publication Accounting and Auditing on AIX 5L


Logging example: Platform specific audit guides

When you use the system security guides on auditing, make sure that they have been produced
and are supervised by the system developer. There are many firms and individuals that share their
own findings on system audit configurations. Some, like the National Institute of Standards and
Technology (NIST) and the Bundesamt für Sicherheit in der Informationstechnik (BSI), are highly
regarded institutes where you will find excellent reference material.

Note: For more information refer to:
https://www.bsi.bund.de/DE/Themen/ITGrundschutz/ITGrundschutzKataloge/Inhalt/_content/m/m04/m04344.html
and http://csrc.nist.gov/publications/nistpubs/800-86/SP800-86.pdf

© Copyright IBM Corp. 2015 3-45



Network information flow collection


• Use the network information flow policy, report requirements, and use cases to document the flow
types that must be collected
• Network Accounting flows such as Netflow, sFlow, Jflow, IPFIX
• Flows including selective layer 7 data
• Full packet capture to support network forensics
• If Internet traffic must be captured, determine if inbound and outbound traffic uses the same Internet
gateway; if this is the case, the Security Intelligence solution must be able to recombine inbound and
outbound flows to a single session (it is important to add this fact to the non-functional requirements)
• Notice that accounting flows may only show inbound flows and that additional configuration of the flow
source may be required
• Monitor the amount of data passing the network at the collection points based on the network
information flow policy for 7 days or make an educated estimate by looking at the network bandwidth
at the collection points; these results add to the storage requirements
• Be aware that the collection points must use a network TAP if network forensics is part of the
functional requirements, because packets obtained through SPAN ports may have been
pre-processed (they have gone through a duplication process) and may therefore not be
admissible in a court of law as evidence


Network information flow collection

When designing the collection of network flows and network packets for network forensics, first
determine the level of information required by the use cases and reports. Does the organization
require insight into the actual data that has been communicated? If not, then it might be sufficient to
just collect network accounting flows, if available. If Internet traffic must be monitored, make sure
that the Security Intelligence system is capable of combining outbound and inbound traffic into
communication sessions. Otherwise it will be very hard to analyze the flow information.

A major concern when collecting network information flows is the amount of data that is collected
and must be archived. As with system data sources, apply a 7-day network information flow
collection window to assess the average daily amount of network information flow that the Security
Intelligence system must be able to process.

Regarding SPAN versus TAP port usage for network forensic evidence, consider the following:

SPAN
• The device that supports the SPAN may drop packets if the replication requires too many
resources.
• Frame interaction timing is affected by spanning.
• Corrupt packets and below-minimum-size packets are dropped by the SPAN port.

TAP
• TAPs duplicate all packets, including corrupted or below-minimum-size packets.
• TAPs must be positioned on the ingress side of the device to duplicate all traffic.

© Copyright IBM Corp. 2015 3-46


It should be clear that when network information flows are needed for legal evidence, this can
only be achieved by using TAPs. Any possible modification to or incompleteness of the network
information flows is not acceptable.

Note: Check the NIST publication referenced on page 45 to learn more about network forensics
and network sniffing techniques.
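The session recombination requirement from the slide and notes above, as an added Python example (not course material): unidirectional flow records, such as those exported by NetFlow or sFlow at a single Internet gateway, are paired into bidirectional sessions, and sessions seen in only one direction are flagged, which is the case the slide warns about when accounting flows only show inbound flows. The flow records, addresses and timestamps are constructed.

```python
"""Recombine unidirectional flow records into bidirectional sessions.

Added example, not part of the course material. It shows the non-functional
requirement that a Security Intelligence system must pair the inbound and outbound
flows seen at one Internet gateway into a single session, and it flags sessions for
which only one direction was exported. The records below are constructed
NetFlow-style tuples.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Flow:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    packets: int
    octets: int
    start: int        # flow start time in seconds (constructed)


@dataclass
class Session:
    client: str
    cport: int
    server: str
    sport: int
    proto: str
    first_seen: int
    packets_out: int = 0   # client -> server
    octets_out: int = 0
    packets_in: int = 0    # server -> client
    octets_in: int = 0

    @property
    def complete(self) -> bool:
        """Both directions were observed."""
        return self.packets_out > 0 and self.packets_in > 0


SessionKey = Tuple[str, str, int, str, int]


def session_key(f: Flow) -> SessionKey:
    """Direction-independent key: identical for A->B and the reply B->A."""
    a, b = (f.src, f.sport), (f.dst, f.dport)
    lo, hi = (a, b) if a <= b else (b, a)
    return (f.proto, lo[0], lo[1], hi[0], hi[1])


def recombine(flows: List[Flow]) -> Dict[SessionKey, Session]:
    """Merge flow records into sessions. The earliest record of a key is taken as
    the initiating (client) side; later records are attributed by matching endpoint."""
    sessions: Dict[SessionKey, Session] = {}
    for f in sorted(flows, key=lambda x: x.start):
        key = session_key(f)
        s = sessions.get(key)
        if s is None:
            s = Session(f.src, f.sport, f.dst, f.dport, f.proto, f.start)
            sessions[key] = s
        if (f.src, f.sport) == (s.client, s.cport):
            s.packets_out += f.packets
            s.octets_out += f.octets
        else:
            s.packets_in += f.packets
            s.octets_in += f.octets
    return sessions


def one_sided(sessions: Dict[SessionKey, Session]) -> List[Session]:
    """Sessions with a single direction: the exporter reports only one direction,
    or the reply left through another gateway (asymmetric routing)."""
    return [s for s in sessions.values() if not s.complete]


# Constructed sample: one HTTPS session seen in both directions (two outbound
# records because the exporter cut the flow), and one inbound SSH flow without reply.
SAMPLE_FLOWS = [
    Flow("10.0.0.5", 51000, "203.0.113.10", 443, "tcp", 10, 1200, 100),
    Flow("203.0.113.10", 443, "10.0.0.5", 51000, "tcp", 8, 5400, 101),
    Flow("10.0.0.5", 51000, "203.0.113.10", 443, "tcp", 4, 300, 130),
    Flow("198.51.100.7", 40000, "10.0.0.9", 22, "tcp", 3, 180, 50),
]

if __name__ == "__main__":
    for s in recombine(SAMPLE_FLOWS).values():
        state = "complete" if s.complete else "ONE-SIDED"
        print(f"{s.client}:{s.cport} -> {s.server}:{s.sport}/{s.proto} "
              f"out={s.octets_out}B in={s.octets_in}B {state}")
```

A high share of one-sided sessions in the 7-day sample is the signal that either the flow source needs additional configuration or the inbound and outbound paths use different gateways; both belong in the non-functional requirements before the collection points are fixed.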

© Copyright IBM Corp. 2015 3-47



Vulnerability Information
• To produce a proper risk and threat assessment, the Security Intelligence solution requires access to
vulnerability information for all assets within the scope of the solution
• Document the available vulnerability information sources, such as VA scanners and web application
security testing tools
• Ideally the Security Intelligence solution uses the vulnerability information in combination with the
possible network exposure of the asset to known threats; this item may need to be included in the
non-functional requirements
Note: This requires integration with network device management tools to include firewall and router
configuration information in the risk and threat assessment by the Security Intelligence solution
• If asset management information from a Configuration Management Database (CMDB) can be
combined with vulnerability information managed by the Security Intelligence solution, the threat and
risk assessment might be more complete and more valuable; integration with a CMDB is not
necessary, but it is encouraged


Vulnerability Information

When defining the architectural requirements regarding the usage of vulnerability data, consider
requiring that the vulnerability data is used in context. This means that the Security Intelligence
system must use the vulnerability data in combination with network device configuration and
network topology information: the latter to determine the logical location of the systems for which
vulnerability data is made available, and the network device configuration to determine what type
of network flows can reach the systems. For example, a system with a Shellshock vulnerability may
not be reachable from the Internet when ssh and telnet connections are not allowed by the firewalls
protecting the network segment of the system. This means that although the system has a critical
vulnerability, the risk of this vulnerability being exploited on this system is relatively low. A Security
Intelligence system that can combine vulnerability data in such a manner will be much more
effective in helping the SOC to identify the actual risk of an incident.

Besides network device configuration and network topology, any asset information is also very
useful. If the Security Intelligence system knew what software, ports and patch level are present on
the system, then it could combine this information with the vulnerability data as well and provide
better information to the SOC to assess the actual risk of an incident.
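The contextual risk idea above, carried through as an added Python example (not course material): a scanner finding is combined with the asset's network segment and the firewall rules protecting that segment, so that the Shellshock case from the text, a critical finding on an ssh service no rule exposes, ranks below the same finding on an Internet-reachable host. The assets, rules, severities and exposure factors are constructed, and rule evaluation assumes first-match with default deny.

```python
"""Rank vulnerability findings by network exposure, not by scanner severity alone.

Added example, not part of the course material. Assets, rules, severities and the
exposure factors are constructed; rule evaluation assumes first-match, default deny.
"""
from dataclasses import dataclass
from typing import List, Tuple

ANY_PORT = 0


@dataclass(frozen=True)
class Vulnerability:
    name: str
    proto: str
    port: int            # port of the affected service
    severity: float      # scanner severity on a 0-10 scale (constructed)


@dataclass(frozen=True)
class FirewallRule:
    src_zone: str        # "internet", "intranet", ...
    dst_segment: str
    proto: str
    dport: int           # ANY_PORT matches every port
    action: str          # "allow" or "deny"


@dataclass
class Asset:
    name: str
    segment: str         # network segment from topology / CMDB
    vulns: List[Vulnerability]


# Exposure factors assumed by this example, from most to least exposed.
EXPOSURE_FACTOR = {"internet": 1.0, "intranet": 0.6, "unreachable": 0.3}
ZONES_BY_EXPOSURE = ("internet", "intranet")


def service_reachable(asset: Asset, vuln: Vulnerability,
                      rules: List[FirewallRule], src_zone: str) -> bool:
    """Can traffic from src_zone reach the vulnerable service? The first matching
    rule decides; no matching rule means deny (assumed policy)."""
    for r in rules:
        if (r.src_zone == src_zone and r.dst_segment == asset.segment
                and r.proto == vuln.proto and r.dport in (ANY_PORT, vuln.port)):
            return r.action == "allow"
    return False


def contextual_risk(asset: Asset, vuln: Vulnerability,
                    rules: List[FirewallRule]) -> Tuple[float, str]:
    """Severity scaled by the most exposed zone that can reach the service."""
    for zone in ZONES_BY_EXPOSURE:
        if service_reachable(asset, vuln, rules, zone):
            return round(vuln.severity * EXPOSURE_FACTOR[zone], 2), zone
    return round(vuln.severity * EXPOSURE_FACTOR["unreachable"], 2), "unreachable"


def rank_findings(assets: List[Asset],
                  rules: List[FirewallRule]) -> List[Tuple[float, str, str, str]]:
    """(score, asset, vulnerability, exposure) tuples, highest contextual risk first."""
    findings = []
    for a in assets:
        for v in a.vulns:
            score, exposure = contextual_risk(a, v, rules)
            findings.append((score, a.name, v.name, exposure))
    return sorted(findings, reverse=True)


# Constructed sample: the same critical finding on an ssh service, on three hosts
# whose segments are protected differently.
SHELLSHOCK_SSH = Vulnerability("shellshock (ssh service)", "tcp", 22, 10.0)

RULES = [
    FirewallRule("internet", "dmz", "tcp", 443, "allow"),
    FirewallRule("internet", "dmz", "tcp", ANY_PORT, "deny"),
    FirewallRule("intranet", "dmz", "tcp", 22, "allow"),
    FirewallRule("internet", "legacy", "tcp", 22, "allow"),
]

SAMPLE_ASSETS = [
    Asset("web01", "dmz", [SHELLSHOCK_SSH]),      # ssh reachable from the intranet only
    Asset("gw02", "legacy", [SHELLSHOCK_SSH]),    # ssh open to the Internet
    Asset("db03", "core", [SHELLSHOCK_SSH]),      # no rule allows anything in
]

if __name__ == "__main__":
    for score, asset, vuln, exposure in rank_findings(SAMPLE_ASSETS, RULES):
        print(f"{score:5.1f}  {asset:6}  {exposure:12}  {vuln}")
```

The same structure extends to the asset information mentioned in the last paragraph: a patch level or an installed-software list from the CMDB can be checked before the scanner severity is even considered, removing findings that do not apply to the host at all.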

© Copyright IBM Corp. 2015 3-48



Other integrations
• The use cases imply the required integration between the Security Intelligence solution and ticket
management systems; describe the prerequisites for the Security Intelligence solution necessary to
interact with the ticketing system; this interaction can go both ways
• Forwarding incidents from the Security Intelligence solution to the ticketing system
• Updating security incident findings in the Security Intelligence solution after incident response processing
• The functional requirements might contain use cases that require that access to the Security
Intelligence solution is granted through a user directory; in this case, document the following details
• Connection details and requirements for the user directory
• Account and password policies or general authentication mechanism requirements
• Another non-functional requirement regarding the integration with user directories is the use of user
account and group information to improve the Security Intelligence reports and security policy rules
• Document the user directory structures that have to be queried and the required connection method, such as
LDAP and AD


Other integrations

Organizations with a SOC and an IRT team will probably also use ticketing systems, change
management systems and human resources systems, integrated with their user directories. To
optimize the workflow between the SOC, IRT and HR departments, the Security Intelligence
system could be integrated with all these systems. Therefore find out how incidents identified by the
SOC can be integrated with the ticketing system, how this should be done, and what information
must be made available from the Security Intelligence system.

A Human Resources life cycle management system can be very useful for the Security Intelligence
system. Imagine that a new employee is assigned a computer account and the HR system
informs the user directory to create an account and assign the necessary privileges and authorities.
Assuming that the user directory supports an LDAP structure, this information can be used by the
Security Intelligence system to automatically modify the (correlation) filter rules to monitor the new
user account’s actions according to the official account configuration. Also, if an employee is about
to leave the organization, his account might be labeled by the HR system as critical. This information
could again be used by the Security Intelligence system to monitor accounts of employees that
require elevated monitoring. Take all this into account while defining the integration requirements for
the Security Intelligence system.

© Copyright IBM Corp. 2015 3-49



Security Intelligence Design (Macro & Micro) – Activity Details

Key delivery activities (Security Intelligence Design, Macro & Micro):
Data collection | Document detailed use cases and requirements | High level macro design |
Detailed and physical micro design | Review and finalize design

Tasks

Data collection
ƒ Collect, interview and/or perform workshops to elaborate on IT processes such as incident,
problem, change
ƒ Gather security intelligence system requirements
  o monitoring use cases
  o normalization
  o correlation
  o asset vulnerability information
  o asset classification profiles
  o forensic data collection
  o network device configuration
  o integration targets (ticketing, identity,..)

Document detailed use cases and requirements
ƒ Define, document, and map detailed use cases including any custom data source requirement
ƒ Define, document, and map functional requirements
  o logging
  o event collection
  o normalization
  o correlation
  o storage
  o system access
  o reporting
  o customization requirements
ƒ Define, document, and map non-functional requirements
  o monitoring, reporting, retention
  o regulatory and contractual considerations
  o high availability and disaster recovery
  o success criteria for target state

High level macro design
ƒ Develop architecture overview diagram and description
ƒ Document architectural decisions
ƒ Update component model and develop macro system design level specifications for:
  o data/event source collection protocols and methods
  o dashboard, views, and reporting
  o asset risk weighting criteria
  o alert classification criteria
  o compliance groupings for assets
  o vulnerability scanner usage, configuration, and frequency
  o vulnerability management
  o customization requirements
  o dashboard requirements
  o user accounts and roles
ƒ Develop design document at macro level

Detailed and physical micro design
ƒ Identify and document additional architecture details including physical design
ƒ Define at the micro system design level
  o data/event sources and phased integration plan
  o firewall rulesets
  o updates to use cases
  o network topology (including risk weighting) and associated objects
  o systems and process integration
  o hardware compatibility
ƒ Document interface as well as customization and configuration specifications
ƒ Update design document at micro level

Review and finalize design
ƒ Review and finalize design with Client stakeholders, SI operations team, and additional QA team
as needed
ƒ Develop system test plan
ƒ Conduct deployment planning and update project plan

Scoping inputs
ƒ Prior inputs plus
ƒ Number of use case(s) to be developed and implemented for monitoring
ƒ Number of custom log source parsers to develop
ƒ Number of VA systems to incorporate
ƒ Client and environment complexity (users, roles, network topology, and so on)

Designing a Security Intelligence solution © Copyright IBM Corporation 2015

This brings us to the end of this unit. We have discussed the first two phases of the Security
Intelligence Design step. This should give you a good introduction to the methods we use,
ISO/IEC, O-ESA, TOGAF, and Common Criteria, and how we apply them in the design step. As mentioned,
the last three steps elaborate the information gathered in the first two steps. You will have to decide
on your own what the format of the building blocks and work products, also known as artifacts, will be.
Chances are high that the format is already decided by the organization and you will have to use
the same templates for your work products and building blocks.

© Copyright IBM Corp. 2015 3-50


Course materials may not be reproduced in whole or in part without the prior written permission of IBM.
V7.0

Exercise introduction
Complete the following exercise in the Student Exercises book
• Determine Logging and Event Collection requirements for Common Criteria baseline
applied to the Windows 2008 R2 platform
Notes:
• Assume all Windows machines must be hardened according to the Common Criteria
standard; provide all information required for the following documents for "Security
Intelligence Design (Macro & Micro) – Activity Details":
• Logging
• Event Collection
• Use the following documents:
• MS Windows 2008 CC TOE document,
• Windows_Server_2008_R2_Security_Guide
• Windows 7 and Windows Server 2008 R2 Security Event Descriptions

Unit summary
• Discuss the high level steps needed to design and implement a Security Intelligence solution
• Describe the detailed activities needed to design and implement a Security Intelligence solution

Unit 4 Security Intelligence functional components


Unit objectives
• Describe the functional components of a Security Intelligence solution based on the IBM Security
QRadar SIEM solution
• Describe the benefits and value of IBM X-Force threat intelligence in a Security Intelligence solution
• Evaluate a large-scale advanced persistent attack against a US retailer and evaluate how a properly
implemented Security Intelligence solution could have been beneficial to fend off the attackers

Security Intelligence functional components © Copyright IBM Corporation 2015

In this unit we focus our attention on the IBM QRadar Security Intelligence solution and
explain its functional architecture. To study and understand how a Security Intelligence
solution works, we examine each component on its own and how data and information are exchanged in
the overall system. We also consider the importance of integrating an external, real-time threat
intelligence feed.

We conclude this course with an examination of a real-world, large-scale attack against a US-based
retail company.

Lesson 1 Building a foundation through centralized Security Intelligence management - IBM QRadar SIEM Functional architecture


Built upon a common foundation of QRadar SIOS

[Figure: Security Intelligence Solutions built on QRadar SIOS. Products: QRadar Log Manager, QRadar SIEM, QRadar QFlow and VFlow, QRadar Risk Manager, QRadar Vulnerability Manager. Security Intelligence Operating System (SIOS) layers: Reporting Engine, Workflow, Rules Engine, Real-Time Viewer; Analytics Engine; Warehouse, Archival; Normalization]

The IBM QRadar Security Intelligence solution delivers a “One Console Security” through a long
planned and carefully developed strategy to build an operating system approach to Security
Intelligence.

QRadar SIOS - the Security Intelligence Operating System - powers the QRadar family of security
intelligence products. QRadar SIOS is the foundation of the industry's first total Security Intelligence
Platform, a common framework for collecting, warehousing, filtering, analyzing and reporting on all
security intelligence telemetry.

This integrated solution is the platform for risk management, SIEM, log management, and
network and application activity monitoring, as well as new products to be delivered.

The benefits of the Security Intelligence Operating System include the following capabilities:
• Convergence – by consolidation of previously siloed monitoring and analysis capabilities
• Simplicity - by delivering multiple functions within a common user experience
• Scalability – by providing expansion capabilities for the largest infrastructures

Command console for Security Intelligence


• Provides full visibility and actionable insight to protect against advanced threats
• Adds network flow capture and analysis for deep application insight
• Employs sophisticated correlation of events, flows, assets, topologies, vulnerabilities, and external data to identify
and prioritize threats
• Contains workflow management to fully track threats and ensure resolution
• Uses scalable hardware, software, and virtual appliance architecture to support the largest deployments

273 correlation rules
1,659 report templates

No matter how many QRadar applications are leveraged, or how many appliances constitute a
deployment, all capabilities are leveraged through a single, Web-based console – with all the
associated benefits that a common interface delivers in terms of speed of operation, transference of
skills, ease of adoption, and a universal learning curve.

An integrated, unified architecture in a single console

This example showcases the integration of the QRadar console with QRadar Vulnerability
Manager.

Designed to integrate Log Management, SIEM, Vulnerability and Risk Management, and Incident
Forensics into one solution, the QRadar Security Intelligence solution can deliver log
management at large scale without any compromise on SIEM “intelligence.”

QRadar analysts can switch from log events, to network flows, to risk and compliance policy reports
and prioritized lists of network-wide vulnerabilities, and to complete analysis of incidents after an
offense has occurred. This allows an organization to reduce the time before an initial breach is
detected and to avoid the actual exploit.

Answering questions to help prevent and remediate attacks

IBM Security QRadar SIEM can analyze tremendous amounts of data (logs, network flows) and
uses context to transform it into useful, actionable information as is depicted in this slide.

Here is what security analysts can see when they begin to investigate an offense record triggered
by a correlation rule. The analysts can quickly investigate the who, what and where behind an
offense and quickly determine if it is a legitimate threat or a false positive.

IBM Security QRadar SIEM provides strong event-management and analysis capabilities and is
very effective in detecting threats because it can leverage a broad range of data, analyze it, and
apply context from an extensive range of sources. This helps to reduce false positives, report on
actual exploits, and show what kind of activity is taking place. The result is faster threat detection
and response.

QRadar continuously monitors data sources across the IT infrastructure, leveraging the full context
in which systems are operating. That context includes security and network device logs,
vulnerabilities, configuration data, network traffic telemetry, application events and activities, user
identities, assets, geo-location, and application content.

This activity generates a staggering amount of data, which makes the automation in QRadar very
important because it can correlate this large amount of data down to a small number of actionable
offenses.

QRadar SIEM leverages this data to establish very specific context around each potential area of
concern, and uses sophisticated analytics to accurately detect more and different types of threats.
For example, a potential exploit of a web server reported by an intrusion detection system can be
validated by unusual outbound network activity detected by QRadar.

QRadar uses intelligence, automation, and analytics to provide actionable security information
including the number of targets involved in a threat, who was responsible, what kind of attack
occurred, whether it was successful, vulnerabilities, evidence for forensics, and so on.

Network flow analytics


• Provides insight into raw network traffic
  o Attackers can interfere with logging to erase their tracks, but they cannot cut off the network (flow data)
• Allows deep packet inspection for layer 7 flow data
  o Pivoting, drill-down, and data mining activities on flow sources allow for advanced detection and forensics
• Helps to detect anomalies that might otherwise be missed
• Helps to detect zero-day attacks that have no signature
• Provides visibility into all attacker communications
• Uses passive monitoring to build asset profiles and classify hosts
• Improves network visibility and helps resolve traffic problems

While log events are critical, they can leave gaps in visibility. When attackers compromise an IT
system, they first turn off logging to obfuscate their tracks. Traditional SIEMs are blind at this point.
However, no attacker can disable the network without cutting themselves off as well.

In addition to providing full network traffic visibility, network activity passively builds up an asset
database and profiles your assets. For example, an IT system that has responded to a connection
on port 53 UDP is obviously a DNS server. Another IT system that has accepted connections on
ports 139 or 445 TCP is a Windows server.

Adding application detection can confirm this not only at the port level, but at the application data
level as well.

Scalable appliance/software/virtual architecture

Log Management
• Turn-key log management and reporting
• Upgradeable to enterprise SIEM

SIEM
• Log, flow, vulnerability, and identity correlation
• Sophisticated asset profiling
• Offense management and workflow

Network and Application Visibility
• Layer 7 application monitoring
• Content capture for deep insight and forensics
• Physical and virtual environments

Risk & Vulnerability Management
• Network security configuration monitoring
• Vulnerability scanning and prioritization
• Predictive threat modeling and simulation

Scalability
• Event Processors for remote sites
• High Availability and Disaster Recovery (HADR)
• Data Node to increase storage and performance

Network Forensics / Incident Forensics
• Reconstructs network sessions
• Data pivoting and visualization tools
• Accelerated clarity around who, what, and when

The IBM QRadar Security Intelligence solutions can be delivered in the following form factors:
• Hardware appliance
• Software that an organization installs on its own, self-provided appliances
• Virtual appliance that is deployed as a virtual machine (for example, on a VMware ESX server)

QRadar SIEM logical components and data flow

[Figure: data flow. Network packets and network flows enter the Flow Collector and are passed to the Flow Processor; logs enter the Event Collector and are passed to the Event Processor; both processors report to the Console]

Console
• Central User Console
• Magistrate (manages offense creation and magnitude)
• Global correlation across flow and event processors
• Offense management
• Asset and identity management

Event Processor
• Rule Processor
• Storage for events, accumulated metadata
• Storage for flows, accumulated metadata

Event Collector
• Log event collection, coalescing, and normalization

Flow Collector
• Third-party flow collection such as NetFlow, sFlow, J-Flow, deduplication, and recombination
• QFlow and Superflow creation, and application detection


QRadar SIEM appliance types


• Console only
Must be combined with event or flow processors, and (optional) flow collectors
• Server
For medium and enterprise environments; combines a flow processor and event processor in one
• Event Processor
Processes and stores event logs
• Flow Processor
Processes third-party network flows, QFlow, and stores flows
• Flow Collector
Receives third-party network flows and packets; normalizes and forwards them as QFlows
• Event Collector
Receives log records, normalizes and forwards them to an event processor; provides temporary storage of
normalized log events and payload

Deployment models

[Figure: All-in-One appliance (2100/31XX) on the left; a Distributed deployment on the right with Console (31XX), Flow Processor (17XX), Event Processor (16XX), and QFlow Collector (12XX/13XX)]

All-in-One is a single appliance used to collect events and flow data from various security and network
devices, perform data correlation and rule matching, report on alerts and threats, and provide all
administrative functions through a Web browser.

A Distributed deployment consists of multiple appliances for different purposes:
• Event Processor to collect, process, and store log events
• Flow Processor to collect, process, and store several kinds of flow data generated from network
  devices; optional QFlow Collector is used to collect Layer 7 application data
• Console to correlate data from managed processors, generate alerts and reports, and provide all
  administrative functions

Based on the different form factors introduced on the previous slide, different appliance models are
available to address different deployment models. The selection depends on the volume of
collected and processed events, data storage estimates, high availability and disaster recovery
requirements, organizational network topology, and other factors.

This course material does not cover the exact configurations and models that are currently
available.

Lesson 2 Building a foundation through centralized Security Intelligence management - IBM QRadar SIEM Component architecture


Architecture overview
• High-level architecture
• Flow Collector (FC)
• Event Collector (EC)
• Event Processor (EP)
• Console

High-level architecture
• Flow and event data is stored in the Ariel database on the Event Processors
  o If accumulation is required, accumulated data is stored in the Ariel accumulation database
  o As soon as data is stored, it cannot be changed (tamper proof)
• Offenses, assets, and identity information are stored in the master PostgreSQL database on the Console
  o Scalability and performance are managed through bulk insert and update transactions and by
    populating memory caches to avoid numerous round trips to the database
  o Provides one master database with copies on each processor for backup and automatic restore
• Secure SSH communication between appliances in a distributed environment is supported

[Figure: Console (Console Services, User interface, Magistrate, Reporting; holds Identity, Asset, and Offense data) above the Event Processor (Flows, Events, Accumulations), which is fed by the Flow Collector (Network Packet Interface, sFlow, and 3rd party) and the Event Collector (Events from log sources)]

Flow Collector architecture
• A flow is a record of a conversation between two devices
• Flow data packets are collected from a variety of network device vendors and directly from the network interface
• Collected flow data can update asset profiles with the ports and services that are running on each host
• If the flow license limit is exceeded, an overflow record is created with SRC/DST address 127.0.0.4/5
• (Custom) applications are detected
• Superflows are created
• QFlow provides layer 7 insights into the payload if it is unencrypted

[Figure: Flow Collector pipeline, bottom to top: raw data packets received (NetFlow, sFlow, NIC, and so on); QFlow; flow data packets; Aggregator (enforce license limit); Application Detection Module (appId = eventId); Flow reporting and routing (create superflows); to flow collector every 60 seconds]

A network flow record provides information about a conversation between two devices using a
specific protocol and can include many fields that describe the conversation. Examples include the
source IP, the destination IP, the port, and other fields.

Up to a configurable number of bytes, QFlow provides layer 7 insights into the payload if it is
unencrypted. Using a tap or span port, QFlow collects raw packets and places them into 60-second
chunks. QFlow can also receive layer 4 flows from other network devices in IPFIX/NetFlow, sFlow,
J-Flow, Packeteer, and Flowlog file accounting technologies.
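To make the Flow Collector behaviour described above concrete, here is an added Python model, written for these notes and not QRadar code, of three things the slide lists: bucketing flows into 60-second chunks, passively updating asset profiles from hosts that answered on a port, and folding flows beyond the FPM license into a single overflow record with source/destination 127.0.0.4/127.0.0.5. It also serves the passive asset profiling described under Network flow analytics (a host answering on 53/UDP is profiled as DNS, one answering on 139 or 445/TCP as a Windows file server). The port-to-service table, the sample flows, and the rule that an unanswered probe says nothing about the destination are assumptions for this example.

```python
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed lookup of well-known server ports; a real collector uses a far larger table
SERVICE_BY_PORT = {(53, "udp"): "dns", (139, "tcp"): "netbios-ssn", (445, "tcp"): "smb",
                   (80, "tcp"): "http", (443, "tcp"): "https"}

# Overflow record addresses as stated on the slide
OVERFLOW_SRC, OVERFLOW_DST = "127.0.0.4", "127.0.0.5"


@dataclass
class Flow:
    first_seen: int   # epoch seconds of the first packet of the conversation
    src: str
    src_port: int
    dst: str
    dst_port: int
    proto: str        # "tcp" or "udp"
    bytes_out: int    # bytes sent src -> dst
    bytes_in: int     # bytes sent dst -> src; non-zero means the destination answered


@dataclass
class AssetProfile:
    ip: str
    services: dict = field(default_factory=dict)   # (port, proto) -> service name


def bucket_flows(flows, interval=60):
    """Group flows into fixed chunks keyed by chunk start time (60 s, as on the slide)."""
    buckets = defaultdict(list)
    for f in flows:
        buckets[f.first_seen - f.first_seen % interval].append(f)
    return dict(buckets)


def update_asset(assets, flow):
    """Passive profiling: a host that answered on a port is recorded as offering that service."""
    if flow.bytes_in <= 0:
        return                       # unanswered probe: tells us nothing about the destination
    profile = assets.setdefault(flow.dst, AssetProfile(flow.dst))
    key = (flow.dst_port, flow.proto)
    profile.services[key] = SERVICE_BY_PORT.get(key, f"unknown/{flow.proto}/{flow.dst_port}")


def process_chunk(chunk, assets, fpm_limit):
    """Profile assets from flows within the license; excess flows collapse into one overflow record."""
    kept, overflow = [], None
    for f in chunk:
        if len(kept) < fpm_limit:
            update_asset(assets, f)
            kept.append(f)
            continue
        if overflow is None:         # one overflow record per chunk, keyed by 127.0.0.4/5
            overflow = Flow(f.first_seen, OVERFLOW_SRC, 0, OVERFLOW_DST, 0, f.proto, 0, 0)
        overflow.bytes_out += f.bytes_out   # byte counts are still accounted for
        overflow.bytes_in += f.bytes_in
    return kept + ([overflow] if overflow else [])


def collect(flows, fpm_limit, interval=60):
    """Run chunking, profiling and the license check over a list of flows."""
    assets, records = {}, {}
    for start, chunk in sorted(bucket_flows(flows, interval).items()):
        records[start] = process_chunk(chunk, assets, fpm_limit)
    return assets, records


# Constructed sample flows (not captured data)
SAMPLE_FLOWS = [
    Flow(100, "10.0.0.5", 51000, "10.0.0.53", 53, "udp", 80, 200),     # answered DNS query
    Flow(110, "10.0.0.5", 51001, "10.0.0.10", 445, "tcp", 500, 1200),  # SMB session
    Flow(130, "10.0.0.7", 40000, "10.0.0.10", 139, "tcp", 100, 300),   # NetBIOS session
    Flow(170, "10.0.0.7", 40001, "10.0.0.99", 8080, "tcp", 100, 0),    # no reply: not profiled
]

if __name__ == "__main__":
    assets, records = collect(SAMPLE_FLOWS, fpm_limit=10)
    for ip, profile in assets.items():
        print(ip, sorted(profile.services.values()))
```

Running `collect(SAMPLE_FLOWS, fpm_limit=1)` instead shows the license path: the second flow of each 60-second chunk is no longer profiled and is folded into an overflow record, so an under-licensed collector silently loses asset information as well as flow detail.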

Application detection
Methods of determining the application of the flow

• User defined
  o This method is mainly used when users have a proprietary application running on their network
  o For example: All traffic going to host 10.100.100.42 on port 443 is recognized to be MySpecialApplication
• State-based decoders
  o This method is implemented in the source code and determines the application by analyzing the payload for
    multiple markers
  o For example: If we see A followed by B then application = X; if we see A followed by C, then application = Y
• Signature matching
  o Basic string matching in the payload
  o Custom signatures are allowed (see Application Configuration Guide for signature customization)
• Port-based matching (port 80 = http, and so on)
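The four detection methods above, as an added Python example that is not QRadar's detection engine: a user-defined mapping, a state-based decoder, payload signatures, and a port fallback, tried in that order so the most specific method wins. The user-defined entry is the slide's own example; the decoder, signature list, port table and sample conversations are constructed for illustration. The decoder shows why marker sequences matter: FTP and SMTP both greet a client with a 220 line, so the greeting alone is ambiguous and the client's first verb decides.

```python
import re
from dataclasses import dataclass


@dataclass
class Conversation:
    dst_ip: str
    dst_port: int
    proto: str
    segments: list    # [(direction, payload_bytes)] in wire order; direction is "c2s" or "s2c"


# 1. User-defined mappings (the slide's own example; constructed table)
USER_DEFINED = {("10.100.100.42", 443, "tcp"): "MySpecialApplication"}


# 2. State-based decoder: marker A is a "220" greeting from the server; marker B (EHLO/HELO)
#    or marker C (USER) from the client then decides between SMTP and FTP
def decoder_220_greeting(conv):
    payloads = [p for _, p in conv.segments]
    if len(payloads) < 2 or not payloads[0].startswith(b"220"):
        return None
    verb = payloads[1].split(b" ", 1)[0].strip().upper()
    if verb in (b"EHLO", b"HELO"):
        return "smtp"
    if verb == b"USER":
        return "ftp"
    return None


DECODERS = [decoder_220_greeting]

# 3. Signatures: plain pattern matching on the payload (constructed, customizable list)
SIGNATURES = [
    (re.compile(rb"^SSH-\d\.\d-"), "ssh"),
    (re.compile(rb"^(GET|POST|HEAD|PUT) \S+ HTTP/1\.[01]\r\n"), "http"),
    (re.compile(rb"^\x16\x03[\x00-\x03]"), "tls"),   # TLS record header of handshake type
]

# 4. Port fallback (constructed subset)
PORT_TABLE = {22: "ssh", 25: "smtp", 53: "dns", 80: "http", 443: "https"}


def detect_application(conv):
    """Return (application, method), trying the most specific method first."""
    key = (conv.dst_ip, conv.dst_port, conv.proto)
    if key in USER_DEFINED:
        return USER_DEFINED[key], "user-defined"
    for decoder in DECODERS:
        app = decoder(conv)
        if app:
            return app, "state-decoder"
    for pattern, app in SIGNATURES:
        if any(pattern.search(payload) for _, payload in conv.segments):
            return app, "signature"
    if conv.dst_port in PORT_TABLE:
        return PORT_TABLE[conv.dst_port], "port"
    return "unknown", "none"


if __name__ == "__main__":
    # Constructed conversation: SMTP served on a non-standard port, caught by the decoder
    smtp = Conversation("10.0.0.25", 2525, "tcp",
                        [("s2c", b"220 mail.example.test ESMTP\r\n"), ("c2s", b"EHLO client\r\n")])
    print(detect_application(smtp))
```

Note the order: port-based matching is last because it is the weakest evidence, which is also why services moved to unexpected ports (or a second protocol hiding on a well-known one) are only caught by the payload-based methods.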

Superflows
• Types of superflows
  o Type A
    Single SRC, Multiple DST – Same DST Port (TCP/UDP), byte count, SRC flags/ICMP Codes
    (for example, network sweeps)
  o Type B
    Multiple SRC, Single DST – Same DST Port (TCP/UDP), byte count, SRC flags/ICMP Codes
    (for example, DDoS attacks)
  o Type C
    Single SRC and DST, TCP/UDP Only, Changing SRC/DST ports
    (for example, port scans)
• Only store the single flow with the collection of IP addresses
• Specific rule tests can leverage the flow type to determine if an offense needs to be created
• Creation of superflows can be disabled
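An added Python example, not QRadar code, of how the flows of one collection interval can be folded into the three superflow types above while ordinary flows are stored one by one. The minimum group size of five, the record fields and the sample flows (a sweep, a flood and a port scan, all constructed) are assumptions for this example.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str
    src_port: int
    dst: str
    dst_port: int
    proto: str       # "tcp", "udp" or "icmp"
    byte_count: int
    flags: str       # TCP flags sent by the source, or ICMP type/code for icmp


@dataclass
class Superflow:
    kind: str              # "A", "B" or "C" as on the slide
    sources: frozenset
    destinations: frozenset
    ports: frozenset       # destination ports for A and B, (src_port, dst_port) pairs for C
    proto: str
    flow_count: int        # number of single flows folded into this record


MIN_MEMBERS = 5   # assumption: matching flows needed before they are folded into a superflow


def build_superflows(flows, min_members=MIN_MEMBERS):
    """Fold the flows of one collection interval into superflows; return (superflows, leftover)."""
    by_a = defaultdict(list)   # single SRC, many DST: same dst port, byte count, flags
    by_b = defaultdict(list)   # many SRC, single DST: same dst port, byte count, flags
    by_c = defaultdict(list)   # single SRC and DST, TCP/UDP only, changing ports
    for f in flows:
        by_a[(f.src, f.dst_port, f.proto, f.byte_count, f.flags)].append(f)
        by_b[(f.dst, f.dst_port, f.proto, f.byte_count, f.flags)].append(f)
        if f.proto in ("tcp", "udp"):
            by_c[(f.src, f.dst, f.proto)].append(f)

    superflows, folded = [], set()   # a flow is folded into at most one superflow

    for (src, dport, proto, _, _), members in by_a.items():
        members = [m for m in members if m not in folded]
        if len({m.dst for m in members}) >= min_members:           # e.g. a network sweep
            folded.update(members)
            superflows.append(Superflow("A", frozenset([src]), frozenset(m.dst for m in members),
                                        frozenset([dport]), proto, len(members)))
    for (dst, dport, proto, _, _), members in by_b.items():
        members = [m for m in members if m not in folded]
        if len({m.src for m in members}) >= min_members:           # e.g. a DDoS flood
            folded.update(members)
            superflows.append(Superflow("B", frozenset(m.src for m in members), frozenset([dst]),
                                        frozenset([dport]), proto, len(members)))
    for (src, dst, proto), members in by_c.items():
        members = [m for m in members if m not in folded]
        pairs = {(m.src_port, m.dst_port) for m in members}
        if len(pairs) >= min_members:                               # e.g. a port scan
            folded.update(members)
            superflows.append(Superflow("C", frozenset([src]), frozenset([dst]),
                                        frozenset(pairs), proto, len(members)))

    leftover = [f for f in flows if f not in folded]   # ordinary flows are stored one by one
    return superflows, leftover


# Constructed sample interval: one sweep, one flood, one port scan and one ordinary DNS lookup
SAMPLE_FLOWS = (
    [Flow("10.0.0.9", 50000 + i, f"10.0.1.{i}", 445, "tcp", 60, "S") for i in range(1, 9)]
    + [Flow(f"10.0.2.{i}", 40000, "10.0.0.80", 80, "tcp", 120, "S") for i in range(1, 7)]
    + [Flow("10.0.0.9", 40000 + i, "10.0.0.50", i, "tcp", 60, "S") for i in range(1, 8)]
    + [Flow("10.0.0.5", 51000, "10.0.0.53", 53, "udp", 80, "")]
)

if __name__ == "__main__":
    supers, leftover = build_superflows(SAMPLE_FLOWS)
    for s in supers:
        print(s.kind, len(s.sources), "src", len(s.destinations), "dst", s.flow_count, "flows")
    print(len(leftover), "ordinary flows kept")
```

The grouping keys are the slide's definitions: A and B share a destination port, byte count and flags but differ in which side has many addresses, while C keeps both addresses fixed and watches the port pairs change. Rules can then test on the superflow type rather than on thousands of individual records.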

Flows per minute (FPM) burst handling


• Flows are temporarily stored in an overflow buffer if the FPM license is exceeded

• Every log source protocol has an overflow buffer of 100,000 events

• If the overflow buffer fills up, the additional flows are dropped

• In general, a Flow Collector can handle an event burst for up to 15 seconds

Event Collector architecture
• Each Event Collector gathers events from local and remote sources
• The Event Collector normalizes events and classifies them into low- and high-level categories
• Log Sources are automatically discovered after record analysis
• The Event Collector bundles identical events to conserve system usage through a process that is
  known as coalescing
• Events are parsed by Log Source parser threads
• EPS license is checked

[Figure: Event Collector pipeline, bottom to top: Log Sources; raw data packets received; Overflow filter (enforce license limit); Device Support Module (DSM) parser threads; DSM normalization filter; Coalescing filter; on to the Event Processor]

Autodiscovery of Log Sources


• Is an essential module for automating a successful evaluation or deployment

• Categorizes traffic from devices that are unknown to the system

• Creates a new Log Source if detection is successful on an IP address

• Carries out detection only on event protocols that are “pushed” to the Event Collector,
for example, syslog

Log Source parsing uses QID mapping


• The Log Source parser extracts the Log Source Event ID from the log record

• The QID (QRadar Identifier) is a unique ID that links the extracted Log Source Event ID to a QID

• Each QID number relates to a custom Event Name and description, as well as severity and event
category information

• The event category information is structured into High Level Categories (HLC) and Low Level
Categories (LLC); every QID is linked to one of these low-level categories

For example, "Authentication (HLC) – Admin Login Successful (LLC)" is a category combination
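The Event Collector steps described on the last slides, parsing by a DSM, QID mapping and coalescing, as one added Python example that is not a QRadar DSM. The log line format, the QID numbers and the 10-second coalescing window are constructed for this example; 4624, 4625 and 4672 are standard Windows security event IDs, and the category names follow the "Authentication (HLC) – Admin Login Successful (LLC)" pattern from the slide. A line the parser does not recognise is dropped, and a known event ID with no QID entry is stored under an "Unknown" category rather than lost.

```python
import re
from dataclasses import dataclass

# Constructed QID table. The Windows event IDs are real; the QID numbers, names, severities and
# category assignments are illustrative only.
QID_TABLE = {
    "4624": (5000001, "An account was successfully logged on", 1, "Authentication", "User Login Success"),
    "4625": (5000002, "An account failed to log on", 5, "Authentication", "User Login Failure"),
    "4672": (5000003, "Special privileges assigned to new logon", 3, "Authentication", "Admin Login Successful"),
}
UNKNOWN_QID = (0, "Unknown event", 1, "Unknown", "Unknown")

# Constructed syslog-style line format understood by the toy DSM below
LINE_RE = re.compile(
    r"^<\d+>\w{3} +\d+ (?P<hms>\d\d:\d\d:\d\d) (?P<host>\S+) WinSec: "
    r"EventID=(?P<eid>\d+) User=(?P<user>\S+) Src=(?P<src>\S+) Dst=(?P<dst>\S+)$"
)


@dataclass
class Event:
    time: int        # seconds since midnight (the constructed lines carry only a time of day)
    host: str
    source_eid: str  # the Log Source Event ID as extracted from the record
    qid: int
    name: str
    severity: int
    hlc: str
    llc: str
    user: str
    src: str
    dst: str
    count: int = 1   # number of raw records bundled into this event


def parse_line(line):
    """Toy DSM: extract the source Event ID and fields, then map the ID to its QID."""
    m = LINE_RE.match(line)
    if not m:
        return None                  # not this DSM's format; a real collector tries other DSMs
    h, mi, s = (int(x) for x in m["hms"].split(":"))
    qid, name, sev, hlc, llc = QID_TABLE.get(m["eid"], UNKNOWN_QID)
    return Event(h * 3600 + mi * 60 + s, m["host"], m["eid"], qid, name, sev, hlc, llc,
                 m["user"], m["src"], m["dst"])


def coalesce(events, window=10):
    """Bundle identical events (same host, QID, user, src, dst) seen within `window` seconds.

    The 10-second window is an assumption for this example."""
    out, open_index = [], {}
    for ev in sorted(events, key=lambda e: e.time):
        key = (ev.host, ev.qid, ev.user, ev.src, ev.dst)
        idx = open_index.get(key)
        if idx is not None and ev.time - out[idx].time <= window:
            out[idx].count += 1      # identical event inside the window: bump the count
        else:
            out.append(ev)           # first occurrence, or window expired: new record
            open_index[key] = len(out) - 1
    return out


def collect(lines, window=10):
    """Parse and coalesce a batch of raw log lines into normalized events."""
    return coalesce([ev for ev in map(parse_line, lines) if ev], window)


SAMPLE_LINES = [  # constructed, not captured from a real host
    f"<13>Jan 10 10:00:0{i} dc01 WinSec: EventID=4625 User=alice Src=10.0.0.5 Dst=10.0.0.10"
    for i in range(1, 6)
] + [
    "<13>Jan 10 10:00:30 dc01 WinSec: EventID=4625 User=alice Src=10.0.0.5 Dst=10.0.0.10",
    "<13>Jan 10 10:00:31 dc01 WinSec: EventID=4624 User=alice Src=10.0.0.5 Dst=10.0.0.10",
    "<13>Jan 10 10:00:31 dc01 WinSec: EventID=4672 User=alice Src=10.0.0.5 Dst=10.0.0.10",
    "<13>Jan 10 10:00:32 dc01 WinSec: EventID=9999 User=- Src=10.0.0.5 Dst=10.0.0.10",
    "this line is not from the WinSec log source",
]

if __name__ == "__main__":
    for ev in collect(SAMPLE_LINES):
        print(ev.time, ev.hlc, "/", ev.llc, f"x{ev.count}", ev.user, ev.src, "->", ev.dst)
```

The five failed logons within four seconds become one record with a count of five, the failure 29 seconds later starts a new record, and the success and the privileged-logon event keep their own categories, which is what later rules (for example "failures followed by a success") test on.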

Events per second (EPS) burst handling


• Events are temporarily stored in an overflow buffer if the EPS license is exceeded

• Every log source protocol has an overflow buffer of 100,000 events

• If the overflow buffer fills up, the additional events are dropped

• In general, an Event Collector can handle an event burst for up to 15 seconds


Architecture overview
• High level architecture
• Flow Collector (FC)
• Event Collector (EC)
• Event Processor (EP)
• Console


Event Processor architecture

• Every single event and flow is tested against all enabled rules in the rules engine
• New offenses are created by the Magistrate (see Console)
• If a new port or host is detected, an asset profile is updated or created in the PostgreSQL
database (see Console)
• Events are accumulated every minute and stored in the accumulator Ariel database
• Events and flows are stored in the events or flows Ariel database
• EPS license is checked and enforced

Slide diagram (component labels recovered from the figure): event sources received from the Event
Collector and Flow Collector enter the Event Processor and pass, from the bottom of the figure up,
the Overflow filter (enforce license limit), the Custom Rules Engine (CRE), the Event storage filter
(Drop: no match on events), the Accumulator (Accumulations) and Host profiling, and the Exit filter.
The Magistrate, the Anomaly Detection Engine, the Offense type analyzer, and the "New host or port
event" path are shown alongside, and several Event Processors are stacked in the deployment.


Custom Rules Engine (CRE)


• Every single event or flow is tested against all enabled rules; a matched rule can have a
response or result

• Matched rules might trigger the creation of an offense directly, or create a CRE event that is
itself tested against the rules and in turn triggers the creation of an offense

• Multiple matched events, flows, and matched rules might correlate into a single offense

• A single event or flow can be correlated into multiple offenses

• By default, rules are tested only against events or flows received by a single Event Processor
(local rules)

• Global Cross Correlation (GCC) allows rules to be tested across multiple Event Processors in the
QRadar SIEM deployment
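The following Python script is an added illustration for these notes and is not the QRadar CRE. It is a toy rule engine for a single Event Processor that shows the four behaviours listed above: every event is tested against every enabled rule, a rule response can contribute the event to an offense or dispatch a CRE event that is tested against the rules in its turn, several events land in one offense, and one event lands in several. The rule names, the offense index choice (source IP, destination IP, or user name), the assumption that 10.0.0.0/8 is the local network, and the sample events are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set, Tuple


@dataclass
class Event:
    event_id: int
    source_ip: str
    dest_ip: str
    category: str            # low-level category after QID mapping
    username: str = ""
    cre_event: bool = False  # True for events dispatched by a rule response


@dataclass
class Rule:
    name: str
    test: Callable[[Event], bool]
    index_by: str                             # event attribute that identifies the offense
    create_offense: bool = True
    dispatch_category: Optional[str] = None   # response: emit a CRE event with this category
    enabled: bool = True


@dataclass
class Offense:
    rule: str
    index_value: str
    event_ids: List[int] = field(default_factory=list)


OffenseKey = Tuple[str, str]


class MiniCRE:
    """One Event Processor's rule engine (local rules only, no GCC)."""

    def __init__(self, rules: List[Rule]) -> None:
        self.rules = rules
        self.offenses: Dict[OffenseKey, Offense] = {}
        self.tagged: Dict[int, Set[OffenseKey]] = {}   # event id -> offenses it belongs to

    def process(self, ev: Event) -> Set[OffenseKey]:
        """Test ONE event against ALL enabled rules; return the offenses it was added to."""
        touched: Set[OffenseKey] = set()
        for rule in self.rules:
            if not rule.enabled or not rule.test(ev):
                continue
            if rule.create_offense:
                key = (rule.name, getattr(ev, rule.index_by))
                offense = self.offenses.setdefault(key, Offense(rule.name, key[1]))
                offense.event_ids.append(ev.event_id)
                touched.add(key)
            if rule.dispatch_category:
                # The CRE event keeps the original event id so the offense it
                # produces stays traceable to the triggering event.
                cre = Event(ev.event_id, ev.source_ip, ev.dest_ip,
                            rule.dispatch_category, ev.username, cre_event=True)
                touched |= self.process(cre)
        self.tagged.setdefault(ev.event_id, set()).update(touched)
        return touched


def build_rules() -> List[Rule]:
    failures: Dict[str, int] = {}   # stateful rule memory: login failures per source IP

    def external(ip: str) -> bool:
        return not ip.startswith("10.")   # assumption: 10.0.0.0/8 is the local network

    def failure_from_external(ev: Event) -> bool:
        return ev.category == "User Login Failure" and external(ev.source_ip)

    def success_after_failures(ev: Event) -> bool:
        # A real CRE expresses this as a function test ("when at least 3 events
        # with the same source IP are seen in 5 minutes ..."); the counting is
        # folded into the test here for brevity.
        if ev.category == "User Login Failure":
            failures[ev.source_ip] = failures.get(ev.source_ip, 0) + 1
            return False
        return ev.category == "User Login Success" and failures.get(ev.source_ip, 0) >= 3

    def brute_force_confirmed(ev: Event) -> bool:
        return ev.cre_event and ev.category == "Successful Login After Brute Force"

    def admin_login_from_external(ev: Event) -> bool:
        return ev.category == "Admin Login Successful" and external(ev.source_ip)

    return [
        Rule("Login failure from external", failure_from_external, "source_ip"),
        Rule("Success after failures", success_after_failures, "source_ip",
             dispatch_category="Successful Login After Brute Force"),
        Rule("Brute force confirmed", brute_force_confirmed, "dest_ip"),
        Rule("Admin login from external", admin_login_from_external, "username"),
    ]


# Constructed events, already QID-mapped to low-level categories.
SAMPLE_EVENTS = [
    Event(1, "203.0.113.9", "10.0.0.20", "User Login Failure", "root"),
    Event(2, "203.0.113.9", "10.0.0.20", "User Login Failure", "root"),
    Event(3, "203.0.113.9", "10.0.0.20", "User Login Failure", "admin"),
    Event(4, "203.0.113.9", "10.0.0.20", "User Login Success", "admin"),
    Event(5, "203.0.113.9", "10.0.0.20", "Admin Login Successful", "root"),
    Event(6, "10.0.0.5", "10.0.0.20", "User Login Failure", "alice"),
]


def run(events: List[Event] = SAMPLE_EVENTS) -> MiniCRE:
    engine = MiniCRE(build_rules())
    for ev in events:
        engine.process(ev)
    return engine


if __name__ == "__main__":
    engine = run()
    for key, offense in engine.offenses.items():
        print(key, "<-", offense.event_ids)
```

Events 1 to 3 correlate into one offense indexed by the attacker's source IP; event 4 is tagged to two offenses, once directly by the "Success after failures" rule and once via the CRE event it dispatches, which the "Brute force confirmed" rule indexes by the victim host instead; event 6 is tested against all four rules and matches none.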


Accumulator
• Accumulations are defined by “grouped by” searches

• Accumulations create time-series statistical metadata (counts) that is used for the following
purposes
- Dashboards
- Event and flow forensics and searching
- Reporting
- Anomaly and behavior alerts

• Accumulated intervals are 1 minute, 1 hour, and 1 day

• The Accumulator is a distributed component that operates on each Event Processor


Architecture overview
• High level architecture
• Flow Collector (FC)
• Event Collector (EC)
• Event Processor (EP)
• Console


Console architecture
• The Magistrate creates and stores offenses in the PostgreSQL database; these offenses are then
brought to the analyst's attention in the interface
• The Magistrate instructs the Ariel proxy to gather information about all events and flows that
triggered the creation of an offense
• The Anomaly Detection Engine (ADE) searches the Accumulator databases for anomalies, which are
then used for offense evaluation
• The Vulnerability Information Server (VIS) creates new assets or adds open ports to existing
assets based on information from the EPs

Slide diagram (component labels recovered from the figure): the Console hosts the Magistrate, the
Custom Rule Engine, the Overflow filter (enforce license limit), the Ariel Proxy, the Anomaly
Detection Engine, the Vulnerability Information Server, the Host Profiler, and the Offenses and
Assets stores; event sources are received at the Console as well. Each Event Processor contributes
an Ariel Query Server and its Accumulators.


Offense management by the Magistrate


• Rules can correlate events and flows into a single offense

• A single event or flow can belong to multiple offenses

• While rules are tested, they might lead to the creation of an offense

• Pending offenses tag the events and flows as long as the rule that triggered the creation of the offense
remains at least partially matched

• A maximum of 100,000 offenses can be stored


Offense management by the Magistrate (2 of 2)

The slide shows the sequence between the Rules engine, the Magistrate, and the stored flows,
events, and accumulations:

1. Partial matches tag the flows and events (and accumulations)
2. A rule (Rule xyz) in the rules engine triggers the creation of an offense
3. Before the offense is created, the Magistrate queries for all matching event and flow tags to be
included
4. The offense is created with all tags to events and flows that lead up to the offense


Offense types
• An Open Offense that is created remains an Active Offense as long as the rules that triggered the
offense creation are matched by events or flows within 30 minutes after the last match; new tags
of events or flows are added to the Active Offense
• If an Open Offense has not found additional matches for more than 30 minutes, it becomes a Dormant
Offense
• A Dormant Offense becomes active again when additional matches are found within 5 days after the
offense became dormant; it is then called a Recalled Offense, and new tags of events or flows are
added to the Recalled Offense
• If a Dormant Offense has not received any matches within 5 days after it became dormant, it turns
into an Inactive Offense
• Open Offenses can be turned into Closed Offenses manually
• If events or flows are matched to an Inactive Offense or a Closed Offense, a new Open Offense is
created
• A maximum of 2,500 Active Offenses and 500 Recalled Offenses are allowed
• Closed and Inactive Offenses are subject to retention management
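The following Python script is an added illustration for these notes, not the Magistrate's code. It implements the offense lifecycle described on the slide as a small state machine driven by a clock in minutes: Active to Dormant after 30 minutes without a match, Dormant back to Active (Recalled) on a match within 5 days, Dormant to Inactive after 5 days, manual Close, and a new Open Offense when a match arrives for a rule whose previous offense is Inactive or Closed. The rule key format ("rule name|offense index") and the timeline used in the demonstration are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Timers from the slide, expressed in minutes.
DORMANT_AFTER_MIN = 30
INACTIVE_AFTER_MIN = 5 * 24 * 60   # 5 days
MAX_ACTIVE, MAX_RECALLED = 2500, 500

ACTIVE, DORMANT, INACTIVE, CLOSED = "Active", "Dormant", "Inactive", "Closed"


@dataclass
class Offense:
    offense_id: int
    rule_key: str              # rule name + offense index, e.g. "Rule xyz|203.0.113.9"
    last_match: int            # minute of the most recent matching event or flow
    state: str = ACTIVE
    recalled: bool = False     # an Active offense that came back from Dormant
    dormant_since: Optional[int] = None
    event_ids: List[int] = field(default_factory=list)

    def is_open(self) -> bool:
        return self.state in (ACTIVE, DORMANT)

    def refresh(self, now: int) -> None:
        """Apply the time-driven transitions before any decision is taken."""
        if self.state == ACTIVE and now - self.last_match > DORMANT_AFTER_MIN:
            self.state = DORMANT
            self.dormant_since = self.last_match + DORMANT_AFTER_MIN
        if self.state == DORMANT and now - self.dormant_since > INACTIVE_AFTER_MIN:
            self.state = INACTIVE
            self.recalled = False


class Magistrate:
    def __init__(self) -> None:
        self.offenses: List[Offense] = []
        self._next_id = 1

    def get(self, offense_id: int) -> Offense:
        return next(o for o in self.offenses if o.offense_id == offense_id)

    def _open_offense(self, rule_key: str) -> Optional[Offense]:
        return next((o for o in self.offenses if o.rule_key == rule_key and o.is_open()), None)

    def match(self, rule_key: str, event_id: int, now: int) -> Offense:
        """Record that an event or flow matched the rule at minute `now`."""
        for o in self.offenses:
            o.refresh(now)
        offense = self._open_offense(rule_key)
        if offense is None:
            # Inactive and Closed offenses never receive new matches, so a new
            # Open Offense is created for this rule and index.
            offense = Offense(self._next_id, rule_key, now)
            self._next_id += 1
            self.offenses.append(offense)
        elif offense.state == DORMANT:
            offense.state, offense.recalled, offense.dormant_since = ACTIVE, True, None
        offense.last_match = now
        offense.event_ids.append(event_id)
        return offense

    def close(self, offense_id: int, now: int) -> None:
        """Manual close: only an Open (Active or Dormant) offense can be closed."""
        o = self.get(offense_id)
        o.refresh(now)
        if not o.is_open():
            raise ValueError(f"offense {offense_id} is {o.state}, not open")
        o.state = CLOSED

    def state_at(self, offense_id: int, now: int) -> str:
        o = self.get(offense_id)
        o.refresh(now)
        return o.state

    def counts(self, now: int) -> Dict[str, object]:
        """Active and Recalled totals checked against the slide's limits."""
        for o in self.offenses:
            o.refresh(now)
        active = sum(1 for o in self.offenses if o.state == ACTIVE)
        recalled = sum(1 for o in self.offenses if o.state == ACTIVE and o.recalled)
        return {"active": active, "recalled": recalled,
                "active_limit_ok": active <= MAX_ACTIVE,
                "recalled_limit_ok": recalled <= MAX_RECALLED}


if __name__ == "__main__":
    m = Magistrate()
    key = "Rule xyz|203.0.113.9"
    m.match(key, 1, 0); m.match(key, 2, 20)           # one Active offense
    print(m.state_at(1, 51))                            # Dormant (31 min after the last match)
    print(m.match(key, 3, 100).recalled)                # True: recalled within 5 days
    print(m.state_at(1, 131 + INACTIVE_AFTER_MIN))      # Inactive
    print(m.match(key, 4, 200 + INACTIVE_AFTER_MIN).offense_id)   # 2: a new offense
```

Note that the transitions are evaluated lazily, on the next match or query, which is why `refresh` is called before every decision; an implementation that relied on a timer thread instead would have to make the same "Dormant before Recalled" ordering explicit to avoid counting a late match as a fresh offense.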


Anomaly Detection Engine rule types


Three categories of rule types
• Threshold: greater than, less than, and range
- Bandwidth of an application
- Failed service
- Number of users connected to a VPN
- Large outbound transfer
• Anomaly: Change in short term when comparing against a longer time frame
- New service activity
- Change in the bandwidth volume on a link
• Behavioral: Change from the same time yesterday or last week
- Mail traffic, for example, increase on external SMTP server traffic (could be a relay)
- Backup monitoring (backup failed)
- Just about anything with a repetitive pattern
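The following Python script is an added illustration for these notes that serves both the Accumulator slide and the three Anomaly Detection Engine rule types above; it is not QRadar code. It keeps time-series counts for a "grouped by" search at 1-minute resolution, rolls them up to hourly and daily buckets, and evaluates a threshold, an anomaly, and a behavioral rule against those counts rather than against individual events. The grouping field, the SMTP traffic pattern (two days at a steady 10 flows per minute from one host, then 200 per minute in the last five minutes), and the rule parameters are constructed for the example.

```python
from collections import defaultdict
from typing import Dict, List, Tuple

MINUTE, HOUR, DAY = 1, 60, 1440   # accumulation intervals, in minutes


class Accumulator:
    """Time-series counts for one "grouped by" search.

    Counts are kept per 1-minute bucket and per group value; the hourly and
    daily series are rolled up from the minute buckets.
    """

    def __init__(self, group_field: str) -> None:
        self.group_field = group_field
        self.buckets: Dict[Tuple[int, str], int] = defaultdict(int)

    def add(self, ts_min: int, record: dict) -> None:
        self.buckets[(ts_min, record[self.group_field])] += 1

    def count(self, group: str, start: int, length: int) -> int:
        """Events for `group` in the minutes [start, start + length)."""
        return sum(self.buckets.get((m, group), 0) for m in range(start, start + length))

    def series(self, group: str, interval: int, start: int, n: int) -> List[int]:
        """n consecutive buckets of `interval` minutes (MINUTE, HOUR or DAY)."""
        return [self.count(group, start + i * interval, interval) for i in range(n)]


# The three Anomaly Detection Engine rule types, evaluated on the accumulator.
def threshold_rule(acc: Accumulator, group: str, now: int, limit: int) -> bool:
    """Threshold: the last full minute exceeds a fixed count."""
    return acc.count(group, now - 1, 1) > limit


def anomaly_rule(acc: Accumulator, group: str, now: int,
                 short: int = 5, long: int = 60, factor: float = 3.0) -> bool:
    """Anomaly: the short-term rate changed against a longer time frame."""
    short_avg = acc.count(group, now - short, short) / short
    long_avg = acc.count(group, now - long, long) / long
    return long_avg > 0 and short_avg > factor * long_avg


def behavioral_rule(acc: Accumulator, group: str, now: int,
                    window: int = 5, factor: float = 3.0) -> bool:
    """Behavioral: the same window compared with the same time yesterday."""
    current = acc.count(group, now - window, window)
    yesterday = acc.count(group, now - window - DAY, window)
    return yesterday > 0 and current > factor * yesterday


def evaluate(acc: Accumulator, group: str, now: int) -> Dict[str, bool]:
    return {"threshold": threshold_rule(acc, group, now, limit=100),
            "anomaly": anomaly_rule(acc, group, now),
            "behavioral": behavioral_rule(acc, group, now)}


def build_sample_accumulator() -> Accumulator:
    """Constructed data: two days of outbound SMTP flows from one host at a
    steady 10 per minute, then 200 per minute in the final five minutes (the
    'internal host turns into a relay' pattern from the slide)."""
    acc = Accumulator("source_ip")
    for minute in range(2 * DAY):
        per_minute = 200 if minute >= 2 * DAY - 5 else 10
        for _ in range(per_minute):
            acc.add(minute, {"source_ip": "10.0.0.7", "dest_port": 25})
    return acc


if __name__ == "__main__":
    acc = build_sample_accumulator()
    print(acc.series("10.0.0.7", DAY, 0, 2))              # daily roll-up
    print(evaluate(acc, "10.0.0.7", now=2 * DAY - 10))   # before the spike: all False
    print(evaluate(acc, "10.0.0.7", now=2 * DAY))        # during the spike: all True
```

The three rules fire on the same data for different reasons: the threshold rule only sees the last minute, the anomaly rule needs the last hour as a baseline (so it also fires on a host that has no history beyond an hour), and the behavioral rule needs yesterday's bucket, which is why the behavioral type is the one that copes with workloads that are legitimately busy at the same time every day.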


New asset and service detection by Vulnerability Information Server


• Generates a new asset based on an event when hosts, services, and vulnerabilities that cannot be
mapped to existing assets are discovered
• Detects new or modified assets and automatically checks the asset information against uploaded
vulnerability information, using flow information

Lesson 3 External threat intelligence feeds


IBM Security X-Force Threat Intelligence

• Purpose
To further enrich the threat detection capabilities in QRadar using the IBM X-Force Threat
Intelligence data on a subscription basis
• X-Force Threat Intelligence
X-Force represents the IBM security threat research team that collects and maintains
comprehensive Internet threat and reputation data such as spam servers, botnet command and
control servers, malware distribution points, anonymous proxies, and dynamic and dialup network
address ranges
• Integration with QRadar
- X-Force Threat Intelligence data is constantly updated and maintained, with updates being pushed
out continuously to subscribing QRadar appliances
- Any QRadar event and flow activity involving X-Force Threat Intelligence addresses is
automatically flagged in offenses, rules, and reports; this data can be used to identify new
threats or validate threats detected through existing QRadar means
• Ordering
Each appliance in a deployment needs to subscribe to this service

Slide diagram: X-Force IP Reputation data is delivered to a QRadar appliance with the X-Force IP
Reputation feed subscribed.


You can use the IBM Security X-Force Threat Intelligence service to augment QRadar intelligence
capabilities by feeding it proprietary threat insights, including data on malware hosts, spam sources,
and anonymous proxies. Combining worldwide intelligence from IBM X-Force with security
information and event management (SIEM), log management, anomaly detection, and
configuration and vulnerability management capabilities from QRadar solutions provides
organizations with additional context on security incidents, helping improve prioritization of
incidents that require additional examination—and enabling organizations to prevent or minimize
damaging attacks.


The value of the IBM X-Force research and development team


The X-Force research and development team inspects millions of new and updated Internet sites
every day, collects information, categorizes content and identifies those sites that pose a security
danger to an organization.


X-Force Threat Intelligence - vulnerability coverage use cases

Security issue                                                       Insight provided
A series of attempted logins from a dynamic range of IP addresses    Malicious attacker
An anonymous proxy connection to a business partner portal           Suspicious behavior
A connection from a non-mail server with a known spam host           Spam contamination
A connection between an internal endpoint and a known botnet         Botnet infection
  command and control server
Communication between an endpoint and a known malware                Malware attack
  distribution site


X-Force Threat Intelligence provides vulnerability coverage across a wide range of use cases, as
shown in the examples in this table.

By adding the dynamic information from X-Force Threat Intelligence to the analytical capabilities of
the QRadar Security Intelligence solution, organizations can gain more intelligent and accurate
security enforcement. This additional insight from X-Force Threat Intelligence enables QRadar
analysts to apply this valuable data in real time to more closely monitor—and tightly secure—their
environment.
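The following Python script is an added illustration for these notes, not QRadar or X-Force code, showing how the five rows of the use-case table become enrichment logic once a reputation feed is available: each flow or event is looked up against categorized address ranges and combined with asset context (is the source a mail server? is the destination the partner portal?) to produce the "Insight provided" column. The reputation ranges are RFC 5737 documentation networks, not real X-Force data, and the asset roles and sample records are constructed for the example.

```python
import ipaddress
from collections import defaultdict
from typing import Dict, List, Optional, Set

# Constructed reputation feed using the categories X-Force publishes (spam
# servers, botnet C2, malware distribution points, anonymous proxies, dynamic
# address ranges). Documentation networks only; not real X-Force data.
REPUTATION_FEED = [
    ("198.51.100.0/24", "spam"),
    ("203.0.113.0/25", "botnet_c2"),
    ("203.0.113.128/25", "malware"),
    ("192.0.2.0/26", "anonymous_proxy"),
    ("192.0.2.64/26", "dynamic"),
]
_FEED = [(ipaddress.ip_network(cidr), category) for cidr, category in REPUTATION_FEED]

# Assumed asset context (in QRadar this would come from the asset database).
ASSET_ROLES: Dict[str, str] = {
    "10.0.0.25": "mail_server",
    "10.0.0.50": "partner_portal",
    "10.0.0.7": "workstation",
}


def reputation(ip: str) -> Set[str]:
    """All feed categories an address falls into (an IP can carry several)."""
    addr = ipaddress.ip_address(ip)
    return {category for net, category in _FEED if addr in net}


def is_internal(ip: str) -> bool:
    return ipaddress.ip_address(ip).is_private


def insight(rec: dict) -> Optional[str]:
    """Per-record enrichment: the 'Insight provided' column of the table."""
    src_rep, dst_rep = reputation(rec["src"]), reputation(rec["dst"])
    if is_internal(rec["src"]) and "botnet_c2" in dst_rep:
        return "Botnet infection"
    if is_internal(rec["src"]) and "malware" in dst_rep:
        return "Malware attack"
    # A mail server exchanging SMTP with a spam host is expected; a workstation is not.
    if "spam" in dst_rep and ASSET_ROLES.get(rec["src"]) != "mail_server":
        return "Spam contamination"
    if "anonymous_proxy" in src_rep and ASSET_ROLES.get(rec["dst"]) == "partner_portal":
        return "Suspicious behavior"
    return None


def dynamic_range_login_attempts(records: List[dict], min_sources: int = 3) -> Set[str]:
    """Malicious attacker: targets that saw login failures from at least
    `min_sources` distinct addresses inside dynamic ranges. This row of the
    table needs more than one record, so it is a counting rule over the batch."""
    sources_per_target: Dict[str, Set[str]] = defaultdict(set)
    for rec in records:
        if rec.get("category") == "User Login Failure" and "dynamic" in reputation(rec["src"]):
            sources_per_target[rec["dst"]].add(rec["src"])
    return {dst for dst, srcs in sources_per_target.items() if len(srcs) >= min_sources}


# Constructed flow and event records.
SAMPLE_RECORDS = [
    {"src": "10.0.0.7", "dst": "203.0.113.10", "dst_port": 443},
    {"src": "10.0.0.7", "dst": "203.0.113.200", "dst_port": 80},
    {"src": "10.0.0.7", "dst": "198.51.100.20", "dst_port": 25},
    {"src": "10.0.0.25", "dst": "198.51.100.20", "dst_port": 25},
    {"src": "192.0.2.5", "dst": "10.0.0.50", "dst_port": 443},
    {"src": "192.0.2.70", "dst": "10.0.0.50", "category": "User Login Failure"},
    {"src": "192.0.2.71", "dst": "10.0.0.50", "category": "User Login Failure"},
    {"src": "192.0.2.72", "dst": "10.0.0.50", "category": "User Login Failure"},
    {"src": "10.0.0.7", "dst": "192.0.2.200", "dst_port": 443},
]


def enrich(records: List[dict] = SAMPLE_RECORDS) -> List[Optional[str]]:
    return [insight(r) for r in records]


if __name__ == "__main__":
    for rec, verdict in zip(SAMPLE_RECORDS, enrich()):
        print(rec["src"], "->", rec["dst"], ":", verdict)
    print("targets of dynamic-range login attempts:", dynamic_range_login_attempts(SAMPLE_RECORDS))
```

The fourth record is the one that matters operationally: the same spam-host destination is benign for the mail server and an indicator for a workstation, which is why reputation data needs asset context before it is useful for offense scoring rather than just for flagging.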

Lesson 4 Real-world large-scale attack


How quickly can you …

• Deploy the solution

• Identify the threat or breach

• Identify the authenticity of the threat

• Identify the impact

• Identify the cause

• Remediate the problem


About Target Corporation

• Target Corporation is an American retailing company, founded in 1902 and headquartered in Minneapolis, Minnesota. It
is the second-largest discount retailer in the United States, Walmart being the largest. The company is ranked 36th on
the Fortune 500 as of 2013 and is a component of the Standard & Poor's 500 index. Its bullseye trademark is licensed
to Wesfarmers, owners of the separate Target Australia chain, which is unrelated to Target Corporation.

• The first Target store was opened in 1962 in Roseville, Minnesota. Target grew and eventually became the largest
division of Dayton Hudson Corporation, culminating in the company being renamed as Target Corporation in August
2000. Target operates 1,916 stores in the United States; it began operations in Canada in March 2013 and operates
127 locations through its Canadian subsidiary. In December 2013, a data breach of Target's systems affected up to
110 million customers.

Source: Wikipedia


Key message here is that when something like the breach happens, it goes down in history – in this
case Wikipedia highlights the attack and that can tarnish a company for years.


In November and December 2013, cyber thieves executed a successful cyber attack against Target, one of the largest retail
companies in the United States. The attackers surreptitiously gained access to Target’s computer network, stole the financial
and personal information of as many as 110 million Target customers, and then removed this sensitive information from Target’s
network to a server in Eastern Europe.

John Mulligan, Target’s Executive Vice President and Chief Financial Officer, testified that his company “had in place multiple
layers of protection, including firewalls, malware detection software, intrusion detection and prevention capabilities and data
loss prevention tools.” He further stated that Target had been certified in September 2013 as compliant with the Payment Card
Industry Data Security Standards (PCI-DSS), which credit card companies require before allowing merchants to process credit
and debit card payments.

Source: “Kill Chain” Analysis of the 2013 Target Data Breach; Committee On Commerce, Science and Transportation


The situation

The key message here is that Target was not an organization that had shirked its
responsibilities. They were PCI compliant, they had purchased a number of security products, and
yet the breach still happened.

Being compliant does not mean you are secure.

Download your own copy of this report at:

http://bit.ly/1LxBRJH


Phases of the intrusion kill chain


Kill chain timeline


First trigger – already compromised

• FireEye event
• False-positive prone: users don't fully trust the alerts
• No additional activity information: what traffic preceded and followed, from and to where?
• Network and business context: are these critical assets, or can they reach critical assets?
• No business process for triaging and analysing
• Ignored!


More alerts – no linkage

• More alerts
• Different areas of the network
• Not correlated with other activity or in the context of the business or network
• Not enough visibility or context
• Still ignored!


DOJ notification – 40 million records gone

• Too Late
• Nightmare business
scenario unfolds


Note that Target only really became aware when they were notified by DOJ.


Continued breaches undetected

• Nightmare
• Worst case business scenario


Missed opportunities


Potential improvements

Inputs a Security Intelligence solution brings together:
• Security Logs + Events
• Network Flow Data
• Vulnerability Data
• Network Topology
• Asset profile with business context, risk, ownerships
• Correlation Rules
• Behavioural Analysis

Resulting benefits:
• Increased incident relevance
• One incident case and analysis workflow
• Integrated Forensics – Rapid confirmation of attack
• Massive reduction of window of exposure


Unit summary
• Describe the functional components of a Security Intelligence solution based on the IBM Security
QRadar SIEM solution
• Describe the benefits and value of IBM X-Force threat intelligence in a Security Intelligence solution
• Evaluate a large-scale advanced persistent attack against a US retailer and evaluate how a properly
implemented Security Intelligence solution could have been beneficial to fend off the attackers

IBM Training

© Copyright IBM Corporation 2015. All Rights Reserved.
